A simple Ruby script to analyse malware samples

Source Code : 
#!/usr/bin/env ruby
 
# Malware_Analysis.rb
# A ruby malware analyser for analysing
# executable files and displaying interesting
# system calls.
 
 
if RUBY_PLATFORM =~ /win/
    
clearCmd "cls"
else
    
clearCmd "clear"
end
 
malware 
ARGV[0]
 
system(clearCmd)
 
puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script       |"
puts "| http://megawrz.com                  |"
puts "| Written by Keiran Smith              |"
puts "+-----------------------------------+"
puts ""
 
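# Report whether the file at +fileName+ starts with a known executable
# magic number: "MZ" (DOS/PE) or "\x7fELF" (ELF). Only the first four
# bytes are read, in binary mode, and the sample is never executed.
#
# @param fileName [String, nil] path of the file to inspect
# @return [Boolean] true for an MZ or ELF header, false otherwise; also
#   false (after printing "[!] File Error!") when the path is nil or the
#   file cannot be opened or read
def isBinary(fileName)
  return false if fileName.nil?

  # Block form closes the handle even if read raises; "rb" avoids newline
  # translation and encoding conversion on the header bytes.
  magic = File.open(fileName, "rb") { |f| f.read(4) }
  # read(4) returns nil on an empty file.
  return false if magic.nil?

  magic = magic.b
  # Anchored at offset 0: a magic number only counts at the very start.
  magic.start_with?("MZ".b) || magic.start_with?("\x7FELF".b)
rescue SystemCallError
  # ENOENT, EACCES, EISDIR, ... are all reported the same way and treated
  # as "not an executable" so the caller can fall through to its message.
  puts "[!] File Error!"
  false
end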
 
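# Regex fragments looked for in each line of the sample. Entries such as
# "CreateFile.*WRITE" rely on regex syntax, so they are compiled once here
# rather than rebuilt for every line. Matching is case-sensitive.
SYSTEM_CALL_PATTERNS = [
  "CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
  "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
  "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"
].map { |pattern| Regexp.new(pattern) }.freeze

# Print "[+] System Call made to : <pattern>" for every entry of
# SYSTEM_CALL_PATTERNS that matches +line+. This is a string-match
# indicator only; it shows that the name appears in the file, not that the
# call is ever reached.
#
# @param line [String] one line of the sample's raw bytes
# @return [Array<Regexp>] the pattern list (callers ignore the value)
def checkSystem(line)
  SYSTEM_CALL_PATTERNS.each do |pattern|
    # Regexp#source prints the original fragment, e.g. "CreateFile.*WRITE".
    puts "[+] System Call made to : #{pattern.source}" if pattern =~ line
  end
end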
 
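# Registry hive names looked for in each line of the sample. Plain
# substrings (no regex metacharacters), compared case-sensitively.
REGISTRY_HIVES = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"].freeze

# Print "[+] Registry Access to Hive : <hive>" for every hive name found in
# +line+. Presence of the string is the only evidence; the script does not
# know which key is opened or whether the access is a read or a write.
#
# @param line [String] one line of the sample's raw bytes
# @return [Array<String>] the hive list (callers ignore the value)
def checkRegistry(line)
  REGISTRY_HIVES.each do |hive|
    puts "[+] Registry Access to Hive : #{hive}" if line.include?(hive)
  end
end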
 
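# IRC commands and bot-style keywords looked for in each line of the sample.
# Plain substrings, compared case-sensitively. Several entries ("Port",
# "Login", "LIST", "INFO", "MODE", "WHO") are short common words, so this
# list is likely to produce noise on ordinary binaries; treat a hit as a
# prompt for closer inspection, not as a verdict.
NETWORK_INDICATORS = [
  "IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN",
  "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE",
  "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"
].freeze

# Print "[+] Network Activity Detected : <indicator>" for every entry of
# NETWORK_INDICATORS found in +line+.
#
# @param line [String] one line of the sample's raw bytes
# @return [Array<String>] the indicator list (callers ignore the value)
def checkNetwork(line)
  NETWORK_INDICATORS.each do |indicator|
    puts "[+] Network Activity Detected : #{indicator}" if line.include?(indicator)
  end
end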
 
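# Entry point: check the header, then stream the sample line by line through
# the three indicator scans. The file is only read, never executed, and all
# findings go to stdout.
if malware.nil?
  # Started without a path; isBinary(nil) would otherwise raise a TypeError.
  puts "[!] Usage: #{$PROGRAM_NAME} <file>"
elsif isBinary(malware)
  puts "[+] Valid Executable Found beginning Analysis"
  puts ""
  # "rb" reads raw bytes (ASCII-8BIT) like the previous "r:ASCII-8BIT"; the
  # block form closes the handle, and each_line avoids slurping the whole
  # sample into memory the way readlines did.
  File.open(malware, "rb") do |analysis|
    analysis.each_line do |line|
      checkSystem(line)
      checkRegistry(line)
      checkNetwork(line)
    end
  end
else
  puts "[!] Not a valid Executable file"
end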