rakeshcorp / Anti-MalwareID

Detect Malware with Sandbox/VM evasion and Anti-debugging skills with some heur


---------------------
Anti-MalwareID
---------------------
This program detects unknown malware samples with heuristics based on API imports, acting as a virtual sandbox and
describing the probable behaviour of a malware executable. There is a limitation: it works only on unpacked, normal
malware files, because the API imports of a packed executable cannot be retrieved statically from its import table
unless the executable is unpacked first.

The heuristics are:

  1. Import APIs for prevalent malware
  2. Import APIs for Anti-Sandbox/Anti-VM tricks
  3. Import APIs for Anti-Debugging tricks

Signatures:
A sample signature file is included. It provides a JSON-based db where you can define signatures with
attributes such as syscall number, behaviour description, threat type and a probable score.

Score: the score is a weight attached to a particular API; max, min and avg scores are calculated over all API matches.

Limitation:
The APIs included in the signatures are the deciding factor, yet some of those APIs also appear in whitelisted files.
Detection should therefore not rest on a single API but on the combination or order of APIs that are generally
involved in malware; that is what makes detection efficient.
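The heuristic described above, written out as an added illustration (this is not the project's malwareid.py): a constructed sample signature db in the JSON layout the README describes, a pefile-based import extractor, a check for the packed-file limitation, and the min/max/avg scoring. The signature field names and the loader-stub list are assumptions.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample signature db in the json layout the README describes
# (api name -> syscall number, behaviour description, threat type, score).
# Syscall numbers differ between Windows builds, so they are placeholders here.
SAMPLE_SIGNATURES_JSON = """{
  "NtDelayExecution":   {"syscall": "PLACEHOLDER", "threat": "Anti-Sandbox",
                         "description": "Delay execution of program using Sleep", "score": 4},
  "IsDebuggerPresent":  {"syscall": "PLACEHOLDER", "threat": "Anti-Debugging",
                         "description": "Anti-Debugging technique- Check presence of debugger", "score": 4},
  "CreateRemoteThread": {"syscall": "PLACEHOLDER", "threat": "Injection",
                         "description": "Start a thread inside another process", "score": 7}
}"""

# Assumed set of imports a packer stub typically keeps to resolve the real ones at run time.
LOADER_STUBS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc",
                "VirtualProtect", "ExitProcess"}


def load_signatures(text: str) -> Dict[str, Dict[str, Any]]:
    return json.loads(text)


def extract_imports(pe_path: str) -> List[str]:
    """Named imports from a PE's import table. pefile is imported lazily so the
    scoring logic runs without it; ordinal-only imports have no name and are skipped."""
    import pefile
    pe = pefile.PE(pe_path)
    names: List[str] = []
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        names.extend(imp.name.decode() for imp in entry.imports if imp.name)
    return names


def looks_packed(imports: List[str]) -> bool:
    """Static import matching is blind to packed samples (the README's limitation):
    flag an import table that is empty or consists only of loader-stub imports."""
    return len(imports) == 0 or set(imports) <= LOADER_STUBS


def score_imports(imports: List[str], signatures: Dict[str, Dict[str, Any]]
                  ) -> Tuple[List[Tuple[str, Dict[str, Any]]], Dict[str, float]]:
    """Match (de-duplicated) imports against the signature db; return matches and min/max/avg."""
    matches = [(api, signatures[api]) for api in dict.fromkeys(imports) if api in signatures]
    scores = [sig["score"] for _, sig in matches]
    summary = {"count": len(matches),
               "min": min(scores) if scores else 0,
               "max": max(scores) if scores else 0,
               "avg": sum(scores) / len(scores) if scores else 0.0}
    return matches, summary
```

Feed `extract_imports(path)` into `score_imports` after `looks_packed` has returned False; a True result means the import table says nothing useful and the sample needs unpacking first.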

Setup:
Dependencies:
Python module: pefile
Python module: hashlib

Usage: python malwareid.py pe_file

Output:
python malwareid.py ThreatExpert.exe
[+] Loaded 3 signatures from signatures.json
[+] Filename: ThreatExpert.exe (MD5: 8ede75ae8410623bb3cdcf8d699b490c, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855)
[+] ThreatExpert.exe has 29 imports. Checking against 3 signatures.
[[+]] Found NtDelayExecution: "Delay execution of program using Sleep" (Score: 4)
[[+]] Found IsDebuggerPresent: "Anti-Debugging technique- Check presence of debugger" (Score: 4)

[+] Found 2 matches (MIN: 4, MAX: 4, AVG: 4.00)

About


License: Creative Commons Zero v1.0 Universal


Languages: Python 100.0%