Malware Analysis Frameworks | By Prasanna B Mundas

Malware Analysis Frameworks

As I have mentioned in an earlier post, several frameworks are needed to analyze malware behavior effectively. Plenty of frameworks are available on the web, and we can choose among them based on categories and requirements such as those below:

Kind of Malware: There are multiple types of malware, for example browser-based malware that infects the system through the browser, operating-system-based malware (Windows, Linux, etc.) and malware-infected software.

The functionality of Malware: What the malware was built to do, how it executes and what its goals are. For example, if the malware is intended to collect information and send it to the CNC, we need to see which services, APIs, DLLs, drivers and connections it uses. To observe these things, the framework should be capable of monitoring all the relevant behavior.

Ease of installation and Use: The framework should be easy to install, with few dependencies or with automated dependency installation, so that the user does not have to download everything by hand before installing it. It should have a good user interface and deliver useful results in few clicks.

Opensource: It is very useful for a malware researcher if the framework is open source and can be customized to their needs; it also helps other researchers in their own work.

Add-On: The framework is more powerful if it supports hundreds of add-ons that can be integrated and used for various types of malware analysis. These add-ons take the research or analysis further by surfacing important artifacts.

Support (Usage & System): It is hard to install a framework successfully the first time, so it should have a forum or community that can help with issues. It should also support various software vendors (such as virtualization products) and be installable on various operating systems and hardware configurations.

These are the basic needs a framework must meet to be called a good one, and the list may grow with hands-on experience and usage. Now we can look at what each framework offers and what it is capable of.


Cuckoo Sandbox is the most famous one and the one many researchers refer to. It was originally developed by Claudio Guarnieri for the Google Summer of Code, and the project became so popular that it is now a mainstay of the Honeynet Project, a leading international research institution with a special focus on malware. It can:

  • Analyze many different malicious files (executables, office documents, pdf files, emails, etc) as well as malicious websites under Windows, Linux, Mac OS X, and Android virtualized environments.
  • Trace API calls and general behavior of the file and distill this into high-level information and signatures comprehensible by anyone.
  • Dump and analyze network traffic, even when encrypted with SSL/TLS. With native network routing support to drop all traffic or route it through InetSIM, a network interface, or a VPN.
  • Perform advanced memory analysis of the infected virtualized system through Volatility as well as on a process memory granularity using YARA.

The currently available default processing modules are:

AnalysisInfo (modules/processing/) – generates some basic information on the current analysis, such as timestamps, the version of Cuckoo and so on.

BehaviorAnalysis (modules/processing/) – parses the raw behavioral logs and performs some initial transformations and interpretations, including the complete process tracing, a behavioral summary and a process tree.

Debug (modules/processing/) – includes errors and the analysis.log generated by the analyzer.

Dropped (modules/processing/) – includes information on the files dropped by the malware and dumped by Cuckoo.

NetworkAnalysis (modules/processing/) – parses the PCAP file and extracts some network information, such as DNS traffic, domains, IPs, HTTP requests, IRC and SMTP traffic.

StaticAnalysis (modules/processing/) – performs some static analysis of PE32 files.

Strings (modules/processing/) – extracts strings from the analyzed binary.

TargetInfo (modules/processing/) – includes information on the analyzed file, such as hashes.

VirusTotal (modules/processing/) – looks up antivirus signatures of the analyzed file.
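The modules listed above each contribute one section to the analysis results, and a first triage pass usually means pulling the interesting fields from several sections into one view. The following is an added example, not code from the Cuckoo project or from the original post: the report key names (`info`, `target`, `dropped`, `network`, `virustotal`, `debug`, and their sub-fields) are assumptions modelled on Cuckoo's JSON report and may differ between versions, and the sample report is constructed.

```python
import json

# Constructed sample mimicking a small slice of a Cuckoo JSON report.
# Key names are assumptions modelled on the processing modules listed above.
SAMPLE_REPORT = json.loads("""
{
  "info": {"id": 7, "version": "2.0.x", "started": "2019-03-01 10:00:00"},
  "target": {"file": {"name": "invoice.exe", "sha256": "<sha256-placeholder>"}},
  "dropped": [
    {"name": "a.tmp", "sha256": "<sha256-a>"},
    {"name": "svc.dll", "sha256": "<sha256-b>"}
  ],
  "network": {
    "dns": [{"request": "updates.example.test"}, {"request": "cdn.example.test"},
            {"request": "updates.example.test"}],
    "http": [{"host": "updates.example.test", "uri": "http://updates.example.test/gate.php"}],
    "hosts": ["192.0.2.10"]
  },
  "virustotal": {"positives": 41, "total": 68},
  "debug": {"errors": []}
}
""")


def triage(report):
    """Collapse per-module results into one summary an analyst can scan."""
    net = report.get("network") or {}
    vt = report.get("virustotal") or {}
    target = (report.get("target") or {}).get("file") or {}
    # De-duplicate DNS requests while keeping first-seen order
    domains = list(dict.fromkeys(
        d["request"] for d in net.get("dns", []) if d.get("request")))
    return {
        "sample": target.get("name"),
        "sha256": target.get("sha256"),
        "dropped": [f.get("name") for f in report.get("dropped", [])],
        "domains": domains,
        "http_uris": [h.get("uri") for h in net.get("http", [])],
        "hosts": list(net.get("hosts", [])),
        "av_ratio": (vt.get("positives"), vt.get("total")) if vt else None,
        # Analyzer errors often explain an empty behavior section; surface them
        "analysis_errors": len((report.get("debug") or {}).get("errors", [])),
        # Sections that never ran (module disabled or failed) are worth knowing
        "missing_modules": [k for k in ("behavior", "static", "strings")
                            if k not in report],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The `missing_modules` field matters in practice: a report without a behavior section should be read as "not observed", not as "nothing happened".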

For download, installation and usage, please refer to the link mentioned here.


REMnux is a free Linux toolkit for assisting malware analysts with reverse-engineering malicious software. It strives to make it easier for forensic investigators and incident responders to start using the variety of freely-available tools that can examine malware, yet might be difficult to locate or set up.

The heart of the project is the REMnux Linux distribution based on Ubuntu. This lightweight distro incorporates many tools for analyzing Windows and Linux malware, examining browser-based threats such as obfuscated JavaScript, exploring suspicious document files and taking apart other malicious artifacts. Investigators can also use the distro to intercept suspicious network traffic in an isolated lab when performing behavioral malware analysis.

The REMnux distribution includes many free tools useful for examining malicious software. These utilities are set up and tested to make it easier for you to perform malware analysis tasks without needing to figure out how to install them. The tools installed on REMnux can help you with the following (details can be found here):

  • Examine browser malware
  • Analyze malicious document files
  • Extract and decode suspicious artifacts
  • Handle laboratory network interactions
  • Review multiple malware samples
  • Examine properties and contents of suspicious files
  • Investigate Linux and Windows malware
  • Perform memory forensics

One aspect of the REMnux project involves providing Docker images of popular malware analysis tools, with the goal of allowing investigators to conveniently utilize difficult-to-install applications without having to install the REMnux distro. Such images could be compared to lightweight virtual machines; though they don’t offer the same level of isolation as real VMs, they provide a container within which the application can be encapsulated along with its dependencies. It is available here for download.


One more interesting product is GRR (Google Rapid Response). It is not intended only for analysing malware; it does more than that.

GRR Rapid Response is an incident response framework focused on remote live forensics.

The goal of GRR is to support forensics and investigations in a fast, scalable manner to allow analysts to quickly triage attacks and perform analysis remotely.

GRR consists of 2 parts: client and server.

The GRR client is deployed on systems that one might want to investigate. On every such system, once deployed, the GRR client periodically polls the GRR frontend servers for work. “Work” means running a specific action: downloading a file, listing a directory, etc.

The GRR server infrastructure consists of several components (frontends, workers, UI servers) and provides a web-based graphical user interface and an API endpoint that allow analysts to schedule actions on clients and to view and process the collected data.

Client Features

  • Cross-platform support for Linux, OS X and Windows clients.
  • Live remote memory analysis using open source memory drivers for Linux, OS X and Windows via the Rekall memory analysis framework.
  • Powerful search and download capabilities for files and the Windows registry.
  • Secure communication infrastructure designed for Internet deployment.
  • Client automatic update support.
  • Detailed monitoring of client CPU, memory, IO usage and self-imposed limits.

Server Features

  • Fully fledged response capabilities handling most incident response and forensics tasks.
  • OS-level and raw file system access, using the SleuthKit (TSK).
  • Enterprise hunting (searching across a fleet of machines) support.
  • Fully scalable back-end to handle very large deployments.
  • Automated scheduling for recurring tasks.
  • Fast and simple collection of hundreds of digital forensic artifacts.
  • Asynchronous design allows future task scheduling for clients, designed to work with a large fleet of laptops.
  • AngularJS Web UI and RESTful JSON API.
  • Fully scriptable IPython console access.
  • Basic system timelining features.
  • Basic reporting infrastructure.

You can download GRR here:

Run the Docker image, info here:

Please let me know if you feel any other frameworks are effective in analyzing the malware and share your feedback.

Thank you!


Originally published here:

March 14, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013