# Awesome Malware Analysis A curated list of awesome malware analysis tools and resources. Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php). - [Awesome Malware Analysis](#awesome-malware-analysis) - [Malware Collection](#malware-collection) - [Anonymizers](#anonymizers) - [Honeypots](#honeypots) - [Malware Corpora](#malware-corpora) - [Open Source Threat Intelligence](#open-source-threat-intelligence) - [Tools](#tools) - [Other Resources](#other-resources) - [Detection and Classification](#detection-and-classification) - [Online Scanners and Sandboxes](#online-scanners-and-sandboxes) - [Domain Analysis](#domain-analysis) - [Browser Malware](#browser-malware) - [Documents and Shellcode](#documents-and-shellcode) - [File Carving](#file-carving) - [Deobfuscation](#deobfuscation) - [Debugging and Reverse Engineering](#debugging-and-reverse-engineering) - [Network](#network) - [Memory Forensics](#memory-forensics) - [Windows Artifacts](#windows-artifacts) - [Storage and Workflow](#storage-and-workflow) - [Miscellaneous](#miscellaneous) - [Resources](#resources) - [Books](#books) - [Twitter](#twitter) - [Other](#other) - [Related Awesome Lists](#related-awesome-lists) - [Contributing](#contributing) - [Thanks](#thanks) --- ## Malware Collection ### Anonymizers *Web traffic anonymizers for analysts.* * [Anonymouse.org](http://anonymouse.org/) - A free, web based anonymizer. * [OpenVPN](https://openvpn.net/) - VPN software and hosting solutions. * [Privoxy](http://www.privoxy.org/) - An open source proxy server with some privacy features. * [Tor](https://www.torproject.org/) - The Onion Router, for browsing the web without leaving traces of the client IP. ### Honeypots *Trap and collect your own samples.* * [Conpot](https://github.com/glastopf/conpot) - ICS/SCADA honeypot. * [Dionaea](http://dionaea.carnivore.it/) - Honeypot designed to trap malware. * [Glastopf](http://glastopf.org/) - Web application honeypot. * [Honeyd](http://honeyd.org/) - Create a virtual honeynet. * [HoneyDrive](http://honeydrive.org/) - Honeypot bundle Linux distro. * [Kippo](https://github.com/desaster/kippo) - Medium interaction SSH honeypot. * [Mnemosyne](https://github.com/johnnykv/mnemosyne) - A normalizer for honeypot data; supports Dionaea. * [Thug](https://github.com/buffer/thug) - Low interaction honeyclient, for investigating malicious websites. ### Malware Corpora *Malware samples collected for analysis.* * [Clean MX](http://support.clean-mx.de/clean-mx/viruses.php) - Realtime database of malware and malicious domains. * [Contagio](http://contagiodump.blogspot.com/) - A collection of recent malware samples and analyses. * [Exploit Database](https://www.exploit-db.com/) - Exploit and shellcode samples. * [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for analysts. * [maltrieve](https://github.com/krmaxwell/maltrieve) - Retrieve malware samples directly from a number of online sources. * [Zeltser's Sources](https://zeltser.com/malware-sample-sources/) - A list of malware sample sources put together by Lenny Zeltser. * [Zeus Source Code](https://github.com/Visgean/Zeus) - Source for the Zeus trojan leaked in 2011. ## Open Source Threat Intelligence ### Tools *Harvest and analyze IOCs.* * [Combine](https://github.com/mlsecproject/combine) - Tool to gather Threat Intelligence indicators from publicly available sources. * [IOC Editor](https://www.mandiant.com/resources/download/ioc-editor/) - A free editor for XML IOC files, from Mandiant. * [ioc_writer](https://github.com/mandiant/ioc_writer) - Python library for working with OpenIOC objects, from Mandiant. * [threataggregator](https://github.com/jpsenior/threataggregator) - Aggregates security threats from a number of sources, including some of those listed below in [other resources](#other-resources). * [TIQ-test](https://github.com/mlsecproject/tiq-test) - Data visualization and statistical analysis of Threat Intelligence feeds. ### Other Resources *Threat intelligence and IOC resources.* * [Autoshun](http://autoshun.org/) ([list](http://autoshun.org/)) - Snort plugin and blocklist. * [CI Army](http://www.ciarmy.com/) ([list](http://www.ciarmy.com/list/ci-badguys.txt)) - Network security blocklists. * [Emerging Threats](http://www.emergingthreats.net/) - Rulesets and more. * [FireEye IOCs](https://github.com/fireeye/iocs) - Indicators of Compromise shared publicly by FireEye. * [hpfeeds](https://github.com/rep/hpfeeds) - Honeypot feed protocol. * [Internet Storm Center (DShield)](https://isc.sans.edu/) - Diary and searchable incident database, with a web [API](https://dshield.org/api/) ([unofficial Python library](https://github.com/rshipp/python-dshield)). * [malc0de](http://malc0de.com/database/) - Searchable incident database. * [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share malicious URLs. * [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence. * [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet C&C blocklists. * [ZeuS Tracker](https://zeustracker.abuse.ch/blocklist.php) - ZeuS blocklists. * [Critical Stack- Free Intel Market](https://intel.CriticalStack.com) - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators. ## Detection and Classification *Antivirus and other malware identification tools* * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files. * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. * [ClamAV](http://www.clamav.net/index.html) - Open source antivirus engine. * [ExifTool](http://www.sno.phy.queensu.ca/~phil/exiftool/) - Read, write and edit file metadata. * [hashdeep](https://github.com/jessek/hashdeep) - Compute digest hashes with a variety of algorithms. * [MASTIFF](https://github.com/KoreLogicSecurity/mastiff) - Static analysis framework. * [nsrllookup](https://github.com/rjhansen/nsrllookup) - A tool for looking up hashes in NIST's National Software Reference Library database. * [packerid](http://handlers.sans.org/jclausing/packerid.py) - A cross-platform Python alternative to PEiD. * [PEiD](http://woodmann.com/BobSoft/Pages/Programs/PEiD) - Packer identifier for Windows binaries. * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits. * [ssdeep](http://ssdeep.sourceforge.net/) - Compute fuzzy hashes. * [totalhash.py](https://gist.github.com/malc0de/10270150) - Python script for easy searching of the [TotalHash.com](http://totalhash.com/) database. * [TrID](http://mark0.net/soft-trid-e.html) - File identifier. * [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for analysts. ## Online Scanners and Sandboxes *Web-based multi-AV scanners, and malware sandboxes for automated analysis.* * [Cuckoo Sandbox](http://cuckoosandbox.org/) - Open source, self hosted sandbox and automated analysis system. * [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis system. * [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware analysis tool, powered by VxSandbox. * [Jotti](http://virusscan.jotti.org/en) - Free online multi-AV scanner. * [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis of malware behavior. * [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox instance. * [MASTIFF Online](https://mastiff-online.korelogic.com/) - Online static analysis of malware. * [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment. * [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper script for safely uploading binaries to sandbox sites. * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free automated sandboxes and services, compiled by Lenny Zeltser. ## Domain Analysis *Inspect domains and IP addresses.* * [Dig](http://networking.ringofsaturn.com/) - Free online dig and other network tools. * [IPinfo](https://github.com/hiddenillusion/IPinfo) - Gather information about an IP or domain by searching online resources. * [TekDefense Automator](http://www.tekdefense.com/automater/) - OSINT tool for gatherig information about URLs, IPs, or hashes. * [Whois](http://whois.domaintools.com/) - DomainTools free online whois search. * [Zeltser's List](https://zeltser.com/lookup-malicious-websites/) - Free online tools for researching malicious websites, compiled by Lenny Zeltser. ## Browser Malware *Analyze malicious URLs. See also the [domain analysis](#domain-analysis) and [documents and shellcode](#documents-and-shellcode) sections.* * [Firebug](http://getfirebug.com/) - Firefox extension for web development. * [Java Decompiler](http://jd.benow.ca/) - Decompile and inspect Java apps. * [Java IDX Parser](https://github.com/Rurik/Java_IDX_Parser/) - Parses Java IDX cache files. * [JSDetox](http://www.relentless-coding.com/projects/jsdetox/) - JavaScript malware analysis tool. * [jsunpack-n](https://code.google.com/p/jsunpack-n/) - A javascript unpacker that emulates browser functionality. * [Malzilla](http://malzilla.sourceforge.net/) - Analyze malicious web pages. * [RABCDAsm](https://github.com/CyberShadow/RABCDAsm) - A "Robust ActionScript Bytecode Disassembler." * [swftools](http://www.swftools.org/) - Tools for working with Adobe Flash files. * [xxxswf](http://hooked-on-mnemonics.blogspot.com/2011/12/xxxswfpy.html) - A Python script for analyzing Flash files. ## Documents and Shellcode *Analyze malicious JS and shellcode from PDFs and Office documents. See also the [browser malware](#browser-malware) section.* * [AnalyzePDF](https://github.com/hiddenillusion/AnalyzePDF) - A tool for analyzing PDFs and attempting to determine whether they are malicious. * [diStorm](http://www.ragestorm.net/distorm/) - Disassembler for analyzing malicious shellcode. * [JS Beautifier](http://jsbeautifier.org/) - JavaScript unpacking and deobfuscation. * [libemu](http://libemu.carnivore.it/) - Library and tools for x86 shellcode emulation. * [malpdfobj](https://github.com/9b/malpdfobj) - Deconstruct malicious PDFs into a JSON representation. * [OfficeMalScanner](http://www.reconstructer.org/code.html) - Scan for malicious traces in MS Office documents. * [olevba](http://www.decalage.info/python/olevba) - A script for parsing OLE and OpenXML documents and extracting useful information. * [Origami PDF](https://code.google.com/p/origami-pdf/) - A tool for analyzing malicious PDFs, and more. * [PDF Tools](http://blog.didierstevens.com/programs/pdf-tools/) - pdfid, pdf-parser, and more from Didier Stevens. * [PDF X-Ray Lite](https://github.com/9b/pdfxray_lite) - A PDF analysis tool, the backend-free version of PDF X-RAY. * [peepdf](http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) - Python tool for exploring possibly malicious PDFs. * [Spidermonkey](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey) - Mozilla's JavaScript engine, for debugging malicious JS. ## File Carving *For extracting files from inside disk and memory images.* * [bulk_extractor](https://github.com/simsong/bulk_extractor) - Fast file carving tool. * [EVTXtract](https://github.com/williballenthin/EVTXtract) - Carve Windows Event Log files from raw binary data. * [Foremost](http://foremost.sourceforge.net/) - File carving tool designed by the US Air Force. * [Hachoir](https://bitbucket.org/haypo/hachoir) - A collection of Python libraries for dealing with binary files. * [Scalpel](https://github.com/sleuthkit/scalpel) - Another data carving tool. ## Deobfuscation *Reverse XOR and other code obfuscation methods.* * [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home) - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more. * [ex_pe_xor](http://hooked-on-mnemonics.blogspot.com/2014/04/expexorpy.html) & [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html) - Two tools from Alexander Hanel for working with single-byte XOR encoded files. * [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR) - Guess a 256 byte XOR key using frequency analysis. * [unxor](https://github.com/tomchop/unxor/) - Guess XOR keys using known-plaintext attacks. * [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer) - A Python script for brute forcing single-byte XOR keys. * [XORSearch & XORStrings](http://blog.didierstevens.com/programs/xorsearch/) - A couple programs from Didier Stevens for finding XORed data. * [xortool](https://github.com/hellman/xortool) - Guess XOR key length, as well as the key itself. ## Debugging and Reverse Engineering *Disassemblers, debuggers, and other static and dynamic analysis tools.* * [Bokken](https://inguma.eu/projects/bokken) - GUI for Pyew and Radare. * [Evan's Debugger (EDB)](http://codef00.com/projects#debugger) - A modular debugger with a Qt GUI. * [GDB](http://www.sourceware.org/gdb/) - The GNU debugger. * [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml) - Windows disassembler and debugger, with a free evaluation version. * [Immunity Debugger](http://debugger.immunityinc.com/) - Debugger for malware analysis and more, with a Python API. * [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables. * [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils, for static analysis of Linux binaries. * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows executables. * [Process Monitor](https://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) - Advanced monitoring tool for Windows programs. * [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware analysis. * [strace](https://sourceforge.net/projects/strace/) - Dynamic analysis for Linux executables. * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with debugger support. * [Udis86](https://github.com/vmt/udis86) - Disassembler library and tool for x86 and x86_64. * [Vivisect](https://github.com/vivisect/vivisect) - Python tool for malware analysis. ## Network *Analyze network interactions.* * [Bro](https://www.bro.org) - Protocol analyzer that operates at incredible scale; both file and network protocols. * [Fiddler](http://www.telerik.com/fiddler) - Intercepting web proxy designed for "web debugging." * [Hale](https://github.com/pjlantz/Hale) - Botnet C&C monitor. * [INetSim](http://www.inetsim.org/) - Network service emulation, useful when building a malware lab. * [Malcom](https://github.com/tomchop/malcom) - Malware Communications Analyzer. * [mitmproxy](https://mitmproxy.org/) - Intercept network traffic on the fly. * [NetworkMiner](http://www.netresec.com/?page=NetworkMiner) - Network forensic analysis tool, with a free version. * [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic like grep. * [Tcpdump](http://www.tcpdump.org/) - Collect network traffic. * [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams from network traffic. * [tcpxtract](http://tcpxtract.sourceforge.net/) - Extract files from network traffic. * [Wireshark](https://www.wireshark.org/) - The network traffic analysis tool. ## Memory Forensics *Tools for dissecting malware in memory images or running systems.* * [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of Malware in Memory, built on Volatility * [FindAES](https://jessekornblum.livejournal.com/269749.html) - Find AES encryption keys in memory. * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions of analysis using Volatility, and create a readable report. * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework, forked from Volatility in 2013. * [TotalRecall](https://github.com/sketchymoose/TotalRecall) - Script based on Volatility for automating various malware analysis tasks. * [Volatility](https://github.com/volatilityfoundation/volatility) - Advanced memory forensics framework. * [WinDbg](https://msdn.microsoft.com/en-us/windows/hardware/hh852365) - Live memory inspection and kernel debugging for Windows systems. ## Windows Artifacts * [python-evt](https://github.com/williballenthin/python-evt) - Python library for parsing Windows Event Logs. * [python-registry](http://www.williballenthin.com/registry/) - Python library for parsing registry files. * [RegRipper](https://regripper.wordpress.com/) ([GitHub](https://github.com/keydet89/RegRipper2.8)) - Plugin-based registry analysis tool. ## Storage and Workflow * [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and search malware. * [Viper](http://viper.li/) - A binary management and analysis framework for analysts and researchers. ## Miscellaneous * [REMnux](https://remnux.org/) - Linux distribution and docker images for malware reverse engineering and analysis. * [Santoku Linux](https://santoku-linux.com/) - Linux distribution for mobile forensics, malware analysis, and security. # Resources ## Books *Essential malware analysis reading material.* * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - Tools and Techniques for Fighting Malicious Code. * [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide to Dissecting Malicious Software. * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting Malware and Threats in Windows, Linux, and Mac Memory. * [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide to the World's Most Popular Disassembler. ## Twitter *Some relevant Twitter accounts.* * Andrew Case [@attrc](https://twitter.com/attrc) * Claudio [@botherder](https://twitter.com/botherder) * Dustin Webber [@mephux](https://twitter.com/mephux) * Glenn [@hiddenillusion](https://twitter.com/hiddenillusion) * jekil [@jekil](https://twitter.com/jekil) * Jurriaan Bremer [@skier_t](https://twitter.com/skier_t) * Lenny Zeltser [@lennyzeltser](https://twitter.com/lennyzeltser) * Liam Randall [@hectman](https://twitter.com/hectaman) * Mark Schloesser [@repmovsb](https://twitter.com/repmovsb) * Michael Ligh (MHL) [@iMHLv2](https://twitter.com/iMHLv2) * Richard Bejtlich [@taosecurity](https://twitter.com/taosecurity) * Volatility [@volatility](https://twitter.com/volatility) ## Other * [Honeynet Project](http://honeynet.org/) - Honeypot tools, papers, and other resources. * [Malicious Software](https://zeltser.com/malicious-software/) - Malware blog and resources by Lenny Zeltser. * [Malware Analysis Search](http://www.google.com/cse/home?cx=011750002002865445766:pc60zx1rliu) - Custom Google search engine from [Corey Harrell](journeyintoir.blogspot.com/). * [WindowsIR: Malware](http://windowsir.blogspot.com/p/malware.html) - Harlan Carvey's page on Malware. * [/r/Malware](https://www.reddit.com/r/Malware) - The malware subreddit. * [/r/ReverseEngineering](https://www.reddit.com/r/ReverseEngineering) - Reverse engineering subreddit, not limited to just malware. # Related Awesome Lists * [Android Security](https://github.com/ashishb/android-security-awesome) * [Pentesting](https://github.com/enaqx/awesome-pentest) * [Security](https://github.com/sbilly/awesome-security) # [Contributing](CONTRIBUTING.md) Pull requests and issues with suggestions are welcome! # Thanks This list was made possible by: * Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list; * Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the *Malware Analyst's Cookbook*, which was a big inspiration for creating the list; * And everyone else who has sent pull requests or suggested links to add here! Thanks!