AccessData Professional Services is able to give you actionable intelligence around a malicious binary faster than any other service provider because of our Cerberus malware analysis technology. This initial analysis reveals critical data that other providers require a sandbox environment to uncover, so we can give you behavior and intent information without triggering any sandbox-evasion or other defense mechanisms the malware may contain. Once we have triaged the binary and recovered the attributes listed below, we perform traditional reverse engineering to provide even deeper detail.

Initial Analysis with Cerberus Will Give you Immediate Actionable Intelligence…

Cerberus Stage One: Static Analysis

The following first-level analysis is conducted on the binary at rest, without executing it, to quickly tally a threat score:
  • Version information embedded in the file
    • Product Name
    • Product Version
    • Company Name, etc.
  • Functions included in the Import Table, grouped by capability
    • Network
    • Process
    • Security
    • Registry
    • Dynamic loading (e.g. LoadLibrary/GetProcAddress), etc.
  • Does the binary have high-entropy sections (an indicator of packing or encryption)?
  • Does the binary contain signatures of:
    • Internet Relay Chat (“IRC”) protocol commands
    • Shellcode
    • Cryptography (“Crypto”) routines or constants
  • Does the binary contain strings associated with autorun (persistence) locations?
  • Digital signature verification: is the binary signed, and does the signature validate?
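To make the stage-one checklist concrete, here is an added example of how such a static triage pass can be tallied. It is illustrative code written for this page, not AccessData or Cerberus code. It assumes the import names have already been pulled from the PE import table by a parser such as pefile (its DIRECTORY_ENTRY_IMPORT structure); here the sections and imports of two samples are constructed inline. The bucket membership, byte signatures, entropy threshold and weights are assumptions chosen to show the mechanics, not a published scoring scheme, and digital-signature validation is left out because it needs the Authenticode certificate chain rather than the file bytes alone.

```python
"""Stage-one style static triage: version-independent checks on a binary at rest.

Added example, not AccessData or Cerberus code. Imports are assumed to come
from a PE parser (e.g. pefile, DIRECTORY_ENTRY_IMPORT); samples below are
constructed. Buckets, signatures, thresholds and weights are assumptions.
"""
import math
from collections import Counter

# Real Win32 export names, grouped the way a triage pass tallies them (assumed grouping).
IMPORT_BUCKETS = {
    "network": {"WSAStartup", "connect", "send", "recv", "InternetOpenA",
                "InternetOpenUrlA", "HttpSendRequestA", "URLDownloadToFileA"},
    "process": {"CreateProcessA", "OpenProcess", "VirtualAllocEx",
                "WriteProcessMemory", "CreateRemoteThread", "SetWindowsHookExA"},
    "security": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueA"},
    "registry": {"RegOpenKeyExA", "RegCreateKeyExA", "RegSetValueExA"},
    "dynamic_loading": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}
BUCKET_WEIGHT = {"network": 2, "process": 3, "security": 2, "registry": 2, "dynamic_loading": 1}

# Byte signatures. IRC verbs and autorun key paths are plain strings. The shellcode
# idioms are an 8-byte NOP sled and the x86 PEB lookup "mov eax, fs:[0x30]". The
# crypto markers are the first bytes of the AES S-box and the little-endian MD5
# initial state word 0x67452301.
SIGNATURES = {
    "irc": [b"PRIVMSG ", b"NICK ", b"JOIN #"],
    "shellcode": [b"\x90" * 8, b"\x64\xa1\x30\x00\x00\x00"],
    "crypto": [b"\x63\x7c\x77\x7b\xf2\x6b\x6f\xc5", b"\x01\x23\x45\x67"],
    "autorun": [b"CurrentVersion\\Run", b"CurrentVersion\\RunOnce", b"Winlogon\\Shell"],
}
SIGNATURE_WEIGHT = {"irc": 3, "shellcode": 4, "crypto": 1, "autorun": 3}

ENTROPY_THRESHOLD = 7.0  # bits/byte; above this a section is likely packed or encrypted (assumed)
ENTROPY_WEIGHT = 3


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 8.0 is uniformly random, plain x86 code sits well below 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(sections: dict, imports: list) -> dict:
    """Tally the stage-one attributes of one binary into findings and a score."""
    findings = {"imports": {}, "high_entropy_sections": [], "signatures": {}}
    score = 0

    # Import table: which capability buckets does the binary touch?
    for bucket, names in IMPORT_BUCKETS.items():
        hits = sorted(set(imports) & names)
        if hits:
            findings["imports"][bucket] = hits
            score += BUCKET_WEIGHT[bucket]

    # Per-section entropy: a packed or encrypted section hides the real code from static review.
    for name, data in sections.items():
        if shannon_entropy(data) > ENTROPY_THRESHOLD:
            findings["high_entropy_sections"].append(name)
            score += ENTROPY_WEIGHT

    # String and byte signatures across all section contents.
    blob = b"".join(sections.values())
    for kind, patterns in SIGNATURES.items():
        hits = [p for p in patterns if p in blob]
        if hits:
            findings["signatures"][kind] = hits
            score += SIGNATURE_WEIGHT[kind]

    findings["score"] = score
    findings["verdict"] = "high" if score >= 10 else "medium" if score >= 4 else "low"
    return findings


# Constructed samples (not real malware): a bot-like binary and a benign one.
SUSPECT = {
    "sections": {
        ".text": b"\x55\x8b\xec" + b"\x90" * 16 + b"\x64\xa1\x30\x00\x00\x00" + b"\xc3",
        ".data": (b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
                  b"PRIVMSG #ops :online\x00"),
        # bytes(range(256)) repeated has exactly 8.0 bits/byte; it stands in for a packed payload
        ".rsrc": bytes(range(256)) * 4,
    },
    "imports": ["WSAStartup", "connect", "send", "recv", "OpenProcess", "VirtualAllocEx",
                "WriteProcessMemory", "CreateRemoteThread", "RegSetValueExA",
                "LoadLibraryA", "GetProcAddress"],
}
BENIGN = {
    "sections": {".text": b"\x55\x8b\xec\x33\xc0\x5d\xc3", ".data": b"Hello, world\x00"},
    "imports": ["MessageBoxA", "ExitProcess", "GetModuleHandleA"],
}

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage(sample["sections"], sample["imports"]))
```

The point of the scoring is the combination: a crypto constant or a LoadLibrary import alone is ordinary, but a high-entropy section next to process-injection imports, an autorun key path and IRC verbs is the profile the stage-one pass is built to surface before anything is executed. Weights and the 7.0-bit entropy cut-off should be tuned against your own corpus; compressed resources and installers will also push entropy up, so treat that hit as a prompt to unpack rather than a verdict on its own.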

Stage Two: Disassembly and Emulation without the Sandbox

Stage two involves deeper disassembly analysis to give you more detailed behavioral information. This emulation and data-flow analysis is performed without running the binary in a sandbox, and it does not rely on whitelists or signatures.

Basic Disassembly Analysis:
  • Integrated disassembly engine
  • If the binary uses network functionality, which host(s) it is likely to communicate with and over which protocol(s)
  • If the binary uses network functionality, can it bypass proxy servers?
  • For functions that require usernames and/or passwords, does the executable contain a hard-coded credential string, indicating insider or advanced knowledge of the target?

Advanced Disassembly Analysis:
  • Automated code and data-flow analysis
  • More advanced functionality interpretation
    • IP addresses and domain names used
    • Debugger and sandbox avoidance
    • Command-and-control functionality
    • Hooking techniques
    • Arbitrary code execution
    • Host forensic artifacts
      • Registry settings
      • Temp files
      • Configuration files

Traditional Reverse Engineering of Malicious Binaries

Once we have given you the detailed behavior and intent information above, which comes from our malware triage technology and its correlation with host and network data, we run the binary in a controlled sandbox environment and perform traditional behavioral, static and dynamic analysis. We unpack the binary if necessary, using best-practice methods to bypass the malware’s defense mechanisms. A detailed report enumerates everything that can be gleaned from the sample, and we work with you to develop a remediation plan and to incorporate the threat profile into your monitoring process so that any recurrence of the malware is caught.