Initial analysis with Cerberus will give you immediate actionable intelligence.
Cerberus Stage One: Static Analysis
The following first-level checks are run to quickly tally a threat score:
- Version information embedded in the binary
- Product Name
- Product Version
- Company Name, etc.
- Import table
- Functions imported from system libraries
- Dynamic loading of libraries and functions at runtime, etc.
- Does the binary have high entropy (a sign of packing, encryption or other obfuscation)?
- Does the binary contain signatures of:
- Internet Relay Chat (“IRC”)
- Cryptography (“Crypto”)
- Does the binary contain strings associated with autorun (persistence) locations?
- Is the binary digitally signed, and does the signature verify?
Stage Two: Disassembly And Emulation Without The Sandbox
Stage two involves more complex disassembly analysis that gives you more detailed behavioral information. This emulation and data flow analysis is performed without running the binary in a sandbox, and it does not rely on whitelists or signatures.
Basic Disassembly Analysis:
- Integrated disassembly engine
- If the binary uses network functionality, which host(s) it communicates with and over what protocol(s)
- If the binary uses network functionality, can it bypass proxy servers?
- For functions that require usernames and/or passwords, does the executable contain a static credential string, indicating insider or advanced knowledge of the target?
Advanced Disassembly Analysis:
- Automated code and data flow analysis
- More advanced functionality interpretation
- IP addresses and domain names used
- Debugger and sandbox avoidance
- Command and control functionality
- Hooking techniques
- Arbitrary code execution
- Host forensic artifacts
- Registry settings
- Temp files
- Configuration files
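The stage-one heuristics listed above (PE header check, entropy, IRC/crypto/autorun/dynamic-loading string signatures) and the stage-two extraction of IP addresses and domain names can be sketched in a few dozen lines. The script below is an added illustration written for this page, not Cerberus code, and it uses only the Python standard library. The indicator lists, the 7.2 bits/byte entropy threshold, the TLD list and the sample "binary" are all constructed assumptions; a real triage engine would parse the import table and Authenticode signature with a PE library rather than substring-matching the raw file.

```python
"""Lightweight first-pass malware triage heuristics (illustrative, stdlib only)."""
import math
import re
import struct
from collections import Counter

# Assumed indicator sets; a production tool would use a much larger signature base.
INDICATORS = {
    "irc": [b"PRIVMSG", b"NICK ", b"JOIN #", b"USER ", b"PING :"],
    "crypto": [b"CryptEncrypt", b"CryptAcquireContext", b"AES", b"RSA", b"RC4"],
    "autorun": [b"CurrentVersion\\Run", b"CurrentVersion\\RunOnce", b"\\Startup"],
    "dynamic_loading": [b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress"],
}
HIGH_ENTROPY = 7.2  # assumed threshold: packed/encrypted data approaches 8.0 bits/byte

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|ru|cn)\b", re.I)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_pe(data: bytes) -> bool:
    """Check the MZ stub and follow e_lfanew (offset 0x3C) to the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def ascii_strings(data: bytes, min_len: int = 5) -> list:
    """Printable-ASCII runs, the same thing `strings` would print."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def network_indicators(strings: list) -> tuple:
    """Pull dotted-quad IPs and domain-looking tokens out of extracted strings.
    Heuristic only: version strings like 1.2.3.4 will also match the IP pattern."""
    ips, domains = set(), set()
    for s in strings:
        ips.update(m.decode() for m in IPV4_RE.findall(s))
        domains.update(m.decode() for m in DOMAIN_RE.findall(s))
    return sorted(ips), sorted(domains)


def triage(data: bytes) -> dict:
    """Tally a simple score: one point per indicator family hit, one for high entropy."""
    strings = ascii_strings(data)
    hits = {name: [p.decode() for p in pats if p in data] for name, pats in INDICATORS.items()}
    ips, domains = network_indicators(strings)
    entropy = shannon_entropy(data)
    score = sum(1 for h in hits.values() if h) + (1 if entropy >= HIGH_ENTROPY else 0)
    return {"is_pe": is_pe(data), "entropy": round(entropy, 3), "hits": hits,
            "ips": ips, "domains": domains, "score": score}


def build_sample() -> bytes:
    """Constructed stand-in for a suspicious binary: a minimal MZ/PE header followed by
    strings typical of an IRC bot with Run-key persistence. Not a real executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS stub
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> PE signature right after
    hdr += b"PE\x00\x00"
    body = b"\x00".join([
        b"NICK bot12345", b"JOIN #cmdctrl", b"PRIVMSG",
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"LoadLibraryA", b"GetProcAddress",
        b"update.example-c2.net", b"203.0.113.7:6667",
    ])
    return bytes(hdr) + body


if __name__ == "__main__":
    for k, v in triage(build_sample()).items():
        print(f"{k}: {v}")
```

Run against the constructed sample, the script flags the IRC, autorun and dynamic-loading families (score 3), reports low entropy (plain strings, so not packed), and extracts the C2 domain and the IP:port pair. The entropy figure is most useful per section rather than per file: a legitimate binary with a large compressed resource will look "packed" file-wide, so a real implementation computes it for each PE section.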
Traditional Reverse Engineering of Malicious Binaries
Once we have given you the detailed behavior and intent information above, produced by our malware triage technology and correlated with your host and network data, we run the binary in a controlled sandbox environment and perform traditional behavioral, static and dynamic analysis. We unpack the binary if necessary, using best-practice methods to bypass the malware’s anti-analysis defenses. A detailed report enumerates everything that can be gleaned from the sample, and we work with you to develop a remediation plan and to fold the resulting threat profile into your monitoring process so that any recurrence of the infection is caught.