Malware Analysis

Contact us to request malware analysis products. We specialize in advanced analysis. Our primary focus areas include reverse engineering Command and Control (C2) network protocols, custom cryptographic routines, and building YARA rules based on unique code blocks we find while doing our deep-dive analysis.

Please provide a description of the level of analysis you are interested in, your expected time frame if you have one, whether the malware sample is in VirusTotal, and a hash (MD5 or SHA1) of the sample. We will review your request and get back to you to discuss the details.

Our analysis is typically sold in discrete blocks of time. The expected results are outlined below, but they are only guidelines. Every implant is different, and the results described are typical for an average implant. More advanced implants will take more time; less sophisticated implants will yield better results per unit of time.

  • 10 hours – For most implants, we can provide all Indicators of Compromise (IOCs) and a general overview of the capabilities at a 60% confidence level. This is our triage level, where we skim every function in the malware and provide an educated guess of its capability. Because it is a triage level, we don’t dig down into every instruction to verify accuracy to 100%. This can be thought of as an executive summary of the malware.
  • 20 hours – For most implants, we can provide all IOCs and a general overview of the capabilities at an 85% confidence level. This is our most popular level of analysis. At this level, we review every function to provide a relatively confident answer about the capability. We normally work through the C2 network protocol at this level, including building a simulated C2 server in Python. We use this simulator to exercise one command from start to finish to verify that no mistakes were made in the network protocol analysis. If there is a custom cryptographic routine, we may be able to reverse it in this package as well, depending on its complexity.
  • 30 hours – For most implants, we can provide a complete, deep-dive analysis at a 95% confidence level. We can usually reverse engineer the C2 network protocols and cryptographic routines and analyze all implant capabilities. Because of the additional time it takes to go from 95% to 100% accuracy, it is generally not productive to pursue the extra 5%. This level is what you would typically expect from an AV company’s deep-dive analysis report.