Regression testing
Introduction
Memory dumping is one of the core functionalities used for automated malware analysis. Unpacked or decrypted memory is saved for futher analysis with YARA rules or configuration extraction. Thus, it’s important to ensure that DRAKVUF development does cause any regressions that would break existing sample analysis.
Preparing a test set
Regression test set is a list of JSON objects that represent a number of sample submissions and the expected malware family name that should be detected.
Dump analysis is performed by providing a directory with malduck extractor modules. Here, you can learn more about them.
sha256 - SHA256 hash of the sample file
extension - file extension, supported by the sanbox, e.g. “exe” or “dll”
ripped - malware family name
path - (optional) path to the malware sample
Example:
[
{
"sha256": "35e756ef1b3d542deaf59f093bc4abe5282a1294f7144b32b61f4f60c147cabb",
"extension": "dll",
"ripped": "emotet"
},
{
"sha256": "4239335443cbf3d45db485d33c13346c67d5ac717a57856315a166c190dde075",
"extension": "exe",
"ripped": "raccoon",
"path": "samples/4239335443cbf3d45db485d33c13346c67d5ac717a57856315a166c190dde075"
}
]
Test submitter supports two methods for obtaining the malware sample.
Manual - if the test case has a
path
key deinfed, malware sample will be read from this location (relative and absolute paths are allowed).Automated - otherwise, sample will be downloaded from the mwdb.cert.pl service. Make sure to run the submitter with
MWDB_API_KEY
environment variable if you intend to use this method
Running the receiver daemon
First, configure the extractor module path in /etc/drakrun/config.ini
[draktestd]
; path to the extraction modules for
; https://github.com/CERT-Polska/malduck
modules=/opt/extractor-modules/
Next, uncomment sample_testing
line and enable it
[drakrun]
; (advanced) Enable testing codepaths. Test sample artifacts will not be uploaded
; to persistent storage. Their lifetime will be bound to karton tasks produced by drakrun
sample_testing=1
Then, execute
$ draktestd
This will spawn a new karton service listening for test analysis results and printing the results.
Executing a test set
To submit a test set, execute:
$ draktest test_set.json
The command will submit samples to the sandbox and wait until all the testing is finished.