We’re going to start opening up about some of the projects we’re working on that we think will benefit the research community at large.
Minotaur is a lot of things to us internally. Mostly, it is an experimental platform for malware analysis. It contains a few different sandboxes and sandnets but it itself is not. The sandboxes just provide the data for the bigger projects.
Below, you are looking at the first screenshots of the internal platform, just recently constructed. The four-plex view is a view of several analyst workstations using mRemoteNG. The single screenshot is the result of our efforts to adapt TRUMAN to our environment, which was a serious challenge as not that much information exists on the TRUMAN SandNet at all. The current version of the project is something we’re calling NUMAN, since it is a new version of TRUMAN, and well, MUMAN sounded funny…
NUMAN is able to successfully run under proxmox and has a hybrid approach to the imaging required by a sandnet. If there is sufficient interest, we’d be happy to detail the steps we took and publish our changes. In some ways there’s almost nothing left of TRUMAN, and it has been replaced by our own code/methods.
Along with NUMAN, we are running 20 zerowine images in a queued system, and all samples deemed malicious are sent through that system and the data is parsed into our databases. We are looking for commonality in dropfiles, naming conventions, calls, packers, evasion technologies and many other attributes of each sample.
Analysts/researchers/volunteers are also given full remote desktop to workstations in the research network. A common wiki/portal for all research and information is called the “Oracle”
Access to the research network is provided by VPN, and we are accepting informal applications. If you are interested in access to the platform, or sharing samples, output, stats, etc, please let us know at email@example.com
More to come…