Resources

Table of Contents

• Malware Detonation sandboxes
• Malware Samples
  • General Live Malware
  • Network Packet Samples
  • Lists of malicious URLs hosting malware
• Automated malware unpacking
• Malware Techniques examples
• Malware Analysis Platforms
• Reverse Engineering Disassemblers
• Emulators
• Other Tools

---

Malware Detonation sandboxes

The following are a few malware detonation sandboxes I have used and have been valuable:

Name	Link
Cuckoo Box	https://cuckoosandbox.org/
Hybrid Analysis	https://www.hybrid-analysis.com/
Intezer Analyze	https://analyze.intezer.com/
Joe Sandbox	https://www.joesandbox.com/
ANY.RUN	https://any.run/

Malware Samples

The following are some locations where you can grab samples of malware for analysis.

General Live Malware

Name	Link
The Zoo	https://github.com/ytisf/theZoo
InQuest	https://github.com/InQuest/malware-samples
VirusTotal	https://www.virustotal.com/gui/
CyberLab	https://cyberlab.pacific.edu/resources/malware-samples-for-students
MacOS Malware	https://objective-see.com/malware.html
MacOS Malware Encyclopedia	https://macos.checkpoint.com/
Das Malwerk	https://dasmalwerk.eu/
MalShare	https://malshare.com/
Malpedia	https://malpedia.caad.fkie.fraunhofer.de/
TotalHash	https://totalhash.cymru.com
MalwareBazaar	https://bazaar.abuse.ch/

Network Packet Samples

Name	Link
PacketTotal	https://packettotal.com/
Malware-Traffic-Analysis	https://www.malware-traffic-analysis.net/

Lists of malicious URLs hosting malware

Name	Link
URLHause	https://urlhaus.abuse.ch/browse/
Zeltser	https://zeltser.com/malicious-ip-blocklists/#

Automated malware unpacking

Name	Link
OpenAnalysis UNPACME	https://www.unpac.me/#/

Malware Techniques examples

A few GitHub repos that I found of which have examples of anti-analysis techniques (Anti-Debug, Anti-VM, Anti-Analysis, etc). These can be useful to compile and see what it looks like in the disassembler when you run into them. This also can help in seeing what types of techniques may be found in malware attempting to make reverse engineering more difficult for the analyst.

Name	Link
alichtman: malware-techniques	https://github.com/alichtman/malware-techniques
LordNoteworthy: al-khaser	https://github.com/LordNoteworthy/al-khaser
Ultimate Anti-Reversing Reference	The_Ultimate_Anti-Reversing_Reference.pdf

Malware Analysis Platforms

These are images, VM’s, or scripts to build out a VM that is suitable to reverse engineer or otherwise deal with analyzing malware. Granted, you can build your own (I did for a long time) but being able to automate the creation of an environment in minimal time has proven to be more valuable.

Name	Link
FlareVM	https://github.com/fireeye/flare-vm
REMnux	https://remnux.org/

Reverse Engineering Disassemblers

While there are tons of disassemblers and decompilers out there, the following list seems to the standard ones that come up in conversation over and over that you should be aware of.

Name	Link
Hex Rays IDA Pro	https://www.hex-rays.com/products/ida/
Ghidra	https://ghidra-sre.org/
Hopper	https://www.hopperapp.com/
Binary Ninja	https://binary.ninja/
Radare2	https://rada.re/n/
Cutter	https://cutter.re/

Emulators

There are several tools and frameworks that can help emulate the CPU and crawl a binary in an attempt to capture what the instructions are trying to do, what API calls it is making, etc. They can be hit and miss and often give you a partial view of what is happening. The information you can get, however, may be critical and substantial.

Name	Link
SpeakEasy	https://github.com/fireeye/speakeasy
Qiling Framework	https://qiling.io/ https://docs.qiling.io/en/latest/install/
x86Emulator	https://github.com/AmrThabet/x86Emulator

Other Tools

Additional tools that add or augment analysis.

Name	Link
BinDiff (for use by IDA Pro)	https://zynamics.com/software.html
BinDiff Quick Walkthrough	https://www.youtube.com/watch?v=BLBjcZe-C3I