Skip to main content

ATLAS: The Birth

· One min read
Mert Degirmenci


I am passionate about developing a standalone version of the distinct capabilities of the malware, attack vector that I analyze. It helps me to understand the specimen much more deeply. The other advantage is that your code breaks when the actor updates the capability. That means I can track them. In one of my other blog posts, I described how I tracked two highly active malware families, Remcos and Emotet, for months. It is for fun and profit.

But there was a problem. Each effort that I made was too far to create a memory. It needs enormous labor to understand what you've done months or years ago and use it in the current. For the community, it is far worse. Security vendors and malware researchers worldwide analyze and share their understanding with the community. But it is hard to mention collective memory. So we can't combine those researches to ease future analyses.


ATLAS is a proposed solution for the problems above and hopefully many more. It is an analysis description, a standardization to ease creating collective memory, to meet the past and the future.

I am happy to share it with the community.

             .:                                 ;.           
;xkl' .,ox;
.cOd,kK0k 0xcl.cxl.
.lOl. .:dOko;.. .':okd:. doko.
ckc. .'cdkOxol:,,'.....',;:ldxkdc'. dx0l.
,ko. .':loxkkkkkkkkkkxdl:,. .k0k;
.lx' x0KKKK00k: ,xoc.
.dl l33t ,l.c.
.d: '' .;'
.o; o,.
.::. .0.
.lxl. .c.
.lOl. ,;K.
.okc. lO,x
.oOxc. .;cddl' .oOl.
.l0KOo. .d00KKKk, .lx:.
.l0K0xclooc;;:cc:,;d0KKKK0x' .'cdOd'
.ck0KKKKKK00KKKK00KKKKK0d,..... ,x0KOl.
'x0KKKKKKx. .oKKK0l.
'd0KKKKK0: .xKK0l.
'x0KKKK0l. ,kKOc.
.:c;. ..,cldxO0KKKK0l .d00l.
.,:ok0K0OxxkO0KK0000KK00x' .o0K0o;..
.,;;;;;;;;;;;;;;;;;;;;,.. .clllll:,.

ATLAS - Malware Analysis Description

To discover the full potential of the ATLAS, you could check the documentation: