Malware analysis involves studying the functionality and potential impact of suspicious files or URLs. Understanding the behaviour and purpose of such files can help developers and security analysts mitigate any potential threat and improve the reliability
Malware analysis can be divided into two groups:
- Static analysis: involves examining malware samples without executing or running the underlying code. It can be used to detect malicious infrastructure, packed files, or libraries.
- Dynamic analysis: involves examining suspicious files by running them in a secure environment known as a sandbox. It allows analysts to watch the malware in action and extract more information about the threat.
Modern tools utilize both techniques (hybrid approach) to effectively detect malicious code and identify as many indicators of compromise as possible.
Below are some of the best malware analysis and reverse engineering tools available. Some are open source and the rest are commercial. These are the 15 tools that were most widely used in 2021.
15. YARA
Written in: C, C++, Python
YARA is an open-source tool that helps you identify and classify malware samples. It lets you write "descriptions" (rules) for malware families based on text or binary patterns. A rule combines hex strings with wildcards, regular expressions, case-insensitive text strings and special operators into a boolean condition, so a single rule can express "this file contains pattern A and either B or C".
Although you can use it to match patterns for many purposes, it is mainly used by security analysts and incident responders to detect and classify malware. It runs on macOS, Windows, and Linux.
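To make the rule semantics concrete, here is an added example (not part of the original article and not YARA's own code): a pure-Python matcher for a tiny subset of the rule language, covering text strings, the `nocase` modifier, hex strings with `??` wildcards and a boolean condition. The rule and the sample bytes are constructed for this example; for real work use yara or yara-python.

```python
"""Added example (not part of the original article or of YARA itself):
a pure-Python matcher for a tiny subset of YARA's rule language.  It is
written only to show how text strings, hex strings with ?? wildcards, the
nocase modifier and a boolean condition fit together.  Use the real yara
/ yara-python for anything beyond this demonstration."""
import re
from typing import Dict, List, Tuple

# Constructed rule: fires on an MZ/PE-like header plus a suspicious string.
RULE = r'''
rule Example_Dropper
{
    strings:
        $s1 = "cmd.exe /c" nocase
        $s2 = "http://"
        $h1 = { 4D 5A ?? ?? 50 45 00 00 }
    condition:
        $h1 and ($s1 or $s2)
}
'''

# Constructed sample: a fake DOS/PE stub, padding, then a command line.
SAMPLE = b"MZ\x90\x00PE\x00\x00" + b"\x00" * 16 + b"CMD.EXE /C whoami" + b"\x00" * 8


def parse_rule(text: str) -> Tuple[str, Dict[str, "re.Pattern[bytes]"], str]:
    """Return (rule name, {identifier: compiled bytes regex}, condition text)."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    strings_block = re.search(r"strings:(.*?)condition:", text, re.S).group(1)
    condition = re.search(r"condition:(.*?)\}", text, re.S).group(1).strip()

    patterns: Dict[str, "re.Pattern[bytes]"] = {}
    string_re = r'\$(\w+)\s*=\s*("[^"]*"|\{[^}]*\})([^\n]*)'
    for ident, body, mods in re.findall(string_re, strings_block):
        if body.startswith('"'):
            # Text string: literal bytes, optionally case-insensitive.
            pattern = re.escape(body[1:-1].encode())
            flags = re.I if "nocase" in mods else 0
        else:
            # Hex string: each byte becomes a literal, ?? becomes "any byte".
            parts = []
            for tok in body[1:-1].split():
                parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
            pattern, flags = b"".join(parts), 0
        patterns[ident] = re.compile(pattern, flags | re.S)
    return name, patterns, condition


def scan(rule_text: str, data: bytes) -> Tuple[bool, Dict[str, List[int]]]:
    """Evaluate the rule against data; return (matched?, offsets per string)."""
    _name, patterns, condition = parse_rule(rule_text)
    hits = {ident: [m.start() for m in pat.finditer(data)] for ident, pat in patterns.items()}

    # Only $identifiers, and/or/not and parentheses are accepted in the
    # condition; anything else is rejected rather than evaluated.
    tokens = re.findall(r"\$\w+|and|or|not|\(|\)", condition)
    if "".join(tokens) != re.sub(r"\s+", "", condition):
        raise ValueError("unsupported condition syntax: " + condition)
    expr = " ".join(str(bool(hits[t[1:]])) if t.startswith("$") else t for t in tokens)
    return bool(eval(expr, {"__builtins__": {}}, {})), hits


if __name__ == "__main__":
    matched, offsets = scan(RULE, SAMPLE)
    print("matched:", matched)
    for ident, offs in offsets.items():
        print(f"  ${ident}: {offs}")
```

The point to notice is that the hex string `4D 5A ?? ?? 50 45 00 00` matches the header regardless of the two bytes after `MZ`, and `nocase` lets `$s1` hit the upper-case `CMD.EXE /C` in the sample; the condition then decides whether the rule fires, not any single string.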
14. PE Studio
Written in: C++, C#
Price: $150 per year | Free version available
PeStudio is a static analysis tool for Windows executable (PE) files. It starts by displaying useful information about the file's properties.
This tool analyzes files without running them. It extracts hashes, size, entropy, and the compiler and debugger timestamps, and flags signatures and indicators (suspicious imports and strings, high-entropy sections, unusual entry points) that point at packing or tampering.
More specifically, it reveals the DOS and PE file headers, imported libraries, resources, strings, exports, symbols, bound imports, and debug information. Comparing this against what a legitimate build of the program should contain helps you decide whether the file has been altered or packed.
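The same static triage can be scripted. The following is an added example, not code from the original article or from PeStudio: it parses the DOS and PE headers with the standard library only, reads the compile timestamp, computes per-section entropy and raises the kind of indicators PeStudio shows (high-entropy or writable-and-executable sections, packer-style section names, an impossible timestamp). The PE image it analyzes is constructed in memory by `build_sample_pe()` and is not a real binary.

```python
"""Added example (not part of the original article or of PeStudio): a
minimal static PE triage in the standard library only.  It parses the DOS
and PE headers, reads the compile timestamp, computes per-section entropy
and flags the same kinds of indicators PeStudio surfaces (high-entropy or
writable+executable sections, packer-style section names, odd timestamps).
The sample PE is constructed in build_sample_pe() and is not a real binary."""
import hashlib
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def build_sample_pe() -> bytes:
    """Constructed PE32+ image: one plain code section, one UPX-style packed one."""
    text_data = b"\x90" * 480 + b"\xC3" * 32                     # low entropy
    rng = random.Random(7)
    packed_data = bytes(rng.randrange(256) for _ in range(1024))  # high entropy
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt = struct.pack("<H", 0x20B) + b"\x00" * 238                 # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1620000000, 0, 0, len(opt), 0x0022)
    sections = (
        struct.pack(SECTION_FMT, b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0,
                    0x60000020)    # code | execute | read
        + struct.pack(SECTION_FMT, b"UPX1", 1024, 0x2000, 1024, 1024, 0, 0, 0, 0,
                      0xE0000040)  # initialized data | execute | read | write
    )
    header = dos + b"PE\x00\x00" + coff + opt + sections
    return header.ljust(512, b"\x00") + text_data + packed_data


def parse_pe(data: bytes) -> dict:
    """Parse headers and return hashes, timestamp, sections and indicators."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    magic = struct.unpack_from("<H", data, coff_off + 20)[0] if opt_size >= 2 else 0
    compiled = datetime.fromtimestamp(timestamp, timezone.utc)

    indicators = []
    if timestamp == 0 or compiled > datetime.now(timezone.utc):
        indicators.append("compile timestamp is zero or in the future")

    sections = []
    table = coff_off + 20 + opt_size
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, table + 40 * i)
        name = fields[0].rstrip(b"\x00").decode("ascii", "replace")
        raw_size, raw_ptr, sec_chars = fields[3], fields[4], fields[9]
        ent = entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name, "raw_size": raw_size, "entropy": round(ent, 2),
                         "characteristics": sec_chars})
        if ent > 7.0:
            indicators.append(f"section {name} has high entropy ({ent:.2f}): possibly packed")
        if sec_chars & IMAGE_SCN_MEM_EXECUTE and sec_chars & IMAGE_SCN_MEM_WRITE:
            indicators.append(f"section {name} is writable and executable")
        if name.upper().startswith("UPX"):
            indicators.append(f"section {name} uses a packer-style name")

    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "machine": machine,
        "optional_magic": magic,
        "characteristics": characteristics,
        "compiled": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "sections": sections,
        "indicators": indicators,
    }


if __name__ == "__main__":
    report = parse_pe(build_sample_pe())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it against a real file only needs `parse_pe(open(path, "rb").read())`; the entropy threshold of 7.0 bits per byte is a common rule of thumb for compressed or encrypted sections, not a hard rule, so treat it as a prompt to look closer rather than a verdict.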
13. dnSpy
Written in: C#, VB.NET
dnSpy is a debugger and .NET assembly editor. It has a comprehensive user interface that packs a wide range of useful tools, including an assembly editor, a decompiler, and a debugger. Everything is well organized, so you can reverse engineer .NET assemblies and get results quickly. You can configure every aspect of the decompiler and debugger and modify individual modules. You can even write extensions or use the C# interactive window to script the debugger.
The best thing about this software is that it is portable: you don't need to install it; just unpack the archive and launch the executable to gain full access to its functions. It does not create additional files on your device, nor does it modify registry entries without your explicit permission.
12. Google Rapid Response
Written in: Python
Google Rapid Response Framework (GRR) is an open-source tool for enterprise forensic investigations. It is based on a client-server architecture: the GRR client is deployed on systems that need to be investigated and the GRR server provides web-based UI and an API, allowing analysts to schedule actions on clients and process collected data.
The tool is designed to run at scale so analysts can collect and process data from large numbers of machines. It facilitates non-intrusive automated analysis to maintain users' privacy. Overall, it strikes a balance between protecting access to user data and forensically sound analysis where that is warranted.
11. Cuckoo Sandbox
Written in: Python, Java, PHP
Cuckoo Sandbox is a tool for automating malware analysis. A typical deployment runs the main Cuckoo application on an Ubuntu host, with a Windows 7 guest VM nested inside VirtualBox. The guest has the Cuckoo agent installed, which feeds data back to the Ubuntu host. The sample is submitted to the VM, the agent records its activity (process, file, registry and network behaviour), and once the analysis is complete a detailed report is generated.
A Cuckoo Sandbox is a great tool to have within an organization when an incident involves malware. Pulling as much information as possible out of a sample is not always easy, but a sandbox report is a good starting point for building out your own malware analysis lab.
10. Cerbero Suite
Written in: Python
Price: Standard version costs $100 | Free trial available
Plus, you can perform Windows memory analysis on physical memory images, crash dumps, and hibernation files. Inspect all aspects of kernel and mini-dumps. Since Cerbero doesn’t rely on WinDBG, it works on every supported platform, including macOS and Linux.
9. Ghidra
Written in: C++, Java
Ghidra is a reverse engineering framework developed by the National Security Agency (NSA). It has an easy-to-use interface and features meant to make reversing as easy as possible. Ghidra runs on macOS, Linux, and Windows, and has all the essential features security researchers would expect. Unlike many other malware analysis tools, it is designed for collaborative work: multiple analysts can share one reversing project.
The tool provides context-sensitive help on menu items, dialogs and buttons, and an undo/redo mechanism that lets you test theories about the code you are analyzing. You can also use it as a debugger: it supports debugging user-mode Linux programs via GDB and Windows programs via WinDbg.
8. Fiddler
Written in: Java, .NET
Price: $10 per month per user | 30-day free trial available
Fiddler is a web debugging proxy that sits between your device and the internet and captures inbound and outbound HTTP(S) traffic. It lets you inspect requests and responses and modify them when required. Fiddler starts capturing sessions as soon as you load a web page in the browser, and it can inspect HTTP traffic from any software that honours a proxy setting. It also exposes an API, giving you the flexibility to capture exactly the resources you need.
A function called AutoResponder lets you mock external services, simulate network latency, and analyze the behaviour triggered by a response. It can be extremely useful when testing and debugging live URLs. You can create rules (based on URL, hostname, or file type) and specify actions to be performed: set a breakpoint, add a delay (to mimic network latency), or reset or close all connections at once.
7. HxD
Written in: Delphi
HxD is a hex editor, memory editor, and disk editor, localized into multiple languages. It can edit raw disks and modify the contents of RAM. More specifically, it can be used to change binary content, inspect malware samples, and repair file structures.
The tool can handle files of any size and display and edit the memory used by running processes. Its UI offers functions such as a file shredder, search and replace, export, checksums and digests, inserting byte patterns, splitting or concatenating files, statistics, and more.
And since the UI is tabbed, you can work on different files in the same window.
6. Radare2
Written in: C
Radare stands for RAw DAta REcovery. It has since been superseded by Radare2, a full rewrite with more advanced features. Using this open-source platform, you can analyze disk images and files to retrieve valuable artifacts. It can help you understand how malware works, recover lost files, and troubleshoot why programs crash.
5. Binary Ninja
Written in: C, C++, Python
Price: $300 (one-time fee) | Free demo available
Binary Ninja is a reverse-engineering tool that disassembles a binary and displays it in linear or graph views. It automatically carries out an in-depth analysis of a program and produces data that helps you examine the binary: function detection, value-set analysis, cross-references for data and code, type inference, and jump table resolution. Its built-in decompiler works across its supported architectures, including x86, ARMv7, ARMv8, PowerPC, and Thumb2.
Many components of Binary Ninja are open source, including the C++, Python, and Rust bindings. This allows you to automate everything, from the user interface to decompilation and patching. What's more, the platform has a free cloud version that allows you to collaborate with your team members and use the interactive graphs and decompiler.
4. JEB
Written in: Java
Price: Starts at $120 per month per user | Free demo available
JEB is a reverse engineering tool for Android apps and native machine code. It performs static and dynamic analysis of all kinds of Android apps. With JEB, you can decompile obfuscated APKs, analyze the Java code, and debug closed-source applications in minutes. It debugs both Dalvik and native code (Intel, ARM) seamlessly. Plus, there are options to reconstruct resources and obfuscated XML files.
The tool is packed with analysis modules that support code refactoring, virtual hierarchy, and code cleaning to organize heavily obfuscated code. As for customizability, you can write your own scripts (in Python or Java) to automate reverse engineering tasks. Power users can write full-featured analysis modules and headless front-ends.
3. Interactive Disassembler
Written in: C++
Price: $365 per year | Free version available
Interactive Disassembler (IDA) is a disassembler and debugger rather than an IDE. It generates assembly language source from machine-executable code, making complex binaries human-readable. The tool includes Fast Library Identification and Recognition Technology (FLIRT), which recognizes standard library functions for many compilers, so the disassembly is not cluttered with runtime code you did not write.
It also handles remote targets well: the built-in debugger connects to both local and remote processes. Perhaps the best thing about this tool is the breadth of processor architectures it supports, so you can follow the instructions a binary executes whichever CPU it was built for. This makes it easier to analyze suspicious programs that could be spyware or malware.
2. Burp Suite Professional
Written in: Ruby, Java, Python
Price: $1399 per Year | Free Trial Version Available
Burp Suite Professional is one of the most popular penetration testing tools available today and is also useful as an intercepting proxy for TLS (SSL) traffic during malware analysis: point the sandbox at Burp, install Burp's CA certificate in the guest, and the HTTPS traffic the malware sends becomes readable in the proxy history. Note that this only works for samples that honour the system proxy settings and accept the injected certificate; malware that uses raw sockets or pins its server certificate will not show up in Burp, and you fall back to packet capture.
1. Wireshark
Written in: C, C++
Wireshark is an open-source packet analyzer that allows you to see what’s happening on your network at a microscopic scale. It is used by many educational institutions, government agencies, and commercial and non-profit organizations.
The tool can inspect hundreds of protocols at multiple layers. It records live data and presents it in a way that's relatively easy to read and analyze. It can also capture packets from network simulation software like NetSim and OPNET Modeler. Plus, it can read data captured by other network analyzers, such as Microsoft Network Monitor and Sniffer.
The tool applies unique colors to the packets based on rules that match specific fields in packets. This helps you identify the types of traffic at a glance. You can edit pre-defined rules for coloring packets, add new rules, or delete existing ones.
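Coloring rules are filters evaluated in order, with the first match deciding a packet's color. The following is an added example, not part of the original article or of Wireshark's code: a standard-library Python reader for the classic pcap format that decodes Ethernet/IPv4/TCP headers and tags each packet with a simplified version of three default rules. The capture, the addresses in it and the rule predicates are all constructed for this example; Wireshark's real rules are display-filter expressions, not these lambdas.

```python
"""Added example (not part of the original article or of Wireshark): a
standard-library pcap reader that decodes Ethernet/IPv4/TCP headers and
tags each packet with a simplified version of Wireshark's default coloring
rules ("TCP SYN/FIN", "HTTP", "Bad TCP", plain "TCP").  The capture is
constructed in memory by build_sample_pcap(); nothing is read from the
network.  The rule predicates below are this example's simplifications,
not Wireshark's exact filter expressions."""
import socket
import struct
from typing import Callable, Dict, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10

# Ordered like Wireshark's coloring rules: the first matching rule wins.
COLOR_RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("Bad TCP (RST)", lambda p: bool(p["flags"] & TCP_RST)),
    ("TCP SYN/FIN", lambda p: bool(p["flags"] & (TCP_SYN | TCP_FIN))),
    ("HTTP", lambda p: 80 in (p["sport"], p["dport"])),
    ("TCP", lambda p: True),
]


def tcp_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes = b"") -> bytes:
    """Build an Ethernet/IPv4/TCP frame (checksums left at zero; fine for a file)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: a handshake to port 80, a GET, a reset, and unrelated TLS traffic."""
    frames = [
        tcp_frame("10.0.0.5", "93.184.216.34", 51000, 80, TCP_SYN),
        tcp_frame("93.184.216.34", "10.0.0.5", 80, 51000, TCP_SYN | TCP_ACK),
        tcp_frame("10.0.0.5", "93.184.216.34", 51000, 80, TCP_ACK, b"GET / HTTP/1.1\r\n\r\n"),
        tcp_frame("93.184.216.34", "10.0.0.5", 80, 51000, TCP_RST | TCP_ACK),
        tcp_frame("10.0.0.5", "10.0.0.9", 51001, 443, TCP_ACK, b"\x17\x03\x03"),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1620000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data: bytes) -> List[Dict]:
    """Decode every TCP-over-IPv4 packet and attach the first matching color rule."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")

    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
        proto = frame[14 + 9]
        src = socket.inet_ntoa(frame[14 + 12:14 + 16])
        dst = socket.inet_ntoa(frame[14 + 16:14 + 20])
        if proto != IPPROTO_TCP:
            continue
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        flags = frame[tcp_off + 13]
        pkt = {"ts": ts_sec, "src": src, "dst": dst, "sport": sport, "dport": dport,
               "flags": flags, "payload": frame[tcp_off + data_off:]}
        pkt["color"] = next(name for name, rule in COLOR_RULES if rule(pkt))
        packets.append(pkt)
    return packets


if __name__ == "__main__":
    for p in read_pcap(build_sample_pcap()):
        print(f"{p['color']:14} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} flags=0x{p['flags']:02x}")
```

Because the rules are evaluated in order, the RST rule is listed before the SYN/FIN rule so a reset is never mislabelled as a handshake packet, which is the same reason Wireshark lets you reorder its coloring rules; `read_pcap(open("capture.pcap", "rb").read())` works on a real file saved by Wireshark or tcpdump in the classic (non-pcapng) format.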