Abstract
Malware analysis is a long process, and one that is not well understood by most IT professionals. Many corporate environments have no dedicated malware analyst, so a member of the general IT staff may have to perform some preliminary analysis of a suspicious binary. PyTriage was written for exactly that situation.
The tool provides a simple interface for preliminary static analysis of a binary. One of its features is hash generation in several formats: currently MD5, SHA1 and ssdeep (fuzzy hashing), and more can be added easily. It also recognises file types from their leading bytes ("file magic"), so the analyst can be sure what kind of file they are dealing with before starting detailed analysis, whatever the file extension claims. PyTriage has some PE dissection capabilities as well: it splits the PE into its sections and displays each section's information along with its hash and size. One can also inspect the imported DLLs and the exported functions, which hint at what the binary does. It generates signatures in two formats, one for the open source pattern-matching tool YARA and one for the ClamAV antivirus engine. PyTriage can also submit the file through the VirusTotal API to check whether antivirus vendors have already detected it (note that a submitted sample is shared with VirusTotal and its partners, so this step should be skipped for files that must not leave the organisation). Finally, a report generation feature produces a concise report of the findings.
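As an added illustration of the static triage steps described above (this is example code written for this page, not PyTriage's own source), the script below computes file hashes, identifies the file type from its magic bytes, walks the PE section table with bounds checks and hashes each section, and emits a hash-based YARA rule and a ClamAV .hdb line. It uses only the Python standard library: ssdeep is omitted because it needs a third-party module, and import/export parsing is omitted to keep the example short. The sample PE is constructed inline (it is a header skeleton, not a runnable program), and the signature names and the small magic table are assumptions for this example.

```python
"""Minimal static triage: hashes, magic-based file type, PE section table
with per-section hashes, and YARA / ClamAV hash signatures."""
import hashlib
import json
import struct

# Small magic-byte table (constructed for this example; a real tool would
# use libmagic or a much longer list).
MAGIC = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
]


def file_type(data):
    """Identify a file by its leading bytes, never by its extension."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def hashes(data):
    """MD5/SHA1/SHA256 digests (ssdeep would need the third-party module)."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def pe_sections(data):
    """Parse the PE section table and hash each section's raw bytes.

    Every offset is bounds-checked: malformed headers are common in malware,
    and a parser that trusts them will crash on the analyst's machine.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size     # read the size field, never assume 0xE0/0xF0
    sections = []
    for i in range(nsec):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        if rptr + rsize > len(data):
            raise ValueError("section %r points outside the file" % name)
        raw = data[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rsize, "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "sections": sections}


def yara_rule(data, name="pytriage_sample"):
    """Whole-file hash rule using YARA's built-in 'hash' module."""
    h = hashes(data)
    return ('import "hash"\nrule %s {\n    meta:\n        sha1 = "%s"\n'
            '    condition:\n        filesize == %d and hash.md5(0, filesize) == "%s"\n}\n'
            % (name, h["sha1"], len(data), h["md5"]))


def clamav_hdb(data, name="PyTriage.Sample"):
    """One line in ClamAV's .hdb format: MD5:FileSize:MalwareName."""
    return "%s:%d:%s" % (hashes(data)["md5"], len(data), name)


def triage(data):
    """Assemble the preliminary report as a plain dict (easy to render or dump)."""
    report = {"type": file_type(data), "size": len(data), **hashes(data)}
    if report["type"].startswith("PE"):
        report["pe"] = pe_sections(data)
    report["yara"] = yara_rule(data)
    report["clamav"] = clamav_hdb(data)
    return report


def build_sample_pe():
    """Construct a tiny PE header skeleton (constructed input, not runnable code)."""
    def section_header(name, size, vaddr, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections
    text, rdata = b"\x55\x89\xe5\x90" * 4, b"hello\0\0\0"
    text_ptr = pe_off + 24 + 40 * 2            # SizeOfOptionalHeader is 0 here
    hdr = dos + b"PE\0\0" + coff
    hdr += section_header(b".text", len(text), 0x1000, text_ptr)
    hdr += section_header(b".rdata", len(rdata), 0x2000, text_ptr + len(text))
    return hdr + text + rdata


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_pe()), indent=2))
```

Run it as-is to see the report for the constructed sample, or replace `build_sample_pe()` with the bytes of a real file. The YARA rule matches on file size plus MD5, so it only catches byte-identical copies; that is deliberate for a first-pass signature, and the section hashes give the analyst something to pivot on when the whole-file hash changes.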
All of this is available through an easy-to-use GUI, so newcomers to malware analysis can get started quickly. The presentation will also look at how to write plugins for the tool, so that attendees can contribute and improve it.