YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.
malware malware-analysis threat-analysis security virustheZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev. theZoo's purpose is to allow the study of malware and enable people who are interested in malware analysis (or maybe even as a part of their job) to have access to live malware, analyse the ways they operate, and maybe even enable advanced and savvy people to block specific malware within their own environment.
malware malware-analysis malware-samplesSimplify virtually executes an app to understand its behavior and then tries to optimize the code so that it behaves identically but is easier for a human to understand. Each optimization type is simple and generic, so it doesn't matter what the specific type of obfuscation is used. The code on the left is a decompilation of an obfuscated app, and the code on the right has been deobfuscated.
deobfuscation optimization android reverse-engineering malware-analysis dalvik malware deobfuscator virtual-machine emulator malware-analyzerExploit Development and Reverse Engineering with GDB Made Easy
gdb peda gdbinit pwndbg reverse-engineering debugging ctf gef hack disassembler ida-pro binary-ninja defcon capture-the-flag malware malware-analysis pwnableA curated list of awesome malware analysis tools and resources. Inspired by awesome-python and awesome-php. View Chinese translation: 恶意软件分析大合集.md.
malware-analysis awesome awesome-list list malware-samples analysis-framework dynamic-analysis static-analysis threat-intelligence automated-analysis domain-analysis network-traffic threatintel malware-collection malware-research threat-sharing chinese-translation chineseMalice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company. NOTE: On the first run malice will download all of it's default plugins which can take a while to complete.
malice docker malware infosec virustotal elasticsearch antivirus cloud cybersecurity dfir malware-analysis malware-researchThe purpose of this project is to provide a cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
reverse-engineering malware-analysis binary-analysis parser modification executable-formats elf macho pe lief parsing sdk android dex oat art vdexMISP, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently. The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection System (NIDS), LIDS but also log analysis tools, SIEMs.
misp threat-sharing threat-hunting threatintel malware-analysis stix information-exchange fraud-management tip security cti cybersecurity fraud-detection fraud-prevention threat-analysis information-security information-sharing threat-intelligence threat-intelligence-platform intelligenceMobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static, dynamic and malware analysis. It can be used for effective and fast security analysis of Android, iOS and Windows mobile applications and support both binaries (APK, IPA & APPX ) and zipped source code. MobSF can do dynamic application testing at runtime for Android apps and has Web API fuzzing capabilities powered by CapFuzz, a Web API specific security scanner. MobSF is designed to make your CI/CD or DevSecOps pipeline integration seamless. Your generous donations will keep us motivated.
static-analysis dynamic-analysis mobsf android-security mobile-security windows-mobile-security ios-security mobile-security-framework api-testing web-security malware-analysis runtime-security ci-cd devsecops apk ipaMalcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world. The aim of Malcom is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.
malware network-traffic pcap threat-intelligence malware-analysis infosec dfircapa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. Check out the overview in our first capa blog post.
reverse-engineering malware-analysisSpeakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware. Check out the overview in the first Speakeasy blog post.
emulation malware-analysisAPKiD gives you information about how an APK was made. It identifies many compilers, packers, obfuscators, and other weird stuff. It's PEiD for Android. You can also run APKiD with Docker! Of course, this requires that you have git and Docker installed.
android machine-learning antivirus malware-analysis malware-research yara packers malware-detection rasp yara-forensics android-protect-apps android-protection appshieldingSandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.
sandbox malware-analysis malware-research virtualizationFAME is a recursive acronym meaning “FAME Automates Malware Evaluation”. It is meant to facilitate analysis of malicious files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis.
malware malware-analysis malware-research framework infosec incident-responseflare-emu marries a supported binary analysis framework, such as IDA Pro or Radare2, with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. It is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems. Currently, flare-emu supports the x86, x86_64, ARM, and ARM64 architectures. It currently provides five different interfaces to serve your emulation needs, along with a slew of related helper and utility functions.
emulation malware-analysis fireeye-flareStringSifter is a machine learning tool that automatically ranks strings based on their relevance for malware analysis. The pip install command installs two runnable scripts flarestrings and rank_strings into your python environment. When developing from source, use pipenv run flarestrings and pipenv run rank_strings.
machine-learning strings reverse-engineering learning-to-rank malware-analysis fireeye-flare fireeye-data-scienceThe main principle is the creation of yara rules from strings found in malware files while removing all strings that also appear in goodware files. Therefore yarGen includes a big goodware strings and opcode database as ZIP archives that have to be extracted before the first use. Since version 0.12.0 yarGen does not completely remove the goodware strings from the analysis process but includes them with a very low score depending on the number of occurences in goodware samples. The rules will be included if no better strings can be found and marked with a comment /* Goodware rule */. Force yarGen to remove all goodware strings with --excludegood. Also since version 0.12.0 yarGen allows to place the "strings.xml" from PEstudio in the program directory in order to apply the blacklist definition during the string analysis process. You'll get better results.
yara malware malware-research malware-analysis malwareanalysisUploaded for research purposes and so we can develop IoC's and such. See "post.txt" (transcribed in post.md) for the post in which it leaks, if you want to know how it is all set up and the likes.
mirai ioc mirai-source iot malware ioc-development malware-development malware-research malware-analysis leak botnetHaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system. The tool help security analyst extracting the static and dynamic features from malware effectively and efficiently. The generated report provides significant information about process, file I/O, network and system calls. The tool can be used for the static and dynamic analysis of ELF files on the Linux x86/x64 platform.
malware-analysis dynamic-analysis security static-analysis elf
We have large collection of open source products. Follow the tags from
Tag Cloud >>
Open source products are scattered around the web. Please provide information
about the open source projects you own / you use.
Add Projects.