Tag: malware

Malware

VirusTotal Uploader for Debian

VirusTotal API Dependencies sudo apt-get install automake autoconf libtool libjansson-dev libcurl4-openssl-dev Download git clone https://github.com/VirusTotal/c-vtapi.git cd c-vtapi Compile autoreconf -fi ./configure make sudo make install Configure sudo sh -c 'echo "/usr/local/lib" > /etc/ld.so.conf.d/usr-local-lib.conf' sudo ldconfig …

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns. Balbuzard tools balbuzard is a tool to extract patterns …

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to restore since the original names aren’t (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility …

Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some xor analysis: guess the key length (based on count of equal chars); guess the key (based on knowledge of most frequent char) Download https://github.com/hellman/xortool git clone https://github.com/hellman/xortool.git Usage xortool [-h|--help] [OPTIONS] [filename] Options: -l,--key-length length of the key (integer) -c,--char most possible char (one char or hex code) …

Malware Analysis

Ask questions about your Linux and OSX infrastructure

Kolide is an agentless osquery web interface and remote api server. Kolide uses the osquery remote apis to do ad-hoc distributed queries, osqueryd configurations and the collection and processing of scheduled queries (packs). Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. osquery allows you to easily …

Malware Analysis

Analyze Microsoft Office OLE2 files

libolecf is a library to access the OLE 2 Compound File (OLECF) format. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats. Source code Download from Github. git clone https://github.com/libyal/libolecf Note that the git repository holds the development version of …

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …

Disassembler, Reverse Engineering

Fast Disassembler-Decomposer Library

diStorm is a lightweight, easy-to-use and fast disassembler/decomposer library for x86/AMD64. A decomposer means that you get a binary structure that describes an instruction rather than a textual representation. Features * Access to CPU flags that were affected by the instruction. * Basic flow control analysis support. * AVX and FMA instruction sets support. * Complete …

Security

Protocol Analysis-Decoder Framework

ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft. Note that ChopShop is still in perpetual beta and is dependent on libnids/pynids for the majority of its underlying functionality. Documentation for ChopShop can be found on ReadTheDocs. Pynids pynids is a …