<div><div dir="auto">This is very cool! I am wondering if it might make sense to try to upstream this and enable your analyses for processing the samples we receive through malrec [1]. I have been meaning to switch malrec over to PANDA 2.0; and having these analyses available would be very nice...</div><div dir="auto"><br></div><div dir="auto">[1] <a href="https://giantpanda.gtisc.gatech.edu/malrec/dataset/">https://giantpanda.gtisc.gatech.edu/malrec/dataset/</a></div><br><div class="gmail_quote"><div>On Sun, May 6, 2018 at 5:23 AM Gabriele Viglianisi <<a href="mailto:vigliag@gmail.com">vigliag@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Dear PANDA users,<br>
I've finally finished my master thesis and I'm happy to share it with you.<br>
<br>
I've applied PANDA to the study of malware, with the goals of<br>
providing a replacement for debugging and making it easier to study<br>
malware that communicate with external servers. Some of the techniques<br>
I've used are similar to the ones described in the Dispatcher paper by<br>
Caballero et al., but instead of on performing protocol reverse<br>
engineering, my focus was on building an easy-to-employ tool to study<br>
a sample by inspecting its data-flow.<br>
<br>
My approach consists in:<br>
<br>
- Executing the malware sample in a virtual machine (manually or<br>
through Cuckoo Sandbox) and obtaining a PANDA recording<br>
- Collecting information on all processes in the recording via<br>
asidstory and rekall<br>
- Using network logs and "stringsearch" to find the processes of interest<br>
- Collecting statistics on the functions the malware processes called,<br>
and detecting encryption functions<br>
- Tracing system calls and applying taint analysis to find<br>
data-dependencies between them, as well as the function calls using<br>
the tracked data<br>
- Logging the collected data to disk, so that it can be interactively<br>
queried by an analyst to quickly locate relevant data and code,<br>
complementing both Cuckoo Sandbox's analyses and the usual reverse<br>
engineering tools.<br>
<br>
I've made changes to some existing PANDA plugins, and developed some new ones:<br>
<br>
- Callstack_instr was refactored and expanded, so that it assigns an<br>
identifier to each call, allowing per-call information to be<br>
collected.<br>
- A new "ProcInfoDump" plugin exposes the guest's memory to a<br>
python+rekall script embedded in the same process via PyBind11, so<br>
that it can be used to quickly inspect memory at various points in<br>
time.<br>
- "StringSearch2" is an easier to use version of StringSearch<br>
- "FnMemLogger" collects statistics about the functions the malware<br>
uses, by monitoring the first 5 calls to each function. For each call,<br>
it obtains the size, entropy and number of ASCII characters of each<br>
buffer the function reads or writes, together with the number of basic<br>
block and instructions executed, and the ratio of arithmetic<br>
operations over the total. This data is then analyzed by scripts to<br>
automatically detect encryption functions via heuristics.<br>
- "TCGTaint" is a tcg-based taint tracking implementation, adapted<br>
from Qtrace. The way it hooks in QEMU's TCG is not the ideal, but it's<br>
fast, flexible and gets the job done<br>
- "SysTaint" is the main analysis plugin, it collects information on<br>
selected system and function calls, monitoring memory accesses, and<br>
employing taint tracking.<br>
<br>
Additionally, I patched Cuckoo Monitor so that it emits hypercalls<br>
when it intercepts a call to a known system library. This allows, when<br>
the sample's execution is recorded while it is being analyzed by<br>
Cuckoo Sandbox, to be able to quickly jump from the entries in<br>
Cuckoo's behavioral log to the in-depth data collected by SysTaint.<br>
<br>
I tested my work by analyzing the execution of Zeus, Citadel, Dridex<br>
and Emotet, locating the data sent through the network, finding its<br>
provenance, and the code that transformed and encrypted the original<br>
data. More details are provided in the thesis. There are still many<br>
things that can be improved, but as a prototype this tool works<br>
already, and can provide the analysts with plenty of information<br>
without having to debug the malware or execute it more than once.<br>
<br>
You can find my work here:<br>
<br>
- Thesis: <a href="https://www.gabrieleviglianisi.com/files/GabrieleViglianisi-SysTaint-Thesis.pdf" rel="noreferrer" target="_blank">https://www.gabrieleviglianisi.com/files/GabrieleViglianisi-SysTaint-Thesis.pdf</a><br>
- Thesis defense slides:<br>
<a href="https://www.gabrieleviglianisi.com/files/GabrieleViglianisi-SysTaint-Thesis-Defense.pdf" rel="noreferrer" target="_blank">https://www.gabrieleviglianisi.com/files/GabrieleViglianisi-SysTaint-Thesis-Defense.pdf</a><br>
- PANDA fork with the added plugins: <a href="https://github.com/vigliag/panda" rel="noreferrer" target="_blank">https://github.com/vigliag/panda</a><br>
- Fork of Cuckoo Monitor with the added hypercalls:<br>
<a href="https://github.com/vigliag/cuckoo_monitor_panda" rel="noreferrer" target="_blank">https://github.com/vigliag/cuckoo_monitor_panda</a><br>
- I can also share my python scripts and jupyter notebooks. They still<br>
need some cleanup, but feel free to ask if interested<br>
<br>
Please feel free to contact me if you have any questions. I'd also be<br>
happy to upstream my changes and plugins to PANDA.<br>
<br>
Best regards,<br>
Gabriele<br>
_______________________________________________<br>
panda-users mailing list<br>
<a href="mailto:panda-users@mit.edu" target="_blank">panda-users@mit.edu</a><br>
<a href="http://mailman.mit.edu/mailman/listinfo/panda-users" rel="noreferrer" target="_blank">http://mailman.mit.edu/mailman/listinfo/panda-users</a><br>
</blockquote></div></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">Brendan Dolan-Gavitt<br>Assistant Professor, Department of Computer Science and Engineering<br>NYU Tandon School of Engineering</div>