ELFEN is a dockerized sandbox for analyzing Linux (file type: ELF
) malware. It leverages an array of open-source technologies to perform both static and dynamic analysis.
Results are available through both the GUI and API. Currently, ELFEN supports the analysis of ELF binaries for the following architectures:
Install docker and docker compose.
$ git clone --recursive link
2. Modify the DJANGO secret key in ELFEN/settings.py#L30
. The secret key is used by Django for cryptographic purposes and must be secure. It can be generated in the following manner, for example:
import secrets
# ASCII characters range: 33-126
ascii_chars = [chr(i) for i in range(33, 127)]
# Length of SECRET_KEY must be 50 characters minimum
keylen = 60
''.join(secrets.choice(ascii_chars) for i in range(keylen))
3. ELFEN uses fixed credentials for the following services. Modify them as needed.
docker/mysql/Dockerfile
. ELFEN/settings.py#L101-L103
docker/postgres/Dockerfile
and docker/postgres/init.sql
. ELFEN/settings.py#L115-L117
and ELFEN/settings.py#L136
docker/rabbitmq/Dockerfile
. ELFEN/settings.py#L134
$ mkdir data && cd data && mkdir mysql postgres rabbitmq && cd ..
$ ls -1q data/
mysql
postgres
rabbitmq
$ mkdir -p media/web
6. Modify the docker-compose.user.yml
to contain your UID and GID. By default, both are set to 1000:1000
.
# UID
$ id -u
1000
# GID
$ id -g
1000
7. Build the ELFEN docker system.
$ docker compose build
8. Bring up ELFEN services.
$ docker compose -f docker-compose.yml -f docker-compose.user.yml up
...
...
elfen-web-1 | Performing system checks...
elfen-web-1 |
elfen-web-1 |
elfen-web-1 | System check identified no issues (0 silenced).
elfen-web-1 | August 31, 2023 - 10:46:41
elfen-web-1 | Django version 4.1.7, using settings 'ELFEN.settings'
elfen-web-1 | Starting development server at http://0.0.0.0:8000/
elfen-web-1 | Quit the server with CONTROL-C.
A Django superuser, admin
is also created with password admin
. ELFEN should now be available on the host at in debug mode.
Note: ELFEN has only been tested on Ubuntu 22.04.2 LTS host.
$ docker --version
Docker version 24.0.4, build 3713ee1
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Codename: jammy
$ uname -a
Linux oni 6.2.0-26-generic #26~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 16:27:29 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
See the troubleshooting document for known issues.
ELFEN provides an API to submit samples and retrieve analysis reports. Ready-to-use scripts are available under the scripts
directory.
To retrieve your API token, visit and login with your username and password. If you’re using the default Django superuser, the credentials are admin:admin
.
You should now see two values: access
and refresh
tokens. The access
token will be valid for 7 days after which it will have to be re-generated (visit ) using the refresh
token (valid for 30 days).
Copy the access
token into scripts/submit_samples.py
. Given a file containing newline-separated full paths to samples, this script can be used to submit them to ELFEN. The output JSON is a mapping between the submitted sample path and ELFEN task UUID.
$ cat demo_submit
/full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe
$ python submit_samples.py -f demo_submit -o output.json
Submitted /full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe successfully.
$ cat output.json
{
"/full/path/to/1af85af86c92c06dd2d127e0b462679f60d085cfc28cf13c79988b7ef50b95fe": "4122f552-1897-48d0-b906-bb144c6e4010"
}
Copy the access
token into scripts/get_report_task.py
. Given a task UUID, it retrieves the full analysis JSON report.
$ python3 get_report_task.py -u 4122f552-1897-48d0-b906-bb144c6e4010 -o report.json
Report retrieved successfully for 4122f552-1897-48d0-b906-bb144c6e4010.
$ du -h report.json
56K report.json
ELFEN leverages multiple backends to conduct analysis. Some backends like elfheader
and capa
are associated with static analysis, whereas others such as fileops
, c2config
are associated with dynamic analysis. Reports can be retrieved for a given backend using scripts/get_report_backend.py
. Copy the access
token into the script.
$ python3 get_report_backend.py -u 4122f552-1897-48d0-b906-bb144c6e4010 -b procops -o report.json
Report retrieved successfully for procops for 4122f552-1897-48d0-b906-bb144c6e4010.
$ cat report.json | jq
{
"submission_uuid": "4122f552-1897-48d0-b906-bb144c6e4010",
"backend": "procops",
"report": {
"errors": false,
"error_msg": [],
"data": [
{
"ts": "05:10:03.360807 UTC",
"pid": 130,
"procname": "Ba9iedKN",
"func": "getpid",
"args": "",
"ret": 130
},
{
"ts": "05:10:03.361229 UTC",
"pid": 130,
"procname": "Ba9iedKN",
"func": "getpid",
"args": "",
"ret": 130
},
{
"ts": "05:10:03.363962 UTC",
"pid": 130,
"procname": "Ba9iedKN",
"func": "fork",
"args": "",
"ret": 132
},
{
"ts": "05:10:03.388397 UTC",
"pid": 132,
"procname": "Ba9iedKN",
"func": "fork",
"args": "",
"ret": 133
}
]
}
}
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…