Today marks a significant milestone for Malcat users with the release of version 0.9.6, introducing Kesakode, a remote hash lookup service.
This innovative tool is tightly integrated into Malcat’s UI and is designed to match known functions, strings, and constant sets against a comprehensive database of clean malware and library files.
This article delves into the features, functionality, and potential use cases of Kesakode.
Indexing Process
According to Malcat’s blog, a vast library comprising over 300 recent malware families and a million unique, clean programs and libraries has been built over the past months.
ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service
This includes the extensive 2000+ malware families corpus from Malpedia. For each sample, three sets of features are extracted:
These hashes are stored in a massive relational database linked to their corresponding samples.
Query Time
When a Kesakode query is made, the same three sets of hashes are computed and sent to the matching service.
The cloud service then queries the database to identify if and where these hashes have been seen before. The decision tree used is straightforward:
For code immediates and data constants, a different approach is taken.
Only malicious samples are focused on a single fuzzy hash summarizing the whole constant/immediate sets is stored.
At query time, this fuzzy hash is compared to its nearest neighbors, and all malware families with a similarity score greater than 80% are returned.
Kesakode is designed to handle the complexities of malware, often using deception techniques like code obfuscation or data/string encryption.
By using three different sets of features, Kesakode can identify the vast majority of malware samples.
Typical lookup queries take between 1 and 4 seconds, depending on the number of functions and strings in the program.
Users can help improve the database by submitting false positives and negatives with just a few clicks.
Malware Identification
Kesakode’s primary use is malware identification, helping users determine to which malware family a sample belongs.
Unlike public Yara rules, which can be incomplete or outdated, Kesakode uses more patterns for identification.
It works best on unpacked/dumped samples like those from the Triage sandbox.
Detection Engineering
For detection engineers, Kesakode aids in writing Yara rules by identifying unique portions of code and strings in malware.
The coloring scheme (LIBRARY, MALICIOUS, and CLEAN labels) is applied across Malcat’s views, making it easier to build Yara’s rules.
Faster Reverse Engineering
Even for standard application reverse engineering, Kesakode helps identify low-value functions, allowing users to focus on unique parts of the program.
The disassembly view in Malcat labels/colors every known function found in CLEAN programs or LIBRARY, speeding up the reversing process.
Kesakode is a powerful addition to Malcat, offering a robust solution for identifying malware samples, assisting in detection engineering, and speeding up reverse engineering processes.
With its comprehensive database and efficient query system, Kesakode is set to become an indispensable tool for cybersecurity professionals.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…