Malware Analysis Tool using Function Level Fuzzy Hashing


Malfunction is a set of tools for cataloging and comparing malware at a function level. Uses Radare2 internally for finding function locations. Written in Python 3. Currently only works on Linux based systems.

Jeramy Lochner and Matthew Rogers gave a presentation on Malfunction for DerbyCon on 9/25/2015 in Louisville, KY.


Manual Installation (example works for Ubuntu 14.04 64-bit)

Install prerequisites 
$ apt-get install git build-essential libffi-dev python3 python3-dev python3-pip automake autoconf libtool
$ BUILD_LIB=1 pip3 install ssdeep
$ pip3 install psutil
Clone this repository
Install the latest version of libsqlite3
$ wget
$ dpkg -i libsqlite3-0_3.8.10.2-1_amd64.deb
Install the latest version of libsqlite3-dev
$ wget
$ dpkg -i libsqlite3-dev_3.8.10.2-1_amd64.deb
Install the latest version of apsw
$ wget
$ unzip
$ cd
$ python3 install
Install the latest version of progressbar-python3 (OPTIONAL)
$ git clone
$ cd progressbar-python3
$ python3 install
Install the latest version of radare2
$ git clone
$ cd radare2
$ ./configure
$ make
$ make install

General Usage

Use mallearn to add a piece of malware to the database, then use malfunction to compare another program with it.

$ python3 malware.exe blacklist
$ python3 possiblymalware.exe



mal-get 'gets' the function-level fuzzy hashes from a given binary and is usually used in conjunction with mal-learn or malfunction.

$ python3 [FILE] -o output.txt


mal-learn is used for known malware, or for things you want to whitelist, and adds them to the database.

$ python3 malware.exe blacklist -a 'Bad Guy' -c 'Evil piece of malware'  
$ python3 notepad.exe whitelist -a 'Microsoft Corporation' -c "Notepad.exe" -p 4


Malfunction generates reports on an unknown binary, based on the signatures in the database.

$ python3 [FILE]
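The idea behind such a report, as an added sketch that is not Malfunction's own code: each function of the unknown binary is scored against blacklist and whitelist signatures, so a reused function is flagged even after small edits. Assumptions: `difflib.SequenceMatcher` stands in for an ssdeep hash comparison, the function bounds are given as a disassembler such as radare2 would report them, and the names `similarity`, `split_functions`, `report` and the threshold of 80 are hypothetical.

```python
from difflib import SequenceMatcher


def similarity(a: bytes, b: bytes) -> int:
    """Return a 0-100 score; stand-in for comparing two ssdeep fuzzy hashes."""
    return round(100 * SequenceMatcher(None, a, b, autojunk=False).ratio())


def split_functions(blob: bytes, bounds):
    """Cut a binary into function bodies from (offset, size) pairs."""
    return [blob[off:off + size] for off, size in bounds]


def report(blob: bytes, bounds, signatures, threshold: int = 80):
    """Return one (offset, verdict, score, comment) row per function."""
    rows = []
    for (off, _), fn in zip(bounds, split_functions(blob, bounds)):
        # Best-scoring signature across both lists.
        score, verdict, comment = max(
            (similarity(fn, sig), lst, note) for lst, note, sig in signatures
        )
        if score < threshold:  # nothing in the database is close enough
            verdict, comment = "unknown", ""
        rows.append((off, verdict, score, comment))
    return rows


# Constructed sample data (byte patterns, not real machine code).
BAD_FN = bytes(range(0x10, 0x50))    # function learned from a blacklisted file
GOOD_FN = bytes(range(0x60, 0xA0))   # function learned from a whitelisted file
SIGNATURES = [
    ("blacklist", "Evil piece of malware", BAD_FN),
    ("whitelist", "Notepad.exe", GOOD_FN),
]

patched = bytearray(BAD_FN)
for i in (10, 20, 30, 40):           # four bytes changed in the reused function
    patched[i] = 0x00
NOVEL_FN = bytes(range(0xB0, 0xF0))  # function seen in neither list

SAMPLE = bytes(patched) + GOOD_FN + NOVEL_FN
BOUNDS = [(0, 64), (64, 64), (128, 64)]

if __name__ == "__main__":
    for row in report(SAMPLE, BOUNDS, SIGNATURES):
        print("0x%04x  %-9s  %3d  %s" % row)
```

The patched function still matches its blacklist signature even though a cryptographic hash of it would differ completely, while the unseen function stays "unknown" rather than being forced onto the nearest signature.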


A bunch of high school/college interns at Dynetics.

  • Matthew Rogers
  • Jeramy Lochner
  • James Brahm
  • Morgan Wagner
  • Donte Brock