
rem0obb/axalote-engine


Axalote - Malware Analysis Engine

Production-grade malware analysis engine built with Lua, featuring automated binary analysis, nested file extraction, advanced YARA scanning, threat intelligence integration, code deobfuscation, and extensible plugin support.

Core Capabilities

Automatic File Processing

On file upload, Axalote automatically:

  • Detects file type (ELF, PE, Mach-O, DEX, PDF, ZIP, ISO, Donut)
  • Extracts nested samples from containers
  • Recursively analyzes contained files
  • Computes MD5, SHA1, SHA256 hashes
  • Calculates file entropy
  • Identifies MIME type
  • Tracks parent-child file relationships

Advanced Binary Parsing

Automatic detection and full parsing of:

  • PE (Windows) - Full header structure, sections, certificate extraction
  • ELF (Linux) - Bits, endianness, ABI, program headers, section headers
  • Mach-O (macOS) - Load commands and detailed header information
  • DEX (Android) - Classes, methods, strings, types, prototypes
  • PDF - Stream extraction and analysis
  • Nested formats - ZIP, ISO, Donut, PDF content extraction

YARA Scanning

  • Scan files against YARA rules with full pattern matching
  • Hunt patterns across entire file database
  • Load rules with compilation error diagnostics
  • Manage file-to-rule mappings
  • Delete specific rule associations

String Extraction & IOC Detection

Configurable string extraction with 7 encoding types:

  • ASCII, UTF-8, UTF-16LE/BE, UTF-32LE/BE, WIDE
  • Character type filters (printable, alphanumeric, all)
  • Configurable length limits (1-100,000 bytes)
  • Null-termination filtering

Automatic IOC detection:

  • IPv4 (with routable validation)
  • IPv6 addresses
  • URLs and domains
  • Email addresses

VirusTotal Integration

  • Full file reports with vendor detections
  • File existence verification
  • Sandbox behavior analysis reports
  • Direct download and local scanning
  • Multi-hash format support

Code Deobfuscation

  • Direct file deobfuscation by SHA256
  • JavaScript deobfuscation with extensible driver system
  • Custom deobfuscation options
  • Source code recovery

Artifact Management

  • Save analysis artifacts (deobfuscated code, configurations, extracted content)
  • Per-artifact metadata with timestamps
  • Artifact notes and documentation
  • Base64 encoding support
  • Full artifact lifecycle management

Plugin System

  • Load/update/unload Lua plugins at runtime
  • Pause/resume plugin execution
  • Plugin file management
  • Execute arbitrary code through plugins

System Monitoring

  • CPU core count and usage percentage
  • Memory statistics (total, used, free)
  • Disk usage information
  • Engine uptime tracking

File Record Management

Record metadata fields:

  • Tags and descriptions
  • IOC indicators
  • Malware family classification
  • File size, entropy, MIME type
  • Parent and dropped file relationships
  • Update and retrieve operations

Endpoints & Operations

Engine Control

  • POST /axalote/engine/restart - Restart the engine
  • POST /axalote/engine/stop - Stop the engine
  • GET /axalote/heartbeat/collect - System status and metrics

YARA Operations

  • POST /axalote/yara/scan - Scan file against rules
  • POST /axalote/yara/generate - Generate and compile a YARA rule for a stored file
  • POST /axalote/hunt/yara - Hunt patterns across database
  • POST /axalote/yara/load/rules - Load YARA rules with diagnostics
  • GET /axalote/yara/rules - List all rules
  • GET /axalote/yara/rules/{name} - Retrieve specific rule
  • GET /axalote/yara/rules/files - List files using rules
  • POST /axalote/yara/rules/files/delete - Delete rule file association

File Management

  • POST /axalote/records/files/upload - Upload file (base64 or raw)
  • GET /axalote/records/files - List all scanned files
  • GET /axalote/records/files/{sha256} - Get file metadata
  • POST /axalote/records/files/update - Update metadata and tags
  • POST /axalote/records/files/delete - Delete file (cascading)
  • POST /axalote/records/files/download - Download file bytes
  • GET /axalote/records/files/{sha256}/children - List dropped files
  • POST /axalote/records/files/rescan - Re-scan file
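A client for the File Management endpoints above, added here as an example and not taken from the axalote-engine project. It hashes the sample locally so the record can be addressed by SHA256 right after upload, and computes the same kind of entropy figure the engine records so the two can be compared. The upload body schema (a JSON object with "filename" and base64 "content"), JSON responses and the absence of an authentication header are assumptions, since the README does not specify them.

```python
import base64
import hashlib
import json
import math
import urllib.request
from collections import Counter

BASE_URL = "http://127.0.0.1:8080/axalote"  # port 8080 as in config/axalote.json


def sha256_hex(data: bytes) -> str:
    """Computed locally so the record can be addressed before the upload returns."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); high values suggest packing
    or encryption.  Whether the engine uses this exact formula is an assumption."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_upload_payload(filename: str, data: bytes) -> dict:
    """Assumed request schema for POST /records/files/upload (base64 variant)."""
    return {"filename": filename, "content": base64.b64encode(data).decode("ascii")}


def _post_json(path: str, payload: dict) -> dict:
    req = urllib.request.Request(BASE_URL + path, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_json(path: str) -> dict:
    with urllib.request.urlopen(BASE_URL + path, timeout=30) as resp:
        return json.load(resp)


def submit_and_inspect(filename: str, data: bytes) -> dict:
    """Upload, then fetch the record and the files the engine extracted from it."""
    digest = sha256_hex(data)
    _post_json("/records/files/upload", build_upload_payload(filename, data))
    return {"sha256": digest, "local_entropy": shannon_entropy(data),
            "record": _get_json(f"/records/files/{digest}"),
            "children": _get_json(f"/records/files/{digest}/children")}


if __name__ == "__main__":
    # Constructed sample: a ZIP local-file-header signature followed by padding.
    sample = b"PK\x03\x04" + b"\x00" * 60
    print(json.dumps(submit_and_inspect("sample.zip", sample), indent=2))
```

The network calls need a running engine; the hashing, entropy and payload helpers work offline.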

String Extraction

  • POST /axalote/strings/scan - Extract strings with IOC detection
  • Supports 7 encoding types with configurable filters

Binary Parsing

  • POST /axalote/parser/file - Auto-detect and parse binary headers
  • GET /axalote/parser/file/{sha256} - Get parsed binary info
  • Handles PE, ELF, Mach-O, DEX, PDF formats

VirusTotal Integration

  • GET /axalote/vt/files/{sha256}/check - Quick hash verification
  • GET /axalote/vt/files/{sha256} - Full file report
  • GET /axalote/vt/files/{sha256}/behaviour - Sandbox behavior
  • POST /axalote/vt/files/download - Download and scan

Deobfuscation

  • POST /axalote/deobfuscate - Deobfuscate code
  • GET /axalote/deobfuscate/languages - List supported languages

Artifacts

  • POST /axalote/artifacts/artifacts - Save analysis artifact
  • GET /axalote/artifacts/artifacts/{sha256} - List artifacts
  • GET /axalote/artifacts/artifacts/{sha256}/{name} - Retrieve specific artifact
  • POST /axalote/artifacts/artifacts/notes - Update artifact notes
  • POST /axalote/artifacts/artifacts/delete - Delete artifact

Plugins

  • POST /axalote/plugins/load - Load plugin
  • GET /axalote/plugins/list - List all plugins
  • GET /axalote/plugins/autocomplete - Plugin autocomplete
  • GET /axalote/plugins/{name} - Get plugin info
  • GET /axalote/plugins/{name}/files - List plugin files
  • POST /axalote/plugins/exec - Execute plugin
  • PUT /axalote/plugins/{name} - Update plugin
  • POST /axalote/plugins/{name}/pause - Pause plugin
  • POST /axalote/plugins/{name}/resume - Resume plugin
  • DELETE /axalote/plugins/{name} - Unload plugin

Configuration & Logging

  • GET /axalote/config/view - View configuration
  • POST /axalote/config/edit - Merge and persist changes
  • GET /axalote/logs/trace - Retrieve logs

Tools & MCP

  • GET /axalote/tools - List available tools
  • POST /axalote/tools/call - Call a tool
  • POST /axalote/mcp - MCP protocol endpoint (JSON-RPC 2.0)

Configuration

Configure in config/axalote.json:

{
  "server": {
    "host": "0.0.0.0",
    "port": 8080,
    "timeout": 600,
    "performance": {
      "max_concurrent": 4096,
      "max_body_size": 0
    }
  },
  "scanner": {
    "yara": {
      "rules": "./config/yara/rules",
      "rules_backup": "./config/yara/backup.yarc",
      "suspicious_words": "./config/yara/suspicious_words.txt"
    },
    "records": {
      "path": "./records/",
      "extension": ".record"
    }
  },
  "virustotal": {
    "api_key": ""
  },
  "plugins": {
    "path": "./config/plugins"
  }
}
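A pre-start check for this configuration, added as an example and not part of the axalote-engine project. It flags the all-interfaces bind (the endpoint list includes plugin execution, config editing and engine stop/restart, and this file carries no authentication setting), an empty VirusTotal key, and rule, record or plugin directories that do not exist yet. The finding wording, the "::" check and the placeholder key are this script's own choices.

```python
import copy
import tempfile
from pathlib import Path

SAMPLE_CONFIG = {  # the README's config/axalote.json, as a Python dict
    "server": {"host": "0.0.0.0", "port": 8080, "timeout": 600,
               "performance": {"max_concurrent": 4096, "max_body_size": 0}},
    "scanner": {"yara": {"rules": "./config/yara/rules", "rules_backup": "./config/yara/backup.yarc",
                         "suspicious_words": "./config/yara/suspicious_words.txt"},
                "records": {"path": "./records/", "extension": ".record"}},
    "virustotal": {"api_key": ""},
    "plugins": {"path": "./config/plugins"},
}


def _dig(cfg, dotted, default=None):
    # Walk a dotted key path through nested dicts; default if any part is missing.
    for part in dotted.split("."):
        if not isinstance(cfg, dict) or part not in cfg:
            return default
        cfg = cfg[part]
    return cfg


def check_config(cfg: dict, root: Path) -> list:
    """Return findings for a parsed axalote.json; an empty list means it passed."""
    findings = []
    # The config carries no authentication setting, while the API exposes plugin
    # execution, config editing and engine stop/restart.  Binding every interface
    # hands the engine to anyone who can reach the port: bind loopback or front it
    # with an authenticating reverse proxy.
    host = _dig(cfg, "server.host", "")
    if host in ("0.0.0.0", "::", ""):
        findings.append(f"server.host={host!r} listens on all interfaces")
    if not _dig(cfg, "virustotal.api_key"):
        findings.append("virustotal.api_key is empty; the /vt/ endpoints cannot work")
    # Directories the engine reads or writes must exist before the first upload.
    for key in ("scanner.yara.rules", "scanner.records.path", "plugins.path"):
        rel = _dig(cfg, key)
        if rel is None or not (root / rel).is_dir():
            findings.append(f"{key}={rel!r} is not a directory under {root}")
    return findings


def demo() -> tuple:
    # Check the README config as-is and a hardened copy against a temporary root.
    hardened = copy.deepcopy(SAMPLE_CONFIG)
    hardened["server"]["host"] = "127.0.0.1"
    hardened["virustotal"]["api_key"] = "<VT-API-KEY-PLACEHOLDER>"  # constructed value
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for key in ("scanner.yara.rules", "scanner.records.path", "plugins.path"):
            (root / _dig(SAMPLE_CONFIG, key)).mkdir(parents=True, exist_ok=True)
        return check_config(SAMPLE_CONFIG, root), check_config(hardened, root)
```

For a real deployment, parse config/axalote.json with json.loads and pass the repository root as root.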

Installation

git submodule update --init --recursive
sudo luarocks-5.4 install --only-deps cov-scm-1.rockspec

Docker

git submodule update --init --recursive
docker-compose up

Project Structure

  • sources/axalote/ - Engine implementation
    • scanner/ - Core analysis modules, extraction, parsing
    • endpoints/ - HTTP endpoints (15+ routes)
    • mcp/ - JSON-RPC protocol implementation
    • vt/ - VirusTotal client
    • deobfuscate/ - Code deobfuscation drivers
    • plugins/ - Plugin system
  • config/ - Configuration and YARA rules
  • ksy/ - Kaitai struct formats
  • libs/ - Dependencies

About

Engine for analyzing and categorizing samples.
