This is the official MRF Documentation, a malware repository framework which can be downloaded here. The documentation is a basic walk-through, summarizing the features available in the framework, and how to deploy it.


PREREQUISITES


Optional: Webserver installation on Ubuntu

Mandatory: Modules installation on Ubuntu


DEPLOYMENT

  • Download the sources.
  • Unzip and extract them on your web server.
  • Create a database (suggested name ‘mrf’).
  • Edit /src/config.php.
  • Browse to the root of the project; it should launch the installer script. Run it.
  • Remove the /install folder.
  • Create an account; this will be the admin account.
  • Go to your profile, tweak what needs to be tweaked, and add an avatar.
  • Go to admin config and configure the name/url/email for the website.
  • Go to admin pages and change [index.php/sample.php] to private, with Admin/New member visibility.
  • Go to the users page and give users their permissions.
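Two of the steps above are easy to forget and leave the repository exposed: the /install folder must be gone once the installer has run, and /src/config.php (which holds the database credentials) should not be readable by every local account. The following POSIX sh check is an added example, not part of MRF; it assumes the web root layout described above (<root>/install and <root>/src/config.php) and uses GNU stat.

```shell
#!/bin/sh
# Post-deployment check for an MRF web root (added example, not MRF's own code).
# Fails if the /install folder is still present or if /src/config.php is
# missing or readable by "other" users. Assumes the layout <root>/install
# and <root>/src/config.php from the deployment steps.
mrf_deploy_check() {
    root="$1"
    status=0

    if [ -d "$root/install" ]; then
        echo "FAIL: $root/install still present; remove it once the installer has run"
        status=1
    else
        echo "OK: install folder removed"
    fi

    cfg="$root/src/config.php"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg missing; edit it before running the installer"
        status=1
    else
        # stat -c is GNU coreutils; on BSD/macOS use: stat -f '%Lp' "$cfg"
        perms=$(stat -c '%a' "$cfg")
        # The last octal digit is the "other" class; 4-7 carry the read bit.
        case "$perms" in
            *[4567]) echo "FAIL: $cfg is world-readable (mode $perms) and holds DB credentials"
                     status=1 ;;
            *)       echo "OK: $cfg mode $perms" ;;
        esac
    fi
    return $status
}
```

Run it as `mrf_deploy_check /var/www/mrf` (path is an example) after the "Remove /install folder" step; a non-zero exit means something is left to fix.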


UPLOAD A FILE

To upload a file, click the “Add files…” button, or drag and drop the file into the interface. You can then choose whether you want to check the file on VirusTotal, start a Cuckoo analysis (if applicable) and add some tags. Then proceed by pressing the “Start” button.


FILE DETAILS

File details are available by clicking the “Up arrow” button on a file’s row. This opens a much better view for working on a particular file, giving much more information and full access to the file’s metadata. After making modifications, don’t forget to click the “Update” button to commit the changes.


SEARCH

Some search filters require a specific syntax:

  • Uploader: filters by uploader, nothing special.
  • Date: filters by date, nothing special.
  • Vendor: filters by vendor name, nothing special.
  • Comment: filters by comment, nothing special.
  • MD5: filters by md5, nothing special.
  • Filename: filters by name, nothing special.
  • FileSize: filters by size, can be: “<100” (less than 100 bytes), “100” (less than 100 bytes), “>100” (more than 100 bytes).
  • VirusTotal: filters by score, can be: “<10” (less than 10), “10” (less than 10), “>10” (more than 10).
  • Cuckoo: filters by cuckoo status, can be: “scanning” (being processed), “results” (result available), “no results” (no results available).
  • Favorite: filters by favorite, if is/isn’t in favorites.
  • Tags: filters by tags, currently search works only on 1 tag.
  • URLs: filters by url, currently search works only on 1 url.



DETECTIONS COLORS

The colors used to display threat names are the following (using the Bootstrap label color convention):

  • Exploit: label-primary.
  • PUP/not-a-virus: label-warning.
  • Rootkit/Trojan: label-danger.
  • Other: label-default.


API

To use the API, you need a user’s API key, which you will find on the account page.

To upload file(s), you can do a POST on:

You need to add your token (API key) to the POST data:

You can add a comment to the post by adding POST data:

You can add other metadata to the sample(s) by adding POST data in JSON format:
The JSON array must contain the index of each sample in the submission order.
If vtsubmit is true, the sample will be checked on VirusTotal.
If cksubmit is true (and you have a Cuckoo machine), the sample will be sent to the sandbox.


CRON

You can speed up your MRF website by using the provided cron. The cron performs the following tasks:

  • VirusTotal: looks for finished analysis.
  • Cuckoo: looks for finished analysis.
  • PE scan: searches for files with missing data, performs a scan.
  • MIME type: searches for files with missing data, performs a scan.
  • SSDEEP: searches for files with missing data, performs a scan.

When the cron is disabled, the VirusTotal and Cuckoo checks are performed by the query API instead (for example when opening the index), which slows down page loading. This is why using the cron is strongly advised whenever possible.

To use the cron, enable it in the config file. Then register this file in the cron list (don’t forget to provide a token with enough rights):


MIGRATION

Migration: From 4.X to 4.3

  • TABLE storage_metas, COLUMN value: Change type from TEXT to LONGTEXT.