A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some privacy features.
  • Tor – The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Kippo – Medium interaction SSH honeypot.
  • Mnemosyne – A normalizer for honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scrapped from malicious sites.
  • maltrieve – Retrieve malware samples directly from a number of online sources.
  • MalwareDB – Malware samples repository.
  • theZoo – Live malware samples for analysts.
  • ViruSign – Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare – Malware repository, registration
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011. required.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files, from Mandiant.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • PassiveTotal – Research, connect, tag and share IPs and domains.
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • ExifTool – Read, write and edit file metadata.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEiD – Packer identifier for Windows binaries.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • AndroTotal – free online analysis of APKs against multiple mobile antivirus apps.
  • Anubis – Malware Analysis for Unknown Binaries and Site Check.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • DRAKVUF – Dynamic malware analysis system.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Jotti – Free online multi-AV scanner.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metascan Online – Free file scanning with multiple antivirus engines.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal – Free online analysis of malware samples and URLs
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • SenderBase – Search for IP, domain or network owner.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • TekDefense Automator – OSINT tool for gatherig information about URLs, IPs, or hashes.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • Hachoir – A collection of Python libraries for dealing with binary files.
  • Scalpel – Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken – GUI for Pyew and Radare.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • GDB – The GNU debugger.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • pestudio – Perform static analysis of Windows executables.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • Pyew – Python tool for malware analysis.
  • Radare2 – Reverse engineering framework, with debugger support.
  • strace – Dynamic analysis for Linux executables.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • X64dbg – An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

  • Bro – Protocol analyzer that operates at incredible scale; both file and network protocols.
  • CapTipper – Malicious HTTP traffic explorer.
  • chopshop – Protocol analysis and decoding framework.
  • Fiddler – Intercepting web proxy designed for “web debugging.”
  • Hale – Botnet C&C monitor.
  • INetSim – Network service emulation, useful when building a malware lab.
  • Malcom – Malware Communications Analyzer.
  • Maltrail – A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
  • mitmproxy – Intercept network traffic on the fly.
  • Moloch – IPv4 traffic capturing, indexing and database system.
  • NetworkMiner – Network forensic analysis tool, with a free version.
  • ngrep – Search through network traffic like grep.
  • Tcpdump – Collect network traffic.
  • tcpick – Trach and reassemble TCP streams from network traffic.
  • tcpxtract – Extract files from network traffic.
  • Wireshark – The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM – Differential Analysis of Malware in Memory, built on Volatility
  • FindAES – Find AES encryption keys in memory.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – OpenSource Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse – Store, tag, and search malware.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Viper – A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
  • Pafish – Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux – Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux – Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists

Reference :github

Original Post: https://www.linkedin.com/pulse/awesome-malware-analysis-lists-mayur-agnihotri

Advertisements