You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Morpheus is a file-based malware scanner built to detect a wide range of malicious artifacts across several critical stages of the Cyber Kill Chain. Using a robust YARA rule set, Morpheus systematically analyzes files to uncover traces of attack strategies, ensuring that even sophisticated, staged attacks are identified:
53
-
54
-
-**Reconnaissance:** Detecting evidence of preparatory steps embedded in files that may signal information-gathering activities by attackers.
55
-
-**Exploitation:** Identifying patterns in files indicating attempts to exploit known vulnerabilities, utilizing custom YARA rules for specificity.
56
-
-**Lateral Movement & Privilege Escalation:** Recognizing malware signatures indicative of privilege escalation scripts or code fragments designed for network propagation.
57
-
-**Obfuscation & Anti-Forensics:** Catching malware files attempting to disguise their presence or eliminate forensic traces, signaling an effort to evade detection.
58
-
-**Exfiltration:** Monitoring for files or embedded data configured to exfiltrate sensitive information from the target system.
48
+
Morpheus offers a range of powerful features that make it an essential tool for malware analysis. Here’s what sets it apart:
59
49
60
-
### Sophistication lies in this tool:
61
-
62
-
Furthermore, Morpheus is equipped with advanced APT (Advanced Persistent Threat) detection, allowing it to catch even the most sophisticated attacks in real time. If the YARA ruleset isn’t enough, Morpheus seamlessly integrates with VirusTotal, one of the world’s leading platforms for malware analysis, widely trusted by security professionals. Rest easy knowing Morpheus has you covered.
50
+
-**Blazing-Fast Analysis:** Morpheus uses dynamic multithreading to rapidly scan large file sets, delivering results in seconds without compromising accuracy.
51
+
-**Cutting-Edge Threat Detection:** Built on a robust YARA rule set, Morpheus identifies a wide range of threats, from common malware to advanced, multi-stage attacks.
52
+
-**Always Up-to-Date:** With seamless YARA rule updates, Morpheus ensures its detection capabilities remain effective against the latest threats.
53
+
-**User-Friendly Interface:** Morpheus features an intuitive design, making it accessible for both experienced professionals and beginners in cybersecurity.
54
+
-**Comprehensive Reporting:** Generate detailed, actionable reports to support malware investigations and enhance incident response workflows.
63
55
64
56
Morpheus’s goal is to comprehensively address threats throughout every phase of the attack lifecycle, defend like there is no tomorrow.
65
57
@@ -69,21 +61,32 @@ Morpheus’s goal is to comprehensively address threats throughout every phase o
69
61
70
62
## Modes of Operation
71
63
72
-
1.**VirusTotal Scan (API Key Required)**
64
+
### 1)**VirusTotal Scan (API Key) [_Online_]**
73
65
Submit a file or hash to VirusTotal for an in-depth analysis using multiple antivirus engines. This mode provides comprehensive information about potential threats using VirusTotal's extensive database.
74
66
75
-
Provides detailed output, including insights from security vendors, community feedback, and more. Limitations include API rate limiting (though the default limit is relatively high) and no results for files that haven't been previously analyzed in the VirusTotal database.
67
+
Provides detailed output, including insights from security vendors, community feedback, and more. Limitations include API rate limiting (though the default limit is relatively high) and no results for files that haven't been previously analyzed in the VirusTotal database.
68
+
69
+
**Usage in Morpheus**
70
+
71
+
- Sign up at VirusTotal using the [VirusTotal Sign Up](https://www.virustotal.com).
72
+
- Retrieve your API key from your profile under "API Key".
73
+
- Run the tool, choose the VirusTotal scan option, and paste your API key when prompted.
74
+
76
75
77
-
2.**Default Scan (YARA)**
76
+
### 2)**Default Scan (YARA)[_Offline_]**
78
77
Perform a static scan using YARA rules and Pefile to identify common malicious patterns. This method can quickly flag suspicious files, including the custom detection of **KRYPT0S**, a ransomware developed by me as a proof of concept (POC).
79
-
80
-
Provides enhanced features compared to the "VirusTotal Scan" option, including PDF output, AI integration, and access to an extensive signature database capable of detecting files not registered with VirusTotal. However, it may be prone to instability due to heavy dependencies and pre-setup requirements. While Morpheus undergoes rigorous testing, results may vary depending on the system.
78
+
79
+
Provides enhanced features compared to the "VirusTotal Scan" option, including PDF output, AI integration, and access to an extensive signature database capable of detecting files not registered with VirusTotal. However, it may be prone to instability due to heavy dependencies and pre-setup requirements. While Morpheus undergoes rigorous testing, results may vary depending on the system.
80
+
81
+
**Usage in Morpheus**
82
+
83
+
- After following the installation to ensure all depenacies are installed, you can just run the morpheus_scanner.py and choose the default scan option to analyze files with the built-in YARA rules.
Periodically run the `database_updater.py` script to fetch the latest YARA rules and ensure your database is up-to-date with the latest versions from the GitHub repositories.
112
111
@@ -133,62 +132,31 @@ Below are error messages that can be outputted from Morpheus:
133
132
134
133
This is primarily a Windows-specific error that occurs when Git is not installed. Morpheus attempts to install Git using "winget" (a Windows package manager). While this usually succeeds, the terminal may need to be restarted for the environmental variables associated with Git to take effect. If this error appears, restart the terminal and re-run Morpheus. If the issue persists, manually install Git from its official website to resolve the problem.
135
134
136
-
4. **Libyara.so Error**:```Libyara not found in your 'Yara' installation. Please try uninstall all python dependencies and re-install them.```
137
-
138
-
This is a known and persistent issue with the "yara" library in Python. It occurs when a required shared object is missing during the installation of "yara." This problem is commonly observed on both Windows and Linux systems and has been widely documented across various forums and resources. Below are some steps to help mitigate this error:
139
-
- Purge all YARA libraries and files from the system, then attempt a re-installation to ensure any missing files are properly restored
140
-
- If on Linux, try run this command:```sudo apt-get install libyara-dev```for Ubuntu/Debian or ```sudo dnf install yara-devel```if on Red Hat/CentOS/Fedora, then re-run the tool
141
-
- If on Linux try rebuild the local library : First run ```sudo echo"/usr/local/lib">> /etc/ld.so.conf```then run ```sudo ldconfig```, then re-run the tool
142
-
143
-
If the issue persists, you can refer to a thread where the problem is discussed in detail, including alternative methods shared by others who managed to resolve it. Link to thread can be found [here](https://stackoverflow.com/questions/41255478/issue-oserror-usr-lib-libyara-so-cannot-open-shared-object-file-no-such-fi).
144
-
145
-
5. **Resolving RPC Errors When Cloning Morpheus with Git**
146
-
147
-
Morpheus is a large repository containing numerous YARA rules, which can require significant bandwidth to download via Git. In cases where your Wi-Fi signal is slow or unstable, you may encounter the following error:
If you encounter this issue, try cloning Morpheus using the following method to reduce network load by downloading only the latest items in the repository.
137
+
Morpheus is a large repository containing numerous YARA rules, which can require significant bandwidth to download via Git. In cases where your Wi-Fi signal is slow or unstable. If you encounter this issue, try cloning Morpheus using the following method to reduce network load by downloading only the latest items in the repository.
152
138
153
139
To resolve this issue, try the following: ```git clone --depth 1 https://github.com/phantom0004/morpheus_IOC_scanner```
154
140
155
-
6. **VirusTotal Resource not Found**:```The requested resource (file or URL) was not found in VirusTotal's database.```
141
+
5. **VirusTotal Resource not Found**:```The requested resource (file or URL) was not found in VirusTotal's database.```
156
142
157
143
This error occurs when the file, URL, or hash isn't recognized by VirusTotal, as it must already exist in their database to display results. If no prior scans exist, detailed information won't be available. Sometimes, the API may return an error or no response, which could indicate an API issue rather than the absence of an entry. To resolve this, try submitting a hash (MD5, SHA-256, or SHA-1) instead of the file itself for potentially better results.
158
144
159
-
Found an error which isin't documented here? Open an issue! Help Morpheus to grow <3
To use the VirusTotal scan, you will need an API key - This is *free*.
169
-
170
-
Do the following to get one:
171
-
1. **Sign up at VirusTotal**: [VirusTotal Sign Up](https://www.virustotal.com)
172
-
2. Retrieve your API key from your profile under "API Key".
173
-
3. Run the tool, choose the VirusTotal scan option, and paste your API key when prompted.
174
-
175
-
Still stuck? Use **Option 3**in Morpheus to view the guide on how to get the VirusTotal key, this is a detailed step-by-step guide.
149
+
# Watch Morpheus V2 in Usage
150
+
Morpheus V2 was tested by scanning an actual WannaCry sample. As demonstrated below, the tool successfully extracts key details about the file, providing valuable insights through its AI-generated verdict. Additionally, the VirusTotal API integration enhances the analysis by offering deeper insights into the sample. Finally, the results can be compiled into a PDF, enabling comprehensive documentation for further review and analysis.
176
151
177
-
### For Option 2 - Default Scan:
178
-
After following the *installation* to ensure all depenacies are installed, you can just run the **morpheus_scanner.py** and choose the default scan option to analyze files with the built-in YARA rules and Pefile.
# Practical Analysis of WannaCry Using Morpheus V2
185
-
Morpheus V2 was tested by scanning an actual WannaCry sample. As demonstrated below, the tool successfully extracts key details about the file, providing valuable insights through its AI-generated verdict. Additionally, the VirusTotal API integration enhances the analysis by offering deeper insights into the sample. Finally, the results can be compiled into a PDF, enabling comprehensive documentation for further review and analysis.
0 commit comments