Malware Analysis

repo: rshipp/awesome-malware-analysis
category: Security


Awesome Malware Analysis

A curated list of awesome malware analysis tools and resources. Inspired by
awesome-python and
awesome-php.


View Chinese translation: 恶意软件分析大合集.md.


Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web-based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some
    privacy features.
  • Tor - The Onion Router, for browsing the web
    without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Cowrie - SSH honeypot, based
    on Kippo.
  • DemoHunter - Low-interaction distributed honeypots.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Honeytrap - Open source system for running, monitoring and managing honeypots.
  • MHN - MHN is a centralized server for management and data collection of honeypots. MHN allows you to deploy sensors quickly and to collect data immediately, viewable from a neat web interface.
  • Mnemosyne - A normalizer for
    honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for
    investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime
    database of malware and malicious domains.
  • Contagio - A collection of recent
    malware samples and analyses.
  • Exploit Database - Exploit and shellcode
    samples.
  • Infosec - CERT-PA - Malware samples collection and analysis.
  • InQuest Labs - Evergrowing searchable corpus of malicious Microsoft documents.
  • JavaScript Malware Collection - Collection of almost 40,000 JavaScript malware samples.
  • Malpedia - A resource providing
    rapid identification and actionable context for malware investigations.
  • Malshare - Large repository of malware actively
    scraped from malicious sites.
  • Ragpicker - Plugin-based malware
    crawler with pre-analysis and reporting functionalities.
  • theZoo - Live malware samples for
    analysts.
  • Tracker h3x - Aggregator for malware corpus trackers
    and malicious download sites.
  • vduddu malware repo - Collection of
    various malware files and source code.
  • VirusBay - Community-based malware repository and social network.
  • ViruSign - Malware database of samples detected by
    many anti-malware programs except ClamAV.
  • VirusShare - Malware repository, registration
    required.
  • VX Vault - Active collection of malware samples.
  • Zeltser's Sources - A list
    of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus
    trojan leaked in 2011.
  • VX Underground - Massive and growing collection of free malware samples.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • AbuseHelper - An open-source
    framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange - Share and
    collaborate in developing Threat Intelligence.
  • Combine - Tool to gather Threat
    Intelligence indicators from publicly available sources.
  • Fileintel - Pull intelligence per file hash.
  • Hostintel - Pull intelligence per host.
  • IntelMQ -
    A tool for CERTs for processing incident data using a message queue.
  • IOC Editor -
    A free editor for XML IOC files.
  • iocextract - Advanced Indicator
    of Compromise (IOC) extractor, Python library and command-line tool.
  • ioc_writer - Python library for
    working with OpenIOC objects, from Mandiant.
  • MalPipe - Malware/IOC ingestion and
    processing engine, that enriches collected data.
  • Massive Octo Spice -
    Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs
    from various lists. Curated by the
    CSIRT Gadgets Foundation.
  • MISP - Malware Information Sharing
    Platform curated by The MISP Project.
  • Pulsedive - Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe - A Python OpenIOC editor.
  • RiskIQ - Research, connect, tag and
    share IPs and domains. (Was PassiveTotal.)
  • threataggregator -
    Aggregates security threats from a number of sources, including some of
    those listed below in other resources.
  • ThreatConnect - TC Open allows you to see and
    share open source threat data, with support and validation from our free community.
  • ThreatCrowd - A search engine for threats,
    with graphical visualization.
  • ThreatIngestor - Build
    automated threat intel pipelines sourcing from Twitter, RSS, GitHub, and
    more.
  • ThreatTracker - A Python
    script to monitor and generate alerts based on IOCs indexed by a set of
    Google Custom Search Engines.
  • TIQ-test - Data visualization
    and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a
    variety of tools for reporting on Windows PE files.
  • Assemblyline - A scalable file triage and malware analysis system integrating the cyber security community's best tools.
  • BinaryAlert - An open source, serverless
    AWS pipeline that scans and alerts on uploaded files based on a set of
    YARA rules.
  • capa - Detects capabilities in executable files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • Detect It Easy (DiE) - A program for
    determining types of files.
  • Exeinfo PE - Packer, compressor detector, unpack
    info, internal exe tools.
  • ExifTool - Read, write and
    edit file metadata.
  • File Scanning Framework -
    Modular, recursive file scanning solution.
  • fn2yara - FN2Yara is a tool to generate
    Yara signatures for matching functions (code) in an executable program.
  • Generic File Parser - A single library parser to extract meta information, perform static analysis and detect macros within files.
  • hashdeep - Compute digest hashes with
    a variety of algorithms.
  • HashCheck - Windows shell extension
    to compute hashes with a variety of algorithms.
  • Loki - Host based scanner for IOCs.
  • Malfunction - Catalog and
    compare malware at a function level.
  • Manalyze - Static analyzer for PE
    executables.
  • MASTIFF - Static analysis
    framework.
  • MultiScanner - Modular file
    scanning/analysis framework.
  • Nauz File Detector (NFD) - Linker/compiler/tool detector for Windows, Linux and macOS.
  • nsrllookup - A tool for looking
    up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform
    Python alternative to PEiD.
  • PE-bear - Reversing tool for PE
    files.
  • PEframe - PEframe is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
  • PEV - A multiplatform toolkit to work with PE
    files, providing feature-rich tools for proper analysis of suspicious binaries.
  • PortEx - Java library to analyse PE files with a special focus on malware analysis and PE malformation robustness.
  • Quark-Engine - An obfuscation-neglect Android malware scoring system.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py -
    Python script for easy searching of the TotalHash.cymru.com
    database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for
    analysts.
  • Yara rules generator - Generate
    YARA rules based on a set of malware samples. Also contains a good
    strings DB to avoid false positives.
  • Yara Finder - A simple tool to match a file against various YARA rules to find indicators of suspicion.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • anlyz.io - Online sandbox.
  • any.run - Online interactive sandbox.
  • AndroTotal - Free online analysis of APKs
    against multiple mobile antivirus apps.
  • BoomBox - Automatic deployment of Cuckoo
    Sandbox malware lab using Packer and Vagrant.
  • Cryptam - Analyze suspicious office documents.
  • Cuckoo Sandbox - Open source, self hosted
    sandbox and automated analysis system.
  • cuckoo-modified - Modified
    version of Cuckoo Sandbox released under the GPL. Not merged upstream due to
    legal concerns by the author.
  • cuckoo-modified-api - A
    Python API used to control a cuckoo-modified sandbox.
  • DeepViz - Multi-format file analyzer with
    machine-learning classification.
  • detux - A sandbox developed for
    traffic analysis of Linux malware and capturing IOCs.
  • DRAKVUF - Dynamic malware analysis
    system.
  • filescan.io - Static malware analysis, VBA/PowerShell/VBS/JS emulation.
  • firmware.re - Unpacks, scans and analyzes almost any
    firmware package.
  • HaboMalHunter - An Automated Malware
    Analysis Tool for Linux ELF Files.
  • Hybrid Analysis - Online malware
    analysis tool, powered by VxSandbox.
  • Intezer - Detect, analyze, and categorize malware by
    identifying code reuse and code similarities.
  • IRMA - An asynchronous and customizable
    analysis platform for suspicious files.
  • Joe Sandbox - Deep malware analysis with Joe Sandbox.
  • Jotti - Free online multi-AV scanner.
  • Limon - Sandbox for Analyzing Linux Malware.
  • Malheur - Automatic sandboxed analysis
    of malware behavior.
  • malice.io - Massively scalable malware analysis framework.
  • malsub - A Python RESTful API framework for
    online malware and URL analysis services.
  • Malware config - Extract, decode and display online
    the configuration settings from common malware.
  • MalwareAnalyser.io - Online malware anomaly-based static analyser with heuristic detection engine powered by data mining and machine learning.
  • Malwr - Free analysis with an online Cuckoo Sandbox
    instance.
  • MetaDefender Cloud - Scan a file, hash, IP, URL or
    domain address for malware for free.
  • NetworkTotal - A service that analyzes
    pcap files and facilitates the quick detection of viruses, worms, trojans, and all
    kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben - Uses Sysinternals Procmon to
    collect information about malware in a sandboxed environment.
  • PacketTotal - PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
  • PDF Examiner - Analyse suspicious PDF files.
  • ProcDot - A graphical malware analysis tool kit.
  • Recomposer - A helper
    script for safely uploading binaries to sandbox sites.
  • sandboxapi - Python library for
    building integrations with several open source and commercial malware sandboxes.
  • SEE - Sandboxed Execution Environment (SEE)
    is a framework for building test automation in secured Environments.
  • SEKOIA Dropper Analysis - Online dropper analysis (JS, VBScript, Microsoft Office, PDF).
  • VirusTotal - Free online analysis of malware
    samples and URLs.
  • Visualize_Logs - Open source
    visualization library and command line tools for logs. (Cuckoo, Procmon, more
    to come...)
  • Zeltser's List - Free
    automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • AbuseIPDB - AbuseIPDB is a project dedicated
    to helping combat the spread of hackers, spammers, and abusive activity on the internet.
  • badips.com - Community-based IP blacklist service.
  • boomerang - A tool designed
    for consistent and safe capture of off network web resources.
  • Cymon - Threat intelligence tracker, with IP/domain/hash
    search.
  • Desenmascara.me - One click tool to retrieve as
    much metadata as possible for a website and to assess its good standing.
  • Dig - Free online dig and other
    network tools.
  • dnstwist - Domain name permutation
    engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo - Gather information
    about an IP or domain by searching online resources.
  • Machinae - OSINT tool for
    gathering information about URLs, IPs, or hashes. Similar to Automater.
  • mailchecker - Cross-language
    temporary email detection library.
  • MaltegoVT - Maltego transform
    for the VirusTotal API. Allows domain/IP research, and searching for file
    hashes and scan reports.
  • Multi rbl - Multiple DNS blacklist and forward
    confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services - Free API Services
    for detecting possible phishing domains, blacklisted ip addresses and breached
    accounts.
  • PhishStats - Phishing statistics with search for
    IP, domain and website title.
  • Spyse - Subdomains, WHOIS, related domains, DNS, host AS, SSL/TLS info.
  • SecurityTrails - Historical and current WHOIS,
    historical and current DNS records, similar domains, certificate information
    and other domain and IP related API and tools.
  • SpamCop - IP based spam block list.
  • SpamHaus - Block list based on
    domains and IPs.
  • Sucuri SiteCheck - Free Website Malware
    and Security Scanner.
  • Talos Intelligence - Search for IP, domain
    or network owner. (Previously SenderBase.)
  • TekDefense Automater - OSINT tool
    for gathering information about URLs, IPs, or hashes.
  • URLhaus - A project from abuse.ch with the goal
    of sharing malicious URLs that are being used for malware distribution.
  • URLQuery - Free URL Scanner.
  • urlscan.io - Free URL Scanner & domain information.
  • Whois - DomainTools free online whois
    search.
  • Zeltser's List - Free
    online tools for researching malicious websites, compiled by Lenny Zeltser.
  • Zscaler Zulu - Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis and
documents and shellcode sections.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also
the browser malware section.

  • AnalyzePDF - A tool for
    analyzing PDFs and attempting to determine whether they are malicious.
  • box-js - A tool for studying JavaScript
    malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm - Disassembler for analyzing
    malicious shellcode.
  • InQuest Deep File Inspection - Upload common malware lures for Deep File Inspection and heuristical analysis.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode
    emulation.
  • malpdfobj - Deconstruct malicious PDFs
    into a JSON representation.
  • OfficeMalScanner - Scan for
    malicious traces in MS Office documents.
  • olevba - A script for parsing OLE
    and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for
    analyzing malicious PDFs, and more.
  • PDF Tools - pdfid,
    pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool,
    the backend-free version of PDF X-RAY.
  • peepdf - Python
    tool for exploring possibly malicious PDFs.
  • QuickSand - QuickSand is a compact C framework
    to analyze suspected malware documents to identify exploits in streams of different
    encodings and to locate and extract embedded executables.
  • Spidermonkey -
    Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file
    carving tool.
  • EVTXtract - Carve Windows
    Event Log files from raw binary data.
  • Foremost - File carving tool designed
    by the US Air Force.
  • hachoir3 - Hachoir is a Python library
    to view and edit a binary stream field by field.
  • Scalpel - Another data carving
    tool.
  • SFlock - Nested archive
    extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware
    analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot - .NET deobfuscator and
    unpacker.
  • ex_pe_xor
    & iheartxor -
    Two tools from Alexander Hanel for working with single-byte XOR encoded
    files.
  • FLOSS - The FireEye Labs Obfuscated
    String Solver uses advanced static analysis techniques to automatically
