Hackers of India

F.R.I.D.A.Y

Shyam Sundar Ramaswami

2020/03/06

Abstract

In this cyber world, the perfect phrase to describe malware hunting is "Catch me if you can?". Well, this is a cat-and-mouse game: the researcher wins the first time and the malware authors the next.

Confining malware, running it in a sandbox and studying it has been common practice. Malware authors decided to burst the bubble by evading sandboxes, either by exhibiting different behaviour or by staying quiet. The malware author knows how sandboxes operate, and that intelligence is passed on to the malware.

New-age malware like Trickbot, Ryuk ransomware, Paradise and Anatova all detect, study and evade sandboxes. The moment it detects a sandbox, it either calls out to noise C&C domains or does not execute. F.R.I.D.A.Y was built to detect and extract the exact behaviours of such malware.

F.R.I.D.A.Y does the following:

- Points out what specific processes or services the malware kills to evade sandboxes.
- Sniffs packed malware and uses a concept called "remote triggering": this fools the malware into running on a box with none of the usual tools while capturing every detail about it; it monitors and extracts IOCs such as the process ID, loaded DLLs, unsigned DLLs and even the memory address of each loaded DLL.
- Extracts domains from unpacked files, runs them against open-source threat intel, and even takes them to a machine, runs them, captures screenshots of the C&C and gives suggestions on which domains can be blocked.
- Predicts what sort of DLL or process injection the malware is up to, so that we can look in the right spots in memory for malicious DLLs.
- Brings the time to investigate a malware sample or make a decision on it down from 25 minutes to 5 minutes.
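The domain-extraction step described above (pull hostnames out of an unpacked sample, check them against open-source threat intel, and separate block candidates from hosts that still need review) can be illustrated with a small Python example. This is an added example written for this page, not F.R.I.D.A.Y's own code: the sample bytes, the threat-intel dictionary and the abridged TLD allowlist are all constructed here, and a real tool would use the Public Suffix List and a live feed instead.

```python
from __future__ import annotations

import re

# Constructed stand-in for a memory dump of an unpacked sample: an HTTP beacon,
# a download URL, imported module names (which look like domains to a naive
# extractor) and a UTF-16LE string, as Windows binaries commonly store them.
UNPACKED_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"POST /gate.php HTTP/1.1\r\nHost: update-check.example-bad.com\r\n\x00"
    + b"kernel32.dll\x00GetProcAddress\x00"
    + b"https://cdn.example-bad.net/payload.bin\x00\x00"
    + "www.microsoft.com".encode("utf-16-le") + b"\x00\x00"
    + b"ntdll.dll\x00"
)

# Constructed stand-in for an open-source threat-intel feed: domain -> tag.
THREAT_INTEL = {
    "update-check.example-bad.com": "trickbot-c2",
    "cdn.example-bad.net": "payload-host",
}

# Abridged, constructed allowlist of public TLDs (a real tool would use the
# Public Suffix List); it separates hostnames from module names like kernel32.dll.
KNOWN_TLDS = {"com", "net", "org", "io", "info", "ru"}

# Hostname shape: dotted labels of letters, digits and hyphens, not glued to
# surrounding text, ending in an alphabetic TLD.
DOMAIN_RE = re.compile(
    r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})(?![A-Za-z0-9.-])"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII and UTF-16LE runs, as a strings tool would report them."""
    ascii_re = rb"[\x20-\x7e]{%d,}" % min_len
    wide_re = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    runs = [r.decode("ascii") for r in re.findall(ascii_re, data)]
    runs += [r.decode("utf-16-le") for r in re.findall(wide_re, data)]
    return runs


def extract_domains(data: bytes) -> set[str]:
    """Hostname-shaped strings whose last label is a known public TLD."""
    domains: set[str] = set()
    for s in extract_strings(data):
        for candidate in DOMAIN_RE.findall(s):
            host = candidate.lower()
            if host.rsplit(".", 1)[-1] in KNOWN_TLDS:
                domains.add(host)
    return domains


def triage(data: bytes, intel: dict[str, str]) -> dict[str, object]:
    """Split extracted domains into intel hits (block candidates) and unknown
    hosts that need analyst review before any block decision is made."""
    domains = extract_domains(data)
    return {
        "block": {d: intel[d] for d in sorted(domains) if d in intel},
        "review": sorted(d for d in domains if d not in intel),
    }


if __name__ == "__main__":
    result = triage(UNPACKED_SAMPLE, THREAT_INTEL)
    for host, tag in result["block"].items():
        print(f"BLOCK  {host}  ({tag})")
    for host in result["review"]:
        print(f"REVIEW {host}")
```

Two details matter in practice: module names such as `kernel32.dll` and path components such as `payload.bin` match a naive hostname regex, so the TLD check is what keeps the DLL list out of the C&C list; and a wide string that directly follows a NUL-terminated ASCII string can pick up the ASCII string's last byte, which is why real dumps produce odd "nwww.example.com"-style artifacts that an analyst should recognise rather than block.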