Malcat dev
malcat4ever.bsky.social
Main developer of http://malcat.fr, a hexadecimal editor / disassembler / decompiler for #malware analysis, #DFIR and #SOC.
Sticking to your "Goldoon" example, does your result table (7) only consider artifacts from the downloader part? If yes (hard to know, but it looks like it), this is a tiny 13 KB downloader; it's definitely not worth 4-5 days of analysis. A couple of hours, maybe. And I'm being pessimistic.
April 22, 2025 at 10:09 AM
Then how do you quickly confirm the AI assertion without input/output testing? It may be a SHA-256 variant. You know well that malware authors like to modify standard algorithms.
If it's just saying "it looks like sha256", it's also very quick to say without AI:
April 22, 2025 at 9:49 AM
Give the same task to the same person (or another equally skilled one) with and without AI. Repeat with a few other malware analysts.
Bonus points if the task has clearly defined results, e.g. "extract the C2 URL", "what files are modified", "list all C2 commands", "what encryption is used", etc.
April 22, 2025 at 9:34 AM
Humans may not report things because of time constraints or just plain laziness (more to write). And even if not, "interesting" is subjective. You've found it interesting; maybe the original blog author did not.
April 22, 2025 at 8:46 AM
For instance, for Goldoon, my estimate for the blog post would be 12 hours from sample to finished article (I worked for an AV company, so I have an idea how little they value such minimal blog posts).
My estimate, for instance, would change the conclusion of your paper. That's why estimations are bad.
April 22, 2025 at 8:31 AM