Saturday, March 22, 2014

Preview - 3 - Hook Analyser 3.1: Cyber Threat Intelligence


Here is an update on Hook Analyser 3.1, specifically on the Cyber Threat Intelligence module -

The IP intelligence component (within the Cyber Threat Intelligence module) has come along well: it can collect, normalise and visualise data sets gathered from open sources to provide actionable information.

Following is a short video (preview) of the tool -

Tuesday, February 18, 2014

Preview (Part 2) - Hook Analyser 3.1: Cyber Threat Intelligence Module


As you may be aware, with the release of Hook Analyser 3.0 (released last year), Cyber Intelligence has become one of the key focus areas; it can be used to provide strategic and tactical direction related to cyber threats to an organisation.

The following screenshots are taken from the "development" version of Hook Analyser 3.1 -

Homepage -

Menu 1 (option 1): Threat landscape - by country - This module will ingest "user-specified" external (Internet-facing) IP addresses from internal / external URLs and map them back to countries. This has the potential to reveal cyber risks and to inform controls on the strategic road-map, e.g. enforcing a stringent DLP policy, or a policy on travel to high-risk countries.

Menu 1 (option 2): Threat landscape - by Geography - This module will ingest external (Internet-facing) IP addresses from internal / external URLs and map them back to an exact location. This option complements the above: if an organisation has multiple offices in a geography, it could zoom in and consider controls for a specific location.

Menu 1 (option 3): Vulnerability Feeds - This module will ingest "user-specified" external (Internet-facing) RSS feeds and generate a table. At the moment, the table is more useful on the tactical side (e.g. a new 0-day has been released) than on the strategic side (e.g. which software or vendors have the most issues, timelines, etc.).

Menu 1 (option 4): Top 50 suspicious IPs - This module will reach out to websites (e.g. StopBadware) and pull information about known blacklisted IPs, along with a rationale, e.g. the number of malware URLs (with ASN and owner details) associated with an IP.

Menu 1 (option 5): Suspicious ASNs - This module will reach out to websites (e.g. StopBadware) and pull information about ASNs associated with malware-related activity. The result is presented as a bubble chart; for reference, a larger bubble means the ratio of malware URLs to IPs on that ASN is higher.

Menu 1 (option 6): Malware Intelligence - This module will reach out to public sources to gather information about certain keywords and generate a "motion timeline" of malware associated with those keywords.

Menu 2 (option 1): Keyword based malware intelligence - This module will reach out to public sources to gather information about "user-specified" keywords linked to malware samples.

Menu 2 (option 2): Keyword based search intelligence - This module will reach out to Google to extract websites (and IPs) hosting information about the user-specified keyword, and map them back to a geo-location. This module could be useful if an organisation wants to keep a closer watch on phishing websites targeting its customers.

Menu 3 - not yet added to the dashboard - is about IP address based intelligence. The module pulls information about a "user-specified" IP list/file from public sources, e.g. DNS records, associated malware URLs, malware files and their associated HTTP/TCP/DNS connections, and generates "bird's-eye" and "detailed" information graphs with correlation.

For reference, a blue dot represents an IP address, a purple dot a DNS record, an orange dot a URL associated with malware, and a red rectangle the malware sample associated with an IP address.
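To make the "bird's-eye" and "detailed" views concrete, here is an added example (not Hook Analyser's own code) that normalises constructed IP-intelligence records into the typed node/edge graph the post describes and then correlates IPs through a shared malware sample. The record layout, sample values and function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample records (documentation-range IPs, not real indicators):
# the shape an open-source lookup of a user-specified IP list might return.
SAMPLE_RECORDS = [
    {"ip": "198.51.100.10", "dns": ["cdn-a.example"],
     "urls": ["http://cdn-a.example/x.exe"], "samples": ["SAMPLE_A"]},
    {"ip": "198.51.100.11", "dns": ["cdn-b.example"],
     "urls": ["http://cdn-b.example/y.exe"], "samples": ["SAMPLE_A"]},
    {"ip": "203.0.113.7", "dns": ["mail.example"], "urls": [], "samples": []},
]

# Node colouring exactly as the post describes the graph legend.
NODE_STYLE = {"ip": "blue", "dns": "purple", "url": "orange", "sample": "red"}


def build_graph(records):
    """Return (nodes, edges): nodes maps (kind, value) -> colour,
    edges is a set of (ip_node, related_node) pairs."""
    nodes, edges = {}, set()
    for rec in records:
        ip_node = ("ip", rec["ip"])
        nodes[ip_node] = NODE_STYLE["ip"]
        for kind, key in (("dns", "dns"), ("url", "urls"), ("sample", "samples")):
            for value in rec[key]:
                node = (kind, value)
                nodes[node] = NODE_STYLE[kind]
                edges.add((ip_node, node))
    return nodes, edges


def shared_samples(edges):
    """Bird's-eye correlation: malware samples that tie more than one IP together."""
    ips_by_sample = defaultdict(set)
    for ip_node, other in edges:
        if other[0] == "sample":
            ips_by_sample[other[1]].add(ip_node[1])
    return {s: sorted(ips) for s, ips in ips_by_sample.items() if len(ips) > 1}


def detail(edges, ip):
    """Detailed view for one IP: everything directly connected, grouped by kind."""
    out = defaultdict(list)
    for ip_node, other in edges:
        if ip_node == ("ip", ip):
            out[other[0]].append(other[1])
    return {kind: sorted(values) for kind, values in out.items()}
```

Feeding the returned nodes and edges to any graph renderer (colour taken from the node value) reproduces the legend the post describes.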

Here is the sample video -

Saturday, February 8, 2014

Preview - Hook Analyser 3.1 : Cyber Threat Intelligence Module


It's been some time since I blogged about the upcoming version of Hook Analyser, i.e. v3.1.

To give a quick update, the following improvements / features have been added -

  1. Static malware analysis module has been updated - it now identifies digitally signed malware (and extracts the certificate)
  2. Threat Intelligence module has been updated, along with a new dashboard (refer to the following video)
  3. Bug fixes.

To give a look & feel of the new (Threat Intelligence) dashboard, I've created a short video -

As always, if you have any specific feedback on the tool or on a particular module, please do not hesitate to get in touch.

Thursday, December 19, 2013

Hook Analyser 3.0 (with Cyber Threat Intelligence)


Here is the new release of the Hook Analyser project.

In terms of improvements, a new module has been added - Cyber Threat Intelligence. The Threat Intel module is being created to gather and analyse information related to cyber threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6), or can be run directly.

The module presents information in a web browser (as a dashboard) with the following sections -

  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography 
  3. Malware Intelligence (Beta) 2013 (New! - added on 30/12/2013)
  4. Vulnerability / Threat Feed.

Project documentation - Click Here

Here is the screenshot of the [Updated - 30/12/2013] Cyber Threat Intelligence dashboard -

To download the project - Click Here

Update - 

  • 08/1/2014: Project development status/update
  • 30/12/2013: Fixed a defect in the ThreatIntel module. Added Malware Intelligence (Beta) into the dashboard.
  • 21/12/2013: Fixed a defect in the ThreatIntel module. Thanks to Darren Fitzpatrick for reporting it.

Wednesday, December 18, 2013

Preview - Hook Analyser 3.0


This is probably one of the major releases, coming after a few months. A lot of features have been added, along with an additional "Major" feature update.

As I don't want to steal the thunder by myself, I will let you play with it once I release it :)

Friday, September 20, 2013

Hook Analyser 2.6 released


I'm glad to announce the release of Hook Analyser v2.6.

Following is the change log -
  1. Added new signatures (and removed redundant ones)
  2. Bug fixes - many thanks to community users for reporting them.
  3. Fixed start-up error.

Download link - Click Here

Sunday, May 12, 2013

Hook Analyser 2.5 Released

Friends - Here is the latest version of Hook Analyser project.

Updates -

  1. Hook Analyser can now perform XOR bruteforce on "encoded/obfuscated" executables.
  2. Deep search improved (new signatures added).
  3. Bug fixes.
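As an added illustration of the single-byte XOR bruteforce mentioned in item 1 (example code written for this page, not Hook Analyser's implementation), the following tries every key and reports those under which the data decodes to a PE layout: "MZ" at offset 0 and "PE\0\0" at the e_lfanew offset read from the DOS header. The constructed sample input and function names are assumptions.

```python
import struct

PE_SIGNATURE = b"PE\x00\x00"


def pe_at_key(data: bytes, key: int) -> bool:
    """True if data XOR-decoded with `key` looks like a PE file: 'MZ' magic at
    offset 0 and 'PE\\0\\0' at the e_lfanew offset stored at DOS header 0x3C."""
    if len(data) < 0x40:
        return False
    head = bytes(b ^ key for b in data[:0x40])
    if head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False  # header points past the end; reject rather than raise
    sig = bytes(b ^ key for b in data[e_lfanew:e_lfanew + 4])
    return sig == PE_SIGNATURE


def xor_bruteforce(data: bytes):
    """Try every single-byte key except 0 (0 is the unencoded case);
    return the list of keys under which a PE layout appears."""
    return [k for k in range(1, 256) if pe_at_key(data, k)]


def make_sample(key: int) -> bytes:
    """Constructed test input (no real malware): a minimal DOS header whose
    e_lfanew points at a PE signature, then XOR-encoded with `key`."""
    e_lfanew = 0x80
    plain = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    plain += struct.pack("<I", e_lfanew)
    plain += b"\x00" * (e_lfanew - len(plain))
    plain += PE_SIGNATURE + b"\x00" * 20
    return bytes(b ^ key for b in plain)
```

Checking both magic values instead of only "MZ" keeps false positives low; a multi-byte or rolling key would need a different search, which is beyond what this example covers.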

Download link - Click Here

For the project summary, please feel free to browse here