
Awesome Malware Analysis – Massive Collection of Resources

A curated list of awesome malware analysis tools and resources.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org – A free, web based anonymizer.
  • OpenVPN – VPN software and hosting solutions.
  • Privoxy – An open source proxy server with some
    privacy features.
  • Tor – The Onion Router, for browsing the web
    without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot – ICS/SCADA honeypot.
  • Cowrie – SSH honeypot, based
    on Kippo.
  • DemoHunter – Low interaction Distributed Honeypots.
  • Dionaea – Honeypot designed to trap malware.
  • Glastopf – Web application honeypot.
  • Honeyd – Create a virtual honeynet.
  • HoneyDrive – Honeypot bundle Linux distro.
  • Honeytrap – Opensource system for running, monitoring and managing honeypots.
  • MHN – MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne – A normalizer for
    honeypot data; supports Dionaea.
  • Thug – Low interaction honeyclient, for
    investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX – Realtime
    database of malware and malicious domains.
  • Contagio – A collection of recent
    malware samples and analyses.
  • Exploit Database – Exploit and shellcode
    samples.
  • Infosec – CERT-PA – Malware samples collection and analysis.
  • InQuest Labs – Evergrowing searchable corpus of malicious Microsoft documents.
  • Javascript Malware Collection – Collection of almost 40,000 JavaScript malware samples.
  • Malpedia – A resource providing
    rapid identification and actionable context for malware investigations.
  • Malshare – Large repository of malware actively
    scraped from malicious sites.
  • Open Malware Project – Sample information and
    downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware
    crawler with pre-analysis and reporting functionalities.
  • theZoo – Live malware samples for
    analysts.
  • Tracker h3x – Aggregator for malware corpus trackers
    and malicious download sites.
  • vduddu malware repo – Collection of
    various malware files and source code.
  • VirusBay – Community-Based malware repository and social network.
  • ViruSign – Malware database of samples detected by
    many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration
    required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list
    of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus
    trojan leaked in 2011.
  • VX Underground – Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper – An open-source
    framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and
    collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat
    Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • iocextract – Advanced Indicator
    of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer – Python library for
    working with OpenIOC objects, from Mandiant.
  • MalPipe – Malware/IOC ingestion and
    processing engine, that enriches collected data.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework).
    Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing
    Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and
    share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources,
    including some of those listed below in other resources.
  • ThreatConnect – TC Open allows you to see and
    share open source threat data, with support and validation from its free community.
  • ThreatCrowd – A search engine for threats,
    with graphical visualization.
  • ThreatIngestor – Build
    automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
    more.
  • ThreatTracker – A Python
    script to monitor and generate alerts based on IOCs indexed by a set of
    Google Custom Search Engines.
  • TIQ-test – Data visualization
    and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools.

  • AnalyzePE – Wrapper for a
    variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable
    distributed file analysis framework.
  • BinaryAlert – An open source, serverless
    AWS pipeline that scans and alerts on uploaded files based on a set of
    YARA rules.
  • capa – Detects capabilities in executable files.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • Detect It Easy (DiE) – A program for
    determining types of files.
  • Exeinfo PE – Packer, compressor detector, unpack
    info, internal exe tools.
  • ExifTool – Read, write and
    edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • fn2yara – FN2Yara is a tool to generate
    Yara signatures for matching functions (code) in an executable program.
  • Generic File Parser – A single library parser to extract meta information, perform static analysis and detect macros within files.
  • hashdeep – Compute digest hashes with
    a variety of algorithms.
  • HashCheck – Windows shell extension
    to compute hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and
    compare malware at a function level.
  • Manalyze – Static analyzer for PE
    executables.
  • MASTIFF – Static analysis
    framework.
  • MultiScanner – Modular file
    scanning/analysis framework.
  • Nauz File Detector (NFD) – Linker/Compiler/Tool detector for Windows, Linux and MacOS.
  • nsrllookup – A tool for looking
    up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform
    Python alternative to PEiD.
  • PE-bear – Reversing tool for PE
    files.
  • PEframe – PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV – A multiplatform toolkit to work with PE
    files, providing feature-rich tools for proper analysis of suspicious binaries.
  • PortEx – Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  • Quark-Engine – An obfuscation-neglect Android malware scoring system.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com
    database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for
    analysts.
  • Yara rules generator – Generate
    yara rules based on a set of malware samples. Also contains a good
    strings DB to avoid false positives.
  • Yara Finder – A simple tool to match a file against various YARA rules to find indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • anlyz.io – Online sandbox.
  • any.run – Online interactive sandbox.
  • AndroTotal – Free online analysis of APKs
    against multiple mobile antivirus apps.
  • AVCaesar – Malware.lu online scanner and
    malware repository.
  • BoomBox – Automatic deployment of Cuckoo
    Sandbox malware lab using Packer and Vagrant.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted
    sandbox and automated analysis system.
  • cuckoo-modified – Modified
    version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
    legal concerns by the author.
  • cuckoo-modified-api – A
    Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with
    machine-learning classification.
  • detux – A sandbox developed to do
    traffic analysis of Linux malware and capture IOCs.
  • DRAKVUF – Dynamic malware analysis
    system.
  • firmware.re – Unpacks, scans and analyzes almost any
    firmware package.
  • HaboMalHunter – An Automated Malware
    Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware
    analysis tool, powered by VxSandbox.
  • Intezer – Detect, analyze, and categorize malware by
    identifying code reuse and code similarities.
  • IRMA – An asynchronous and customizable
    analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis
    of malware behavior.
  • malice.io – Massively scalable malware analysis framework.
  • malsub – A Python RESTful API framework for
    online malware and URL analysis services.
  • Malware config – Extract, decode and display online
    the configuration settings from common malware.
  • MalwareAnalyser.io – Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • Malwr – Free analysis with an online Cuckoo Sandbox
    instance.
  • MetaDefender Cloud – Scan a file, hash, IP, URL or
    domain address for malware for free.
  • NetworkTotal – A service that analyzes
    pcap files and facilitates the quick detection of viruses, worms, trojans, and all
    kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to
    collect information about malware in a sandboxed environment.
  • PacketTotal – PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper
    script for safely uploading binaries to sandbox sites.
  • sandboxapi – Python library for
    building integrations with several open source and commercial malware sandboxes.
  • SEE – Sandboxed Execution Environment (SEE)
    is a framework for building test automation in secured environments.
  • SEKOIA Dropper Analysis – Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
  • VirusTotal – Free online analysis of malware
    samples and URLs.
  • Visualize_Logs – Open source
    visualization library and command line tools for logs. (Cuckoo, Procmon, more
    to come…)
  • Zeltser’s List – Free
    automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • AbuseIPDB – AbuseIPDB is a project dedicated
    to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed
    for consistent and safe capture of off-network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash
    search.
  • Desenmascara.me – One click tool to retrieve as
    much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other
    network tools.
  • dnstwist – Domain name permutation
    engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information
    about an IP or domain by searching online resources.
  • Machinae – OSINT tool for
    gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language
    temporary email detection library.
  • MaltegoVT – Maltego transform
    for the VirusTotal API. Allows domain/IP research, and searching for file
    hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward
    confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services
    for detecting possible phishing domains, blacklisted ip addresses and breached
    accounts.
  • PhishStats – Phishing statistics with search for
    IP, domain and website title.
  • Spyse – Subdomains, WHOIS, related domains, DNS, host AS and SSL/TLS information.
  • SecurityTrails – Historical and current WHOIS,
    historical and current DNS records, similar domains, certificate information
    and other domain and IP related API and tools.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on
    domains and IPs.
  • Sucuri SiteCheck – Free Website Malware
    and Security Scanner.
  • Talos Intelligence – Search for IP, domain
    or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool
    for gathering information about URLs, IPs, or hashes.
  • URLhaus – A project from abuse.ch with the goal
    of sharing malicious URLs that are being used for malware distribution.
  • URLQuery – Free URL Scanner.
  • urlscan.io – Free URL Scanner & domain information.
  • Whois – DomainTools free online whois
    search.
  • Zeltser’s List – Free
    online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu – Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and
documents and shellcode sections.

  • Bytecode Viewer – Combines
    multiple Java bytecode viewers and decompilers into one tool, including
    APK/DEX support.
  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java
    IDX cache files.
  • JSDetox – JavaScript
    malware analysis tool.
  • jsunpack-n – A javascript
    unpacker that emulates browser functionality.
  • Krakatau – Java decompiler,
    assembler, and disassembler.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust
    ActionScript Bytecode Disassembler.”
  • SWF Investigator – Static and dynamic analysis of SWF applications.
  • swftools – Tools for working with Adobe Flash
    files.
  • xxxswf – A
    Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware section.

  • AnalyzePDF – A tool for
    analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript
    malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing
    malicious shellcode.
  • InQuest Deep File Inspection – Upload common malware lures for Deep File Inspection and heuristic analysis.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • libemu – Library and tools for x86 shellcode
    emulation.
  • malpdfobj – Deconstruct malicious PDFs
    into a JSON representation.
  • OfficeMalScanner – Scan for
    malicious traces in MS Office documents.
  • olevba – A script for parsing OLE
    and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for
    analyzing malicious PDFs, and more.
  • PDF Tools – pdfid,
    pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool,
    the backend-free version of PDF X-RAY.
  • peepdf – Python
    tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework
    to analyze suspected malware documents to identify exploits in streams of different
    encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file
    carving tool.
  • EVTXtract – Carve Windows
    Event Log files from raw binary data.
  • Foremost – File carving tool designed
    by the US Air Force.
  • hachoir3 – Hachoir is a Python library
    to view and edit a binary stream field by field.
  • Scalpel – Another data carving
    tool.
  • SFlock – Nested archive
    extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware
    analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and
    unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with
    single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated
    String Solver uses advanced static analysis techniques to automatically
    deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte
    XOR key using frequency analysis.
  • PackerAttacker – A generic
    hidden code extractor for Windows malware.
  • PyInstaller Extractor – A Python script to extract the contents of a
    PyInstaller generated Windows executable file. The contents of the pyz file
    (usually pyc files) present inside the executable are also extracted and
    automatically fixed so that a Python bytecode decompiler will recognize it.
  • uncompyle6 – A cross-version
    Python bytecode decompiler. Translates Python bytecode back into equivalent
    Python source code.
  • un{i}packer – Automatic and
    platform-independent unpacker for Windows binaries based on emulation.
  • unpacker – Automated malware
    unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using
    known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple of programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as
    well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr – Platform-agnostic binary analysis
    framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts
    information from bots and other malware.
  • BAP – Multiplatform and
    open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open
    source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for
    reverse engineering based on graph visualization.
  • Binary Ninja – A reverse engineering platform
    that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • BluePill – Framework for executing and debugging evasive malware and protected executables.
  • Capstone – Disassembly framework for
    binary analysis and reversing, with support for many architectures and
    bindings in several languages.
  • codebro – Web based code browser using
    clang to provide basic code analysis.
  • Cutter – GUI for Radare2.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis
    platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler
    and debugger.
  • dotPeek – Free .NET Decompiler and
    Assembly Browser.
  • Evan’s Debugger (EDB) – A
    modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration
    and tracing of the Windows kernel.
  • FPort – Reports
    open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters
    and reverse engineers.
  • Ghidra – A software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate.
  • hackers-grep – A utility to
    search for strings in PE executables including imports, exports, and debug
    symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows
    disassembler and debugger, with a free evaluation version.
  • IDR – Interactive Delphi Reconstructor
    is a decompiler of Delphi executable files and dynamic libraries.
  • Immunity Debugger – Debugger for
    malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols /
    data structures reverse engineering and dissection, with code generation
    for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library
    to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • mac-a-mal – An automated framework
    for mac malware hunting.
  • objdump – Part of GNU binutils,
    for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows
    executables.
  • OllyDumpEx – Dump memory
    from (unpacked) malware Windows process and store raw or rebuild PE file.
    This is a plugin for OllyDbg, Immunity Debugger, IDA Pro, WinDbg, and x64dbg.
  • PANDA – Platform for Architecture-Neutral
    Dynamic Analysis.
  • PEDA – Python Exploit Development
    Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows
    executables.
  • Pharos – The Pharos binary analysis framework
    can be used to perform automated static analysis of binaries.
  • plasma – Interactive
    disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for
    reversers, malware researchers and those who want to statically inspect PE
    files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors
    system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows
    command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware
    analysis.
  • PyREBox – Python scriptable reverse
    engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg
    server for stealth debugging.
  • Radare2 – Reverse engineering framework, with
    debugger support.
  • RegShot – Registry compare utility
    that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an
    online decompilation service and
    API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect
    and decompile complex code-reuse attacks.
  • Scylla Imports Reconstructor – Find and fix
    the IAT of an unpacked / dumped PE32 malware.
  • ScyllaHide – An Anti-Anti-Debug library
    and plugin for OllyDbg, x64dbg, IDA Pro, and TitanEngine.
  • SMRT – Sublime Malware Research Tool, a
    plugin for Sublime 3 to aid with malware analysis.
  • strace – Dynamic analysis for
    Linux executables.
  • StringSifter – A machine learning tool
    that automatically ranks strings based on their relevance for malware analysis.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool
    for x86 and x86_64.
  • Vivisect – Python tool for
    malware analysis.
  • WinDbg – Multipurpose debugger for the Microsoft Windows operating system, used to debug user mode applications, device drivers, and kernel-mode memory dumps.
  • x64dbg – An open-source x64/x32 debugger for Windows.

Network

Analyze network interactions.

  • Bro – Protocol analyzer that operates at incredible
    scale; both file and network protocols.
  • BroYara – Use Yara rules from Bro.
  • CapTipper – Malicious HTTP traffic
    explorer.
  • chopshop – Protocol analysis and
    decoding framework.
  • CloudShark – Web-based tool for packet analysis
    and malware traffic detection.
  • FakeNet-NG – Next generation
    dynamic network analysis tool.
  • Fiddler – Intercepting web proxy designed
    for “web debugging.”
  • Hale – Botnet C&C monitor.
  • Haka – An open source security oriented
    language for describing protocols and applying security policies on (live)
    captured traffic.
  • HTTPReplay – Library for parsing
    and reading out PCAP files, including TLS streams using TLS Master Secrets
    (used in Cuckoo Sandbox).
  • INetSim – Network service emulation, useful when
    building a malware lab.
  • Laika BOSS – Laika BOSS is a file-centric
    malware analysis and intrusion detection system.
  • Malcolm – Malcolm is a powerful, easily
    deployable network traffic analysis tool suite for full packet capture artifacts
    (PCAP files) and Zeek logs.
  • Malcom – Malware Communications
    Analyzer.
  • Maltrail – A malicious traffic
    detection system, utilizing publicly available (black)lists containing
    malicious and/or generally suspicious trails and featuring a reporting
    and analysis interface.
  • mitmproxy – Intercept network traffic on the fly.
  • Moloch – IPv4 traffic capturing, indexing
    and database system.
  • NetworkMiner – Network
    forensic analysis tool, with a free version.
  • ngrep – Search through network traffic
    like grep.
  • PcapViz – Network topology and
    traffic visualizer.
  • Python ICAP Yara – An
    ICAP Server with yara scanner for URL or content.
  • Squidmagic – squidmagic is a tool
    designed to analyze web-based network traffic to detect central command
    and control (C&C) servers and malicious sites, using Squid proxy server and
    Spamhaus.
  • Tcpdump – Collect network traffic.
  • tcpick – Track and reassemble TCP streams
    from network traffic.
  • tcpxtract – Extract files from network
    traffic.
  • Wireshark – The network traffic analysis
    tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS
    forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of
    Malware in Memory, built on Volatility.
  • evolve – Web interface for the
    Volatility Memory Forensics Framework.
  • FindAES – Find AES
    encryption keys in memory.
  • inVtero.net – High speed memory
    analysis framework developed in .NET that supports all Windows x64 versions;
    includes code integrity and write support.
  • Muninn – A script to automate portions
    of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework,
    forked from Volatility in 2013.
  • TotalRecall – Script based
    on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory
    images before and after malware execution, and report changes.
  • Volatility – Advanced
    memory forensics framework.
  • VolUtility – Web Interface for
    Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response
    script for gathering Windows artifacts.
  • python-evt – Python
    library for parsing Windows Event Logs.
  • python-registry – Python
    library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis
    Pipeline System.
  • CRITs – Collaborative Research Into Threats, a
    malware and threat repository.
  • FAME – A malware analysis
    framework featuring a pipeline that can be extended with custom modules,
    which can be chained and interact with each other to perform end-to-end
    analysis.
  • Malwarehouse – Store, tag, and
    search malware.
  • Polichombr – A malware analysis
    platform designed to help analysts reverse malware collaboratively.
  • stoQ – Distributed content analysis
    framework with extensive plugin support, from input to output, and everything
    in between.
  • Viper – A binary management and analysis framework for
    analysts and researchers.

Miscellaneous

  • al-khaser – A PoC malware
    with good intentions that aims to stress anti-malware systems.
  • CryptoKnight – Automated cryptographic algorithm reverse engineering and classification framework.
  • DC3-MWCP – The Defense Cyber Crime Center’s Malware Configuration Parser framework.
  • FLARE VM – A fully customizable,
    Windows-based, security distribution for malware analysis.
  • MalSploitBase – A database
    containing exploits used by malware.
  • Malware Museum – Collection of
    malware programs that were distributed in the 1980s and 1990s.
  • Malware Organiser – A simple tool to organise large sets of malicious/benign files into an organised structure.
  • Pafish – Paranoid Fish, a demonstration
    tool that employs several techniques to detect sandboxes and analysis
    environments in the same way as malware families do.
  • REMnux – Linux distribution and docker images for
    malware reverse engineering and analysis.
  • Tsurugi Linux – Linux distribution designed to support your DFIR investigations, malware analysis and OSINT (Open Source INTelligence) activities.
  • Santoku Linux – Linux distribution for mobile
    forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Other
