Certego has always been strongly involved in researching new ways to analyze malware.
We have been working for some time on new projects aimed to evolve how the threat intelligence analysts work and what kind of tools they need.
You may have heard of the open source project IntelOwl and the recognition it received by the community: we have just reached 2k stars on Github in less than 2 years!
But it is not the only one! We started experimenting and working closely with the community that develops binary emulation frameworks.
And we came up with a new idea! A next generation malware sandbox built on binary emulation tools. We called it Dragonfly.
Today we are proud to announce that we are finally ready to publish the Alpha release of this project to the community!
“So yeah, this is all very exciting! but how does it work?”
The process Dragonfly uses when analyzing a binary can be split in three phases:
1. Environment configuration
Dragonfly differentiates from other sandboxes thanks to the granularity of the customization that its users can do: the emulators, and therefore Dragonfly, allow you to specify which processes are present in the emulated system; which files are where; what system registries have been configured and with what value.
Users can create their own configuration, or use the ones that Certego offers publicly.
Figure A: Profile Creation Modal
2. Sample emulation
The sample is emulated through the engines that the user has selected with the corresponding profile: parallel emulation of more than one configuration is supported by Dragonfly. For each profile, a Report is made, containing every artifact that Dragonfly has been able to retrieve through the emulation process.
All this information is then grouped together and displayed by Dragonfly, allowing users to evaluate every aspect of the emulation.
Figure B: Details of every API called
Each piece of information is accessible either through its detail view, or through the Timeline, where artefacts are grouped together by their timestamp, the moment when they have been retrieved.
Figure C: Details of every artifact for a particular point in time
3. Behaviour evaluation
Dragonfly evaluates the sample behaviour through Rules: a rule is made by Modules; each module matches a particular artifact that has been found during the emulation phase.
Figure D: Rules List
Rules are characterized by a positive or negative weight based on the confidence that the behaviour is malicious or not.
Figure E: Details of the composition of a Rule
A Match is created when the behaviour defined by a rule matches the one expressed by the sample during emulation: according to rules matching a sample, its evaluation will change from clean, to suspicious or even malicious.
Figure F: Example of matched Rules
It is possible to learn more about Dragonfly rules and its modules in the official documentation at readthedocs.
Figure G: Rule Creation Modal
Writing your own rules is encouraged but it is not necessary for using Dragonfly: Certego will continue to improve the builtin set of rules available to every Dragonfly user.
The release of Dragonfly is an important milestone for Certego and its Threat Intelligence Team. Our research and knowledge in the malware analysis field, developed in years of fighting threats, has been leading us to incredible new achievements.
The Alpha version is operated as an invite-only trust group. We encourage all security researchers and threat intelligence analysts to request access here. The next Beta release will provide open registration to everyone.
For more information about Dragonfly, what it offers and how to use it, please refer to the FAQs or send us an email to cti[at]certego.net: we will be more than happy to answer every question that you may have!
Thank you for reading and happy hunting!