Carbon Black announced the launch of Binee, an open-source binary emulator that bridges the gap between static and dynamic analysis of real-world malware. Binee lets researchers extract run-time data from binaries at a cost, speed and scale previously only possible with static analysis tools, opening up a wealth of run-time malware data for behavioral analysis and machine learning applications.

Malware detection through standard static analysis has become increasingly difficult, and researchers are relying more and more on dynamic analysis techniques to understand the behavior of the malware they study. Unfortunately, dynamic analysis is costly and time-consuming, so only a very small portion of malware can be assessed this way. Binee addresses this gap by delivering run-time analysis of malware at the speed and cost of static analysis through mock process emulation.

The ability to emulate x86 and other architectures has been around for some time: malware analysts have several tools readily available in the public domain. However, most of these tools stop short of full emulation, either halting or behaving unpredictably when the emulated program calls a library function or system call that the emulator does not implement.

Binee creates a nearly identical Windows process memory model inside the emulator, including dynamically loaded libraries and other Windows process structures. It mimics much of the OS kernel and outputs a detailed description of every function call, with human-readable parameters, for the duration of the process, giving greater insight into a sample's API calls and other IOCs than static analysis can. In short, Binee extracts features of a binary that were previously visible only to dynamic analysis, at a cost closer to that of static analysis.

The team designed the tool with two primary use cases in mind: first, data extraction at scale, at a cost and speed similar to common static analysis tools; and second, malware analysts who need a custom operating system and framework without the overhead of spinning up various configurations of virtual machines.
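The description above of mocking the OS and logging each API call with human-readable parameters can be illustrated with a small model of that dispatch loop. The following Go program is an added example written for this page; it is not Binee's code and it emulates no CPU. It stands in for the host side of the design: an emulated program "calls" a Windows API by name with raw integer arguments, the host resolves the name to a mock implementation that returns a plausible value, decodes the arguments (Win32 flag and disposition constants are the real values; every path, address and handle is constructed), and appends a trace line. An API without a mock is logged and returns 0 instead of stopping the run, which is the failure mode the article attributes to most emulators.

```go
package main

import (
	"fmt"
	"strings"
)

// Call is one API call as seen from the emulated CPU: a symbol name and the
// raw argument values that sat in registers or on the stack.
type Call struct {
	Name string
	Args []uint64
}

// Hook mocks one API. It gets the emulator (for memory reads and handle
// allocation) and the raw arguments, and returns the value the real API would
// leave in EAX/RAX together with a human-readable rendering of the arguments.
type Hook func(e *Emulator, args []uint64) (ret uint64, decoded string)

// Emulator is a deliberately tiny process model: a map standing in for the
// address space (pointer -> NUL-terminated string), a table of API mocks,
// the call trace, and a counter so mocked calls hand out distinct handles.
type Emulator struct {
	Mem        map[uint64]string
	Hooks      map[string]Hook
	Trace      []string
	nextHandle uint64
}

// Real Win32 values for CreateFileA's dwDesiredAccess bits.
var accessNames = []struct {
	bit  uint64
	name string
}{
	{0x80000000, "GENERIC_READ"},
	{0x40000000, "GENERIC_WRITE"},
	{0x20000000, "GENERIC_EXECUTE"},
}

// Real Win32 values for CreateFileA's dwCreationDisposition.
var dispositionNames = map[uint64]string{
	1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
	4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING",
}

// flags renders a bitmask as OR-ed symbolic names, falling back to hex.
func flags(v uint64) string {
	var parts []string
	for _, f := range accessNames {
		if v&f.bit != 0 {
			parts = append(parts, f.name)
		}
	}
	if len(parts) == 0 {
		return fmt.Sprintf("0x%x", v)
	}
	return strings.Join(parts, "|")
}

// str dereferences a pointer argument against the toy memory model.
func (e *Emulator) str(p uint64) string {
	if s, ok := e.Mem[p]; ok {
		return fmt.Sprintf("%q", s)
	}
	return fmt.Sprintf("<0x%x>", p)
}

func (e *Emulator) newHandle() uint64 {
	e.nextHandle += 4
	return e.nextHandle
}

func hexArgs(a []uint64) string {
	parts := make([]string, len(a))
	for i, v := range a {
		parts[i] = fmt.Sprintf("0x%x", v)
	}
	return strings.Join(parts, ", ")
}

// NewEmulator registers the two mocks this example implements.
func NewEmulator() *Emulator {
	e := &Emulator{Mem: map[uint64]string{}, Hooks: map[string]Hook{}, nextHandle: 0x100}
	e.Hooks["CreateFileA"] = func(e *Emulator, a []uint64) (uint64, string) {
		if len(a) < 7 {
			return 0, "malformed argument list"
		}
		disp, ok := dispositionNames[a[4]]
		if !ok {
			disp = fmt.Sprintf("0x%x", a[4])
		}
		d := fmt.Sprintf("lpFileName=%s, dwDesiredAccess=%s, dwCreationDisposition=%s",
			e.str(a[0]), flags(a[1]), disp)
		return e.newHandle(), d
	}
	e.Hooks["GetProcAddress"] = func(e *Emulator, a []uint64) (uint64, string) {
		if len(a) < 2 {
			return 0, "malformed argument list"
		}
		// Fake but stable address so the emulated program can keep going.
		return 0x7ff00000 + uint64(len(e.Trace))*0x10,
			fmt.Sprintf("hModule=0x%x, lpProcName=%s", a[0], e.str(a[1]))
	}
	return e
}

// Run replays the call sequence and returns the trace. An API with no mock is
// recorded as unimplemented and returns 0 rather than aborting the run.
func (e *Emulator) Run(calls []Call) []string {
	for i, c := range calls {
		h, ok := e.Hooks[c.Name]
		if !ok {
			e.Trace = append(e.Trace, fmt.Sprintf("[%d] %s(%s) = 0 ; unimplemented, stubbed",
				i, c.Name, hexArgs(c.Args)))
			continue
		}
		ret, decoded := h(e, c.Args)
		e.Trace = append(e.Trace, fmt.Sprintf("[%d] %s(%s) = 0x%x", i, c.Name, decoded, ret))
	}
	return e.Trace
}

// SampleTrace replays a constructed call sequence; the path, module base and
// string addresses are made up for the example.
func SampleTrace() []string {
	e := NewEmulator()
	e.Mem[0x401000] = `C:\Users\Public\sample.dll`
	e.Mem[0x401040] = "LoadLibraryA"
	return e.Run([]Call{
		{"CreateFileA", []uint64{0x401000, 0x80000000 | 0x40000000, 0, 0, 2, 0x80, 0}},
		{"GetProcAddress", []uint64{0x76d00000, 0x401040}},
		{"GetSystemTimeAsFileTime", []uint64{0x402000}},
	})
}

func main() {
	for _, line := range SampleTrace() {
		fmt.Println(line)
	}
}
```

The trace reads like the call log the article describes: the first line names the file and the access mode symbolically, the second shows which export the sample resolved, and the third records a call the mock table does not cover without ending the run. In a real emulator the `Hooks` table is populated for hundreds of APIs and `Mem` is the guest address space rather than a map, but the shape of the loop is the same.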