PEpper is an open source tool to perform malware static analysis on Portable Executable. Following are some of the features supported by the tool;
- Suspicious entropy ratio
- Suspicious name ratio
- Suspicious code size
- Suspicious debugging time-stamp
- Number of export
- Number of anti-debugging calls
- Number of virtual-machine detection calls
- Number of suspicious API calls
- Number of suspicious strings
- Number of YARA rules matches
- Number of URL found
- Number of IP found
- Cookie on the stack (GS) support
- Control Flow Guard (CFG) support
- Data Execution Prevention (DEP) support
- Address Space Layout Randomization (ASLR) support
- Structured Exception Handling (SEH) support
- Thread Local Storage (TLS) support
- Presence of manifest
- Presence of version
- Presence of digital certificate
- Packer detection
- VirusTotal database detection
- Import hash
Installation
eva@paradise:~$ git clone https://github.com/Th3Hurrican3/PEpper/ eva@paradise:~$ cd PEpper
eva@paradise:~$ pip3 install -r requirements.txt
eva@paradise:~$ python3 pepper.py ./malware_dir
CSV Output
![outcome](https://raw.githubusercontent.com/Th3Hurrican3/PEpper/media/csv.png)
and more columns..
Also Read – PwnedOrNot : OSINT Tool To Find Passwords For Compromised Email Addresses
Notes
- Can be run on single or multiple PE (placed inside a directory)
- Output will be saved (in the same directory of pepper.py) as output.csv
- To use VirusTotal scan, add your private key in the module called “virustotal.py” (Internet connection required)
Screenshots
![](https://1.bp.blogspot.com/-WvZNWol8p9Q/XV1zZpskK2I/AAAAAAAACFg/tKsvi6e61NwGN7YRFeczLPCB6IQ74U3wQCLcBGAs/s1600/Screenshot-1.png)
![](https://1.bp.blogspot.com/-2AeqCQpv1Lg/XV1zZnFJDaI/AAAAAAAACFc/bhjwzopjBMQZrzGVq8zNxG6M25BnzSfOwCLcBGAs/s1600/Screenshot-2.png)
![](https://1.bp.blogspot.com/-kxfac7yMVeo/XV1zZtqIWpI/AAAAAAAACFk/FnV6S86TRywrMAjvO-Akyxr-rgAdmfC3QCLcBGAs/s1600/Screenshot-3.png)
![](https://1.bp.blogspot.com/-47rmwpUX2HM/XV1za3jBCtI/AAAAAAAACFo/MxWRpYb3ZRM9i7RvjmN-G8k2SLad1o9mQCLcBGAs/s1600/Screenshot-4.png)