New FREE Tool from Minerva – Mystique, automatically extract malware infection markers

September 19, 2017


Minerva Research Team

Minerva is proud to officially release Mystique – a free, open-source tool for automatically extracting mutex infection markers from malware for vaccination. You can download the tool from https://github.com/MinervaLabsResearch/Mystique

Mystique, like all automation tools, saves incident response teams time and makes it possible to analyze a large volume of samples to derive infection vectors. One of the tool’s main benefits is that it makes it possible for organizations to derive infection markers even if they lack dedicated reverse engineering personnel, or if they need that personnel focused on the tasks that cannot be automated.

Mystique receives as input a malware sample and automatically generates a list of mutexes that can be used to immunize endpoints against the associated malware. You can learn more about the potential of vaccinating systems in the enterprise setting in our earlier blog post.

Minerva’s researcher, Dana Iosifovich, has written Mystique from scratch in Python. The tool relies on the open-source malware analysis sandbox Cuckoo to monitor how the specimen reacts to the creation of possible mutex-based infection markers.

Mystique has two main components:

  1. manager.py – script for submitting samples to the sandbox, managing artifacts that are suspected of being infection markers, and processing the analysis results.
  2. Cuckoo Mystique package – creates a single mutex object for each analysis on the guest analysis machine.

The user launches Mystique by specifying the malware sample to analyze:

Mystique will first “detonate” the sample in the sandbox without using its package, collecting information about the created and opened mutexes. The tool filters this listing against a whitelist of known benign mutexes. Mystique will then execute the sample in the sandbox repeatedly, pre-creating a single candidate mutex in each execution to observe whether the sample behaves differently when the potential infection marker is present in its environment.

In the next stage, Mystique collects key data that might suggest that the mutex is an infection marker, which means that its creation can prevent the malware from infecting the system. The output of this stage is a CSV file with details such as:

  1. Overall execution time
  2. Number of dropped files
  3. Number of created processes
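The baseline-versus-candidate comparison described above, as an added example that is not Mystique's own code: it filters the baseline mutex list against a whitelist, reads the three signals listed above from each Cuckoo report, and flags a mutex whose pre-creation makes the sample do markedly less. The JSON field names assume the Cuckoo 2.x report layout, the whitelist entries and the 50% cutoff are constructed assumptions, and the miniature reports are constructed, not real sandbox output.

```python
import json

# Constructed whitelist of benign mutex names; Mystique ships its own list (assumption).
BENIGN_MUTEXES = {"ShimCacheMutex", "Local\\ZonesCounterMutex", "_!MSFTHISTORY!_"}

def candidate_mutexes(baseline):
    """Mutexes created/opened in the plain detonation, minus known-benign names."""
    summary = baseline.get("behavior", {}).get("summary", {})
    return sorted(set(summary.get("mutex", [])) - BENIGN_MUTEXES)

def run_metrics(report):
    """The three signals the CSV carries: run time, dropped files, created processes."""
    return {
        "duration": float(report.get("info", {}).get("duration", 0)),
        "dropped": len(report.get("dropped", [])),
        "processes": len(report.get("behavior", {}).get("processes", [])),
    }

def is_infection_marker(baseline, with_mutex, cutoff=0.5):
    """Assumed rule: the pre-created mutex at least halves dropped files and
    created processes and shortens the run; the threshold is not Mystique's."""
    b, m = run_metrics(baseline), run_metrics(with_mutex)
    quieter = (m["dropped"] <= b["dropped"] * cutoff
               and m["processes"] <= b["processes"] * cutoff)
    return quieter and m["duration"] < b["duration"]

def rank_mutexes(baseline, runs):
    """runs maps each candidate mutex to the report of the run that pre-created it.
    Returns one CSV-style row per candidate with the metrics and the verdict."""
    rows = []
    for mutex in candidate_mutexes(baseline):
        if mutex in runs:
            rows.append({"mutex": mutex, **run_metrics(runs[mutex]),
                         "marker": is_infection_marker(baseline, runs[mutex])})
    return rows

# Constructed miniature reports in the Cuckoo 2.x JSON layout (not real sandbox output).
BASELINE = {"info": {"duration": 120.0},
            "behavior": {"summary": {"mutex": ["Global\\EXAMPLE_MARKER", "ShimCacheMutex"]},
                         "processes": [{}, {}, {}, {}]},
            "dropped": [{}, {}, {}, {}, {}, {}]}
RUNS = {"Global\\EXAMPLE_MARKER": {"info": {"duration": 3.0},
                                   "behavior": {"summary": {}, "processes": [{}]},
                                   "dropped": []}}

if __name__ == "__main__":
    print(json.dumps(rank_mutexes(BASELINE, RUNS), indent=2))
```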

If Mystique’s users supply their private VirusTotal API key, it will report some extra valuable intel in the CSV output file. Mystique will search for other samples that created the same mutex and report how many of them have a significantly high or low detection ratio. Using this extra intel, an analyst has additional evidence either that the tested mutex will prevent a lot of other in-the-wild malware besides the analyzed sample, or alternatively that it will break benign software.

Minerva tested Mystique against multiple families of common threats from last year. In many cases, the tool automatically provided infection markers that could have been life savers in incident response scenarios. For example, it took Mystique about 10 minutes to extract a mutex to vaccinate endpoints against the notorious WannaCry worm. Combined with Minerva’s new powerful Endpoint Malware Vaccination module, Mystique is a powerful addition to the defenders’ arsenal. To learn more about the notion of endpoint malware vaccination, join our webcast on this topic.