agentic-malware-analysis  by mrphrazer

Automated deep malware reverse engineering driven by AI agents

Created 3 months ago
264 stars

Top 96.5% on SourcePulse

Project Summary

This project provides an automated, agent-driven environment for deep malware reverse engineering. It is aimed at security researchers and analysts: it streamlines the repetitive initial analysis phases and, with AI assistance, turns raw binaries into structured, actionable intelligence, which shortens the path to the deep-dive investigation.

How It Works

This solution utilizes a Kali Linux Docker container equipped with over 50 reverse engineering tools. It integrates with disassembler backends like Binary Ninja (recommended) or Ghidra via MCP. A core malware-analysis-orchestrator skill, powered by AI agents (Claude Code or Codex CLI), drives a structured, multi-phase workflow. This process automates tasks such as fingerprinting, string extraction, API analysis, signal ranking, hypothesis generation, and component modeling, culminating in a prioritized deep-analysis plan, all managed externally via a persistent case directory.

Quick Start & Requirements

  • Primary install/run command: Clone the repository (git clone https://github.com/mrphrazer/agentic-malware-analysis.git), navigate into it (cd agentic-malware-analysis), optionally copy your Binary Ninja zip (cp /path/to/binaryninja_linux.zip ./binaryninja.zip), then execute ./run_docker.sh.
  • Prerequisites: Docker with buildx, an Anthropic API key (for Claude Code) or OpenAI API key (for Codex CLI). A headless-capable Binary Ninja Linux zip with a valid license is recommended for optimal results; Ghidra is used as a fallback.
  • Setup: The run_docker.sh script builds the Docker image, clones necessary MCP server repositories, seeds API credentials and Binary Ninja licenses from host directories, and launches the container. Analysis is initiated within the container using claude or codex commands.

Highlighted Details

  • Comprehensive Kali Linux container pre-loaded with 50+ RE and malware analysis tools.
  • Automatic selection and configuration of MCP backends: Binary Ninja (preferred) or Ghidra.
  • Structured, multi-phase malware-analysis-orchestrator skill for Claude Code and Codex CLI.
  • Generates a persistent, detailed case directory per sample, containing artifacts like profile, ranked strings, hypotheses, component maps, and deep-analysis plans.
  • Includes bundled YARA rules (GPL-2.0) for crypto, anti-debug/anti-VM, capabilities, and packers.
  • Supports analysis of PE, ELF, and Mach-O file formats.

Licensing & Compatibility

The bundled YARA rules are provided under the GPL-2.0 license. The project itself does not explicitly state its license in the README. Binary Ninja requires a separate commercial license. Compatibility for commercial use is not explicitly detailed, though API key usage suggests potential integration into commercial workflows.

Limitations & Caveats

Agent analysis runs are non-deterministic, so repeated analyses of the same sample may yield different results. Externalized state management mitigates context-window limitations, but the depth of a single pass can still be constrained. AI agents may produce overconfident or incorrect claims, so findings need expert validation. The orchestrator focuses primarily on static analysis; dynamic analysis tools are available but are not automatically orchestrated. The container and agent wrappers run with elevated permissions (SYS_PTRACE, seccomp=unconfined, full container permissions) by design for autonomous operation, which calls for care wherever untrusted networks or users can reach the environment. MCP communication uses an unauthenticated stdio transport.
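To see which of these settings a running container actually carries, the output of docker inspect can be audited. The following is an added example, not code from the project: the container name, mount path and sample JSON are constructed, and the network and writable-mount checks are assumptions about what matters in a malware lab rather than settings the page lists.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output.
# Name, mount path and values are illustrative, not taken from the project.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/malware-lab",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_PTRACE"],
        "SecurityOpt": ["seccomp=unconfined"],
        "NetworkMode": "bridge",
        "Binds": ["/home/analyst/creds:/root/creds"],
    },
}])

RISKY_CAPS = {"SYS_PTRACE", "SYS_ADMIN", "ALL"}
UNCONFINED = {"seccomp=unconfined", "apparmor=unconfined"}

def audit_container(inspect_json):
    """Return (container, finding) pairs for settings that weaken isolation."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append((name, "privileged container"))
        for cap in host.get("CapAdd") or []:      # field is null when unset
            cap = cap.upper().removeprefix("CAP_")
            if cap in RISKY_CAPS:
                findings.append((name, f"cap_add {cap}"))
        for opt in host.get("SecurityOpt") or []:
            # Docker accepts "seccomp=unconfined" and the older "seccomp:unconfined"
            if opt.replace(":", "=", 1) in UNCONFINED:
                findings.append((name, f"security_opt {opt}"))
        # Assumption: a lab handling live samples should have no network by default
        if host.get("NetworkMode") != "none":
            findings.append((name, f"network mode {host.get('NetworkMode')}"))
        # Assumption: host paths mounted read-write expose host data to the sample
        for bind in host.get("Binds") or []:
            parts = bind.split(":")
            mode = parts[2] if len(parts) > 2 else ""
            if "ro" not in mode.split(","):
                findings.append((name, f"writable host mount {parts[0]}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_container(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a real host, pass the output of docker inspect for the analysis container to audit_container instead of the sample.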

Health Check

  • Last Commit: 3 months ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 1
  • Issues (30d): 0
  • Star History: 49 stars in the last 30 days
