SANS Digital Forensics and Incident Response Blog

Automating Static Malware Analysis With MASTIFF

MASTIFF is an open source framework for automating static malware analysis. This tool, created by Tyler Hudak, determines the type of file that is being analyzed and then applies only the static analysis techniques that are appropriate for that file type. Being selective about the analysis techniques decreases the likelihood that an analysis tool will crash when examining an unfamiliar file type. It also decreases the amount of noise in the resulting analysis report. The framework includes a number of plugins for extracting useful details about suspicious files, and includes a queuing mechanism for handling many files in an organized and orderly manner.

You can install MASTIFF by following directions on its Github repository. The tool is already installed on the REMnux Linux distribution for reverse-engineering malware.

Consider a situation where you have a large set of suspicious files to examine. Before reverse-engineering them using behavioral or code-level techniques, you might want to scan them using MASTIFF to assess their nature and prioritize your next steps. You can do this by running MASTIFF's "" command, pointing the tool to its configuration file and the directory where your malware samples are located.

On REMnux, MASTIFF is configured to save the output of its analysis in the /var/log/mastiff directory. The tool will create a new subdirectory for every sample it examines, saving detailed analysis logs as well as extracting and saving any relevant data that it could obtain by using the appropriate analysis plugins.

As you can see in the example above, MASTIFF extracted lots of useful information about each file that it analyzed. In the case of kiwi.exe, it even carved out the certificate used to sign that malicious executable.

In addition to creating individual directories for each analyzed sample, MASTIFF also saves a listing of the analyzed files in a SQLite database, located on REMnux at /var/log/mastiff/mastiff.db. The database lists the MD5, SHA1, SHA256, and fuzzy hashes of the analyzed files and includes their file type. REMnux doesn't presently include a tool for reading the contents of a SQLite database, but you can easily install one using a command such as:

sudo apt-get install sqlitebrowser
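The two ideas the post describes, choosing analysis steps by file type (so an unfamiliar format is not fed to a parser that may crash on it) and recording each sample's hashes and type in a SQLite index, can be shown in a few dozen lines. The following Python is an added illustration and is not MASTIFF's own code nor taken from the SANS post: the table layout, the per-type checks, and the sample bytes are all constructed for the example (the "samples" are harmless synthetic headers, not real malware), and fuzzy hashing is left out because it needs the ssdeep library rather than the standard library.

```python
"""Type-selective triage index, in the spirit of MASTIFF (added example).

identify() reads magic bytes, triage() runs only the analyzer registered
for that type, and build_index() records hashes plus findings in SQLite.
Table layout and analyzers are assumptions, not MASTIFF's real schema.
"""
import hashlib
import json
import sqlite3
import struct

# Constructed, harmless sample bytes: a minimal DOS/PE header, a tiny PDF
# with an OpenAction and JavaScript, and a plain text file.
SAMPLES = {
    "kiwi.exe": (b"MZ" + b"\x00" * 58            # DOS header up to e_lfanew
                 + struct.pack("<I", 64)          # e_lfanew -> offset 64
                 + b"PE\x00\x00"                  # PE signature
                 + struct.pack("<H", 0x014c)      # Machine: i386
                 + b"\x00" * 18),
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                    b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >>\n%%EOF"),
    "notes.txt": b"just text\n",
}


def identify(data):
    """Return a coarse file type from leading magic bytes."""
    if data[:2] == b"MZ":
        return "PE"
    if data[:5] == b"%PDF-":
        return "PDF"
    if data[:4] == b"PK\x03\x04":
        return "ZIP"
    return "unknown"


def hashes(data):
    """MD5/SHA1/SHA256 of the raw bytes, as MASTIFF's index records them."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def analyze_pe(data):
    """Read the Machine field; refuse gracefully if the header is truncated."""
    if len(data) < 0x40:
        return {"error": "truncated DOS header"}
    e_lfanew = struct.unpack_from("<I", data, 0x3c)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"error": "PE signature not found"}
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {"machine": hex(machine)}


def analyze_pdf(data):
    """Flag the two PDF features an analyst usually wants to see first."""
    return {"javascript": b"/JavaScript" in data or b"/JS" in data,
            "open_action": b"/OpenAction" in data}


# Only types with a registered analyzer get type-specific checks;
# everything else is hashed and recorded, and nothing is run on it.
ANALYZERS = {"PE": analyze_pe, "PDF": analyze_pdf}


def triage(name, data):
    ftype = identify(data)
    findings = ANALYZERS.get(ftype, lambda _: {})(data)
    record = {"name": name, "type": ftype, "findings": findings}
    record.update(hashes(data))
    return record


def build_index(samples, conn=None):
    """Insert one row per sample into a (constructed) samples table."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS samples (name TEXT, type TEXT, "
                 "md5 TEXT, sha1 TEXT, sha256 TEXT, findings TEXT)")
    for name, data in samples.items():
        r = triage(name, data)
        conn.execute("INSERT INTO samples VALUES (?, ?, ?, ?, ?, ?)",
                     (r["name"], r["type"], r["md5"], r["sha1"], r["sha256"],
                      json.dumps(r["findings"])))
    conn.commit()
    return conn


def type_counts(conn):
    """Prioritisation view: how many samples of each type are queued."""
    return dict(conn.execute("SELECT type, COUNT(*) FROM samples GROUP BY type"))


if __name__ == "__main__":
    db = build_index(SAMPLES)
    for row in db.execute("SELECT name, type, sha256, findings FROM samples"):
        print(row)
    print(type_counts(db))
```

The same query you would run in sqlitebrowser against MASTIFF's own database (group by type, sort by hash) works against this index; point `build_index` at a dict read from your sample directory and swap the analyzers for the checks your workflow needs.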

The MASTIFF configuration file on REMnux is /etc/mastiff/mastiff.conf. You might want to tweak that file based on your requirements, for instance by adding your VirusTotal API key or by pointing it to your own collection of Yara rules.

Since MASTIFF is a framework, you have the opportunity to not only modify the existing analysis plugins, but also create your own. On REMnux, the plugins that are installed as part of MASTIFF are located in /usr/lib/python2.7/dist-packages/mastiff. You can add your own plugins by copying their files to /etc/mastiff.

For more examples of using MASTIFF for malware analysis, take a look at the article by TekTip demonstrating how MASTIFF can be combined with Maltrieve. Also check out their MASTIFF2HTML tool for examining MASTIFF results using a web interface.

Thanks to Tyler Hudak for creating MASTIFF!

Lenny Zeltser

Lenny Zeltser teaches malware analysis at SANS Institute and focuses on safeguarding customers' IT operations at NCR Corp. He is active on Twitter and writes a security blog.


Posted October 16, 2013 at 8:55 PM


You might consider throwing in this hashing tool into the mix as well.
We posted pehash source code: