{"id":29279583,"url":"https://github.com/dantex86/iremove-malware-analysis","last_synced_at":"2025-07-31T12:05:51.638Z","repository":{"id":300894486,"uuid":"1007485059","full_name":"DanteX86/iremove-malware-analysis","owner":"DanteX86","description":"Comprehensive analysis of iRemove malware targeting macOS systems - Security research and threat intelligence","archived":false,"fork":false,"pushed_at":"2025-06-24T14:38:31.000Z","size":443,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-07-05T14:09:26.512Z","etag":null,"topics":["cybersecurity","iocs","macos","malware-analysis","network-forensics","security-research","threat-intelligence","yara-rules"],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DanteX86.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-24T04:37:08.000Z","updated_at":"2025-06-24T14:38:35.000Z","dependencies_parsed_at":"2025-06-24T06:26:40.158Z","dependency_job_id":"f642d9c4-237f-4545-8f09-74d1ba96604c","html_url":"https://github.com/DanteX86/iremove-malware-analysis","commit_stats":null,"previous_names":["dantex86/iremove-malware-analysis"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/DanteX86/iremove-malware-analysis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanteX86%2Firemove-malware-analysis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanteX86%2Firemove-malware-analysis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanteX86%2Firemove-malware-analysis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanteX86%2Firemove-malware-analysis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DanteX86","download_url":"https://codeload.github.com/DanteX86/iremove-malware-analysis/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DanteX86%2Firemove-malware-analysis/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268035777,"owners_count":24185098,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-31T02:00:08.723Z","response_time":66,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","iocs","macos","malware-analysis","network-forensics","security-research","threat-intelligence","yara-rules"],"created_at":"2025-07-05T14:01:01.518Z","updated_at":"2025-07-31T12:05:51.607Z","avatar_url":"https://github.com/DanteX86.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🕵️ iRemove.tools Surveillance Malware Analysis\n\n**Historical Case Study \u0026 Threat Intelligence Research**\n\nThis repository contains the complete investigative analysis of the iRemove.tools surveillance malware campaign - a comprehensive 3+ year study (2022-2025) that uncovered a sophisticated global criminal enterprise operating surveillance software disguised as MDM bypass tools.\n\n[![Research](https://img.shields.io/badge/research-complete-green.svg)](docs/threat-intelligence/)\n[![License](https://img.shields.io/badge/license-MIT-green.svg)](LICENSE)\n[![Threat Intel](https://img.shields.io/badge/threat--intel-STIX%202.1-blue.svg)](iocs_stix.json)\n\n## 🎯 **OVERVIEW**\n\nThis repository documents the complete investigation into iRemove.tools - what began as analysis of a suspicious MDM bypass tool uncovered a global surveillance operation with advanced evasion techniques, multi-language support, and sophisticated criminal infrastructure.\n\nThe investigation led to the development of **ARTEMIS** (now maintained separately), but this repository preserves the original research, methodologies, and findings that exposed this significant threat.\n\n\u003e **📣 IMPORTANT NOTE**: The ARTEMIS malware analysis toolkit has been extracted into its own dedicated repository for ongoing development. For the latest version of the analysis tools, visit:\n\u003e \n\u003e **🏹 [ARTEMIS Malware Analysis Toolkit](https://github.com/your-username/artemis-malware-toolkit)**\n\u003e\n\u003e This repository remains focused on the historical iRemove.tools investigation and serves as a comprehensive case study in threat research methodology.\n### **🔍 Investigation Highlights:**\n\n- 📊 **3+ Year Timeline** - Complete operational analysis (2022-2025)\n- 🌍 **Global Scale** - 9-language international criminal enterprise\n- 🎭 **Advanced Evasion** - Sophisticated techniques to avoid detection  \n- 💰 **Commercial Operation** - Professional website, payment processing, customer support\n- 🔍 **Technical Analysis** - Complete malware teardown and IOC extraction\n- 📋 **Threat Intelligence** - STIX 2.1 formatted indicators and YARA rules\n- 🏛️ **Attribution Analysis** - Criminal infrastructure and operational assessment\n\n## 🔎 **ACCESSING THE RESEARCH**\n\n```bash\n# Clone the research repository\ngit clone \u003crepository-url\u003e\ncd iremove-malware-analysis\n\n# View threat intelligence reports\ncat docs/threat-intelligence/FINAL_THREAT_INTELLIGENCE_REPORT.md\ncat docs/threat-intelligence/OPERATIONAL_INTELLIGENCE_REPORT.md\n\n# Examine IOC data\ncat iocs_stix.json    # STIX 2.1 format\ncat iocs_csv.csv      # CSV format for SIEM\ncat src/rules/*.yar   # YARA detection rules\n\n# For active malware analysis, see ARTEMIS toolkit:\n# https://github.com/your-username/artemis-malware-toolkit\n```\n\n## 📦 **TOOLKIT COMPONENTS**\n\n### **Core Analysis Engine:**\n- **`src/scripts/auto_analysis.sh`** - Main automated analysis script\n- **`src/scripts/ioc_analyzer.sh`** - IOC extraction and analysis\n- **`src/scripts/network_monitor.sh`** - Network monitoring setup\n- **`src/rules/*.yar`** - YARA detection rules\n- **`examples/test_sample.txt`** - Test file with embedded IOCs for validation\n\n### **Professional Threat Intelligence:**\n- **`THREAT_INTELLIGENCE_PACKAGE.md`** - Comprehensive threat analysis report\n- **`iocs_stix.json`** - STIX 2.1 formatted indicators\n- **`iocs_csv.csv`** - CSV format for SIEM integration\n- **`iremove_malware.yar`** - YARA detection rules\n\n### **Documentation:**\n- **`docs/threat-intelligence/`** - Threat intelligence reports\n- **`docs/analysis-reports/`** - IOC and analysis reports  \n- **`docs/installation/`** - Setup and installation guides\n- **`docs/guides/`** - Usage guides and examples\n\n### **Archive:**\n- **`archive/analysis-sessions/`** - Historical analysis sessions\n- **`archive/legacy-docs/`** - Legacy documentation files\n\n## 🔍 **ANALYSIS CAPABILITIES**\n\n### **Static Analysis:**\n```bash\n✅ File metadata and hashing (SHA256, MD5)\n✅ String extraction and analysis\n✅ IOC identification (domains, IPs, emails)\n✅ Binary symbol extraction\n✅ Dependency analysis\n✅ macOS .app bundle support\n```\n\n### **Threat Intelligence Generation:**\n```bash\n✅ Professional markdown reports\n✅ STIX 2.1 threat intelligence format\n✅ YARA rule creation\n✅ CSV IOC feeds for SIEM integration\n✅ Network monitoring setup\n✅ Attribution analysis\n```\n\n## 📊 **SAMPLE OUTPUT**\n\n```bash\n$ ./auto_analysis.sh \"/Applications/1Password.app\"\n\n🔍 Starting Automated Malware Analysis\nTarget: /Applications/1Password.app/Contents/MacOS/1Password\nAnalysis Directory: malware_analysis_20250624_013624\n\n📋 PHASE 1: Basic File Information ✅\n🔤 PHASE 2: String Analysis ✅ \n🔧 PHASE 3: Binary Analysis ✅\n🌐 PHASE 4: Network Monitoring Setup ✅\n📊 PHASE 5: Generating Analysis Report ✅\n\n📈 Quick Summary:\nFile: /Applications/1Password.app/Contents/MacOS/1Password\nSHA256: b5e29be38a8ee1bde467edf46a0aceda924904b017165a1cdbb1eb41c620cc27\nStrings: 3077 extracted\nPotential domains: 151 identified\nAnalysis files: 6 generated\n```\n\n## 🎓 **REAL-WORLD CASE STUDY**\n\nARTEMIS was developed during the analysis of a sophisticated surveillance campaign:\n\n- **Target**: iRemove.tools MDM bypass malware\n- **Duration**: 3+ year surveillance operation (2022-2025)\n- **Scope**: Global criminal enterprise with 9-language support\n- **Impact**: Professional threat intelligence package generated\n- **Outcome**: Complete operational disruption analysis\n\n[View Complete Case Study →](FINAL_THREAT_INTELLIGENCE_REPORT.md)\n\n## 🛠️ **SYSTEM REQUIREMENTS**\n\n### **Operating System:**\n- macOS 10.15 or later (tested on macOS Sonoma)\n- ARM64 or Intel architecture\n\n### **Dependencies:**\n```bash\n# Built-in macOS tools (no additional installation required)\n- file, strings, shasum, md5\n- nm, otool (Xcode Command Line Tools)\n- grep, find, sort, wc\n\n# Optional enhancements\n- class-dump (for detailed Objective-C analysis)\n- tcpdump (for network monitoring)\n```\n\n## 📋 **USAGE EXAMPLES**\n\n### **Basic Analysis:**\n```bash\n# Analyze system binary\n./src/scripts/auto_analysis.sh /usr/bin/ssh\n\n# Analyze downloaded application\n./src/scripts/auto_analysis.sh ~/Downloads/suspicious.app\n\n# Analyze with test sample\n./src/scripts/auto_analysis.sh examples/test_sample.txt\n```\n\n### **Professional Workflow:**\n```bash\n# 1. Run analysis\n./src/scripts/auto_analysis.sh suspicious_file\n\n# 2. Review generated reports\ncd malware_analysis_YYYYMMDD_HHMMSS/\ncat analysis_report.md\n\n# 3. Check IOCs\ncat potential_iocs.txt\n\n# 4. Set up monitoring (if needed)\nsudo ./src/scripts/network_monitor.sh\n```\n\n## 🏆 **PROFESSIONAL APPLICATIONS**\n\n### **Cybersecurity Career Development:**\n- **Resume Enhancement**: \"Developed automated malware analysis toolkit\"\n- **Portfolio Projects**: Working security tools with professional output\n- **Interview Preparation**: Concrete examples of technical capabilities\n- **Certification Support**: Practical experience for GCIH, GCFA, GCTI\n\n### **Security Operations:**\n- **Incident Response**: Rapid analysis of suspicious files\n- **Threat Hunting**: IOC extraction and intelligence generation  \n- **Forensic Analysis**: Professional documentation and reporting\n- **Security Research**: Methodology template for threat investigation\n\n## 📚 **DOCUMENTATION**\n\n- [🚀 Usage Guide](docs/guides/USAGE_GUIDE.md)\n- [🧪 Lab Setup Instructions](docs/installation/LAB_SETUP_GUIDE.md)\n- [🔍 Threat Intelligence Reports](docs/threat-intelligence/)\n- [📊 Analysis Reports](docs/analysis-reports/)\n- [📝 Contributing Guidelines](CONTRIBUTING.md)\n- [🔒 Security Policy](SECURITY.md)\n\n## 🤝 **CONTRIBUTING**\n\nARTEMIS was developed through real-world malware investigation. Contributions are welcome:\n\n1. **Fork the repository**\n2. **Create feature branch** (`git checkout -b feature/enhancement`)\n3. **Commit changes** (`git commit -am 'Add new feature'`)\n4. **Push to branch** (`git push origin feature/enhancement`)\n5. **Create Pull Request**\n\n## 📄 **LICENSE**\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n## 🙏 **ACKNOWLEDGMENTS**\n\n- **iRemove.tools Investigation**: Real-world case study that drove development\n- **Cybersecurity Community**: Threat intelligence sharing and methodology\n- **macOS Security Research**: Apple platform analysis techniques\n\n## 📞 **CONTACT**\n\nFor questions, collaboration, or professional inquiries:\n- **GitHub Issues**: For bug reports and feature requests\n- **Security Research**: For threat intelligence collaboration\n- **Professional Development**: For career and certification discussions\n\n---\n\n## 🎯 **VALIDATION TESTING**\n\nARTEMIS has been successfully tested on multiple platforms:\n\n### **Test Results:**\n```bash\n✅ Custom Test Sample:    4 domains, 1 IP, 1 email extracted\n✅ System Binary (/usr/bin/curl):  2441 strings, 27 domains\n✅ macOS Application (1Password):  3077 strings, 151 domains\n✅ Binary Analysis:       Symbols, dependencies, class dumps\n✅ Report Generation:     Professional markdown with timestamps\n```\n\n### **Production Readiness:**\n- ✅ **Error Handling**: Comprehensive file validation and helpful messages\n- ✅ **macOS Integration**: Native .app bundle support with automatic executable detection\n- ✅ **Professional Output**: Industry-standard analysis reports and IOC formats\n- ✅ **Real-world Validation**: Successfully analyzed legitimate applications\n\n---\n\n**ARTEMIS - From Surveillance Detection to Security Excellence** 🏹\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdantex86%2Firemove-malware-analysis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdantex86%2Firemove-malware-analysis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdantex86%2Firemove-malware-analysis/lists"}