IcePorge

View on GitHub

Comprehensive Malware Analysis & Threat Intelligence Stack

IcePorge is a modular, enterprise-grade malware analysis ecosystem that integrates dynamic sandboxing, static reverse engineering, threat intelligence feeds, and LLM-powered analysis into a cohesive workflow.

License: MIT GitHub

Quick Start

Clone Everything 

# Clone main repository
git clone https://github.com/icepaule/IcePorge.git
cd IcePorge

# Clone all component repositories
./scripts/clone-all.sh

# For HTTPS instead of SSH:
./scripts/clone-all.sh --https

Update All Repositories 

# Pull latest from all repos
./scripts/clone-all.sh

Architecture Overview 

flowchart TB
    subgraph FEEDS["THREAT INTELLIGENCE FEEDS"]
        F1[URLhaus]
        F2[ThreatFox]
        F3[MalwareBazaar]
        F4[Hybrid Analysis]
        F5[Ransomware.live]
    end

    subgraph AGGREGATORS["FEED AGGREGATORS"]
        AGG1[MWDB-Feeder<br/>Multi-Source]
        AGG2[CAPE-Feed<br/>MalwareBazaar]
    end

    subgraph PLATFORM["ANALYSIS PLATFORM - Sandbox Server"]
        subgraph CORE["MWDB-Stack + CAPE Sandbox"]
            MWDB[MWDB-Core<br/>PostgreSQL + MinIO]
            KARTON[Karton<br/>Orchestrator]
            CAPE[CAPE Sandbox<br/>Dynamic Analysis]
            SUBMITTER[karton-cape-submitter<br/>Auto Pipeline]
        end
        MAILER[CAPE-Mailer<br/>Phishing Analysis]
        MISP[MISP<br/>Threat Intel]
    end

    subgraph AI["AI-ENHANCED ANALYSIS - GPU Server"]
        GHIDRA[Ghidra-Orchestrator<br/>Headless Decompilation]
        RAG[Malware-RAG<br/>Vector DB + FOR610]
        OLLAMA[Ollama<br/>Llama/Mistral LLMs]
    end

    FEEDS --> AGGREGATORS
    AGG1 --> MWDB
    AGG2 --> CAPE
    MWDB --> KARTON
    KARTON --> CAPE
    KARTON --> SUBMITTER
    SUBMITTER --> CAPE
    CAPE --> MISP
    CAPE --> MAILER
    PLATFORM --> AI
    GHIDRA --> RAG
    RAG --> OLLAMA

Architecture Diagram

Components

Repository Description Server
IcePorge-MWDB-Stack MWDB-core with Karton orchestration Sandbox
IcePorge-MWDB-Feeder Multi-source malware aggregator Sandbox
IcePorge-CAPE-Feed MalwareBazaar → CAPE → MISP pipeline Sandbox
IcePorge-CAPE-Mailer Email-triggered analysis Sandbox
IcePorge-Cockpit Web management UI (Cockpit modules) Sandbox
IcePorge-Ghidra-Orchestrator Automated reverse engineering GPU
IcePorge-Malware-RAG LLM-powered RAG analysis GPU

Features

Threat Intelligence Ingestion

  • URLhaus - Malicious URL and payload collection
  • ThreatFox - IOC aggregation with sample downloads
  • MalwareBazaar - Malware sample repository
  • Hybrid Analysis - Falcon Sandbox public feed
  • Ransomware.live - Ransomware gang tracking

Dynamic Analysis

  • CAPE Sandbox - Behavior analysis with config extraction
  • Automated submission - Tag-based routing and prefiltering
  • MISP integration - Automatic IOC export

Static Analysis

  • Ghidra Headless - Automated decompilation
  • LLM Enhancement - AI-powered code understanding
  • API Extraction - Function and string analysis

AI-Enhanced Analysis

  • Ollama Integration - Local LLM inference (privacy-focused)
  • RAG Pipeline - Context-aware malware analysis
  • Vector Search - Semantic similarity with Qdrant

Configuration

All sensitive data (API keys, passwords) is stored in .env files which are never committed.

Required API Keys

Service Registration Used By
abuse.ch https://auth.abuse.ch/ MWDB-Feeder, CAPE-Feed
Hybrid Analysis https://www.hybrid-analysis.com/signup MWDB-Feeder
MISP Your instance CAPE-Feed

Automatic Sync

The sync-to-github.sh script automatically synchronizes local changes:

# Manual sync with dry-run
/opt/iceporge/sync-to-github.sh --dry-run --verbose

# Sync with screenshot capture
/opt/iceporge/sync-to-github.sh --screenshots

# Add to crontab (daily at 2:00 AM)
0 2 * * * /opt/iceporge/sync-to-github.sh >> /var/log/iceporge-sync.log 2>&1

Features:

  • Sensitive data detection - Blocks commits with passwords/keys
  • Screenshot capture - Documents web interfaces
  • Multi-server support - Works on capev2 and ki01

Management UI

Access via Cockpit at https://your-server:9090/:

  • CAPE Sandbox - Service status, VM management
  • MWDB Stack - Container status, Karton pipeline

Screenshots

MWDB Web Interface

MWDB Web Interface

Central malware sample repository with tagging, relationships, and Karton integration.

MWDB Stack Manager (Cockpit)

MWDB Stack Manager

Manage MWDB services, Karton pipeline, and container health from Cockpit.

CAPE Sandbox Manager (Cockpit)

CAPE Sandbox Manager

Monitor CAPE services, VMs, and external service connectivity.

License

MIT License with Attribution

Author: Michael Pauli

When using this software, please maintain attribution to the original author.

Contributing

Contributions welcome! Please:

  1. Fork the relevant component repository
  2. Create a feature branch
  3. Submit a pull request

Support

  • Open an issue in the relevant repository
  • Email: info@mpauli.de