Supercharge your malware analysis workflow - Ryan Samaroo & Jean-Pierre Vigneault
Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.
↓ Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Supercharge-your-malware-analysis-workflow.pptx
↓ Paper: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/papers/Supercharge-your-malware-analysis-workflow.pdf
→ Details: https://www.virusbulletin.com/conference/vb2024/abstracts/supercharge-your-malware-analysis-workflow/
✪ PRESENTED BY ✪
• Ryan Samaroo (Canadian Centre for Cyber Security)
• Jean-Pierre Vigneault (Canadian Centre for Cyber Security)
✪ ABSTRACT ✪
Assemblyline is an MIT-licensed open-source scalable file triage and malware analysis system developed by the Canadian Centre for Cyber Security (CCCS).
This talk will highlight how Assemblyline is used by the CCCS to defend the Government of Canada’s computer networks and electronic information. Features of interest discussed in this presentation will include: load-balancing, caching, configurability, and the integration of popular open-source tools such as CAPE Sandbox, OleTools, Yara, EmlParser, and more. New features such as malware archiving and Yara retro-hunting will also be touched on.
The main content of the presentation will be a live demonstration of Assemblyline’s capabilities involving a malicious file seen in a recent global campaign. Aspects of the system will be highlighted, such as suspicious heuristics and scoring, tagging and pivoting, recursive file analysis, and potential password extraction. The presentation will wrap up with an overview of the REST API and Python client for post-analysis workflows such as data mining and automation.