Minotaur has added several new features of the last couple weeks. Most of these features have to do with backchannels. Backchannels are network communications that malware uses to “call home”. These communications can be anything from retrieving new commands and configurations to simple lookups of public information from public sources. Minotaur keeps track of all communications that take place during the execution of malware in the sandbox. It then correlates all of these communications with each other and produces a list of the top destinations of this traffic. Minotaur also produces a map of all communications that take place during the execution of the sample. Below is an example of such a map.
These capabilities are very much still a work in progress. We hope to soon provide much more information about each IP address and each communication. In the meantime we are building a database of all known back channels that Minotaur observes. The first fruits of this database can be seen in the link below.