Labels: Complexity: High; Impact: High; Spike (a small chunk of work with the objective of gathering information).
Description
Spike
Objective
A common way of detecting malware is to search for strings in the binary. It could improve the fidelity of malware emulation if strings (or other data) could be injected into the agent binary at runtime by the island. The objective of this spike is to prototype an approach for injecting data into pyinstaller binaries.
Approach and Considerations
Based on some simple testing, it appears that arbitrary data can be appended to the end of an executable (Linux or Windows) with no ill effects. More thorough testing is required.
Strings should be separated with null characters.
Testing the PoC
- Collect a set of YARA rules based on strings, such as those found in [1] and [2]
- Inject/append strings to the binary
- Run YARA against the modified agent binary and verify that YARA identifies the binary as the expected malware.
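As an added example (not code from the issue or the project), a small Python script for the three steps above: it appends a NUL-separated string block to a copy of the binary, checks that the original bytes are untouched, reports which strings a simple scan finds, and emits a YARA rule for the same strings so the modified copy can be checked with `yara`. The marker strings and the stand-in "binary" are constructed; point `append_block` at the real agent executable to test it.

```python
import os
import tempfile

# Constructed stand-in strings (not real malware indicators) for a string-based YARA rule.
SAMPLE_STRINGS = ["CONSTRUCTED_MARKER_ONE", "constructed/marker/two", 'Marker "three"']

def build_string_block(strings):
    """Encode the strings as a NUL-separated block, one NUL after each string."""
    return b"".join(s.encode("utf-8") + b"\x00" for s in strings)

def append_block(src_path, dst_path, block):
    """Write a copy of src_path with block appended; return the offset the block starts at."""
    with open(src_path, "rb") as src:
        original = src.read()
    with open(dst_path, "wb") as dst:
        dst.write(original)
        dst.write(block)
    return len(original)

def original_bytes_intact(src_path, dst_path):
    """True when the modified file is exactly the original followed by extra bytes."""
    with open(src_path, "rb") as src, open(dst_path, "rb") as dst:
        original, modified = src.read(), dst.read()
    return len(modified) > len(original) and modified[: len(original)] == original

def yara_rule_for_strings(rule_name, strings):
    """Emit YARA rule text that fires only when every string is present in the file."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = [f"rule {rule_name}", "{", "    strings:"]
    lines += [f'        $s{i} = "{esc(s)}"' for i, s in enumerate(strings)]
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)

def strings_present(path, strings):
    """Python approximation of the rule above: which strings occur anywhere in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return {s: s.encode("utf-8") in data for s in strings}

def demo():
    """Round-trip on a constructed stand-in binary; returns (offset, prefix_intact, present)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "agent_original"), os.path.join(tmp, "agent_injected")
        with open(src, "wb") as f:
            f.write(b"\x7fELF" + bytes(range(256)))  # constructed bytes, not a real executable
        offset = append_block(src, dst, build_string_block(SAMPLE_STRINGS))
        return offset, original_bytes_intact(src, dst), strings_present(dst, SAMPLE_STRINGS)

if __name__ == "__main__":
    print(demo(), yara_rule_for_strings("injected_markers", SAMPLE_STRINGS), sep="\n")
```

Save the printed rule to a `.yar` file and run `yara` against both the original and the modified copy: only the modified copy should match.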
Output
A report detailing:
- The approach
- Tradeoffs, lessons learned, or alternate approaches that can be or were considered
- Confirmation that appending random data does not affect execution of the agent binary