Hiding in Plain Sight: An Empirical Study of Web Application Abuse in Malware
MARSEA is an extensible concolic analysis framework built on top of S2E. To gain a general understanding of how concolic analysis works, please read the S2E documentation.
Before working with MARSEA, please read the accompanying paper to gain a thorough understanding of the tool and its potential extensions.
For detailed deployment steps, refer to the README files for s2e_win and s2e_linux.
This repository includes a malware sample named Razy. This section demonstrates how to use MARSEA to analyze it.
1. Copy your `custom-hook.dll` from the Windows machine to the `s2e_template` folder. For instructions on generating `custom-hook.dll`, refer to `s2e_win`.
2. Unzip the Razy sample.
3. Activate the S2E environment. For activation instructions, refer to `s2e_linux`. Since `pipeline.py` depends on `tqdm`, install it by executing `pip install tqdm`.
4. Start the pipeline to analyze the unzipped file by executing `python pipeline.py -e [s2e_template] -s [sample_path] --run`, where `s2e_template` points to the absolute path of the `s2e_template` folder on your system, and `sample_path` points to the absolute path of the unzipped sample.
5. When the analysis is complete, you should see output similar to the following:
```
Analysis Done!
{'JS': {'twitter.com/pidoras6': ['WinHttpReadData',
                                 'StrStr',
                                 'WinHttpCrackUrl']},
 'FU': {'virustotal.com': ['WinHttpSendRequest']}}
```
The demo video can be found here
The purpose of this section is to explain the output of this demo, which will help users verify the results generated by MARSEA.
1. Users should locate the `debug.txt` file in `$S2EDIR/projects/[sample_name]/s2e-last` or in its subfolders (if MARSEA was run in multiprocessing mode).
2. Users should find the line containing the keywords `[W] WinHttpCrackUrl`. This line should contain a print that looks like `tag_in:CyFi_StrStrA`, followed by a number (e.g., 5). This indicates that MARSEA found that the argument passed to `WinHttpCrackUrl` originates from `StrStrA`.
3. By searching backward for `tag_out:CyFi_StrStrA5`, users should locate the `StrStrA` function call.
4. If that line also contains `tag_in`, users can use the new tag to repeat step 3 until the information source is found.
5. In this demo, users should be able to determine that the source of `WinHttpCrackUrl` is `WinHttpReadData`, which is associated with the connection to `twitter.com/pidoras6`.
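The backward search in steps 2 through 4 can be automated. The script below is an added example and is not part of the MARSEA repository; it parses a constructed `debug.txt` excerpt, matches each `tag_in` on a hook line to the earlier line carrying the same `tag_out`, and follows the chain until it reaches a line with no `tag_in` (the information source). The exact layout of a hook line (`[W] <API> ... tag_in:... tag_out:...`) is an assumption pieced together from the fragments quoted above; the real `debug.txt` carries more fields, so the regular expressions only look for the `[W]` prefix and the `tag_in:`/`tag_out:` markers and ignore everything else.

```python
"""Trace a MARSEA tag chain backwards through debug.txt (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample of debug.txt lines. The line layout is an ASSUMPTION
# based on the README fragments "[W] WinHttpCrackUrl", "tag_in:CyFi_StrStrA5"
# and "tag_out:CyFi_StrStrA5"; real output contains additional fields.
SAMPLE_DEBUG_TXT = """\
[W] WinHttpConnect host=twitter.com tag_out:CyFi_WinHttpConnect2
[W] WinHttpSendRequest tag_out:CyFi_WinHttpSendRequest3
[W] WinHttpReadData url=twitter.com/pidoras6 tag_out:CyFi_WinHttpReadData4
[W] StrStrA tag_in:CyFi_WinHttpReadData4 tag_out:CyFi_StrStrA5
[W] WinHttpCrackUrl tag_in:CyFi_StrStrA5 tag_out:CyFi_WinHttpCrackUrl6
"""

API_RE = re.compile(r"^\[W\]\s+(\w+)")        # hook line: "[W] <API name>"
TAG_IN_RE = re.compile(r"tag_in:(CyFi_\w+)")   # e.g. tag_in:CyFi_StrStrA5
TAG_OUT_RE = re.compile(r"tag_out:(CyFi_\w+)")  # e.g. tag_out:CyFi_StrStrA5


@dataclass
class HookRecord:
    line_no: int
    api: str
    text: str
    tags_in: list = field(default_factory=list)
    tags_out: list = field(default_factory=list)


def parse_debug_log(text):
    """Keep only the '[W] <API>' hook lines and extract their tags."""
    records = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = API_RE.match(line)
        if not m:
            continue  # S2E prints plenty of unrelated lines; skip them
        records.append(HookRecord(
            line_no=line_no,
            api=m.group(1),
            text=line,
            tags_in=TAG_IN_RE.findall(line),
            tags_out=TAG_OUT_RE.findall(line),
        ))
    return records


def find_producer(records, tag, before_index):
    """Step 3 of the README: search backward for the line whose tag_out is `tag`."""
    for idx in range(before_index - 1, -1, -1):
        if tag in records[idx].tags_out:
            return idx
    return None  # no earlier producer: the log excerpt is incomplete


def trace_sources(records, sink_api):
    """Return every chain of API names from the last `sink_api` call back to
    its information sources (hook lines with no tag_in). Each tag_in is
    followed separately, so branching data flows are all reported."""
    sink_idx = next((i for i in range(len(records) - 1, -1, -1)
                     if records[i].api == sink_api), None)
    if sink_idx is None:
        return []

    chains = []

    def walk(idx, path):
        rec = records[idx]
        path = path + [rec.api]
        if not rec.tags_in:
            chains.append(path)  # step 4 terminates: this is a source
            return
        for tag in rec.tags_in:
            producer = find_producer(records, tag, idx)
            if producer is None:
                chains.append(path + [f"<unresolved {tag}>"])
            else:
                walk(producer, path)

    walk(sink_idx, [])
    return chains


if __name__ == "__main__":
    for chain in trace_sources(parse_debug_log(SAMPLE_DEBUG_TXT), "WinHttpCrackUrl"):
        print(" <- ".join(chain))
```

On the constructed sample this prints `WinHttpCrackUrl <- StrStrA <- WinHttpReadData`, matching the conclusion of step 5; running it on a real `debug.txt` means replacing `SAMPLE_DEBUG_TXT` with the file contents and, if the hook line format differs, adjusting `API_RE`. An `<unresolved ...>` entry in a chain indicates a `tag_in` whose producer line is missing from the excerpt, which is the case to check first when MARSEA was run in multiprocessing mode and the relevant line sits in a different subfolder.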