Vault1337 - Documentation

Docker (Quick Start)

The fastest way to run Vault1337. Uses SQLite — data is not persisted after the container stops.

Requirements: Docker installed on your system. See the official Docker docs.

Pull the image

docker pull vault1337/vault1337:latest

Run the container

docker run -p 8000:8000 \
  -e SECRET_KEY=change-me-to-a-long-random-string \
  -e DEBUG=True \
  vault1337/vault1337:latest

Log in

Open http://localhost:8000 and log in with the default credentials:

Username: admin
Password: changeme123

Important: Change your password immediately via the Management page after first login.

Add API keys (optional)

Navigate to Management → API Keys to add keys for the intelligence integrations. See the API Keys section below.

Docker Compose

Recommended for persistent deployments. Spins up Vault1337 with a PostgreSQL database and named volumes for samples and YARA rules.

Clone the repository

git clone https://github.com/DanDreadless/Vault1337.git
cd Vault1337/Docker

Configure the environment

All settings live in Docker/.env. Open it and set at minimum:

Variable	Description
`SECRET_KEY`	Long random string — generate with `openssl rand -hex 50`
`POSTGRES_PASSWORD`	Password for the PostgreSQL database
`DJANGO_SUPERUSER_PASSWORD`	Initial admin account password
`ALLOWED_HOSTS`	Comma-separated hostnames or IPs, e.g. `localhost,192.168.1.10`

Start the stack

docker compose up -d

This builds the image (if not already built), starts PostgreSQL, waits for a health check, then starts Gunicorn. Migrations and superuser creation happen automatically on first run.

Open Vault1337

Navigate to http://localhost:8000 (or your configured HOST_PORT) and log in.

# View logs
docker compose logs -f

# Stop the stack (data preserved)
docker compose down

# Stop and wipe all data
docker compose down -v

Docker Development

Use the localdev overlay to run the Django + React stack in Docker while keeping your local db.sqlite3 and sample_storage/ mounted directly from the host. Ideal for day-to-day development without a full PostgreSQL setup.

Fix file permissions (WSL / Linux)

The container runs as vault (UID 1001). If your host files are owned by a different UID, the container cannot write to them. Run once from the project root:

chmod 666 db.sqlite3
chmod -R 777 sample_storage/

WSL note: Windows-side files mounted into WSL appear with host UID 1000, which differs from the container's UID 1001. The commands above fix this. You do not need to do this on a native Linux host where you created the files as the same user.

Start the dev stack

Run all three compose files — base, build override, and localdev overlay:

docker compose \
  -f Docker/docker-compose.yml \
  -f Docker/docker-compose.build.yml \
  -f Docker/docker-compose.localdev.yml \
  up --build

This mounts db.sqlite3 and sample_storage/ from the project root, skips PostgreSQL, and applies SQLite WAL mode for concurrent reads. The React dev server is not included — run it separately (see Local Development step 6) for hot-reload.

Useful compose commands

# Rebuild after backend dependency changes
docker compose -f Docker/docker-compose.yml \
  -f Docker/docker-compose.build.yml \
  -f Docker/docker-compose.localdev.yml \
  up --build

# Stop without removing volumes
docker compose -f Docker/docker-compose.yml \
  -f Docker/docker-compose.localdev.yml \
  down

Local Development

Requires Python 3.12+, Node.js 22+, and (optionally) PostgreSQL.

Clone and set up a Python virtual environment

git clone https://github.com/DanDreadless/Vault1337.git
cd Vault1337
python3 -m venv env
source env/bin/activate   # Windows: env\Scripts\activate
pip install -r requirements.txt

Install system dependencies

# Ubuntu / Debian
sudo apt install -y libimage-exiftool-perl libmpc-dev libgl1 libglib2.0-0

Configure the environment

Create a .env file in the project root with at minimum:

SECRET_KEY=change-me-to-a-long-random-string
DEBUG=True
ALLOWED_HOSTS=127.0.0.1,localhost
# Leave DATABASE_URL unset to use SQLite

Run migrations and create a superuser

python manage.py migrate
python manage.py createsuperuser

Start the Django API

python manage.py runserver

Start the React frontend (second terminal)

cd frontend
npm install
npm run dev

Open http://localhost:5173. The Vite dev server proxies /api/ requests to Django on port 8000.

Environment Variables

All configuration is handled via environment variables loaded from a .env file (or passed directly to the container).

Variable	Default	Description
`SECRET_KEY`	required	Django secret key — use a long random string
`DEBUG`	`False`	Set `True` for local development only
`ALLOWED_HOSTS`	`127.0.0.1`	Comma-separated list of allowed hostnames/IPs
`DATABASE_URL`	SQLite	PostgreSQL connection string, e.g. `postgres://user:pass@host:5432/db`
`CORS_ALLOWED_ORIGINS`	`http://localhost:5173`	Comma-separated origins allowed for CORS requests
`MAX_UPLOAD_SIZE_MB`	`200`	Maximum file upload size in megabytes
`POSTGRES_DB`	`vault1337`	PostgreSQL database name (Compose only)
`POSTGRES_USER`	`vault`	PostgreSQL username (Compose only)
`POSTGRES_PASSWORD`	required	PostgreSQL password (Compose only)
`DJANGO_SUPERUSER_USERNAME`	`admin`	Superuser created on first container startup
`DJANGO_SUPERUSER_EMAIL`	`admin@localhost`	Superuser email
`DJANGO_SUPERUSER_PASSWORD`	`changeme123`	Superuser initial password — change this
`HOST_PORT`	`8000`	Host port mapped to container port 8000
`IOC_VT_MALICIOUS_THRESHOLD`	`1`	VirusTotal malicious engine count required to auto-mark an IOC as true positive
`IOC_ABUSEIPDB_SCORE_THRESHOLD`	`25`	AbuseIPDB confidence score (0–100) required to auto-mark an IP IOC as true positive
`IOC_ENRICH_VT_DELAY_SECONDS`	`15`	Delay between VirusTotal calls during batch IOC enrichment (free tier rate limit)

API Keys

Third-party intelligence features require API keys. Add them via the web UI at Management → API Keys (staff account required), or set them in your .env file before starting the container.

Key	Service	Used for
`VT_KEY`	VirusTotal	Download samples by SHA256 hash, VT enrichment, domain/IP intelligence
`MALWARE_BAZAAR_KEY`	MalwareBazaar	Download samples by SHA256 hash
`ABUSEIPDB_KEY`	AbuseIPDB	IP reputation lookups and IOC enrichment
`SPUR_KEY`	Spur	VPN / proxy / residential IP context
`SHODAN_KEY`	Shodan	Open ports and banner data for an IP
`OTX_KEY`	AlienVault OTX	Pulse-based threat intelligence for IOC enrichment

Uploading Samples

Navigate to Upload in the navigation bar. Four ingestion methods are available:

Method	Description
Upload File	Direct file upload (max 200 MB). Optionally extract a ZIP or 7z archive with a password.
Fetch URL	Download a sample from an external URL. Private/internal IP ranges are blocked (SSRF protection).
VirusTotal	Download a sample by SHA256 hash using your VT API key.
MalwareBazaar	Download a sample by SHA256 hash using your MB API key.

All samples are stored by SHA256 hash. Original filenames are preserved in the database but never used as file paths on disk. Add comma-separated tags during upload for easier organisation.

Vault Page

The Vault page lists all stored samples with filtering, search, and bulk management controls.

File Type Filter Chips

A row of filter chips above the sample table lets you quickly narrow the list to a specific file category:

Filter	Matches
Windows	PE executables and DLLs (MIME `application/x-dosexec` / `application/x-msdownload`)
Linux	ELF binaries
macOS	Mach-O binaries
Documents	PDF, Office, and other document types
Archives	ZIP, 7z, TAR, GZ, RAR, and other archive formats
Email	`.eml` and `.msg` files
Scripts	Text/script MIME types and common script extensions, excluding URL-tagged items
Images	Image MIME types (PNG, JPEG, GIF, BMP, etc.)
URLs	Samples tagged with the auto-applied `url` tag (fetched via the Fetch URL ingestor)

Bulk Delete

Each row has a checkbox. Tick one or more rows (or use the header checkbox to select all on the current page) and a Delete N selected button appears in the page header. Clicking it prompts for confirmation then deletes all selected samples in parallel. The selection is cleared and the table reloads after deletion.

Pagination

The bottom of the vault list shows « ‹ page X of Y › » controls — first, previous, next, and last page buttons alongside the current page indicator.

Analysis Tools

Open a sample from the vault and select the Tools tab. The tool selector automatically filters and groups available tools based on the detected file type (PE, ELF, Mach-O, document, archive, email, script). A Show all tools checkbox is available for edge cases such as polyglot files.

Universal — all file types

Tool	Sub-options	Description
Strings	`UTF-8` `ASCII` `Wide (UTF-16LE)` `Latin-1` `UTF-16` `UTF-32`	Extracts printable strings across multiple encodings, including wide strings commonly used to hide Windows API calls.
Extract IOCs	—	Scans the sample for indicators of compromise and saves them to the IOC database linked to this sample. Detects: IP addresses, domains, URLs, emails, Bitcoin addresses, CVE IDs, registry keys, named pipes/mutexes, Windows persistence paths (Run/RunOnce/Services), scheduled task paths, Linux cron paths, systemd unit paths, and macOS LaunchAgent/LaunchDaemon plists.
Hex Viewer	—	Renders a hex dump of the sample with ASCII sidebar.
Run YARA Rules	—	Runs all saved YARA rules against the sample and reports matches with rule name, matched strings, and file offsets.
ExifTool	—	Reads all metadata tags from a file using ExifTool by Phil Harvey.

Windows (PE)

Tool	Sub-options	Description
LIEF Parser	`DOS Header` `Rich Header` `PE Header` `Entrypoint` `Sections` `Imports` `Signature Check` `Check Entropy` `Import Hash (LIEF)` `Overlay Detection` `Rich Header Hash` `Exports`	Comprehensive PE binary analysis via the LIEF project. Covers all standard PE structures including the export directory and digital signature verification.
PE File	`Import Hash` `Rich Header Hash` `Resources` `Version Info` `Overlay` `Suspicious Imports` `Section Entropy` `Packer Detection` `Compile Timestamp` `Anti-VM Detection`	PE-focused analysis via pefile. Highlights suspicious Windows API imports (62 APIs across 8 categories). Packer Detection performs a raw byte signature scan across the full binary (35+ signatures), checks the overlay for packer markers, and detects minimal import profiles (LoadLibrary/GetProcAddress only) — outputs a structured VERDICT line naming the packer where possible (UPX, MPRESS, ASPack, VMProtect, Themida, Armadillo, AutoIt, PyInstaller, NSIS, Inno Setup, WinRAR SFX, .NET obfuscators, and more). Checks compile timestamp for anomalies (future dates, pre-1993, zeroed, known fakes) and scans raw bytes for 50+ anti-VM/sandbox artifact strings (VMware, VirtualBox, QEMU, Hyper-V, analysis tools).
Disassembler	—	Disassembles code at the entry point using Capstone. Supports x86, x86-64, and ARM architectures with automatic detection.

Linux (ELF)

Tool	Sub-options	Description
LIEF Parser	`ELF Header` `ELF Sections` `ELF Symbols` `ELF Suspicious Symbols` `ELF Packer Detection` `ELF Segments` `ELF Binary Info`	ELF binary analysis via LIEF. ELF Suspicious Symbols flags 67 dangerous dynamic symbols across Execution, Network, Privilege Escalation, Anti-Analysis/Injection, Dynamic Loading, Rootkit/File Hiding, and Surveillance categories. ELF Segments lists all program headers and flags W+X PT_LOAD segments. ELF Binary Info reports stripped status, linking type, and interpreter path.
Disassembler	—	Entry point disassembly via Capstone with architecture auto-detection.

macOS (Mach-O)

Tool	Sub-options	Description
Mach-O Tool	`Header` `Load Commands` `Imported Libraries` `Exported Functions` `Symbols` `Sections & Entropy` `Code Signature` `Entitlements` `Encrypted Segments`	Mach-O binary analysis via LIEF. Supports fat binaries (reports all architectures). Imported Libraries annotates dylibs by capability category (Keychain, Network, Camera, Location, etc.). Entitlements extracts the embedded XML plist from the code signature blob. Encrypted Segments detects `LC_ENCRYPTION_INFO` / `LC_ENCRYPTION_INFO_64` load commands (App Store DRM / FairPlay) and high-entropy sections.

Documents & PDFs

Tool	Sub-options	Description
PDF Parser	`Extract Metadata` `Extract Content` `Extract Images` `Extract URLs` `JavaScript` `Embedded Files` `Render Pages`	PDF forensics via PyMuPDF. Surfaces embedded JavaScript, embedded files, URLs, and document metadata. Render Pages rasterises each page to a PNG image via `get_pixmap()` — pure pixel rendering with no JavaScript execution or active content triggered. Capped at 15 pages / 10 MB.
OLETools	`OLEID` `OLEMETA` `OLEDUMP` `OLEVBA` `RTFOBJ` `OLEOBJ`	Analyses Microsoft OLE2 compound files (Office documents, RTF) via Oletools. Detects VBA macros, auto-execution triggers, embedded objects, and obfuscation.

Archives & Email

Tool	Sub-options	Description
Zip Extractor	`With password` `Without password`	Extracts `.zip` and `.7z` archives. All extracted files are added to the vault as individual samples and automatically enriched with VirusTotal data.
Email Parser	`Email Headers` `Email Body` `Download Attachments` `URL Extractor`	Parses `.eml` and `.msg` files. Attachments are downloaded directly into the vault for further analysis.

Images

Tool	Sub-options	Description
Image Viewer	—	Renders the sample as an inline image using a data URI — useful for inspecting images that may contain steganography or hidden data. Format is detected via PIL. Capped at 10 MB.

Android (APK)

Tool	Sub-options	Description
APK Tool	`Manifest` `Components` `Intents` `Certificate` `Strings` `URLs` `Suspicious`	Android APK analysis via androguard. Manifest shows package name, version, SDK levels, and declared permissions (dangerous permissions highlighted). Components lists activities, services, receivers, and providers. Intents shows intent filters grouped by component. Certificate parses the signing certificate (v1/v2/v3 schemes) — subject, issuer, validity, SHA-1/SHA-256 fingerprints, and self-signed detection. Strings extracts meaningful strings from DEX bytecode (JVM class descriptors filtered). URLs finds hardcoded HTTP/HTTPS URLs and non-loopback IPs in DEX strings. Suspicious reports dangerous permissions, suspicious API class references (DexClassLoader, Runtime.exec, SMS access, etc.), and exported components with intent filters.

Scripts & .NET

Tool	Sub-options	Description
.NET Analysis	`Assembly Info` `Type Definitions` `Method Definitions` `Strings` `Imports` `Resources`	.NET managed assembly analysis via dnfile. Extracts assembly metadata, type and method definitions, embedded strings, imported namespaces, and embedded resource names. Useful for analysing C# / VB.NET malware, droppers, and stagers without executing the code.

YARA Rules

Navigate to YARA in the navigation bar to manage rules.

Create new rules using the built-in editor — paste or write YARA syntax directly.
Edit existing rules at any time.
Run all rules against a specific sample from the sample detail page using the Run YARA Rules tool.
Results show the matching rule name, tags, matched string identifiers, file offsets, and match lengths.
Rules are stored as .yar files in vault/yara-rules/ on the server.

Rules with syntax errors will fail to save — the editor will report the parse error inline.

No rules are included by default — Vault1337 ships with an empty rules directory. You need to add your own .yar files via the web editor or by placing them in the vault/yara-rules/ directory on the server.

IOC Management

Navigate to IOCs to view all extracted indicators of compromise across all samples.

Run the Extract IOCs tool on a sample to populate its IOCs.
Each IOC is linked back to the sample it came from.
Mark IOCs as true positive or false positive using the toggle on the IOC page.
Filter the list by classification (true / false / unreviewed) and by IOC type using the filter chips above the table.
Search by IOC value using the search box.

Auto-Enrichment

When the Extract IOCs tool runs, newly extracted ip and domain IOCs are automatically enriched against threat intel APIs in a background thread — the tool response returns immediately while enrichment continues asynchronously.

IP IOCs — queried against VirusTotal and AbuseIPDB concurrently.
Domain IOCs — queried against VirusTotal.
An IOC is marked true positive if the VT malicious count meets the threshold or the AbuseIPDB score meets the threshold. It is marked false positive if all sources return clean results.
RFC1918 private IPs (10/8, 172.16/12, 192.168/16) are saved as IOCs (useful for lateral movement analysis) but auto-marked false positive — they are never sent to external APIs.
Loopback, link-local, multicast, and other reserved IP ranges are discarded entirely at extraction time.

The enrichment column in the IOC table shows results as VT: x/y (malicious/total engines) and AIPDB: z% (abuse score). A dash (—) is shown for IOC types not yet enriched or where no API key is configured.

Bulk Actions

Each row in the IOC table has a checkbox. Selecting one or more rows reveals a bulk action bar with two options:

Export STIX — exports the selected IOCs as a STIX 2.1 bundle (see STIX 2.1 Export below).
Delete — permanently removes the selected IOCs. Requires a confirmation click to prevent accidental deletion (staff only).

Manual Override & Re-Enrichment

Manually toggling an IOC's true/false status sets an overridden flag, shown as a grey pill next to the status badge. Subsequent background enrichment runs will not overwrite a manually overridden IOC.
A Re-enrich button is available on each ip and domain row. Clicking it triggers a synchronous re-enrichment (both VT and AbuseIPDB in parallel) and immediately refreshes the row. This clears the overridden flag so fresh data is applied.

Enrichment Thresholds (Environment Variables)

Variable	Default	Description
`IOC_VT_MALICIOUS_THRESHOLD`	`1`	Minimum VirusTotal malicious engine count to mark an IOC as true positive
`IOC_ABUSEIPDB_SCORE_THRESHOLD`	`25`	Minimum AbuseIPDB confidence score (0–100) to mark an IP IOC as true positive
`IOC_ENRICH_VT_DELAY_SECONDS`	`15`	Delay in seconds between VirusTotal calls during batch enrichment (free tier: 4 req/min)

IOC types extracted:

Type	Description
`ip`	IPv4 addresses (loopback, multicast, and reserved ranges discarded; RFC1918 kept as false positive)
`domain`	Domains validated against the public suffix list; binary artifact extensions, purely numeric labels, and registered-domain labels shorter than 3 characters filtered (eliminates APK/DEX code artifacts)
`url`	HTTP / HTTPS / FTP URLs
`email`	Email addresses
`bitcoin`	Bitcoin wallet addresses
`cve`	CVE identifiers (e.g. CVE-2021-44228)
`registry`	Windows registry key paths (HKLM / HKCU etc.)
`named_pipe`	Named pipe and mutex paths
`win_persistence`	Windows Run / RunOnce / Services registry persistence paths
`scheduled_task`	Scheduled task file paths and schtasks command references
`linux_cron`	Linux cron paths (`/etc/cron*`, `/var/spool/cron`)
`systemd_unit`	Systemd service / timer / socket unit file paths
`macos_launchagent`	macOS LaunchAgent and LaunchDaemon plist paths

IP & Domain Intelligence

IP Check

Navigate to IP Check to query an IP address against multiple threat intelligence sources simultaneously.

Displays a colour-coded verdict banner (Malicious / Suspicious / Clean / Unknown) derived from all sources combined.
Individual source cards: VirusTotal (detection count + link), AbuseIPDB (score bar + usage type + ISP), Spur (tunnel/tag badges), Shodan (open ports, hostnames, CVEs).
Source cards with missing API keys are sorted to the bottom of the page.
Private, loopback, and reserved IP ranges are rejected before any external query is made.

Domain Check

Navigate to Domain Check to query a domain against VirusTotal and WHOIS.

Displays a verdict banner derived from VirusTotal detections.
Individual source cards: VirusTotal (detection count, category badges + link), WHOIS (registrar, creation/expiry dates, name servers, status badges), Passive DNS (unique IPs seen resolving to this domain).
Cards with missing API keys are sorted to the bottom.

Tags & Search

Add comma-separated tags when uploading a sample.
Add or remove tags from any sample on the sample detail page.
All tags are stored in lowercase automatically.
Use the search bar on the Vault page to filter samples by filename, hash, or tag.
Results are paginated — use the page controls at the bottom of the vault list.

Analyst Notes

Analyst notes let you attach structured commentary to any sample — useful for documenting findings, sharing context with team members, and capturing initial triage decisions.

Open a sample and select the Notes tab on the sample detail page.
Each note has a title, a body (supports Markdown formatting), and a type label.
Note types include: note (general observation), triage (initial assessment), ioc (indicator context), and malware (malware family / campaign attribution).
Notes are preserved across sessions and visible to all users with access to the sample.
Notes appear in the PDF report export under the Analyst Notes section.

Note bodies are rendered as Markdown in the UI — use headings, bullet lists, code blocks, and bold/italic formatting to structure your findings.

Sample Report

Every sample has a structured JSON report available at GET /api/v1/files/{id}/report/. The report aggregates all stored analysis data in a single response — no new analysis is run.

The report includes:

File metadata — name, size, magic bytes, MIME type, upload date, uploader
Hashes — MD5, SHA1, SHA256, SHA512
Tags — all tags applied to the sample
VirusTotal summary — detection counts (malicious / suspicious / undetected / harmless), threat label, threat category, scan date, and known names
IOCs — all confirmed (true positive) IOCs grouped by type

VirusTotal data is only included if a VT enrichment has previously been run on the sample (automatically on upload if a VT API key is configured, or manually via the VT Enrich action).

PDF Report Export

Every sample detail page has a PDF Report button on the Info tab. Clicking it generates a professional A4 PDF report entirely in-browser — no server round-trip is required beyond the initial page load.

The PDF is built from data already loaded on the page and downloads instantly with the filename:

vault1337_report_<sha256[:12]>_<YYYYMMDD>.pdf

Report sections:

Section	Contents
Header	Dark slate header band — report title, Vault1337 branding, generation timestamp, SHA256 sub-row, and "RESTRICTED — For authorised personnel only" classification label.
Executive Summary	Filename, detection ratio colour-coded by risk (red >5 detections, amber 1–5, green 0), and VirusTotal threat label — or a "No VT data" message if not yet enriched.
File Details	Original filename, file size (human-readable + bytes), MIME type, magic bytes, upload date, uploaded by.
Cryptographic Hashes	MD5, SHA-1, SHA-256, and SHA-512 in monospace font.
VirusTotal Intelligence	Detection ratio, threat label, scan date, and a table of the top 10 engine detections (malicious and suspicious results only). Omitted if no VT data is present.
Tags	All tags applied to the sample, comma-separated.
IOCs	Confirmed true-positive IOCs only, grouped by type with a sub-header per type. Omitted if no confirmed IOCs exist.
Analyst Notes	Each saved comment rendered as a titled block (bold title + body text). Shows "No analyst notes recorded." if empty.
Footer	Appears on every page: "Vault1337 — Confidential \| Generated: <ISO datetime> \| Page N of M".

The PDF is generated entirely client-side using jsPDF and jsPDF-AutoTable. No analysis data leaves the browser and no additional API calls are made.

MITRE ATT&CK Mapping

Each sample has a dedicated ATT&CK tab on the sample detail page showing matched MITRE ATT&CK techniques. A summary card is also shown on the Info tab.

Click Map Techniques to scan the sample's stored analysis results and linked IOC types for known MITRE ATT&CK technique indicators.
Results are displayed as colour-coded tactic badges arranged by tactic. Each badge shows the technique ID and name; expanding a badge shows the matched indicator evidence.
Click a badge to open the official MITRE ATT&CK technique page in a new tab.
Mapping covers 27 techniques across 10 tactics including execution, persistence, defence evasion, discovery, lateral movement, and impact.
Detection uses two sources: (1) regex pattern matching against saved AnalysisResult text (excluding IOC extractor output to prevent section-header false positives), and (2) direct mapping from linked IOC types (e.g. scheduled_task → T1053, win_persistence → T1547).
Results are persisted on the sample record and can be re-mapped at any time via the Re-map button.

STIX 2.1 Export

Vault1337 supports exporting threat intelligence in STIX 2.1 format via the stix2 library.

Sample STIX Export

On the sample detail page, the Info tab has an Export STIX button. Clicking it downloads a STIX 2.1 bundle for that sample containing:

A Vault1337 Identity SDO as the bundle author.
A File SCO with MD5, SHA-1, and SHA-256 hashes.
An Indicator SDO with a hash-based STIX pattern.
STIX objects for every linked IOC — IPv4Address, DomainName, URL, EmailAddress, WindowsRegistryKey SCOs with associated Indicator SDOs; Vulnerability SDOs for CVE IOCs; Note SDOs for persistence and other types.

Bulk IOC STIX Export

On the IOC page, select one or more IOCs using the row checkboxes, then click Export STIX in the bulk action bar. The download contains STIX objects for all selected IOCs, without being tied to a specific sample.

Decoder

Navigate to Decoder in the navigation bar to decode and transform encoded strings without uploading a sample.

Mode	Description
`Base64`	Decodes standard Base64-encoded strings
`Hex`	Decodes hex-encoded byte strings to ASCII/UTF-8
`URL Decode`	Decodes percent-encoded URL strings
`ROT13`	Applies ROT13 character substitution
`XOR`	XOR-decodes the input with a specified single-byte key (hex or decimal)

Output is displayed inline — no data is sent to the server. Useful for quickly decoding obfuscated strings found during analysis.

Management Page

Navigate to Management in the navigation bar (staff accounts only) to access platform administration tools organised across multiple tabs.

Dashboard

Overview statistics for the platform: total samples, total IOCs, YARA rules, active users, and recent upload activity.

Users & Roles

Create, edit, and deactivate user accounts without touching the Django admin.
Assign users to roles. Built-in roles: Admin, Analyst, Read Only.
Create custom roles and assign granular permissions to them.
Set or reset any user's password.
View and clear account lockouts — accounts are locked after repeated failed login attempts.

API Keys

Store third-party API keys securely in the database. Keys are written to the server's environment at runtime — they are never returned in API responses after being saved. See API Keys for the full list of supported keys.

Audit Log

Every write action (upload, delete, tool run, role change, login, logout) is recorded in the audit log with a timestamp, username, and action detail.
Filter the log by action type or username.
Purge records older than the configured retention window (AUDIT_LOG_RETENTION_DAYS, default 365 days) with a single click.

Settings

View current platform settings and update runtime-configurable values without restarting the server:

Storage paths — sample storage directory and backup directory.
Database info — active database engine and name.
Upload limit — maximum file upload size (configurable via MAX_UPLOAD_SIZE_MB).

SSO

Configure Single Sign-On without editing environment variables. Supported providers: Okta, Azure AD / Entra ID, Google Workspace, GitHub, and any generic OIDC provider. SSO can be enabled alongside local username/password login.

Backup

Run an on-demand pg_dump backup of the PostgreSQL database from the UI. Backup files are saved to the configured BACKUP_DIR. Backup status shows the last backup time and file path.

CyberChef

Check the locally bundled CyberChef version and update it to the latest GitHub release with a single click. No internet access is required at runtime — CyberChef is served entirely from the container.

Tech Stack

Layer	Technology
Backend	Python 3.12 / Django 5.2 / Django REST Framework
Authentication	JWT — djangorestframework-simplejwt with token blacklisting
API docs	drf-spectacular — Swagger UI at `/api/v1/docs/`
Frontend	React 19 / TypeScript / Vite 6 / Tailwind CSS 4
Database	PostgreSQL (production) / SQLite (development)
Static files	WhiteNoise (serves React SPA + Django admin assets)
Production server	Gunicorn (4 workers) + NGINX
Container	Docker — `vault1337/vault1337:latest`

REST API

All endpoints are under /api/v1/. JWT Bearer token authentication is required on all endpoints except registration and token endpoints.

Endpoint	Description
`POST /api/v1/auth/register/`	Register a new user account
`POST /api/v1/auth/token/`	Obtain JWT access + refresh token pair
`POST /api/v1/auth/token/set-cookie/`	Store a refresh token in an httpOnly cookie (called after login)
`POST /api/v1/auth/token/refresh/`	Issue a new access token using the httpOnly refresh cookie
`POST /api/v1/auth/logout/`	Blacklist the refresh token and clear the cookie
`GET/PATCH /api/v1/auth/user/`	Current user profile
`GET/POST /api/v1/files/`	List vault / upload a sample
`GET/DELETE /api/v1/files/{id}/`	Sample detail / delete
`GET /api/v1/files/{id}/download/`	Download sample file
`POST /api/v1/files/{id}/run_tool/`	Run an analysis tool
`POST /api/v1/files/{id}/add_tag/`	Add a tag to a sample
`POST /api/v1/files/{id}/remove_tag/`	Remove a tag from a sample
`GET/POST /api/v1/files/{id}/comments/`	List / add comments on a sample
`GET /api/v1/files/{id}/report/`	Structured JSON report (hashes, VT, IOCs, tags)
`POST /api/v1/files/{id}/vt-enrich/`	Fetch / refresh VirusTotal data for a sample
`POST /api/v1/files/fetch_url/`	Fetch a sample from a URL
`POST /api/v1/files/vt-download/`	Download from VirusTotal by SHA256
`POST /api/v1/files/mb-download/`	Download from MalwareBazaar by SHA256
`GET/PATCH /api/v1/iocs/`	List and update IOCs — supports `?ioc_type=ip\|domain\|url\|email\|…` filter
`POST /api/v1/iocs/{id}/enrich/`	Re-enrich a single IOC against VT + AbuseIPDB; returns updated IOC
`GET /api/v1/iocs/{id}/samples/`	List all samples that share a given IOC (pivot on shared infrastructure)
`POST /api/v1/iocs/export-stix/`	Export selected IOCs as a STIX 2.1 bundle — body: `{"ids": [1,2,3]}`
`POST /api/v1/iocs/bulk-delete/`	Delete selected IOCs — body: `{"ids": [1,2,3]}` (staff only)
`POST /api/v1/files/{id}/map-attack/`	Run MITRE ATT&CK technique mapping for a sample; persists and returns results
`GET /api/v1/files/{id}/stix/`	Download a STIX 2.1 bundle for a sample and all its IOCs
`GET/POST/PUT/DELETE /api/v1/yara/`	YARA rule management
`POST /api/v1/intel/ip/`	IP intelligence lookup (VT, AbuseIPDB, Spur, Shodan)
`POST /api/v1/intel/domain/`	Domain intelligence lookup (VT, WHOIS, passive DNS)
`GET/POST /api/v1/admin/keys/`	API key management (staff only)
`GET/POST/PATCH/DELETE /api/v1/admin/users/`	User account management (staff only)
`POST /api/v1/admin/users/{id}/set_password/`	Set a user's password (staff only)
`GET/POST/PATCH/DELETE /api/v1/admin/roles/`	Role and permission management (staff only)
`GET /api/v1/admin/permissions/`	List all available permissions
`GET /api/v1/admin/dashboard/`	Platform statistics (staff only)
`GET /api/v1/admin/audit/`	Audit log — supports `?action=` and `?username=` filters (staff only)
`POST /api/v1/admin/audit/purge/`	Purge audit log records older than retention window (staff only)
`GET/POST /api/v1/admin/auth/lockouts/`	View and clear account lockouts (staff only)
`GET/POST /api/v1/admin/settings/`	View and update runtime platform settings (staff only)
`GET/POST /api/v1/admin/sso/`	SSO configuration (staff only)
`GET /api/v1/admin/backup/status/`	Last backup status (staff only)
`POST /api/v1/admin/backup/db/`	Run a pg_dump database backup (staff only)
`POST /api/v1/tools/qr-decode/`	Stateless QR code decode

Interactive API documentation (Swagger UI) is available at /api/v1/docs/ on any running instance.

Acknowledgements

Vault1337 is built on outstanding open-source projects and public APIs.

Analysis Libraries

LIEF pefile Capstone YARA-Python Oletools PyMuPDF ExifTool pyzipper py7zr tldextract tabulate androguard dnfile stix2

Backend & Framework

Python Django Django REST Framework Requests

Intelligence APIs

VirusTotal MalwareBazaar AbuseIPDB Spur Shodan AlienVault OTX

Frontend

React Vite TypeScript Tailwind CSS Axios React Router react-markdown jsPDF jsPDF-AutoTable

Infrastructure

Gunicorn WhiteNoise PostgreSQL Docker NGINX