Linux Malware Analysis Tools
Static Analysis

file – Displays the type of a file (Mach-O, FAT, other types).

strings – Extracts strings from a file.

diff – Compares two files and shows the differences between them.

nm – Extracts symbol table (function imports, exports).

curl – Downloads and uploads files over HTTP and other protocols.

strace – Traces system calls and signals.

wget – Downloads files from HTTP and FTP protocols.

DiE (Detect it Easy) – Packer identifier (recommended).

Malwoverview.py – Incident response tool to perform an initial and quick triage in a directory containing malware samples and more.

Dynamic Analysis

Wireshark – Network analysis tool.

tcpdump – Network analysis tool.

mitmproxy – An interactive SSL/TLS-capable intercepting HTTP proxy (great for HTTPS inspection).

NetworkMiner – Sniffer and PCAP parser.

Burp Suite – The free web proxy for any browser, system or platform.

INetSim – Internet Services Simulation Suite.

Procmon for Linux – Process monitor for Linux (Sysinternals Procmon port).

Reverse Engineering

GDB – GNU Debugger.

IDA Free/Pro – Disassembler and debugger.

Hopper (Demo/Pro) – Disassembler and debugger.

radare2 – Free and open source disassembler and debugger.

Cutter – GUI for radare2.

Binary Ninja – A New Type of Reversing Platform.

angr – Platform-agnostic binary analysis framework.

Unpacking & Deobfuscation

FLOSS – Automatically extract obfuscated strings from malware.

NoMoreXor – Tool to help guess a file's 256-byte XOR key using frequency analysis.

XORSearch – Searches for a given string in an XOR, ROL, ROT or SHIFT encoded binary file.

Forensics

dd – Disk imaging tool used for forensic acquisition.

Autopsy – Disk forensics analysis platform.

LiME – Memory acquisition tool.

dwarfdump – Used to build Linux profiles for Volatility.

Volatility – Memory forensics analysis framework.

FOG Project – A free open-source network computer cloning and management solution.

Sandboxes

Limon Sandbox – Free and open-source automated Linux malware analysis sandbox.

Cuckoo Sandbox – Free and open-source automated malware analysis sandbox.