Institutional Repository
Technical University of Crete

Leveraging Infrastructure-as-Code for Automated Malware Analysis and Intelligence Collection

Fotopoulos Christos

URI: http://purl.tuc.gr/dl/dias/47C33382-1168-478A-BF2E-9E7EEB4F5C5C
Year 2025
Type of Item Diploma Work
Bibliographic Citation: Christos Fotopoulos, "Leveraging Infrastructure-as-Code for Automated Malware Analysis and Intelligence Collection", Diploma Work, School of Production Engineering and Management, Technical University of Crete, Chania, Greece, 2025. https://doi.org/10.26233/heallink.tuc.103904

Summary

In today's digital age, the Internet and computers are used daily by both individuals and companies. Malicious actors attempt to exploit this reliance by gaining unauthorized access to devices. An important tool in their arsenal is malicious software, commonly known as malware, which infects computers to perform tasks such as stealing sensitive data and destroying the availability of the system. To combat cyber attacks and malware infections effectively, Cyber Threat Intelligence is needed: it provides information to potential victims so that they can prepare proactively. This thesis presents a novel approach for acquiring intelligence that emphasizes not the ingestion of existing reports but the proactive creation of new intelligence through automated dynamic malware analysis. To achieve this, a workflow and a proof-of-concept tool were created to support the automated execution of malware and the extraction of the artifacts it produces. The tool draws inspiration from traditional sandboxes, but instead of performing typical single-sample malware analysis, it focuses on bulk investigation and easy customization. More specifically, by relying heavily on automation and on concepts such as infrastructure as code (IaC), it allows multiple malware samples to be analyzed simultaneously. In addition, the use of configuration management tools such as Ansible lets users extract new artifacts simply by writing scripts in the language or tool of their choice. During the analysis phase, the collected artifacts were used to create intelligence in the form of Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), fingerprints, and detections written with Detection as Code (DaC) tools such as Sigma. Because of the nature of the approach, intelligence was created from a large number of malware samples rather than by analyzing their source code, which would have been a far more time-consuming approach.
