Malwasm is a Cuckoo Sandbox based open source tool that is designed to help malware reverse engineering tasks.
How Malwasm Works:
- The malware to analyse is executed through Cuckoo Sandbox.
- During the execution, Malwasm logs all activities of the malware with pintool.
- All activities are stored in a database (Postgres).
- A web service is available to visualise and manage the data stored in the database.
Features:
- Offline programs debugging
- Possibility to go back or forward in the execution’s time (with a time slide bar)
- States of registers and flags
- Values of the stack/heap/data
- “Following dump” options
- Fully works in the browser
Folders:
- conf/malwasm.conf – is the configuration file for malwasm
- core/ – contains malwasm python lib
- cuckoo/ – contains the cuckoo package that needs to be copied in your cuckoo install folder
- doc/ – contains some doc
- pin/ – contains the malwpin dll source code and makefile
- utils/ – contains scripts to run analysis and data insertion
- create_db.py – script to force the creation of the database (usefull to reset the db)
- file2db.py – script to insert sample data into the db
- db2file.py – script to extract sample data from the db
- submit.py – all in one script, to submit sample to cuckoo and insert data into malwasm db
- web/ – contains the webservice python script
- malwasm_web.py – the webservice listening on http://127.0.0.1:5000
Installation
Dependencies
- python2.7
- python-psycopg2
- python-argparse
- python-flask
- python-progressbar
- cuckoo
- postgresql
- pintool
To install python dependencies:
sudo apt-get install python-psycopg2 python-flask python-progressbar python-argparse
or
pip install psycopg2 flask progressbar argparse
Pintool cannot be put directly inside malwasm due to licence issue. You have to download it by yourself.
Once downloaded you have to extract all the .dll and .exe files of the subfolder
- /pin-2.12-53271-msvc10-windows/ia32/bin/ to the folder:
- malwasm/cuckoo/analyzer/windows/bin
Cuckoo part
- You need to have cuckoo correctly set up
- You have to copy files from malwasm/cuckoo/analyzer/windows/ into your cuckoo installation in the subfolder cuckoo/analyzer/windows/
- Your cuckoo VM needs to have a share folder with write permission on it
- Update cuckoo section of conf/malwasm.conf to match your configuration
- Run cuckoo.py
Database
- Run your postgresql database
- The current config in conf/malwasm.conf works with an out of box config of postgresql
- WARNING: if you want to use the create_db scripts, you have to use the default postgres account otherwise you can use the schema available in conf/schema.sql
Run analysis
- You can directly run a sample analysis with utils/submit.py
# standard analysis of the a binary utils/submit.py malware/r.exe # only start record instruction when it pass on adr-start and stop on adr-stop utils/submit.py --options adr-start=0x401290,adr-stop=0x401384 malware/r.exe
- If data insertion into malwasm db failed you can re run the insertion with
utils/file2db -d /tmp/data/13508268572/ # where /tmp/data is the share folder utils/file2db -d /tmp/data/13508268572/ --pin-param foo # where /tmp/data is the share folder
If you want to clean the database you can use
- utils/create_db.py –force
Note: data insertion can take some serious time, so just be patient!
Webservice
- To see the report you have to run the webservice
web/malwasm_web.py
- Go to http://127.0.0.1:5000 and select your sample
