We presented tknk_scanner using YARA at Black Hat Europe 2018 Arsenal. tknk_scanner is a community-based integrated malware identification system, which aims to easily identify malware families by automating this process using an integration of open source community-based tools and freeware.
The previous tknk_scanner only supported binary-based scanning (scanning with YARA, a summary of VirusTotal results using AVClass, and file signatures from Detect It Easy). This major update adds a packet-capture and network-based scanning mode, which lets the scanner use network-based signatures (Snort rules, Suricata rules). In addition, you can obtain per-process communication information and associate network signature hits with binary signature hits. Of course, those results can be easily checked from the cool Web UI. Support for both binary-based and network-based signatures enables simple dynamic analysis and improves malware identification accuracy. With this update, tknk_scanner further supports analysis by SOC operators, CSIRT members, and malware analysts.
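The association of network signatures with binary signatures described above, as an added example that is not tknk_scanner's own code: constructed YARA matches, a constructed per-process connection log from a sandbox run, and constructed Suricata-style alerts are joined on the connection 5-tuple so each alert is attributed to the process (and thus the sample) that produced the traffic. Rule names, SIDs, hashes and addresses are all hypothetical placeholders.

```python
from collections import defaultdict

# Constructed YARA results: sample identifier -> matched rule names (hypothetical).
YARA_HITS = {
    "sample-A": ["familyA_loader"],
    "sample-B": [],
}

# Constructed process-communication log captured during dynamic analysis:
# (sample, pid, src_ip, src_port, dst_ip, dst_port)
PROC_CONNS = [
    ("sample-A", 1337, "10.0.0.5", 49152, "198.51.100.7", 8080),
    ("sample-B", 2048, "10.0.0.5", 49153, "203.0.113.9", 443),
]

# Constructed IDS alerts (Snort/Suricata style), keyed by the flow 5-tuple:
# (src_ip, src_port, dst_ip, dst_port, signature_msg, sid)
IDS_ALERTS = [
    ("10.0.0.5", 49152, "198.51.100.7", 8080, "EXAMPLE Family-A CnC beacon", 9000001),
]


def correlate(yara_hits, proc_conns, ids_alerts):
    """Join each IDS alert to the process that owned the flow, then to that
    sample's YARA matches, giving one combined record per sample."""
    alerts_by_flow = defaultdict(list)
    for src, sport, dst, dport, msg, sid in ids_alerts:
        alerts_by_flow[(src, sport, dst, dport)].append((msg, sid))

    report = {}
    for sample, pid, src, sport, dst, dport in proc_conns:
        entry = report.setdefault(
            sample, {"yara": list(yara_hits.get(sample, [])), "network": []})
        for msg, sid in alerts_by_flow.get((src, sport, dst, dport), []):
            entry["network"].append(
                {"pid": pid, "dst": f"{dst}:{dport}", "signature": msg, "sid": sid})
    return report


def verdict(entry):
    """Both signature types hit -> identified; one -> partial; none -> unknown."""
    has_bin, has_net = bool(entry["yara"]), bool(entry["network"])
    if has_bin and has_net:
        return "identified (binary+network)"
    if has_bin or has_net:
        return "partial (single signature type)"
    return "unidentified"
```

A sample whose traffic triggers no network rule and whose file matches no YARA rule stays "unidentified", which is the case where a human analyst still has to look.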