Cerberus

Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.

Cerberus Triage vs. Traditional Malware Analysis
Cerberus disassembles and simulates the functionality of a suspect binary without executing it. This first-pass analysis is valuable on two counts: it lets incident responders take decisive action sooner, and it reveals behavior and intent without the risk of triggering the anti-analysis defenses commonly built into malware, which a sandbox run could set off.

  • Stage one:

    The following first-level checks are run to quickly tally a threat score:

    • Version information embedded in the file
      • Product Name
      • Product Version
      • Company Name, etc.
    • Functions included in the Import Table, by category
      • Network
      • Process
      • Security
      • Registry
      • Dynamic Loading, etc.
    • Does the binary have high entropy (packed or obfuscated)?
    • Does the binary contain signatures of:
      • Internet Relay Chat ("IRC")
      • Shellcode
      • Cryptography ("Crypto")
    • Does the binary contain strings associated with autoruns (persistence)?
    • Digital Signature Verification
  • Stage two:

    Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data-flow analysis is performed without running the binary in a sandbox, and it does not rely on whitelists or signatures.

    Basic Disassembly Analysis:

    • Integrated disassembly engine
    • If the binary uses network functionality, which host(s) it may communicate with and over which protocol(s)
    • If the binary uses network functionality, can it bypass proxy servers?
    • For functions that require usernames and/or passwords, does the executable contain hard-coded credentials, suggesting insider or advanced knowledge of the target?
    • More advanced Functionality Interpretation
      • IP addresses and Domain Names Used
      • Debugger and Sandbox avoidance
      • Command and Control Functionality
      • Hooking Techniques
      • Arbitrary Code Execution
      • Host Forensic Artifacts
        • Registry Settings
        • Temp Files
        • Configuration Files
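The stage-one checks listed above (import-table categories, dynamic loading, entropy, IRC and crypto signatures, autorun strings) as a simplified, added illustration. This is not Cerberus code and not AccessData's scoring method; the API name lists, signature bytes, entropy threshold and weights are the author's assumptions, and the two input blobs are constructed inline rather than real samples. A production tool would parse the PE import directory and VERSIONINFO resource and verify the Authenticode signature; this example approximates the import check by scanning the raw bytes for ASCII API names, which is where an unpacked PE's import name table keeps them, and leaves version info and signature verification out.

```python
"""Simplified stage-one static triage of a suspect binary (added example)."""
import hashlib
import math
import struct

# Windows API names grouped the way the stage-one list groups them (assumed lists).
API_CATEGORIES = {
    "network": [b"WSAStartup", b"WSASocketA", b"gethostbyname", b"InternetOpenA",
                b"HttpSendRequestA", b"URLDownloadToFileA"],
    "process": [b"CreateProcessA", b"CreateRemoteThread", b"WriteProcessMemory",
                b"OpenProcess", b"VirtualAllocEx"],
    "security": [b"AdjustTokenPrivileges", b"OpenProcessToken", b"LookupPrivilegeValueA"],
    "registry": [b"RegOpenKeyExA", b"RegSetValueExA", b"RegCreateKeyExA"],
    "dynamic_loading": [b"LoadLibraryA", b"GetProcAddress"],
}
IRC_SIGNATURES = [b"PRIVMSG", b"NICK ", b"JOIN #", b"USER "]
AUTORUN_STRINGS = [b"CurrentVersion\\Run", b"CurrentVersion\\RunOnce",
                   b"\\Start Menu\\Programs\\Startup"]
# Crypto signatures: first four SHA-256 round constants as little-endian dwords
# (how x86 code would store them) and the first bytes of the AES forward S-box.
CRYPTO_SIGNATURES = {
    "sha256_k": struct.pack("<4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "aes_sbox": bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]),
}
ENTROPY_THRESHOLD = 7.0  # assumption: bits/byte level typical of packed or encrypted data
WEIGHTS = {"network": 2, "process": 3, "security": 2, "registry": 1, "dynamic_loading": 1,
           "irc": 3, "crypto": 1, "autorun": 3, "high_entropy": 2}  # assumed weights


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for all-identical bytes, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Tally stage-one style indicators found in the raw bytes and return a score."""
    findings = {}
    for category, names in API_CATEGORIES.items():
        hits = [n.decode() for n in names if n in data]
        if hits:
            findings[category] = hits
    irc = [s.decode().strip() for s in IRC_SIGNATURES if s in data]
    if irc:
        findings["irc"] = irc
    crypto = [label for label, sig in CRYPTO_SIGNATURES.items() if sig in data]
    if crypto:
        findings["crypto"] = crypto
    autorun = [s.decode() for s in AUTORUN_STRINGS if s in data]
    if autorun:
        findings["autorun"] = autorun
    entropy = shannon_entropy(data)
    findings["entropy"] = round(entropy, 2)
    findings["high_entropy"] = entropy >= ENTROPY_THRESHOLD
    # Each indicator category contributes its weight once, however many hits it has.
    score = sum(w for key, w in WEIGHTS.items() if findings.get(key))
    return {"score": score, "findings": findings}


# Constructed stand-ins for a suspect file; neither is a real binary.
# "Unpacked" blob: a fake header, null-separated import names and strings, SHA-256 constants.
SAMPLE_UNPACKED = (
    b"MZ" + b"\x00" * 62
    + b"\x00".join([b"WSAStartup", b"gethostbyname", b"InternetOpenA", b"CreateRemoteThread",
                    b"WriteProcessMemory", b"RegSetValueExA", b"LoadLibraryA", b"GetProcAddress",
                    b"PRIVMSG #botnet :", b"NICK ",
                    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"])
    + b"\x00" * 128 + CRYPTO_SIGNATURES["sha256_k"]
)
# "Packed" blob: 4096 deterministic pseudo-random bytes, so every string check misses
# and only the entropy check fires, which is the typical triage result for a packed sample.
SAMPLE_PACKED = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    for name, blob in (("unpacked", SAMPLE_UNPACKED), ("packed", SAMPLE_PACKED)):
        print(name, triage(blob))
```

Note what the two results mean together: the packed blob scores low on every string check, so a low score with high entropy is not "clean", it is "needs unpacking before stage one says anything useful".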