LiSa: Sandbox for automated Linux malware analysis


Project providing automated Linux malware analysis on various CPU architectures.


  • QEMU emulation.
  • Currently supporting x86_64, i386, arm, mips, aarch64.
  • Small images built with Buildroot.
  • Radare2-based static analysis.
  • Dynamic (behavioral) analysis using SystemTap kernel modules: captured syscalls, open files, process trees.
  • Network statistics and analysis of DNS, HTTP, Telnet, and IRC communication.
  • Endpoint analysis and blacklist configuration.
  • Scaled with Celery and RabbitMQ.
  • REST API and frontend.
  • Extensible through sub-analysis modules and custom images.

Install && Use

