Assemblyline services

Services currently installed on a system can be found under Help > Service Listing.

This is the list of all the services that are bundled with Assemblyline and that are maintained by the Assemblyline team:

| Service Name | Speciality | Description |
|---|---|---|
| APIVector | Windows binaries | Extracts library imports from Windows PE files or memory dumps to generate an API vector classification. |
| APKaye | Android APK | APKs are decompiled and inspected. Network indicators and information found in the APK manifest file are displayed. |
| AntiVirus | Anti-virus | Generic ICAP client to integrate with most enterprise anti-virus scanners. |
| Batchdeobfuscator | Deobfuscation | Deobfuscates batch files through variable resolution. |
| CAPA | Windows binaries | CAPA open-source tool integration. |
| Characterize | Entropy analysis | Partitions the file and calculates visual entropy for each partition; extracts Exif metadata. |
| ConfigExtractor | IoC extraction | Extracts malware configuration, yielding the list of C2 servers, encryption material, etc. |
| CAPE | Sandbox | Provides dynamic malware analysis through sandboxing. |
| DeobfuScripter | Deobfuscation | Static script de-obfuscator. The purpose is not surgical de-obfuscation, but rather extraction of obfuscated IOCs. |
| ELF | Linux binaries | Extracts attributes (sections, segments, ...) from ELF files using LIEF. |
| ELFPARSER | Linux binaries | ELFParser open-source tool integration. |
| EmlParser | Emails | Parses emails using the GOVCERT-LU eml_parser library, extracting header information, attachments and URIs. |
| Espresso | Java | All classes are extracted, decompiled, and analyzed for malicious behaviour. |
| Extract | Compressed files | This service extracts embedded files from file containers (like ZIP, RAR, 7z, ...). |
| Floss | IoC extraction | Automatically extracts obfuscated strings from malware using the FireEye Labs Obfuscated String Solver. |
| FrankenStrings | IoC extraction | This service performs file and IOC extraction using pattern matching, simple encoding decoders and script de-obfuscators. |
| Intezer | File genome identification | Interface to the Intezer Analyze API 2.0; submits the file for analysis if its hash is not present in the Intezer database. |
| IPArse | Apple iOS | Analyzes Apple apps. |
| JsJaws | JavaScript | Analyzes malicious JavaScript. |
| MetaPeek | Metadata analysis | Checks submission metadata for indicators of potentially malicious behaviour (double file extensions, ...). |
| Oletools | Office documents | This service extracts metadata and network information and reports anomalies in Microsoft OLE and XML documents using the Python library py-oletools by Philippe Lagadec. |
| Overpower | PowerShell | De-obfuscates PowerShell scripts. |
| PDFId | PDF documents | This service extracts metadata from PDFs using Didier Stevens' PDFId and PDFParse. |
| PE | Windows binaries | Extracts attributes (imports, exports, sections, ...) from PE files using LIEF. |
| PeePDF | PDF documents | This service uses the Python PeePDF library to extract information from PDFs, including JavaScript blocks, which it will attempt to de-obfuscate if necessary for further analysis. |
| PixAxe | Images | Extracts text from images. |
| Safelist | Safelisting | Allows hash, IoC and signature safelisting, including support for downloading the NSRL. |
| Sigma | Event log signatures | Scans event logs (e.g. from a sandbox or a compromised host) using Sigma rules. |
| Suricata | Network signatures | Scans network captures (.pcap), whether submitted directly or extracted during analysis, with Suricata. |
| Swiffer | Adobe Shockwave | This service extracts metadata and performs anomaly detection on Adobe Shockwave (.swf) files. |
| TagCheck | Tag signatures | YARA signatures on Assemblyline tags (build your own signatures to hit on specific tags). |
| TorrentSlicer | Torrent files | Extracts information from torrent files. |
| Unpacker | UPX unpacker | This service unpacks UPX-packed executables for further analysis. |
| Unpac.me | Unpacker | Integrates with unpac.me. |
| URLCreator | URL file creation | Creates URI files from URL tags that appear malicious. |
| URLDownloader | URL fetching | Fetches the URLs contained in URI files. |
| ViperMonkey | Office documents | ViperMonkey is a VBA emulation engine by https://linktr.ee/decalage. |
| VirusTotal | Anti-virus | This service checks (and optionally submits) files/URLs to VirusTotal for analysis. |
| XLMMacroDeobfuscator | Office documents | Analyzes Excel 4.0 macros. |
| YARA | File signatures | Scans files against YARA signatures. |
End of life, no longer actively supported:

| Service Name | Speciality | Description |
|---|---|---|
| Cuckoo | Sandbox | Provides dynamic malware analysis through sandboxing. |
| IntezerStatic | File genome identification | Interface to the Intezer Analyze API 2.0; performs hash lookups of the submitted file. |
| MetaDefender | Anti-virus | Service for the OPSWAT MetaDefender anti-virus (multi-engine) scanner. |
| PEFile | Windows binaries | This service extracts attributes (imports, exports, section names, ...) from Windows PE files using the Python library pefile. |
| VirusTotalDynamic | Anti-virus | Checks VirusTotal and actively sends files to it for analysis. |
| VirusTotalStatic | Anti-virus | Checks VirusTotal for existing analysis of the submitted file. |