mastiff
Spin up a container (docker run) from the remnux/mastiff image, mapping the host /tmp (or wherever your suspicious file resides) to /tmp inside the container (-v /tmp:/tmp), drop straight into a shell (-it, bash), and have the container deleted when you exit (--rm; this removes the container, not the image or Docker itself). To be clear, when mapping host directories into containers the order is host_path:container_path:
docker run --rm -it -v /tmp:/tmp remnux/mastiff bash
Run mas.py against the suspicious file (in this case teflondoor.exe from the “EQUATIONGROUP” sample set):
./mas.py /tmp/TOOLS/teflondoor.exe
Change directory to ~/workdir/xxxhashxxx, where xxxhashxxx is the MD5 hash of the analyzed file (the same hash that is looked up on VirusTotal below), to view the output files of MASTIFF:
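The three steps above wrapped into one script, as an added example that is not code from the original page or from the MASTIFF project. It assumes the image is remnux/mastiff, that ./mas.py resolves from the container's default working directory as it does on the page, and that MASTIFF names its per-sample output directory after the sample's MD5 hash (the xxxhashxxx placeholder above). The script checks that the sample actually lives under the bind-mounted host directory before starting the container, since a file outside that directory is simply invisible inside it.

```shell
#!/bin/sh
# Added example (not from the original page or the MASTIFF project).
# Assumptions: image remnux/mastiff, ./mas.py usable from the container's
# default working directory, output directory ~/workdir/<md5 of sample>.
set -u

IMAGE="remnux/mastiff"
HOST_DIR="/tmp"   # bind-mounted to the same path inside the container (host:container)

# Hex MD5 of a file; works with GNU coreutils (md5sum) and BSD/macOS (md5 -q).
sample_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum -- "$1" | cut -d' ' -f1
  else
    md5 -q "$1"
  fi
}

# A sample is only visible inside the container if it lives under HOST_DIR,
# because only that directory is mapped in. Returns 1 otherwise.
check_under_host_dir() {
  case "$1" in
    "$HOST_DIR"/*) return 0 ;;
    *)             return 1 ;;
  esac
}

# Build the docker command line as a string. After mas.py finishes, the inner
# bash changes into the per-sample output directory and stays interactive
# (exec bash), which is the directory the page has you cd into by hand.
mastiff_cmd() {
  sample="$1"
  md5="$2"
  printf "docker run --rm -it -v %s:%s %s bash -c './mas.py %s && cd ~/workdir/%s && exec bash'" \
    "$HOST_DIR" "$HOST_DIR" "$IMAGE" "$sample" "$md5"
}

# Validate the sample path, compute its MD5 on the host, then start the
# container (needs docker on the host; paths must not contain spaces).
run_mastiff() {
  sample="$1"
  if [ ! -f "$sample" ]; then
    echo "no such file: $sample" >&2
    return 2
  fi
  if ! check_under_host_dir "$sample"; then
    echo "$sample is not under $HOST_DIR, so it would not be visible in the container" >&2
    return 2
  fi
  md5=$(sample_md5 "$sample")
  echo "sample MD5 $md5; MASTIFF output will be in ~/workdir/$md5 inside the container" >&2
  eval "$(mastiff_cmd "$sample" "$md5")"
}

# Usage: sh mastiff-run.sh /tmp/TOOLS/teflondoor.exe
if [ "$#" -gt 0 ]; then
  run_mastiff "$1"
fi
```

Invoke it as sh mastiff-run.sh /tmp/TOOLS/teflondoor.exe; when mas.py finishes you are left in the output directory of the container, so ls shows peinfo-quick.txt and the other result files directly.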
The “peinfo-quick.txt”:
Extra: VirusTotal results for MD5 “57d8f4d4e74d5ea21e8e257d810f7177”: