Static Malware Analysis with PyTriage

Malware analysis is a long process, and one that is not well known among most IT professionals. In many corporate environments no dedicated malware analyst is available, so a member of the general IT staff may have to perform preliminary analysis of a suspicious binary. PyTriage was written for that situation.

The tool provides a simple interface for preliminary static analysis of a binary. One of its features is hash generation in several formats: it currently supports MD5, SHA1 and ssdeep (fuzzy hashing), and more can be added quite easily. It also recognises file types from their magic bytes, so one can be sure what the file really is, whatever its extension claims, before starting detailed analysis. PyTriage also has some PE dissection capabilities: it walks the PE section table and displays each section's name, size and hash. One can also inspect the imported DLLs and the exported functions, which hint at what the binary does. It can generate signatures in two formats: one for the open source pattern-matching tool YARA and the other for the ClamAV antivirus. PyTriage also supports submitting the file to VirusTotal via its API, so one can check whether antivirus vendors have already detected it. A report generation feature produces a concise report of the findings.
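As an added illustration (this is not PyTriage's own code, which the abstract does not show), the following standard-library Python sketch performs the same kind of preliminary static triage the abstract describes: magic-byte file typing, whole-file hashes, a walk of the PE section table with a per-section hash and size, and hash signatures in YARA and ClamAV `.hdb` form. The magic table, the embedded sample PE and the exact signature layouts are constructed for the example; ssdeep is omitted because it needs the third-party `ssdeep` module.

```python
"""Minimal static triage: file typing, hashes, PE section hashing, signatures.
Standard library only; the sample PE below is constructed, not real malware."""
import hashlib
import struct

# Constructed magic-byte table (a small subset; real tools use libmagic).
MAGIC_SIGNATURES = (
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also OOXML/JAR/APK)"),
)


def file_type(data: bytes) -> str:
    """Identify the file by its leading bytes, ignoring the extension."""
    for sig, name in MAGIC_SIGNATURES:
        if data.startswith(sig):
            return name
    return "unknown"


def hashes(data: bytes) -> dict:
    """Whole-file MD5/SHA1/SHA256 (ssdeep needs a third-party module)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def pe_sections(data: bytes) -> list:
    """Walk the PE section table and hash each section's raw bytes.
    A section whose raw data runs past end-of-file is flagged 'truncated'
    instead of being silently hashed short."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad e_lfanew / PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_hdr_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_hdr_size  # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", errors="replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "truncated": len(raw) < raw_size,
        })
    return sections


def yara_hash_rule(rule_name: str, data: bytes) -> str:
    """Exact-match YARA rule using YARA's 'hash' module (assumed layout)."""
    h = hashes(data)
    return "\n".join([
        'import "hash"',
        "",
        f"rule {rule_name}",
        "{",
        "    meta:",
        f'        sha256 = "{h["sha256"]}"',
        "    condition:",
        f'        filesize == {len(data)} and hash.md5(0, filesize) == "{h["md5"]}"',
        "}",
    ])


def clamav_hdb_line(sig_name: str, data: bytes) -> str:
    """ClamAV .hdb hash signature: MD5:FileSize:SignatureName."""
    return f"{hashes(data)['md5']}:{len(data)}:{sig_name}"


def build_sample_pe() -> bytes:
    """Constructed 32-bit PE: two sections, no optional header, for offline use."""
    text = b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\x90" * 9   # 16 bytes of code
    rdata = b"hello, triage\0"                             # 14 bytes of data
    text_ptr, rdata_ptr = 0x100, 0x110
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    sec = "<8sIIIIIIHHI"
    hdr_text = struct.pack(sec, b".text", len(text), 0x1000, len(text), text_ptr, 0, 0, 0, 0, 0x60000020)
    hdr_rdata = struct.pack(sec, b".rdata", len(rdata), 0x2000, len(rdata), rdata_ptr, 0, 0, 0, 0, 0x40000040)
    image = dos + coff + hdr_text + hdr_rdata
    image += b"\0" * (text_ptr - len(image)) + text
    image += b"\0" * (rdata_ptr - len(image)) + rdata
    return image


def triage(data: bytes) -> dict:
    """One-shot preliminary report: type, size, hashes, and sections for PEs."""
    report = {"type": file_type(data), "size": len(data), "hashes": hashes(data)}
    if report["type"].startswith("PE"):
        report["sections"] = pe_sections(data)
    return report


if __name__ == "__main__":
    sample = build_sample_pe()
    r = triage(sample)
    print(r["type"], r["size"], r["hashes"]["sha256"])
    for s in r["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:x} raw={s['raw_size']} "
              f"md5={s['md5']} truncated={s['truncated']}")
    print(yara_hash_rule("triage_sample", sample))
    print(clamav_hdb_line("Triage.Sample", sample))
```

Two practical points the sketch makes explicit: hash each section's raw on-disk bytes (not its virtual size) and flag a section that extends past end-of-file, since a truncated download otherwise yields a misleading hash; and remember that a hash-only signature matches one exact file, which is why fuzzy hashes such as ssdeep earn their place in a triage tool. When consulting VirusTotal, query by hash before uploading, as an uploaded file is shared with the participating vendors.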

All of this is available through an easy to use GUI, so newcomers to malware analysis can get started quickly. The presentation will also look at how to write plugins for the tool, so that others can contribute and extend it.

Yashin Mehaboobe
Yashin is a security researcher with the Cyber Security and Privacy Foundation. His areas of interest span hardware security, social engineering, network security, malware analysis and reverse engineering. He discovered a denial of service vulnerability in Android that he reported to Google and presented at Defcon Kerala. His work includes a static file based web application fingerprinting script for nmap, an automated malware detection system for the Raspberry Pi, a network proxy in Python and a malware analysis framework in Python. He was the winner of the Defkthon CTF held at Defcon Kerala. He has also presented at Defcon Bangalore and c0c0n 2013.