Dorothy2
Source: DataCite Commons. Updated: 2020-07-30. Indexed: 2025-04-09.
Download link:
https://www.impactcybertrust.org/dataset_view?idDataset=1369
Resource description:
Dorothy2 is a framework created for suspicious binary analysis. Its main strengths are a very flexible modular environment and an interactive investigation framework that pays particular attention to network analysis. Additionally, it can recognise newly spawned processes by comparing them with a previously created baseline. Static binary analysis and improved system behaviour analysis will be introduced shortly in the next versions.

Dorothy2 analyses binaries using pre-configured analysis profiles. An analysis profile is composed of the following elements:
- A certain sandbox OS type
- A certain sandbox OS version
- A certain sandbox OS language
- A fixed analysis timeout (how long to wait before reverting the VM)
- The number of screenshots requested (and the delay between them)
- A list of the supported extensions, and how the guest OS should execute them
Provider:
IMPACT
Created:
2019-09-10



