Skip to main content
Glama
zrax-x

APT Analysis MCP Server

by zrax-x
OverviewSchemaRelated ServersScoreDiscussions
Python
Local

APT Analysis MCP Server

An MCP (Model Context Protocol) server designed to assist in APT (Advanced Persistent Threat) malware analysis. Currently provides tools for securely downloading samples via a jump server.

Features

  • Sample Downloader: Securely download malware samples from a remote server via a jump host using SSH/SCP.

  • Rule Hash Query: Query sample hashes associated with YARA rules by rule name and namespace.

  • Integrated Workflow: Download samples directly by YARA rule name.

Installation

  1. Clone the repository:

    git clone https://github.com/zrax-x/apt-analysis-mcp.git
cd apt-analysis-mcp

  2. Install dependencies: It is recommended to use a virtual environment.

    python -m venv .venv
.venv\Scripts\activate  # Windows
# source .venv/bin/activate # Linux/Mac
pip install -r requirements.txt

Configuration

  1. Copy the example configuration:

    copy config.example.json config.json

  2. Edit config.json: Fill in your SSH details for the jumper and target servers, specify the local download directory, and configure the Rule Hash Mapping file path.

    {
  "jumper": {
    "user": "your_jumper_user",
    "host": "jump_server_ip",
    "port": 22,
    "key": "~/.ssh/id_rsa_jumper"
  },
  "target": {
    "user": "your_target_user",
    "host": "target_server_ip",
    "port": 22,
    "workdir": "/path/to/target/workdir",
    "key": "~/.ssh/id_rsa_target"
  },
  "local_download_dir": "/path/to/local/samples",
  "rule_hash_mapping_file": "/path/to/Rule_Hash_Mapping.csv"
}

    Configuration Fields:

    • jumper: Jump server (bastion host) SSH configuration

    • target: Target server SSH configuration where samples are stored

    • local_download_dir: Local directory to save downloaded samples

    • rule_hash_mapping_file: Path to the Rule_Hash_Mapping.csv file (absolute path recommended)

  3. Generate Rule Hash Mapping: The server requires a Rule_Hash_Mapping.csv file. Generate it by running:

    cd /path/to/yara_rules_parent_directory
python3 build_rule_hash_mapping.py

    This will scan all YARA rules and create the mapping table. Then update the rule_hash_mapping_file path in config.json to point to this file.

Usage with Claude Desktop

Add the server to your claude_desktop_config.json (typically in %APPDATA%\Claude\ on Windows).

{
  "mcpServers": {
    "apt-analysis": {
      "command": "path/to/your/venv/Scripts/python.exe",
      "args": [
        "path/to/apt-analysis-mcp/server.py"
      ]
    }
  }
}

Available Tools

1. download_samples

Download malware samples by SHA256 hash.

Parameters:

  • hash_list (list[str]): List of SHA256 hashes to download

  • output_dir (str, optional): Local directory to save samples to (defaults to local_download_dir in config)

Example:

Download samples with hashes: ["3123bbd5564f4381820fb8da5810bd4d9718b5c80a7e8f055961007c6f30daff", "..."]

Returns:

"Successfully downloaded samples to /path/to/samples"

2. get_rule_sha256_list

Get SHA256 hash list for a YARA rule (ready for downloading samples).

This tool queries the Rule_Hash_Mapping.csv file (configured in config.json) to retrieve SHA256 hashes associated with a specific YARA rule. The returned hashes can be directly used with the download_samples tool.

Parameters:

  • rule (str, required): YARA rule name (e.g., "APT_xxx")

  • namespace (str, optional): YARA file path for exact matching (e.g., "./yara_rules/xxx/pe_rules/abc.yara")

    • If not provided, returns all rules matching the rule name

    • If provided, returns only the exact match

Example Usage:

Get SHA256 list for rule: APT_xxx

Returns:

{
  "success": true,
  "sha256_hashes": [
    "3123bbd5564f4381820fb8da5810bd4d9718b5c80a7e8f055961007c6f30daff",
    "123408972b8ec9c2e64eeb46ce1db92ae3c40bc8de48d278ba4d436fc3c8b3a4",
    "ffaab4463be9d8131f363fd78e21d9de5d838a3ec4044526aea45a473d6ddd61",
    "..."
  ],
  "count": 9,
  "error": null
}

Error Response:

{
  "success": false,
  "sha256_hashes": [],
  "count": 0,
  "error": "No SHA256 hashes found for rule: nonexistent_rule"
}

Notes:

  • The tool reads from the rule_hash_mapping_file configured in config.json

  • Returns only SHA256 hashes (MD5 hashes are not included as downloads require SHA256)

  • Automatically deduplicates hashes if a rule appears in multiple files

  • If the mapping file is not found or not configured, returns an error

Workflow Examples

Example 1: Query and Download Samples

Step 1: Get SHA256 list for rule: APT_IN_xxx
Step 2: Download samples with the returned SHA256 hashes

Example 2: Download Specific Rule Samples

1. Get SHA256 list for rule: M_Hunting_yyy
2. Copy the SHA256 hashes from the response
3. Download samples with those hashes to /home/user/samples

Development

  • Add new tools: Create new modules in tools/ and register them in server.py.

This server cannot be installed

-
security - not tested
F
license - not found
-
quality - not tested

How are these scores calculated?

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/zrax-x/apt-analysis-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server