The last version of Dorothy introduces lots of improvements.
As first, a new analysis mode has been inserted: the manual analysis.
If Dorothy is executed with the -m parameter, it will fetch the malware, copy it in the sandbox, start the sniffer and pause the whole execution flow waiting for the analyst next action. This flow-controller allows the analyst to log into the sandbox (through RDP for example), and prepare it for ad-hoc runtime scenarios. Or simply to “watch” the system’s behavior once the malicious binary is executed. When Dorothy is executed in this way, the multi-threading is obviously disabled, so one malware at time. Finally, while manual analysis, an interactive console will be prompted by allowing the analyst to control the other Dorothy’s modules/actions e.g. Take screenshot, Save the running processes, etc.
I found it very handy for ad-hoc scenarios, or simply for malware analysis presentations/demos.
BTW: The next version of Dorothy will spawn a VNC session, and connect to the sandbox via the VMWare VNC port (in this way, the network sniffer wont see usual RDP traffic).
Next, Dorothy is now able to detect new spawned processes. Its approach is completely off-the-box and relies on the very basic forensic technique: compare the processes in execution with the ones taken during a “baseline” analysis.
The “baseline” analysis is the novelty of this version. During the first configuration of Dorothy the analyst is driven to make the “baseline” of his sandboxes (currently, is supposed that all the sandboxes are the same i.e. same OS, running process).
Once completed, the baseline analysis will create a yaml file into the Dorothy’s folder, with all the processes in execution among all their details e.g. Creation date, exit Code, etc.
In the future, Dorothy may use this technique to calculate also the filesystem modifications (there is already a method coded into its libs).
Thus, a new table has been created into Dorothive in order to store all the processes information. So if you are upgrading Dorothy from a past version, be sure to read the UPDATE file.
Another important improvement introduced is the extensions file. In order to instruct the sandbox about how to execute the fetched binaries, the analyst can now edit the extenions.yml file and decide how to manage them – e.g. Open PDF file with certain version of Acrobat, Execute exe with certain parameters, and so on.
Lastly, lot of improvements have been made to the code, and now is more readable and reliable.
That’s all for the moment, hope you will enjoy the new version of Dorothy!