polichombr: Collaborative malware analysis framework

Polichombr

This tool aims to provide a collaborative malware analysis framework. It was originally presented at SSTIC 2016,

Analysis platform

Polichombr is designed to help analysts to reverse malware, as a team. It provides an engine to automate the analysis tasks, and identify hotpoints in the binary, a script to collaborate during the reverse of binaries, and can be used to store and manage pieces of information about malware families.

Taking notes right from IDA

screenshot

Plugins / tasks

Tasks are loaded from the app/controllers/tasks directory and must inherit from the Task object. In particular, several tasks are already implemented:

  • AnalyzeIt, a ruby script based on metasm, which is used to identify interesting points in the binary. The goal is to help the analyst by giving hints about where to start. For example, we try to identify crypto loops, functions which call sensitive API (file, process, network, …)
  • Peinfo: We load the PE metadata with the peinfo library.
  • Strings: extract ASCII and Unicode strings

Signatures

We use several signature models to classify malware:

  • Yara
  • imphash
  • Machoc

Machoc

Machoc is a CFG-based algorithm to classify malware. For more information, please refer to this paper.

Skelenox

This is an IDAPython script, which is used to synchronize the names and comments with the knowledge base, and with other users database

Install

Usage

Example

Scripts under the folder examples permit some basic actions for a Polichombr instance.

Generic sample information

screenshot

Family/Threat overview

screenshot

Online disassembly

screenshot

Share IDA Pro information from the WebUI / directly to other users

screenshot

Automated hotpoints detection

screenshot

Tutorial

Source: https://github.com/ANSSI-FR/

Share