diff --git a/README.md b/README.md index c21eaab..eacf83e 100644 --- a/README.md +++ b/README.md @@ -87,7 +87,7 @@ A curated list of awesome malware analysis tools and resources. Inspired by crawler with pre-analysis and reporting functionalities * [theZoo](https://github.com/ytisf/theZoo) - Live malware samples for analysts. -* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker +* [Tracker h3x](http://tracker.h3x.eu/) - Agregator for malware corpus tracker and malicious download sites. * [ViruSign](http://www.virussign.com/) - Malware database that detected by many anti malware programs except ClamAV. @@ -121,7 +121,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by working with OpenIOC objects, from Mandiant. * [Massive Octo Spice](https://github.com/csirtgadgets/massive-octo-spice) - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs - from various lists. Curated by the [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework). + from various lists. Curated by the + [CSIRT Gadgets Foundation](http://csirtgadgets.org/collective-intelligence-framework). * [MISP](https://github.com/MISP/MISP) - Malware Information Sharing Platform curated by [The MISP Project](http://www.misp-project.org/). * [PyIOCe](https://github.com/pidydx/PyIOCe) - A Python OpenIOC editor. 
@@ -165,14 +166,14 @@ A curated list of awesome malware analysis tools and resources. Inspired by * [malc0de](http://malc0de.com/database/) - Searchable incident database. * [Malware Domain List](http://www.malwaredomainlist.com/) - Search and share malicious URLs. -* [Metadefender.com Threat Intelligence Feeds](https://www.metadefender.com/threat-intelligence-feeds) - +* [Metadefender.com Threat Intelligence Feeds](https://www.metadefender.com/threat-intelligence-feeds) - List of the most looked up file hashes from Metadefender.com malware feed. * [OpenIOC](http://openioc.org/) - Framework for sharing threat intelligence. * [Palevo Blocklists](https://palevotracker.abuse.ch/blocklists.php) - Botnet C&C blocklists. * [Proofpoint Threat Intelligence](https://www.proofpoint.com/us/products/et-intelligence) - Rulesets and more. (Formerly Emerging Threats.) -* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - +* [Ransomware overview](https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml) - A list of ransomware overview with details, detection and prevention. * [STIX - Structured Threat Information eXpression](http://stixproject.github.io) - Standardized language to represent and share cyber threat information. 
@@ -193,8 +194,8 @@ A curated list of awesome malware analysis tools and resources. Inspired by * [AnalyzePE](https://github.com/hiddenillusion/AnalyzePE) - Wrapper for a variety of tools for reporting on Windows PE files. -* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless -AWS pipeline that scans and alerts on uploaded files based on a set of +* [BinaryAlert](https://github.com/airbnb/binaryalert) - An open source, serverless +AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules. * [chkrootkit](http://www.chkrootkit.org/) - Local Linux rootkit detection. * [ClamAV](http://www.clamav.net/) - Open source antivirus engine. @@ -221,8 +222,9 @@ YARA rules. files, providing feature-rich tools for proper analysis of suspicious binaries. * [Rootkit Hunter](http://rkhunter.sourceforge.net/) - Detect Linux rootkits. * [ssdeep](https://ssdeep-project.github.io/ssdeep/) - Compute fuzzy hashes. -* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - Python script - for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) database. +* [totalhash.py](https://gist.github.com/gleblanc1783/3c8e6b379fa9d646d401b96ab5c7877f) - + Python script for easy searching of the [TotalHash.cymru.com](https://totalhash.cymru.com/) + database. * [TrID](http://mark0.net/soft-trid-e.html) - File identifier. * [YARA](https://plusvic.github.io/yara/) - Pattern matching tool for analysts. 
@@ -243,16 +245,18 @@ YARA rules. * [cuckoo-modified](https://github.com/brad-accuvant/cuckoo-modified) - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author. -* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A Python API used to control - a cuckoo-modified sandbox. +* [cuckoo-modified-api](https://github.com/keithjjones/cuckoo-modified-api) - A + Python API used to control a cuckoo-modified sandbox. * [DeepViz](https://www.deepviz.com/) - Multi-format file analyzer with machine-learning classification. -* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do traffic analysis - of Linux malwares and capturing IOCs. +* [detux](https://github.com/detuxsandbox/detux/) - A sandbox developed to do + traffic analysis of Linux malwares and capturing IOCs. * [DRAKVUF](https://github.com/tklengyel/drakvuf) - Dynamic malware analysis system. -* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any firmware package. -* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware Analysis Tool for Linux ELF Files. +* [firmware.re](http://firmware.re/) - Unpacks, scans and analyzes almost any + firmware package. +* [HaboMalHunter](https://github.com/Tencent/HaboMalHunter) - An Automated Malware + Analysis Tool for Linux ELF Files. * [Hybrid Analysis](https://www.hybrid-analysis.com/) - Online malware analysis tool, powered by VxSandbox. * [IRMA](http://irma.quarkslab.com/) - An asynchronous and customizable 
@@ -262,8 +266,9 @@ YARA rules. * [Limon](https://github.com/monnappa22/Limon) - Sandbox for Analyzing Linux Malwares * [Malheur](https://github.com/rieck/malheur) - Automatic sandboxed analysis of malware behavior. -* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for online malware and URL analysis services. -* [Malware config](https://malwareconfig.com/) - Extract, decode and display online +* [malsub](https://github.com/diogo-fernan/malsub) - A Python RESTful API framework for + online malware and URL analysis services. +* [Malware config](https://malwareconfig.com/) - Extract, decode and display online the configuration settings from common malwares. * [Malwr](https://malwr.com/) - Free analysis with an online Cuckoo Sandbox instance. @@ -280,14 +285,15 @@ YARA rules. * [ProcDot](http://www.procdot.com) - A graphical malware analysis tool kit. * [Recomposer](https://github.com/secretsquirrel/recomposer) - A helper script for safely uploading binaries to sandbox sites. -* [Sand droid](http://sanddroid.xjtu.edu.cn/) - Automatic and complete +* [Sand droid](http://sanddroid.xjtu.edu.cn/) - Automatic and complete Android application analysis system. * [SEE](https://github.com/F-Secure/see) - Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. * [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs * [Visualize_Logs](https://github.com/keithjjones/visualize_logs) - Open source - visualization library and command line tools for logs. (Cuckoo, Procmon, more to come...) + visualization library and command line tools for logs. (Cuckoo, Procmon, more + to come...) * [Zeltser's List](https://zeltser.com/automated-malware-analysis/) - Free automated sandboxes and services, compiled by Lenny Zeltser. 
@@ -295,7 +301,8 @@ YARA rules. *Inspect domains and IP addresses.* -* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed for consistent and safe capture of off network web resources. +* [boomerang](https://github.com/EmersonElectricCo/boomerang) - A tool designed + for consistent and safe capture of off network web resources. * [Desenmascara.me](http://desenmascara.me) - One click tool to retrieve as much metadata as possible for a website and to assess its good standing. * [Dig](https://networking.ringofsaturn.com/) - Free online dig and other 
@@ -311,18 +318,18 @@ YARA rules. * [MaltegoVT](https://github.com/michael-yip/MaltegoVT) - Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports. -* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward +* [Multi rbl](http://multirbl.valli.org/) - Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs. -* [NormShield Services](https://services.normshield.com/) - Free API Services - for detecting possible phishing domains, blacklisted ip addresses and breached +* [NormShield Services](https://services.normshield.com/) - Free API Services + for detecting possible phishing domains, blacklisted ip addresses and breached accounts. * [SpamCop](https://www.spamcop.net/bl.shtml) - IP based spam block list. * [SpamHaus](https://www.spamhaus.org/lookup/) - Block list based on domains and IPs. * [Sucuri SiteCheck](https://sitecheck.sucuri.net/) - Free Website Malware and Security Scanner. -* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain or network - owner. (Previously SenderBase.) +* [Talos Intelligence](https://talosintelligence.com/) - Search for IP, domain + or network owner. (Previously SenderBase.) * [TekDefense Automater](http://www.tekdefense.com/automater/) - OSINT tool for gathering information about URLs, IPs, or hashes. * [URLQuery](http://urlquery.net/) - Free URL Scanner. 
@@ -455,7 +462,8 @@ the [browser malware](#browser-malware) section.* source Binary Analysis and Reverse engineering Framework. * [binnavi](https://github.com/google/binnavi) - Binary analysis IDE for reverse engineering based on graph visualization. -* [Binary ninja](https://binary.ninja/) - A reversing engineering platform that is an alternative to IDA. +* [Binary ninja](https://binary.ninja/) - A reversing engineering platform + that is an alternative to IDA. * [Binwalk](https://github.com/devttys0/binwalk) - Firmware analysis tool. * [Bokken](http://www.bokken.re/) - GUI for Pyew and Radare. ([mirror](https://github.com/inguma/bokken)) 
@@ -485,38 +493,42 @@ the [browser malware](#browser-malware) section.* * [Kaitai Struct](http://kaitai.io/) - DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby. -* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library +* [LIEF](https://lief.quarkslab.com/) - LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats. * [ltrace](http://ltrace.org/) - Dynamic analysis for Linux executables. * [objdump](https://en.wikipedia.org/wiki/Objdump) - Part of GNU binutils, for static analysis of Linux binaries. * [OllyDbg](http://www.ollydbg.de/) - An assembly-level debugger for Windows executables. -* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral Dynamic Analysis +* [PANDA](https://github.com/moyix/panda) - Platform for Architecture-Neutral + Dynamic Analysis. * [PEDA](https://github.com/longld/peda) - Python Exploit Development Assistance for GDB, an enhanced display with added commands. * [pestudio](https://winitor.com/) - Perform static analysis of Windows executables. -* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive disassembler for - x86/ARM/MIPS. +* [plasma](https://github.com/plasma-disassembler/plasma) - Interactive + disassembler for x86/ARM/MIPS. * [PPEE (puppy)](https://www.mzrst.com/) - A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail. * [Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) - Advanced task manager for Windows. -* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors system resources. +* [Process Hacker](http://processhacker.sourceforge.net/) - Tool that monitors + system resources. 
* [Process Monitor](https://docs.microsoft.com/sysinternals/downloads/procmon) - Advanced monitoring tool for Windows programs. * [PSTools](https://docs.microsoft.com/sysinternals/downloads/pstools) - Windows command-line tools that help manage and investigate live systems. * [Pyew](https://github.com/joxeankoret/pyew) - Python tool for malware analysis. -* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse engineering - sandbox by the Talos team at Cisco. -* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg server for stealth debugging. +* [PyREBox](https://github.com/Cisco-Talos/pyrebox) - Python scriptable reverse + engineering sandbox by the Talos team at Cisco. +* [QKD](https://github.com/ispras/qemu/releases/) - QEMU with embedded WinDbg + server for stealth debugging. * [Radare2](http://www.radare.org/r/) - Reverse engineering framework, with debugger support. -* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility that compares snapshots. +* [RegShot](https://sourceforge.net/projects/regshot/) - Registry compare utility + that compares snapshots. * [RetDec](https://retdec.com/) - Retargetable machine-code decompiler with an [online decompilation service](https://retdec.com/decompilation/) and [API](https://retdec.com/api/) that you can use in your tools. @@ -544,7 +556,7 @@ the [browser malware](#browser-malware) section.* explorer. * [chopshop](https://github.com/MITRECND/chopshop) - Protocol analysis and decoding framework. -* [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis +* [CloudShark](https://www.cloudshark.org) - Web-based tool for packet analysis and malware traffic detection. * [Fiddler](http://www.telerik.com/fiddler) - Intercepting web proxy designed for "web debugging." 
@@ -572,11 +584,14 @@ the [browser malware](#browser-malware) section.* forensic analysis tool, with a free version. * [ngrep](http://ngrep.sourceforge.net/) - Search through network traffic like grep. -* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and traffic visualizer. -* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An ICAP Server with yara scanner for URL or content. -* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool - designed to analyze a web-based network traffic to detect central command - and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus. +* [PcapViz](https://github.com/mateuszk87/PcapViz) - Network topology and + traffic visualizer. +* [Python ICAP Yara](https://github.com/RamadhanAmizudin/python-icap-yara) - An + ICAP Server with yara scanner for URL or content. +* [Squidmagic](https://github.com/ch3k1/squidmagic) - squidmagic is a tool + designed to analyze a web-based network traffic to detect central command + and control (C&C) servers and malicious sites, using Squid proxy server and + Spamhaus. * [Tcpdump](http://www.tcpdump.org/) - Collect network traffic. * [tcpick](http://tcpick.sourceforge.net/) - Trach and reassemble TCP streams from network traffic. 
@@ -589,16 +604,17 @@ the [browser malware](#browser-malware) section.* *Tools for dissecting malware in memory images or running systems.* -* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS forensics - client supporting hiberfil, pagefile, raw memory analysis +* [BlackLight](https://www.blackbagtech.com/blacklight.html) - Windows/MacOS + forensics client supporting hiberfil, pagefile, raw memory analysis * [DAMM](https://github.com/504ensicsLabs/DAMM) - Differential Analysis of Malware in Memory, built on Volatility * [evolve](https://github.com/JamesHabben/evolve) - Web interface for the Volatility Memory Forensics Framework. * [FindAES](http://jessekornblum.livejournal.com/269749.html) - Find AES encryption keys in memory. -* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory analysis framework - developed in .NET supports all Windows x64, includes code integrity and write support. +* [inVtero.net](https://github.com/ShaneK2/inVtero.net) - High speed memory + analysis framework developed in .NET supports all Windows x64, includes + code integrity and write support. * [Muninn](https://github.com/ytisf/muninn) - A script to automate portions of analysis using Volatility, and create a readable report. * [Rekall](http://www.rekall-forensic.com/) - Memory analysis framework, 
@@ -634,9 +650,10 @@ the [browser malware](#browser-malware) section.* Pipeline System. * [CRITs](https://crits.github.io/) - Collaborative Research Into Threats, a malware and threat repository. -* [FAME](https://certsocietegenerale.github.io/fame/) - FAME is a malware analysis framework. - It features a pipeline that can be extended with custom modules that can be chained and - interact with each other to perform end-to-end analysis. +* [FAME](https://certsocietegenerale.github.io/fame/) - A malware analysis + framework featuring a pipeline that can be extended with custom modules, + which can be chained and interact with each other to perform end-to-end + analysis. * [Malwarehouse](https://github.com/sroberts/malwarehouse) - Store, tag, and search malware. * [Polichombr](https://github.com/ANSSI-FR/polichombr) - A malware analysis @@ -655,7 +672,7 @@ the [browser malware](#browser-malware) section.* corpus of malware. * [DC3-MWCP](https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP) - The Defense Cyber Crime Center's Malware Configuration Parser framework. -* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable, +* [FLARE VM](https://github.com/fireeye/flare-vm) - A fully customizable, Windows-based, security distribution for malware analysis. * [MalSploitBase](https://github.com/misterch0c/malSploitBase) - A database containing exploits used by malware. 
@@ -677,10 +694,12 @@ the [browser malware](#browser-malware) section.* * [Malware Analyst's Cookbook and DVD](https://amzn.com/dp/0470613033) - Tools and Techniques for Fighting Malicious Code. -* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On Guide - to Dissecting Malicious Software. -* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) - Intermediate Reverse Engineering -* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer Security and Incident Response +* [Practical Malware Analysis](https://amzn.com/dp/1593272901) - The Hands-On + Guide to Dissecting Malicious Software. +* [Practical Reverse Engineering](https://www.amzn.com/dp/1118787315/) - + Intermediate Reverse Engineering +* [Real Digital Forensics](https://www.amzn.com/dp/0321240693) - Computer + Security and Incident Response * [The Art of Memory Forensics](https://amzn.com/dp/1118825098) - Detecting Malware and Threats in Windows, Linux, and Mac Memory. * [The IDA Pro Book](https://amzn.com/dp/1593272898) - The Unofficial Guide
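Review bot: the rewritten Tracker h3x line in hunk @@ -87,7 still carries the misspelling "Agregator"; since the line is being touched anyway, make it "Aggregator for malware corpus tracker and malicious download sites." The unchanged ViruSign context line just below ("Malware database that detected by many anti malware programs except ClamAV.") is also ungrammatical and would read better as "Malware database of samples detected by many anti-malware programs except ClamAV."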
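Review bot: hunk @@ -165,14 only strips trailing whitespace after the " - " separator on the Metadefender and Ransomware overview entries, but the Ransomware overview description it leaves in place, "A list of ransomware overview with details, detection and prevention.", is awkward; while the entry is being edited, "Overview of ransomware with details on detection and prevention." would be clearer.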
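Review bot: in hunk @@ -243,16 the re-wrapped detux line keeps "traffic analysis of Linux malwares and capturing IOCs"; "malware" is uncountable and the two objects are not parallel, so "traffic analysis of Linux malware and capture of IOCs" reads better. The re-wrapped HaboMalHunter line is title-cased ("An Automated Malware Analysis Tool for Linux ELF Files") unlike every neighbouring description; lower-case it for consistency.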
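Review bot: hunk @@ -262,8 re-wraps the Malware config entry but leaves the awkward word order "Extract, decode and display online the configuration settings from common malwares"; suggest "Extract, decode and display the configuration settings of common malware online." The unchanged Limon context line above it ("Sandbox for Analyzing Linux Malwares") has the same plural and lacks the terminal period the other entries use.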
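Review bot: the re-wrapped boomerang line in hunk @@ -295,7 should hyphenate the compound modifier: "off-network web resources" rather than "off network web resources".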
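Review bot: in hunk @@ -311,18 the re-wrapped NormShield line still reads "blacklisted ip addresses"; "IP" should be capitalised as it is elsewhere in the list ("IP based spam block list", "Search for IP, domain"), and "Free API Services" does not need the capital S.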
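Review bot: the Binary ninja line rewritten in hunk @@ -455,7 keeps the typo "A reversing engineering platform"; since the line is already being changed, correct it to "A reverse engineering platform that is an alternative to IDA."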
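Review bot: the Squidmagic entry re-wrapped in hunk @@ -572,11 restates its own name and uses a stray article: "squidmagic is a tool designed to analyze a web-based network traffic"; trimming it to "Analyzes web-based network traffic to detect central command and control (C&C) servers and malicious sites, using Squid proxy server and Spamhaus." matches the style of the other entries. The unchanged tcpick context line two lines below also has the typo "Trach and reassemble TCP streams", which should be "Track".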
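Review bot: in hunk @@ -589,16 the re-wrapped BlackLight description ("forensics client supporting hiberfil, pagefile, raw memory analysis") is the only entry in the block without a terminal period, and the re-wrapped inVtero.net description runs two clauses together ("developed in .NET supports all Windows x64, includes code integrity and write support"); suggest "developed in .NET; supports all Windows x64 and includes code integrity and write support."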
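Review bot: hunk @@ -655,7 only removes trailing whitespace from the FLARE VM line, but the resulting sentence "A fully customizable, Windows-based, security distribution for malware analysis." has a spurious comma after "Windows-based"; drop it while the line is being edited.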
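Review bot: in hunk @@ -677,10 the re-wrapped Practical Reverse Engineering ("Intermediate Reverse Engineering") and Real Digital Forensics ("Computer Security and Incident Response") entries are the only ones in the Books block without a terminal period; add one to each so they match the Practical Malware Analysis and Art of Memory Forensics lines around them.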