MalwaRE - Malware Repository Framework

malwaRE is a malware repository website created using PHP Laravel framework, used to manage your own malware zoo. malwaRE was based on the work of Adlice team with some extra features.

If you guys have any improvements, please let me know or send me a pull request.

Features

• Self-hosted solution (PHP/Mysql server needed)
• VirusTotal results (option for uploading unknown samples)
• Search filters available (vendor, filename, hash, tag)
• Vendor name is picked from VirusTotal results in that order: Microsoft, Kaspersky, Bitdefender
• Add writeup url(s) for each sample
• Manage samples by tag
• Tag autocomplete
• VirusTotal rescan button (VirusTotal's score column)
• Download samples from repository

Download MalwaRE

Read More

CuckooAutoInstall - Auto Installer Script for Cuckoo Sandbox

What is Cuckoo Sandbox?
In three words, Cuckoo Sandbox is a malware analysis system.

What does that mean?
It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

CuckooAutoInstall was created to avoid wasting time installing Cuckoo Sandbox in Debian Stable.

Usage

• Execute the script: sh cuckooautoinstall.sh
• Add a password for the user 'cuckoo' created by the script. Use: passwd cuckoo command.
• Create the virtual machines http://docs.cuckoosandbox.org/en/latest/installation/guest/ or import virtual machines using VBoxManage import virtual_machine.ova
• Add to the virtual machines with HostOnly option using vboxnet0: vboxmanage modifyvm “virtual_machine" --hostonlyadapter1 vboxnet0 (use this command to list the VMs: VBoxManage list vms)
• Configure cuckoo: cuckoo/conf/cuckoo.conf, cuckoo/conf/auxiliary.conf & cuckoo/conf/virtualbox.conf
• Execute cuckoo (check the image output): cd cuckoo && python cuckoo.py
• Execute also webpy (default port 8080): cd cuckoo/utils && python web.py
• Execute also django using port 6969: cd cuckoo/web && python manage.py runserver 0.0.0.0:6969

Script features 
It installs by default Cuckoo sandbox with the ALL optional stuff: yara, ssdeep, django ...
It installs the last versions of: ssdeep, yara, pydeep-master & jansson.
It tries to solve common problems during the installation: ldconfigs, autoreconfs...
It installs by default virtualbox and creates the hostonlyif.
It creates the iptables rules and the ip forward to enable internet in the cuckoo virtual machines:

sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

It enables run tcpdump from nonroot user:

sudo apt-get -y install libcap2-bin
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

It creates the 'cuckoo' user in the system and it is also added this user to vboxusers group.
It enables mongodb in conf/reporting.conf
It fix the "TEMPLATE_DIRS setting must be a tuple" error when running python manage.py from the DJANGO version >= 1.6. Replacing in web/web/settings.py:

    TEMPLATE_DIRS = (
    "templates"
    )
For:
    TEMPLATE_DIRS = (
    ("templates"),
    )

Download CuckooAutoInstall

Read More

Detekt - scans your Windows computer for traces of known surveillance spyware

Detekt is a free tool that scans your Windows computer for traces of FinFisher and Hacking Team RCS, commercial surveillance spyware that has been identified to be also used to target and monitor human rights defenders and journalists around the world.

In recent years we have witnessed a huge growth in the adoption and trade in communication surveillance technologies. Such spyware provides the ability to read personal emails, listen-in skype conversations or even remotely turn on a computers camera and microphone without its owner knowing about it.

Some of this software is widely available on the Internet, while some more sophisticated alternatives are made and sold by private companies based in industrialized countries to state law enforcement and intelligence agencies in countries across the world.

There is little to no regulation currently in place to safeguard against these technologies being sold or used by repressive governments or others who are likely to use them for serious human rights violations and abuses.

Download Detekt

Read More

DAMM - Differential Analysis of Malware in Memory

An open source memory analysis tool built on top of Volatility. It is meant as a proving ground for interesting new techniques to be made available to the community. These techniques are an attempt to speed up the investigation process through data reduction and codifying some expert knowledge.

Features

• ~30 Volatility plugins combined into ~20 DAMM plugins (e.g., pslist, psxview and other elements are combined into a 'processes' plugin)
• Can run multiple plugins in one invocation
• The option to store plugin results in SQLite databases for preservation or for "cached" analysis
• A filtering/type system that allows easily filtering on attributes like pids to see all information related to some process and exact or partial matching for strings, etc.
• The ability to show the differences between two databases of results for the same or similar machines and manipulate from the cmdline how the differencing operates
• The ability to warn on certain types of suspicious behavior
• Output for terminal, tsv or grepable

Usage

NOTE: Most DAMM output looks better piped through 'less -S' (upper 'S') as in: 
#python damm.py <some DAMM functionality> | less -S (for default output format)

python damm.py -h
usage: damm.py [-h] [-d DIR] [-p PLUGIN [PLUGIN ...]] [-f FILE] [-k KDBG]
               [--db DB] [--profile PROFILE] [--debug] [--info] [--tsv]
               [--grepable] [--filter FILTER] [--filtertype FILTERTYPE]
               [--diff BASELINE] [-u FIELD [FIELD ...]] [--warnings] [-q]

DAMM v1.0 Beta

optional arguments:
  -h, --help            show this help message and exit
  -d DIR                Path to additional plugin directory
  -p PLUGIN [PLUGIN ...]
                        Plugin(s) to run. For a list of options use --info
  -f FILE               Memory image file to run plugin on
  -k KDBG               KDBG address for the images (in hex)
  --db DB               SQLite db file, for efficient input/output
  --profile PROFILE     Volatility profile for the images (e.g. WinXPSP2x86)
  --debug               Print debugging statements
  --info                Print available volatility profiles, plugins
  --tsv                 Print screen formatted output.
  --grepable            Print in grepable text format
  --filter FILTER       Filter results on name:value pair, e.g., pid:42
  --filtertype FILTERTYPE
                        Filter match type; either "exact" or "partial",
                        defaults to partial
  --diff BASELINE       Diff the imageFile|db with this db file as a baseline
  -u FIELD [FIELD ...]  Use the specified fields to determine uniqueness of
                        memobjs when diffing
  --warnings            Look for suspicious objects.
  -q                    Query the supplied db (via --db).

Supported plugins

See #python damm.py --info

apihooks callbacks connections devicetree dlls evtlogs handles idt injections messagehooks mftentries modules mutants privileges processes services sids timers

Download DAMM

Read More

Viper - A binary management and analysis framework dedicated to malware and exploit researchers

Viper is a binary analysis and management framework. Its fundamental objective is to provide a solution to easily organize your collection of malware and exploit samples as well as your collection of scripts you created or found over the time to facilitate your daily research. Think of it as a Metasploit for malware researchers: it provides a terminal interface that you can use to store, search and analyze arbitraty files with and a framework to easily create plugins of any sort.

Download Viper

Read More

Cuckoo Sandbox v1.1 - Automated Malware Analysis

Cuckoo Sandbox is a malware analysis system. It simply means that you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such file did when executed inside an isolated environment.

Cuckoo generates a handful of different raw data which include:

• Native functions and Windows API calls traces
• Copies of files created and deleted from the filesystem
• Dump of the memory of the selected process
• Full memory dump of the analysis machine
• Screenshots of the desktop during the execution of the malware analysis
• Network dump generated by the machine used for the analysis

In order to make such results more consumable to the end users, Cuckoo is able to process them and generate different type of reports, which could include:

• JSON report
• HTML report
• MAEC report
• MongoDB interface
• HPFeeds interface

Even more interestingly, thanks to Cuckoo’s extensive modular design, you are able to customize both the processing and the reporting stages. Cuckoo provides you all the requirements to easily integrate the sandbox into your existing frameworks and storages with the data you want, in the way you want, with the format you want.

Changelog v1.1

• Added imphash to static PE analysis
• Added search for URLs in the web interface
• Added search for PE Imphash in the web interface
• Added possibility in web interface to queue to all machines
• Added filtering by behavior category in Django web interface
• Added analyzer log to Django web interface
• Added REST API to retrieve screenshots associated with a task
• Added REST API to retrieve the PCAP associated with a task
• Added database migration utility
• Added remote submission to submit.py utility
• Added small stats utility (utils/stats.py)
• Added analysis package for PowerShell scripts
• Added overlay configuration for signatures (data/signatures_overlay.json)
• Fixed bug in MAEC report
• Fixed package selection for Office documents and CPL scripts
• Fixed issue with tcpdump filters
• Fixed unhandled exception when uploading files to the analysis machines
• Fixed issues in CuckooMon that resulted in Internet Explorer crashes
• Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
• Fixed bug in behavior processing module that resulted in a trailing backslash in summary’s registry keys

Download  Cuckoo Sandbox v1.1

Read More

Pyew - A Python tool for static malware analysis

Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.

Pyew have been successfully used in big malware analysis systems since almost 2 years, processing thousand of files daily. 

Download Pyew

Read More

FakeNet - Windows Network Simulation tool for Malware Analysis

FakeNet is a tool that aids in the dynamic analysis of malicious software.  The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment.  The goal of the project is to:

1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
2. Support the most common protocols used by malware
3. Perform all activity on the local machine to avoid the need for a second virtual machine
4. Provide python extensions for adding new or custom protocols
5. Keep the malware running so that you can observe as much of its functionality as possible
6. Have a flexible configuration, but no required configuration

The tool is in its infancy of development.  We started working on the tool in January 2012 and we intend to maintain the tool and add new and useful features.  If you find a bug or have a cool feature you think would improve the tool please contact us.

Features

• Supports DNS, HTTP, and SSL
• HTTP server always serves a file and tries to serve a meaningful file; if the malware request a .jpg then a properly formatted .jpg is served, etc.  The files being served are user configurable.
• Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
• Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
• Built in ability to create a capture file (.pcap) for packets on localhost.
• Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

Demo Video

Click here to watch a demo of version 0.9 of the tool in action.

How it works

FakeNet uses a variety of Windows and third party libraries.  It uses a custom HTTP and DNS server to respond to those request.  It uses OpenSSL to wrap any connection with SSL.  It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports.  It uses python 2.7 for the python extensions.  And, it creates the .pcap file by reconstructing a packet header based on the traffic from send/recv calls.

Download FakeNet

Read More

Scout - Download and analyze webpage components to identify infected files

Uses the Pinpoint engine to download and analyze webpage components to identify infected files. Scout has a built-in HTTP Request Simulator that will render user-specified HTML files, catch the resulting HTTP requests, then drop the responses. Scout includes the ability to screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe to the same folder as Scout). Use Scout in a VM since it could potentially cause your computer to become infected.

Download Scout

Read More

CrowdInspect - Scan of your running processes on Windows with Virus Total, WOT & MHR

CrowdInspect is a free professional grade tool for Microsoft Windows systems from CrowdStrike aimed to help alert you to the presence of malware that communicates over the network that may exist on your computer. It is a host-based real-time monitoring and recording tool utilizing multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32 bit and 64 bit versions of Windows from XP and above.

Beyond simple network connections, CrowdInspect associates the connection entry with the process that is responsible for that activity. It can display the process name as a simple file name or as as an optional full file path.

In addition to the process name, the entry's process ID number, local port, local IP address, remote port, remote IP address and reverse resolved DNS name of the remote IP address is shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records details of any entry that is associated with a remote IP address and maintains a chronological list of these accessed by clicking the "Live/History" toolbar button to switch between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect though is its ability to utilize several sources of information that can be used to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the use of the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already running applications and injecting themselves into those processes. Regular antivirus products that only act upon the actual physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior and the results of this test on each process can be seen in the “Inject” column.

● --  (o Gray icon)

○ Not applicable/not available. No process is not able to be tested.

● ??  (o Gray icon)

○ The process did not allow us to test for code injection.

● OK  (o Green)

○ The process did not appear to have any evidence of thread injection.

● !!  (o Red icon)

○ The entry appeared to have had a thread injected into its process. This is generally not a good thing or something usually encountered. Note though that there may be some classes of specialized software that does exhibit this behavior. The process/application should be investigated further.

VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

<http://www.virustotal.com>

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service against the file in question (actually the SHA256 hash of the file contents). VirusTotal utilizes multiple antivirus engines to analyze submitted files and we query its database to see if the file hash is in the database and if so, how the antivirus engines rated it. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the VirusTotal database was made or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the VirusTotal database. This is probably good!

● 0% ... 100%  (o Green ... o Red icons)

○ The file is known to the VirusTotal database. This is the virus score. 0% means no antivirus vendor reported an issue with the process (very good). 100% means every antivirus vendor reported the process as problematic (very bad!)

More extensive details for the particular selected entry in the list can be seen by either clicking the "AV Results" toolbar button or selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before the results appear for each entry in the list due to rate throttling of connections to the service.

Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

<http://www.teamcymru.com>

Shown in the "MHR" column, Team Cymru maintains a repository of known malware that can be queried given an MD5 hash of the file contents. In this case we are simply querying for a yes/no answer so the results can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No response was received from the Team Cymru service or the process is not associated with a file.

● ??  (o Gray icon)

○ The entry does not exist in the MHR database. This is probably good, although the absence of a positive response doesn't necessarily mean the process is not malware.

● !!  (o Red icon)

○ The entry DOES exist in the MHR database. The process is known to be malware. This is bad!

Web of Trust

Crowd-sourced domain name reputation system

<http://www.mywot.com>

Shown in the "WOT" column column of the tool are the basic summary results of querying the Web of Trust service against the reverse resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

● --  (o Gray icon)

○ Not applicable/not available. No connection to the WoT database was made or the entry's remote IP address does not have a usable valid domain name associated with it.

● ??  (o Gray icon)

○ The entry does not exist in the WoT database.

● 0% ... 100%  (o Red ... o Green icons)

○ The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy. 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.

To avoid unnecessary querying of the above services all results are cached such that no unique process or domain is ever queried more than once for the duration the tool is running.

Download CrowdInspect

Read More

[Killtrojan Syslog] Tool to detect malware activity on a system

Killtrojan Syslog is a free application to create a report about characteristics of the system to further analyze and look for signs of malware, also is intended to put the report in a specialized forum for users to help.

The tool has a very intuitive and easy to use for non-technical users to create their reports. Also useful for more advanced users who want to analyze a computer.

With the support logs with BBCode mode, you can paste the log generated in any forum (SMF, PHPBB, Invision ...) which will be detailed with clear colors for your reading.

Download Killtrojan Syslog

Read More

[Pinpoint] Enumerates WebPage Components to help identify the Infected Files

Pinpoint works like wget/curl in that it just fetches a webpage without rendering any script. Pinpoint will then try to determine which links are used to make up the webpage such as Javascript, CSS, frames, and iframes and downloads those files too (some Javascript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows the links and in which file the link resided in. It will also download the file and calculate the “entropy”; the higher the value, the more rubbish characters it found which may help identify obfuscated Javascript.

You can of course spoof the user-agent string and referer values to ilicit a malicious response from the website. There’s also a function to clear your cookies (see Options menu item) since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address since it’ll get banned usually after the first visit.

Download Pinpoint

Read More

[RDG Packer Detector 2014] Detector de Packers,Cryptors,Compiladores, Packers Scrambler,Joiners,Installers

RDG Packer Detector es un detector de packers,Cryptors,Compiladores, Packers Scrambler,Joiners,Installers.

+Nuevas signaturas+Windows 7 Compatible
+Windows 8 Compatible
+Menos Falsos Positivos
+Mayor Estabilidad
+Deteccion 32/64 bits PE

-Posee sistema de detección Rápida.
-Posee sistema de detección Potente Analizando el archivo completo, permitiendo la muli-detección de packers en varios casos.
-Permite crear signaturas tus propias signaturas de detección.
-Posee Analizador Crypto-Grafico.
-Permite calcular el checksum de un archivo.
-Permite calcular el Entropy, informando si el programa analizado esta comprimido, encriptado o no.
-Detector de OEP (Punto de entrada Original) de un programa.
-Puedes Chequear y descargar signaturas.Así siempre tú RDG Packer Detector estará Actualizado.
-Loader de Plug-ins..
-Convertidor de Signaturas.
-Detector de Falseadores de Entry Point.
-De-Binder un extractor de archivos adjuntos.
-Sistema Heuristico Mejorado.

Descargar RDG Packer Detector

Read More

[Malheur v0.5.4] Malware Analyzer

Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It has been designed to support the regular analysis of malicious software and the development of detection and defense measures. Malheur allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: Malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored during run-time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports for discovery and discrimination of malware classes using machine learning.

Malheur can be applied to recorded behavior of various format, as long as monitored events are separated by delimiter symbols, for example as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox

.

Download Malheur

Read More

[Comodo Instant Malware Analysis] Online Automated Analysis System

If you have a suspicious file, please submit it online by using the form below. Once the file is submitted, COMODO Automated Analysis System will scan it and report back its findings.

Comodo Instant Malware Analysis

Read More

[Anubis] Online Analyzing Unknown Binaries

Anubis is a service for analyzing malware.

Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL. 

Anubis

Read More

[Malware Classifier] Malware Analysis Tool

Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators, and security researchers quickly and easily determine if a binary file contains malware, so they can develop malware detection signatures faster, reducing the time in which users' systems are vulnerable.

Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”

The tool was developed using models resultant from running the J48, J48 Graft, PART, and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs. 

The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or all of them, and presents its classification of the unknown binary.

Download Malware Classifier

Read More

[VirusTotal] Online Malware Analysis Tool

VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.

VirusTotal’s mission is to help in improving the antivirus and security industry and make the internet a safer place through the development of free tools and services.

VirusTotal

Read More

[Hook Analyser 3.0] A Freeware Malware Analysis and Cyber Threat Intelligence Software

In terms of improvements, a new module has been added - Cyber Threat Intelligence. Threat Intel module is being created to gather and analyse information related to Cyber Threats and vulnerabilities.

The module can be run using HookAnalyser.exe (via Option 6 ), or can be run directly.

The module present information on a web browser (with dashboard alike representation) with the following sections -

1. Threat Vectors - by (%) Country
2. Threat Vectors - by Geography 
3. Vulnerability / Threat Feed.

Project documentation - Click Here

Here is the screenshot of the Cyber Threat Intelligence dashboard -

Download Hook Analyser 3.0

Read More

[Hook Analyser v2.6] Application (and Malware) Analysis tool

Application (and Malware) Analysis tool. Hook Analyser is a hook tool which could be potentially helpful in reversing application and analysing malwares.

Changelog v2.6

• Added new signatures (and removed redundant ones)
• Bug fixes – Many thanks for community users to reporting them.
• Fixed start-up error.

More Information:

• http://hookanalyser.blogspot.com

Download Hook Analyser v2.6

Read More