About Azul
ASD has released Azul, an open-source malware analysis tool designed for large-scale malware analysis by network defenders, incident responders and malware analysts in large organisations and government agencies. It is built to be highly scalable and to store tens of millions of samples.
Azul provides the capability to explore, analyse and correlate malware at scale, and was created by ASD to help malware analysts save time on routine analysis tasks, enabling them to use their expertise to analyse the malware that poses the biggest threat.
Manual reverse engineering can take hours to get basic Indicators of Compromise (IOCs) out of samples, days to determine the capabilities of malware, and months to get an in-depth understanding of families of malware. Azul can turn common analysis steps into analysis plugins, which can be used as part of an automated workflow and assist in identifying variants of a malware family more efficiently.
How Azul works
The tool combines a structured repository with plugins and tooling to extract metadata, perform binary analysis and support clustering of related samples.
Access to Azul’s open-source code is available on ASD’s ACSC GitHub. This includes documentation and components for integrating additional analytical features or building custom workflows aligned with organisational needs.
Please note, Azul does not identify whether files are malicious. Anything stored in Azul should first be identified as suspicious or malicious through binary triage tools like Assemblyline, incident response activities, threat hunting, or honeypots.
Malware repository
Azul tracks the origin information of malware that is supplied during upload. This information is configurable and can include hostnames, filenames, network information, timestamps, and other contextual information. Files are stored in an S3-compatible system.
Azul is designed to be highly scalable, and intended to store tens of millions of samples for all time.
Analytical engine
Once malware is uploaded to the repository, Azul provides a framework for automating scripts that have been derived from reverse engineering efforts, to pull out IOCs or other interesting features. This automation saves time on repetitive manual tasks.
Users can access a variety of static analysis tooling to handle archive decompression, common Microsoft Office formats, Yara rules, Snort signatures and more.
As plugins are improved and updated, analysis can be repeated on historical artefacts as necessary, which can give new insights into past incidents.
Clustering suite
By using features of OpenSearch, Azul can also help users find commonalities between different samples of malware, to determine common upstream infrastructure, patterns of development and more. This, combined with integrating data from industry reporting, leads to more effective outcomes for reverse engineering efforts.
Intended audience
Azul is designed to support malware investigators, incident responders, analysts and cyber teams in large organisations and government agencies.
Benefits of using Azul
Leveraging open-source tools like Azul supports a broad and enduring uplift in malware analysis capability. Such tools enable government and private sector partners to collaborate on threat understanding, quickly identify common malware behaviours, and improve the speed and precision of response activities.
- Scalable, fully open-source malware analysis automation framework built on industry standard technologies.
- Safely share, store and retrieve malware.
- One-stop overview of CTI outputs, enabling self-service for intrusion analysts, incident responders and threat hunters.
- Cloud-native technology with asynchronous distributed processing.
- Granular security markings to control visibility and access for sensitive samples.
- Browser based, no desktop application required.
- Seamless integration into existing user authentication, processing workflows, and automation pipelines.
- Web-based analyst UI for quick and easy access, in-browser searchable hex and strings view.
- Built-in viewer for detailed tool output, such as decompilation, system call log, detected capabilities, raw file structure and layout.
- Detailed view of all extracted sample features and their source plugins, assisting with file triage or informing manual reverse engineering.
- Automatic extraction and linkage of nested files and fragments: archive files, executable file segments and resources, embedded images.
- Extensible plugin framework designed for ongoing development of your own detection, analysis, and extraction logic.
- Python plugin templates for quick start, REST API allows for development in any other language.
- Search, correlate, and compare based on shared sample features or context-sensitive hashes (SSDEEP and TLSH).
- Pivot on any feature of interest to find related binary samples, or search by any combination of feature values.
- Automatically detect and decode obfuscated features of interest such as URI and User-Agent strings under many XOR or base64 encodings.
- Built-in support for common analysis and detection standards including Yara rules and MACO malware config extraction routines.
- Azul is built in Python, Golang and TypeScript, and makes use of many other great open source software projects.
- Azul is designed to run on the Kubernetes software stack via Helm chart, and supports monitoring/alerting via Prometheus, Loki & Grafana.
- Containerised processing system deployable via Helm chart to any Kubernetes cluster.
- OpenSearch document-store backend supports bulk metadata storage and correlation, scalable to your requirements and budget.
- File content storage using an S3-compatible blob store for easy portability.
- Event queueing system built on Apache Kafka for reliable tracking of processing jobs.
- Flexible identity management using existing OAuth2 user accounts.
- REST API and Python client to insert or query samples, allowing integration with existing manual or automated workflows.
- Configurable age-off of sample data and metadata to fit your storage and policy requirements.
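As an added illustration of the kind of decoding the "obfuscated features of interest" bullet describes, the Python below searches a byte buffer for URIs hidden under single-byte XOR or base64. It is not Azul's own code and does not use its plugin API; the sample bytes and the `example.invalid` hostnames are constructed for the demonstration.

```python
import base64
import re

# Candidate URI pattern; each decoder below searches for it in its transform.
URI_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Runs of the base64 alphabet long enough to be worth decoding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def xor_uris(data: bytes) -> dict[int, list[bytes]]:
    """Try every single-byte XOR key and keep the keys that reveal a URI."""
    hits = {}
    for key in range(1, 256):
        found = URI_RE.findall(bytes(b ^ key for b in data))
        if found:
            hits[key] = found
    return hits


def base64_uris(data: bytes) -> list[bytes]:
    """Decode base64-looking runs and keep any URIs found inside them."""
    out = []
    for match in B64_RE.finditer(data):
        try:
            decoded = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        out.extend(URI_RE.findall(decoded))
    return out


def extract_uris(data: bytes) -> dict:
    """Plain, single-byte-XOR and base64-hidden URIs from one buffer."""
    return {
        "plain": URI_RE.findall(data),
        "xor": xor_uris(data),
        "base64": base64_uris(data),
    }


# Constructed sample: a null-terminated URI XORed with 0x5A, then a base64 URI.
KEY = 0x5A
SAMPLE = (
    b"MZ\x90\x00"
    + bytes(b ^ KEY for b in b"http://c2.example.invalid/gate.php\x00")
    + b"\x00\x00"
    + base64.b64encode(b"https://update.example.invalid/payload")
    + b"\x00"
)

if __name__ == "__main__":
    print(extract_uris(SAMPLE))
```

The single-byte and base64 cases shown here are only the simplest of the encodings the bullet refers to; multi-byte or rolling XOR keys need a different search.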
More information
- Learn more about the tool through ASD’s ACSC Azul website and the GitHub site.
- For help with Azul, please raise a Discussion or Issue on the GitHub site.
- For more guidance on how to create an Issue, please refer to the Known Issues before looking at the Contributing Guide.