Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php.

Work in progress!

• Awesome Malware Analysis
  • Malware Collection
    • Anonymizers
    • Honeypots
    • Malware Corpora
  • Open Source Threat Intelligence
    • Tools
    • Other Resources
  • Detection and Classification
  • Online Scanners and Sandboxes
  • Domain Analysis
  • Browser Malware
  • Documents and Shellcode
  • File Carving
  • Deobfuscation
  • Debugging and Reverse Engineering
  • Network
  • Memory Forensics
  • Windows Artifacts
  • Storage and Workflow
  • Miscellaneous
• Resources
  • Books
  • Twitter
  • Other
• Related Awesome Lists
• Contributing
• Thanks

---

Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

• Anonymouse.org - A free, web based anonymizer.
• OpenVPN - VPN software and hosting solutions.
• Privoxy - An open source proxy server with some privacy features.
• Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

• Conpot - ICS/SCADA honeypot.
• Dionaea - Honeypot designed to trap malware.
• Glastopf - Web application honeypot.
• Honeyd - Create a virtual honeynet.
• HoneyDrive - Honeypot bundle Linux distro.
• Kippo - Medium interaction SSH honeypot.
• Mnemosyne - A normalizer for honeypot data; supports Dionaea.
• Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

• Clean MX - Realtime database of malware and malicious domains.
• Contagio - A collection of recent malware samples and analyses.
• Exploit Database - Exploit and shellcode samples.
• theZoo - Live malware samples for analysts.
• maltrieve - Retrieve malware samples directly from a number of online sources.
• Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
• Zeus Source Code - Source for the Zeus trojan leaked in 2011.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

• Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
• IOC Editor - A free editor for XML IOC files, from Mandiant.
• ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
• threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
• TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

• Autoshun (list) - Snort plugin and blocklist.
• CI Army (list) - Network security blocklists.
• Emerging Threats - Rulesets and more.
• FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
• hpfeeds - Honeypot feed protocol.
• Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
• malc0de - Searchable incident database.
• Malware Domain List - Search and share malicious URLs.
• OpenIOC - Framework for sharing threat intelligence.
• Palevo Blocklists - Botnet C&C blocklists.
• ZeuS Tracker - ZeuS blocklists.
• Critical Stack- Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.

Detection and Classification

Antivirus and other malware identification tools

• AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
• chkrootkit - Local Linux rootkit detection.
• ClamAV - Open source antivirus engine.
• ExifTool - Read, write and edit file metadata.
• hashdeep - Compute digest hashes with a variety of algorithms.
• MASTIFF - Static analysis framework.
• nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
• packerid - A cross-platform Python alternative to PEiD.
• PEiD - Packer identifier for Windows binaries.
• Rootkit Hunter - Detect Linux rootkits.
• ssdeep - Compute fuzzy hashes.
• totalhash.py - Python script for easy searching of the TotalHash.com database.
• TrID - File identifier.
• YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

• Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
• DRAKVUF - Dynamic malware analysis system.
• Jotti - Free online multi-AV scanner.
• Malheur - Automatic sandboxed analysis of malware behavior.
• Malwr - Free analysis with an online Cuckoo Sandbox instance.
• MASTIFF Online - Online static analysis of malware.
• Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
• Recomposer - A helper script for safely uploading binaries to sandbox sites.
• VirusTotal - Free online analysis of malware samples and URLs
• Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

• Dig - Free online dig and other network tools.
• IPinfo - Gather information about an IP or domain by searching online resources.
• TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
• Whois - DomainTools free online whois search.
• Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

• Firebug - Firefox extension for web development.
• Java Decompiler - Decompile and inspect Java apps.
• Java IDX Parser - Parses Java IDX cache files.
• JSDetox - JavaScript malware analysis tool.
• jsunpack-n - A javascript unpacker that emulates browser functionality.
• Malzilla - Analyze malicious web pages.
• RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
• swftools - Tools for working with Adobe Flash files.
• xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

• AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
• diStorm - Disassembler for analyzing malicious shellcode.
• JS Beautifier - JavaScript unpacking and deobfuscation.
• libemu - Library and tools for x86 shellcode emulation.
• malpdfobj - Deconstruct malicious PDFs into a JSON representation.
• OfficeMalScanner - Scan for malicious traces in MS Office documents.
• olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
• Origami PDF - A tool for analyzing malicious PDFs, and more.
• PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
• PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
• peepdf - Python tool for exploring possibly malicious PDFs.
• Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

• bulk_extractor - Fast file carving tool.
• EVTXtract - Carve Windows Event Log files from raw binary data.
• Foremost - File carving tool designed by the US Air Force.
• Hachoir - A collection of Python libraries for dealing with binary files.
• Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

• Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
• ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
• NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
• unxor - Guess XOR keys using known-plaintext attacks.
• XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
• XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
• xortool - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

• Bokken - GUI for Pyew and Radare.
• Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
• GDB - The GNU debugger.
• IDA Pro - Windows disassembler and debugger, with a free evaluation version.
• Immunity Debugger - Debugger for malware analysis and more, with a Python API.
• ltrace - Dynamic analysis for Linux executables.
• objdump - Part of GNU binutils, for static analysis of Linux binaries.
• OllyDbg - An assembly-level debugger for Windows executables.
• Process Monitor - Advanced monitoring tool for Windows programs.
• Pyew - Python tool for malware analysis.
• strace - Dynamic analysis for Linux executables.
• Radare2 - Reverse engineering framework, with debugger support.
• Udis86 - Disassembler library and tool for x86 and x86_64.
• Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

• Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
• Fiddler - Intercepting web proxy designed for "web debugging."
• Hale - Botnet C&C monitor.
• INetSim - Network service emulation, useful when building a malware lab.
• Malcom - Malware Communications Analyzer.
• mitmproxy - Intercept network traffic on the fly.
• NetworkMiner - Network forensic analysis tool, with a free version.
• ngrep - Search through network traffic like grep.
• Tcpdump - Collect network traffic.
• tcpick - Trach and reassemble TCP streams from network traffic.
• tcpxtract - Extract files from network traffic.
• Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

• DAMM - Differential Analysis of Malware in Memory, built on Volatility
• FindAES - Find AES encryption keys in memory.
• Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
• Rekall - Memory analysis framework, forked from Volatility in 2013.
• TotalRecall - Script based on Volatility for automating various malware analysis tasks.
• Volatility - Advanced memory forensics framework.
• WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

• python-evt - Python library for parsing Windows Event Logs.
• python-registry - Python library for parsing registry files.
• RegRipper (GitHub) - Plugin-based registry analysis tool.

Storage and Workflow

• Malwarehouse - Store, tag, and search malware.
• Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

• REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
• Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

• Malware Analyst's Cookbook and DVD - Tools and Techniques for Fighting Malicious Code.
• Practical Malware Analysis - The Hands-On Guide to Dissecting Malicious Software.
• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory.
• The IDA Pro Book - The Unofficial Guide to the World's Most Popular Disassembler.

Twitter

Some relevant Twitter accounts.

• Andrew Case @attrc
• Claudio @botherder
• Dustin Webber @mephux
• Glenn @hiddenillusion
• jekil @jekil
• Jurriaan Bremer @skier_t
• Lenny Zeltser @lennyzeltser
• Liam Randall @hectman
• Mark Schloesser @repmovsb
• Michael Ligh (MHL) @iMHLv2
• Richard Bejtlich @taosecurity
• Volatility @volatility

Other

• Honeynet Project - Honeypot tools, papers, and other resources.
• Malicious Software - Malware blog and resources by Lenny Zeltser.
• Malware Analysis Search - Custom Google search engine from Corey Harrell.
• WindowsIR: Malware - Harlan Carvey's page on Malware.
• /r/Malware - The malware subreddit.
• /r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.

Related Awesome Lists

• Android Security
• Pentesting
• Security

Contributing

Pull requests and issues with suggestions are welcome!

Thanks

This list was made possible by:

• Lenny Zeltser and other contributors for developing REMnux, where I found many of the tools in this list;
• Michail Hale Ligh, Steven Adair, Blake Hartstein, and Mather Richard for writing the Malware Analyst's Cookbook, which was a big inspiration for creating the list;
• And everyone else who has sent pull requests or suggested links to add here!

Thanks!