Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It is designed to support the regular analysis of malicious software and the development of detection and defense measures. It allows for identifying novel classes of malware with similar behavior and assigning unknown malware to discovered classes. It can be applied to recorded program behavior of various formats as long as monitored events are separated by delimiter symbols, e.g. as in reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox, and Joebox.
|Tags||Security Scientific/Engineering Log Analysis C|
|Operating Systems||POSIX Linux Mac OS X BSD|
Release Notes: The tool's persistent state is stored in the local state directory for better maintenance. Several minor bugs have been fixed.
Release Notes: Another major bug due to libconfig changes has been fixed.
Release Notes: A major bug in the parsing of configuration files has been fixed.
Release Notes: All configuration parameters can be specified on the command line. The manual page and documentation have been updated and extended. Minor bugs have been fixed.
Release Notes: Support was added for shared n-grams: when identifying a cluster of similar malware behavior, Malheur allows you to extract a set of instructions shared by the members in the cluster.