Florentino is a cross-platform file analysis framework.
It is useful for extracting static resources from malwares and unknown file analysis.
It can help malware analysts and security researchers to quickly get a glance at an unknown file.
Without these programs, it was a lost war from beginning.
Anytime we want to analyze an unknown file, there are a couple of steps which are almost identical Florentino aims to automate some of these boring steps so an analyst can move faster with manual and dynamic analysis.
Florentino: “Flowers, women – I desire all that is beautiful.”
Florentino is written in go, and it’s fast!. You can run it before any other tool in your chain to gain a good grasp of your target file. Most of the time, it’s all you need to determine if a file is malicious or not!
1- File detection engine
Thanks to D.I.E, Florentino can detect hundreds of file types.
- Number of com signatures: 200
- Number of Text signatures: 14
- Number of com signatures: 3
- Number of MSDOS signatures: 306
- Number of PE/PE+ signatures: 525
- Number of DS signatures: 19
- Number of EP signatures: 3
- Number of ELF/ELF64 signatures: 16
- Number of MACH/MACH64 signatures: 8
- Total signatures: 1117
Beside file detection, entropy and packer detection also performed.
2- Scan engine
Florentino can work various sources to analyze the file.
VirusTotal: we check it for an existing report
Strings and IOC scan: Florentino takes it; further it will extract, scan and possibly deobfuscate strings from binary files
Binary scan: Florentino can work with PE x86/x64, Macho x86/x64, ELF x86/x64 files it will obtain imported symbol and libraries
3- Packer detection and unpacking
Currently only support PE x86 Files
unpack engine : unpac.me
All reports are stored as a text file in /data directory
Please note Florentino is not a reversing suite and its only aim is only to fasten the first analysis Florentino is modular and easy to extend with your own tools.
Installation and Usage
Florentino is straightforward to use; all you have to do is install dependencies and setup .EVN file (there is an example env)
Build and Run
- cd cmd
- mkdir data
- touch .evn
- example .evn
DIEC_PATH=/tools/diec FLOSS_PATH=/tools/floss VIRUSTOTAL_API=YOUR_API_KEY
- go build main
- Florentino -f FILE-TO-ANALYSIS
- now data will be available in /data