Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.

09 Jun 2013 Marco Riccardi botnet dorothy malware sandbox

Howdy all,
I’ve the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby.

Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will be shortly introduced in further versions.
Dorothy is a multi-thread framework: it is able to execute as many concurrent analysis processes as the number of the VMs present in vSphere. So if you have 5 VMs for example, 5 binaries will be analyzed at time, by giving you 5 different output folders containing their network traffic and screenshots accordingly.
It is a very modular framework, and customizing/extending it can be very easy.

For more details, refer to its README

During the last years Dorothy2 helped me in several analysis/research on botnets and I
really hope that can now be useful to someone else.

Links below:

Ruby gem download

Code Repository


A redmine repository will be provided soon.

m4rco- The Italian Honeynet Project