Malcom – Malware Communications Analyzer 2019

Malcom is a tool designed to analyze a system’s network communication using graphical representations of network traffic, and cross-reference them with known malware sources.

This comes handy when analyzing how certain malware species try to communicate with the outside world. This tool can help you for the following;

  • detect central command and control (C&C) servers
  • understand peer-to-peer networks
  • observe DNS fast-flux infrastructures
  • quickly determine if a network artifact is ‘known-bad’

The aim of this tool is to make malware analysis and intel gathering faster by providing a human-readable version of network traffic originating from a given host or network. Convert network traffic information to actionable intelligence faster.

Also Read:Evilginx2 : Standalone Man-In-The-Middle Attack Framework

Malcom Installation

It is written in python. Provided you have the necessary libraries, you should be able to run it on any platform. I highly recommend the use of python virtual environments (virtualenv) so as not to mess up your system libraries.

The following was tested on Ubuntu server 14.04 LTS:

Install git, python and libevent libs, mongodb, redis, and other dependencies

$ sudo apt-get install build-essential git python-dev libevent-dev mongodb libxml2-dev libxslt-dev zlib1g-dev redis-server libffi-dev libssl-dev python-virtualenv

Clone the Git repo:

$ git clone malco

Create your virtualenv and activate it:

$ cd malcom
$ virtualenv env-malcom
$ source env-malcom/bin/activate

Get and install scapy:

$ cd ..
$ wget
$ tar xvzf scapy-latest.tar.gz
$ cd scapy-2.1.0
$ python install

Still from your virtualenv, install necessary python packages from the requirements.txt file:

$ cd ../malcom
$ pip install -r requirements.txt

For IP geolocation to work, you need to download the Maxmind database and extract the file to the malcom/Malcom/auxiliary/geoIP directory. You can get Maxmind’s free (and thus more or less accurate) database from the following link:

$ cd Malcom/auxiliary/geoIP
$ wget
$ gunzip -d GeoLite2-City.mmdb.gz
$ mv GeoLite2-City.mmdb GeoIP2-City.mmdb

Launch the webserver from the tools directory using ./ Check ./ –help for listen interface and ports.

For starters, you can copy the malcom.conf.example file to malcom.conf and run ./ -c malcom.conf.

Technical specs

It was written mostly from scratch, in Python. It uses the following frameworks to work:

  • flask – a lightweight python web framework
  • mongodb – a NoSQL database. It interfaces to python with pymongo
  • redis – An advanced in-memory key-value store
  • d3js – a JavaScript library that produces awesome force-directed graphs (
  • bootstrap – a CSS framework that will eventually kill webdesign, but makes it extremely easy to quickly “webize” applications that would only work through a command prompt.


This tool was coded during my free time. Like a huge number of tools we download and use daily, we wouldn’t recommend to use it on a production environment where data stability and reliability is a MUST.

  • It may be broken, have security gaps (running it as root in uncontrolled environments is probably not a good idea), or not work at all.
  • It’s written in python, so don’t expect it to be ultra-fast or handle huge amounts of data easily.
  • I’m no coder, so don’t expect to see beautiful pythonic code everywhere you look. Or lots of comments.

It’s in early stages of development.

Credit: Thomas Chopitea