How the Malware Analysis Appliance (MAA) analyzes DLL files


Article ID: 168427


Updated On:


Malware Analysis Software - MA


This article explains how to analyze DLL files with the rundll32 iVM plugin.


Step 1: Import the rundll32 plugin and verify that it is available for tasks
  1. Log in to your MAA appliance over SSH as the g2 user.
  2. Run this command to import the plugin (the leading $ is the shell prompt): $ python /opt/mag2/github/Malware-Analyzer-G2/utilities/import-ivm-plugin /opt/mag2/github/Malware-Analyzer-G2/ivm_plugins/bluecoat/
  3. The output should read: imported as sample resource id XXX
  4. Verify that the plugin imported correctly by creating a new task and opening the Plugins tab.

Step 2: Run the DLL sample in the SBX or iVM with default options and determine which EXPORTS (entry points) the submitted sample provides.

This step can be used in place of manually inspecting the file for its exports. Note: in most cases, SBX execution takes just a few seconds and is much faster than manual analysis. Once the analysis has completed, select View Static Event List from the report to see the exports.

Step 3: Pick the DLL export you want the plugin to invoke and create a new task.

When creating the new task with the DLL, select the Advanced Options tab. Enter the chosen export, followed by any arguments it needs, using this syntax: {SAMPLE.EN_US}, export [optional arguments]


Then select the rundll32 plugin from the Plugins tab and submit the task.
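The following is an added worked example, not code from the article or from the MAA product. It covers the manual side of Step 2 (reading a DLL's export table yourself to learn which entry points exist) and the entry-point syntax of Step 3. It parses the PE export directory with only the standard library, handles the cases that trip people up (ordinal-only exports with no name, and forwarders that point at another DLL), and renders each export in the article's task syntax; the `{SAMPLE.EN_US}` placeholder is reproduced as the article writes it. The input DLL is a constructed, code-free PE32+ image built inline so the example runs offline; `build_sample_dll`, `list_exports` and `task_entry_point` are names chosen for this example.

```python
import struct

SECTION_RVA = 0x1000   # RVA of the synthetic .edata section (constructed layout)
SECTION_RAW = 0x200    # file offset of that section

def build_sample_dll() -> bytes:
    """Construct a minimal PE32+ DLL whose only content is an export table.
    This is constructed test data for the example, not a real sample."""
    # (name, target) in export-table index order; None = ordinal-only export,
    # a bytes target = forwarder string instead of code.
    exports = [("Install", 0x1100), ("RunMe", 0x1200), (None, 0x1300),
               ("Sleep", b"KERNEL32.Sleep\0")]
    names = sorted((n, i) for i, (n, _) in enumerate(exports) if n is not None)
    n_func, n_names = len(exports), len(names)
    funcs_rva = SECTION_RVA + 40                # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = funcs_rva + 4 * n_func
    ords_rva = names_rva + 4 * n_names
    strings_rva = ords_rva + 2 * n_names
    blob = bytearray()
    def add_str(s: bytes) -> int:               # append a string, return its RVA
        rva = strings_rva + len(blob)
        blob.extend(s)
        return rva
    dllname_rva = add_str(b"sample.dll\0")
    name_rvas = {n: add_str(n.encode() + b"\0") for n, _ in names}
    func_rvas = [add_str(t) if isinstance(t, bytes) else t for _, t in exports]
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1,
                        n_func, n_names, funcs_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", r) for r in func_rvas)
    edata += b"".join(struct.pack("<I", name_rvas[n]) for n, _ in names)
    edata += b"".join(struct.pack("<H", i) for _, i in names)
    edata += bytes(blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, SECTION_RVA, len(edata))  # export data directory
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), SECTION_RVA,
                      len(edata), SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return hdr.ljust(SECTION_RAW, b"\0") + edata

def rva_to_offset(sections, rva: int) -> int:
    """Map an RVA to a file offset using the section table."""
    for vaddr, vsize, raw, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return raw + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")

def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def list_exports(data: bytes) -> dict:
    """Return the DLL name, DLL flag and every export (ordinal, name, RVA, forwarder)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, n_sections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)   # data directories: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off)
    sections = []
    for i in range(n_sections):
        _, vsize, vaddr, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, vsize, raw, rawsize))
    result = {"dll": None, "is_dll": bool(chars & 0x2000), "exports": []}   # 0x2000 = IMAGE_FILE_DLL
    if exp_rva == 0:
        return result                                  # no export table at all
    base = rva_to_offset(sections, exp_rva)
    (_, _, _, _, name_rva, ord_base, n_func, n_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from("<IIHHIIIIIII", data, base)
    result["dll"] = read_cstr(data, rva_to_offset(sections, name_rva))
    funcs = struct.unpack_from(f"<{n_func}I", data, rva_to_offset(sections, funcs_rva))
    names = struct.unpack_from(f"<{n_names}I", data, rva_to_offset(sections, names_rva))
    ords = struct.unpack_from(f"<{n_names}H", data, rva_to_offset(sections, ords_rva))
    # The name table only covers named exports; the ordinal table maps each name to a function index.
    by_index = {idx: read_cstr(data, rva_to_offset(sections, nrva)) for nrva, idx in zip(names, ords)}
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue                                   # unused slot in a sparse ordinal table
        entry = {"ordinal": ord_base + idx, "name": by_index.get(idx), "rva": rva, "forwarder": None}
        if exp_rva <= rva < exp_rva + exp_size:        # RVA inside the export directory = forwarder string
            entry["forwarder"] = read_cstr(data, rva_to_offset(sections, rva))
        result["exports"].append(entry)
    return result

def task_entry_point(entry: dict) -> str:
    """Render an export in the article's task syntax: {SAMPLE.EN_US}, export.
    rundll32 accepts an ordinal written as #N, which is how an unnamed export is reached."""
    export = entry["name"] if entry["name"] else f"#{entry['ordinal']}"
    return f"{{SAMPLE.EN_US}}, {export}"

if __name__ == "__main__":
    info = list_exports(build_sample_dll())
    print(f"{info['dll']} (DLL flag: {info['is_dll']})")
    for e in info["exports"]:
        target = f"-> {e['forwarder']}" if e["forwarder"] else f"RVA {e['rva']:#x}"
        print(f"  #{e['ordinal']:<3} {e['name'] or '<no name>':<10} {target:<20} {task_entry_point(e)}")
```

Two details worth checking on a real sample before submitting the task: an export with no name must be invoked by ordinal (`#3` here), and a forwarded export (the `Sleep` entry forwarding to `KERNEL32.Sleep`) contains no code of its own, so running it through the plugin exercises the target DLL rather than the sample.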