Malware Analysis: To Examine Malicious Software functionality.
The method by which malware analysis is performed typically falls under one of two types:
Static malware analysis: Static or Code Analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA.
The machine code can sometimes be translated into assembly code which can be read and understood by humans: the malware analyst can then make sense of the assembly instructions and have an image of what the program is supposed to perform. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
Dynamic malware analysis: Dynamic or Behavioral analysis is performed by observing the behavior of the malware while it is actually running on a host system. This form of analysis is often performed in a sandbox environment to prevent the malware from actually infecting production systems; many such sandboxes are virtual systems that can easily be rolled back to a clean state after the analysis is complete.
The malware may also be debugged while running using a debugger such as GDB or WinDbg to watch the behavior and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
Examining malicious software involves several stages, including, but not limited to the following:
- Manual Code Reversing
- Interactive Behavior Analysis
- Static Properties Analysis
- Fully-Automated Analysis
Binary analysis tools
- Resource hacker : free resource extraction utility and resource compiler for Windows by Angus Johnson
- HxD : hex editor for Windows by Mael Horz
- IDA Pro: Disassembler by Hex-Rays
- Radare2 : Disassembler by pancake
- BinaryNinja : Disassembler by Vector 35
- GNU Debugger: Debugger by GNU
- WinDbg: Debugger by Microsoft
- OllyDbg: Debugger by OllyDbg
- x64Dbg: Debugger by x64Dbg
Malware Analysis Tools:
Threat intelligence and IOC resources.
- AMIRA – To Analyse Automated Malware Incident Response
- Autoshun (list) – Snort plugin and blocklist.
- Bambenek Consulting Feeds – OSINT feeds based on malicious DGA algorithms.
- Fidelis Barncat – Extensive malware config database (must request access).
- CI Army (list) – Network security blocklists.
- Critical Stack- Free Intel Market – Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
- Cybercrime tracker – Multiple botnet active tracker.
- FireEye IOCs – Indicators of Compromise shared publicly by FireEye.
- FireHOL IP Lists – Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
- hpfeeds – Honeypot feed protocol.
- Internet Storm Center (DShield) – Diary and searchable incident database, with a web API. (unofficial Python library).
- malc0de – Searchable incident database.
- Malware Domain List – Search and share malicious URLs.
- Metadefender Threat Intelligence Feeds – List of the most looked up file hashes from Metadefender malware feed.
- OpenIOC – Framework for sharing threat intelligence.
- Proofpoint Threat Intelligence – Rulesets and more. (Formerly Emerging Threats.)
- Ransomware overview – A list of ransomware overview with details, detection and prevention.
- STIX – Structured Threat Information eXpression – Standardized language to represent and share cyber threat information. Related efforts from MITRE:
- ThreatMiner – Data mining portal for threat intelligence, with search.
- threatRECON – Search for indicators, up to 1000 free per month.
- Yara rules – Yara rules repository.
- ZeuS Tracker – ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
- AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
- Assemblyline – A scalable distributed file analysis framework.
- BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
- chkrootkit – Local Linux rootkit detection.
- ClamAV – Open source antivirus engine.
- Detect-It-Easy – A program for determining types of files.
- ExifTool – Read, write and edit file metadata.
- File Scanning Framework – Modular, recursive file scanning solution.
- hashdeep – Compute digest hashes with a variety of algorithms.
- Loki – Host based scanner for IOCs.
- Malfunction – Catalog and compare malware at a function level.
- MASTIFF – Static analysis framework.
- MultiScanner – Modular file scanning/analysis framework
- nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
- PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
- Rootkit Hunter – Detect Linux rootkits.
- ssdeep – Compute fuzzy hashes.
- totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
- TrID – File identifier.
- YARA – Pattern matching tool for analysts.
- Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.
Online Scanners and Sandboxes
Web-based multi-AV scanners, and malware sandboxes for automated analysis.
- anlyz.io – Online sandbox.
- AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
- AVCaesar – Malware.lu online scanner and malware repository.
- Cryptam – Analyze suspicious office documents.
- Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
- cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
- cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
- DeepViz – Multi-format file analyzer with machine-learning classification.
- detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
- DRAKVUF – Dynamic malware analysis system.
- firmware.re – Unpacks, scans and analyzes almost any firmware package.
- HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
- Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
- Intezer – Detect, analyze, and categorize malware by identifying code reuse and code similarities.
- IRMA – An asynchronous and customizable analysis platform for suspicious files.
- Joe Sandbox – Deep malware analysis with Joe Sandbox.
- Jotti – Free online multi-AV scanner.
- Limon – Sandbox for Analyzing Linux Malware.
- Malheur – Automatic sandboxed analysis of malware behavior.
- malsub – A Python RESTful API framework for online malware and URL analysis services.
- Malware config – Extract, decode and display online the configuration settings from common malwares.
- Malwr – Free analysis with an online Cuckoo Sandbox instance.
- Metadefender – Scan a file, hash or IP address for malware (free).
- Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
- PacketTotal – PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
- PDF Examiner – Analyse suspicious PDF files.
- ProcDot – A graphical malware analysis tool kit.
- Recomposer – A helper script for safely uploading binaries to sandbox sites.
- SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
- SEKOIA Dropper Analysis – Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
- VirusTotal – Free online analysis of malware samples and URLs
- Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
- Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.
Inspect domains and IP addresses.
- badips.com – Community based IP blacklist service.
- boomerang – A tool designed for consistent and safe capture of off network web resources.
- Cymon – Threat intelligence tracker, with IP/domain/hash search.
- Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
- Dig – Free online dig and other network tools.
- dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
- IPinfo – Gather information about an IP or domain by searching online resources.
- Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
- mailchecker – Cross-language temporary email detection library.
- MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
- Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
- NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
- SpamCop – IP based spam block list.
- SpamHaus – Block list based on domains and IPs.
- Sucuri SiteCheck – Free Website Malware and Security Scanner.
- Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
- TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
- URLQuery – Free URL Scanner.
- Whois – DomainTools free online whois search.
- Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
- ZScalar Zulu – Zulu URL Risk Analyzer.
- Firebug – Firefox extension for web development.
- Java Decompiler – Decompile and inspect Java apps.
- Java IDX Parser – Parses Java IDX cache files.
- Krakatau – Java decompiler, assembler, and disassembler.
- Malzilla – Analyze malicious web pages.
- RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
- swftools – Tools for working with Adobe Flash files.
- xxxswf – A Python script for analyzing Flash files.
Documents and Shellcode
Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.
- AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
- diStorm – Disassembler for analyzing malicious shellcode.
- libemu – Library and tools for x86 shellcode emulation.
- malpdfobj – Deconstruct malicious PDFs into a JSON representation.
- OfficeMalScanner – Scan for malicious traces in MS Office documents.
- olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
- Origami PDF – A tool for analyzing malicious PDFs, and more.
- PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
- PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
- peepdf – Python tool for exploring possibly malicious PDFs.
- QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
For extracting files from inside disk and memory images.
- bulk_extractor – Fast file carving tool.
- EVTXtract – Carve Windows Event Log files from raw binary data.
- Foremost – File carving tool designed by the US Air Force.
- hachoir3 – Hachoir is a Python library to view and edit a binary stream field by field.
- Scalpel – Another data carving tool.
- SFlock – Nested archive extraction/unpacking (used in Cuckoo Sandbox).
Reverse XOR and other code obfuscation methods.
- Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
- de4dot – .NET deobfuscator and unpacker.
- ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
- FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
- NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
- PackerAttacker – A generic hidden code extractor for Windows malware.
- unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
- unxor – Guess XOR keys using known-plaintext attacks.
- VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
- XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
- XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
- xortool – Guess XOR key length, as well as the key itself.
Tools for dissecting malware in memory images or running systems.
- BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
- DAMM – Differential Analysis of Malware in Memory, built on Volatility.
- evolve – Web interface for the Volatility Memory Forensics Framework.
- FindAES – Find AES encryption keys in memory.
- inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
- Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
- Rekall – Memory analysis framework, forked from Volatility in 2013.
- TotalRecall – Script based on Volatility for automating various malware analysis tasks.
- VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
- Volatility – Advanced memory forensics framework.
- VolUtility – Web Interface for Volatility Memory Analysis framework.
- WDBGARK – WinDBG Anti-RootKit Extension.
- WinDbg – Live memory inspection and kernel debugging for Windows systems.
- AChoir – A live incident response script for gathering Windows artifacts.
- python-evt – Python library for parsing Windows Event Logs.
Storage and Workflow
- Aleph – Open Source Malware Analysis Pipeline System.
- CRITs – Collaborative Research Into Threats, a malware and threat repository.
- FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
- Malwarehouse – Store, tag, and search malware.
- Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
- stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
- Viper – A binary management and analysis framework for analysts and researchers.
ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures.
Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions.
ODA is an online Web Based Disassembler for when you don’t have time or space for a thick client. ODA is a BETA release that is limited by the resource constraints of the server on which it is hosted and the spare time of its creators.
- Malware analysis
- Vulnerability research
- Visualizing the control flow of a group of instructions
- Disassembling a few bytes of an exception handler that is going off into the weeds
- Reversing the first few bytes of a Master Boot Record (MBR) that may be corrupt
- Debugging an embedded systems device driver