25 KiB
Awesome Malware Analysis
A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.
- Awesome Malware Analysis
- Malware Collection
- Open Source Threat Intelligence
- Detection and Classification
- Online Scanners and Sandboxes
- Domain Analysis
- Browser Malware
- Documents and Shellcode
- File Carving
- Deobfuscation
- Debugging and Reverse Engineering
- Network
- Memory Forensics
- Windows Artifacts
- Storage and Workflow
- Miscellaneous
- Resources
- Related Awesome Lists
- Contributing
- Thanks
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
- Anonymouse.org - A free, web based anonymizer.
- OpenVPN - VPN software and hosting solutions.
- Privoxy - An open source proxy server with some privacy features.
- Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
- Conpot - ICS/SCADA honeypot.
- Dionaea - Honeypot designed to trap malware.
- Glastopf - Web application honeypot.
- Honeyd - Create a virtual honeynet.
- HoneyDrive - Honeypot bundle Linux distro.
- Kippo - Medium interaction SSH honeypot.
- Mnemosyne - A normalizer for honeypot data; supports Dionaea.
- Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
- Clean MX - Realtime database of malware and malicious domains.
- Contagio - A collection of recent malware samples and analyses.
- Exploit Database - Exploit and shellcode samples.
- Malshare - Large repository of malware actively scrapped from malicious sites.
- maltrieve - Retrieve malware samples directly from a number of online sources.
- MalwareDB - Malware samples repository.
- theZoo - Live malware samples for analysts.
- ViruSign - Malware database that detected by many anti malware programs except ClamAV.
- VirusShare - Malware repository, registration
- Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
- Zeus Source Code - Source for the Zeus trojan leaked in 2011. required.
Open Source Threat Intelligence
Tools
Harvest and analyze IOCs.
- Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
- IntelMQ - A tool for CERTs for processing incident data using a message queue.
- IOC Editor - A free editor for XML IOC files, from Mandiant.
- ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
- Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
- MISP - Malware Information Sharing Platform curated by The MISP Project.
- PassiveTotal - Research, connect, tag and share IPs and domains.
- threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
- ThreatCrowd - A search engine for threats, with graphical visualization.
- TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.
Other Resources
Threat intelligence and IOC resources.
- Autoshun (list) - Snort plugin and blocklist.
- CI Army (list) - Network security blocklists.
- Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- CRDF ThreatCenter - List of new threats detected by CRDF anti-malware.
- Emerging Threats - Rulesets and more.
- FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
- hpfeeds - Honeypot feed protocol.
- Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
- malc0de - Searchable incident database.
- Malware Domain List - Search and share malicious URLs.
- OpenIOC - Framework for sharing threat intelligence.
- Palevo Blocklists - Botnet C&C blocklists.
- STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
- threatRECON - Search for indicators, up to 1000 free per month.
- Yara rules - Yara rules repository.
- ZeuS Tracker - ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
- chkrootkit - Local Linux rootkit detection.
- ClamAV - Open source antivirus engine.
- ExifTool - Read, write and edit file metadata.
- hashdeep - Compute digest hashes with a variety of algorithms.
- Loki - Host based scanner for IOCs.
- MASTIFF - Static analysis framework.
- MultiScanner - Modular file scanning/analysis framework
- nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
- packerid - A cross-platform Python alternative to PEiD.
- PEiD - Packer identifier for Windows binaries.
- PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- Rootkit Hunter - Detect Linux rootkits.
- ssdeep - Compute fuzzy hashes.
- totalhash.py - Python script for easy searching of the TotalHash.com database.
- TrID - File identifier.
- YARA - Pattern matching tool for analysts.
- Yara rules generator - Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- Anubis - Malware Analysis for Unknown Binaries and Site Check.
- AVCaesar - Malware.lu online scanner and malware repository.
- Cryptam - Analyze suspicious office documents.
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- cuckoo-modified - Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- DRAKVUF - Dynamic malware analysis system.
- Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
- IRMA - An asynchronous and customizable analysis platform for suspicious files.
- Jotti - Free online multi-AV scanner.
- Malheur - Automatic sandboxed analysis of malware behavior.
- Malwr - Free analysis with an online Cuckoo Sandbox instance.
- MASTIFF Online - Online static analysis of malware.
- Metascan Online - Free file scanning with multiple antivirus engines.
- Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PDF Examiner - Analyse suspicious PDF files.
- Recomposer - A helper script for safely uploading binaries to sandbox sites.
- VirusTotal - Free online analysis of malware samples and URLs
- Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
Domain Analysis
Inspect domains and IP addresses.
- Desenmascara.me - One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig - Free online dig and other network tools.
- IPinfo - Gather information about an IP or domain by searching online resources.
- SenderBase - Search for IP, domain or network owner.
- SpamCop - IP based spam block list.
- SpamHaus - Block list based on domains and IPs.
- Sucuri SiteCheck - Free Website Malware and Security Scanner.
- TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
- Whois - DomainTools free online whois search.
- Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.
Browser Malware
Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.
- Firebug - Firefox extension for web development.
- Java Decompiler - Decompile and inspect Java apps.
- Java IDX Parser - Parses Java IDX cache files.
- JSDetox - JavaScript malware analysis tool.
- jsunpack-n - A javascript unpacker that emulates browser functionality.
- Malzilla - Analyze malicious web pages.
- RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
- swftools - Tools for working with Adobe Flash files.
- xxxswf - A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm - Disassembler for analyzing malicious shellcode.
- JS Beautifier - JavaScript unpacking and deobfuscation.
- libemu - Library and tools for x86 shellcode emulation.
- malpdfobj - Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner - Scan for malicious traces in MS Office documents.
- olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF - A tool for analyzing malicious PDFs, and more.
- PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf - Python tool for exploring possibly malicious PDFs.
- Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.
File Carving
For extracting files from inside disk and memory images.
- bulk_extractor - Fast file carving tool.
- EVTXtract - Carve Windows Event Log files from raw binary data.
- Foremost - File carving tool designed by the US Air Force.
- Hachoir - A collection of Python libraries for dealing with binary files.
- Scalpel - Another data carving tool.
Deobfuscation
Reverse XOR and other code obfuscation methods.
- Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
- ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
- unxor - Guess XOR keys using known-plaintext attacks.
- XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
- xortool - Guess XOR key length, as well as the key itself.
Debugging and Reverse Engineering
Disassemblers, debuggers, and other static and dynamic analysis tools.
- Bokken - GUI for Pyew and Radare.
- Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
- GDB - The GNU debugger.
- IDA Pro - Windows disassembler and debugger, with a free evaluation version.
- Immunity Debugger - Debugger for malware analysis and more, with a Python API.
- ltrace - Dynamic analysis for Linux executables.
- objdump - Part of GNU binutils, for static analysis of Linux binaries.
- OllyDbg - An assembly-level debugger for Windows executables.
- pestudio - Perform static analysis of Windows executables.
- Process Monitor - Advanced monitoring tool for Windows programs.
- Pyew - Python tool for malware analysis.
- Radare2 - Reverse engineering framework, with debugger support.
- strace - Dynamic analysis for Linux executables.
- Udis86 - Disassembler library and tool for x86 and x86_64.
- Vivisect - Python tool for malware analysis.
Network
Analyze network interactions.
- Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
- CapTipper - Malicious HTTP traffic explorer.
- chopshop - Protocol analysis and decoding framework.
- Fiddler - Intercepting web proxy designed for "web debugging."
- Hale - Botnet C&C monitor.
- INetSim - Network service emulation, useful when building a malware lab.
- Malcom - Malware Communications Analyzer.
- mitmproxy - Intercept network traffic on the fly.
- Moloch - IPv4 traffic capturing, indexing and database system.
- NetworkMiner - Network forensic analysis tool, with a free version.
- ngrep - Search through network traffic like grep.
- Tcpdump - Collect network traffic.
- tcpick - Trach and reassemble TCP streams from network traffic.
- tcpxtract - Extract files from network traffic.
- Wireshark - The network traffic analysis tool.
Memory Forensics
Tools for dissecting malware in memory images or running systems.
- DAMM - Differential Analysis of Malware in Memory, built on Volatility
- FindAES - Find AES encryption keys in memory.
- Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
- Rekall - Memory analysis framework, forked from Volatility in 2013.
- TotalRecall - Script based on Volatility for automating various malware analysis tasks.
- VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
- Volatility - Advanced memory forensics framework.
- WinDbg - Live memory inspection and kernel debugging for Windows systems.
Windows Artifacts
- python-evt - Python library for parsing Windows Event Logs.
- python-registry - Python library for parsing registry files.
- RegRipper (GitHub) - Plugin-based registry analysis tool.
Storage and Workflow
- Aleph - OpenSource Malware Analysis Pipeline System.
- CRITs - Collaborative Research Into Threats, a malware and threat repository.
- Malwarehouse - Store, tag, and search malware.
- MISP - Malware Information Sharing Platform curated by The MISP Project.
- Viper - A binary management and analysis framework for analysts and researchers.
Miscellaneous
- DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
- REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
- Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.
Resources
Books
Essential malware analysis reading material.
- Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
- Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
- The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
- The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.
Some relevant Twitter accounts.
- Adamb @Hexacorn
- Andrew Case @attrc
- Claudio @botherder
- Dustin Webber @mephux
- Glenn @hiddenillusion
- jekil @jekil
- Jurriaan Bremer @skier_t
- Lenny Zeltser @lennyzeltser
- Liam Randall @hectaman
- Mark Schloesser @repmovsb
- Michael Ligh (MHL) @iMHLv2
- Richard Bejtlich @taosecurity
- Volatility @volatility
Other
- Honeynet Project - Honeypot tools, papers, and other resources.
- Malicious Software - Malware blog and resources by Lenny Zeltser.
- Malware Analysis Search - Custom Google search engine from Corey Harrell.
- WindowsIR: Malware - Harlan Carvey's page on Malware.
- /r/Malware - The malware subreddit.
- /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
Contributing
Pull requests and issues with suggestions are welcome!
Thanks
This list was made possible by:
- Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
- Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
- And everyone else who has sent pull requests or suggested links to add here!
Thanks!