Installation

eva@paradise:~$ git clone https://github.com/Th3Hurrican3/PEpper/
eva@paradise:~$ cd PEpper
eva@paradise:~$ pip3 install -r requirements.txt
eva@paradise:~$ python3 pepper.py ./malware_dir

Screenshot

and more rows..

CSV output

and more columns..

Feature extracted

Suspicious entropy ratio
Suspicious name ratio
Suspicious code size
Suspicious debugging time-stamp
Number of export
Number of anti-debugging calls
Number of virtual-machine detection calls
Number of suspicious API calls
Number of suspicious strings
Number of YARA rules matches
Number of URL found
Number of IP found
Cookie on the stack (GS) support
Control Flow Guard (CFG) support
Data Execution Prevention (DEP) support
Address Space Layout Randomization (ASLR) support
Structured Exception Handling (SEH) support
Thread Local Storage (TLS) support
Presence of manifest
Presence of version
Presence of digital certificate
Packer detection
VirusTotal database detection
Import hash

Notes

Can be run on single or multiple PE (placed inside a directory)
Output will be saved (in the same directory of pepper.py) as output.csv
To use VirusTotal scan, add your private key in the module called "virustotal.py" (Internet connection required)

Credits

Many thanks to those who indirectly helped me in this work, specially:

The LIEF project and its awesome library
PEstudio, a really amazing software to analyze PE
PEframe from guelfoweb, an incredible widespread tool to perform static analysis on Portable Executable malware and malicious MS Office documents
Yara-Rules project, which provides compiled signatures, classified and kept as up to date as possible

Recommend Projects