malzoo: Mass static malware analysis tool
What is MalZoo?
MalZoo is a mass static malware analysis tool. It stores the information it collects in a MongoDB database and moves each sample into a repository directory chosen by the first 4 characters of the sample's MD5 hash. It was built as an internship project to analyze sample sets of 50 GB+ (e.g. from http://virusshare.com).
A few examples of what it can be used for:
- Use the collected information to visualise the results (e.g. the most used compilers, packers, etc.)
- Gather intel from large open-source malware repositories (the original intent of the project)
- Monitor a mailbox and analyze the emails and their attachments
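The intake step described above (hash the sample, file it under a directory named after the first 4 hex characters of its MD5, keep a record for Mongo) as an added example. This is not MalZoo's own code; the function names `file_digests`, `repository_path`, `ingest_sample` and the record layout are assumptions, and the sample bytes are constructed, not a real binary. It also does two things the description leaves open: it refuses to overwrite a sample already present at the MD5 path (flagging the record as a duplicate instead), and it stores a SHA-256 alongside the MD5, because MD5 collisions are practical and two distinct samples could otherwise be filed at the same path.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

# Added example (not MalZoo's code): repository layout <repo>/<md5[:4]>/<md5>.
# Names and the record layout are assumptions.

CHUNK = 1024 * 1024


def file_digests(path):
    """Stream the file once and return its MD5, SHA-1 and SHA-256 hex digests."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def repository_path(repo_root, md5):
    """<repo_root>/<md5[:4]>/<md5>: 65536 buckets, so no single directory grows unbounded."""
    return os.path.join(repo_root, md5[:4], md5)


def ingest_sample(path, repo_root):
    """Hash the sample, move it into the repository, return the document to store in Mongo.

    A sample whose MD5 is already in the repository is not overwritten: the incoming
    copy is removed and the record is flagged as a duplicate.
    """
    md5, sha1, sha256 = file_digests(path)
    dest = repository_path(repo_root, md5)
    duplicate = os.path.exists(dest)
    if duplicate:
        os.remove(path)
    else:
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
    return {
        "filename": os.path.basename(path),
        "md5": md5,
        "sha1": sha1,
        "sha256": sha256,  # MD5 alone is not a safe identity for hostile input
        "bucket": md5[:4],
        "repo_path": dest,
        "size": os.path.getsize(dest),
        "duplicate": duplicate,
        "analyzed_at": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed input (not real malware): the same fake PE header ingested twice
    under two filenames, to show the duplicate handling."""
    root = tempfile.mkdtemp(prefix="malzoo_")
    repo = os.path.join(root, "repo")
    data = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200  # constructed bytes
    records = []
    for name in ("sample_a.exe", "sample_b.exe"):
        src = os.path.join(root, "incoming", name)
        os.makedirs(os.path.dirname(src), exist_ok=True)
        with open(src, "wb") as fh:
            fh.write(data)
        records.append(ingest_sample(src, repo))
    return records


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The repository directory should live on a volume mounted `noexec` and be readable only by the analysis user; the tool only ever reads the samples, and nothing in this layout should make accidental execution easier.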
Overview of data collected per filetype
PE files:
- Filename of the sample
- MD5 hash
- SHA-1 hash
- PE hash
- Fuzzy hash
- YARA rules that match
- PE compile time
- Imported DLLs
- PE packer information (if available)
- PE language
- Original filename (if available)
Office documents:
- Indicators (with olevba)
ZIP archives:
- Files in the ZIP (each file is pushed for static analysis)
Email messages:
- Attachments (pushed for static analysis as well)
- Attachment filenames
- URLs from the message body
- YARA results
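The email and ZIP handling listed above as an added example: the message is walked, URLs are pulled from the text body, every attachment gets a per-file record, and a ZIP attachment is expanded so that each member is analyzed in turn. This is not MalZoo's own code; `analyze_bytes`, `analyze_message`, `build_sample_message` and the record layout are assumptions, and the message is constructed in the block (a fake `.exe` inside a ZIP, not a real sample). Two edge cases the README does not mention are handled explicitly: a password-protected ZIP, which `zipfile` cannot read without the key and which is common in malicious mail, is recorded as encrypted rather than crashing the run, and member size and nesting depth are bounded so a ZIP bomb cannot exhaust the analysis host.

```python
import hashlib
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Added example (not MalZoo's code): email walk + recursive ZIP expansion.
# Function names and the record layout are assumptions.

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>\"']+", re.IGNORECASE)
MAX_MEMBER = 50 * 1024 * 1024   # never inflate a single ZIP member past 50 MB (zip-bomb guard)
MAX_DEPTH = 3                    # ZIP-in-ZIP-in-ZIP is as deep as we go


def analyze_bytes(name, data, depth=0):
    """Static record for one file; a ZIP is expanded and each member analyzed in turn."""
    record = {
        "filename": name,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": len(data),
        "children": [],
    }
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue  # oversized members are skipped, not read
                try:
                    member = zf.read(info)
                except RuntimeError:  # raised for encrypted members without a password
                    record["children"].append({"filename": info.filename, "encrypted": True})
                    continue
                record["children"].append(analyze_bytes(info.filename, member, depth + 1))
    return record


def analyze_message(raw):
    """Parse a raw RFC 822 message; return body URLs, attachment names and attachment records."""
    msg = message_from_bytes(raw, policy=policy.default)
    urls, attachments = [], []
    for part in msg.walk():
        if part.is_attachment():
            name = part.get_filename() or "unnamed"
            attachments.append(analyze_bytes(name, part.get_payload(decode=True)))
        elif part.get_content_maintype() == "text":
            urls.extend(URL_RE.findall(part.get_content()))
    return {
        "subject": str(msg["subject"]),
        "from": str(msg["from"]),
        "urls": sorted(set(urls)),
        "attachment_filenames": [a["filename"] for a in attachments],
        "attachments": attachments,
    }


def build_sample_message():
    """Constructed phishing-style message (not a real sample): a ZIP holding a fake .exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.exe", b"MZ" + b"\x90" * 64)  # constructed bytes
    msg = EmailMessage()
    msg["Subject"] = "Invoice 4411"
    msg["From"] = "billing@example.test"
    msg["To"] = "victim@example.test"
    msg.set_content("Please review http://example.test/invoice\nand pay at https://example.test/pay?id=1 today.")
    msg.add_attachment(inner.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_message(build_sample_message()), indent=2))
```

The records produced here are what the email section of the overview above describes; in MalZoo the per-file record would additionally carry the YARA, PE and olevba results for each attachment and ZIP member.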
The screenshot below is a basic example of data visualisation in Splunk.
The screenshot below is a basic example of data visualisation in Kibana. More examples will be added soon.
Copyright (C) 2016 nheijmans