10.23721/100/1504411
External Data Source
Dorothy2
IMPACT
2018
en
dorothy2, 1369, external, source, inferlink, inferlink corporation, external data source, corporation, analysis, framework, ruby, malware, written, botnet, os, sandbox, created, binary, shortly, guest, care, binaries, reverting, spawned, wait, other, timeout, versions, screenshots, network, composed, processes, environment, additionally, elements, investigation, behaviour, supported, comparing, main, language, type, improved, analyses, introduced, recognise, configured, pre, modular, static, profile, profiles, fixed, suspicious, baseline, list, version, execute, requested, extensions, system, delay, flexible, interactive, strengths, vm
1504411
1369
A malware/botnet analysis framework written in Ruby.
Dorothy2 is a framework created for suspicious binary analysis. Its main strengths are a very flexible modular environment, and an interactive investigation framework with a particular care of the network analysis. Additionally, it is able to recognise new spawned processes by comparing them with a previously created baseline. Static binary analysis and an improved system behaviour analysis will be shortly introduced in the next versions. Dorothy2 analyses binaries by the use of pre-configured analysis profiles. An analysis profile is composed by the following elements:
- A certain sandbox OS type
- A certain sandbox OS version
- A certain sandbox OS language
- A fixed analysis timeout (how long to wait before reverting the VM)
- The number of screenshots requested (and the delay between them)
- A list of the supported extensions, and how the guest OS should execute them