malware-check
Static and dynamic analysis tool for detecting malicious code, suspicious binaries, and privacy violations. Analyzes source code, compiled executables (.exe, .dll, .elf), macOS bundles (.app, .dmg, .pkg), mobile apps (.apk, .ipa), and application packages with YARA rules, Docker behavioral sandboxing, MobSF mobile analysis, payload deobfuscation, and multi-format reporting (JSON, HTML, SARIF).
Features
- Source Code Scanner – Detects reverse shells, backdoors, web shells, obfuscated payloads, crypto miners, ransomware patterns, keyloggers, credential theft, supply chain attacks, and persistence mechanisms across 15+ languages
- Binary Analyzer – PE (Windows), Mach-O (macOS), and ELF (Linux) analysis with entropy detection, import table inspection, string extraction, code signing verification, and RWX section detection
- YARA Engine – Signature-based scanning with bundled rules for malware families, packers, and suspicious patterns. Supports custom rule directories
- Privacy Analyzer – Detects tracking SDKs, PII field handling, invasive permissions (Android/iOS manifests), device fingerprinting, clipboard monitoring, and unauthorized data transmission
- Docker Sandbox – Runs suspicious binaries in an isolated Docker container with:
  - syscall tracing via strace (network, file, process calls)
  - network monitoring via tcpdump (DNS queries, HTTP requests, C2 connections)
  - filesystem monitoring (file creation, modification, deletion)
  - process monitoring (child process spawning, injection attempts)
  - full isolation: no network (default), memory limits, dropped capabilities, read-only rootfs
  - behavioral findings: C2 port detection, mass file modification (ransomware), sensitive file access, anti-debugging
- Reporting – Multi-format output:
  - Console – Rich terminal output with severity-colored tables and detailed findings
  - JSON – Machine-readable findings for automation pipelines
  - HTML – Professional dark-themed dashboard with severity bars, finding details, and evidence
  - SARIF 2.1.0 – Direct integration with GitHub Code Scanning, Azure DevOps, and GitLab SAST
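The following is an added example, not code from the malware-check project, showing how two of the features above fit together: pattern-based source scanning (single-line indicators plus a co-occurrence rule, so that a bare `socket` call in a port checker is not flagged while socket + subprocess + fd redirection in one file is) and export of the findings as SARIF 2.1.0 for GitHub Code Scanning. The rule ids, severities, the `Finding` shape, the `to_sarif` function and the sample source fragments are all assumptions constructed for this illustration.

```python
"""Pattern-based source scanner plus SARIF 2.1.0 export.
Added example for this README; not malware-check's own code. Rule set,
Finding shape and the fixtures below are assumptions/constructed.
"""
import json
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule_id: str
    severity: str          # critical | high | medium | low
    line: int
    evidence: str


# Single-line indicators. Each is a weak signal on its own, so most carry a
# moderate severity; the co-occurrence rules below escalate combinations.
LINE_RULES = [
    ("obfuscation-b64-eval", "high",
     re.compile(r"\b(?:eval|exec)\s*\(\s*(?:base64\.)?b64decode\s*\(")),
    ("obfuscation-hex-blob", "medium", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")),
    ("reverse-shell-devtcp", "high", re.compile(r"/dev/tcp/")),
    ("persistence-scheduler", "medium",
     re.compile(r"\bcrontab\s+-|\bschtasks\s+/create|CurrentVersion\\+Run", re.I)),
]

# Co-occurrence rules: every pattern must match somewhere in the same file.
# A raw socket alone is normal; socket + subprocess + fd redirection is not.
COOCCURRENCE_RULES = [
    ("reverse-shell-socket-subprocess", "critical", [
        re.compile(r"\bsocket\.socket\("),
        re.compile(r"\bsubprocess\.(?:Popen|call|run)\("),
        re.compile(r"\bdup2\(|shell\s*=\s*True"),
    ]),
]


def scan_source(text):
    """Return findings for one source file (first match per pattern)."""
    lines = text.splitlines()
    findings = []
    for n, line in enumerate(lines, 1):
        for rule_id, sev, rx in LINE_RULES:
            if rx.search(line):
                findings.append(Finding(rule_id, sev, n, line.strip()))
    for rule_id, sev, parts in COOCCURRENCE_RULES:
        hits = []
        for rx in parts:
            hit = next(((n, l.strip()) for n, l in enumerate(lines, 1) if rx.search(l)), None)
            if hit is None:
                break          # one indicator missing: the rule does not fire
            hits.append(hit)
        else:
            findings.append(Finding(rule_id, sev, hits[0][0], "; ".join(l for _, l in hits)))
    return findings


# SARIF only knows error/warning/note, so scanner severities are mapped onto them.
_LEVEL = {"critical": "error", "high": "error", "medium": "warning", "low": "note"}


def to_sarif(results_by_path, tool_name="malware-check", tool_version="0.0.0"):
    """results_by_path: {relative_path: [Finding, ...]} -> SARIF 2.1.0 dict."""
    rules, results = {}, []
    for path, findings in results_by_path.items():
        for f in findings:
            level = _LEVEL.get(f.severity, "warning")
            rules.setdefault(f.rule_id, {"id": f.rule_id,
                                         "shortDescription": {"text": f.rule_id},
                                         "defaultConfiguration": {"level": level}})
            results.append({
                "ruleId": f.rule_id, "level": level,
                "message": {"text": f"{f.rule_id} ({f.severity}): {f.evidence}"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": path, "uriBaseId": "%SRCROOT%"},
                    "region": {"startLine": f.line}}}],
            })
    return {"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
            "version": "2.1.0",
            "runs": [{"tool": {"driver": {"name": tool_name, "version": tool_version,
                                          "rules": list(rules.values())}},
                      "results": results}]}


# Constructed fixtures (fragments, not complete programs).
BENIGN_PORT_CHECK = """import socket
s = socket.socket()
s.settimeout(1)
print(s.connect_ex(("localhost", 80)))
"""

SUSPICIOUS_FRAGMENT = """import os, socket, subprocess
s = socket.socket()
os.dup2(s.fileno(), 0)
subprocess.call(["/bin/sh", "-i"])
"""

OBFUSCATED_FRAGMENT = """import base64
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))  # decodes to print('hi')
"""

if __name__ == "__main__":
    report = to_sarif({"check.py": scan_source(BENIGN_PORT_CHECK),
                       "a.py": scan_source(SUSPICIOUS_FRAGMENT),
                       "b.py": scan_source(OBFUSCATED_FRAGMENT)})
    print(json.dumps(report, indent=2))
```

GitHub Code Scanning expects `artifactLocation.uri` to be a path relative to the repository root, which is why the example emits relative paths with the `%SRCROOT%` base id; absolute paths from a scanner run inside a container will not be linked to source lines in the UI.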
Coverage
| Category | Detection Examples |
|---|---|
| Reverse Shells | Python socket+subprocess, bash /dev/tcp, netcat, PowerShell TCPClient, socat |
| Backdoors | Web shells (PHP/JSP/ASP.NET), command injection (Python/JS/Java/Ruby/Go/C), bind shells, hidden routes, remote code loading, user creation, SSTI, unsafe deserialization |
| Obfuscation | Base64+eval chains, char code construction, hex payloads, dynamic imports |
| Crypto Miners | Stratum pool connections, mining APIs, wallet addresses (BTC/ETH/XMR) |
| Ransomware | File encryption walks, ransom messages, encrypt+rename patterns |
| Credential Theft | Hardcoded secrets, clipboard theft, environment harvesting, browser credential files |
| Supply Chain | Suspicious npm/pip install hooks, dependency confusion, custom registries |
| Persistence | Cron/schtasks creation, registry Run keys, LaunchAgent/Daemon, SUID manipulation |
| Privilege Escalation | SUID bit manipulation, setuid(0), chown root |
| Anti-Analysis | Debugger detection, VM detection, TLS callbacks, ptrace usage |
| Keyloggers | GetAsyncKeyState, SetWindowsHookEx, pynput, CGEventTapCreate |
| Privacy | Tracking SDKs (40+), PII fields (SSN, credit cards, biometrics, health), invasive permissions, device fingerprinting |
| Binary Indicators | Packed binaries (UPX, high entropy), RWX sections, suspicious imports, unsigned/tampered code |