Features:
Analyzes the PE file's header and sections (number of sections, entropy of each section and of the whole file, suspicious section names, suspicious flags in the file's characteristics, etc.).
Searches the file's strings for possible domains, e-mail addresses and IP addresses.
Checks whether domains are blacklisted using abuse.ch's Ransomware Domain Blocklist and malwaredomains.com's blocklist.
Looks for Windows functions commonly used by malware.
Gets results from VirusTotal and/or uploads files.
Detects malware using YARA rules.
Detects well-known software packers.
Detects the presence of cryptographic algorithms.
Detects anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
Checks whether documents have been crafted to carry malicious code.
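As an added example, not SSMA's own code: the kind of section check the PE header feature describes, parsing raw IMAGE_SECTION_HEADER entries, computing the Shannon entropy of each section's raw data and flagging high-entropy, writable-and-executable, or packer-named sections. The packer name list, the 7.0-bit threshold and the two-section sample image are constructed for illustration and are assumptions, not SSMA's values.

```python
import math
import struct
from collections import Counter

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
# Section names commonly left behind by packers (illustrative list, not SSMA's).
PACKER_NAMES = {"UPX0", "UPX1", ".aspack", ".petite", ".nsp0"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def parse_sections(table: bytes, image: bytes):
    """Parse raw section headers; return (name, entropy of raw data, characteristics) per section."""
    sections = []
    for off in range(0, len(table) - len(table) % SECTION_HEADER.size, SECTION_HEADER.size):
        f = SECTION_HEADER.unpack_from(table, off)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        raw = image[f[4]:f[4] + f[3]]          # PointerToRawData .. + SizeOfRawData
        sections.append((name, shannon_entropy(raw), f[9]))
    return sections

def suspicious_sections(sections, entropy_threshold=7.0):
    """Flag packed-looking, writable+executable, or packer-named sections with reasons."""
    findings = []
    for name, entropy, flags in sections:
        reasons = []
        if entropy > entropy_threshold:
            reasons.append("high entropy %.2f" % entropy)
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable")
        if name in PACKER_NAMES:
            reasons.append("packer section name")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed two-section image (not a real PE): a plain .text plus a UPX1-style section."""
    text = b"A" * 0x400                      # constant bytes -> entropy 0.0
    packed = bytes(range(256)) * 4           # every byte value equally frequent -> entropy 8.0
    table = SECTION_HEADER.pack(b".text", 0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    table += SECTION_HEADER.pack(b"UPX1", 0x400, 0x2000, 0x400, 0x600, 0, 0, 0, 0, 0xE0000040)
    return table, table.ljust(0x200, b"\0") + text + packed
```

Running suspicious_sections(parse_sections(*build_sample())) reports only the UPX1 section, with all three reasons.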
Requirements
Python
Python 2.6, 2.7
Python >= 3.2
PyPy >= 2.0
ssdeep/libfuzzy >= 2.10 (Some features might not be available with older versions. See ssdeep.Hash)
cffi
pip
six
Usage
git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
python3 ssma.py -h
Using virtualenv
git clone https://github.com/secrary/SSMA
cd SSMA
virtualenv -p python3 env
source env/bin/activate
pip3 install -r requirements.txt
python3 ssma.py -h