The sea urchin — headless executable analyzer with MITRE ATT&CK mapping.
Wana is a static malware analysis engine in 2.5MB. Feed it a PE or ELF binary and it returns a threat verdict backed by import table intelligence, entropy analysis, packer detection, string forensics, and behavioral pattern matching — all mapped to MITRE ATT&CK techniques.
No sandbox. No VM. No signatures to update. Just structural analysis at the binary level.
```sh
wana suspicious.exe
wana --json malware_sample.dll
leviathan -d target.com -s | mano -s | xargs -I{} wget {} -O sample && wana sample
```

One binary in. Threat verdict out.
```text
$ wana dropper.exe
Threat Score: 87/100 | Category: MALICIOUS | Confidence: High

Top Findings:
1. [!!] Process injection pattern (VirtualAllocEx + WriteProcessMemory + CreateRemoteThread)
2. [!!] Packer detected: UPX (modified)
3. [!!] Known mutex: "d4rkc0met_mtx" → DarkComet RAT
4. [!]  Anti-debug APIs (IsDebuggerPresent, NtQueryInformationProcess)
5. [!]  File download capability (URLDownloadToFileA, InternetOpenA)
```
- Import table intelligence — every imported API mapped to MITRE ATT&CK technique, tactic, and severity
- Behavioral pattern detection — DLL injection, process hollowing, keylogging, screen capture, ransomware, credential theft, privilege escalation, lateral movement, service manipulation
- Section analysis — per-section entropy, RWX detection, size ratio anomalies
- Rich header parsing — compiler/toolchain fingerprinting via XOR-decrypted Rich header
- TLS callback detection — code that runs before main()
- Resource extraction — embedded data inventory
- Imphash — import hash for malware family clustering
- Packer detection — 24 signatures (UPX, Themida, VMProtect, MPRESS, Enigma, ASPack, etc.)
- Dynamic symbol analysis — imports, exports, needed libraries
- Security properties — PIE, RELRO, executable stack, BIND_NOW
- Section entropy — packed/encrypted section detection
- Suspicious function detection — ptrace, memfd_create, mprotect, dlopen patterns
- ASCII + UTF-16LE extraction with automatic categorization
- Categories: URLs, IPs, registry paths, file paths, emails, mutex candidates, PDB paths, crypto wallet addresses
- C2 indicator matching — gate.php, Cobalt Strike beacons, dynamic DNS, PowerShell cradles, suspicious user-agents
- Suspicious mutex matching — 45+ known malware family mutexes (Emotet, Trickbot, DarkComet, njRAT, Remcos, WannaCry, Formbook, Agent Tesla, etc.)
- Registry persistence paths — Run keys, AppInit_DLLs, IFEO, COM hijack, security policy tampering
- ROR13 hash table — 120+ common APIs with precomputed hashes
- Detects shellcode-style API resolution by hash value
- Covers kernel32, ntdll, user32, advapi32, ws2_32, wininet, urlmon
- 0-100 threat score with confidence level (Low/Medium/High)
- 20 scoring rules weighted by severity
- Categories: Clean (<25), Suspicious (25-49), Likely Malicious (50-74), Malicious (75+)
- Top 5 reasons sorted by impact
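The ROR13 hash-table check described above (precomputed API hashes, matched against constants found in the binary), as an added example in Rust that is not wana's own code. It assumes the classic rotate-right-13-then-add variant over the ASCII function name without the null terminator; the four-entry API list and the sample bytes are constructed for the demonstration.

```rust
use std::collections::HashMap;

/// Classic ROR13 API-name hash: rotate the running value right by 13 bits,
/// then add the next byte. No null terminator is folded in (assumption: the
/// page does not state which variant wana's table uses).
pub fn ror13_hash(name: &str) -> u32 {
    name.bytes()
        .fold(0u32, |h, b| h.rotate_right(13).wrapping_add(u32::from(b)))
}

/// Precompute hash -> API name, the same shape as a "120+ entry" table.
pub fn build_hash_table(apis: &[&'static str]) -> HashMap<u32, &'static str> {
    apis.iter().map(|&api| (ror13_hash(api), api)).collect()
}

/// Scan raw bytes for little-endian u32 constants equal to a known hash.
/// Every byte offset is tried, because an immediate operand inside shellcode
/// (e.g. `push imm32`) is not 4-byte aligned.
pub fn find_hashed_apis(
    data: &[u8],
    table: &HashMap<u32, &'static str>,
) -> Vec<(usize, &'static str)> {
    data.windows(4)
        .enumerate()
        .filter_map(|(off, w)| {
            let v = u32::from_le_bytes([w[0], w[1], w[2], w[3]]);
            table.get(&v).map(|&name| (off, name))
        })
        .collect()
}

fn main() {
    let table = build_hash_table(&["LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess"]);
    // Constructed sample bytes: a NOP sled, then two `push imm32` (0x68)
    // carrying the LoadLibraryA and GetProcAddress hash constants, little-endian.
    let sample: [u8; 15] = [
        0x90, 0x90, 0x90, 0x90, 0x90,
        0x68, 0x8E, 0x4E, 0x0E, 0xEC, // push 0xEC0E4E8E
        0x68, 0xAA, 0xFC, 0x0D, 0x7C, // push 0x7C0DFCAA
    ];
    for (off, name) in find_hashed_apis(&sample, &table) {
        println!("offset {off:#06x}: ROR13 hash of {name}");
    }
}
```

A hit at an unaligned offset inside a section with no matching import entry is the signal worth scoring; the same constant inside a legitimate hashing library's data is the false-positive case to keep in mind.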
| Tactic | Techniques |
|---|---|
| Execution | T1059 (Command Execution), T1106 (Native API) |
| Persistence | T1547 (Registry Run Keys), T1543 (Services), T1053 (Scheduled Tasks), T1574 (DLL Side-Loading) |
| Privilege Escalation | T1134 (Token Manipulation) |
| Defense Evasion | T1055 (Process Injection), T1497 (Anti-Debug/Sandbox), T1070 (Indicator Removal), T1027 (Obfuscation), T1140 (Deobfuscation) |
| Credential Access | T1003 (Credential Dumping) |
| Discovery | T1082 (System Info), T1033 (User Discovery), T1057 (Process Discovery), T1083 (File Discovery), T1012 (Registry Query), T1135 (Network Share) |
| Collection | T1056 (Keylogging), T1113 (Screen Capture), T1115 (Clipboard) |
| Command and Control | T1071 (Web/Socket Protocols), T1105 (Tool Transfer), T1048 (DNS Exfiltration) |
| Lateral Movement | T1021 (SMB/Admin Shares) |
| Impact | T1486 (Ransomware Encryption), T1490 (System Recovery Inhibition) |
```sh
# Basic analysis
wana sample.exe

# JSON output (pipe to jq, feed to SIEM)
wana --json sample.exe | jq '.verdict'

# Just the verdict
wana --verdict-only sample.exe sample2.dll sample3.sys

# Analyze multiple files
wana *.exe

# Show all extracted strings
wana --all-strings sample.exe

# Custom minimum string length
wana --min-string-len 8 sample.exe

# Quiet mode (no banner)
wana -q --json sample.exe
```

| Table | Entries | Purpose |
|---|---|---|
| API → MITRE ATT&CK | 160+ mappings | Import categorization by technique/tactic/severity |
| API ROR13 hashes | 120+ entries | Shellcode API hash resolution |
| Packer signatures | 24 packers | Section names + entry point byte patterns |
| Suspicious registry paths | 50+ paths | Persistence/policy manipulation detection |
| Suspicious file paths | 30+ paths | Common drop location detection |
| Malware mutexes | 45+ patterns | Family identification by mutex name |
| C2 indicators | 80+ patterns | Beacon URLs, user-agents, DNS patterns |
| Crypto wallet regex | 7 currencies | BTC, ETH, XMR, LTC, BCH, DASH, ZEC |
All data is compiled into the binary as static arrays. No config files, no database, no network access. 2.5MB standalone.
leviathan → puhi → mano → wana

| Tool | Step | Target |
|---|---|---|
| leviathan | find | subdomains |
| puhi | map | DNS |
| mano | probe | HTTP |
| wana | analyze | binaries |
```sh
git clone https://github.com/copyleftdev/wana.git
cd wana
cargo build --release
cp target/release/wana /usr/local/bin/
```

Requires Rust 1.70+. No runtime dependencies.
MIT