Free Toolkits for Automating Malware Analysis

Free toolkits for automating malware analysis include Truman framework for behavioral analysis, Minibis from CERT.at, Cuckoo sandbox, Zero Wine (Windows malware in WINE on Linux), Buster Sandbox Analyzer (Sandboxie wrapper), and Malheur for analyzing behavioral sandbox output volumes.

Automating some aspects of malware analysis is critical for organizations that process large numbers of malicious programs. Such automation allows analysts to focus on the tasks that require human insights. There are several free toolkits you can use as the starting point for building your own automated malware analysis lab. The focus of this post is on the tools you can install locally; I wrote about free web-based behavioral analysis services earlier.

Two feature-rich and highly customizable options are outlined below:

Jim Clausing documented his approach to building an automated behavioral malware analysis environment (PDF), building upon the Truman framework. Jim also provided several scripts to make it easier to make use of this methodology.
Christian Wojner documented his approach to building a customized malware analysis system, describing the methodology employed at CERT.at. You can download the associated toolkit called Minibis.

There are several other toolkits you may find useful for automating aspects of behavioral malware analysis:

Cuckoo by Claudio Guarnieri is an open-source toolkit you can install locally for analyzing malicious files.
Zero Wine by Joxean Koret is a full-featured tool for dynamically analyzing the behavior of Windows malware by running it within the WINE emulator on Linux.
Buster Sandbox Analyzer by Buster is a wrapper around the Sandboxie tool for Windows, which helps you examine the key actions of applications executed by Sandboxie in your lab.
Malheur by Konrad Rieck is a very promising tool for analyzing the volumes of data collected by behavioral sandboxes.
REMnux by yours truly is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software.

If you’re interested in building your own malware analysis toolkit manual behavioral review, take a look at the article I wrote earlier. You may also be interested in reading about the limitations of automated malware analysis.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →