malzoo: Mass static malware analysis tool
What is MalZoo?
MalZoo is a mass static malware analysis tool that stores the collected information in a MongoDB database and moves each malware sample into a repository directory chosen from the first 4 characters of its MD5 hash. It was built as an internship project to analyze sample sets of 50 GB+ (e.g. from http://virusshare.com).
A few examples of what it can be used for:
- Use the collected information to visualize the results (e.g. see most used compile languages, packers etc.)
- Gather intel from large open source malware repositories (original intent of the project)
- Monitor a mailbox, analyze the emails and attachments
Overview of data collected per filetype
PE-files
- Filename of the sample
- Filetype
- Filesize
- MD5 hash
- SHA-1 hash
- PE hash
- Fuzzy hash
- Imphash
- YARA rules that match
- PE compile time
- Imported DLLs
- PE packer information (if available)
- PE language
- Original filename (if available)
- Strings
Office-documents
- MD5
- SHA-1
- Filetype
- Filename
- Indicators (with olevba)
ZIP
- MD5
- SHA-1
- Files in ZIP (each file will be pushed for static analysis)
- Filesize
- Filetype
E-mails
- From
- To
- CC
- BCC
- Subject
- Date
- Attachments (will be pushed for static analysis as well)
- Message ID (Msg_id)
- Attachment filenames
- URLs from the message body
Other-files
- Filename
- Filetype
- Filesize
- MD5
- SHA-1
- YARA results
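As an added example (not code from the MalZoo project itself), the Python below computes the fields the overview lists for every filetype (filename, filetype, filesize, MD5, SHA-1), classifies a sample by magic bytes and moves it into the MD5-bucketed repository described above. Assumptions: the bucket layout is one directory named after the first 4 hex characters of the MD5, and the small magic-prefix table stands in for the libmagic-based detection a real deployment would use.

```python
import hashlib
import os
import shutil
import tempfile

# Magic-byte prefixes stand in for the filetype detection that routes a sample to the
# PE / Office / ZIP / other analyzers (assumption: MalZoo itself uses libmagic).
MAGIC_PREFIXES = [(b"MZ", "pe"), (b"PK\x03\x04", "zip"),
                  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "office")]

def classify(data):
    """Analyzer category for a sample; 'other' when no prefix matches."""
    for prefix, kind in MAGIC_PREFIXES:
        if data.startswith(prefix):
            return kind
    return "other"

def build_record(filename, data):
    """The fields the README lists for every filetype: name, type, size, MD5, SHA-1."""
    return {"filename": filename, "filetype": classify(data), "filesize": len(data),
            "md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}

def repository_path(repo_root, md5):
    """Assumption: one bucket directory per first 4 hex chars of the MD5, file named by full MD5."""
    return os.path.join(repo_root, md5[:4], md5)

def store_sample(repo_root, src_path):
    """Hash the file, move it into its MD5 bucket, return the record destined for MongoDB."""
    with open(src_path, "rb") as fh:
        data = fh.read()
    record = build_record(os.path.basename(src_path), data)
    dest = repository_path(repo_root, record["md5"])
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.move(src_path, dest)  # re-submitted duplicates land on the same MD5-named path
    record["repository_path"] = dest
    return record

def demo():
    # Two constructed samples written to a temp dir, stored, and their records returned.
    samples = {"dropper.exe": b"MZ\x90\x00constructed PE stub", "note.txt": b"hello"}
    workdir = tempfile.mkdtemp()
    try:
        records = []
        for name, data in samples.items():
            src = os.path.join(workdir, name)
            with open(src, "wb") as fh:
                fh.write(data)
            records.append(store_sample(os.path.join(workdir, "repository"), src))
        return records
    finally:
        shutil.rmtree(workdir)
```

Because the destination is named by the full MD5, a sample submitted twice overwrites its earlier copy instead of creating a second file, which is what keeps a 50 GB+ corpus free of duplicates.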
The screenshot below is a basic example of data visualisation in Splunk.
The screenshot below is a basic example of data visualisation in Kibana. More examples will be added soon.
Install && Tutorial
Copyright (C) 2016 nheijmans