BlueJupyter: Automating Triage with Jupyter Notebooks

Samples for this section:

All samples located in PMAT-labs/labs/5-1.Automation-BlueJupyter/FORTRIAGE.7z

Note: For this section of the course, I am working on my Linux development workstation. This is outside of my lab environment. I confirmed that Blue-Jupyter functions as intended if you install it on REMnux, so feel free to carefully add REMnux back onto a NAT adapter and follow the install instructions for Blue-Jupyter.

Update 2/18/22: Dockerized Blue-Jupyter Installation Instructions

I have Dockerized the Blue-Jupyter application to cut down on the number of poetry and pip errors that were plaguing the code! Please follow these instructions to install and run the Dockerized version of the app. Note that these instructions are different than what you see in the video:

Clone the PMAT-lab branch of the code repository and change directories into it:

[email protected]:~$ git clone --branch PMAT-lab https://github.com/HuskyHacks/blue-jupyter.git && cd blue-jupyter

Run the following Docker build command:

[email protected]:~/blue-jupyter$ sudo docker build -t bluejupyter .

When the image is finished building, run the following command to launch the notebook with a published port of 8888 and a mounted volume to the dropbox directory:

[email protected]:~/blue-jupyter$ sudo docker run -it -p 8888:8888 -v /home/remnux/blue-jupyter/malware-analysis/dropbox/:/src/malware-analysis/dropbox bluejupyter

Now, if you want to add malware into the dropbox, copy it from the PMAT-labs repository into the /home/remnux/blue-jupyter/malware-analysis/dropbox/ directory and it will also copy into the container.

You can then proceed to follow the instructions from the video.

Please note that you need to be connected to the internet and must use a valid VirusTotal API key to get the API results. VirusTotal Public API keys are free and you can sign up for one here: https://www.virustotal.com/gui/join-us

Once you are done, make sure to remove REMnux from the NAT adapter and double-check that it is back in the isolated lab environment.

References:

Taggart Tech Youtube Channel: https://www.youtube.com/c/TaggartTech
Taggart Tech Twitch: https://www.twitch.tv/mttaggart
@MalwareUnicorn: https://twitter.com/malwareunicorn
Referenced ShellCon talk: https://www.youtube.com/watch?v=rX7lIfQlqOo
Linux Dev Workstation: https://neon.kde.org/

Complete and Continue