Malware Muncher is a Python proof-of-concept script that utilizes the Frida framework to enable binary instrumentation and API hooking. It is designed to intercept commonly-used API calls by malware, allowing users to analyze their behavior and identify potential threats. Furthermore, the script can leverage GPT to enhance the analysis output, providing more detailed and accurate insights into the malware's activities and identifying potential Mitre ATT&CK techniques. This tool was demonstrated at the Malware & Reverse Engineering conference in Melbourne.
Note: It's important to keep in mind that Malware Muncher is a proof-of-concept tool and may contain bugs or limitations. Additionaly this script is intended for use in a controlled environment such as a virtual machine. Use at your own risk.
To ensure proper execution of the script, it is necessary to have the "jsscripts" folder accessible. This folder contains the necessary Frida scripts that are used during the binary instrumentation and API hooking process.
git clone https://github.com/fr0gger/MalwareMuncher.git
pip install -r requirement.txt
python .\malwaremuncher.py -h
usage: malwaremuncher.py [-h] [-f FILE] [-d] [-g] [-m] [-r] [-i] [-c] [-w] [-a] [-o]
MalwareMuncher version 1.0 by Thomas Roccia
optional arguments:
-h, --help show this help message and exit
-f FILE, --file FILE File to process
-d, --dump Dump file from the memory
-g, --getproc Deobfuscate API calls
-m, --mutex Extract mutex
-r, --registry Shows registry modification
-i, --internet Shows remote connection
-c, --fileactivity Shows file creation and more
-w, --wscript Hook wscript.exe for js script
-a, --allscripts Run all hooking functions
-o, --openai Request GPT for enrichment
python .\malwaremuncher.py --dump --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
[+] VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
03050000 4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81 MZ.....[..REU...
03050010 c3 50 81 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00 .P.....h...Vh...
03050020 00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00 .W..............
03050030 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
03050040 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 ........!..L.!Th
03050050 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
03050060 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 t be run in DOS
03050070 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 mode....$.......
03050080 af c6 3b f4 eb a7 55 a7 eb a7 55 a7 eb a7 55 a7 ..;...U...U...U.
03050090 56 e8 c3 a7 ea a7 55 a7 f5 f5 d1 a7 c3 a7 55 a7 V.....U.......U.
030500a0 f5 f5 c0 a7 ff a7 55 a7 f5 f5 d6 a7 69 a7 55 a7 ......U.....i.U.
030500b0 cc 61 2e a7 e0 a7 55 a7 eb a7 54 a7 31 a7 55 a7 .a....U...T.1.U.
030500c0 f5 f5 dc a7 27 a7 55 a7 f5 f5 c7 a7 ea a7 55 a7 ....'.U.......U.
030500d0 f5 f5 c4 a7 ea a7 55 a7 52 69 63 68 eb a7 55 a7 ......U.Rich..U.
030500e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
030500f0 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 ........PE..L...
[+] MZ header at address: 0x3050000
[+] Dumped executable: 0x3050000dumped.exe
{'type': 'send', 'payload': {'api_call': 'VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20', 'mz_header': 'MZ', 'dumped_exe': '0x3050000dumped.exe'}}
###########################################################################
python .\malwaremuncher.py --registry --file demo.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'RegCreateKey', 'regkey': 'HKEY_CURRENT_USER\\Software\\MRE', 'handle': 720}}
###########################################################################
python .\malwaremuncher.py --wscript --file demo.vbs
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
{'type': 'send', 'payload': {'name': 'instr', 'hookdata': {'hook': 'shell', 'nshow': 'SW_HIDE', 'cmd': 'C:\\Users\\rever\\AppData\\Local\\Temp\\rad045FA.tmp\\REIIVDoCWfI.exe', 'params': None}}}
###########################################################################
python .\malwaremuncher.py --mutex --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'CreateMutex', 'mutex': 'Local\\SM0:7292:168:WilStaging_02'}}