Mystique: vaccinate endpoints against malware
Mystique
Mystique may be used to discover infection markers that can be used to vaccinate endpoints against malware. It takes a malicious sample as input and automatically generates a list of mutexes that could be used as “vaccines” against the sample (if there are any).
The concept implemented by Mystique is not new: an academic paper describing a similar framework as a proof of concept was released over five years ago by researchers from the FKIE. Mystique, however, is an open source tool that is fully compatible with the widely used and easy to set up Cuckoo Sandbox.
Mystique is written in Python and integrates with the Cuckoo Sandbox to “detonate” the user-supplied specimen in a controlled environment and observe the mutex objects it creates and their effect on the malicious program. After listing the mutexes that appear during the first detonation, Mystique adjusts the sandbox so that the likely infection-marker mutexes already exist, then runs the same sample again. It then examines the second Cuckoo report to determine whether the pre-existing mutex changed the sample’s execution flow.
Mystique tracks the specimen’s execution time to determine whether it has decreased dramatically. It also checks whether the number of dropped files or launched processes has changed. On the basis of the tool’s output, together with additional artifacts from Cuckoo’s report such as the number of API calls or a call to exit() right after the mutex error, the analyst can decide whether the generated mutex can be used as a vaccine. To minimize execution time and to ease the analyst’s work, Mystique includes a list of common non-malicious mutex objects; after the first execution of the malware it checks the observed mutexes against this whitelist to avoid false positives.
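The analysis half of the workflow described above (whitelist the mutexes from the first run, rerun with the marker pre-created, compare the two Cuckoo reports) as an added example. This is not Mystique’s own code: the report layout (`info.duration`, `dropped`, `behavior.summary.mutex`, `behavior.processes[].calls[]` with `api`, `arguments.mutex_name` and `last_error`) is assumed to follow Cuckoo 2.x conventions, and the whitelist, the mutex name `Global\ExampleLockerInstance`, the two report dicts and the 0.5 / “two signals” thresholds are constructed for illustration.

```python
"""Added example, not Mystique's own code: compare a plain Cuckoo run with
a run in which the suspected marker mutex already existed, and decide
whether the mutex is a vaccine candidate. Report layout is assumed
(Cuckoo 2.x style); all sample data below is constructed."""

ERROR_ALREADY_EXISTS = 183  # Win32 last-error CreateMutex sets for an existing name
MUTEX_APIS = {"CreateMutexA", "CreateMutexW", "NtCreateMutant"}
EXIT_APIS = {"ExitProcess", "NtTerminateProcess"}

# Constructed whitelist of mutexes benign Windows components create;
# Mystique ships its own list, this one only illustrates the filtering step.
BENIGN_MUTEXES = {"ShimCacheMutex", "Local\\ZonesCounterMutex", "Local\\!IETld!Mutex"}


def mutexes_from_report(report):
    """Mutex names recorded in the report's behaviour summary."""
    summary = report.get("behavior", {}).get("summary", {})
    # Cuckoo 2.x uses "mutex"; older reports used "mutexes" (assumption).
    return set(summary.get("mutex") or summary.get("mutexes") or [])


def candidate_markers(report, whitelist=BENIGN_MUTEXES):
    """Mutexes seen in the first detonation that are not known-benign."""
    return sorted(mutexes_from_report(report) - whitelist)


def run_metrics(report):
    """Counters compared between the plain run and the vaccinated run."""
    procs = report.get("behavior", {}).get("processes", [])
    return {
        "duration": report.get("info", {}).get("duration", 0),
        "dropped": len(report.get("dropped", [])),
        "processes": len(procs),
        "api_calls": sum(len(p.get("calls", [])) for p in procs),
    }


def exits_after_mutex_error(report, marker):
    """True if a process got ERROR_ALREADY_EXISTS for `marker` and then
    terminated itself within the next few API calls."""
    for proc in report.get("behavior", {}).get("processes", []):
        calls = proc.get("calls", [])
        for i, call in enumerate(calls):
            if (call.get("api") in MUTEX_APIS
                    and call.get("arguments", {}).get("mutex_name") == marker
                    and call.get("last_error") == ERROR_ALREADY_EXISTS):
                tail = [c.get("api") for c in calls[i + 1:i + 4]]
                if any(api in EXIT_APIS for api in tail):
                    return True
    return False


def evaluate_vaccine(baseline, vaccinated, marker, min_ratio=0.5):
    """Decide whether pre-creating `marker` changed the execution flow.
    Requiring two independent signals is an assumed heuristic, not Mystique's."""
    b, v = run_metrics(baseline), run_metrics(vaccinated)

    def ratio(key):
        return (v[key] / b[key]) if b[key] else 1.0

    signals = {
        "runs_much_shorter": ratio("duration") < min_ratio,
        "fewer_dropped_files": v["dropped"] < b["dropped"],
        "fewer_processes": v["processes"] < b["processes"],
        "far_fewer_api_calls": ratio("api_calls") < min_ratio,
        "exit_after_mutex_error": exits_after_mutex_error(vaccinated, marker),
    }
    verdict = "vaccine candidate" if sum(signals.values()) >= 2 else "no effect"
    return verdict, signals


# Constructed reports standing in for two Cuckoo runs of the same sample.
MARKER = "Global\\ExampleLockerInstance"  # made-up infection marker
BASELINE_REPORT = {
    "info": {"duration": 118},
    "dropped": [{"name": "payload.dll"}, {"name": "updater.exe"}],
    "behavior": {
        "summary": {"mutex": ["ShimCacheMutex", MARKER]},
        "processes": [
            {"pid": 1204, "calls": [
                {"api": "CreateMutexW", "arguments": {"mutex_name": MARKER}, "last_error": 0},
                {"api": "CreateFileW", "arguments": {}, "last_error": 0},
                {"api": "WriteFile", "arguments": {}, "last_error": 0},
                {"api": "CreateProcessInternalW", "arguments": {}, "last_error": 0},
            ]},
            {"pid": 1388, "calls": [{"api": "InternetOpenW", "arguments": {}, "last_error": 0}]},
        ],
    },
}
VACCINATED_REPORT = {  # same sample, marker mutex pre-created in the sandbox
    "info": {"duration": 3},
    "dropped": [],
    "behavior": {
        "summary": {"mutex": ["ShimCacheMutex", MARKER]},
        "processes": [{"pid": 1552, "calls": [
            {"api": "CreateMutexW", "arguments": {"mutex_name": MARKER},
             "last_error": ERROR_ALREADY_EXISTS},
            {"api": "ExitProcess", "arguments": {}, "last_error": 0},
        ]}],
    },
}

if __name__ == "__main__":
    print("candidate markers:", candidate_markers(BASELINE_REPORT))
    print(evaluate_vaccine(BASELINE_REPORT, VACCINATED_REPORT, MARKER))
```

On real reports the thresholds need tuning: a sample that sleeps or waits on the network can shorten its run for reasons unrelated to the mutex, which is why the verdict leans on several signals and the analyst still reviews the call trace around the CreateMutex error.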
Copyright (C) G4lB1t