Back

Equivocal Behaviour Tool Thesis

I built an asynchronous sandbox-analysis tool for my BSc thesis to detect equivocal behaviours in trusted Windows software.

Repository
malware analysissupply chain securityMITRE ATT&CKsandboxingVirusTotalANY.RUNPython

Equivocal Behaviour Tool Thesis

This project is my Bachelor of Engineering thesis at the University of Sannio: Extracting Equivocal Behaviours from Trusted Systems.

The work studies software that appears trustworthy but performs behaviours that are undocumented, privacy-sensitive, or potentially useful in an attack chain. The thesis frames those behaviours as a software supply-chain security problem: trusted software can still expose users to hidden telemetry, reconnaissance, or advanced operating-system utility abuse.

What I Built

I designed an asynchronous multithreaded Python CLI that orchestrates sandbox analysis across Hybrid Analysis, VirusTotal, and ANY.RUN. The tool collects and normalizes execution traces for Windows 10/11 binaries, then supports MITRE ATT&CK-based analysis of behaviours observed during execution.

Research Method

  • Reviewed 60 MITRE ATT&CK Enterprise techniques
  • Defined 12 Equivocal Software Behaviours
  • Analyzed 36 SourceForge-categorized goodware binaries
  • Cleaned and explored sandbox JSON outputs with Python, Pandas, Seaborn, and Jupyter
  • Mapped observed behaviours to ATT&CK-inspired categories

Outcome

The analysis detected system reconnaissance and advanced OS utility exploitation in all analyzed trusted-system samples. The result is a reproducible thesis workflow for making hidden software behaviours visible and discussable, especially in software transparency and supply-chain security contexts.

Public Proof