An Open Source Script To Perform Malware Static Analysis On Portable Executable – Digitalmunition





Published on August 21st, 2019 | 4374 Views


An open source tool to perform malware static analysis on Portable Executable

Installation

$ git clone https://github.com/Th3Hurrican3/PEpper/
$ cd PEpper
$ pip3 install -r requirements.txt
$ python3 pepper.py ./malware_dir


Screenshot

CSV output

Features extracted

  • Suspicious entropy ratio
  • Suspicious name ratio
  • Suspicious code size
  • Suspicious debugging time-stamp
  • Number of exports
  • Number of anti-debugging calls
  • Number of virtual-machine detection calls
  • Number of suspicious API calls
  • Number of suspicious strings
  • Number of YARA rules matches
  • Number of URLs found
  • Number of IPs found
  • Cookie on the stack (GS) support
  • Control Flow Guard (CFG) support
  • Data Execution Prevention (DEP) support
  • Address Space Layout Randomization (ASLR) support
  • Structured Exception Handling (SEH) support
  • Thread Local Storage (TLS) support
  • Presence of manifest
  • Presence of version
  • Presence of digital certificate
  • Packer detection
  • VirusTotal database detection
  • Import hash
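To make the header-level items in the list above concrete (DEP, ASLR, CFG and SEH flags, the TLS, export and certificate directories, and per-section entropy), here is an added example that is not PEpper's code. It uses only the Python standard library, parses the PE headers directly, and runs against a PE32 image it constructs itself, so it works offline. The GS stack-cookie check is deliberately left out: it cannot be read from DllCharacteristics and needs the Load Configuration directory, which this example does not parse. The 7.0 bits-per-byte threshold and the sample section contents are assumptions for illustration.

```python
"""Header-level triage of a Portable Executable with the standard library only.

Added example, not PEpper's code: it extracts a subset of the features listed
above from a constructed PE32 image so it can run offline.
"""
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # ASLR opt-in
NX_COMPAT = 0x0100      # DEP compatible
NO_SEH = 0x0400         # set => image does NOT use structured exception handling
GUARD_CF = 0x4000       # Control Flow Guard instrumented
# Data-directory slots
DIR_EXPORT, DIR_SECURITY, DIR_TLS = 0, 4, 9
ENTROPY_SUSPICIOUS = 7.0  # assumed threshold: packed/encrypted sections usually exceed it

# Constructed sample section contents (not taken from any real binary)
TEXT_SAMPLE = bytes(range(16)) * 32     # 16 equiprobable values -> 4.0 bits/byte
PACKED_SAMPLE = bytes(range(256)) * 16  # uniform over all 256 values -> 8.0 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def analyze_pe(data: bytes) -> dict:
    """Walk DOS -> PE -> optional header -> section table and summarise mitigations."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: DataDirectory starts at +96
        n_dirs, dir_base = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == 0x20B:      # PE32+: 64-bit stack/heap fields push it to +112
        n_dirs, dir_base = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in both formats

    def directory(i):
        if i >= n_dirs:
            return 0, 0
        return struct.unpack_from("<II", data, dir_base + 8 * i)  # (rva, size)

    entropy = {}
    hdr = opt + size_opt  # section table follows the optional header
    for _ in range(num_sections):
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        entropy[name] = round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 3)
        hdr += 40
    return {
        "dep": bool(dll_chars & NX_COMPAT),
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "cfg": bool(dll_chars & GUARD_CF),
        "seh": not dll_chars & NO_SEH,
        "tls": directory(DIR_TLS)[0] != 0,
        "exports": directory(DIR_EXPORT)[0] != 0,
        "certificate": directory(DIR_SECURITY)[1] != 0,
        "section_entropy": entropy,
        "suspicious_sections": [n for n, e in entropy.items() if e >= ENTROPY_SUSPICIOUS],
    }


def build_sample_pe(dll_chars, tls_rva=0, cert_size=0,
                    text=TEXT_SAMPLE, packed=PACKED_SAMPLE) -> bytes:
    """Constructed PE32 image (headers plus raw sections, not executable code)."""
    sections = [(n, d) for n, d in ((b".text", text), (b".packed", packed)) if d]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, len(text), 0, 0, 0x1000, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x10000, 0x200, 0, 2, dll_chars,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_TLS] = (tls_rva, 0x18 if tls_rva else 0)
    dirs[DIR_SECURITY] = (0x1000 if cert_size else 0, cert_size)  # file offset, not RVA
    dir_blob = b"".join(struct.pack("<II", r, s) for r, s in dirs)
    hdrs, body, raw_ptr = b"", b"", 0x200
    for i, (name, d) in enumerate(sections):
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(d), 0x1000 * (i + 1),
                            len(d), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += d
        raw_ptr += len(d)
    image = dos + b"PE\0\0" + coff + opt + dir_blob + hdrs
    return image.ljust(0x200, b"\0") + body


if __name__ == "__main__":
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE | GUARD_CF, tls_rva=0x3000, cert_size=0x400)
    for key, value in analyze_pe(hardened).items():
        print(f"{key:>20}: {value}")
```

Point `analyze_pe` at the bytes of a real file to triage it; a section that scores near 8.0 bits/byte is the same signal the "suspicious entropy ratio" feature is built on, and a clear DYNAMIC_BASE or NX_COMPAT bit tells you the image opted out of ASLR or DEP before any dynamic analysis starts.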

Notes

  • Can be run on a single PE or on multiple PEs (placed inside a directory)
  • Output will be saved (in the same directory as pepper.py) as output.csv
  • To use the VirusTotal scan, add your private key in the module called "virustotal.py" (Internet connection required)

Credits
Many thanks to those who indirectly helped me in this work, especially:

  • The LIEF project and its awesome library
  • PEstudio, a really amazing software to analyze PE
  • PEframe from guelfoweb, an incredibly widespread tool to perform static analysis on Portable Executable malware and malicious MS Office documents
  • Yara-Rules project, which provides compiled signatures, classified and kept as up to date as possible
Download PEpper
