PeMCP
PeMCP - AI-Powered Binary Analysis
claude mcp add --transport stdio \
  --env ARKANA_PORT=8082 \
  --env ARKANA_TOKEN=your-token \
  jamezuk-pemcp -- docker run -i jamezuk/pemcp
ARKANA_PORT is the web dashboard port exposed by the container; ARKANA_TOKEN is an optional authentication token for dashboard access.
How to use
PeMCP (Arkana) is an MCP server that exposes a large suite of malware analysis tools behind a single AI-driven interface. It orchestrates decompilation, emulation, static and dynamic analysis, YARA/CAPA/signature scanning, data transforms, and cross-binary intelligence to help you investigate PE, ELF, Mach-O, .NET, Go, Rust, and shellcode samples. You can describe your information needs in natural language, and the MCP client (e.g., Claude Code) will direct Arkana to run the appropriate analysis tools, aggregate results, and present a unified report. The server also provides a real-time web dashboard on port 8082 to monitor binary summaries, function triage, call graphs, strings, notes, and analysis history. Use cases include rapid triage of a new sample, extracting IOCs and C2 indicators, identifying anti-analysis patterns, and iteratively refining hypotheses with AI-guided prompts.
To interact with PeMCP, connect your MCP client to the server and issue natural-language prompts describing what you want to know about a sample. The AI will orchestrate tools such as decompilation, symbolic execution, signature scanning, data transforms, and cross-referencing to deliver structured results, annotated findings, and actionable next steps. The dashboard provides a visual summary of the analysis timeline, function triage, and strings explorer to supplement the AI-driven output.
How to install
Prerequisites:
- Docker installed on your host (Docker Desktop or equivalent).
- Sufficient CPU/RAM for malware analysis workflows (at least 4 cores and 8 GB RAM recommended).
Installation steps:
- Pull or prepare the PeMCP container image: docker pull jamezuk/pemcp
- Run the MCP server container (exposing the dashboard on 8082): docker run -d --name pemcp -p 8082:8082 -p 8080:8080 jamezuk/pemcp
- Verify the server is running: docker ps, then curl http://localhost:8082
- If you need to customize ports or environment variables, pass them through -e and -p as needed, for example: docker run -d --name pemcp -p 8082:8082 -e ARKANA_PORT=8082 -e ARKANA_TOKEN=your-token jamezuk/pemcp
- Access the MCP dashboard at http://localhost:8082 (token-based authentication may be configured via ARKANA_TOKEN).
- Optional: Integrate with your MCP client using the standard MCP protocol to send analysis prompts and receive structured results.
Additional notes
Tips and common considerations:
- Docker-first deployment: The container is designed to run with a real-time web UI on port 8082. Ensure your firewall allows access to this port if you’re connecting remotely.
- Environment variables: ARKANA_PORT controls the dashboard port inside the container; ARKANA_TOKEN enables optional authentication for the dashboard. Set them via -e when running the container.
- Resource planning: For large analyses or multiple concurrent samples, allocate additional CPU cores and memory to the container to avoid throttling.
- Data persistence: If you need persistence across restarts, consider mounting a volume for analysis results and notes and wiring the container’s paths accordingly.
- Troubleshooting: If the dashboard does not load, check container logs (docker logs pemcp) for startup errors, verify port mappings, and confirm the container is healthy.
- Updates: When updating, pull the latest image and recreate the container to ensure you have the newest tools and fixes.