Abstract

ATT&CK framework has become a benchmark in the security domain. ATT&CK provides data about each technique used across different attack stages. Hachi was created to contribute to the ATT&CK community. Hachi is based on the radare2 framework and uses data provided by ATT&CK to map the symptoms of malware on ATT&CK matrix.

Following modules of Hachi make this tool a great addition to an analyst’s or company’s armaments:

Threat Intel: Hachi provides threat intelligence data like a possible parent campaign or author of a malware file. Malware behavior: It uncovers core malware behaviors using automated static analysis coupled with symbolic execution to explore multiple execution paths and maps it on ATT&CK matrix. Binary Emulation: In addition to symbolic execution, it also emulates the file and finds out possible behavior and side effects of the malware. RESTful API: Hachi provides RESTful API which enables this tool to seamlessly integrate with malware processing frameworks. Visualization: It allows for the creation of detailed visual reports. Integration with Threat Intel feeds: It can be integrated with different threat intelligence feeds for enhanced security or expanded insights. Multiplatform: Hachi analyses PE(Portable executable) as well as ELF files. *Side Effects Extraction: This tool also extracts side effects which the file may cause if executed on the system. The primary aim of this tool is to act as a force multiplier for the InfoSec community and aid the analysis of malware.