Triage Thursday

New extractors, expanded family support and Android analysis


Welcome to this week’s Triage Thursday blogpost. In this weekly series we go over updates made in the last week to provide an overview of newly available features and family support.

In this post, we’ll give a brief overview of the following changes:

Android Analysis

This week saw the release of the first version of our new Android analysis sandbox, allowing full dynamic analysis of Android binaries on Triage.

For more information on this and a case study of the Anubis Android banking trojan, check out the full blogpost published earlier this week.

Example Android Analyses:

Configuration Extractors

We’re always updating and expanding our support for config extraction during analysis, and this week we have improved handling of a few families.


This new extractor dumps all URLs for the sample and distinguishes between the real C2 and the fake domains included as decoys. These are all clearly reported after the analysis completes:

Example Formbook Analyses:


A private researcher, @fr3dhk, passed us some DiamondFox Kettu samples while researching the family for their recent blogpost (which you can find here). To go along with the post, we released an automated config extractor for Triage which dumps C2 URLs and the XOR key used for communications.

Example DiamondFox Kettu Analysis:


The ZLoader extractor has also received a small update, and now extracts the RSA public key when possible as well as the RC4 key used for C2 communications. As before it also extracts the botnet ID and all C2 URLs.

Updated ZLoader Analysis:

You may also like: