Open Source Malware Analysis Platform: FAME


FAME is an open source malware analysis platform that is meant to facilitate analysis of malware-related files, leveraging as much knowledge as possible in order to speed up and automate end-to-end analysis. FAME should be seen as a malware analysis framework. Instead of developing several scripts for different tasks related to malware analysis, develop FAME modules that will be able to collaborate with each other.

FAME was built to facilitate malware analysis by automating as many tasks as possible. The real work of malware analysis is done by processing modules. FAME will do its best to determine what processing modules should be run during each analysis, and will chain modules’ execution in order to achieve end-to-end analysis.

Each processing module can produce the following analysis elements:

  • Probable Name: this is the malware family. A module should only set the probable name if it has very high confidence in its diagnosis.
  • Extractions: this is the text information that should be the most useful for the analyst. A typical example would be the malware’s configuration.
  • Tags: a tag is a computer-friendly piece of information that describes the analysis. It can be seen as a form of signature name.
  • Generated Files: files that were produced by the analysis, such as memory dumps.
  • Support Files: files that can be downloaded by the analyst, such as a sandbox analysis report.
  • Extracted Files: files that deserve an analysis of their own.
  • IOCs: indicators of compromise that could be used to detect this malware.
  • Detailed Results: any kind of information that would be useful to the analyst.

When analyzing a file, the first step is to determine the file type. FAME will try to determine the file type based on the file extension and python-magic. A FAME-specific file type will then be associated with the file using different indicators (examples: “executable”, “word”, “pdf”, etc.). Then, the analyst has to choose between two types of analysis: Just Do Your Magic (recommended) or Targeted analysis.


FAME relies on modules to add functionality. Modules are actually Python classes that inherit from the fame.core.module.Module class.

Several kinds of modules can be created:

  • ProcessingModule: this is where FAME’s magic is. A ProcessingModule should define some automated analysis that can be performed on some types of files / analysis information.
  • ReportingModule: this kind of module enables reporting options, such as sending analysis results by email, or posting a Slack notification when the analysis is finished.
  • ThreatIntelligenceModule: this kind of module acts on IOCs. A ThreatIntelligenceModule has two roles:
    • Enrich the analysis, by adding Threat Intelligence information on IOCs when they are added to the analysis.
    • Enrich the Threat Intelligence Platform with IOCs extracted by FAME.
  • AntivirusModule: modules that act on files, and send them to antivirus vendors.
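
A simplified model of the module chaining described above, as an added example that is not FAME's own code. The `Analysis`, `Module`, `guess_type` and `analyze` names, the tag and family names, and the sample bytes are all made up for illustration and are not FAME's API (real modules inherit from fame.core.module.Module).

```python
import re

# Constructed sample: bytes an unpacker might hand over (not real malware).
SAMPLE = b"MZ\x90\x00...cfg:c2=hxxp://c2.example.test/gate.php;campaign=demo01;"

class Analysis:
    """Holds a few of the analysis elements listed above."""
    def __init__(self):
        self.probable_name, self.executed = None, []
        self.tags, self.iocs, self.extractions = set(), set(), {}

class Module:
    """Stand-in base class (FAME's real one is fame.core.module.Module)."""
    name, acts_on, triggered_by = "base", (), ()

class ConfigExtractor(Module):
    name, acts_on = "config_extractor", ("executable",)
    def run(self, data, analysis):
        m = re.search(rb"cfg:c2=([^;]+);campaign=(\w+);", data)
        if m:
            c2, campaign = m.group(1).decode(), m.group(2).decode()
            analysis.extractions["config"] = {"c2": c2, "campaign": campaign}
            analysis.iocs.add(c2)
            analysis.tags.add("c2_config")  # lets tag-triggered modules run

class FamilyNamer(Module):
    name, triggered_by = "family_namer", ("c2_config",)
    KNOWN = {"demo01": "DemoFamily"}  # constructed campaign-to-family map
    def run(self, data, analysis):
        campaign = analysis.extractions["config"]["campaign"]
        # Set a probable name only on an exact, high-confidence match.
        analysis.probable_name = self.KNOWN.get(campaign)

def guess_type(data):
    """Crude magic-byte check standing in for extension + python-magic."""
    return "executable" if data[:2] == b"MZ" else "pdf" if data[:5] == b"%PDF-" else "unknown"

def analyze(data, modules):
    """Run modules until none is ready; tags set by one module can trigger others."""
    analysis, ftype, pending = Analysis(), guess_type(data), list(modules)
    while True:
        ready = [m for m in pending
                 if (not m.triggered_by and ftype in m.acts_on)
                 or analysis.tags & set(m.triggered_by)]
        if not ready:
            return analysis
        for mod in ready:
            pending.remove(mod)
            mod.run(data, analysis)
            analysis.executed.append(mod.name)
```

Calling `analyze(SAMPLE, [FamilyNamer(), ConfigExtractor()])` runs the extractor first even though it is listed second, because the naming module only becomes ready once the tag it waits for has been set.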
