SMAT is a simple malware analyzer tool written in Python 3, adapted from an older project. The original project was made by secrary, but it is no longer maintained, so I am keeping it alive: fixing it, uploading it and using it.
Note: at some point in the summer of 2020 we will rework the whole project from zero, keeping the essence but changing the tools for a more efficient experience. The list of planned updates is now the development roadmap.
Features:

- Analyze a PE file's header and sections (number of sections, entropy of sections and of the whole PE file, suspicious section names, suspicious flags in the characteristics of the PE file, etc.).
- Analyze ELF files for Linux malware analysis; it uses various open source tools (ldd, readelf, strings) to display the ELF header structure, ASCII/UNICODE strings, shared objects, section headers, the symbol table, etc.
- Search for possible domains, e-mail addresses and IP addresses in the strings of the file.
- Check whether domains are blacklisted, based on abuse.ch's Ransomware Domain Blocklist and malwaredomains.com's blocklist.
- Look for Windows functions commonly used by malware.
- Get results from VirusTotal and/or upload files.
- Malware detection based on Yara rules.
- Detect well-known software packers.
- Detect the presence of cryptographic algorithms.
- Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
- Find out whether documents have been crafted to carry malicious code.
- Generate a JSON-format report.
- Mass analysis by specifying a folder.
- Uncompress compressed files.
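As an added illustration of the PE header and section checks listed above (section entropy and whole-file entropy, suspicious section names, suspicious section characteristics), here is a stand-alone Python 3 example. It is not SMAT's code: it uses only the standard library, walks the DOS header, PE signature, COFF header and section table by hand instead of relying on a PE library, and analyzes a two-section PE image that the block itself constructs. The entropy threshold, the list of packer section names and the shape of the report are this example's own assumptions.

```python
import json
import math
import struct
from collections import Counter

# Section names typically left behind by packers/protectors.
# Illustrative list for this example, not SMAT's own table.
SUSPICIOUS_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".packed", ".petite",
    ".themida", ".vmp0", ".vmp1", ".enigma1", ".enigma2", ".nsp0", ".nsp1",
}

# IMAGE_SCN_* section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

HIGH_ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed); packed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table (40-byte entries)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional  # the section table follows the optional header
    sections = []
    for i in range(num_sections):
        (name, _vsize, _vaddr, raw_size, raw_ptr, _reloc, _lines, _nreloc,
         _nlines, characteristics) = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw": pe[raw_ptr:raw_ptr + raw_size],
            "characteristics": characteristics,
        })
    return sections


def analyze_pe(pe: bytes) -> dict:
    """Per-section findings of the kind a static analyzer reports, plus whole-file entropy."""
    findings = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["raw"])
        ch = s["characteristics"]
        findings.append({
            "name": s["name"],
            "size": len(s["raw"]),
            "entropy": round(ent, 3),
            "high_entropy": ent >= HIGH_ENTROPY_THRESHOLD,
            "suspicious_name": s["name"] in SUSPICIOUS_SECTION_NAMES,
            # Writable and executable at once is a common trait of self-unpacking code.
            "write_execute": bool(ch & IMAGE_SCN_MEM_WRITE) and bool(ch & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"file_entropy": round(shannon_entropy(pe), 3), "sections": findings}


def build_sample_pe() -> bytes:
    """Constructed two-section PE image for the demo (not a runnable binary; optional header omitted)."""
    text_data = b"\x90" * 32 + b"\xc3" * 32   # two byte values, equally frequent -> 1.0 bit/byte
    packed_data = bytes(range(256))            # every byte value exactly once -> 8.0 bits/byte
    header_len = 0x40 + 4 + 20 + 2 * 40        # DOS header, signature, COFF header, two section headers
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000, len(text_data), header_len,
                       0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed_data), 0x2000, len(packed_data),
                       header_len + len(text_data), 0, 0, 0, 0,
                       IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return dos + b"PE\0\0" + coff + sec1 + sec2 + text_data + packed_data


SAMPLE_PE = build_sample_pe()

if __name__ == "__main__":
    print(json.dumps(analyze_pe(SAMPLE_PE), indent=2))
```

Run as a script it prints the JSON report for the constructed image: the `.text` section comes out with 1.0 bit/byte entropy and no findings, while the `UPX1` section is flagged three times over (packer-style name, entropy at the 8.0 maximum, writable and executable). On a real file the same three signals together are a strong hint that the sample is packed and that static string or import analysis will say little until it is unpacked.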
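Also an added example, not SMAT's code: the string-based checks from the list above (domains, e-mail addresses and IP addresses in the file's strings, the blocklist lookup, and Windows functions commonly used by malware) over a byte blob constructed inside the block, with both ASCII and UTF-16LE strings. The in-memory blocklist stands in for the abuse.ch and malwaredomains.com downloads; the regexes, the short TLD allow-list, the API groupings and every sample value are assumptions of this example, and the hosts use RFC-reserved example names and addresses.

```python
import re

MIN_STRING_LEN = 4  # assumed minimum length, as in the classic `strings` tool

# Constructed sample of a file's raw bytes: ASCII and UTF-16LE strings between
# binary noise. Hosts use RFC-reserved example names/ranges; none is real.
SAMPLE_BLOB = (
    b"\x00\x01\x02kernel32.dll\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    b"CreateRemoteThread\x00IsDebuggerPresent\x00"
    b"http://update.example.net/gate.php\x00ops@example.org\x00198.51.100.7\x00\x00\x00"
    + "c2-backup.example.com".encode("utf-16le") + b"\x00\x00"
    + b"\xff\xfe\x7fab"  # below MIN_STRING_LEN, must not be reported
)

# Constructed stand-in for a downloaded domain blocklist (abuse.ch / malwaredomains.com style).
BLOCKLIST = {"update.example.net", "malware.example.org"}

# Windows APIs that static analyzers commonly flag, grouped by what malware tends to use them for.
SUSPICIOUS_APIS = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection"},
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"},
    "download/execute": {"URLDownloadToFileA", "URLDownloadToFileW", "WinExec", "ShellExecuteA"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"},
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# A short TLD allow-list keeps DLL and file names such as kernel32.dll out of the domain results.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|ru|info|xyz|onion)\b", re.I)


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs, then UTF-16LE runs (Windows binaries store many strings wide)."""
    narrow = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide = [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return narrow + wide


def scan_strings(data: bytes, blocklist: set) -> dict:
    """Search the extracted strings for network indicators and suspicious API names."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    domains = sorted(set(DOMAIN_RE.findall(text)))
    present = set(strings)
    api_hits = {
        category: sorted(names & present)
        for category, names in SUSPICIOUS_APIS.items()
        if names & present
    }
    return {
        "string_count": len(strings),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "domains": domains,
        "blocklisted_domains": [d for d in domains if d.lower() in blocklist],
        "suspicious_apis": api_hits,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan_strings(SAMPLE_BLOB, BLOCKLIST), indent=2))
```

Two details matter in practice. The UTF-16LE pass recovers `c2-backup.example.com`, which a plain ASCII `strings` run would never show, since every other byte is a NUL. And the TLD allow-list is a deliberate trade-off: a fully general domain regex reports `kernel32.dll` and every other dotted file name as a "domain", which buries the real indicators in noise, so the list should be widened with the TLDs that actually matter to the analyst rather than dropped.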
Installation (system-wide):

```sh
git clone https://github.com/kosmokato/SMAT.git
cd SMAT
sudo pip3 install -r requirements.txt
python3 smat.py -h
```

Installation (inside a virtualenv):

```sh
git clone https://github.com/kosmokato/SMAT
cd SMAT
virtualenv -p python3 env
source env/bin/activate
pip3 install -r requirements.txt
python3 smat.py -h
```
Additional: ssdeep installation.
More: Simple Static Malware Analyzer (the original version).
- .zip decompression
- .rar and .gz decompression
- yara-rules integration
- MISP integration
- Radare2 integration
- Munin integration