THE ANALYST'S BEST FRIEND
THE BEST CHOICE
FOR SAFE DYNAMIC MALWARE ANALYSIS
Tycho is a reverse-engineering sandbox that increases the efficacy of malware analysis.
Tycho moves the operating system into a virtual machine and provides a super debugger with advanced features that shorten malware analysis times. At the same time it does not create the artifacts that usually make debuggers visible to the debuggee: Tycho is invisible to malware.
With these properties it increases the effectiveness and efficiency of malware analysts: it significantly reduces the setup time of complicated analysis scenarios, and complex analysis procedures can be automated easily. With Tycho the analyst can make better use of his time and focus on the difficult and complex details of tricky malware.
Tycho is the ultimate tool for exploring and examining the world of malware. The name takes its inspiration from the great Danish star observer Tycho Brahe, who discovered what we today call supernovae.
Invisible to Malware
Zero Training, Faster Analysis
Tycho interacts with IDA Pro, Binary Ninja, GDB, Python, etc.
Invisible to Malware
No cooperation with the debuggee's observable environment
Tycho combines debugging with virtualization technology
Tycho's API makes it easy to automate new analysis vectors
4.2 seconds between malware samples
One new sample every 4.2 seconds is the rate at which malware is discovered worldwide. Malware analysts can't possibly analyse all the samples as they appear.
Tycho improves this situation by enabling the analyst to do the following:
- Jumpstart into analysis with reduced setup time.
- Avoid additional training costs and time thanks to its integration into existing tools.
- Cut short the tedious hiding from malware that tries to evade analysis, because Tycho is invisible by default.
- Automate otherwise tedious manual analysis procedures with a Python API.
- Perform a deeper behaviour-based analysis by creating and using semantic breakpoints.
New malware samples discovered per year, in millions.
Source: G DATA Security Blog
WHY TYCHO IS FOR YOU
The VM part of Tycho is invisible to analysed processes because only the CPU and memory are virtualized. The rest of the guest system is the real hardware.
Tycho’s guest instrumentation is completely invisible to the inspected process, and even to the guest operating system.
Virtual Machine Introspection
Tycho closes the semantic gap and gives the user access to extra information in kernel and process structures by performing OS fingerprinting and introspection.
This way Tycho controls guest processes like a debugger, without the cooperation or knowledge of the guest system.
In addition to ordinary breakpoints and single-stepping, which are not visible from within the guest system, Tycho provides a unique Semantic Breakpoints mechanism that accelerates malware analysis by stopping samples on signs of interesting behaviour.
Semantic breakpoints are triggered, for example, by system call instructions with specific parameters, by execute-after-write memory access, or when the malware makes itself persistent on the system.
You can increase the efficacy of semantic breakpoints even further by creating your own custom semantic breakpoints, based on specific instructions, interrupts, and architectural state.
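To make the semantic breakpoint idea concrete, the following added example (not Tycho's own API or code; every class, function and the trace below are constructed for illustration) models two of the triggers named above over a hypothetical guest event stream: an execute-after-write rule that fires when the guest executes from a page it wrote earlier (the classic sign of an unpacker handing control to decrypted code), and a system-call rule that fires when a named call is made with arguments matching a predicate (here, a persistence-related registry write). The trace events and addresses are constructed sample data.

```python
"""Constructed model of semantic breakpoints: execute-after-write and syscall-with-arguments.

This is an added illustration, not Tycho's API. Event, Hit, the rule classes and
SAMPLE_TRACE are all hypothetical names invented for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000  # assumed 4 KiB pages


@dataclass(frozen=True)
class Event:
    kind: str            # "write", "exec" or "syscall"
    addr: int = 0        # guest virtual address for write/exec events
    size: int = 1        # byte length of a write
    name: str = ""       # system call name for "syscall" events
    args: Tuple = ()     # system call arguments


@dataclass
class Hit:
    rule: str            # which semantic breakpoint fired
    event: Event         # the event that triggered it
    detail: str          # human-readable explanation for the analyst


class ExecuteAfterWrite:
    """Fires when execution lands on a page the guest wrote to earlier."""

    def __init__(self) -> None:
        self.dirty: Dict[int, int] = {}  # page number -> address of first write

    def feed(self, ev: Event) -> Optional[Hit]:
        if ev.kind == "write":
            first = ev.addr // PAGE_SIZE
            last = (ev.addr + ev.size - 1) // PAGE_SIZE
            for page in range(first, last + 1):   # a write may span pages
                self.dirty.setdefault(page, ev.addr)
        elif ev.kind == "exec":
            page = ev.addr // PAGE_SIZE
            if page in self.dirty:
                src = self.dirty.pop(page)         # report each dirty page once
                return Hit("execute-after-write", ev,
                           f"page {page * PAGE_SIZE:#x} written at {src:#x}, "
                           f"then executed at {ev.addr:#x}")
        return None


class SyscallWithArgs:
    """Fires when a named system call is made with arguments the predicate accepts."""

    def __init__(self, name: str, predicate: Callable[[Tuple], bool]) -> None:
        self.name = name
        self.predicate = predicate

    def feed(self, ev: Event) -> Optional[Hit]:
        if ev.kind == "syscall" and ev.name == self.name and self.predicate(ev.args):
            return Hit(f"syscall:{self.name}", ev, f"{self.name}{ev.args!r}")
        return None


def run(events: List[Event], rules: list) -> List[Hit]:
    """Feed every event to every rule; collect the breakpoints that would stop the sample."""
    hits: List[Hit] = []
    for ev in events:
        for rule in rules:
            hit = rule.feed(ev)
            if hit is not None:
                hits.append(hit)
    return hits


def persistence_key(args: Tuple) -> bool:
    """Predicate for the constructed example: a write under a Run key."""
    return bool(args) and "CurrentVersion\\Run" in str(args[0])


# Constructed trace: an unpacker decrypts code into a buffer, jumps into it,
# then registers itself under a Run key. Addresses and names are made up.
SAMPLE_TRACE: List[Event] = [
    Event("exec", 0x401000),
    Event("write", 0x20000, size=0x200),
    Event("write", 0x20200, size=0x100),
    Event("exec", 0x401010),                       # original code: no hit
    Event("syscall", name="NtCreateFile", args=("C:\\Temp\\log.txt",)),
    Event("exec", 0x20040),                        # jumps into freshly written page
    Event("syscall", name="NtSetValueKey",
          args=("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "updater")),
]


def demo() -> List[Hit]:
    rules = [ExecuteAfterWrite(), SyscallWithArgs("NtSetValueKey", persistence_key)]
    return run(SAMPLE_TRACE, rules)


if __name__ == "__main__":
    for h in demo():
        print(f"[{h.rule}] {h.detail}")
```

Running the block reports two stops: the jump to `0x20040` into the page written at `0x20000`, and the `NtSetValueKey` call under the Run key; the execution at `0x401010` and the unrelated `NtCreateFile` pass silently. Because each rule only needs a stream of memory and system-call events, this kind of logic is where a hypervisor-based observer has an advantage: the events are gathered outside the guest, so the sample has no in-guest hook or debugger artifact to notice.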
Seamless Tools Integration
("IDA Pro" is a trademark of Hex Rays SA and "Binary Ninja" one of VECTOR 35 LLC. "GDB" is part of the GNU Project, and "Radare2" as well as "Python" are independent open source projects. These are the copyright holders of the displayed logos. "Python" and the Python logos are trademarks or registered trademarks of the Python Software Foundation, used by Cyberus Technology with permission from the Foundation. GDB fish logo: Jamie Guinan, licensed CC BY-SA 3.0 US. None of these are affiliated with Cyberus Technology GmbH.)
Tycho interacts with the user via its Python API. This way it can be easily integrated with Volatility and other tools in your Python scripts.
Cuckoo Sandbox Integration
Tycho enhances the effectiveness of Cuckoo Sandbox by substituting its visible agent service in the guest operating system.
("Cuckoo Sandbox" is an open source project that is not affiliated with Cyberus Technology GmbH.)
Invisibility and a superior level of detail allow more malware samples to be detected automatically. This increases not only the detection rate but also the level of detail of the analysis.
The hypervisor can be deployed to any system just by rebooting it via network boot (PXE), from a USB stick or from the hard disk. It then chainloads the already installed operating system.
After another reboot it is no longer part of the system state. The guest operating system remains unmodified.