Segugio: Tracking Malware from Click to Configuration
Segugio
Segugio allows the execution and tracking of critical steps in the malware detonation process, from clicking on the first stage to extracting the malware’s final stage configuration.
Segugio was created to address the need for speeding up the extraction of IoCs from malicious artifacts within the analysis environment.
Malware analysis often involves time-consuming activities like static and dynamic analysis, which require extensive knowledge in reverse engineering and code analysis.
Segugio is fully automated and designed to simplify the life of security analysts and specialists working in cyber incident response (DFIR), enabling them to quickly identify malicious artifacts without needing to perform complex static and dynamic analyses, and to focus instead on behavioral analysis.
How it works
Integration with the .NET wrapper for the yara.dll library by airbus-cert (a big thanks to them for their excellent work 👏) allows YARA rules to be used to search for indicators related to known malware families within the private memory of processes. The functionality can be summarized in three key steps:
- The user selects a file to execute, possibly defining options such as the command line or the parent process of the one to be created.
- After clicking the Segugio button, Segugio starts scanning the process related to the selected file’s execution, as well as its parent process (in the example, explorer.exe). Be aware that some systems might have multiple explorer.exe instances.
- Once Segugio identifies a process that matches a YARA rule, and a dedicated Python config extractor exists for that rule (e.g., AgentTesla), it dumps the matching process and automatically extracts the malware’s configuration from its private memory.
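The three steps above, reduced to a toy scan-then-extract pipeline in Python. This is an added example, not Segugio's own code: Segugio uses real YARA rules through the airbus-cert .NET wrapper, while here the rule is a hand-rolled string match, and the family name `ExampleFamily`, the `cfg://host:port|key` layout, the address `203.0.113.10` and the memory regions are all constructed.

```python
"""Toy scan-then-extract pipeline modelled on Segugio's three steps. Added
example, not Segugio's code; family, rule, config layout and dump are constructed."""
import re
from dataclasses import dataclass

@dataclass
class Region:
    base: int    # virtual address of the private-memory region
    data: bytes  # committed bytes of that region (dumped)

# YARA-rule stand-in (condition "all of them"): an ascii string plus a wide (UTF-16LE) one, as .NET malware stores strings.
RULES = {"ExampleFamily": [b"ExampleFamily", "cfg://".encode("utf-16-le")]}

def scan_regions(regions):
    """First (family, region) whose data holds every rule string;
    a region matching only some of them is not a hit."""
    for family, needles in RULES.items():
        for region in regions:
            if all(n in region.data for n in needles):
                return family, region
    return None, None

def extract_example_family(region):
    """Dedicated extractor for the constructed 'cfg://host:port|key'
    layout: a UTF-16LE string terminated by a double NUL."""
    m = re.search(rb"c\x00f\x00g\x00:\x00/\x00/\x00((?:[^\x00]\x00)+)\x00\x00",
                  region.data)
    if m is None:
        return None  # rule hit, but no parsable config in this dump
    target, _, key = m.group(1).decode("utf-16-le").partition("|")
    host, _, port = target.rpartition(":")
    return {"host": host, "port": int(port), "key": key,
            "found_at": region.base + m.start()}

EXTRACTORS = {"ExampleFamily": extract_example_family}

def analyze(regions):
    """Steps 2 and 3 of the flow: scan, then dispatch to the extractor."""
    family, region = scan_regions(regions)
    if family is None:
        return None
    return {"family": family, "config": EXTRACTORS[family](region)}

# Constructed dump: one unrelated region, one carrying both markers.
SAMPLE_REGIONS = [
    Region(0x10000, b"MZ\x90\x00" + b"\x00" * 60),
    Region(0x20000, b"\x00" * 16 + b"ExampleFamily\x00"
           + "cfg://203.0.113.10:4443|s3cr3t".encode("utf-16-le") + b"\x00\x00"),
]
```

`analyze(SAMPLE_REGIONS)` reports the family, the parsed config and the virtual address the config was found at, which is the kind of summary Segugio shows per process.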
Features
Segugio uses Parent Process ID (PPID) Spoofing to launch the artifact to be analyzed from a set of arbitrary parent processes. This allows the artifact to appear as if it is being executed by a user, while Segugio tracks the kill chain and identifies various stages.
Segugio allows the execution of files of any type through a customized command line. This feature is useful if you want to execute a DLL using the rundll32 utility and possibly invoke a specific export.
Segugio provides a tree view of processes involved after a file execution.
The graphical interface provides real-time summaries of the following information for each process involved in the file’s execution:
- Process name and associated PID
- Process status (running / terminated)
- Process Command Line
- Malware family (if matched by a YARA rule)
- Any configurations extracted from memory (if a config extractor is present)

With these features, it becomes easier to trace malicious behavior across processes (e.g., if the malware performs injection into other processes or reveals malicious stages).