Welcome to Manalyze’s documentation!

Manalyze performs static analysis on PE files, in order to detect signs of malicious behavior. It is a versatile tool with a robust parser and a set of built-in tests, but can also be extended easily. You can use Manalyze to:

  • Detect packed executables
  • Apply ClamAV and Yara signatures
  • Look for suspicious import combinations (i.e. CreateRemoteThread + WriteProcessMemory)
  • Analyze and extract resources
  • Identify cryptographic algorithms used
  • Submit hashes to VirusTotal
  • Verify authenticode signatures
  • ...and more.

Here is a sample report generated by the tool for 643654975b63a9bb6f597502e5cd8f49, a sample taken from the Siesta campaign:

Summary:
--------
Architecture:       IMAGE_FILE_MACHINE_I386
Subsystem:          IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:   2014-Jan-14 04:38:30
Detected languages: Chinese - PRC

[ MALICIOUS ] Matching ClamAV signature(s):
                Win.Backdoor.Sloth

Matching compiler(s):
                MASM/TASM - sig4 (h)
                Microsoft Visual C++
                Microsoft Visual C++ v6.0

[ SUSPICIOUS ] PEiD Signature:
                Armadillo v1.71

Cryptographic algorithms detected in the binary:
                Uses constants related to DES

The PE contains common functions which appear in legitimate applications.
        [!] The program may be hiding some of its imports:
                GetProcAddress
                LoadLibraryA
        Possibly launches other programs:
                CreateProcessA
                ShellExecuteA
        Can create temporary files:
                CreateFileA
                GetTempPathA

[ MALICIOUS ] The PE is possibly a dropper.
                Resource 108 detected as a PDF document.
                Resource 109 detected as a PE Executable.
                Resources amount for 93.026% of the executable.

[ MALICIOUS ] VirusTotal score: 38/56 (Scanned on 2015-10-26 15:07:59)
                MicroWorld-eScan: Gen:Variant.Zusy.23178
                CAT-QuickHeal: Trojan.Comisproc.r4
                [...]

This sample is a dropper of (allegedly) Chinese origin which displays a PDF file upon launch and encrypts its strings with the DES algorithm: all of which could have been guessed from reading the analysis report.

In the first part of this documentation, you will learn how to obtain and use the tool. The second part focuses on Manalyze’s plugin system, should you wish to extend its capabilities.

Contents:

Indices and tables