PyTriage: A malware analysis framework

PyTriage is an easily extensible malware analysis framework. This is based on version 1. A new version is in the works.

  1. STATIC MALWARE ANALYSIS WITH PYTRIAGE
     Yashin Mehaboobe, Security Researcher, Cyber Security and Privacy Foundation
  2. #WHOAMI
     • Head, Icarus Labs (CSPF)
     • Author of PyTriage
     • Found a DoS bug in Android
     • Spoke at Defcon Kerala and Defcon Bangalore
     • Other contributions include a static, file-based web application fingerprinter for nmap
     • Interests: Hardware Hacking, Reverse Engineering, Malware Analysis and Open Source Contribution
  3. WHY ANALYZE MALWARE? AKA PLAYING WITH FIRE
     • Deduce the origin and intent of the code
     • Reduce and contain the damage caused
     • Prevent further infections
     • Identify how it got in and how it can spread further
     • Sheer curiosity!
  4. STATIC VS DYNAMIC
     • Static analysis means obtaining the hashes, the import and export tables, and plain disassembly.
     • Dynamic analysis means running the sample under a debugger, checking the registry for changes and finding memory artifacts.
     • Static is safer, but conclusions cannot be drawn with high precision.
     • Dynamic poses a higher degree of danger to the system but gives a more accurate view of how the malware functions.
  5. PRECAUTIONS
     • Use a VM.
     • Better yet, use a dedicated workstation which is reimaged constantly.
     • Do not connect the analysis system to any production networks.
     • Malware sandboxes are fine too.
     • Use a sneakernet ;)
  6. INTRODUCING PYTRIAGE
     • Quickly analyze malware
     • Find what sort of file it is
     • Identify the PE sections, their sizes and their hashes
     • Find out what DLLs and functions are imported and exported
     • Automatically generate signatures for ClamAV and YARA
     • Check whether the file is flagged as infected on VirusTotal
  7. WHY PYTRIAGE?
     • The alternative is to run an array of separate tools
     • Some of them are available only on certain platforms
     • PyTriage lets you run most static analysis steps within one tool
     • Easily extensible
     • Automated signature generation
  8. BASIC FILE INFO AND HASHES
  9. IMPORT AND EXPORT TABLES
  10. VIRUSTOTAL INTEGRATION
  11. REPORT GENERATION
  12. TODO
      • Dynamic analysis
      • Malware communication analysis
      • Customized reports…
      • Yada yada yada…
  13. FURTHER READING AND REFERENCE
  14. THANK YOU
      Contact me: twitter.com/YashinMehaboobe, yashinm@cysecurity.org
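The section-hashing and signature-generation steps from slides 6 and 8, as an added stdlib-only example; this is not PyTriage's own code. It walks the PE section table by hand, hashes each section's raw bytes, flags a section whose header claims more raw data than the file holds, and emits a ClamAV `.hdb` line (MD5:FileSize:MalwareName) and a YARA rule using the `hash` module. The two-section PE it builds is a constructed test fixture, not a real binary.

```python
import hashlib
import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)

def parse_sections(data):
    """Walk the PE section table and hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    nsec, opt_size = coff[1], coff[5]
    off = e_lfanew + 4 + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for _ in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from(SECTION_FMT, data, off)[:5]
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "truncated": len(raw) != raw_size,   # header claims bytes the file lacks
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
        off += struct.calcsize(SECTION_FMT)
    return sections

def clamav_hdb_line(data, name):
    """ClamAV .hdb entry: MD5:FileSize:MalwareName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"

def yara_rule(data, name):
    """Whole-file hash match via YARA's hash module."""
    return (f'import "hash"\nrule {name} {{\n  condition:\n'
            f'    hash.sha256(0, filesize) == "{hashlib.sha256(data).hexdigest()}"\n}}')

def build_sample_pe():
    """Constructed two-section PE32 for offline testing (minimal headers, not executable)."""
    secs = [(b".text", b"\x55\x8b\xec\xc3" * 8), (b".data", b"constructed")]
    opt = struct.pack("<H", 0x10B) + b"\0" * 22                 # PE32 magic plus padding
    hdr_len = 64 + 4 + struct.calcsize(COFF_FMT) + len(opt) + 40 * len(secs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew -> offset 64
    coff = struct.pack(COFF_FMT, 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table, body, ptr = b"", b"", hdr_len
    for name, raw in secs:                                       # raw data follows the headers
        table += struct.pack(SECTION_FMT, name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + table + body

if __name__ == "__main__":
    pe = build_sample_pe()
    for s in parse_sections(pe):
        print(s)
    print(clamav_hdb_line(pe, "Example.Sample-1"))
    print(yara_rule(pe, "example_sample"))
```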
