Malware Collection

Anonymizers

Web traffic anonymizers for analysts.

  • Anonymouse.org - A free, web based anonymizer.
  • OpenVPN - VPN software and hosting solutions.
  • Privoxy - An open source proxy server with some privacy features.
  • Tor - The Onion Router, for browsing the web without leaving traces of the client IP.

Honeypots

Trap and collect your own samples.

  • Conpot - ICS/SCADA honeypot.
  • Dionaea - Honeypot designed to trap malware.
  • Glastopf - Web application honeypot.
  • Honeyd - Create a virtual honeynet.
  • HoneyDrive - Honeypot bundle Linux distro.
  • Kippo - Medium interaction SSH honeypot.
  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.
  • Thug - Low interaction honeyclient, for investigating malicious websites.

Malware Corpora

Malware samples collected for analysis.

  • Clean MX - Realtime database of malware and malicious domains.
  • Contagio - A collection of recent malware samples and analyses.
  • Exploit Database - Exploit and shellcode samples.
  • theZoo - Live malware samples for analysts.
  • maltrieve - Retrieve malware samples directly from a number of online sources.
  • Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code - Source for the Zeus trojan leaked in 2011.
  • Malshare - Large repository of malware actively scrapped from malicious sites.
  • VirusShare - Malware repository, registration required.
  • ViruSign - Malware database that detected by many anti malware programs except ClamAV.

Open Source Threat Intelligence

Tools

Harvest and analyze IOCs.

  • Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
  • IOC Editor - A free editor for XML IOC files, from Mandiant.
  • ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
  • MISP - Malware Information Sharing Platform.
  • threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources

Threat intelligence and IOC resources.

Detection and Classification

Antivirus and other malware identification tools

  • AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
  • chkrootkit - Local Linux rootkit detection.
  • ClamAV - Open source antivirus engine.
  • ExifTool - Read, write and edit file metadata.
  • hashdeep - Compute digest hashes with a variety of algorithms.
  • MASTIFF - Static analysis framework.
  • MultiScanner - Modular file scanning/analysis framework
  • nsrllookup - A tool for looking up hashes in NIST's National Software Reference Library database.
  • packerid - A cross-platform Python alternative to PEiD.
  • PEiD - Packer identifier for Windows binaries.
  • PEV - A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter - Detect Linux rootkits.
  • ssdeep - Compute fuzzy hashes.
  • totalhash.py - Python script for easy searching of the TotalHash.com database.
  • TrID - File identifier.
  • YARA - Pattern matching tool for analysts.

Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

  • AVCaesar - Malware.lu online scanner and malware repository.
  • Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
  • DRAKVUF - Dynamic malware analysis system.
  • Hybrid Analysis - Online malware analysis tool, powered by VxSandbox.
  • Jotti - Free online multi-AV scanner.
  • Malheur - Automatic sandboxed analysis of malware behavior.
  • Malwr - Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online - Online static analysis of malware.
  • Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • Recomposer - A helper script for safely uploading binaries to sandbox sites.
  • VirusTotal - Free online analysis of malware samples and URLs
  • Zeltser's List - Free automated sandboxes and services, compiled by Lenny Zeltser.
  • AVCaesar - A malware analysis engine and repository.
  • Metascan Online - Free file scanning with multiple antivirus engines.

Domain Analysis

Inspect domains and IP addresses.

  • Dig - Free online dig and other network tools.
  • IPinfo - Gather information about an IP or domain by searching online resources.
  • TekDefense Automator - OSINT tool for gatherig information about URLs, IPs, or hashes.
  • Whois - DomainTools free online whois search.
  • Zeltser's List - Free online tools for researching malicious websites, compiled by Lenny Zeltser.

Browser Malware

Analyze malicious URLs. See also the domain analysis and documents and shellcode sections.

  • Firebug - Firefox extension for web development.
  • Java Decompiler - Decompile and inspect Java apps.
  • Java IDX Parser - Parses Java IDX cache files.
  • JSDetox - JavaScript malware analysis tool.
  • jsunpack-n - A javascript unpacker that emulates browser functionality.
  • Malzilla - Analyze malicious web pages.
  • RABCDAsm - A "Robust ActionScript Bytecode Disassembler."
  • swftools - Tools for working with Adobe Flash files.
  • xxxswf - A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malwaresection.

  • AnalyzePDF - A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • diStorm - Disassembler for analyzing malicious shellcode.
  • JS Beautifier - JavaScript unpacking and deobfuscation.
  • libemu - Library and tools for x86 shellcode emulation.
  • malpdfobj - Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner - Scan for malicious traces in MS Office documents.
  • olevba - A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF - A tool for analyzing malicious PDFs, and more.
  • PDF Tools - pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite - A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf - Python tool for exploring possibly malicious PDFs.
  • Spidermonkey - Mozilla's JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor - Fast file carving tool.
  • EVTXtract - Carve Windows Event Log files from raw binary data.
  • Foremost - File carving tool designed by the US Air Force.
  • Hachoir - A collection of Python libraries for dealing with binary files.
  • Scalpel - Another data carving tool.

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard - A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • ex_pe_xor & iheartxor - Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • NoMoreXOR - Guess a 256 byte XOR key using frequency analysis.
  • unxor - Guess XOR keys using known-plaintext attacks.
  • XORBruteForcer - A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings - A couple programs from Didier Stevens for finding XORed data.
  • xortool - Guess XOR key length, as well as the key itself.

Debugging and Reverse Engineering

Disassemblers, debuggers, and other static and dynamic analysis tools.

  • Bokken - GUI for Pyew and Radare.
  • Evan's Debugger (EDB) - A modular debugger with a Qt GUI.
  • GDB - The GNU debugger.
  • IDA Pro - Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger - Debugger for malware analysis and more, with a Python API.
  • ltrace - Dynamic analysis for Linux executables.
  • objdump - Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg - An assembly-level debugger for Windows executables.
  • pestudio - Perform static analysis of Windows executables.
  • Process Monitor - Advanced monitoring tool for Windows programs.
  • Pyew - Python tool for malware analysis.
  • strace - Dynamic analysis for Linux executables.
  • Radare2 - Reverse engineering framework, with debugger support.
  • Udis86 - Disassembler library and tool for x86 and x86_64.
  • Vivisect - Python tool for malware analysis.

Network

Analyze network interactions.

  • Bro - Protocol analyzer that operates at incredible scale; both file and network protocols.
  • chopshop - Protocol analysis and decoding framework.
  • Fiddler - Intercepting web proxy designed for "web debugging."
  • Hale - Botnet C&C monitor.
  • INetSim - Network service emulation, useful when building a malware lab.
  • Malcom - Malware Communications Analyzer.
  • mitmproxy - Intercept network traffic on the fly.
  • Moloch - IPv4 traffic capturing, indexing and database system.
  • NetworkMiner - Network forensic analysis tool, with a free version.
  • ngrep - Search through network traffic like grep.
  • Tcpdump - Collect network traffic.
  • tcpick - Trach and reassemble TCP streams from network traffic.
  • tcpxtract - Extract files from network traffic.
  • Wireshark - The network traffic analysis tool.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • DAMM - Differential Analysis of Malware in Memory, built on Volatility
  • FindAES - Find AES encryption keys in memory.
  • Muninn - A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall - Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall - Script based on Volatility for automating various malware analysis tasks.
  • VolDiff - Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility - Advanced memory forensics framework.
  • WinDbg - Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

Storage and Workflow

  • Aleph - OpenSource Malware Analysis Pipeline System.
  • CRITs - Collaborative Research Into Threats, a malware and threat repository.
  • Malwarehouse - Store, tag, and search malware.
  • Viper - A binary management and analysis framework for analysts and researchers.

Miscellaneous

  • DC3-MWCP - The Defense Cyber Crime Center's Malware Configuration Parser framework.
  • REMnux - Linux distribution and docker images for malware reverse engineering and analysis.
  • Santoku Linux - Linux distribution for mobile forensics, malware analysis, and security.

Resources

Books

Essential malware analysis reading material.

Twitter

Some relevant Twitter accounts.

Other

Related Awesome Lists