Category: Malware Analysis

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack malware obfuscation such as XOR, ROL, etc. by brute-forcing and checking for those patterns. Balbuzard tools: balbuzard is a tool to extract patterns …

Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some XOR analysis: guess the key length (based on the count of equal chars) and guess the key (based on knowledge of the most frequent char). Download: https://github.com/hellman/xortool (git clone https://github.com/hellman/xortool.git). Usage: xortool [-h|--help] [OPTIONS] [filename]. Options: -l, --key-length: length of the key (integer); -c, --char: most probable char (one char or hex code) …

Malware Analysis

Ask questions about your Linux and OSX infrastructure

Kolide is an agentless osquery web interface and remote API server. Kolide uses the osquery remote APIs to do ad-hoc distributed queries, osqueryd configurations, and the collection and processing of scheduled queries (packs). Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. osquery allows you to easily …

Malware Analysis

Analyze Microsoft Office OLE2 files

libolecf is a library to access the OLE 2 Compound File (OLECF) format. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats. Source code: download from GitHub (git clone https://github.com/libyal/libolecf). Note that the git repository holds the development version of …

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …

Forensics, Malware Analysis

Automater – IP URL and MD5 OSINT Analysis

Automater is a URL/domain, IP address, and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP, or hash) or a file full of targets, Automater will return relevant results from sources like the following: IPvoid.com, Robtex.com, Fortiguard.com, unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert, VxVault, and VirusTotal. Options …

Honeypot, Malware Analysis

Glastopf – Web Application Honeypot

Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application. This tool is designed to capture information on the latest web application attacks using a scalable and easy-to-deploy …

Forensics, Malware Analysis, Reverse Engineering

Dump running Win32 process memory image

User Mode Process Dumper ver. 8.1 (userdump) dumps the memory image of any running Win32 process (including system processes such as csrss.exe, winlogon.exe, services.exe, etc.) on the fly, without attaching a debugger or terminating the target process. The generated dump file can be analyzed or debugged using the standard debugging tools. userdump generates the dump file by several …

Honeypot, Malware Analysis

A Simple Elasticsearch Honeypot

ElasticHoney is a simple Elasticsearch honeypot designed to catch attackers exploiting RCE vulnerabilities in Elasticsearch. How it works: this honeypot is pretty simple. It takes requests on the /, /_search, and /_nodes endpoints and returns a JSON response that is identical to a vulnerable ES instance (should be identical – I took the responses straight …