Dorothy 2: A malware/botnet analysis framework


Dorothy 2

Dorothy 2 is a malware/botnet analysis framework written in Ruby.

Dorothy 2 is a framework created for suspicious binary analysis. Main strengths of Dorothy are a very flexible modular environment and an interactive investigation framework with a particular care of the network analysis. Additionally, it is able to recognize newly spawned processes by comparing them with a previously created baseline. Static binary analysis and an improved system behavior analysis will be shortly introduced in the next versions. Dorothy 2 analyses binaries by the use of pre-configured analysis profiles.


Dorothy 2 analysis profile is composed of the following elements:


The use of profiles gives the researcher the possibility to run analysis on a set of binaries by using different environments. As it is known, some malwares are configured to run only in the specific environment.

The first three modules of Dorothy are publicly released under GPL 2/3 license as tribute to the the Honeynet Project Alliance. All the information generated by the framework – i.e. binary info, timestamps, dissected network analysis.

Dorothy needs the following software:

  • VMWare ESX >= 5.0 (tip: if you download ESXi, you can evaluate ESX for 30 days)
  • Ruby 1.9.3
  • Postgres >= 9.0
  • At least one Windows virtual machine
  • One unix-like machine dedicated to the Network Analysis Engine(NAM) (tcpdump/ssh needed)
  • pcapr-local (only used by doroParser)
  • MaxMind libraries (only used by doroParser)


The framework is mainly composed of five modules that can be even executed separately.

  • The Binary Fetcher Module (BFM)
  • The Dorothy analysis engine
  • The (network) Data Extraction Module (old dparser)
  • The (dummy) Webgui
  • The Java Dorothy Drone

Most Popular Training Courses at Indian Cyber Security Solutions

Summer Training for CSE, IT, BCA & MCA Students 

Network Penetration Tester Training

Ethical Hacking  training

Python Programming training

 RHCE  training

CEH V9  training

Diploma in Network Security Training

Secure Coding in Java

Diploma in Web Application Security 

Certified Web Application Penetration Tester 

Certified Android Penetration Tester 

Certified Python Programming 

Advanced Python Training 

Reverse Engineering Training  

Amazon Web Services Training  

VMware Training 

Digital marketing

CCNA training

Android Training

Cybersecurity services that can protect your company:

Web Security | Web Penetration Testing

Network Penetration Tester – NPT

Android App Penetration Testing

Source Web Development

Source Code Review

Android App Development

Digital Marketing Consultancy

Data Recovery

Leave a Reply

Your email address will not be published. Required fields are marked *



Click one of our representatives below to chat on WhatsApp or send us an email to [email protected]

× Hi How can we help you