Yashin Mehaboobe, profile picture
Uploaded byYashin Mehaboobe
1,701 views

PyTriage: A malware analysis framework

The document discusses static malware analysis using the tool Pytriage, created by Yashin Mehaboobe, a security researcher. It highlights the importance of analyzing malware for identifying its origin, intent, and potential damage, while comparing static and dynamic analysis techniques. Pytriage simplifies the process by integrating multiple static analysis tools and automating signature generation for various security applications.

Embed presentation

STATIC MALWARE ANALYSIS WITH PYTRIAGE Yashin Mehaboobe Security Researcher Cyber Security and Privacy Foundation
#WHOAMI o Head, Icarus Labs (CSPF) o Author of PyTriage o Found a DoS bug in Android o Spoke at Defcon Kerala and Defcon Bangalore o Other contributions include a static file based web application fingerprinter for nmap • Interests: Hardware Hacking, Reverse Engineering, Malware Analysis and Open Source Contribution
WHY ANALYZE MALWARE? AKA PLAYING WITH FIRE • Deduce the origin and intent of the code • Reduce and contain the damage caused • Prevent further infections • Identify how it got in and how it can further spread • Sheer curiosity!
STATIC VS DYNAMIC • Static analysis would be obtaining the hashes, the import and export table as well as just plain disassembly. • Dynamic analysis would be running a debugger on it, checking the registry for changes and finding memory artifacts. • Static is safer but reasonable conclusions cannot be made with high precision. • Dynamic possesses a higher degree of danger to the system but gives a more accurate view of how the malware functions
PRECAUTIONS • Use a VM. • Better yet, use a dedicated workstation which is reimaged constantly. • Do not connect the analysis system to any production networks. • Malware sandboxes are fine too. • Use a sneakernet ;)
INTRODUCING PYTRIAGE • Quickly analyze malware • Find what sort of file it is • Identify the PE sections , their sizes and their hashes • Find out what DLLs and functions are imported and exported • Automatically generate signatures for ClamAV and YARA • Check if the file is infected against VirusTotal
WHY PYTRIAGE? • Other option would be to run an array of tools • Some are available only on certain platforms • PyTriage lets you run most static analysis tools within one tool • Easily extendible • Automated signature generation
BASIC FILE INFO AND HASHES
IMPORT AND EXPORT TABLES
VIRUSTOTAL INTEGRATION
REPORT GENERATION
TODO • Dynamic analysis • Malware communication analysis • Customized reports… • Yada yada yada…
FURTHER READING AND REFERENCE
“ ” THANK YOU Contact me: twitter.com/YashinMehaboobe yashinm@cysecurity.org

More Related Content

PDF
Hardware Reverse Engineering: From Boot to Root
byYashin Mehaboobe
 
PPTX
Hardware Hacking Primer
byYashin Mehaboobe
 
PPTX
Making and breaking security in embedded devices
byYashin Mehaboobe
 
PDF
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
bySilvio Cesare
 
PPTX
Hardware hacking 101
byTiago Henriques
 
PDF
Intro to Hardware Firmware Hacking
byAndrew Freeborn
 
PDF
Arduino Forensics
bySteve Watson
 
PDF
Hardware Hacking
byAndrew Brockhurst
 
Hardware Reverse Engineering: From Boot to Root
byYashin Mehaboobe
 
Hardware Hacking Primer
byYashin Mehaboobe
 
Making and breaking security in embedded devices
byYashin Mehaboobe
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
bySilvio Cesare
 
Hardware hacking 101
byTiago Henriques
 
Intro to Hardware Firmware Hacking
byAndrew Freeborn
 
Arduino Forensics
bySteve Watson
 
Hardware Hacking
byAndrew Brockhurst
 

What's hot

PPTX
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
PDF
BSides DFW2016-Hack Mode Enabled
bypricemcdonald
 
PDF
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
byDefconRussia
 
PDF
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
PDF
Bsides Puerto Rico-2017
byPrice McDonald
 
PDF
Securing a Raspberry Pi and other DIY IoT devices
byIan Kluft
 
PDF
Secure Coding in Perl
byIan Kluft
 
PDF
How security broken? - Android internals and malware infection possibilities
byFFRI, Inc.
 
PPTX
Security Testing: Fuzzing
byAndrei Rubaniuk
 
PDF
Solnik secure enclaveprocessor-pacsec
byPacSecJP
 
PDF
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
bySeunghun han
 
PDF
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
bySeunghun han
 
PPTX
RFID: EPC protocol
byAmjed Majid
 
PPTX
Randomized ciphers
byMichael Kangethe
 
PDF
HITBSecConf 2016-Create Your Own Bad Usb
bySeunghun han
 
PDF
Building Trojan Hardware at Home
byE Hacking
 
PPT
Fuzzing 101 Webinar on Zero Day Management
byCodenomicon
 
PDF
Inside Winnyp
byFFRI, Inc.
 
PDF
Predicting and Abusing WPA2/802.11 Group Keys
byvanhoefm
 
PPTX
Frog cipher
byHasan Hamad
 
Advanced SOHO Router Exploitation XCON
byLyon Yang
 
BSides DFW2016-Hack Mode Enabled
bypricemcdonald
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
byDefconRussia
 
A Hypervisor IPS based on Hardware Assisted Virtualization Technology
byFFRI, Inc.
 
Bsides Puerto Rico-2017
byPrice McDonald
 
Securing a Raspberry Pi and other DIY IoT devices
byIan Kluft
 
Secure Coding in Perl
byIan Kluft
 
How security broken? - Android internals and malware infection possibilities
byFFRI, Inc.
 
Security Testing: Fuzzing
byAndrei Rubaniuk
 
Solnik secure enclaveprocessor-pacsec
byPacSecJP
 
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
bySeunghun han
 
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox
bySeunghun han
 
RFID: EPC protocol
byAmjed Majid
 
Randomized ciphers
byMichael Kangethe
 
HITBSecConf 2016-Create Your Own Bad Usb
bySeunghun han
 
Building Trojan Hardware at Home
byE Hacking
 
Fuzzing 101 Webinar on Zero Day Management
byCodenomicon
 
Inside Winnyp
byFFRI, Inc.
 
Predicting and Abusing WPA2/802.11 Group Keys
byvanhoefm
 
Frog cipher
byHasan Hamad
 

Viewers also liked

PDF
CNIT 126 4: A Crash Course in x86 Disassembly
bySam Bowne
 
PDF
CNIT 126 5: IDA Pro
bySam Bowne
 
PDF
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
PPT
Malware Analysis Made Simple
byPaul Melson
 
PPTX
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
PDF
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
byamrapalibuildersreviews
 
PDF
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
byAndres Lozano
 
PPTX
Hardware Hacking in schools (ACEC2014)
byDan Bowen
 
PPT
Playful
byTinker London
 
PDF
Hardware hacking
byTavish Naruka
 
PDF
Breaking Bad EACS Implementations
byOpposing Force S.r.l.
 
PPTX
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
byTakeda Pharmaceuticals
 
PDF
Coders need to learn hardware hacking NOW
byMatt Biddulph
 
PPTX
Router forensics
byTaruna Chauhan
 
PDF
JTAG Interface (Intro)
byNitesh Bhatia
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
PPTX
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
byLane Huff
 
CNIT 126 4: A Crash Course in x86 Disassembly
bySam Bowne
 
CNIT 126 5: IDA Pro
bySam Bowne
 
'Malware Analysis' by PP Singh
byBipin Upadhyay
 
Malware Analysis Made Simple
byPaul Melson
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
bygrecsl
 
amrapali builders @@ hardware hacking and robotics using the raspberry pi.pdf
byamrapalibuildersreviews
 
Hardware Hacking caso práctico Ingeniería Inversa Smartcards
byAndres Lozano
 
Hardware Hacking in schools (ACEC2014)
byDan Bowen
 
Playful
byTinker London
 
Hardware hacking
byTavish Naruka
 
Breaking Bad EACS Implementations
byOpposing Force S.r.l.
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
byTakeda Pharmaceuticals
 
Coders need to learn hardware hacking NOW
byMatt Biddulph
 
Router forensics
byTaruna Chauhan
 
JTAG Interface (Intro)
byNitesh Bhatia
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Introduction to Dynamic Malware Analysis ...Or am I "Cuckoo for Malware?"
byLane Huff
 

Similar to PyTriage: A malware analysis framework

PPTX
Introduction to Malware Analysis
byAndrew McNicol
 
PPTX
Ch0 1
byTylerDerdun
 
PPTX
Malware Analysis Techniques &Incident Response.pptx
byGol D Roger
 
PPTX
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
bySam Bowne
 
PDF
Malware Analysis for cyber security & Network Security
bysurajpatil318663
 
PDF
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
PPTX
Malware Static Analysis
byHossein Yavari
 
PDF
Malware analysis _ Threat Intelligence Morocco
byTouhami Kasbaoui
 
PDF
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
PPTX
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
PDF
H@dfex 2015 malware analysis
byCharles Lim
 
PPT
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
PPTX
Malware forensic
bySumeraHangi
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
What Are The Types of Malware? Must Read
byBytecode Security
 
PDF
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
byIJNSA Journal
 
PPTX
Malware Classification and Analysis
byPrashant Chopra
 
PDF
Practical Incident Response - Work Guide
byEduardo Chavarro
 
PDF
Basic survey on malware analysis, tools and techniques
byijcsa
 
PPT
Chapter 1 malware analysis primer
byManjuA8
 
Introduction to Malware Analysis
byAndrew McNicol
 
Ch0 1
byTylerDerdun
 
Malware Analysis Techniques &Incident Response.pptx
byGol D Roger
 
Practical Malware Analysis: Ch 0: Malware Analysis Primer & 1: Basic Static T...
bySam Bowne
 
Malware Analysis for cyber security & Network Security
bysurajpatil318663
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.pdf
byManjuAppukuttan2
 
Malware Static Analysis
byHossein Yavari
 
Malware analysis _ Threat Intelligence Morocco
byTouhami Kasbaoui
 
CH1- Introduction to malware analysis-v2.pdf
byWajdiElhamzi3
 
Malware 101 by saurabh chaudhary
bySaurav Chaudhary
 
H@dfex 2015 malware analysis
byCharles Lim
 
CHAPTER 1 MALWARE ANALYSIS PRIMER.ppt
byManjuAppukuttan2
 
Malware forensic
bySumeraHangi
 
Malware analysis
byPrakashchand Suthar
 
What Are The Types of Malware? Must Read
byBytecode Security
 
A FRAMEWORK FOR ANALYSIS AND COMPARISON OF DYNAMIC MALWARE ANALYSIS TOOLS
byIJNSA Journal
 
Malware Classification and Analysis
byPrashant Chopra
 
Practical Incident Response - Work Guide
byEduardo Chavarro
 
Basic survey on malware analysis, tools and techniques
byijcsa
 
Chapter 1 malware analysis primer
byManjuA8
 

Recently uploaded

PDF
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
PDF
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PPTX
Agentic AI presentation with Python Exercises
byParth Mane
 
PDF
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
PPTX
Explaining ourselves – people, computers and AI
byAlan Dix
 
PDF
OutSystsems User Group Brabant November 2025
bymail496323
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PPTX
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
PDF
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
PDF
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
IDSECCONF2025 - Budi Rahardjo - Cyber Security and AI.pdf
byidsecconf
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
SELinux Basics: Managing SELinux Modes and Context - RHCSA+.pdf
byLinuxCert Guru
 
Introduction to Shell Scripting - RHCSA+.pdf
byLinuxCert Guru
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Agentic AI presentation with Python Exercises
byParth Mane
 
Top Crypto Supers 15th Report November 2025
byStephen Perrenod
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
UnityNet AI Induced Harm & Youth Protection Position Statement 2025-11-15
byLHelferty
 
Explaining ourselves – people, computers and AI
byAlan Dix
 
OutSystsems User Group Brabant November 2025
bymail496323
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
How Design Systems and AI Agents Accelerate Product Delivery Sixt
byBoyan Dimitrov
 
IDSECCONF2025 - Ali - DursGo–Web Security Scanner with AI Analysis.pdf
byidsecconf
 
Mastering UiPath Maestro – Session 2 – Building a Live Use Case - Session 2
byDianaGray10
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 

PyTriage: A malware analysis framework

  • 1.
    STATIC MALWARE ANALYSIS WITHPYTRIAGE Yashin Mehaboobe Security Researcher Cyber Security and Privacy Foundation
  • 2.
    #WHOAMI o Head, IcarusLabs (CSPF) o Author of PyTriage o Found a DoS bug in Android o Spoke at Defcon Kerala and Defcon Bangalore o Other contributions include a static file based web application fingerprinter for nmap • Interests: Hardware Hacking, Reverse Engineering, Malware Analysis and Open Source Contribution
  • 3.
    WHY ANALYZE MALWARE? AKA PLAYINGWITH FIRE • Deduce the origin and intent of the code • Reduce and contain the damage caused • Prevent further infections • Identify how it got in and how it can further spread • Sheer curiosity!
  • 4.
    STATIC VS DYNAMIC •Static analysis would be obtaining the hashes, the import and export table as well as just plain disassembly. • Dynamic analysis would be running a debugger on it, checking the registry for changes and finding memory artifacts. • Static is safer but reasonable conclusions cannot be made with high precision. • Dynamic possesses a higher degree of danger to the system but gives a more accurate view of how the malware functions
  • 5.
    PRECAUTIONS • Use aVM. • Better yet, use a dedicated workstation which is reimaged constantly. • Do not connect the analysis system to any production networks. • Malware sandboxes are fine too. • Use a sneakernet ;)
  • 6.
    INTRODUCING PYTRIAGE • Quicklyanalyze malware • Find what sort of file it is • Identify the PE sections , their sizes and their hashes • Find out what DLLs and functions are imported and exported • Automatically generate signatures for ClamAV and YARA • Check if the file is infected against VirusTotal
  • 7.
    WHY PYTRIAGE? • Otheroption would be to run an array of tools • Some are available only on certain platforms • PyTriage lets you run most static analysis tools within one tool • Easily extendible • Automated signature generation
  • 8.
    BASIC FILE INFOAND HASHES
  • 9.
  • 10.
  • 11.
  • 12.
    TODO • Dynamic analysis •Malware communication analysis • Customized reports… • Yada yada yada…
  • 13.
  • 14.
    “ ” THANK YOU Contact me:twitter.com/YashinMehaboobe yashinm@cysecurity.org