Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
- Awesome Malware Analysis
- Malware Collection
- Open Source Threat Intelligence
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
- Related Awesome Lists
- Contributing
- Thanks
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
- Conpot - ICS/SCADA honeypot.
- Cowrie - SSH honeypot, based on Kippo.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- HoneyDrive - Honeypot bundle Linux distro.
- Mnemosyne - A normalizer for honeypot data; supports Dionaea.
- Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Malshare - Large repository of malware actively scraped from malicious sites.
- maltrieve - Retrieve malware samples directly from a number of online sources.
- MalwareDB - Malware samples repository.
- Open Malware Project - Sample information and downloads. Formerly Offensive Computing.
- theZoo - Live malware samples for analysts.
- ViruSign - Malware database of samples detected by many anti-malware programs except ClamAV.
- VirusShare - Malware repository, registration required.
- Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code - Source for the Zeus trojan leaked in 2011.
Open Source Threat Intelligence
Tools
Harvest and analyze IOCs.
- AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
- AlienVault Open Threat Exchange - Share and collaborate in developing Threat Intelligence.
- Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
- IntelMQ - A tool for CERTs for processing incident data using a message queue.
- IOC Editor - A free editor for XML IOC files.
- ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
- Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP - Malware Information Sharing Platform curated by The MISP Project.
- PassiveTotal - Research, connect, tag and share IPs and domains.
- PyIOCe - A Python OpenIOC editor.
- threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
- ThreatCrowd - A search engine for threats, with graphical visualization.
- ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
- TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.
Other Resources
Threat intelligence and IOC resources.
- Autoshun (list) - Snort plugin and blocklist.
- CI Army (list) - Network security blocklists.
- Critical Stack - Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- CRDF ThreatCenter - List of new threats detected by CRDF anti-malware.
- FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
- FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
- hpfeeds - Honeypot feed protocol.
- Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
- malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- OpenIOC - Framework for sharing threat intelligence.
- Palevo Blocklists - Botnet C&C blocklists.
- Proofpoint Threat Intelligence (formerly Emerging Threats) - Rulesets and more.
- STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
- threatRECON - Search for indicators, up to 1000 free per month.
- Yara rules - Yara rules repository.
- ZeuS Tracker - ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
- Detect-It-Easy - A program for determining types of files.
- ExifTool - Read, write and edit file metadata.
- hashdeep - Compute digest hashes with a variety of algorithms.
- Loki - Host based scanner for IOCs.
- Malfunction - Catalog and compare malware at a function level.
- MASTIFF - Static analysis framework.
- MultiScanner - Modular file scanning/analysis framework.
- nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
- packerid - A cross-platform Python alternative to PEiD.
- PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- Rootkit Hunter - Detect Linux rootkits.
- ssdeep - Compute fuzzy hashes.
- totalhash.py - Python script for easy searching of the TotalHash.cymru.com database.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
- Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- APK Analyzer - Free dynamic analysis of APKs.
- AndroTotal - Free online analysis of APKs against multiple mobile antivirus apps.
- AVCaesar - Malware.lu online scanner and malware repository.
- Cryptam - Analyze suspicious office documents.
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- DeepViz - Multi-format file analyzer with machine-learning classification.
- Document Analyzer - Free dynamic analysis of DOC and PDF files.
- DRAKVUF - Dynamic malware analysis system.
- File Analyzer - Free dynamic analysis of PE files.
- Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
- IRMA - An asynchronous and customizable analysis platform for suspicious files.
- Joe Sandbox - Deep malware analysis with Joe Sandbox.
- Jotti - Free online multi-AV scanner.
- Malheur - Automatic sandboxed analysis of malware behavior.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- MASTIFF Online - Online static analysis of malware.
- Metadefender.com - Scan a file, hash or IP address for malware (free).
- Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PDF Examiner - Analyse suspicious PDF files.
- Recomposer - A helper script for safely uploading binaries to sandbox sites.
- SEE - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments.
- URL Analyzer - Free dynamic analysis of URL files.
- VirusTotal - Free online analysis of malware samples and URLs.
- Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig - Free online dig and other network tools.
- dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
- IPinfo - Gather information about an IP or domain by searching online resources.
- Machinae - OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
- mailchecker - Cross-language temporary email detection library.
- MaltegoVT - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
- SenderBase - Search for IP, domain or network owner.
- SpamCop - IP based spam block list.
- SpamHaus - Block list based on domains and IPs.
- squidmagic - A tool designed to analyze network traffic to detect central C&C servers and malicious sites, using Squid proxy server, Virustotal and more.
- Sucuri SiteCheck - Free Website Malware and Security Scanner.
- TekDefense Automator - OSINT tool for gathering information about URLs, IPs, or hashes.
- URLQuery - Free URL Scanner.
- Whois - DomainTools free online whois search.
- Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- Zscaler Zulu - Zulu URL Risk Analyzer.
Browser Malware
Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.
- Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser - Parses Java IDX cache files.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n - A JavaScript unpacker that emulates browser functionality.
- Krakatau - Java decompiler, assembler, and disassembler.
- Malzilla - Analyze malicious web pages.
- RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm - Disassembler for analyzing malicious shellcode.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- JS Deobfuscator - Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file carving tool.
- EVTXtract - Carve Windows Event Log files from raw binary data.
- Foremost - File carving tool designed by the US Air Force.
- Hachoir - A collection of Python libraries for dealing with binary files.
- Scalpel - Another data carving tool.
Deobfuscation
Reverse XOR and other code obfuscation methods.
- Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
- de4dot - .NET deobfuscator and unpacker.
- ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- FLOSS - The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
- PackerAttacker - A generic hidden code extractor for Windows malware.
- unpacker - Automated malware unpacker for Windows malware based on WinAppDbg.
- unxor - Guess XOR keys using known-plaintext attacks.
- VirtualDeobfuscator - Reverse engineering tool for virtualization wrappers.
- XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings - A couple of programs from Didier Stevens for finding XORed data.
- xortool - Guess XOR key length, as well as the key itself.
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- angr - Platform-agnostic binary analysis framework developed at UCSB's Seclab.
- bamfdetect - Identifies and extracts information from bots and other malware.
- BARF - Multiplatform, open source Binary Analysis and Reverse engineering Framework.
- binnavi - Binary analysis IDE for reverse engineering based on graph visualization.
- Bokken - GUI for Pyew and Radare.
- Capstone - Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
- codebro - Web based code browser using clang to provide basic code analysis.
- dnSpy - .NET assembly editor, decompiler and debugger.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- Fibratus - Tool for exploration and tracing of the Windows kernel.
- GDB - The GNU debugger.
- GEF - GDB Enhanced Features, for exploiters and reverse engineers.
- hackers-grep - A utility to search for strings in PE executables including imports, exports, and debug symbols.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- PANDA - Platform for Architecture-Neutral Dynamic Analysis.
- PEDA - Python Exploit Development Assistance for GDB, an enhanced display with added commands.
- pestudio - Perform static analysis of Windows executables.
- plasma - Interactive disassembler for x86/ARM/MIPS.
- PPEE (puppy) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
- Process Monitor - Advanced monitoring tool for Windows programs.
- Pyew - Python tool for malware analysis.
- Radare2 - Reverse engineering framework, with debugger support.
- ROPMEMU - A framework to analyze, dissect and decompile complex code-reuse attacks.
- SMRT - Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
- strace - Dynamic analysis for Linux executables.
- Triton - A dynamic binary analysis (DBA) framework.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
- X64dbg - An open-source x64/x32 debugger for Windows.
Network
Analyze network interactions.
- Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
- BroYara - Use Yara rules from Bro.
- CapTipper - Malicious HTTP traffic explorer.
- chopshop - Protocol analysis and decoding framework.
- Fiddler - Intercepting web proxy designed for "web debugging."
- Hale - Botnet C&C monitor.
- Haka - An open source security oriented language for describing protocols and applying security policies on (live) captured traffic.
- INetSim - Network service emulation, useful when building a malware lab.
- Laika BOSS - Laika BOSS is a file-centric malware analysis and intrusion detection system.
- Malcom - Malware Communications Analyzer.
- Maltrail - A malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails and featuring a reporting and analysis interface.
- mitmproxy - Intercept network traffic on the fly.
- Moloch - IPv4 traffic capturing, indexing and database system.
- NetworkMiner - Network forensic analysis tool, with a free version.
- ngrep - Search through network traffic like grep.
- PcapViz - Network topology and traffic visualizer.
- Tcpdump - Collect network traffic.
- tcpick - Track and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- Wireshark - The network traffic analysis tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- DAMM - Differential Analysis of Malware in Memory, built on Volatility.
- evolve - Web interface for the Volatility Memory Forensics Framework.
- FindAES - Find AES encryption keys in memory.
- Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall - Script based on Volatility for automating various malware analysis tasks.
- VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
- Volatility - Advanced memory forensics framework.
- VolUtility - Web Interface for Volatility Memory Analysis framework.
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts
- AChoir - A live incident response script for gathering Windows artifacts.
- python-evt - Python library for parsing Windows Event Logs.
- python-registry - Python library for parsing registry files.
- RegRipper (GitHub) - Plugin-based registry analysis tool.
Storage and Workflow
- Aleph - OpenSource Malware Analysis Pipeline System.
- CRITs - Collaborative Research Into Threats, a malware and threat repository.
- Malwarehouse - Store, tag, and search malware.
- Viper - A binary management and analysis framework for analysts and researchers.
Miscellaneous
- DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
- Pafish - Paranoid Fish, a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
- Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.
Resources
Books
Essential malware analysis reading material.
- Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
Twitter
Some relevant Twitter accounts.
- Adamb @Hexacorn
- Andrew Case @attrc
- Claudio @botherder
- Dustin Webber @mephux
- Glenn @hiddenillusion
- jekil @jekil
- Jurriaan Bremer @skier_t
- Lenny Zeltser @lennyzeltser
- Liam Randall @hectaman
- Mark Schloesser @repmovsb
- Michael Ligh (MHL) @iMHLv2
- Open Malware @OpenMalware
- Richard Bejtlich @taosecurity
- Volatility @volatility
Other
- APT Notes - A collection of papers and notes related to Advanced Persistent Threats.
- File Formats posters - Nice visualization of commonly used file formats (including PE & ELF).
- Honeynet Project - Honeypot tools, papers, and other resources.
- Kernel Mode - An active community devoted to malware analysis and kernel development.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- Malware Analysis Search - Custom Google search engine from Corey Harrell.
- Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu, a great resource for learning practical malware analysis.
- Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
- Practical Malware Analysis Starter Kit - This package contains most of the software referenced in the Practical Malware Analysis book.
- RPISEC Malware Analysis - These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
- WindowsIR: Malware - Harlan Carvey's page on Malware.
- Windows Registry specification - Windows registry file format specification.
- /r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
- Android Security
- AppSec
- CTFs
- "Hacking"
- Honeypots
- Industrial Control System Security
- Incident-Response
- Infosec
- PCAP Tools
- Pentesting
- Security
- Threat Intelligence
Contributing
Pull requests and issues with suggestions are welcome! Please read the CONTRIBUTING guidelines before submitting a PR.
Thanks
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
- Michael Hale Ligh, Steven Adair, Blake Hartstein, and Matthew Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
- And everyone else who has sent pull requests or suggested links to add here!
Thanks!