Static malware analysis & sample storage system
Malware Analysis Zoo, abbreviated MAZ, was originally released in 2013, written in Ruby and offering minimal functionality. After many years of using several popular open source malware analysis systems, and studying what makes each of them incredibly useful and where each falls short, MAZ is the culmination of the lessons learned from the Ruby version and from those other projects. Development began in early 2014 and proceeded on and off until recently, when Malware Analysis Zoo 2.0 reached a point where it is ready for public deployment!
MAZ is written in Python and C to provide analysts with a one-stop application for the analysis and storage of malware samples, whether individually or in bulk. The core application can be used either through a set of command line utilities or through the web application and REST API, with the web application offering role-based access control. The application can be run locally or built as a Docker container.
The system takes a modular approach, so functionality is easy to extend with a bit of Python. Built-in features include support for dozens of common file formats, Yara and ClamAV scanning, AWS integration for S3 sample storage, and modules that interact with third-party services both for enrichment and for ingesting new samples from external sources. Users can also choose their database backend: MongoDB alone, or MongoDB + Elasticsearch, optionally with Kibana. The latter combination provides data persistence in Mongo, very fast searching of larger data sets via Elasticsearch, and prebuilt Kibana dashboards and saved searches.
Some of the modules and features available in MAZ are listed below: