What is MalZoo?
MalZoo is a mass static malware analysis tool that collects the information in a Mongo database and moves the malware samples to a repository directory based on the first 4 chars of the MD5 hash. It was build as a internship project to analyze sample sets of 50 G.B.+ (e.g. from http://virusshare.com).
A few examples where it can be used for:
- Use the collected information to visualize the results (e.g. see most used compile languages, packers etc.)
- Gather intell of large open source malware repositories (original intend of the project)
- Monitor a mailbox, analyze the emails and attachments
For more information, check out the Wiki of this repository.
Information collected
See the wiki page Information collected which data is collected for which sample.
Installation
See the wiki page Installation to see how to install MalZoo. The best option is to use the auto installation script bootstrap.sh and once that is done running you only have to execute export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH
Configuration
After the installation you need to adjust the configuration file malzoo.conf in the config directory. If you are using the Splunk functionality, create a HTTP event collector token in your Splunk instance and copy the token to the configuration file (behind the Splunk part, so you replace the xxx-'es).
Usage
See this Wiki page on how to use Malzoo
Currently being developed
- AWS CloudFormation script to deploy Malzoo in AWS
- Make parts serverless for Cloud computing
- Create new modules for threat intelligence context
Credit
Special thanks goes to the Viper project (http://viper.li). I learned alot about how to automate malware analyse by this project. Also a big thanks to all the developers of the modules and software used and making it available for everyone to use.
License
This project is released under the GPL 2.0 License. See the LICENSE for details.