Use Cases

Exalyze analyses your sample using many different techniques (metadata extraction, lightweight disassembly, Machoc hashing …). This lets you quickly get an overview of what the sample is doing and possibly find similar samples that are already known and reversed.

On this page, we would like to explain some use cases where we think Exalyze will be helpful!

Malware Triage

CERTs and SOCs often end up having to analyze samples in a very limited time to evaluate whether, and how, they need to respond to a threat. In those critical situations, time is of the essence, so we made our executable analysis algorithm super quick.

Within seconds, Exalyze automatically disassembles all the sample code, analyzes its functions and provides a summary of its important capabilities, so that response teams can quickly take action.

Our goal is to shrink the first 30 minutes of a reverse engineer's work down to a few seconds. For example, with Exalyze, you instantly get:

  • An overview of what the sample is doing, its call tree and the system calls it uses, based on our sequence extraction technology

  • A first identification of the observed TTPs

  • The ability to generate, with a single click, a Yara rule matching that sample

At Exatrack we use Exalyze on a daily basis in that scenario. It saves us the repetitive and time-consuming process of “getting to know a sample” (looking at strings, looking at the PE / ELF metadata, opening Ghidra to get an overview of the call tree…) and allows us to really focus on where our expertise brings value.

Threat Hunting

During threat hunting we often look for similar malware, to understand where the sample we’re working on comes from and to pivot on the hashes or metadata we can extract from it.

It is fairly common to encounter multiple variations / versions of a sample, and thanks to our change-resilient hashing and matching algorithms, we’re able to identify a sample's affiliation with a family. This gives us an edge in our attempt to discover the actor behind those samples.

With Exalyze you can search for code that partially matches a sample, which is useful for identifying code sharing between executables or the evolutions of a malware.

You can also search our database for other samples using the extracted metadata (hashes, PDBs, network identifiers).

Building a community to fight malware actors

CERT analysts or threat hunters often work on the same malware during the same time window; our goal is to connect them.

When two users submit a sensitive sample and those samples share more than 75% of their code, a match notification is sent to both submitters, asking whether they want to connect. Each of them can freely decide to accept and share a contact email, or to ignore it.

Speeding up reverse engineering

One of the first things that pops up in an Exalyze sample report is the entropy bitmap. With it you can quickly identify whether the sample is compressed/encrypted, and how much code, textual content or data structures it contains. For example, an entropy bitmap that is almost entirely red like this one tells you that the sample is probably packed and needs to be unpacked for a better analysis.
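To show what such an entropy bitmap measures, here is an added example that is not Exalyze's code: a fixed-window Shannon entropy over a constructed byte sequence, with each window labelled as padding, text, code-like or packed. The 512-byte window and the label thresholds are assumptions chosen for this illustration, and the sample bytes are constructed, not taken from a real binary.

```python
import hashlib
import math

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def classify(h: float) -> str:
    """Rough triage label for a window; the thresholds are an assumption for this example."""
    if h < 1.0:
        return "empty"   # zero padding, unused section space
    if h < 5.0:
        return "text"    # ASCII strings, import names, tables
    if h < 7.0:
        return "code"    # machine code and structured data
    return "packed"      # compressed or encrypted: the "red" windows

def entropy_bitmap(data: bytes, window: int = 512) -> list:
    """One (entropy, label) cell per fixed-size window, in file order."""
    cells = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        cells.append((round(h, 2), classify(h)))
    return cells

def packed_ratio(data: bytes, window: int = 512) -> float:
    """Fraction of windows labelled packed; near 1.0 means the bitmap is almost all red."""
    cells = entropy_bitmap(data, window)
    return sum(1 for _, lab in cells if lab == "packed") / len(cells) if cells else 0.0

# Constructed stand-in for a sample (not a real binary): zero padding, a string table,
# a mid-entropy region and a high-entropy payload built from SHA-256 output.
TEXT = (b"CreateFileA\x00WriteFile\x00VirtualAlloc\x00" * 15)[:512]
HIGH = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(64))
MID = bytes(b & 0x3F for b in HIGH[:512])        # 64-symbol alphabet, about 6 bits/byte
SAMPLE = b"\x00" * 512 + TEXT + MID + HIGH

if __name__ == "__main__":
    for idx, (h, lab) in enumerate(entropy_bitmap(SAMPLE)):
        print(f"0x{idx * 512:06x}  {h:4.2f}  {lab}")
    print(f"packed ratio: {packed_ratio(SAMPLE):.2f}")
```

A real triage run would feed the file bytes in place of SAMPLE and, as the page notes, treat a bitmap that is mostly "packed" as a cue to unpack before further analysis.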

You can then move on to our “capabilities” view, where we provide a list of what the sample can do, based on the various actions it performs or relies on.

Then, the sequence view highlights the important actions (logic, strings, system calls…) identified in the sample. In some cases (like this one), this view clearly tells you what a sample is supposed to do, without having to open a reverse engineering tool. Here, if we look at the function 0x42faec we can clearly see some of the commands this sample supports.

Finally, our similar-sample search lets you find binaries that share a significant portion of logic with the sample you’re looking at, so you can gain a better idea of what your executable is doing and identify its various predecessors / evolutions.