ssma's People

Contributors

delirious-lettuce avatar evan-sa avatar firmianay avatar gitter-badger avatar pielco11 avatar secrary avatar


ssma's Issues

Issue with file_strings.py offline

I noticed that while analyzing certain binaries offline there is an issue where the analysis stops abruptly before getting to the yara section of triage. The issue lies with the check of IP addresses against the malware domains blacklist. When the internet is unreachable, rather than skipping this section it times out and the analysis just ends. The analysis works fine when you have internet access, but if you are analyzing malware offline, which is the case a very large percentage of the time, this could be troublesome.

The problem seems to arise on line 328 in ssma.py and in the source file file_strings.py. See the analysis below.

███████╗███████╗███╗ ███╗ █████╗
██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple
███████╗███████╗██╔████╔██║███████║ Static
╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware
███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer
╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝

File Details:
File: /home/remnux/Desktop/sample.bin
Size: 419568 bytes
Type: application/x-dosexec
MD5: 62b59289e8651e5ed35e9a18f70dc28d
SHA1: 286393dfb09a57aea9753596bc79a38ec1b96331
ssdeep: 6144:F5/h6De6n6ZU43/97xYqCo8HYsKjF8BrGtQothGbtj9aUuVcade7OcqXmBh3jIA:F1h6i6n6Z9Qo5EK/thGBjsUgcadYOeUA
Date: Mon Jan 19 20:42:53 2015
PE file entropy: 6.744053952912414

================================================================================
Number of Sections: 4

Section VirtualAddress VirtualSize SizeofRawData Sections_MD5_Hash Section_Entropy
.text 0x1000 204133 204800 b16b856703961e7c99a298e31c8bbf92 6.882997324536023
.rdata 0x33000 59016 61440 c3b090467254c6d2a5ab7d78d91473a1 6.097080594618708
.data 0x42000 45000 32768 1c0100bf3c97224e27fb34c7fc5802f6 6.473725101397605
.rsrc 0x4d000 102592 106496 f257d7a0bb661f5b85eaa5488fca8366 6.043580449076323

================================================================================
No overlay Data Present

Suspicious flags in the characteristics of the PE file:
RELOCS_STRIPPED flag is set - This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address.
Flag has the effect of disabling Address Space Layout Randomization(ASLR) for the process.

================================================================================
This file contains a list of Windows functions commonly used by malware.
For more information use the Microsoft documentation.

IsDebuggerPresent - Checks to see if the current process is being debugged, often as part oan anti-debugging technique. This function is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
GetStartupInfoA - Retrieves a structure containing details about how the current process was configured to run, such as where the standard handles are directed.
QueryPerformanceCounter - Used to retrieve the value of the hardware-based performance counter. This function is sometimes using to gather timing information as part of an anti-debugging technique. It is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
GetTickCount - Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
CreateFileA - Creates a new file or opens an existing file.
GetVersionExA - Returns information about which version of Windows is currently running. This can be used as part of a victim survey or to select between different offsets for undocumented structures that have changed between different versions of Windows.
GetModuleHandleA - Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
LoadLibraryA - Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
GetProcAddress - Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.
FindResourceA - Used to find a resource in an executable or loaded DLL. Malware some- times uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malware’s PE header.
LoadResource - Loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files
WideCharToMultiByte - Used to convert a Unicode string into an ASCII string.
CallNextHookEx - Used within code that is hooking an event set by SetWindowsHookEx. CallNextHookEx calls the next hook in the chain. Analyze the function calling CallNextHookEx to determine the purpose of a hook set by SetWindowsHookEx.
GetForegroundWindow - Returns a handle to the window currently in the foreground of the desktop. Keyloggers commonly use this function to determine in which window the user is entering his keystrokes.
GetKeyState - Used by keyloggers to obtain the status of a particular key on the keyboard.
GetDC - Returns a handle to a device context for a window or the whole screen. Spyware that takes screen captures often uses this function.
SetWindowsHookExA - Sets a hook function to be called whenever a certain event is called. Commonly used with keyloggers and spyware, this function also provides an easy way to load a DLL into all GUI processes on the system. This function is sometimes added by the compiler.
CryptAcquireContextW - Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.
RegOpenKeyA - Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.
RegOpenKeyExA - Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.
OpenProcessToken - Opens a handle to another process running on the system. This handle can be used to read and write to the other process memory or to inject code into the other process.
AdjustTokenPrivileges - Used to enable or disable specific access privileges. Malware that performs process injection often calls this function to gain additional permissions.
CryptAcquireContextA - Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.
CoCreateInstance - Creates a COM object. COM objects provide a wide variety of functionality. The class identifier (CLSID) will tell you which file contains the code that implements the COM object. See Chapter 7 for an in-depth explanation of COM.

================================================================================
Traceback (most recent call last):
  File "/home/remnux/RE-tools/SSMA/ssma.py", line 328, in
    strings = get_strings(filename=args.filename).get_result()
  File "/home/remnux/RE-tools/SSMA/src/file_strings.py", line 17, in __init__
    self.result = (is_website(strings), is_ip(strings), is_email(strings))
  File "/home/remnux/RE-tools/SSMA/src/check_strings.py", line 39, in is_email
    if validate_email(e, check_mx=True):
  File "/home/remnux/RE-tools/SSMA/ext/validate_email.py", line 135, in validate_email
    mx_hosts = get_mx_ip(hostname)
  File "/home/remnux/RE-tools/SSMA/ext/validate_email.py", line 102, in get_mx_ip
    MX_DNS_CACHE[hostname] = DNS.mxlookup(hostname)
  File "/usr/local/lib/python3.4/dist-packages/DNS/lazy.py", line 54, in mxlookup
    l = dnslookup(name, qtype = 'mx')
  File "/usr/local/lib/python3.4/dist-packages/DNS/lazy.py", line 37, in dnslookup
    result = Base.DnsRequest(name=name, qtype=qtype).req()
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 323, in req
    self.sendUDPRequest(server)
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 376, in sendUDPRequest
    raise first_socket_error
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 351, in sendUDPRequest
    r=self.processUDPReply()
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 134, in processUDPReply
    raise TimeoutError('Timeout')
DNS.Base.TimeoutError: Timeout
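The traceback shows the failure mode: is_email() calls validate_email(..., check_mx=True), the MX lookup raises a DNS timeout, and nothing above it catches the exception, so the whole run dies before the yara stage. The following is an added example, not SSMA code, of how that step can degrade instead: the MX check is a pluggable callable (py3dns's DNS.mxlookup would fit, but any resolver works), a lookup failure marks the address as "unverified", and after a configurable number of failures the code assumes it is offline and stops touching the network. The sample strings and addresses are constructed for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Added example (not SSMA code). Stands in for the is_email() step of
# file_strings.py: MX verification is optional, and a network failure marks
# an address "unverified" instead of aborting the whole analysis.

# Constructed strings, as if extracted from a sample; the addresses are made up.
SAMPLE_STRINGS = [
    "GetProcAddress",
    "support@example.test",
    "not-an-email",
    "ops@mail.example.invalid",
]

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

# A resolver takes a domain and returns its MX hosts. It may raise anything
# on network failure (py3dns raises its own TimeoutError, not an OSError).
MxLookup = Callable[[str], List[str]]


class EmailTriage:
    """Extract e-mail addresses and optionally verify their MX records.

    Result values: True  -> an MX record was found
                   False -> the lookup answered but returned no MX record
                   None  -> not checked (offline, or the lookup failed)
    """

    def __init__(self, mx_lookup: Optional[MxLookup] = None, max_failures: int = 1):
        self.mx_lookup = mx_lookup
        self.max_failures = max_failures
        self.failures = 0
        # With no resolver supplied we never touch the network at all.
        self.network_disabled = mx_lookup is None

    def _mx_status(self, domain: str) -> Optional[bool]:
        if self.network_disabled:
            return None
        try:
            return bool(self.mx_lookup(domain))
        except Exception:
            # Broad on purpose: the DNS library's exception is not an OSError.
            # After max_failures failed lookups assume we are offline and
            # stop trying, so one timeout does not cost a timeout per address.
            self.failures += 1
            if self.failures >= self.max_failures:
                self.network_disabled = True
            return None

    def run(self, strings: List[str]) -> Dict[str, Optional[bool]]:
        """Return {address: mx_status} for every string that looks like an e-mail."""
        found: Dict[str, Optional[bool]] = {}
        for s in strings:
            m = EMAIL_RE.match(s)
            if m:
                found[s] = self._mx_status(m.group(1))
        return found


if __name__ == "__main__":
    # Offline run: syntax-only extraction, no DNS traffic at all.
    print(EmailTriage().run(SAMPLE_STRINGS))
```

With no resolver the triage is purely syntactic and never blocks; with a resolver that times out, the first failure disables further lookups and every address still appears in the result, just flagged as unverified. A report can then say "MX not checked (offline)" rather than losing the yara section entirely.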

IndexError: list index out of range

Hello, can you please aid with the following error?

Traceback (most recent call last):
  File "ssma.py", line 141, in
    _tls = pe.checkTSL()
  File "/home/user/Downloads/SSMA-master/src/check_file.py", line 243, in checkTSL
    pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_TLS']].VirtualAddress
IndexError: list index out of range
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 63, in apport_excepthook
    from apport.fileutils import likely_packaged, get_recent_crashes
  File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in
    from apport.report import Report
  File "/usr/lib/python3/dist-packages/apport/report.py", line 30, in
    import apport.fileutils
  File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 23, in
    from apport.packaging_impl import impl as packaging
  File "/usr/lib/python3/dist-packages/apport/packaging_impl.py", line 23, in
    import apt
  File "/usr/lib/python3/dist-packages/apt/__init__.py", line 23, in
    import apt_pkg
ModuleNotFoundError: No module named 'apt_pkg'

Original exception was:
Traceback (most recent call last):
  File "ssma.py", line 141, in
    _tls = pe.checkTSL()
  File "/home/user/Downloads/SSMA-master/src/check_file.py", line 243, in checkTSL
    pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_TLS']].VirtualAddress
IndexError: list index out of range
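The IndexError comes from indexing the data directory at position 9 (IMAGE_DIRECTORY_ENTRY_TLS) without first checking how many entries the optional header actually declares: NumberOfRvaAndSizes can be smaller than 16, and a sample with a short data directory has no TLS slot at all. The following is an added example, not SSMA or pefile code, that parses just enough of a PE32/PE32+ header to apply that guard. build_minimal_pe() constructs test headers (not loadable executables) so the check can be exercised offline; the constant IMAGE_DIRECTORY_ENTRY_TLS = 9 is the standard index.

```python
import struct

# Added example, not SSMA or pefile code. It shows the guard checkTSL() needs:
# the data directory may declare fewer than 16 entries (NumberOfRvaAndSizes),
# so index 9 (TLS) may simply not exist in a given sample.

IMAGE_DIRECTORY_ENTRY_TLS = 9   # standard data-directory index for TLS
MAX_DIRECTORIES = 16            # the Windows loader ignores entries beyond this


def build_minimal_pe(num_rva_and_sizes, directories=None):
    """Constructed PE32 header bytes for testing. Not a loadable executable:
    it has no sections and the optional header is mostly zero."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 8 * num_rva_and_sizes
    # IMAGE_FILE_HEADER: Machine=i386, 0 sections, timestamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(96)                                  # IMAGE_OPTIONAL_HEADER32 up to the directory
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    struct.pack_into("<I", opt, 92, num_rva_and_sizes)   # NumberOfRvaAndSizes is its last DWORD
    dirs = b"".join(
        struct.pack("<II", *(directories or {}).get(i, (0, 0)))
        for i in range(num_rva_and_sizes)
    )
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + dirs


def data_directory_entry(pe, index):
    """Return (VirtualAddress, Size) for data directory `index`, or None when
    the header declares fewer entries. Raises ValueError on a non-PE buffer."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt_off = e_lfanew + 4 + 20                          # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    dir_off = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ directory offset
    declared = struct.unpack_from("<I", pe, dir_off - 4)[0]
    count = min(declared, MAX_DIRECTORIES)
    # The guard the traceback was missing: the slot may not exist, or the
    # file may be truncated before it.
    if index >= count or dir_off + 8 * (index + 1) > len(pe):
        return None
    return struct.unpack_from("<II", pe, dir_off + 8 * index)


def has_tls_directory(pe):
    """True only when a TLS directory slot exists and is non-empty."""
    entry = data_directory_entry(pe, IMAGE_DIRECTORY_ENTRY_TLS)
    return entry is not None and entry[0] != 0


if __name__ == "__main__":
    print(has_tls_directory(build_minimal_pe(4)))                                       # False: no slot 9
    print(has_tls_directory(build_minimal_pe(16, {IMAGE_DIRECTORY_ENTRY_TLS: (0x5000, 0x18)})))  # True
```

With pefile the same guard is a length check on pe.OPTIONAL_HEADER.DATA_DIRECTORY before indexing it (the list only has as many elements as the header declares); a sample with a short directory is worth noting in the report in its own right, since a hand-crafted header is itself a mild anomaly.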

expand its ability

The project is nice; it would be more powerful if it supported ELF or APK. Do you have any plans to do that?

Expanding SSMA

Hi all,

I found this interesting repo, in short

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

I think it could be interesting to use that to extract embedded exes and analyze them with SSMA. A big problem is that it's written in C, and "porting" C to Python is not so easy (at least for me).

A workaround could be extracting the exes (with subprocess or something like that) to a specific dir and then letting SSMA analyze them.

Markdown output

What about a Markdown output?

I need it, so if someone could help me it would be very much appreciated. Also, I think we should discuss what to print because, in my opinion, all the strings are a lot.

pe import in packer.yar

Whenever I try to run SSMA, most of it goes without issue; however, once it gets to the yara rules it fails. Regardless of whether I re-download the yara rules or not, I get the error undefined identifier "pe" in rules/Packers/packer.yar.

I tried changing it to pefile, which I have installed, but it still fails with the same issue. Any suggestions?

peid false positive

rules/Packers/peid.yar contains a rule for Safeguard_103_Simonzh detection. This rule is way too generic and generates a lot of false positives. Could you please delete this rule?

Report to JSON

I tried report to JSON; why is the report shorter than the actual output?

Directory Scanning Does not appear to be functioning

Installed ssma without Python errors or conflicts, but when I go for a directory scan it throws back a message that the filename argument is required:
~/SSMA$ python3 ssma.py -D ~/Labs-and-samples/wannacry
usage: ssma.py [-h] [-k API_KEY] [-d] [-F FLUSH] [-u UPDATE] [-y YARA]
[-D DIRECTORY] [-r REPORT] [-t]
filename
ssma.py: error: the following arguments are required: filename

If I perform just a file scan in that same directory, I get all the expected output, a snippet of which you can see below. I believe this has to do with the filename argument being mandatory in the parser.

~/SSMA$ python3 ssma.py ~/Labs-and-samples/wannacry/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

███████╗███████╗███╗ ███╗ █████╗
██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple
███████╗███████╗██╔████╔██║███████║ Static
╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware
███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer
╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝

File Details:
File: /home/slipstream/Labs-and-samples/wannacry/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Size: 3723264 bytes
Type: application/x-dosexec
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
ssdeep: 98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB
Date: Sat Nov 20 04:03:08 2010
PE file entropy: 7.964258747283063
Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.

Issues with yara scanning

Something seems to be off with the yara rule detection; this appears to be an issue with the rules being compiled. Take a look at the output below: yara successfully hit when run on its own, but ssma did not detect it despite the rule being present in the rules folder. See output below.

remnux@siftworkstation:~/Desktop/SSMA$ yara '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar' '/home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc'
Contains_VBA_macro_code /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc

remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -d /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc

███████╗███████╗███╗ ███╗ █████╗
██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple
███████╗███████╗██╔████╔██║███████║ Static
╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware
███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer
╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝

File Details:
File: /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc
Size: 553984 bytes
Type: application/msword
MD5: 1400dc28f32d901a3b26a61c3956dfac
SHA1: 021276d1f2fb48b762738a132e9f83cdc52f48a2

================================================================================
Scan file using Yara-rules.
With Yara rules you can create a "description" of malware families to detect new samples.
For more information: https://virustotal.github.io/yara/

Nothing found

================================================================================
remnux@siftworkstation:~/Desktop/SSMA$

The yara flag also no longer appears to be working, but since yara scanning happens whenever you run ssma it might not be necessary anymore, and these might be two unrelated issues.

remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -d --yara '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar' '/home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc'

███████╗███████╗███╗ ███╗ █████╗
██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple
███████╗███████╗██╔████╔██║███████║ Static
╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware
███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer
╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝

File Details:
File: /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc
Size: 553984 bytes
Type: application/msword
MD5: 1400dc28f32d901a3b26a61c3956dfac
SHA1: 021276d1f2fb48b762738a132e9f83cdc52f48a2

================================================================================
Scan file using Yara-rules.
With Yara rules you can create a "description" of malware families to detect new samples.
For more information: https://virustotal.github.io/yara/

Traceback (most recent call last):
  File "./ssma.py", line 669, in
    your_target = is_your_target(args.filename, yara)
  File "/home/remnux/Desktop/SSMA/src/check.py", line 75, in is_your_target
    for n in os.listdir(yara_file):
NotADirectoryError: [Errno 20] Not a directory: '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar'
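The NotADirectoryError above is a direct consequence of is_your_target() calling os.listdir() on whatever --yara receives, so a single .yar file cannot be passed even though that is the most natural way to test one rule. The "undefined identifier pe" report in the packer.yar issue earlier on this page points at a related weakness: when a whole rules tree is compiled in one call, one broken file fails the entire set and the message does not say which file. The following is an added example, not SSMA code, that accepts either a file or a directory, builds the namespace-to-path mapping that yara-python's yara.compile(filepaths=...) takes, and compiles per file so a bad rule is reported by name. demo_collect() builds a constructed rules tree in a temporary directory so the collector can be run without any real rule set.

```python
import os
import tempfile

# Added example, not SSMA code. It accepts the -y/--yara value as either a
# single rule file or a directory tree, which os.listdir() alone cannot do.

RULE_EXTENSIONS = (".yar", ".yara")


def collect_rule_files(path):
    """Map a yara namespace to each rule file under `path`.

    The returned dict has the shape yara.compile(filepaths=...) expects.
    A lone .yar file yields one entry; a directory is walked recursively
    and the namespace is the path relative to the rules root, e.g.
    "Malicious_Documents/Maldoc_VBA_macro_code".
    """
    if os.path.isfile(path):
        return {os.path.splitext(os.path.basename(path))[0]: path}
    if not os.path.isdir(path):
        raise FileNotFoundError("no such rule file or directory: %s" % path)
    rules = {}
    for root, _dirs, files in os.walk(path):
        for name in sorted(files):
            if name.lower().endswith(RULE_EXTENSIONS):
                full = os.path.join(root, name)
                rel = os.path.splitext(os.path.relpath(full, path))[0]
                rules[rel.replace(os.sep, "/")] = full
    return rules


def compile_rules(path):
    """Compile each rule file separately so one broken file (for instance an
    undefined identifier) is reported by name instead of failing the whole set.

    Returns (compiled_rules_by_namespace, error_message_by_namespace).
    """
    import yara  # yara-python; imported lazily so collect_rule_files() works without it
    compiled, errors = {}, {}
    for namespace, filepath in collect_rule_files(path).items():
        try:
            compiled[namespace] = yara.compile(filepath=filepath)
        except yara.Error as exc:
            errors[namespace] = str(exc)
    return compiled, errors


def demo_collect():
    """Constructed rules tree in a temp dir (placeholder rules, not real
    detections); returns the mapping for the directory and for one file."""
    root = tempfile.mkdtemp(prefix="ssma-rules-")
    for rel in ("Malicious_Documents/Maldoc_VBA_macro_code.yar",
                "Packers/peid.yar",
                "README.md"):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("rule placeholder { condition: false }\n")
    single = os.path.join(root, "Packers", "peid.yar")
    return collect_rule_files(root), collect_rule_files(single)


if __name__ == "__main__":
    by_dir, by_file = demo_collect()
    print(sorted(by_dir))   # ['Malicious_Documents/Maldoc_VBA_macro_code', 'Packers/peid']
    print(list(by_file))    # ['peid']
```

Scanning with the per-file objects means a rule that fails to compile is skipped and logged rather than silently turning every scan into "Nothing found", which is also a useful first check when a rule matches under the yara binary but not under the tool.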

Update and report flag is throwing back errors

The update feature does not work; see the command output below. Correct me if I am wrong, but are new yara rules downloaded from the main repo, if they exist, every time ssma is run, or are they not updating at all?

remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -u
usage: ssma.py [-h] [-k API_KEY] [-d] [-u UPDATE] [-y YARA] [-D DIRECTORY]
[-r REPORT] [-t]
filename
ssma.py: error: argument -u/--update: expected one argument

remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -u mal.exe
usage: ssma.py [-h] [-k API_KEY] [-d] [-u UPDATE] [-y YARA] [-D DIRECTORY]
[-r REPORT] [-t]
filename
ssma.py: error: the following arguments are required: filename
remnux@siftworkstation:~/Desktop/SSMA$

Similar issue with the report feature as well

remnux@siftworkstation:~/Desktop/SSMA$ ssma -r '/home/remnux/malware-samples/Macro-Ransomeware/bleachbit-test'
usage: ssma.py [-h] [-k API_KEY] [-d] [-F FLUSH] [-u UPDATE] [-y YARA]
[-D DIRECTORY] [-r REPORT] [-t]
filename
ssma.py: error: the following arguments are required: filename
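Both usage errors above, and the directory-scan report earlier on this page, have the same root: the parser declares filename as a required positional, and -u is declared as taking a value, so `-u` alone is rejected and `-D DIRECTORY` or `-r REPORT` without a file is rejected as well. The following is an added example, not SSMA's own parser, that makes filename optional, turns -u into a flag, and enforces "exactly one of FILENAME / -D / -u" after parsing so the error message names the real problem. The option letters are taken from the usage text above; the remaining options are included only as stubs so the usage line still looks familiar.

```python
import argparse
import os

# Added example, not SSMA's parser. filename is optional, -u is a flag that
# takes no argument, and select_mode() enforces that exactly one of
# FILENAME / -D DIRECTORY / -u is present.


def build_parser():
    p = argparse.ArgumentParser(prog="ssma.py")
    p.add_argument("filename", nargs="?", help="file to analyze")
    p.add_argument("-D", "--directory", help="analyze every regular file in DIRECTORY")
    p.add_argument("-u", "--update", action="store_true", help="update the yara rules and exit")
    # Stubs so the usage line resembles the one above; not wired to anything here.
    p.add_argument("-k", "--api-key", help="VirusTotal API key")
    p.add_argument("-d", "--document", action="store_true", help="document mode")
    p.add_argument("-y", "--yara", help="yara rule file or directory")
    p.add_argument("-r", "--report", help="write the report to this path")
    return p


def parse(argv):
    """Parse argv (a list, without the program name) into a Namespace."""
    return build_parser().parse_args(argv)


def select_mode(args):
    """Return which of filename / directory / update was chosen.

    Raises ValueError unless exactly one is present, which is the check
    argparse cannot express once filename is optional.
    """
    modes = [m for m in ("filename", "directory", "update") if getattr(args, m)]
    if len(modes) != 1:
        raise ValueError("give exactly one of: FILENAME, -D DIRECTORY, -u")
    return modes[0]


def targets(args):
    """Files to analyze for the chosen mode; empty for an update run."""
    mode = select_mode(args)
    if mode == "filename":
        return [args.filename]
    if mode == "directory":
        return sorted(
            os.path.join(args.directory, name)
            for name in os.listdir(args.directory)
            if os.path.isfile(os.path.join(args.directory, name))
        )
    return []


if __name__ == "__main__":
    import sys
    ns = parse(sys.argv[1:])
    try:
        print(select_mode(ns), targets(ns))
    except ValueError as exc:
        build_parser().error(str(exc))   # prints usage and exits with status 2
```

Keeping the exclusivity check outside argparse also makes it trivial to unit test, since select_mode() raises a plain ValueError instead of calling sys.exit().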

Not working

Hi, can you provide test samples, since the tool is not working on real malicious samples?

Thank you

Installing with ssdeep requirements file

There seems to be an issue installing using the ssdeep txt file. I posted the error message below along with the full trace

distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-yeg5lpgx/ssdeep/

$ sudo pip3 install -r requirements_with_ssdeep.txt
The directory '/home/labadmin/.cache/pip/http' or its parent directory is not owned by the current user and the cache has been disabled. Please check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
The directory '/home/labadmin/.cache/pip' or its parent directory is not owned by the current user and caching wheels has been disabled. check the permissions and owner of that directory. If executing pip with sudo, you may want sudo's -H flag.
Collecting pefile (from -r requirements_with_ssdeep.txt (line 1))
Downloading pefile-2017.9.3.tar.gz (61kB)
100% |████████████████████████████████| 71kB 3.1kB/s
Collecting python-magic (from -r requirements_with_ssdeep.txt (line 2))
Downloading python_magic-0.4.13-py2.py3-none-any.whl
Collecting yara-python (from -r requirements_with_ssdeep.txt (line 3))
Downloading yara-python-3.6.3.tar.gz (301kB)
100% |████████████████████████████████| 307kB 7.2kB/s
Collecting ssdeep (from -r requirements_with_ssdeep.txt (line 4))
Downloading ssdeep-3.2.tar.gz (316kB)
100% |████████████████████████████████| 317kB 99kB/s
Complete output from command python setup.py egg_info:
c/_cffi_backend.c:2:20: fatal error: Python.h: No such file or directory
#include <Python.h>
^
compilation terminated.
Traceback (most recent call last):
  File "/usr/lib/python3.4/distutils/unixccompiler.py", line 116, in _compile
    extra_postargs)
  File "/usr/lib/python3.4/distutils/ccompiler.py", line 909, in spawn
    spawn(cmd, dry_run=self.dry_run)
  File "/usr/lib/python3.4/distutils/spawn.py", line 36, in spawn
    _spawn_posix(cmd, search_path, dry_run=dry_run)
  File "/usr/lib/python3.4/distutils/spawn.py", line 162, in _spawn_posix
    % (cmd, exit_status))
distutils.errors.DistutilsExecError: command 'x86_64-linux-gnu-gcc' failed with exit status 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.4/distutils/core.py", line 148, in setup
    dist.run_commands()
  File "/usr/lib/python3.4/distutils/dist.py", line 955, in run_commands
    self.run_command(cmd)
  File "/usr/lib/python3.4/distutils/dist.py", line 974, in run_command
    cmd_obj.run()
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/bdist_egg.py", line 169, in run
    cmd = self.call_command('install_lib', warn_dir=0)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/bdist_egg.py", line 155, in call_command
    self.run_command(cmdname)
  File "/usr/lib/python3.4/distutils/cmd.py", line 313, in run_command
    self.distribution.run_command(command)
  File "/usr/lib/python3.4/distutils/dist.py", line 974, in run_command
    cmd_obj.run()
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/install_lib.py", line 11, in run
    self.build()
  File "/usr/lib/python3.4/distutils/command/install_lib.py", line 109, in build
    self.run_command('build_ext')
  File "/usr/lib/python3.4/distutils/cmd.py", line 313, in run_command
    self.distribution.run_command(command)
  File "/usr/lib/python3.4/distutils/dist.py", line 974, in run_command
    cmd_obj.run()
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/build_ext.py", line 75, in run
    _build_ext.run(self)
  File "/usr/lib/python3.4/distutils/command/build_ext.py", line 339, in run
    self.build_extensions()
  File "/usr/lib/python3.4/distutils/command/build_ext.py", line 448, in build_extensions
    self.build_extension(ext)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/build_ext.py", line 196, in build_extension
    _build_ext.build_extension(self, ext)
  File "/usr/lib/python3.4/distutils/command/build_ext.py", line 503, in build_extension
    depends=ext.depends)
  File "/usr/lib/python3.4/distutils/ccompiler.py", line 574, in compile
    self._compile(obj, src, ext, cc_args, extra_postargs, pp_opts)
  File "/usr/lib/python3.4/distutils/unixccompiler.py", line 118, in _compile
    raise CompileError(msg)
distutils.errors.CompileError: command 'x86_64-linux-gnu-gcc' failed with exit status 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 158, in save_modules
    yield saved
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 199, in setup_context
    yield
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 254, in run_setup
    _execfile(setup_script, ns)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 49, in _execfile
    exec(code, globals, locals)
  File "/tmp/easy_install-pxl3g9em/cffi-1.11.0/setup.py", line 235, in <module>
  File "/usr/lib/python3.4/distutils/core.py", line 163, in setup
    raise SystemExit("error: " + str(msg))
SystemExit: error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 1104, in run_setup
    run_setup(setup_script, args)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 257, in run_setup
    raise
  File "/usr/lib/python3.4/contextlib.py", line 77, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 199, in setup_context
    yield
  File "/usr/lib/python3.4/contextlib.py", line 77, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 170, in save_modules
    saved_exc.resume()
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 145, in resume
    six.reraise(type, exc, self._tb)
  File "/usr/local/lib/python3.4/dist-packages/pkg_resources/_vendor/six.py", line 685, in reraise
    raise value.with_traceback(tb)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 158, in save_modules
    yield saved
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 199, in setup_context
    yield
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 254, in run_setup
    _execfile(setup_script, ns)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/sandbox.py", line 49, in _execfile
    exec(code, globals, locals)
  File "/tmp/easy_install-pxl3g9em/cffi-1.11.0/setup.py", line 235, in <module>
  File "/usr/lib/python3.4/distutils/core.py", line 163, in setup
    raise SystemExit("error: " + str(msg))
SystemExit: error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/tmp/pip-build-yeg5lpgx/ssdeep/setup.py", line 138, in <module>
    ext_package="ssdeep",
  File "/usr/lib/python3.4/distutils/core.py", line 108, in setup
    _setup_distribution = dist = klass(attrs)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/dist.py", line 335, in __init__
    self.fetch_build_eggs(attrs['setup_requires'])
  File "/usr/local/lib/python3.4/dist-packages/setuptools/dist.py", line 456, in fetch_build_eggs
    replace_conflicting=True,
  File "/usr/local/lib/python3.4/dist-packages/pkg_resources/__init__.py", line 863, in resolve
    replace_conflicting=replace_conflicting
  File "/usr/local/lib/python3.4/dist-packages/pkg_resources/__init__.py", line 1141, in best_match
    return self.obtain(req, installer)
  File "/usr/local/lib/python3.4/dist-packages/pkg_resources/__init__.py", line 1153, in obtain
    return installer(requirement)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/dist.py", line 522, in fetch_build_egg
    return cmd.easy_install(req)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 672, in easy_install
    return self.install_item(spec, dist.location, tmpdir, deps)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 698, in install_item
    dists = self.install_eggs(spec, download, tmpdir)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 879, in install_eggs
    return self.build_and_install(setup_script, setup_base)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 1118, in build_and_install
    self.run_setup(setup_script, setup_base, args)
  File "/usr/local/lib/python3.4/dist-packages/setuptools/command/easy_install.py", line 1106, in run_setup
    raise DistutilsError("Setup script exited with %s" % (v.args[0],))
distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1

----------------------------------------

Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-yeg5lpgx/ssdeep/

Database

Hi,

I think it could be interesting to create a database to store reports. Everyone could contribute or not with a simple argument (disabled by default), so that we can identify different but similar actors and factors.

The users could choose to share widely (with everyone using ssma) or closely (with their specific team).

Other ideas are on the way; if you think this could be a great feature, please let me know so that I can elaborate on it.

Potential Goals and milestones

I have a short list of ideas for 2018 that I am interested in for ssma development. I wanted to hear some feedback on these ideas before going forward.

Create an option that prints detailed yara results showing which strings hit on the sample

Display macro offsets in the same way that oledump or oletools does

Develop a detailed display option that dumps PE and PE section info in the same way manalyze or pecheck does (header, sections, etc.)

Develop a framework for static analysis

Create an output to CSV or PDF report option

Write a simple cheat sheet; the commands are a little confusing (I've had feedback where people didn't realize you needed a period to do the directory scan, or couldn't get the VirusTotal option to work; embarrassingly, I still don't know how to use that feature).

this why?

[screenshot 2018-02-17_13-01-01]
this why? I've installed it but cannot?
