SANS Digital Forensics and Incident Response Blog

Automating Static Malware Analysis With MASTIFF

MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. Being selective about the analysis techniques decreases the likelihood that an analysis tool will crash when examining an unfamiliar file type. It also decreases the amount of noise in the resulting analysis report. The framework includes a number of plugins for extracting useful details about suspicious files, and includes a queuing mechanism for handling many files in an organized and orderly manner.

You can install MASTIFF by following directions on its author's blog. The tool is already installed on the REMnux Linux distribution for reverse-engineering malware starting with version 4 of the distro.

Consider a situation where you have a large set of suspicious files to examine. Before reverse-engineering them using behavioral or code-level techniques, you might want to scan them using MASTIFF to assess their nature and prioritize your next steps. You can do this by running MASTIFF's "" command, pointing the tool to its configuration file and the directory where your malware samples are located:

On REMnux, MASTIFF is configured to save the output of its analysis in the /var/log/mastiff directory. The tool will create a new subdirectory for every sample it examines, saving detailed analysis logs as well as extracting and saving any relevant data that it could obtain by using the appropriate analysis plugins.

As you can see in the example above, MASTIFF extracted lots of useful information about each file that it analyzed. In the case of kiwi.exe, it even carved out the certificate used to sign that malicious executable.

In addition to creating individual directories for each analyzed sample, MASTIFF also saves a listing of the analyzed files in a SQLite database, located on REMnux at /var/log/mastiff/mastiff.db. The database lists the MD5, SHA1, SHA256, and fuzzy hashes of the analyzed files and includes their file type. REMnux doesn't presently include a tool for reading the contents of a SQLite database, but you can easily install one using a command such as:

sudo apt-get install sqlitebrowser
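As an added example (not MASTIFF's own code, and not the schema of mastiff.db, whose column names are an assumption here), the script below mirrors the inventory step described above: it hashes every sample in a directory, assigns a coarse file type from its leading bytes, records the results in a SQLite table, and queries that table for duplicate samples so they can be dropped from the triage queue. The sample files and signature list are constructed for the demo.

```python
import hashlib
import os
import sqlite3
import tempfile

# Minimal magic-byte table (assumption: a small subset, not MASTIFF's detection logic).
SIGNATURES = [
    (b"MZ", "PE executable"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy Office)"),
    (b"PK\x03\x04", "ZIP container (OOXML/JAR/APK)"),
    (b"\x7fELF", "ELF executable"),
]

def detect_type(data):
    """Return a coarse file type from the leading bytes, or 'unknown'."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    return "unknown"

def hash_bytes(data):
    """MD5, SHA1 and SHA256 of a sample (fuzzy hashing needs ssdeep, omitted here)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def inventory(sample_dir, db_path):
    """Hash and type every file in sample_dir into SQLite; return (rows, duplicates)."""
    # List the samples before opening the database so the .db file is not hashed too.
    names = sorted(n for n in os.listdir(sample_dir) if os.path.isfile(os.path.join(sample_dir, n)))
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS samples (name TEXT, md5 TEXT, sha1 TEXT, sha256 TEXT, ftype TEXT)")
    for name in names:
        with open(os.path.join(sample_dir, name), "rb") as fh:
            data = fh.read()
        h = hash_bytes(data)
        con.execute("INSERT INTO samples VALUES (?, ?, ?, ?, ?)",
                    (name, h["md5"], h["sha1"], h["sha256"], detect_type(data)))
    con.commit()
    rows = con.execute("SELECT name, sha256, ftype FROM samples ORDER BY name").fetchall()
    # Samples sharing a SHA256 only need to be analyzed once.
    dups = con.execute("SELECT sha256, COUNT(*) FROM samples GROUP BY sha256 HAVING COUNT(*) > 1").fetchall()
    con.close()
    return rows, dups

def demo():
    """Write a constructed sample set to a temp directory and inventory it."""
    samples = {
        "a.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",   # constructed PE-like stub
        "b.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",                # constructed PDF header
        "c.bin": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",   # byte-for-byte copy of a.exe
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return inventory(d, os.path.join(d, "inventory.db"))
```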

An updated version of MASTIFF was made available shortly after the release of REMnux v4. You should upgrade (and slightly fix up) the version of MASTIFF before using it on REMnux v4. You can do this quite easily by following these steps, assuming your REMnux environment is connected to the Internet:
wget --no-check-certificate
cd mastiff-upgrade
sudo ./
cd ..
rm -rf mastiff-upgrade

The MASTIFF configuration file on REMnux is /usr/local/etc/mastiff.conf. You might want to tweak that file based on your requirements, for instance by adding your VirusTotal API key or by pointing it to your own collection of Yara rules:

Since MASTIFF is a framework, you have the opportunity not only to modify the existing analysis plugins, but also to create your own. On REMnux, the plugins that are installed as part of MASTIFF (assuming you've updated MASTIFF as outlined above) reside in /usr/local/lib/python2.7/dist-packages/mastiff-0.6.0-py2.7.egg/plugins.

For more examples of using MASTIFF for malware analysis, take a look at the article by TekTip demonstrating how MASTIFF can be combined with Maltrieve. Also check out their MASTIFF2HTML tool for examining MASTIFF results using a web interface.

To learn more about using and extending MASTIFF, download its installation archive and review the documentation in the "docs" subdirectory.

Thanks to Tyler Hudak for creating MASTIFF!

-- Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute. At the "day job," Lenny focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.


Posted October 16, 2013 at 8:55 PM


You might consider throwing this hashing tool into the mix as well.

We posted pehash source code:
