Graph me, I’m famous! – Automated static malware analysis and indicator extraction for binaries

March 23, 2017 (at 2:30 p.m.) in Attack and Research

Stirring around in a binary is the RE's biggest joy; the incident responder's biggest joy is to have her RE hand her a long-ish list of indicators to dig for, within the first five minutes of incident response. If not sooner, even?

This talk will present a tool which helps both reverse engineers and incident responders. It is based on radare2 and dumps call graphs, along with API calls and string references, to a Neo4j database. Dubbed r2graphity, it is intended on the one hand as a standalone tool that supports the reverse engineer when exploring a binary, and on the other hand to aid the incident responder when integrated with MISP. MISP is a sharing platform where one can store and share the threat indicators relevant to one specific case, but also uncover correlations with other incidents.

We will briefly discuss the shortcomings of sandboxes, and why static malware analysis makes sense at all. We will explain how an accurate call graph can be reconstructed from a compiled Windows binary, and also how these graphs are feasibly stored within a graph database. Finally, a case study using binaries from the notorious APT28 will show how automated extraction of binary intestines within MISP helps during incident response.
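To make the pipeline sketched above concrete, here is an added example (not r2graphity's own code, and not the radare2 output format): it takes a constructed, simplified listing of functions with their callees and string references, separates internal calls from imported API calls to build the call graph, emits idempotent Cypher statements that load the graph into Neo4j, and walks the graph from the entry point to collect the API names and strings an incident responder would want as a first indicator list. The `sym.imp.` prefix, the node labels (`Sample`, `Function`, `Api`, `String`) and the sample data are this example's assumptions.

```python
"""Call graph plus API/string references -> Cypher for Neo4j.

Added illustration of the pipeline the abstract describes (disassembler
output -> call graph -> graph database). It is not r2graphity's code; the
input below is a constructed, simplified stand-in for what a disassembler
reports, and the Cypher labels are this example's own choice.
"""
from collections import defaultdict

IMPORT_PREFIX = "sym.imp."  # assumed prefix marking imported (API) symbols

# Constructed sample input: three functions of a fictitious PE file.
SAMPLE_FUNCTIONS = [
    {"name": "entry0", "addr": 0x401000,
     "calls": ["fcn.401100", "fcn.401200"], "strings": []},
    {"name": "fcn.401100", "addr": 0x401100,
     "calls": ["sym.imp.kernel32.dll_CreateFileA", "sym.imp.kernel32.dll_WriteFile"],
     "strings": ["C:\\Users\\Public\\update.dat"]},
    {"name": "fcn.401200", "addr": 0x401200,
     "calls": ["sym.imp.wininet.dll_InternetOpenA",
               "sym.imp.wininet.dll_InternetOpenUrlA", "fcn.401100",
               "fcn.deadbeef"],  # last callee is unresolved on purpose
     "strings": ["http://c2.example.invalid/check", "Mozilla/4.0"]},
]


def build_call_graph(functions):
    """Split each function's callees into internal edges and imported API calls.

    Returns (edges, api_calls, string_refs):
      edges       - set of (caller, callee) pairs between internal functions
      api_calls   - dict function -> set of imported API names (module_Name)
      string_refs - dict function -> list of referenced strings
    Callees that are neither internal nor imports are unresolved and dropped.
    """
    internal = {f["name"] for f in functions}
    edges, api_calls, string_refs = set(), defaultdict(set), {}
    for f in functions:
        for callee in f["calls"]:
            if callee.startswith(IMPORT_PREFIX):
                api_calls[f["name"]].add(callee[len(IMPORT_PREFIX):])
            elif callee in internal:
                edges.add((f["name"], callee))
        string_refs[f["name"]] = list(f["strings"])
    return edges, dict(api_calls), string_refs


def _q(value):
    """Quote a string literal for Cypher (escape backslash and single quote)."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_cypher(sample_id, functions, edges, api_calls, string_refs):
    """Emit MERGE statements that load the graph into Neo4j idempotently.

    Function nodes are keyed per sample; Api and String nodes are shared, so a
    second sample referencing the same URL or API attaches to the same node.
    """
    sid = _q(sample_id)
    stmts = [f"MERGE (:Sample {{id: {sid}}})"]
    for f in functions:
        stmts.append(
            f"MATCH (s:Sample {{id: {sid}}}) "
            f"MERGE (fn:Function {{sample: {sid}, name: {_q(f['name'])}}}) "
            f"SET fn.addr = {f['addr']} MERGE (s)-[:CONTAINS]->(fn)")
    for caller, callee in sorted(edges):
        stmts.append(
            f"MATCH (a:Function {{sample: {sid}, name: {_q(caller)}}}), "
            f"(b:Function {{sample: {sid}, name: {_q(callee)}}}) "
            f"MERGE (a)-[:CALLS]->(b)")
    for fn, apis in sorted(api_calls.items()):
        for api in sorted(apis):
            stmts.append(
                f"MATCH (fn:Function {{sample: {sid}, name: {_q(fn)}}}) "
                f"MERGE (api:Api {{name: {_q(api)}}}) MERGE (fn)-[:CALLS_API]->(api)")
    for fn, strings in sorted(string_refs.items()):
        for s in strings:
            stmts.append(
                f"MATCH (fn:Function {{sample: {sid}, name: {_q(fn)}}}) "
                f"MERGE (str:String {{value: {_q(s)}}}) MERGE (fn)-[:REFERENCES]->(str)")
    return stmts


def indicators_from(entry, edges, api_calls, string_refs):
    """Depth-first walk from `entry`; collect reachable functions, APIs, strings."""
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    seen, stack, apis, strings = set(), [entry], set(), set()
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        apis |= api_calls.get(fn, set())
        strings |= set(string_refs.get(fn, []))
        stack.extend(succ[fn])
    return {"functions": seen, "apis": apis, "strings": strings}


if __name__ == "__main__":
    edges, apis, strs = build_call_graph(SAMPLE_FUNCTIONS)
    for stmt in to_cypher("sha256:PLACEHOLDER", SAMPLE_FUNCTIONS, edges, apis, strs):
        print(stmt + ";")
    print(indicators_from("entry0", edges, apis, strs))
```

The statements print in a form that can be pasted into the Neo4j shell; because `Api` and `String` nodes carry no sample key, a query such as `MATCH (s:Sample)-[:CONTAINS]->(:Function)-[:REFERENCES]->(x:String) RETURN x.value, collect(s.id)` surfaces strings shared between samples, which is the cross-incident correlation the abstract has in mind.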

Marion Marschalek

Marion Marschalek is a Security Researcher, focusing on the analysis of emerging threats and exploring novel methods of threat detection. Marion started her career within the anti-virus industry and also worked on advanced threat protection systems, where she built a thorough understanding of how threats and protection systems work and how both occasionally fail. Besides that, Marion teaches malware analysis at the University of Applied Sciences St. Pölten and has presented at a number of international conferences, among them Black Hat, RSA, SyScan, hack.lu and Troopers. She also serves as a review board member for Black Hat Europe and was listed as one of Forbes' "30 under 30" in the technology Europe division in 2016. Once a year, Marion runs BlackHoodie, a reverse engineering workshop for women, in order to increase the number of femgineers in the field of low level technology.

Raphael Vinot

Raphaël is a CERT operator at CIRCL, the CERT for the private sector, communes and non-governmental entities in Luxembourg. His main activity is developing, or participating in the development of, tools [1] [2] [3] [4] that improve and ease the day-to-day incident response capabilities of the CSIRT he works for, but also of other teams doing similar work. Another big part of his activities is administering the biggest MISP instance in Europe [5], with >150 companies, 400 users and more than 250.000 attributes. This is the data source used in this research project.

[1] Personal account: https://github.com/Rafiot

[2] Work account: https://github.com/CIRCL/

[3] MISP account: https://github.com/MISP

[4] Wrote the MISP module: https://github.com/viper-framework/viper

[5] Information on how to get access to the platform: https://www.circl.lu/services/misp-malware-information-sharing-platform/