This is a non-IMPACT record, meaning that access to the data is not
controlled by IMPACT. For access, see the directions below.
Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.
Disclaimer:
This Resource is offered and provided outside of the IMPACT mediation framework. IMPACT and the IMPACT Coordination Council/Blackfire Technology, Inc. expressly disclaim all conditions, representations and warranties including but not limited to Resource availability, quality, accuracy, non-infringement, and non-interference. All Resource information and access is controlled by entities and under terms that are external to the IMPACT legal framework.
Summary
DS-1369
Dorothy2
External Tool
External Data Source
GitHub
Unknown
Unknown
56 (lowest rank is 56)
Description
A malware/botnet analysis framework written in Ruby.
Dorothy2 is a framework created for suspicious binary analysis. Its main strengths are a very flexible modular environment, and an interactive investigation framework with a particular care of the network analysis. Additionally, it is able to recognise new spawned processes by comparing them with a previously created baseline. Static binary analysis and an improved system behaviour analysis will be shortly introduced in the next versions. Dorothy2 analyses binaries by the use of pre-configured analysis profiles. An analysis profile is composed by the following elements:
- A certain sandbox OS type
- A certain sandbox OS version
- A certain sandbox OS language
- A fixed analysis timeout (how long to wait before reverting the VM)
- The number of screenshots requested (and the delay between them)
- A list of the supported extensions, and how the guest OS should execute them
Additional Details
N/A
false
Unknown
dorothy2, 1369, corporation, inferlink corporation, inferlink, external data source, source, external, analysis, framework, malware, written, botnet, ruby, os, sandbox, created, binary, other, wait, spawned, shortly, care, binaries, reverting, supported, timeout, screenshots, composed, environment, additionally, elements, processes, investigation, behaviour, network, guest, fixed, vm, profile, interactive, static, modular, pre, configured, recognise, introduced, analyses, improved, type, language, profiles, comparing, strengths, versions, flexible, delay, system, extensions, requested, execute, version, list, baseline, suspicious, main