DDOM or Daily Dose of Malware allows you to gather malware and c&c from open source intelligence.
It can display info, export results to text file or download malicious software.
I want to make it as fresh as possible, that's why all malwares are dated on few days back.
Cymon displays last ten records, Google shows only first page and Malcode only main page.
Malshare API is updated, if new sample appears.
Supported platforms:
Malcode
Malshare (You need to get api key)
Google dorks
Cymon
-Vx vault
-CyberCrime tracker
-CybeCrime tracker for Pony malware (mostly c2 servers)
-Malcode
First clone this repo
git clone
For google dorks:
pip install selenium
pip install pyvirtualdisplay
and you need Mozilla Geckodriver https://github.com/mozilla/geckodriver/releases
for Malcode:
pip install bs4
You can run the tool with python ddom.py
usage: ddom.py [-h] [-s [[...]]] [-cs [[...]]] [-d | -o | -e]
Daily dose of malware
optional arguments:
-h, --help show this help message and exit
-s [ [ ...]], --source [ [ ...]]
source of feed. Allowed values are cymon, malshare,
malcode, google
-cs [ [ ...]], --cymonsource [ [ ...]]
Additional source for Cymon. Allowed values are
vxvault,malcode,cct,ponyc2
-d, --download download malware
-o, --output print to console
-e, --export export to text file
Display info from malcode and malshare
dom.py -s malcode malshare --output
++++++++++++++++++++++++++++++++++++
Brought to you by Malc0de
https://twitter.com/malc0de
http://malc0de.com
++++++++++++++++++++++++++++++++++++
------------------
2018-01-10
aba2d86ed17f587eb6d57e6c75f64f05
xxx.xxx.xxx.xxx/Photo.scr
-----------------
2018-01-10
6c29b80a61ff5ca7f5d8db8b002e9631
xxx.xxx/32nP30h187Z
[...]
++++++++++++++++++++++++++++++++++++
Brought to you by Malshare
A free Malware repository providing researchers access to samples, malicous feeds, and Yara results.
http://malshare.com
++++++++++++++++++++++++++++++++++++
http://xxx.xxx/kjdfhg874
http://xxx.xxx/error/error/tc.exe
http://xxx.xxx/images/rn.php
http://xxx.xxx.xxx.xxx/bprocess.exe
http://xxx.xxx.xxx.xxx/64Kilences.exe
[..]
Download files from vxvault and malcode (--download works for malshare, malcode and vxvault) (it connects to malicious, be careful)
ddom.py -s cymon -cs vxvault malcode --download
Cymon is the largest open tracker of malware, phishing, botnets, spam, and more. Brought to you by eSentire.
Downloading file http://xxx.xxx/rn.php
Downloaded malcode2018-01-13/rn.php
---------------------------
Downloading file http://xxx.xxx.xxx.xxx/32Kilences.exe
Downloaded malcode2018-01-13/32Kilences.exe
---------------------------
Downloading file http://xxx.xxx/dfjkgy7
Downloaded malcode2018-01-13/dfjkgy7
It creates directory named 'source + timestamp' and then download malware into it.
Export results from google dorks:
ddom.py -s google --export
++++++++++++++++++++++++++++++++++
Google dorks
++++++++++++++++++++++++++++++++++
Exported to google2018-01-13.txt
It creates text file named 'source + timestamp' with information inside.
- You are dealing with real malware, which may harm your computer badly. I'm not responsible for any caused damages. Be careful and think.
- For Google dorks please make sure to use newest firefox and geckodriver. It simulates browser, so it may not working sometimes because of google captcha. My advice is to connect and reconnect your vpn.
- To use Malshare, you have to register and obtain api key. Then paste it to modules/malshare.py - line 21
- If you know more public and open source platforms for retrieving malware, let me know.
- If this script violates terms of service from any used service, let me know and I will delete it.
- Not all of google dorks are perfect, you may encounter on some false positives.
Do whatever you want to do with this tool.
If you know how to develop or have any idea, let me know.