Radare Plugin is Here for Intezer Community

When you are reverse engineering code as part of an incident response team, the priority is to learn as quickly as possible what kind of threat you are facing: which family the sample belongs to and which actor is known to use it.

Some time ago, we introduced Intezer Analyze plugins for both IDA Pro and Ghidra to help you pinpoint a file's malicious and distinctive code. Now it is Radare's turn. Radare2 (r2) is an open-source toolchain for reverse engineering and forensics. With the launch of the community plugin r2analyze, Radare2 users can bring Intezer's code genomics into their disassembler: the plugin marks the functions that share code with a known malware family or threat actor, so attribution happens where the analysis is already taking place.

The Radare Plugin for Reverse Engineering

Here's how you can get started:

  1. Ensure you have an Intezer Analyze community account or a paid team account. (If not, register here.)
  2. Submit the file to Intezer Analyze so that an analysis exists for the plugin to look up.
  3. Install the plugin via pip: pip install r2analyze.
  4. Add your API key as an environment variable named INTEZER_API_KEY (export it in your shell rather than hard-coding it in scripts).
  5. Open the file in Radare2 and run the initial analysis (aaa), so that functions exist for the plugin to flag.
  6. Execute the plugin as a Radare2 pipe command (#!pipe r2analyze). The #!pipe prefix runs an external program and connects it to the current r2 session.

For example, let’s take a look at a ScarCruft sample (7c82689142a415b0a34553478e445988980f48705735939d6d33c17e4e8dac94). The Intezer Analyze result is displayed below.


Intezer Analyze result for a ScarCruft sample.

Upon opening the sample and running the plugin, you will see that four flags have been created in a flag space named gene, one per function that carries an attributable code gene.


Executing r2analyze as a r2pipe plugin.

If you select only that flag space (fs gene) and then list its flags (f), you will see that four functions have been identified as unique to ScarCruft, each flag sitting at the start of the function it attributes.


Listing detected functions.
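To make the mechanism behind steps 5 and 6 and the gene flag space concrete, here is an added example of a script that can itself be run from r2 with #!pipe. It is not r2analyze's own code and does not call the Intezer API: the gene matches and the aflj output it works on are constructed inline, the gene record shape (address plus family) and the flag naming scheme are assumptions, and it relies on r2pipe.open() with no path attaching to the parent r2 session through the R2PIPE_IN/R2PIPE_OUT descriptors that #!pipe sets up.

```python
"""
Added illustration, not the r2analyze plugin's code: turn a list of code-gene
matches into flags in an r2 flag space named `gene`, the way the walkthrough
above shows, and list them with `fs gene; f`.
"""
import json
import os
import sys

# Constructed gene matches (hypothetical shape, not the Intezer API format):
# the function start address and the family the gene is unique to.  One entry
# is "Common" (shared, non-attributable code) and one sits at an address that
# `aaa` never turned into a function; neither should become a flag.
SAMPLE_GENES = [
    {"address": 0x401000, "family": "ScarCruft"},
    {"address": 0x4012A0, "family": "ScarCruft"},
    {"address": 0x401540, "family": "ScarCruft"},
    {"address": 0x4019F0, "family": "ScarCruft"},
    {"address": 0x402100, "family": "Common"},      # shared code, skipped
    {"address": 0x4030D0, "family": "ScarCruft"},   # not a function start, skipped
]

# Constructed subset of what `aflj` (JSON function list) returns after `aaa`.
SAMPLE_AFLJ = [
    {"offset": 0x401000, "name": "fcn.00401000"},
    {"offset": 0x4012A0, "name": "fcn.004012a0"},
    {"offset": 0x401540, "name": "sub.CreateFileW_540"},
    {"offset": 0x4019F0, "name": "fcn.004019f0"},
    {"offset": 0x402100, "name": "fcn.00402100"},
    {"offset": 0x402800, "name": "entry0"},
]

FLAG_SPACE = "gene"
IGNORED_FAMILIES = {"Common"}


def build_flag_commands(functions, genes, flag_space=FLAG_SPACE):
    """Return the r2 commands that flag every analysed function whose start
    address carries an attributable gene.  Genes on shared code and genes that
    do not line up with a function start are dropped, so only functions that
    analysis actually found get attributed."""
    starts = {f["offset"] for f in functions}
    cmds = [f"fs {flag_space}"]            # select (and create) the flag space
    for g in genes:
        if g["family"] in IGNORED_FAMILIES or g["address"] not in starts:
            continue
        # Flag names must not contain spaces: `f <name> @ <addr>`.
        name = f"{flag_space}.{g['family']}.{g['address']:08x}"
        cmds.append(f"f {name} @ {g['address']:#x}")
    cmds.append("fs *")                    # back to all flag spaces
    return cmds


def main():
    """Entry point when run as `#!pipe python this_script.py` inside r2."""
    if "R2PIPE_IN" not in os.environ:
        sys.exit("run this from inside radare2 as: #!pipe python this_script.py")
    if not os.environ.get("INTEZER_API_KEY"):
        sys.exit("INTEZER_API_KEY is not set")   # the real plugin needs it
    import r2pipe                               # only needed under r2
    r2 = r2pipe.open()                          # attach to the parent session
    functions = json.loads(r2.cmd("aflj") or "[]")
    for cmd in build_flag_commands(functions, SAMPLE_GENES):
        r2.cmd(cmd)
    print(r2.cmd(f"fs {FLAG_SPACE}; f"))        # the listing from the walkthrough


if __name__ == "__main__":
    main()
```

With the constructed input, four ScarCruft functions get a flag and the Common gene and the off-function address are ignored, which matches the four flags the walkthrough lists. The filter on function starts is the check worth keeping in any such script: a flag on an address that aaa did not recognise as a function tells you nothing about which routine to read first.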

If Radare2 is your preferred framework for reverse engineering and binary analysis, you can now utilize this Intezer Analyze plugin to save time and gain additional insights for your incident response team.

Intezer automates the malware analysis process to swiftly identify and classify malware families. Analyze malware and unknown files for free at analyze.intezer.com.

Joakim Kennedy

Dr. Joakim Kennedy is a Security Researcher analyzing malware and tracking threat actors on a daily basis. For the last few years, Joakim has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.
