This is the official documentation for MRF, a malware repository framework, which can be downloaded here. It is a basic walk-through summarizing the features available in the framework and how to deploy it.
 

 

 

PREREQUISITES

 

Optional: Webserver installation on Ubuntu

Mandatory: Modules installation on Ubuntu

 

DEPLOYMENT

  • Download the sources.
  • Unzip them into your web server's document root.
  • Create a database (suggested name ‘mrf’).
  • Edit /src/config.php.
  • Browse to the root of the project; this should launch the installer script. Run it.
  • Remove the /install folder, so the installer cannot be reached again.
  • Create an account; this will be the admin account.
  • Go to your profile, adjust the settings as needed and add an avatar.
  • Go to the admin config and set the website's name, URL and email.
  • Go to the admin pages and set index.php and sample.php to private, visible to Admin and New member.
  • Go to the users page and assign permissions to users.
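The steps above can be followed by a quick post-deployment check. The Python script below is an added example, not part of MRF: it prints SQL for the "create a database" step using a dedicated database user that is granted rights on that one schema only (the user name, the MySQL/MariaDB syntax and the file-permission expectations are this example's assumptions, not MRF requirements), and it flags two things a deployed web root should not have, a leftover install/ folder and a src/config.php readable by every local user.

```python
"""Post-deployment checks for an MRF web root.

Added example, not part of MRF. The dedicated database user and the
file-permission expectations are this example's assumptions.
"""
import stat
import tempfile
from pathlib import Path


def db_setup_sql(db_name="mrf", db_user="mrf_app", db_password="CHANGE-ME"):
    """SQL for the 'create a database' step (MySQL/MariaDB syntax, assumed).
    The installer and later migrations need CREATE/ALTER, so ALL on the one
    schema is the practical floor; what matters is that nothing is granted on *.*."""
    pw = db_password.replace("'", "''")          # escape quotes in the literal
    return "\n".join([
        f"CREATE DATABASE IF NOT EXISTS `{db_name}` CHARACTER SET utf8mb4;",
        f"CREATE USER IF NOT EXISTS '{db_user}'@'localhost' IDENTIFIED BY '{pw}';",
        f"GRANT ALL PRIVILEGES ON `{db_name}`.* TO '{db_user}'@'localhost';",
        "FLUSH PRIVILEGES;",
    ])


def check_deployment(webroot):
    """Return a list of findings (empty when clean) for an unpacked MRF web root."""
    root = Path(webroot)
    findings = []

    # Step "Remove /install folder": while it exists, anyone who can reach the
    # site can open the installer again.
    if (root / "install").exists():
        findings.append("install/ still present: remove it after the installer has run")

    # Step "Edit /src/config.php": it holds the database settings, so it should
    # be readable by the web server account only, not by every local user.
    cfg = root / "src" / "config.php"
    if not cfg.is_file():
        findings.append("src/config.php missing")
    elif cfg.stat().st_mode & stat.S_IROTH:
        findings.append("src/config.php is world-readable: chmod 640 and chown to the web server user")

    return findings


def make_sample_tree(remove_install, config_mode):
    """Build a throwaway directory mimicking an unpacked MRF tree (constructed fixture)."""
    root = Path(tempfile.mkdtemp(prefix="mrf-"))
    (root / "src").mkdir()
    cfg = root / "src" / "config.php"
    cfg.write_text("<?php // constructed placeholder for the real config\n")
    cfg.chmod(config_mode)
    if not remove_install:
        (root / "install").mkdir()
        (root / "install" / "index.php").write_text("<?php // placeholder\n")
    return str(root)


if __name__ == "__main__":
    print(db_setup_sql())
    for finding in check_deployment(make_sample_tree(remove_install=False, config_mode=0o644)):
        print("FINDING:", finding)
```

Run it with the path of the real web root in place of the constructed tree; an empty result means both checks passed.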

 

CONFIGURATION

 

UPLOAD A FILE

To upload a file, click the “Add files…” button or drag and drop the file onto the interface. You can then choose whether to check the file on VirusTotal, start a Cuckoo analysis (if a Cuckoo instance is configured) and add tags. Then press the “Start” button.
 

 

 

FILE DETAILS

File details are available by clicking the “Up arrow” button on a file’s row. This opens a detailed view for working on a single file, with more information and full access to the file’s metadata. After making changes, click the “Update” button to save them.
 

 

 

SEARCH

Some search filters require a specific syntax:

  • Uploader: filters by uploader, substring.
  • Date: filters by date, substring.
  • Vendor: filters by vendor name, substring.
  • Comment: filters by comment, substring.
  • MD5: filters by MD5, exact match.
  • Filename: filters by name, substring.
  • FileSize: filters by size; can be “<100” or “100” (less than 100 bytes), or “>100” (more than 100 bytes). A bare number means “less than”, not “equal to”.
  • VirusTotal: filters by score; can be “<10” or “10” (less than 10), or “>10” (more than 10). As with FileSize, a bare number means “less than”.
  • Cuckoo: filters by Cuckoo status; can be “scanning” (being processed), “results” (result available) or “no results” (no results available).
  • Favorite: filters on whether the file is in your favorites.
  • Tags: filters by tag; currently only a single tag can be searched.
  • URLs: filters by URL; currently only a single URL can be searched.
  • SHA256: filters by SHA256, exact match.
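As an added example (not MRF code; MRF applies these filters server-side in PHP), the following Python reimplements the documented filter semantics over a few constructed records, so the quirks can be seen in working code: a bare number on FileSize or VirusTotal means “less than”, hashes match exactly after case normalisation and are rejected when malformed, and Tags/URLs take a single value. The record field names are this example's choice.

```python
"""Matcher for the MRF search-filter syntax listed above.

Added example, not MRF code (MRF applies these filters server-side in PHP). It
reimplements the documented semantics over in-memory records; field names are assumed.
"""
import re

SUBSTRING_FIELDS = {"uploader", "date", "vendor", "comment", "filename"}
HASH_FIELDS = {"md5": 32, "sha256": 64}      # exact match; value = expected hex length
NUMERIC_FIELDS = {"filesize", "virustotal"}  # "<N", ">N" or bare "N"
CUCKOO_STATES = {"scanning", "results", "no results"}
_NUM_RE = re.compile(r"^\s*([<>]?)\s*(\d+)\s*$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_numeric(expr):
    """Parse a FileSize/VirusTotal filter. Per the docs a bare "100" means "<100"."""
    m = _NUM_RE.match(expr)
    if not m:
        raise ValueError(f"bad numeric filter: {expr!r}")
    return (m.group(1) or "<"), int(m.group(2))


def parse_hash(field, value):
    """Lower-case a hash filter and reject malformed input up front: a typo in a
    64-character hash would otherwise silently match nothing."""
    h = value.strip().lower()
    if len(h) != HASH_FIELDS[field] or not _HEX_RE.match(h):
        raise ValueError(f"{field} filter must be {HASH_FIELDS[field]} hex chars: {value!r}")
    return h


def matches(sample, filters):
    """True if `sample` (a dict) satisfies every filter in `filters` (field -> value)."""
    for field, value in filters.items():
        key = field.lower()
        if key in SUBSTRING_FIELDS:                      # case-insensitive substring
            if value.lower() not in str(sample.get(key, "")).lower():
                return False
        elif key in HASH_FIELDS:                         # exact match on normalised hex
            if sample.get(key, "").lower() != parse_hash(key, value):
                return False
        elif key in NUMERIC_FIELDS:
            op, n = parse_numeric(value)
            actual = sample.get(key)
            if actual is None or (op == "<" and actual >= n) or (op == ">" and actual <= n):
                return False
        elif key == "cuckoo":
            if value not in CUCKOO_STATES:
                raise ValueError(f"cuckoo filter must be one of {sorted(CUCKOO_STATES)}")
            if sample.get("cuckoo") != value:
                return False
        elif key == "favorite":                          # boolean: is / isn't a favorite
            if bool(sample.get("favorite")) != bool(value):
                return False
        elif key in ("tags", "urls"):                    # docs: one tag / URL per search
            if value not in sample.get(key, ()):
                return False
        else:
            raise ValueError(f"unknown filter field: {field!r}")
    return True


def filter_errors(filters):
    """Validate each filter on its own and return the error messages, so a bad
    hash or size expression is reported instead of yielding an empty result."""
    errors = []
    for field, value in filters.items():
        try:
            matches({}, {field: value})
        except ValueError as exc:
            errors.append(str(exc))
    return errors


def search(samples, **filters):
    """Apply the filters to a list of sample records; return matching filenames."""
    return [s["filename"] for s in samples if matches(s, filters)]


# Constructed records standing in for rows of the MRF file table.
SAMPLES = [
    {"filename": "invoice.exe", "uploader": "alice", "vendor": "Kaspersky", "date": "2016-03-01",
     "comment": "seen in phishing campaign", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "filesize": 51200, "virustotal": 42, "cuckoo": "results", "favorite": True,
     "tags": ["dropper", "emotet"], "urls": ["http://example.test/a"]},
    {"filename": "readme.pdf", "uploader": "bob", "vendor": "", "date": "2016-03-02", "comment": "",
     "md5": "9e107d9d372bb6826bd81d3542a419d6",
     "sha256": "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9",
     "filesize": 80, "virustotal": 0, "cuckoo": "scanning", "favorite": False,
     "tags": ["document"], "urls": []},
    {"filename": "loader.dll", "uploader": "alice", "vendor": "ESET", "date": "2015-12-31",
     "comment": "Emotet loader", "md5": "5d41402abc4b2a76b9719d911017c592",
     "sha256": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae",
     "filesize": 2048, "virustotal": 7, "cuckoo": "no results", "favorite": False,
     "tags": ["loader", "emotet"], "urls": ["http://example.test/b"]},
]
```

`search(SAMPLES, filesize="100")` returns only readme.pdf (80 bytes), because the bare number is a “less than” filter; `filter_errors` is the check to run on user input before querying, since a mistyped hash would otherwise come back as an empty result rather than an error.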

 

 

 

VIDEO GUIDE


 

 

DETECTIONS COLORS

Threat names are colored by category, using the Bootstrap label classes:

  • Exploit: label-primary.
  • PUP/not-a-virus: label-warning.
  • Rootkit/Trojan: label-danger.
  • Other: label-default.

 

API

To use the API, you need a user's API key, which is shown on that user's account page. Requests made with the key act with that user's rights, so protect it like a password.

  • downloadfile
  • bulkdownload
  • getfile
  • getfiles
  • getstorageinfo
  • getusers
  • updatefile
  • deletefile
  • uploadfiles
  • gethexdata
  • getsubmissionsdata
  • getsubmissionsperuserdata
  • gettagsdata
  • cuckooscan
  • cuckoogetmachines
  • cuckoogettasks
  • getmimedata
  • officedatascan
  • getofficedata
  • pdfdatascan
  • getpdfdata
  • pedatascan
  • getpedata
  • virustotalcomment
  • virustotalscan

Upload script example

 

CRON

You can speed up your MRF website by using the provided cron script. It performs the following tasks:

  • SHA256: searches for files with missing data and updates them.
  • VirusTotal: looks for finished analyses.
  • Cuckoo: looks for finished analyses.
  • PE scan: searches for files with missing data and performs a scan.
  • MIME type: searches for files with missing data and performs a scan.
  • SSDEEP: searches for files with missing data and performs a scan.
  • Office data: searches for files with missing data and performs a scan.
  • PDF data: searches for files with missing data and performs a scan.

When the cron is disabled, the VirusTotal and Cuckoo checks are performed by the query API instead (for example when the index page is opened), which slows down page loading. This is why using the cron is strongly advised when possible.

To use the cron, enable it in the config file. Then register the cron script with your system's cron (don’t forget to provide an API token with enough rights):

 

MIGRATION

Migration: From 4.X to 4.3

  • In table storage_metas, change the type of column value from TEXT to LONGTEXT.

Migration: From 4.3 to 5.X

  • Update the prerequisites.
  • Upgrade Usercake:
  • Run the installer (to create the new schema) by restoring the “install” folder and navigating to the root; remove the folder again afterwards.
  • Run the migration (execute these queries):
  • Update the cron script location (it moved from /src/cron.php to /cron.php).
  • Remove the old tables samples and samples_metas (once you are sure the migration is complete).

Migration: From 5.0 to 5.1

  • Install peepdf: pip install peepdf

 

DEMO

There is a live demo of our MRF system available at this address: http://mrf-demo.staging.adlice.com/
The login credentials (minimum rights) are:

  • Login: mrfdemo
  • Password: password1234