Malware Feature Engineering

A one-stop hub for all security machine learning researchers.

About MalFe

The goal of this platform is to provide a new, stronger data platform for generating custom datasets that help security researchers build better machine learning models to combat malware. The platform relies on Cuckoo reports of analysed malware samples and lets security researchers use these reports to build their own datasets, add reports, add public datasets, and even use it privately.


How MalFe Works

Using MalFe is relatively easy, but it requires knowledge of machine learning and security. The functionality and workflow are presented in the video below:

Popular Datasets

API CALL FREQUENCY
Frequency of API call types in samples
Ransomware(2512), Development(20), Education(9), Games(52), Graphics(55), Internet(83), Music / Video(47), Office(54), Security(30), Utilities(222)

Sample Name category label SetErrorMode OleInitialize LdrGetDllHandle LdrLoadDll LdrGetProcedureAddress NtOpenSection NtMapViewOfSection RegOpenKeyExW RegQueryValueExW RegCloseKey NtClose NtOpenKey NtQueryValueKey GetSystemWindowsDirectoryW NtCreateFile NtCreateSection RegOpenKeyExA CreateActCtxW GetSystemDirectoryW GetVolumeNameForVolumeMountPointW NtDuplicateObject LoadStringW NtCreateMutant GetNativeSystemInfo RegEnumKeyW NtQuerySystemInformation RegQueryValueExA NtQueryDirectoryFile GlobalMemoryStatusEx CoCreateInstance NtAllocateVirtualMemory CreateDirectoryW DeleteFileW GetFileSizeEx NtReadFile GetFileInformationByHandleEx GetSystemTimeAsFileTime GetVolumePathNamesForVolumeNameW LdrUnloadDll CoInitializeEx NtOpenProcess CoUninitialize NtFreeVirtualMemory NtOpenFile NtQueryInformationFile GetFileAttributesW FindFirstFileExW NtQueryAttributesFile NtUnmapViewOfSection SetFilePointerEx SetFilePointer GetTempPathW GetFileSize NtWriteFile FindResourceExW LoadResource SHGetFolderPathW NtProtectVirtualMemory GetFileType ReadProcessMemory GetForegroundWindow GetSystemMetrics SetFileTime NtSetInformationFile SearchPathW NtOpenMutant RegEnumKeyExW DrawTextExW GetAsyncKeyState GetDiskFreeSpaceExW GetKeyState FindWindowW FindWindowExA CreateThread MoveFileWithProgressW SetFileAttributesW RemoveDirectoryW NtTerminateProcess CreateToolhelp32Snapshot Process32FirstW Process32NextW FindWindowExW SetEndOfFile GetCursorPos SetUnhandledExceptionFilter OutputDebugStringA GetSystemInfo FindResourceW SizeofResource NtDelayExecution GetKeyboardState WSAStartup socket setsockopt NtDeviceIoControlFile closesocket GetBestInterfaceEx GetAdaptersAddresses NtQueryKey RegCreateKeyExW GetAddrInfoW GetUserNameExW RegSetValueExW RegDeleteValueW InternetQueryOptionA URLDownloadToFileW IsDebuggerPresent CreateProcessInternalW GetTimeZoneInformation LookupAccountSidW SendNotifyMessageW UuidCreate GetFileVersionInfoSizeW GetFileVersionInfoW NtEnumerateValueKey EnumWindows OpenSCManagerW 
GetComputerNameW GetUserNameW NetShareEnum GetFileInformationByHandle DeviceIoControl ShellExecuteExW RegQueryInfoKeyW RegEnumValueW RegDeleteKeyW NtReadVirtualMemory NtOpenKeyEx NtSetValueKey NtCreateKey GetVolumePathNameW GetFileAttributesExW GetUserNameExA RegCreateKeyExA CryptAcquireContextW NtEnumerateKey NtDeleteKey OpenServiceW NtOpenDirectoryObject CreateJobObjectW SetInformationJobObject RegEnumKeyExA __exception__ GetShortPathNameW LoadStringA FindResourceA DrawTextExA RegQueryInfoKeyA RegSetValueExA SHGetSpecialFolderLocation NtCreateThreadEx NtResumeThread gethostbyname GetSystemDirectoryA FindResourceExA GetDiskFreeSpaceW CertOpenStore CryptDecodeObjectEx CertControlStore CryptHashData NtOpenThread MessageBoxTimeoutW LookupPrivilegeValueW CryptAcquireContextA SetFileInformationByHandle RemoveDirectoryA SetWindowsHookExW CopyFileW GetFileVersionInfoSizeExW GetFileVersionInfoExW CoInitializeSecurity WSASocketW WSAConnect UnhookWindowsHookEx CertOpenSystemStoreW getaddrinfo InternetCrackUrlW CoCreateInstanceEx CoGetClassObject IWbemServices_ExecQuery SetStdHandle GlobalMemoryStatus NetGetJoinInformation CryptCreateHash GetComputerNameA InternetOpenA InternetOpenUrlA InternetCloseHandle ReadCabinetState InternetOpenW InternetConnectW HttpOpenRequestW HttpSendRequestW NtDeleteValueKey HttpQueryInfoA RegEnumValueA CryptProtectMemory CreateServiceW WriteConsoleA CopyFileA WriteProcessMemory SendNotifyMessageA RegDeleteKeyA WriteConsoleW JsGlobalObjectDefaultEvalHelper ObtainUserAgentString StartServiceW NtQueueApcThread RtlAddVectoredContinueHandler CryptExportKey CryptGenKey CryptEncrypt NetUserGetInfo GetUserNameA InternetOpenUrlW system GetAdaptersInfo Module32FirstW NtGetContextThread Module32NextW RtlAddVectoredExceptionHandler NtSuspendThread OpenSCManagerA OpenServiceA NtQueryMultipleValueKey MessageBoxTimeoutA ControlService NtTerminateThread EncryptMessage DecryptMessage DeleteService FindWindowA RtlRemoveVectoredExceptionHandler ioctlsocket connect 
select SetWindowsHookExA CreateServiceA bind listen getsockname accept InternetCrackUrlA InternetConnectA HttpOpenRequestA HttpSendRequestA sendto shutdown RtlDecompressBuffer NtSetContextThread Thread32First Thread32Next CreateRemoteThread InternetReadFile CreateRemoteThreadEx timeGetTime DnsQuery_A InternetGetConnectedState RegisterHotKey CryptDecrypt CopyFileExW NtDeleteFile send DeleteUrlCacheEntryA EnumServicesStatusW recv NtWriteVirtualMemory InternetSetOptionA NtLoadDriver __anomaly__ EnumServicesStatusA RegDeleteValueA CertCreateCertificateContext InternetSetStatusCallback IWbemServices_ExecMethod AssignProcessToJobObject StartServiceA CryptProtectData CryptUnprotectData CryptUnprotectMemory SHA256

3083 rows × 284 columns

Created by: VHUHWAVHO
Downloaded 6 times
Ransomware_Detection_Using_Features_of_PE_Imports_2
A dataset of Portable Executable (PE) files and the features extracted from their imports (PE Imports). The following features are extracted:
1. The number of functions utilized per imported DLL, as a ratio.
2. The number of 'bogus' functions, that is, functions that are made up and typically have additional (non-alphabetic) characters in the name.
3. The number of functions utilized by the PE file that are blacklisted as functions typically imported by ransomware files.
4. The number of functions utilized by the PE file that are typically imported and used exclusively by goodware files ('whitelisted' functions).
5. The difference between the number of registry keys opened/created and those deleted by the end of the application.
6. The number of native functions utilized by the PE file.


label ave_functions_utilised_from_dlls_imported bogus_functions num_blacklisted_functions num_whitelisted_functions persistent_reg_key num_native_functions SHA256
0 M 1.115312 37 2 1 -1 0 4e0d1edb76747fd945b87dd18299298f0df719edbea946119d91db59a9b6527a
1 M 24.500000 0 1 0 0 0 bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
... ... ... ... ... ... ... ... ...
1829 M 2.950617 2 3 0 0 0 7d809e8c9b98c16647bbfac49854c28ecc3fe6d4345410deeaa79445cc50cf51
1830 M 0.813333 0 0 1 0 0 eb920e0fc0c360abb901e04dce172459b63bbda3ab8152350885db4b44d63ce5

1831 rows × 8 columns

Created by: Tanatswa Dendere
Downloaded 5 times

Contact Us

Department of Computer Science, University of Pretoria
