Graph me, I’m famous! – Automated static malware analysis and indicator extraction for binaries
Stirring around in a binary is the RE’s biggest joy; the biggest joy of the incident responder is to have her RE tell her a long-ish list of indicators to dig for, within the first five minutes of incident response. If not sooner, even?
This talk will present a tool which helps both reverse engineers and incident responders. It is based on radare2, and dumps call graphs along with API calls and string references to a Neo4j database. Dubbed r2graphity, it is intended on the one hand as a standalone tool that supports the reverse engineer when exploring a binary, and on the other as an aid to the incident responder’s job when integrated with MISP. MISP is a sharing platform where one can store and share relevant threat indicators for one specific case, but also uncover correlations with other incidents.
We will briefly discuss the shortcomings of sandboxes, and why static malware analysis makes sense at all. We will explain how an accurate call graph can be reconstructed from a compiled Windows binary, and also how these graphs are feasibly stored within a graph database. Finally, a case study using binaries from the notorious APT28 will show how automated extraction of binary intestines within MISP helps during incident response.
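To make the pipeline sketched above concrete, here is an added, self-contained Python example (not r2graphity’s own code): it walks a constructed, radare2-flavoured disassembly listing, rebuilds the function call graph, pulls out per-function indicators (imported API calls and string references), and emits the Neo4j Cypher `MERGE` statements that would store the graph. The listing, the function/import/string label scheme (`fcn.*`, `sym.imp.*`, `str.*`), the node labels `Function`, `API` and `String`, and the sample hash placeholder are all assumptions made for this illustration; no radare2 or Neo4j installation is needed to run it.

```python
"""Added example, not the tool's own code: call-graph reconstruction and
indicator extraction from a constructed disassembly, plus Cypher emission."""
from collections import defaultdict
import re

# Constructed listing: function name -> list of (address, mnemonic, operand).
# Labels mimic radare2 naming: sym.imp.<lib>_<api> for import thunks,
# str.<text> for string references, fcn.<addr> for local functions.
TOY_DISASM = {
    "entry0": [
        (0x401000, "call", "fcn.00401100"),
        (0x401005, "call", "fcn.00401200"),
        (0x40100a, "ret", ""),
    ],
    "fcn.00401100": [
        (0x401100, "lea", "rcx, str.C:__Users_Public_dropper.tmp"),
        (0x401107, "call", "sym.imp.kernel32.dll_CreateFileA"),
        (0x40110c, "call", "fcn.00401300"),
        (0x401111, "ret", ""),
    ],
    "fcn.00401200": [
        (0x401200, "lea", "rcx, str.example.invalid"),
        (0x401207, "call", "sym.imp.wininet.dll_InternetOpenUrlA"),
        (0x40120c, "ret", ""),
    ],
    "fcn.00401300": [
        (0x401300, "call", "sym.imp.kernel32.dll_WriteFile"),
        (0x401305, "ret", ""),
    ],
}

IMPORT_RE = re.compile(r"^sym\.imp\.(?P<lib>[^_]+)_(?P<api>.+)$")
STRING_RE = re.compile(r"str\.(?P<s>[^\s,\]]+)")


def build_graph(disasm):
    """Return (edges, apis, strings).

    edges   : set of (caller, callee) between local functions
    apis    : {function: [(lib, api), ...]} imported APIs called directly
    strings : {function: [text, ...]} string references seen in operands
    """
    edges, apis, strings = set(), defaultdict(list), defaultdict(list)
    for fn, insns in disasm.items():
        for _addr, mnem, operand in insns:
            imp = IMPORT_RE.match(operand) if mnem == "call" else None
            if imp:
                apis[fn].append((imp.group("lib"), imp.group("api")))
            elif mnem == "call" and operand in disasm:
                edges.add((fn, operand))
            strings[fn].extend(STRING_RE.findall(operand))
    # drop functions without strings so callers get plain dicts
    return edges, dict(apis), {k: v for k, v in strings.items() if v}


def reachable_apis(edges, apis, start="entry0"):
    """All API names reachable from `start` by walking call edges (DFS)."""
    succ = defaultdict(set)
    for caller, callee in edges:
        succ[caller].add(callee)
    seen, stack, found = set(), [start], set()
    while stack:
        fn = stack.pop()
        if fn in seen:
            continue
        seen.add(fn)
        found.update(api for _lib, api in apis.get(fn, []))
        stack.extend(succ[fn])
    return found


def to_cypher(edges, apis, strings, sha256="SAMPLE_SHA256_PLACEHOLDER"):
    """Emit idempotent Cypher MERGE statements.

    Function nodes are keyed by (name, sample) so two samples never collide;
    API and String nodes are shared across samples, which is what lets a
    graph query surface overlap between unrelated incidents.
    """
    def q(s):  # escape for a single-quoted Cypher literal
        return s.replace("\\", "\\\\").replace("'", "\\'")

    fn_node = lambda f: f"(:Function {{name: '{q(f)}', sample: '{sha256}'}})"
    fns = sorted({f for e in edges for f in e} | set(apis) | set(strings))
    stmts = [f"MERGE {fn_node(f)}" for f in fns]
    for a, b in sorted(edges):
        stmts.append(f"MATCH (a{fn_node(a)[1:]}), (b{fn_node(b)[1:]}) "
                     f"MERGE (a)-[:CALLS]->(b)")
    for fn, calls in sorted(apis.items()):
        for lib, api in calls:
            stmts.append(f"MERGE (x:API {{name: '{q(api)}', lib: '{q(lib)}'}}) "
                         f"WITH x MATCH (f{fn_node(fn)[1:]}) MERGE (f)-[:CALLS_API]->(x)")
    for fn, texts in sorted(strings.items()):
        for s in texts:
            stmts.append(f"MERGE (x:String {{value: '{q(s)}'}}) "
                         f"WITH x MATCH (f{fn_node(fn)[1:]}) MERGE (f)-[:REFERENCES]->(x)")
    return stmts


if __name__ == "__main__":
    e, a, s = build_graph(TOY_DISASM)
    print("APIs reachable from entry0:", sorted(reachable_apis(e, a)))
    print("\n".join(to_cypher(e, a, s)))
```

The `reachable_apis` walk is the piece an analyst actually wants from a call graph rather than a flat import table: it answers "which API calls can this entry point reach", and the same DFS, started at a suspicious function instead of `entry0`, scopes the indicators to that code path. Feeding the emitted statements to a real Neo4j instance (for example through the official Python driver) is left as the deployment step.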