Malware Analysis Tools (draft)

This post is part of a series of posts categorized as “Wiki” that contain basic how-to information. The intent is to create a reference repository for myself, but I’m not selfish, so if anyone else can also benefit from it, I’m happy to share the knowledge!

There are so many great tools that can help with malware analysis, and I find myself forgetting which ones I’ve heard of. I originally learned about many of the tools in this list from one of two sources: the book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig, and the SANS FOR610: Reverse-Engineering Malware course by Lenny Zeltser and Anuj Soni.

Many of these tools come bundled together for Windows in “FLARE VM” and for Linux in “REMnux.” Both are free.

Basic Static Analysis

Name [Platform]: Usage cases

base64 [Linux]: Encode or decode base64
BinText [Windows]: Examine ASCII and Unicode strings in a file
Detect It Easy [Linux/Windows]: Identify PE header details, compiler, and programming language; the Linux GUI is die, the command line is diec
CFF Explorer [Linux/Windows]: PE editing
CScript [Windows]: JavaScript and VBScript interpreter for deobfuscation
Exeinfo PE [Windows]: Identify PE header details, compiler, and programming language, and extract artifacts
exiftool [Linux]: Extract file metadata
HxD [Windows]: Hex editor (file and memory), file hashing, file comparison
MASTIFF [Linux]: Automated extraction of properties, including fuzzy hash, hex dump, section hashes, imports, YARA rule checking, strings, resource extraction, and other helpful properties
Notepad++ [Windows]: Text editor with plugins: JSTool (minify JavaScript to remove extraneous code, beautify to make JavaScript readable); Npp Converter (convert ASCII/Hex); MIME Tools (Base64 encode/decode, URL encode/decode, SAML decode); Compare (compare files side by side)
peframe [Linux]: Hashes, interesting functionality, suspicious APIs, and other helpful properties
pescan [Linux]: Windows executable anomaly detection
(name missing) [Linux/Windows]: Section hashes, entry point, imports and suspicious IAT entries, and other helpful properties
pestr [Linux]: Extract strings from a Windows executable (ASCII and Unicode at the same time); --net extracts only networking strings
PeStudio [Windows]: Section hashes, strings, indicators of maliciousness, entropy, imports, exports, and other helpful properties
portex [Linux/Windows]: Section hashes, entropy, imports, API functionality summary, anomaly detection, and other helpful properties
signsrch [Linux/Windows]: Identify compression and crypto functionality by signature
SpiderMonkey [Linux/Windows]: JavaScript interpreter for deobfuscation
strings [Linux/Windows]: Extract strings from a file (ASCII by default; 16-bit little-endian Unicode with --encoding=l, short form -e l); -a scans the whole file rather than only the initialized data sections of an object file
strings2 [Windows]: Extract ASCII and Unicode strings from a file or a running process
(name missing) [Linux/Windows]: Bitwise operations on a file, such as XOR, ROL/ROR, etc.
trid [Linux]: Identify file type
V8 [Linux/Windows]: JavaScript interpreter for deobfuscation
(name missing) [Linux/Windows]: Derive XOR key and perform XOR operations
xxd [Linux]: Make a hex dump or revert a hex dump to binary (-r)
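Most of the static tools above boil down to a handful of operations that are worth understanding rather than only clicking through: pulling ASCII and UTF-16LE strings (what strings and strings --encoding=l do), measuring entropy (what PeStudio and portex report per section), hashing, and deriving a single-byte XOR key from a known plaintext. The Python script below is added here as a worked example and is not the code of any tool in the table. It runs on a constructed byte blob rather than a real sample; the DOS-stub crib and the 0x5A test key are the only assumptions.

```python
from __future__ import annotations

import hashlib
import math
import re
from collections import Counter

# Constructed sample blob (not real malware): a DOS-stub-like ASCII string, a
# UTF-16LE URL, and 512 bytes covering every byte value twice to stand in for a
# high-entropy packed section.
ASCII_PART = b"MZ\x90\x00" + b"\x00" * 8 + b"This program cannot be run in DOS mode.\r\n"
WIDE_PART = "http://example.invalid/gate.php".encode("utf-16-le")
SAMPLE = ASCII_PART + b"\x01\x02\x03" + WIDE_PART + b"\x00\x00" + bytes(range(256)) * 2

# Plaintext that nearly every PE carries; XOR key finders use it as a crib.
DOS_STUB = b"This program cannot be run in DOS mode"


def ascii_strings(data: bytes, min_len: int = 4) -> list[str]:
    """What `strings` prints by default: runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def wide_strings(data: bytes, min_len: int = 4) -> list[str]:
    """What `strings --encoding=l` prints: printable ASCII stored as UTF-16LE,
    i.e. each character followed by a NUL byte. Plain `strings` misses these."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte from 0.0 (constant) to 8.0 (uniform). Packed or encrypted
    sections usually sit above 7; ordinary x86 code is roughly 5 to 6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def recover_xor_key(data: bytes, crib: bytes = DOS_STUB) -> int | None:
    """Try all 256 single-byte keys and return the one under which the crib
    appears in the decoded data, or None if no key works."""
    for key in range(256):
        if crib in xor_bytes(data, key):
            return key
    return None


def hashes(data: bytes) -> dict[str, str]:
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Collect the quick static indicators in one place."""
    return {
        "size": len(data),
        "hashes": hashes(data),
        "entropy": round(shannon_entropy(data), 3),
        "ascii_strings": ascii_strings(data),
        "wide_strings": wide_strings(data),
        "xor_key": recover_xor_key(data),
    }


if __name__ == "__main__":
    import json

    # Plain sample: strings visible, xor_key 0. XOR-encoded copy: strings gone,
    # entropy unchanged (XOR only permutes byte values), key recovered as 0x5A.
    for blob in (SAMPLE, xor_bytes(SAMPLE, 0x5A)):
        print(json.dumps(triage(blob), indent=2))
```

Two things the run makes visible: the URL only shows up in the wide-string pass, which is why the table keeps pointing out tools that handle ASCII and Unicode at the same time, and the XOR-encoded copy has exactly the same entropy as the original, so entropy alone tells you "obfuscated or packed", not which.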

Basic Dynamic Analysis

Name [Platform]: Usage cases

accept-all-ips [Linux]: Wrapper script to enable and disable iptables rules that intercept direct IP connections and redirect them to the analysis host
Apache/httpd [Linux]: Web server
ApateDNS [Windows]: Responds to DNS queries, redirecting traffic to a user-specified IP address
box-js [Linux]: Analyze JavaScript while emulating Windows runtime components
Burp [Linux/Windows]: Display the host's HTTP and HTTPS traffic and debug web applications
CapTipper [Linux/Windows]: Analyze and extract files from a .pcap
curl [Linux/Windows]: Download files or website assets
fakedns [Linux]: Responds to DNS queries, redirecting traffic to the IP of the host running fakedns
FakeNet-NG [Windows]: Emulate network protocols and redirect network connections
Fiddler [Windows]: Display the host's HTTP and HTTPS traffic and debug web applications
iptables [Linux]: Redirect IP traffic
INetSim [Linux]: Emulate network protocols, as well as view decrypted HTTPS traffic
Netcat [Linux/Windows]: Listen on a port
NetworkMiner [Linux/Windows]: GUI analysis and extraction of files from a .pcap
PE Capture [Windows]: Monitors for and records any executables that run
ProcDOT [Windows]: Visually examine a Process Monitor log
Process Explorer [Windows]: Monitor system resources and other helpful features
Process Hacker [Windows]: Monitor system resources, view open network connections, examine runtime memory, and other helpful features
Process Monitor [Windows]: Real-time recording of file system, Registry, process and thread activity
RegShot [Windows]: Capture and compare Registry snapshots
strings2 [Windows]: Extract ASCII and Unicode strings from a file or a running process
TcpLogView [Windows]: Records opening and closing of TCP connections
Thug [Linux/Windows]: Low-interaction honeyclient for looking at malicious websites
Tor [Linux/Windows]: Hide your IP when interacting with C2 servers or other malicious hosts
VPN [Linux/Windows]: Hide your IP when interacting with C2 servers or other malicious hosts
wget [Linux/Windows]: Download files or website assets
Wireshark [Linux/Windows]: Network packet capture and extraction of files from a .pcap
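ApateDNS, fakedns and the DNS side of FakeNet-NG all do one small thing: answer every A query with an address you control so the sample's C2 traffic lands on your sink host instead of the internet. The Python below is a minimal fakedns-style responder added here as a worked example; it is not the code of any of those tools. It parses the question, follows name compression pointers with a loop guard (a hostile client can send a pointer cycle), answers A queries with a fixed address, and gives every other type an empty NOERROR answer so the client falls back to A. The 10.0.0.1 redirect address and the evil.example.com query name are made up for the example.

```python
from __future__ import annotations

import socket
import struct

TYPE_A = 1


def encode_name(name: str) -> bytes:
    """'evil.example.com' -> b'\\x04evil\\x07example\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past the
    name at its original position). Refuses compression pointer loops."""
    labels, seen, jumped, end = [], set(), False, offset
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0x1234) -> bytes:
    """Constructed client query, shaped like what a stub resolver sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes) -> tuple[int, str, int, int]:
    """Return (transaction id, queried name, qtype, offset where the question ends)."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    name, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, off + 4


def build_response(query: bytes, redirect_ip: str, ttl: int = 60) -> bytes:
    """Answer every A query with redirect_ip. Other types (AAAA, TXT, ...) get
    NOERROR with no answers, so the client moves on to its A query."""
    txid, _name, qtype, qend = parse_question(query)
    question = query[12:qend]
    if qtype != TYPE_A:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question  # QR RD RA, 0 answers
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR RD RA, NOERROR, 1 answer
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, TYPE_A, 1, ttl, 4) + socket.inet_aton(redirect_ip)
    return header + question + answer


def answered_ip(response: bytes) -> str | None:
    """Read the A record back out of a response (used to check our own output)."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4  # skip qtype and qclass
    _, off = decode_name(response, off)  # answer owner name (the pointer)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


def serve(redirect_ip: str, bind: str = "0.0.0.0", port: int = 53) -> None:
    """Run as the lab's only resolver (needs root for port 53). Blocks forever."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, client = sock.recvfrom(512)
            try:
                response = build_response(data, redirect_ip)
                name = parse_question(data)[1]
            except (ValueError, IndexError, struct.error):
                continue  # malformed query: drop it instead of crashing the sink
            print(f"{client[0]} asked for {name}: answering {redirect_ip}")
            sock.sendto(response, client)


if __name__ == "__main__":
    import sys

    serve(sys.argv[1] if len(sys.argv) > 1 else "10.0.0.1")
```

Run it as root on the REMnux box with the sink address as its only argument, point the Windows VM's DNS at that box, and pair it with accept-all-ips/iptables for samples that skip DNS and connect straight to an IP. The printed query log is itself an indicator: the domains a sample asks for are usually the first C2 artifacts you get.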

Advanced Static and Dynamic Analysis

Name [Platform]: Usage cases

API Monitor [Windows]: Monitor and examine API calls of a running process
Binary Ninja [Linux/Windows]: Disassembler and decompiler (beta at this time)
dnSpy [Windows]: Debugger and .NET assembly editor
Ghidra [Linux/Windows]: Disassembler and decompiler, static code analysis
Hopper [Linux]: Disassembler and decompiler
IDA [Linux/Windows]: Disassembler and decompiler, static code analysis
Radare2 [Linux/Windows]: Disassembler, debugger, and other helpful features
scdbg [Windows]: Shellcode emulator
x32dbg & x64dbg [Windows]: Debugging, static code analysis
WinDbg [Windows]: Debugging, static code analysis

Malicious Documents

Name [Platform]: Usage cases

(name missing) [Linux/Windows]: Extract encoded strings from a file, base64 by default but other encodings available
(name missing) [Linux/Windows]: Examine OLE2 files and streams
olecfexport [Linux/Windows]: Examine OLE2 file streams
olecfinfo [Linux/Windows]: Examine OLE2 files
(name missing) [Linux/Windows]: Examine OLE2 files
(name missing) [Linux/Windows]: Explore Microsoft Office file contents and identify and dump streams with macros (part of oletools)
(name missing) [Linux/Windows]: Parse Microsoft Office files and extract macros
Origami PDF [Linux]: Parse and analyze PDF documents
(name missing) [Linux/Windows]: Locate and extract macro p-code from Microsoft Office files
(name missing) [Linux/Windows]: Identify high-risk keywords and dictionary entries in a PDF
PDF Stream Dumper [Windows]: PDF analysis, JavaScript deobfuscation, shellcode analysis
(name missing) [Linux/Windows]: Examine the structure of a PDF and look at its contents
(name missing) [Linux/Windows]: Get stats for a PDF and identify high-risk keywords and dictionary entries, as well as examine the structure of the PDF and look at its contents
qpdf [Linux/Windows]: Convert an encrypted, password-protected PDF or its streams to unencrypted form
(name missing) [Linux/Windows]: Examine and dump contents of RTF files
(name missing) [Linux/Windows]: Dump objects from RTF files
(name missing) [Linux/Windows]: Convert shellcode to a Windows executable
SSview [Windows]: View and extract OLE2 contents
(name missing) [Linux/Windows]: Extract Flash from a PDF
unicode2hex-escaped [Linux]: Convert Unicode to hex-escaped form
unicode2raw [Linux]: Convert Unicode to raw bytes
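Several rows in this table amount to "count the dangerous names in a PDF and pull out its streams", and the gotcha that makes a dedicated tool worth it is that PDF name tokens may hex-escape any character: /J#61vaScript is the same name as /JavaScript, so a plain grep for /JavaScript reports a clean file. The Python below is added here as a worked example and is not the code of any of the PDF tools listed above. It normalizes the escapes before counting, counts the risky names and the obj/stream structure keywords, and inflates /FlateDecode streams so deobfuscation can continue on the script itself. The sample PDF it scans is constructed inline and is not a real malicious document.

```python
from __future__ import annotations

import re
import zlib

# Constructed sample PDF (not a real malicious document): an /OpenAction that
# runs a JavaScript action whose /JavaScript name is hex-escaped and whose
# script lives in a FlateDecode-compressed stream.
SCRIPT = b"app.alert('constructed test'); this.exportDataObject({cName: 'x'});"
_deflated = zlib.compress(SCRIPT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS 4 0 R >> endobj\n"
    b"4 0 obj << /Length " + str(len(_deflated)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _deflated + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Names worth counting in triage; any hit is a reason to look closer.
RISKY_NAMES = [b"/JS", b"/JavaScript", b"/AA", b"/OpenAction", b"/Launch", b"/EmbeddedFile",
               b"/RichMedia", b"/AcroForm", b"/XFA", b"/JBIG2Decode", b"/ObjStm", b"/URI"]
STRUCTURE = [b"obj", b"endobj", b"stream", b"endstream"]

NAME_TOKEN = re.compile(rb"/[^\s/<>\[\]()%]+")
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes inside name tokens only (/J#61vaScript -> /JavaScript),
    the obfuscation a naive grep for '/JavaScript' misses."""
    def unescape(match: re.Match) -> bytes:
        return HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), match.group())
    return NAME_TOKEN.sub(unescape, data)


def keyword_counts(data: bytes) -> dict[str, int]:
    """Count risky names and structural keywords after normalizing escapes."""
    norm = normalize_names(data)
    counts: dict[str, int] = {}
    for name in RISKY_NAMES:
        # Lookahead stops /JS from also matching inside a longer name like /JSx.
        counts[name.decode()] = len(re.findall(re.escape(name) + rb"(?![0-9A-Za-z])", norm))
    for word in STRUCTURE:
        # Word boundaries keep 'obj' from also counting every 'endobj'.
        counts[word.decode()] = len(re.findall(rb"(?<![A-Za-z])" + word + rb"(?![A-Za-z])", norm))
    return counts


def extract_streams(data: bytes) -> list[bytes]:
    """Return stream bodies, inflating those whose dictionary names /FlateDecode.
    The dictionary is taken as everything from the nearest preceding '<<', which
    is fine for triage but will pick the inner one for nested dictionaries."""
    bodies = []
    for match in STREAM_BODY.finditer(data):
        body = match.group(1)
        dict_start = data.rfind(b"<<", 0, match.start())
        dictionary = data[dict_start:match.start()] if dict_start != -1 else b""
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or chained filters: keep the raw bytes for manual work
        bodies.append(body)
    return bodies


if __name__ == "__main__":
    for key, value in keyword_counts(SAMPLE_PDF).items():
        if value:
            print(f"{key:14} {value}")
    for body in extract_streams(SAMPLE_PDF):
        print("stream:", body.decode("latin-1"))
```

On the constructed sample the counts show one /OpenAction, one /JavaScript and one /JS, which is the classic "runs script on open" shape, and the inflated stream hands you the JavaScript to feed into box-js, SpiderMonkey or V8 from the earlier tables. Mismatched obj/endobj or stream/endstream counts are a second cheap signal, since parsers that tolerate a malformed structure are often exactly what an exploit document is aiming at.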