Share
## https://sploitus.com/exploit?id=F9DDCDC7-DD2C-5A26-AD8A-4BEA52F15C18
# Dillu-Analyzer
๐Ÿ›ก๏ธ Dillu Analyzer โ€” A web-based universal malware scanner built with Python, Flask & 317 YARA rules. Detects RATs, ransomware, exploits, and Android APK threats
----------------------------------------------------------------------------------------------------------------------------------------------------------------------

# ๐Ÿ›ก๏ธ Dillu Analyzer โ€” Universal Malware Scanner



![Python](https://img.shields.io/badge/Python-3.8%2B-blue?style=for-the-badge&logo=python)
![Flask](https://img.shields.io/badge/Flask-3.0-black?style=for-the-badge&logo=flask)
![YARA](https://img.shields.io/badge/YARA-317%20Rules-red?style=for-the-badge)
![License](https://img.shields.io/badge/License-MIT-green?style=for-the-badge)
![Platform](https://img.shields.io/badge/Platform-Linux%20%7C%20Windows%20%7C%20macOS-lightgrey?style=for-the-badge)

**A powerful, web-based malware scanner that detects threats across every major file type โ€” built with Python, Flask, and 317 YARA rules.**

[Features](#-features) โ€ข [Demo](#-screenshots) โ€ข [Installation](#-installation) โ€ข [Usage](#-usage) โ€ข [File Types](#-supported-file-types) โ€ข [YARA Rules](#-yara-rules)



---

## ๐Ÿ‘จโ€๐Ÿ’ป About

> **Created by [Dilkash](https://github.com/dilkash-20)** with the assistance of AI (Claude by Anthropic).
>
> This project was built as a learning and practical cybersecurity tool, combining real-world YARA malware detection rules, deep file analysis, and a modern dark-themed web interface โ€” all in a self-contained Python application.

---

## โœจ Features

- ๐Ÿ” **317 YARA detection rules** covering malware families, exploits, RATs, ransomware, and more
- ๐Ÿ“ฑ **SpyNote Android RAT detection** โ€” identifies obfuscated SpyNote samples including base64-encoded package names
- ๐Ÿ—‚๏ธ **Universal file type support** โ€” PDFs, EXE/DLL, Office documents, APKs, archives, scripts, images, and more
- ๐Ÿงฌ **Deep APK analysis** โ€” extracts permissions, dangerous capabilities, DEX strings, and device admin abuse
- ๐Ÿ” **VirusTotal integration** โ€” hash lookup and file upload for cross-reference
- ๐Ÿ“Š **Risk scoring** โ€” 0โ€“100 CRITICAL / HIGH / MEDIUM / LOW scoring engine
- โšก **Fallback pattern scanning** โ€” works even without `yara-python` installed
- ๐ŸŒ **Web UI** โ€” dark cyberpunk-themed browser interface
- ๐Ÿ“„ **JSON forensic reports** โ€” downloadable full scan reports
- ๐Ÿ”’ **Auto file cleanup** โ€” uploaded files deleted after 1 hour

---

## ๐Ÿ–ฅ๏ธ Screenshots

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  ๐Ÿ›ก๏ธ  Dillu Analyzer Universal Malware Scanner      โ”‚
โ”‚  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  โ”‚
โ”‚  Drop file or click to upload                       โ”‚
โ”‚                                                     โ”‚
โ”‚  [  SCAN FILE  ]   VT API Key: [____________]       โ”‚
โ”‚                                                     โ”‚
โ”‚  โ— CRITICAL  Score: 95/100                          โ”‚
โ”‚  โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€  โ”‚
โ”‚  YARA Matches (7):                                  โ”‚
โ”‚    ๐Ÿšจ SpyNote_RAT_Android    [HIGH] RAT             โ”‚
โ”‚    ๐Ÿšจ Android_RAT_Screen     [HIGH] RAT             โ”‚
โ”‚    ๐Ÿšจ Android_DeviceAdmin    [HIGH] Persistence     โ”‚
โ”‚    ...                                               โ”‚
โ”‚                                                      โ”‚
โ”‚  APK Permissions (20 dangerous):                     โ”‚
โ”‚    โ€ข android.permission.READ_SMS                     โ”‚
โ”‚    โ€ข android.permission.BIND_DEVICE_ADMIN            โ”‚
โ”‚    โ€ข android.permission.RECORD_AUDIO                 โ”‚
โ”‚    ...                                               โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## ๐Ÿ“ฆ Project Structure

```
dillu-analyzer/
โ”œโ”€โ”€ app/
โ”‚   โ”œโ”€โ”€ app.py                  # Flask API server
โ”‚   โ”œโ”€โ”€ utils/
โ”‚   โ”‚   โ”œโ”€โ”€ file_analyzer.py    # Core analysis engine
โ”‚   โ”‚   โ””โ”€โ”€ virustotal.py       # VirusTotal API client
โ”‚   โ”œโ”€โ”€ yara_rules/
โ”‚   โ”‚   โ””โ”€โ”€ universal_malware.yar   # 317 YARA detection rules
โ”‚   โ”œโ”€โ”€ templates/
โ”‚   โ”‚   โ””โ”€โ”€ index.html          # Web UI
โ”‚   โ”œโ”€โ”€ static/
โ”‚   โ”‚   โ”œโ”€โ”€ css/style.css       # Cyberpunk dark theme
โ”‚   โ”‚   โ””โ”€โ”€ js/scanner.js       # Frontend scan logic
โ”‚   โ””โ”€โ”€ uploads/                # Temp storage (auto-deleted)
โ”œโ”€โ”€ requirements.txt
โ”œโ”€โ”€ run.sh
โ””โ”€โ”€ README.md
```

---

## ๐Ÿš€ Installation

### Prerequisites

- Python 3.8 or higher
- pip
- (Optional) `libyara` for full YARA engine support

### Quick Start

```bash
# 1. Clone the repository
git clone https://github.com/dilkash-20/dillu-analyzer.git
cd dillu-analyzer

# 2. Run the setup script (creates venv, installs deps, starts server)
chmod +x run.sh
./run.sh
```

Then open your browser at **http://localhost:5000**

---

### Manual Setup

```bash
# Create virtual environment
python3 -m venv venv
source venv/bin/activate        # Linux/macOS
# venv\Scripts\activate         # Windows

# Install dependencies
pip install -r requirements.txt

# Install YARA engine (recommended for full rule scanning)
# Linux โ€” install system dependency first:
sudo apt install libssl-dev libmagic-dev build-essential
pip install yara-python

# Start the scanner
cd app
python3 app.py
```

> **Note:** If `yara-python` fails to install, the scanner automatically falls back to built-in pattern matching. Detection still works, but with fewer rules.

---

### VirusTotal Integration (Optional)

```bash
# Set your VT API key as environment variable
export VIRUSTOTAL_API_KEY="your_api_key_here"

# Or enter it in the web UI before scanning
```

Get a free API key at [virustotal.com](https://www.virustotal.com)

---

## ๐Ÿ—‚๏ธ Supported File Types

| Category | Extensions |
|----------|-----------|
| **Android APK** | `.apk` |
| **Windows PE** | `.exe` `.dll` `.sys` |
| **Linux/macOS** | `.elf` `.so` `.dmg` |
| **PDF** | `.pdf` |
| **Office Documents** | `.doc` `.docx` `.xls` `.xlsx` `.ppt` `.pptx` `.rtf` |
| **Archives** | `.zip` `.rar` `.7z` `.tar` `.gz` `.bz2` `.jar` |
| **Scripts** | `.py` `.js` `.vbs` `.ps1` `.bat` `.cmd` `.sh` `.php` `.rb` `.pl` |
| **Images** | `.png` `.jpg` `.jpeg` `.gif` `.svg` `.tif` `.bmp` |
| **Web / Data** | `.html` `.xml` `.json` `.csv` `.txt` `.log` |
| **Other** | `.iso` `.img` `.lnk` `.eml` `.msg` |

---

## ๐Ÿ” YARA Rules

The scanner ships with **317 YARA rules** across these categories:

| Category | Rules | Description |
|----------|-------|-------------|
| Android / APK | 30+ | SpyNote RAT, Dendroid, Metasploit payloads, banking trojans |
| Anti-Debug / Anti-VM | 40+ | Debugger checks, VM detection, sandbox evasion |
| Capabilities | 50+ | Process injection, keyloggers, RAT features, credential theft |
| Crypto Signatures | 60+ | AES, RSA, DES, SHA, MD5 constant detection |
| CVE Exploits | 20+ | CVE-2017-11882, CVE-2018-4878, CVE-2016-5195, and more |
| PDF Malware | 10 | JavaScript, shellcode, obfuscation, auto-launch |
| Windows PE | 10 | Ransomware, packers, process injection |
| Office Macros | 5 | AutoExec, DDE attacks, obfuscated VBA |
| Scripts | 5 | Encoded PowerShell, droppers, persistence |
| Generic | 5 | NOP sleds, TOR indicators, crypto wallets |

### SpyNote RAT Detection

Dillu Analyzer includes a custom rule specifically built to detect SpyNote Android RAT, including obfuscated variants that encode the package name in base64:

```
Package: cmf0.c3b5bm90zq.patch
         โ””โ”€โ”€ c3b5bm90zq = base64("spynote")
```

Detection checks:
- โœ… APK magic bytes + `classes.dex` presence
- โœ… Obfuscated package name (`c3b5bm90zq`) or C2 endpoint (`/exit/chat/`)
- โœ… Screen capture, network socket, and surveillance capabilities
- โœ… UTF-16LE dangerous permissions (READ_SMS, BIND_DEVICE_ADMIN, RECORD_AUDIO, etc.)

---

## ๐Ÿง  How It Works

```
Upload File
     โ”‚
     โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  File Type      โ”‚  Magic bytes + extension detection
โ”‚  Detection      โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  ZIP Extraction โ”‚  For APK/JAR/ZIP: decompress all entries
โ”‚  (for YARA)     โ”‚  so YARA can scan uncompressed content
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  YARA Scan      โ”‚  317 rules against combined raw+extracted bytes
โ”‚                 โ”‚  Falls back to pattern scan if yara-python missing
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Type-Specific  โ”‚  PDF / APK / PE / Office / Script / Image
โ”‚  Deep Analysis  โ”‚  analyzers extract indicators
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  VirusTotal     โ”‚  Hash lookup โ†’ file upload (if no match)
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚
         โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚  Risk Score     โ”‚  0โ€“100  CRITICAL / HIGH / MEDIUM / LOW
โ”‚  + JSON Report  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

---

## ๐Ÿ”Œ API

The scanner exposes a simple REST API:

### Scan a file

```http
POST /api/scan
Content-Type: multipart/form-data

file=
vt_api_key=
```

**Response:**
```json
{
  "scan_id": "uuid",
  "risk": {
    "score": 95,
    "level": "CRITICAL",
    "color": "#ff2d55"
  },
  "yara_results": {
    "rule_count": 7,
    "matches": [
      {
        "rule": "SpyNote_RAT_Android",
        "severity": "HIGH",
        "category": "RAT",
        "description": "Detects SpyNote Android RAT..."
      }
    ]
  },
  "type_analysis": {
    "analyzer": "Android APK",
    "apk_analysis": {
      "dangerous_permissions": ["android.permission.READ_SMS", "..."],
      "suspicious_indicators": ["SpyNote encoded package (c3b5bm90zq)", "..."]
    }
  }
}
```

### Download report

```http
GET /api/report/
```

Returns the full JSON forensic report as a downloadable file.

---

## โš™๏ธ Configuration

| Setting | Default | How to change |
|---------|---------|---------------|
| Port | `5000` | Edit `app.py` line: `app.run(port=5000)` |
| Max file size | `100MB` | Edit `app.config['MAX_CONTENT_LENGTH']` |
| File retention | `1 hour` | Edit `cleanup_old_files()` threshold |
| VirusTotal key | *(empty)* | `export VIRUSTOTAL_API_KEY="key"` |
| YARA rules path | `yara_rules/universal_malware.yar` | Edit `app.config['YARA_RULES']` |

---

## ๐Ÿ› Troubleshooting

**`yara-python` install fails:**
```bash
# Ubuntu/Debian
sudo apt install libssl-dev libmagic-dev build-essential python3-dev
pip install yara-python

# If still failing, scanner uses fallback detection automatically
```

**Port already in use:**
```bash
# Change port in app.py, or kill existing process:
lsof -ti:5000 | xargs kill
```

**APK not detected:**
- Make sure the file has `.apk` extension when uploading
- The scanner uses extension + magic bytes to route APK files to the dedicated analyzer

**YARA rules not loading:**
```bash
# Verify the rules file compiles cleanly:
python3 -c "import yara; yara.compile('app/yara_rules/universal_malware.yar'); print('OK')"
```

---

## ๐Ÿ”’ Security Notes

- All uploaded files are **automatically deleted after 1 hour**
- Files are stored in `uploads/` with UUID-prefixed names
- This tool is intended for **security research and malware analysis only**
- Do **not** expose this server publicly without authentication
- Never upload sensitive or personal files to any scanner you do not control

---

## ๐Ÿ“‹ Requirements

```
flask>=3.0.0
werkzeug>=3.0.0
requests>=2.31.0
yara-python>=4.3.0    # optional but recommended
```

---

## ๐Ÿค Contributing

Pull requests are welcome. For major changes, please open an issue first to discuss what you'd like to change.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/new-detection`)
3. Commit your changes (`git commit -m 'Add detection for XYZ malware'`)
4. Push to the branch (`git push origin feature/new-detection`)
5. Open a Pull Request

---

## ๐Ÿ“œ License

This project is licensed under the MIT License โ€” see the [LICENSE](LICENSE) file for details.

The YARA rules included in this project are sourced from open community rulesets and are licensed under GNU-GPLv2 where applicable. See individual rule metadata for attribution.

---

## ๐Ÿ™ Acknowledgements

- **YARA rules** โ€” community rulesets from [naxonez](https://github.com/naxonez/yaraRules), [x0r](https://github.com/x0r), [Florian Roth](https://github.com/Neo23x0), and others
- **SpyNote analysis** โ€” custom rule developed from reverse-engineering `client.apk`
- **Flask** โ€” lightweight Python web framework
- **yara-python** โ€” Python bindings for the YARA pattern matching library

---



**Built by Dilkash with the help of AI ๐Ÿค–**

*"Security is not a product, but a process."* โ€” Bruce Schneier

โญ Star this repo if you found it useful!