Malware Analysis Zoo 2.0

Static malware analysis & sample storage system



Brief

Malware Analysis Zoo, abbreviated MAZ, was originally released in 2013 and written in Ruby with minimal functionality. After many years of using several popular open source malware analysis systems and looking at what makes each incredibly useful and also where they fall short, MAZ is the culmination of the lessons learned from the Ruby version and those other projects. Development began in early 2014 in an on-and-off fashion, until recently, when Malware Analysis Zoo 2.0 reached a point where it is ready for public deployment!

MAZ is written in Python and C to provide analysts with a one-stop app for malware sample analysis and storage, for both individual and bulk sample analysis. The core application can be used through either a set of command line utilities or the web application and REST API, with the web application offering role-based access control. The application can be run locally or built as a Docker container.

The system takes a modular approach, so it is easy to extend functionality with a bit of Python. Built-in features include support for dozens of common file formats, Yara and ClamAV scanning, AWS integration for S3 sample storage, and modules that interact with third-party services for both enrichment and ingestion of new samples from external sources. Users also have the option of selecting their database type: MongoDB alone, or MongoDB + Elasticsearch, optionally with Kibana. The latter combination provides data persistence within Mongo, very fast searching of larger data sets via Elasticsearch, and prebuilt Kibana dashboards and saved searches.

Some of the modules and features available in MAZ are listed below:

  • PE, ELF, Mach-O, SWF, JAR, PDF, Email, and PCAP file analysis
  • Upload and scan with Yara signatures
  • Scan against a local ClamAV instance
  • Microsoft Office file analysis
  • Beautify obfuscated JavaScript
  • Detect anti-debugging and anti-RE measures in PE files
  • Apply custom tags and classifications
  • Extract IOCs from multiple file types
  • Query external sources such as VirusTotal, Detux, URLQuery, PassiveTotal, Censys, Shodan, and more
  • Submit samples to Cuckoo sandbox
  • Search across all samples using extracted features from analysis
  • Upload, export, or analyze multiple samples simultaneously
  • Find similar samples by ssdeep, imphash, and text similarity
  • Schedule Yara rule syncing from a remote webserver
  • Submit email samples to MESC

Key Features

  • Static Malware Analysis
  • Sample Storage & Artifact Indexing
  • Usable via CLI, Web server, REST API
  • Supports Bulk Sample Analysis
  • Easily Expandable Modular System
  • Analysis Enrichment via 3rd Parties