Malware Analysis
Contents
Malware Collection
Honeypots
ICS/SCADA honeypot.
SSH honeypot, based on Kippo.
Low interaction Distributed Honeypots.
Honeypot designed to trap malware.
Web application honeypot.
Opensource system for running, monitoring and managing honeypots.
MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
A normalizer for honeypot data; supports Dionaea.
Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Collection of almost 40,000 JavaScript malware samples.
Plugin-based malware crawler with pre-analysis and reporting functionality.
Live malware samples for analysts.
Collection of various malware files and source code.
Source for the Zeus trojan leaked in 2011.
Open Source Threat Intelligence
Tools
An open-source framework for receiving and redistributing abuse feeds and threat intel.
Tool to gather Threat Intelligence indicators from publicly available sources.
Pull intelligence per file hash.
Pull intelligence per host.
Advanced Indicator of Compromise (IOC) extractor, Python library and command-line tool.
Python library for working with OpenIOC objects, from Mandiant.
Malware/IOC ingestion and processing engine, that enriches collected data.
Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
Malware Information Sharing Platform curated by The MISP Project.
A Python OpenIOC editor.
Aggregates security threats from a number of sources, including some of those listed below in other resources.
Build automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and more.
A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
Data visualization and statistical analysis of Threat Intelligence feeds.
Indicators of Compromise shared publicly by FireEye.
Honeypot feed protocol.
Yara rules repository.
Yeti is a platform meant to organize observables, indicators of compromise, TTPs, and knowledge on threats in a single, unified repository.
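The IOC extractors listed above all do the same core job: refang defanged indicators (hxxp, [.]), then pull URLs, hosts, IPs and hashes out of free text with type-aware patterns. The following is an added, stand-alone Python example of that technique (not the code of any tool on this page); the report text it parses is constructed for the demo, and the internal-range filter is deliberately limited to RFC 1918 and loopback so documentation-range addresses in the sample survive.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample report text for the demo (not from any real feed or incident).
SAMPLE_REPORT = """
The dropper beacons to hxxp://update[.]example-cdn[.]com/gate.php and falls
back to 198[.]51[.]100[.]23 on port 443. Payload hashes:
  MD5    9e107d9d372bb6826bd81d3542a419d6
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
See also http://example.org/docs (benign) and 10.0.0.1 (internal).
"""

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
# \b on both sides keeps a SHA-256 from also matching as two MD5s or an MD5 + SHA-1.
HASH_RES = {
    "md5": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "sha1": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
}
# Only RFC 1918 and loopback are treated as internal here (assumption for the demo);
# ipaddress.is_private would also drop the 198.51.100.0/24 documentation range.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def refang(text: str) -> str:
    """Undo the common defanging conventions so the patterns below see real indicators."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[:\]", ":", text)
    return text


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(text: str) -> dict:
    """Return sorted, de-duplicated indicators grouped by type."""
    text = refang(text)
    iocs = {k: set() for k in ("urls", "domains", "ipv4", "md5", "sha1", "sha256")}
    # URLs first: their hostnames are extracted with a real parser, not a regex.
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        iocs["urls"].add(url)
        host = urlparse(url).hostname
        if host and not IPV4_RE.fullmatch(host):
            iocs["domains"].add(host.lower())
    # Bare domains are searched only in the text that remains after URLs are removed,
    # so path components such as gate.php are never mistaken for hostnames.
    remainder = URL_RE.sub(" ", text)
    iocs["domains"].update(d.lower() for d in DOMAIN_RE.findall(remainder))
    iocs["ipv4"].update(ip for ip in IPV4_RE.findall(text) if not is_internal(ip))
    for name, rx in HASH_RES.items():
        iocs[name].update(h.lower() for h in rx.findall(text))
    return {k: sorted(v) for k, v in iocs.items()}


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind:8s} {values}")
```

Running it on the constructed report yields one public IP (the internal 10.0.0.1 is dropped), two hostnames, two URLs and one hash of each length present; a real pipeline would then feed these into the enrichment and sharing tools listed above rather than printing them.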
Detection and Classification
Wrapper for a variety of tools for reporting on Windows PE files.
An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
Detects capabilities in executable files.
A program for determining types of files.
Modular, recursive file scanning solution.
A single-library parser to extract metadata, perform static analysis and detect macros within files.
Compute digest hashes with a variety of algorithms.
Windows shell extension to compute hashes with a variety of algorithms.
Host based scanner for IOCs.
Catalog and compare malware at a function level.
Static analyzer for PE executables.
Static analysis framework.
Modular file scanning/analysis framework.
Linker/Compiler/Tool detector for Windows, Linux and MacOS.
A tool for looking up hashes in NIST's National Software Reference Library database.
A cross-platform Python alternative to PEiD.
PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
An obfuscation-neglect Android malware scoring system.
Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
A simple tool to yara match the file against various yara rules to find the indicators of suspicion.
Debugging and Reverse Engineering
The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
Platform-agnostic binary analysis framework developed at UCSB's Seclab.
Identifies and extracts information from bots and other malware.
Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
Multiplatform, open source Binary Analysis and Reverse engineering Framework.
Binary analysis IDE for reverse engineering based on graph visualization.
Firmware analysis tool.
Framework for executing and debugging evasive malware and protected executables.
Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
Web based code browser using clang to provide basic code analysis.
GUI for Radare2.
A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
.NET assembly editor, decompiler and debugger.
Tool for exploration and tracing of the Windows kernel.
GDB Enhanced Features, for exploiters and reverse engineers.
A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
A utility to search for strings in PE executables including imports, exports, and debug symbols.
Interactive Delphi Reconstructor is a decompiler of Delphi executable files and dynamic libraries.
An automated framework for mac malware hunting.
Platform for Architecture-Neutral Dynamic Analysis.
Python Exploit Development Assistance for GDB, an enhanced display with added commands.
Interactive disassembler for x86/ARM/MIPS.
Python tool for malware analysis.
Python scriptable reverse engineering sandbox by the Talos team at Cisco.
A framework to analyze, dissect and decompile complex code-reuse attacks.
Find and fix the IAT of an unpacked / dumped PE32 malware.
An Anti-Anti-Debug library and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
Sublime Malware Research Tool, a plugin for Sublime Text 3 to aid with malware analysis.
A machine learning tool that automatically ranks strings based on their relevance for malware analysis.
Disassembler library and tool for x86 and x86_64.
Python tool for malware analysis.
Online Scanners and Sandboxes
Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant.
Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
A Python API used to control a cuckoo-modified sandbox.
A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
Dynamic malware analysis system.
An Automated Malware Analysis Tool for Linux ELF Files.
Sandbox for Analyzing Linux Malware.
Automatic sandboxed analysis of malware behavior.
Massively scalable malware analysis framework.
A Python RESTful API framework for online malware and URL analysis services.
Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
A helper script for safely uploading binaries to sandbox sites.
Python library for building integrations with several open source and commercial malware sandboxes.
Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
Domain Analysis
A tool designed for consistent and safe capture of off network web resources.
Domain name permutation engine for detecting typosquatting, phishing and corporate espionage.
Gather information about an IP or domain by searching online resources.
OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
Cross-language temporary email detection library.
Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
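A domain permutation engine of the kind described above works by applying a fixed set of mutation rules to the registrable label and emitting every candidate so it can be resolved and compared against the legitimate domain. The block below is an added Python example of those rules (not the code of any listed tool); the keyboard-adjacency, homoglyph and TLD tables are small demo assumptions, and it stops at generation, since resolving the candidates needs network access.

```python
import string
from collections import defaultdict

# Demo tables (assumptions): partial QWERTY adjacency, ASCII-only homoglyphs, a few TLDs.
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
HOMOGLYPHS = {"a": "4", "b": "d", "d": "b", "e": "3", "g": "q", "i": "1l",
              "l": "1i", "o": "0", "s": "5", "t": "7", "z": "2"}
TLDS = ["com", "net", "org", "co", "info", "biz"]
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def valid_label(label: str) -> bool:
    """DNS label rules that a registrar would enforce: 1-63 LDH chars, no edge hyphen."""
    return (0 < len(label) <= 63 and set(label) <= LABEL_CHARS
            and not label.startswith("-") and not label.endswith("-"))


def permutations(fqdn: str) -> dict:
    """Generate typosquat candidates for fqdn, grouped by technique."""
    name, _, tld = fqdn.lower().partition(".")
    raw = defaultdict(set)
    n = len(name)
    for i, ch in enumerate(name):
        raw["omission"].add(name[:i] + name[i + 1:])
        raw["repetition"].add(name[:i + 1] + ch + name[i + 1:])
        if i < n - 1:
            raw["transposition"].add(name[:i] + name[i + 1] + ch + name[i + 2:])
        for c in QWERTY.get(ch, ""):
            raw["replacement"].add(name[:i] + c + name[i + 1:])
            raw["insertion"].add(name[:i] + c + name[i:])
            raw["insertion"].add(name[:i + 1] + c + name[i + 1:])
        for c in HOMOGLYPHS.get(ch, ""):
            raw["homoglyph"].add(name[:i] + c + name[i + 1:])
        # Bitsquatting: a single flipped bit in RAM or on the wire turns one valid
        # label character into another; only flips that stay in the LDH set matter.
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                raw["bitsquatting"].add(name[:i] + flipped + name[i + 1:])
        if i > 0:
            raw["hyphenation"].add(name[:i] + "-" + name[i:])
    for c in string.ascii_lowercase + string.digits:
        raw["addition"].add(name + c)
    for t in TLDS:
        if t != tld:
            raw["tld"].add(name + "." + t)

    result = {}
    for technique, names in raw.items():
        keep = set()
        for cand in names:
            candidate = cand if technique == "tld" else cand + "." + tld
            if candidate != fqdn and valid_label(candidate.split(".")[0]):
                keep.add(candidate)
        result[technique] = sorted(keep)
    return result


if __name__ == "__main__":
    for technique, names in permutations("paypal.com").items():
        print(f"{technique:14s} {len(names):4d}  e.g. {names[:3]}")
```

The candidate list is the input to the interesting part: resolve each name (A, MX, NS), and treat any that resolve, especially those with MX records or a recent registration date, as worth a closer look.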
Browser Malware
Combines multiple Java bytecode viewers and decompilers into one tool, including APK/DEX support.
Parses Java IDX cache files.
A javascript unpacker that emulates browser functionality.
Java decompiler, assembler, and disassembler.
A "Robust ActionScript Bytecode Disassembler."
Documents and Shellcode
A tool for analyzing PDFs and attempting to determine whether they are malicious.
A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
Deconstruct malicious PDFs into a JSON representation.
A PDF analysis tool, the backend-free version of PDF X-RAY.
File Carving
Fast file carving tool.
Carve Windows Event Log files from raw binary data.
Hachoir is a Python library to view and edit a binary stream field by field.
Another data carving tool.
Nested archive extraction/unpacking (used in Cuckoo Sandbox).
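Header/footer carving, as performed by the carving tools above, finds every byte sequence that looks like a file header and cuts forward to the matching footer. The weak point is stray headers in slack space: carved naively, a bare signature swallows the next real file. The following is an added Python example (not the code of any listed tool) that carves PNG and JPEG objects from a raw buffer and validates each carve structurally before reporting it; the disk image, the 1x1 PNG and the JFIF-shaped blob are all constructed in the block.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# kind -> (header pattern, footer marker, bytes to keep from the footer start, max object size)
SIGNATURES = {
    "png": (re.compile(re.escape(PNG_SIG)), b"IEND", 8, 1 << 20),   # IEND type + 4-byte CRC
    "jpeg": (re.compile(rb"\xff\xd8\xff[\xe0-\xef]"), b"\xff\xd9", 2, 1 << 20),
}


def validate_png(data: bytes) -> bool:
    """Walk the chunk list checking lengths and CRCs; accept only a complete chunk
    sequence that ends exactly at IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            return False
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != struct.unpack(">I", crc)[0]:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)
    return False


def validate_jpeg(data: bytes) -> bool:
    """Cheap structural check: SOI marker at the start, EOI marker at the end."""
    return len(data) > 4 and data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")


VALIDATORS = {"png": validate_png, "jpeg": validate_jpeg}


def carve(buf: bytes) -> list:
    """Carve every header hit to the nearest footer inside max_size, then validate.
    A stray signature with no valid structure behind it is dropped instead of being
    reported (and instead of hiding the real file that follows it)."""
    found = []
    for kind, (head_re, footer, keep, max_size) in SIGNATURES.items():
        for m in head_re.finditer(buf):
            start = m.start()
            window = buf[start:start + max_size]
            end = window.find(footer, m.end() - start)
            if end < 0:
                continue        # no footer in the window: truncated object or false positive
            data = window[:end + keep]
            if VALIDATORS[kind](data):
                found.append((kind, start, data))
    found.sort(key=lambda hit: hit[1])
    return found


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


# Constructed test data: a 1x1 RGB PNG and a minimal JFIF-shaped blob embedded in
# filler that also carries a bare PNG signature with junk behind it (a typical decoy).
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
              + png_chunk(b"IEND", b""))
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xff\xd9"
DISK_IMAGE = (b"\x00" * 64 + b"slack " * 8
              + PNG_SIG + b"not a real chunk" + b"\xaa" * 100
              + SAMPLE_PNG + b"\x00" * 33 + SAMPLE_JPEG + b"\xff" * 50)

if __name__ == "__main__":
    for kind, offset, data in carve(DISK_IMAGE):
        print(f"{kind} at offset {offset}, {len(data)} bytes")
```

The decoy signature is carved (to the real PNG's IEND) but fails CRC validation and is discarded; the real PNG is still found because every header hit is processed independently rather than resuming the scan after the previous carve.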
Deobfuscation
.NET deobfuscator and unpacker.
The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
Guess a 256 byte XOR key using frequency analysis.
A generic hidden code extractor for Windows malware.
A Python script to extract the contents of a PyInstaller generated Windows executable file. The contents of the pyz file (usually pyc files) present inside the executable are also extracted and automatically fixed so that a Python bytecode decompiler will recognize it.
A cross-version Python bytecode decompiler. Translates Python bytecode back into equivalent Python source code.
Automatic and platform-independent unpacker for Windows binaries based on emulation.
Automated malware unpacker for Windows malware based on WinAppDbg.
Guess XOR keys using known-plaintext attacks.
Reverse engineering tool for virtualization wrappers.
Guess XOR key length, as well as the key itself.
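The three XOR helpers above (frequency analysis for a 256-byte key, known-plaintext key guessing, and key-length guessing) are all instances of the same repeating-key XOR analysis. The block below is an added Python example written for this page (not the code of any listed tool) that carries the technique through end to end on a constructed, space-padded config blob encrypted with a 4-byte key: rank candidate key lengths, recover the key from per-column byte frequencies, and recover it independently from a crib. The plaintext, key and crib are demo assumptions.

```python
from collections import Counter

# Constructed sample: a config-like plaintext (space-padded lines) XORed with a
# repeating 4-byte key. Both are demo assumptions, not real malware data.
LINES = [
    "server   = http://cdn.example.test/gate.php",
    "interval = 300",
    "campaign = spring",
    "mutex    = Global\\svc-updater",
]
PLAINTEXT = "".join(line.ljust(60) + "\n" for line in LINES) * 4
KEY = bytes([0x8F, 0x13, 0xD4, 0x6B])
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERTEXT = xor_bytes(PLAINTEXT.encode(), KEY)


def column_scores(ct: bytes, max_len: int) -> dict:
    """For each candidate length L, average over the L columns the share held by
    that column's most frequent byte. At the true length (or a multiple of it)
    every column is a single-byte XOR of the plaintext, so a plaintext dominated
    by one byte (space for text, 0x00 for PE files or memory) scores high; a
    wrong length mixes columns and dilutes the share."""
    scores = {}
    for L in range(1, max_len + 1):
        shares = [Counter(ct[r::L]).most_common(1)[0][1] / len(ct[r::L]) for r in range(L)]
        scores[L] = sum(shares) / L
    return scores


def guess_key_length(ct: bytes, max_len: int = 16) -> int:
    """Multiples of the true length score the same, so take the smallest length
    within 10% of the best score rather than the argmax."""
    scores = column_scores(ct, max_len)
    best = max(scores.values())
    return min(L for L, s in scores.items() if s >= 0.9 * best)


def recover_key_by_frequency(ct: bytes, key_len: int, common_byte: int = 0x20) -> bytes:
    """Per column, assume the most frequent ciphertext byte is common_byte XOR key."""
    return bytes(Counter(ct[r::key_len]).most_common(1)[0][0] ^ common_byte
                 for r in range(key_len))


def recover_key_by_crib(ct: bytes, crib: bytes, key_len: int):
    """Known-plaintext attack: slide the crib across the ciphertext. Each offset
    yields a key fragment that must be self-consistent modulo key_len and must
    decrypt the whole buffer to plausible text; the first such key is returned."""
    if len(crib) < key_len:
        raise ValueError("crib must be at least one key length long")
    for offset in range(len(ct) - len(crib) + 1):
        key = [None] * key_len
        for j, c in enumerate(crib):
            idx = (offset + j) % key_len
            guess = ct[offset + j] ^ c
            if key[idx] not in (None, guess):
                break           # two crib bytes disagree about the same key byte
            key[idx] = guess
        else:
            candidate = bytes(key)
            pt = xor_bytes(ct, candidate)
            if crib in pt and all(b in PRINTABLE for b in pt):
                return candidate
    return None


if __name__ == "__main__":
    L = guess_key_length(CIPHERTEXT)
    print("key length:", L)
    print("frequency key:", recover_key_by_frequency(CIPHERTEXT, L).hex())
    print("crib key:     ", recover_key_by_crib(CIPHERTEXT, b"http://", L).hex())
    print(xor_bytes(CIPHERTEXT, recover_key_by_frequency(CIPHERTEXT, L)).decode()[:60])
```

For a XORed PE file the same code works with common_byte=0x00 (padding and zeroed headers dominate) and a crib such as b"This program cannot be run in DOS mode"; the frequency method fails on short or high-entropy blobs, which is exactly when the crib method earns its keep.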
Network
Use Yara rules from Bro.
Malicious HTTP traffic explorer.
Protocol analysis and decoding framework.
Next generation dynamic network analysis tool.
Botnet C&C monitor.
Library for parsing and reading out PCAP files, including TLS streams using TLS Master Secrets (used in Cuckoo Sandbox).
Laika BOSS is a file-centric malware analysis and intrusion detection system.
Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.
Malware Communications Analyzer.
A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.
IPv4 traffic capturing, indexing and database system.
Search through network traffic like grep.
Network topology and traffic visualizer.
An ICAP Server with yara scanner for URL or content.
squidmagic is a tool designed to analyze web-based network traffic to detect central command and control (C&C) servers and malicious sites, using the Squid proxy server and Spamhaus.
Memory Forensics
Differential Analysis of Malware in Memory, built on Volatility.
Web interface for the Volatility Memory Forensics Framework.
High-speed memory analysis framework developed in .NET; supports all Windows x64 versions and includes code integrity and write support.
A script to automate portions of analysis using Volatility, and create a readable report.
Orochi is an open source framework for collaborative forensic memory dump analysis.
Script based on Volatility for automating various malware analysis tasks.
Run Volatility on memory images before and after malware execution, and report changes.
Advanced memory forensics framework.
Web Interface for Volatility Memory Analysis framework.
WinDBG Anti-RootKit Extension.
Windows Artifacts
Storage and Workflow
Miscellaneous
A PoC malware with good intentions that aims to stress anti-malware systems.
Automated cryptographic algorithm reverse engineering and classification framework.
The Defense Cyber Crime Center's Malware Configuration Parser framework.
A fully customizable, Windows-based, security distribution for malware analysis.
A database containing exploits used by malware.
A simple tool to organise large sets of malicious/benign files into an organised structure.
Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
Other
A collection of papers and notes related to Advanced Persistent Threats.
Endgame Malware BEnchmark for Research, a repository that makes it easy to (re)create a machine learning model that can be used to predict a score for a PE file based on static analysis.
Nice visualization of commonly used file format (including PE & ELF).
Collection of various information focused on malware persistence: detection (techniques), response, pitfalls and the log collection (tools).
These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
Windows registry file format specification.