Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR

Balbuzard is a package of malware analysis tools in python to extract patterns from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

Quick links: Download - Install - Documentation - Contact - Report issues - Updates on Twitter

Balbuzard tools:

  • balbuzard is a tool to extract patterns of interest from malicious files, such as IP addresses, URLs, embedded files and typical malware strings. It is easily extensible with new patterns, regular expressions and Yara rules.
  • bbcrack uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms/keys have been used.
  • bbharvest extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file.
  • bbtrans can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file.

When to use these tools:

  • If you need to analyze a new malicious file, you can first try balbuzard to extract strings/patterns of interest and detect embedded files in cleartext.
  • Then if you think the malicious file might use an obfuscation algorithm such as XOR to hide interesting data (e.g. an embedded executable file), try bbcrack to find the algorithm and the key(s).
  • Alternatively, if bbcrack is not successful, or if you think the file may use several algorithms and/or keys, try bbharvest. bbharvest is especially targeted at single strings obfuscated within an executable or malicious file.

5 minutes demo

See the Demo page to see examples and test the tools by yourself in a few minutes using the provided samples.

Help wanted:

  • if you have malware samples or malicious documents with known obfuscation algorithms such as XOR, please contact me. That will help me a lot to improve bbcrack and bbharvest.
  • if you know other strings, patterns, file headers useful for malware analysis that Balbuzard should support, or other obfuscation algorithms, please contact me.

News

Follow all updates and news on Twitter: https://twitter.com/decalage2

  • 2014-03-23 v0.19: bugfix when Yara is not installed, improved documentation.
  • 2014-02-26 v0.18: Initial release of Balbuzard tools
  • 2013-03-15: added harvest mode (bbharvest)
  • 2011-05-06: added bruteforce functions (bbcrack)
  • 2008-06-06: first public release as reScan for SSTIC08
  • 2007-07-11: first versions of reScan
  • see changelog in source code for more info.

Download:

The archive is available on the project page on Bitbucket.

Installation

See the installation instructions.

Main Features

  • search for string or regular expression patterns
  • default set of patterns for malware analysis: IP addresses, e-mail addresses, URLs, typical EXE strings, common file headers, various malware strings
  • optional use of the Yara engine and Yara rules as patterns
  • includes Yara signatures from the Malware Analyst's Cookbook (capabilities, packer and magic), signsrch/clamsrch (standard encryption constants) and AlienVault Labs (malware signatures such as APT1).
  • provided with a large number of obfuscation transforms such as XOR, ROL, ADD (including combined transforms)
  • easily extensible with new patterns in python scripts and Yara rules, and new obfuscation transforms
  • effective on malware with multiple obfuscations/keys
  • can open malware in password-protected zip files without writing to disk
  • batch analysis of multiple files/folders on disk or within zips
  • CSV output
  • pure python 2.x, no dependency or compilation

How to contribute / report bugs:

These are open-source tools developed on my spare time. Any contribution such as code improvements, ideas, bug reports, additional patterns or transforms would be highly appreciated. You may contact me using this online form, by e-mail (decalage at laposte.net) or use the issue page on Bitbucket to report bugs/ideas, or clone the project then send me pull requests to suggest changes.

Important note: while balbuzard and bbharvest are straightforward and readily usable, bbcrack is still an experimental tool and it has not been tested on many samples yet. Please contact me if you test these tools on malware samples to tell me if it works or not.