Skip to content

malware

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

malware

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
build_samples.py
build_samples.py
 
 

README.md

Evil Binaries - Multi-Architecture Test Samples

This directory contains inert test binaries used for CrowdStrike Falcon detection testing.

Files

  • build_samples.py - Generates obfuscated, self-decrypting ELF binaries (no libc, raw syscalls)
  • sample-<arch> - Compiled binary for the given architecture (e.g., sample-aarch64, sample-x86_64)

What the Test Binary Does

The sample binaries are inert test tools that:

  1. Attempt to create a TCP connection to 192.168.0.1 on port 4444
  2. Are designed to trigger CrowdStrike Falcon's on-sensor machine learning detection
  3. Do NOT contain any actual malicious code or payloads
  4. Exit immediately (either blocked by Falcon or due to connection failure)

Building

Build self-decrypting ELF binaries for all supported architectures (aarch64, x86):

./build_samples.py

These binaries use raw syscalls, XOR self-decryption, and a minimal ELF layout (single RWE segment, no sections) to trigger ML-based detection. Build specific architectures with:

./build_samples.py --arch aarch64
./build_samples.py --arch aarch64 --arch x86
./build_samples.py --outdir ../../bin/evil/

Note

These are legitimate security testing tools used by CrowdStrike for detection validation. They are not actual malware and contain no harmful code.