Automated malware analysis

New open-source framework enables scalable graph analytics via dynamic sandboxes on over tens of thousands of malware samples at once.

PROJECT NUMBER: 22A1059-060FP
TOTAL APPROVED AMOUNT: $566,000 over 2 years
PRINCIPAL INVESTIGATOR: Michael Cutshaw
CO-INVESTIGATORS: Bryan Beckman, INL; Manuel Maestas, INL; Manuel Vazquez, INL; Micah Flack, INL; William Brant, INL; Zachary Priest, INL
COLLABORATOR: Voidlab Scientific and Technical Research, LLC

This project used the rapid malware analysis capabilities provided by dynamic sandboxes to create an open-source framework for scalable malware analysis. This was accomplished by obtaining over 600,000 malware samples from open-source repositories, which were then categorized by file type. Sandbox guest virtual machines running several operating systems were created to allow execution of the malware, and Malware Configuration and Payload Extraction Version 2 (CAPEv2) was used to capture behavioral indicators. An additional virtual machine was created to provide the appearance of internet connectivity in our off-line secure environment. Approximately 90,000 samples were processed through these sandboxes, each execution producing a single report of behavioral indicators. These reports were then converted into the graph-based Structured Threat Information eXpression (STIX) format. This format enabled us to combine all gathered behavioral indicators into a single graph, each duplicate indicator forming a connection between individual malware executions. The resultant graph was ingested into a well-known graph database and pushed to a Trusted Automated eXchange of Indicator Information (TAXII) server to demonstrate ease of sharing. The produced indicator data set contains over a million nodes. Additionally, scripts were created to generate a virtual machine containing this framework to ensure reproducibility.

The resulting data set and framework are open-source and enable scalable graph analysis on thousands of malware samples at once.
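The report-to-graph step described above, as an added illustration that is not the project's own code: it takes constructed CAPEv2-style report fragments (the field names are assumptions; the framework's actual schema is not given here), emits STIX 2.1-shaped objects as plain dicts rather than via the stix2 library, and uses deterministic UUIDv5 ids so that a repeated indicator becomes one node linked to every sample execution that produced it.

```python
import uuid

# Constructed CAPEv2-style report fragments; field names are assumptions for illustration.
REPORTS = [
    {"sha256": "a" * 64, "mutexes": ["Global\\SampleMutexA"], "domains": ["c2.example.invalid"]},
    {"sha256": "b" * 64, "mutexes": ["Global\\SampleMutexA"], "domains": ["update.example.invalid"]},
    {"sha256": "c" * 64, "mutexes": ["Local\\SampleMutexB"], "domains": ["c2.example.invalid"]},
]

# STIX 2.1 recommends UUIDv5 under this fixed namespace for deterministic object ids.
STIX_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

PATTERNS = {  # report field -> STIX pattern template
    "mutexes": "[mutex:name = '{}']",
    "domains": "[domain-name:value = '{}']",
}

def stix_id(obj_type, key):
    """Same key -> same id, so a duplicate indicator collapses into a single node."""
    return f"{obj_type}--{uuid.uuid5(STIX_NS, key)}"

def reports_to_bundle(reports):
    """One malware SDO per sample, one indicator SDO per distinct behavioral
    indicator, and an 'indicates' relationship per (indicator, sample) pair."""
    objects = {}
    for rep in reports:
        mal_id = stix_id("malware", rep["sha256"])
        objects[mal_id] = {"type": "malware", "id": mal_id,
                           "name": rep["sha256"][:12], "is_family": False}
        for field, template in PATTERNS.items():
            for value in rep.get(field, []):
                pattern = template.format(value.replace("\\", "\\\\"))  # escape for STIX patterns
                ind_id = stix_id("indicator", pattern)
                objects.setdefault(ind_id, {"type": "indicator", "id": ind_id,
                                            "pattern": pattern, "pattern_type": "stix"})
                rel_id = stix_id("relationship", f"{ind_id}|indicates|{mal_id}")
                objects[rel_id] = {"type": "relationship", "id": rel_id,
                                   "relationship_type": "indicates",
                                   "source_ref": ind_id, "target_ref": mal_id}
    return {"type": "bundle", "id": stix_id("bundle", "analysis-run-1"),
            "objects": list(objects.values())}

def shared_indicators(bundle):
    """Indicator ids linked to more than one sample: the edges that join executions."""
    targets = {}
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            targets.setdefault(obj["source_ref"], set()).add(obj["target_ref"])
    return {ind for ind, samples in targets.items() if len(samples) > 1}
```

With the three constructed reports, the shared mutex and the shared domain are the only two indicators that connect more than one sample; a database such as the one the project used would then answer the same question with a graph query.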