Wednesday, February 17, 2010

Executables Feed for Malware Analysis

Someone sent me an email wondering why I don't continue to publish a feed for recent executables (like the older version of jsunpack), and I do! I thought the answer could be useful to others wanting to perform malware analysis so keep reading if that interests you.

You can perform a search with the term "executable" under the recent submissions of jsunpack.jeek.org. These are not guaranteed to be malicious, but there is a high likelihood that most of them are malicious. Many of the URLs are from decoded javascript or environment variables pointing to executables.

Here are the links for you,

Search http://jsunpack.jeek.org/dec/go?list=1&search=executable
RSS Feed: http://jsunpack.jeek.org/dec/go?search=executable&list=search

For each executable you find, you may choose not to download it from the actual server (the server may not offer the file anymore). In that case, you can download the executables from jsunpack instead.

Each link in the RSS feed contains a link to the decoding report like this:
http://jsunpack.jeek.org/dec/go?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df

If you replace the "go" part with "download" you'll get all the files created and the executable file.
http://jsunpack.jeek.org/dec/download?report=d6257c1932efa718fe424fbdd92ae7e0779aa9df

Please enjoy and send me any reports for malware that you analyze and I'll post them on the site.

No comments:

Post a Comment

Post a Comment