Projects
CyberChef
Custom CyberChef instance that contains modules created to aid malware analysis.
Blackguard Deobfuscator
Blackguard string deobfuscator using dnlib.
DeGobfuscate
Cutter plugin used to deobfuscate strings in an executable that was obfuscated with gobfuscate.
GoLang Helper for Radare2 and Rizin
Helper tool that can be used in rizin, radare2, or Cutter to easily parse a GoLang executable's gopclntab. The parsed functions are added to the disassembler for easy access.
Gunslinger
Gunslinger is a hunting tool that is based around URLScan's Search API. Gunslinger can crawl URLScan for JavaScript files that match a set of user-defined rules and report the information back to Slack.
SnakeOil
Spam trap honeypot created in Python. SnakeOil sets up a fake open SMTP relay and reports any emails it receives to Slack.
Machamp
Derived from the fuzzy hashing mechanism Machoc, Machamp is a fuzzy hashing algorithm based on the Call Flow Graph (CFG) of a function. Machamp adds another layer of abstraction: the hash for a function is built from the individual hash of each basic block. The purpose of this hash is to match functions so that a binary can easily be "unstripped" by renaming functions based on their hash.
Valak Script Extractor
Python script used to unpack the JavaScript code used in Valak malware samples.