/awesome-malware-analysis

Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Cowrie - SSH honeypot, based on Kippo. Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • Malshare - Large repository of malware actively scrapped from malicious sites. samples directly from a number of online sources.
  • MalwareDB - Malware samples repository.
  • Open Malware Project - Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker - Plugin based malware crawler with pre-analysis and reporting functionalities
  • theZoo - Live malware samples for analysts.
  • Tracker h3x - Agregator for malware corpus tracker and malicious download sites.
  • ViruSign - Malware database that detected by many anti malware programs except ClamAV.
  • VirusShare - Malware repository, registration required.
  • VX Vault - Active collection of malware samples.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
  • Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel - Pull intelligence per file hash.
  • Hostintel - Pull intelligence per host.
  • IntelMQ - A tool for CERTs for processing incident data using a message queue.
  • IOC Editor - A free editor for XML IOC files.
  • ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP - Malware Information Sharing Platform curated by The MISP Project.
  • PassiveTotal - Research, connect, tag and share IPs and domains.
  • PyIOCe - A Python OpenIOC editor.
  • threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd - A search engine for threats, with graphical visualization.
  • ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • Detect-It-Easy - A program for determining types of files.
  • ExifTool - Read, write and edit file metadata.
  • File Scanning Framework - Modular, recursive file scanning solution.
  • hashdeep - Compute digest hashes with a variety of algorithms.
  • Loki - Host based scanner for IOCs.
  • Malfunction - Catalog and compare malware at a function level.
  • MASTIFF - Static analysis framework.
  • MultiScanner - Modular file scanning/analysis framework
  • nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform Python alternative to PEiD.
  • PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.
  • Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • APK Analyzer - Free dynamic analysis of APKs.
  • AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar - Malware.lu online scanner and malware repository.
  • Cryptam - Analyze suspicious office documents.
  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api - A Python API used to control a cuckoo-modified sandbox.
  • DeepViz - Multi-format file analyzer with machine-learning classification.
  • detux - A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
  • Document Analyzer - Free dynamic analysis of DOC and PDF files.
  • DRAKVUF - Dynamic malware analysis system.
  • File Analyzer - Free dynamic analysis of PE files.
  • firmware.re - Unpacks, scans and analyzes almost any firmware package.
  • Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
  • IRMA - An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • Jotti - Free online multi-AV scanner.
  • Limon - Sandbox for Analyzing Linux Malwares
  • Malheur - Automatic sandboxed analysis of malware behavior.
  • Malware config - Extract, decode and display online the configuration settings from common malwares.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online - Online static analysis of malware.
  • Metadefender.com - Scan a file, hash or IP address for malware (free)
  • NetworkTotal - A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  • Recomposer - A helper script for safely uploading binaries to sandbox sites.
  • Sand droid - Automatic and complete Android application analysis system.
  • SEE - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • URL Analyzer - Free dynamic analysis of URL files.
  • VirusTotal - Free online analysis of malware samples and URLs
  • Visualize_Logs - Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...)
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig - Free online dig and other network tools.
  • dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • Machinae - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker - Cross-language temporary email detection library.
  • MaltegoVT - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • SenderBase - Search for IP, domain or network owner.
  • SpamCop - IP based spam block list.
  • SpamHaus - Block list based on domains and IPs.
  • Sucuri SiteCheck - Free Website Malware and Security Scanner.
  • TekDefense Automater - OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery - Free URL Scanner.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • ZScalar Zulu - Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java IDX cache files.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A javascript unpacker that emulates browser functionality.
  • Krakatau - Java decompiler, assembler, and disassembler.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js - A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • JS Deobfuscator - Deobfuscate simple Javascript that use eval or document.write to conceal its code.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • QuickSand - QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file carving tool.
  • EVTXtract - Carve Windows Event Log files from raw binary data.
  • Foremost - File carving tool designed by the US Air Force.
  • Hachoir - A collection of Python libraries for dealing with binary files.
  • Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot - .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker - A generic hidden code extractor for Windows malware.
  • unpacker - Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor - Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator - Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
  • bamfdetect - Identifies and extracts information from bots and other malware.
  • BAP - Multiplatform and open source (MIT) binary analysis framework developed at CMU's Cylab.
  • BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja - A reversing engineering platform that is an alternative to IDA.
  • Binwalk - Firmware analysis tool.
  • Bokken - GUI for Pyew and Radare. (mirror)
  • Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro - Web based code browser using clang to provide basic code analysis.
  • dnSpy - .NET assembly editor, decompiler and debugger.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • FPort - Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB - The GNU debugger.
  • GEF - GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ltrace - Dynamic analysis for Linux executables.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • PANDA - Platform for Architecture-Neutral Dynamic Analysis
  • PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio - Perform static analysis of Windows executables.
  • plasma - Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer - Advanced task manager for Windows.
  • [Process Hacker] (http://processhacker.sourceforge.net/) - Tool that monitors system resources
  • Process Monitor - Advanced monitoring tool for Windows programs.
  • PSTools - Windows command-line tools that help manage and investigate live systems.
  • Pyew - Python tool for malware analysis.
  • Radare2 - Reverse engineering framework, with debugger support.
  • RegShot - Registry compare utility that compares snapshots.
  • RetDec - Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU - A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analyis.
  • strace - Dynamic analysis for Linux executables.
  • Triton - A dynamic binary analysis (DBA) framework.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.
  • X64dbg - An open-source x64/x32 debugger for windows.

Network

Analyze network interactions.

  • Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
  • BroYara - Use Yara rules from Bro.
  • CapTipper - Malicious HTTP traffic explorer.
  • chopshop - Protocol analysis and decoding framework.
  • Fiddler - Intercepting web proxy designed for "web debugging."
  • Hale - Botnet C&C monitor.
  • Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
  • INetSim - Network service emulation, useful when building a malware lab.
  • Laika BOSS - Laika BOSS is a file-centric malware analysis and intrusion detection system.
  • Malcom - Malware Communications Analyzer.
  • Maltrail - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring an reporting and analysis interface.
  • mitmproxy - Intercept network traffic on the fly.
  • Moloch - IPv4 traffic capturing, indexing and database system.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  • ngrep - Search through network traffic like grep.
  • PcapViz - Network topology and traffic visualizer.
  • Tcpdump - Collect network traffic.
  • tcpick - Trach and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight - Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis
  • DAMM - Differential Analysis of Malware in Memory, built on Volatility
  • evolve - Web interface for the Volatility Memory Forensics Framework.
  • FindAES - Find AES encryption keys in memory.
  • Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility - Advanced memory forensics framework.
  • VolUtility - Web Interface for Volatility Memory Analysis framework.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir - A live incident response script for gathering Windows artifacts.
  • python-evt - Python library for parsing Windows Event Logs.
  • python-registry - Python library for parsing registry files.
  • RegRipper (GitHub) - Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph - OpenSource Malware Analysis Pipeline System.
  • CRITs - Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse - Store, tag, and search malware.
  • Polichombr - A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ - Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • al-khaser - A PoC malware with good intentions that aimes to stress anti-malware systems.
  • Binarly - Search engine for bytes in a large corpus of malware.
  • DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
  • MalSploitBase - A database containing exploits used by malware.
  • Malware Museum - Collection of malware programs that were distributed in the 1980s and 1990s.
  • Pafish - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists

Thanks