Surja15/malware-analysis-quarantine

GitHub: Surja15/malware-analysis-quarantine

Stars: 0 | Forks: 0

# Malware Analysis Quarantine

A Python-based malware research and containment framework designed for static threat analysis, automated intelligence integration, and secure, reversible quarantine of malicious artifacts.

## Overview

Malware Analysis Quarantine provides a modular toolkit that allows cybersecurity researchers and analysts to:

- Analyze suspicious PE files for indicators of compromise.
- Integrate threat intelligence from external sources like VirusTotal.
- Securely quarantine potentially malicious files to prevent execution, while preserving the ability to restore them for offline analysis.

...

The framework is designed for **Linux environments** and emphasizes **reproducibility, traceability, and analyst safety**.

## Key Features

### 1. Static Malware Analysis

- Extract PE metadata, including:
  - Entry points
  - Image base
  - Compilation timestamps
  - Sections and imported libraries
- Identify anomalies and potential malicious behavior patterns in binaries.
- Compatible with `.exe` and `.dll` files.

### 2. Automated Threat Intelligence

- Integrates with the **VirusTotal API** for hash-based scanning.
- Provides a concise summary of malicious, suspicious, harmless, and undetected detections.
- Facilitates rapid triage of files before quarantine.

### 3. Secure Quarantine Module

- Implements **XOR-based symmetric encryption** for file obfuscation, inspired by modern research on lightweight and scalable encryption techniques [Priyadarshi, 2025; Samriddhi et al., 2025].
- Splits files into **2–4 timestamped segments**, stored in a secure `/quarantine` folder.
- Maintains a **log file mapping original filenames to encrypted segments**, ensuring traceable restoration.
- Password-protected restoration ensures only authorized analysts can recover files.

### 4. Modular and Extensible

- Malware analysis and quarantine modules are **fully decoupled**.
- Can be integrated into larger automated malware research pipelines.
- CLI interface supports both **quarantine** and **restore** commands.

## Installation

1. Clone the repository:

   ```bash
   git clone https://github.com/yourusername/malware-analysis-quarantine.git
   cd malware-analysis-quarantine
   ```

2. Install the required Python packages:

   ```bash
   pip install -r requirements.txt
   ```

Requirements:

- Python 3.8+
- pefile
- requests
- python-dotenv

## Usage

### Quarantine a File

```bash
python quarantine.py /path/to/suspicious/file.exe
```

- Encrypts and splits the file.
- Stores it securely in `/quarantine`.
- Updates `quarantine_log.txt` with the part mapping.

### Restore a Quarantined File

```bash
python quarantine.py restore file.exe
```

- Requires password: `Ganesh`
- Fetches the encrypted parts, combines and decrypts them.
- Restores the original file in the current directory.

### Integrate with a Malware Scanner

In your malware analysis pipeline:

```python
import quarantine

if malicious_detected:
    quarantine.quarantine_file(file_path)
```

This keeps the scanner and quarantine logic modular and decoupled.

## Security Notes

- XOR encryption is used for obfuscation and safe containment, not cryptographically strong encryption.
- Do not use this tool for live malware deployment.
- Always work in sandboxed or virtualized environments.

## Research & References

This project is based on modern encryption research and XOR-based obfuscation techniques:

- Praveen Kumar Priyadarshi, "Modernizing Data Security in .NET: In-House XOR, AES, and Base64 Encoding-Decoding for Scalable and Cost-Efficient Enterprise Solutions", International Research Journal of Engineering and Technology (IRJET), Volume 12, Issue 04, April 2025.
- Samriddhi V, Sanjana, Shalini C, Sinchana A, Suma V Shetty, "XOR Cipher", International Journal on Science and Technology (IJSAT), 2025.

These papers highlight XOR cipher applications, lightweight encryption, and the foundational principles behind XOR encryption, which inspired the quarantine module's secure obfuscation design.

## Simple XOR Encryption Example

```python
# Simple XOR Encryption Example

# Data to encrypt
data = b"Hello, Malware!"

# Key
key = b"Ganesh"

# XOR encrypt/decrypt function: XOR with a repeating key is its own inverse,
# so the same call both encrypts and decrypts
def xor_encrypt(data, key):
    return bytes([b ^ key[i % len(key)] for i, b in enumerate(data)])

# Encrypt the data
encrypted = xor_encrypt(data, key)
print("Encrypted:", encrypted)

# Decrypt the data
decrypted = xor_encrypt(encrypted, key)
print("Decrypted:", decrypted.decode())
```

Output example:

```text
Encrypted: b'\x0f\x04\x02\t\x1cDg,\x0f\t\x04\t5\x04O'
Decrypted: Hello, Malware!
```

## Limitations

- Supports Windows PE files only
- VirusTotal public API is rate-limited
- Performs static analysis only
- No sandbox or dynamic execution

## TESTED OUTPUT: LIVE MALWARE FROM MALWAREBAZAR

[Screenshots: MAQ, MAQ1]
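The Static Malware Analysis feature lists the PE metadata the tool extracts (entry point, image base, compilation timestamp, sections, imports) and says it identifies anomalies. The following is an added example written for this README, not code from the project, showing how that looks with `pefile`: `extract_pe_metadata()` pulls the listed fields into a plain dict and `flag_anomalies()` applies a handful of illustrative heuristics to it. The API watch-list, the entropy and timestamp thresholds, the "standard" code-section names and the two constructed summaries (`PACKED_SAMPLE`, `CLEAN_SAMPLE`) are assumptions of the example.

```python
"""Static PE metadata extraction plus anomaly heuristics.

Added example, not code from the Surja15 repository. extract_pe_metadata()
needs the pefile package the README lists; flag_anomalies() is pure Python
so it can be exercised on a hand-built summary without a binary.
"""
import time

# Example watch-list of APIs worth a second look (an assumption of this
# example, not a list taken from the project).
SUSPICIOUS_IMPORTS = {
    "VirtualAlloc", "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread",
    "IsDebuggerPresent", "URLDownloadToFileA", "WinExec", "ShellExecuteA",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000          # section characteristic flag
STANDARD_CODE_SECTIONS = {".text", "CODE", "INIT"}


def extract_pe_metadata(path):
    """Return entry point, image base, timestamp, sections and imports as a dict."""
    import pefile  # lazy import: the heuristics below work without pefile installed
    pe = pefile.PE(path)
    summary = {
        "entry_point": pe.OPTIONAL_HEADER.AddressOfEntryPoint,
        "image_base": pe.OPTIONAL_HEADER.ImageBase,
        "timestamp": pe.FILE_HEADER.TimeDateStamp,
        "sections": [
            {
                "name": s.Name.rstrip(b"\x00").decode("latin-1"),
                "virtual_size": s.Misc_VirtualSize,
                "raw_size": s.SizeOfRawData,
                "entropy": s.get_entropy(),
                "executable": bool(s.Characteristics & IMAGE_SCN_MEM_EXECUTE),
            }
            for s in pe.sections
        ],
        "imports": {},
    }
    for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", []):
        dll = entry.dll.decode("latin-1")
        summary["imports"][dll] = [
            imp.name.decode("latin-1") for imp in entry.imports if imp.name
        ]
    return summary


def flag_anomalies(summary, now=None):
    """Return human-readable flags for a metadata dict. The thresholds are
    illustrative choices for this example, not the project's rules."""
    now = time.time() if now is None else now
    flags = []
    ts = summary["timestamp"]
    if ts == 0 or ts > now + 86400:          # zeroed or future build time
        flags.append(f"suspicious compile timestamp {ts}")
    for sec in summary["sections"]:
        name = sec["name"]
        if sec["entropy"] > 7.0:             # near-random data: packed/encrypted
            flags.append(f"high-entropy section {name!r} ({sec['entropy']:.2f}), possibly packed")
        if sec["executable"] and name not in STANDARD_CODE_SECTIONS:
            flags.append(f"executable section with non-standard name {name!r}")
        if sec["executable"] and sec["raw_size"] == 0 and sec["virtual_size"] > 0:
            flags.append(f"executable section {name!r} has no raw data (filled at runtime?)")
    seen = {api for apis in summary["imports"].values() for api in apis}
    hits = sorted(seen & SUSPICIOUS_IMPORTS)
    if hits:
        flags.append("suspicious imports: " + ", ".join(hits))
    if not summary["imports"]:
        flags.append("no import table (packed, or APIs resolved at runtime)")
    return flags


# Constructed summaries standing in for pefile output, so the heuristics can
# be run without a real sample.
PACKED_SAMPLE = {
    "entry_point": 0x1000, "image_base": 0x400000, "timestamp": 0,
    "sections": [
        {"name": ".text", "virtual_size": 4096, "raw_size": 4096, "entropy": 6.1, "executable": True},
        {"name": "UPX1", "virtual_size": 8192, "raw_size": 8192, "entropy": 7.9, "executable": True},
        {"name": "UPX0", "virtual_size": 65536, "raw_size": 0, "entropy": 0.0, "executable": True},
    ],
    "imports": {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc"]},
}
CLEAN_SAMPLE = {
    "entry_point": 0x1000, "image_base": 0x400000, "timestamp": 1_600_000_000,
    "sections": [
        {"name": ".text", "virtual_size": 4096, "raw_size": 4096, "entropy": 6.0, "executable": True},
    ],
    "imports": {"KERNEL32.dll": ["ExitProcess", "GetModuleHandleA"]},
}

if __name__ == "__main__":
    import sys
    target = extract_pe_metadata(sys.argv[1]) if len(sys.argv) > 1 else PACKED_SAMPLE
    for flag in flag_anomalies(target) or ["no anomalies flagged"]:
        print("-", flag)
```

Run it with a path to a `.exe` or `.dll` to analyze a real file, or with no argument to see the heuristics fire on the constructed packed sample. Each flag is a lead for the analyst, not a verdict: a high-entropy section is also what a legitimately compressed installer looks like, which is why the README pairs static analysis with VirusTotal triage.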
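For the Automated Threat Intelligence feature and the scanner-integration snippet under Usage, here is an added example (not the project's code) of hash-based VirusTotal triage: it hashes the file, queries the v3 file-report endpoint, reduces `last_analysis_stats` to the four counts the README reports, and hands a positive verdict to the decoupled quarantine callable. The `VT_API_KEY` environment-variable name, the verdict thresholds and the constructed `SAMPLE_STATS` are this example's assumptions.

```python
"""Hash-based VirusTotal triage feeding a decoupled quarantine step.

Added example, not the project's code. The HTTP call needs the requests
package; every other function is pure so it runs offline.
"""
import hashlib
import os

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/{}"


def file_sha256(path):
    """Hash the file in chunks; VirusTotal file reports are looked up by hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_stats(stats):
    """Reduce a last_analysis_stats dict to the four counts the README reports."""
    summary = {k: int(stats.get(k, 0)) for k in ("malicious", "suspicious", "harmless", "undetected")}
    summary["engines"] = sum(summary.values())
    return summary


def triage_verdict(stats, malicious_threshold=3):
    """Illustrative policy (the threshold is this example's assumption):
    'quarantine' when enough engines agree, 'review' on any hit, else 'clean'."""
    s = summarize_stats(stats)
    if s["malicious"] >= malicious_threshold:
        return "quarantine"
    if s["malicious"] or s["suspicious"]:
        return "review"
    return "clean"


def lookup_hash(sha256, api_key=None, timeout=15):
    """Fetch last_analysis_stats for a hash from the VirusTotal v3 API.
    Returns None for an unknown hash (404) or when the public-API rate limit
    is hit (429), so the caller can back off instead of crashing."""
    import requests  # lazy import keeps the pure helpers usable without it
    api_key = api_key or os.environ.get("VT_API_KEY")  # VT_API_KEY is an assumed name
    if not api_key:
        raise RuntimeError("set VT_API_KEY, e.g. in a .env file loaded with python-dotenv")
    resp = requests.get(VT_FILES_URL.format(sha256), headers={"x-apikey": api_key}, timeout=timeout)
    if resp.status_code in (404, 429):
        return None
    resp.raise_for_status()
    return resp.json()["data"]["attributes"]["last_analysis_stats"]


def triage_and_contain(path, stats, quarantine_fn):
    """Pipeline glue: quarantine_fn is the decoupled containment callable
    (the README's quarantine.quarantine_file). Returns the verdict."""
    verdict = triage_verdict(stats)
    if verdict == "quarantine":
        quarantine_fn(path)
    return verdict


# Constructed fragment shaped like VirusTotal's last_analysis_stats.
SAMPLE_STATS = {"malicious": 41, "suspicious": 2, "harmless": 0, "undetected": 25,
                "timeout": 1, "type-unsupported": 4}

if __name__ == "__main__":
    import sys
    digest = file_sha256(sys.argv[1])
    stats = lookup_hash(digest)
    print(digest, "rate-limited or unknown hash" if stats is None else summarize_stats(stats))
```

Hashing locally and submitting only the hash keeps the sample off third-party infrastructure, and treating a 429 as "no verdict" rather than an error matters with the public API's rate limit noted under Limitations: a pipeline that crashes on throttling leaves files neither triaged nor contained.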
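The Secure Quarantine Module section describes XOR obfuscation, a split into 2–4 timestamped segments, a log mapping filenames to segments, and password-protected restore. The block below is an added example, not the repository's `quarantine.py`, implementing that shape end to end. Deriving the XOR key from the password with SHA-256, the tab-separated log format, and storing a SHA-256 of the original so that a wrong password is rejected instead of silently writing garbage are this example's own choices; `demo_roundtrip()` builds a constructed stand-in file in a temporary directory.

```python
"""Reversible XOR quarantine: encrypt, split into timestamped segments, log
the mapping, restore with a password. Added example shaped like the README's
module description, not the project's quarantine.py. Assumptions: XOR key =
SHA-256(password); tab-separated log; SHA-256 of the original stored in the
log so a wrong password fails closed."""
import hashlib
import hmac
import os
import time
from pathlib import Path


def xor_bytes(data, key):
    """Repeating-key XOR; applying it twice with the same key returns the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def derive_key(password):
    """32-byte XOR key derived from the restore password (this example's choice)."""
    return hashlib.sha256(password.encode()).digest()


def split_segments(blob, n_parts):
    """Cut blob into n_parts near-equal chunks; the README allows 2 to 4 parts."""
    if not 2 <= n_parts <= 4:
        raise ValueError("n_parts must be between 2 and 4")
    size, rem = divmod(len(blob), n_parts)
    parts, offset = [], 0
    for i in range(n_parts):
        length = size + (1 if i < rem else 0)
        parts.append(blob[offset:offset + length])
        offset += length
    return parts


def quarantine_file(src, password, qdir="quarantine", n_parts=3, log_name="quarantine_log.txt"):
    """Encrypt src, write the segments to qdir, append the mapping, delete src."""
    src, qdir = Path(src), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    original = src.read_bytes()
    blob = xor_bytes(original, derive_key(password))
    stamp = time.strftime("%Y%m%dT%H%M%S")
    names = []
    for i, part in enumerate(split_segments(blob, n_parts)):
        name = f"{src.name}.{stamp}.part{i}"
        (qdir / name).write_bytes(part)
        os.chmod(qdir / name, 0o600)  # owner read/write only, never executable
        names.append(name)
    digest = hashlib.sha256(original).hexdigest()
    with open(qdir / log_name, "a", encoding="utf-8") as log:
        log.write("\t".join([src.name, digest, *names]) + "\n")
    src.unlink()
    return names


def restore_file(name, password, qdir="quarantine", dest_dir=".", log_name="quarantine_log.txt"):
    """Reassemble the segments logged for name, decrypt, verify the hash, write out."""
    qdir = Path(qdir)
    entry = None
    for line in (qdir / log_name).read_text(encoding="utf-8").splitlines():
        fields = line.split("\t")
        if fields[0] == name:
            entry = fields  # the most recent quarantine of that name wins
    if entry is None:
        raise FileNotFoundError(f"{name} is not listed in {log_name}")
    _, digest, *parts = entry
    blob = b"".join((qdir / p).read_bytes() for p in parts)
    plain = xor_bytes(blob, derive_key(password))
    # A wrong password decrypts to bytes whose hash cannot match the logged one.
    if not hmac.compare_digest(hashlib.sha256(plain).hexdigest(), digest):
        raise PermissionError("wrong password or corrupted segments; nothing written")
    out = Path(dest_dir) / name
    out.parent.mkdir(parents=True, exist_ok=True)
    out.write_bytes(plain)
    return out


def demo_roundtrip(password="example-password"):
    """Constructed end-to-end run in a temp dir: quarantine, refuse a wrong
    password, restore, compare. Returns the observations as a dict."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        sample, qdir = tmp / "sample.exe", tmp / "quarantine"
        original = b"MZ" + bytes(range(256)) * 4  # constructed stand-in for a PE file
        sample.write_bytes(original)
        parts = quarantine_file(sample, password, qdir=qdir, n_parts=4)
        result = {"parts": len(parts), "source_removed": not sample.exists(),
                  "segments_exist": all((qdir / p).exists() for p in parts)}
        try:
            restore_file("sample.exe", "not-the-password", qdir=qdir, dest_dir=tmp / "restored")
            result["wrong_password_refused"] = False
        except PermissionError:
            result["wrong_password_refused"] = True
        restored = restore_file("sample.exe", password, qdir=qdir, dest_dir=tmp / "restored")
        result["roundtrip_ok"] = restored.read_bytes() == original
        return result


if __name__ == "__main__":
    print(demo_roundtrip())
```

The segments are written with mode 0600 and the source is unlinked only after the log line is flushed, so a crash mid-way leaves either the original or a logged, restorable set of parts, never neither. The stored hash doubles as the integrity check the README's traceability goal implies: tampered or mixed-up segments are refused at restore time. As the Security Notes say, XOR here is containment and obfuscation, not confidentiality; the password gate and the hash are what make the restore controlled.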