Malware Analyse and System Security Tool is designed to perform security checks on machines with Windows operating system. For it to work, it is enough to have Python (3.10 or later) installed on the machines. It can be run from the command line.
Tool has two different option at first. Malware Analyse option can analyse malicious software with .exe extension running on the machine. However, it can be detected with which IPs or URLs that malware communicates.
Security Analyse is for analyse any .exe file on the device and to inform the person using the tool whether the file is harmful or not. With 6 different options, you can query the suspected file via VirusTotal and the results can be returned.
 |
|---|
| Main Menu |
The Malware Analyse option is used to scan a suspected file on the machine. It saves the file in HEX format or outputs the IP and URLs in the file to make it easier for the analysts. Outputs the file information of the file whose name is entered.
 |
|---|
| Malware Analysis |
In this option, the file name to be converted to HEX format is taken as input. The file name is searched in the C folder . It'll check if this file exists in C.
In the next step, the obtained file is read in binary format. Then it is grouped as HEX and ASCII together with the functions in the image. The user is then asked if the file is ready and if they want to open it.
 |
|---|
| Output: HEX format of the file |
In this option, the IPs and URLs in the selected file are listed. For this listing, the IPs and URLs that the file communicates with are revealed as a result of a regex-based search.
 |
|---|
| Output: IPs and URLs in the file |
With the system analyse option, .exe files on the device can be queried on VirusTotal and the IP addresses that the device connects to can be examined.
 |
|---|
| System Analyse |
-
With this option, the history of the default browser on the device is obtained. With the help of the API over VirusTotal, it is questioned whether the requested URLs are harmful.
Browser History
-
This option lists all services running on the device. In this way, any service that could threaten the security of the device is checked. Services are downloaded with the help of Psutil library.
Windows Services
-
It gives a list of files that start when the device is started. Malware can be contained in the startup files which runs when device starts up. Viewing these files can help to identify if malicious software is present.
Startups
-
With this option, the Netstat connection table of the device is saved in a .txt file and external IP addresses can be examined. All of the connected IP addresses and which processes they are running can be seen. Foreign IPs can be queried via VirusTotal.
Netstat Table 
Foreign IP Addresses VirusTotal query
-
With this option, you can upload the suspected file to VirusTotal and get the file analysis after the upload is complete. First, the file name to be uploaded is entered and the file is searched in the C directory. Once the file is found, it is uploaded to VirusTotal.
VirusTotal File Upload
-
With this option, all processes running on the device are queried with VirusTotal. First, all running processes and their unique hashes are obtained.
Process Scan Obtained hashes are queried one by one with the help of VirusTotal API. Query results are saved in an Excel file, the process can be followed from the terminal.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent