Kesakode lookup

The Kesakode lookup view is accessed using the F11 shortcut in Full & Pro versions of Malcat. It displays the scan results of several online scan services for the current file. Kesakode queries are performed on demand, either from the Summary view or using the shortcut Ctrl+K.

It can be used to match known functions, strings and constant sets against a database of known clean, malware and library files. The Kesakode service can be used in various situations, such as:

  • identify unpacked (e.g. a sandbox dump) malware samples

  • show similarities shared between malware families

  • assist in the creation of better Yara rules

  • speed up reverse engineering by identifying known libraries / runtime code

During the whole process, only hashes are sent to our platform; your sample never leaves your computer. For more information on the technology, see Kesakode.

Running Kesakode

Kesakode queries in Malcat are performed on demand. You can initiate one either from the Summary view (using the Kesakode lookup button) or using the shortcut Ctrl+K from any view. This will consume one query of your monthly quota (see Kesakode frequently asked questions). Once the query has finished (you can monitor the progress through the statusbar’s gauge control), Malcat will automatically open the Kesakode lookup view.

Note

You need a running license of Malcat, i.e. you must be within the 1-year update period, to run Kesakode queries.

Displaying results

At the top of the Kesakode view, you will find a global attribution graph that shows you the best malware family candidates that your sample is likely to belong to. If you want to dive deeper into the Kesakode results, you can explore the data in three separate tabs:

  • Function matches (shows which function hashes were found in our database)

  • Strings matches (shows which string hashes were found in our database)

  • Constant fuzzy match (shows a similarity score computed over the set of all constants)

Clicking on any result which is associated with one or more malware families will additionally display information (taken from Malpedia) about the matching families in the right panel:

Figure: Kesakode helping to identify your sample

In the functions and strings tabs, clicking on a result will display the corresponding string / function in the quickview tab. Double-clicking a row will jump to the corresponding string / function in either the Hexadecimal view or the Disassembly view. The function / string context menu is also available through right-clicking.

Effects on other views

Once a Kesakode lookup has been performed, Kesakode information such as the danger level of functions and strings is also available to and displayed in other views. For instance, known malicious functions will be colored in red in the Hexadecimal view and the Structure/text view, libraries in blue, while known clean functions will be shown in green (this can be toggled on or off via the Highlighting menu).

In a similar manner, the Strings list will also display Kesakode danger levels using the same color scheme, alongside threat information from the Anomaly scanner and Yara signatures. This should help you select better string candidates for your Yara rule.

Figure: Kesakode results displayed in other views

The Disassembly view also displays Kesakode information at call sites using a similar color scheme. The interprocedural call graph can also display this information, to help you navigate more quickly to the interesting parts of the analyzed file:

Figure: Kesakode information in code views

This is particularly useful when dealing with statically linked programs (you can ignore known libraries) or around program entry points (you can ignore most runtime startup code).

Submitting false positives/negatives

While Kesakode works well, it is still in its early development stage and its database may have blind spots. Fortunately, Malcat makes it really easy for you to deal with missed malware (false negatives) or wrongly detected cleanware (false positives). If you encounter any of these, just click on the Upload FP/FN button:

Figure: How to submit a false positive / false negative

This will send your sample to our server, where it will be stored, manually reviewed and eventually used in the next Kesakode indexation. This process can span several days, so don’t be too impatient! But in the end, this will ensure that Kesakode’s detection rate keeps improving!

Warning

Since your sample will be sent to us, a third party, please make sure that you are allowed to share the sample. Also, for malicious samples, don’t send packed malware, only dumped/unpacked ones, as the former can’t be used by Kesakode.