Tycho is a reverse-engineering sandbox that increases the efficacy of malware analysis.

Tycho Brahe

Tycho moves the operating system into a virtual machine and provides a super debugger that offers advanced features to improve malware analysis times. At the same time it does not create the artifacts that usually makes debuggers visible to the debuggee - Tycho is invisible to malware.

With these properties it increases the effectivity and efficiency of malware analysts: It reduces the setup time of complicated analysis scenarios significantly. Automate complex analysis proceduces easily! With Tycho the analyst can make better use of his time and focus on the difficult and complex details of tricky malware.

Tycho is the ultimate tool for exploring and examining the world of malware. The name takes its inspiration from the great Danish star observer Tycho Brahe, who discovered what we call today supernovae.


4.2 seconds between malware samples

One new sample every 4.2 seconds is the rate in which malware is discovered worldwide. Malware analysts can't possibly analyse all the samples as they appear.

Tycho enhances this situation by enabling the analyst to do the following:

  • Jumpstart into analysis with reduced setup time.
  • Avoid additional training costs and time with its integration into existing Tools.
  • Cut short tedious hiding from malware that tries to evade analysis, because Tycho is invisible by default.
  • Automation of otherwise tedious manual analysis procedures with a Python API.
  • Perform a deeper behavior based analysis by creating and using semantic breakpoints.

Discovery of new malware samples every year in millions.
Source: G DATA Security Blog


Invisible Debugging

The VM part of Tycho is invisible to analysed processes because only the CPU and memory are virtualized. The rest of the guest system is the real hardware.

Running a VM detection tool in Windows on top of KVM vs. the Cyberus VM.

Tycho’s guest instrumentation is completely invisible to the inspected process, and even to the guest operating system.

Virtual Machine Introspection

Tycho closes the semantic gap and gives the user access to extra information in kernel- and process structures by performing OS fingerprinting and introspection.

This way Tycho controls guest processes like a debugger without cooperating or knowledge of the guest system.

Semantic Breakpoints

In addition to ordinary breakpoints and single-stepping that is not visible from within the guest system, Tycho provides a unique Semantic Breakpoints mechanism that accelerates malware analysis by stopping samples on signs of interesting behavior.

Semantic breakpoints are triggered by e.g. system call instructions with specific parameters, execute-after-write access, or when the malware makes itself persistent on the system.

You can increase the efficacy of semantic breakpoints even further by creating your own custom semantic breakpoint, based on specific instructions, interrupts, and architectural state.

Seamless Tools Integration

Tycho provides multiple interfaces and interacts seamlessly with IDA Pro, Binary Ninja, and GDB-compatible tools and debuggers.

IDA Pro Logo. This is a registered trademark by Hex Rays SA. Hex rays and IDA are not affiliated to Cyberus Technology. Binary Ninja Logo. This is a registered trademark by VECTOR 35 LLC. VECTOR 35 and Binary Ninja are not affiliated to Cyberus Technology.
Radare Logo. Radare is its own project that is not affiliated to Cyberus Technology. GDB Logo. GDB is part of the GNU Project. GDB and GNU are not affiliated to Cyberus Technology. Python Logo. The python project is not affiliated to Cyberus Technology.

("IDA Pro" is a trademark of Hex Rays SA and "Binary Ninja" one of VECTOR 35 LLC. "GDB" is part of the GNU Project and "Radare2" as well as "Python" are independent open source projects. These are the copyright holders of the displayed logos. "Python" and the Python logos are trademarks or registered trademarks of the Python Software Foundation, used by Cyberus Technology with permission from the Foundation. GDB fish logo: Jamie Guinan, licensed CC BY-SA 3.0 US. None of these are affiliated to Cyberus Technology GmbH.)

Tycho interacts with the user via its Python API. This way it can be easily integrated with Volatility etc. in your Python scripts.

Cuckoo Sandbox Integration

Tycho enhances the effectivity of Cuckoo sandbox by substituting its visible agent service in the guest operating system.

Cuckoo Sangbox Logo. The Cuckoo Sandbox Project and team are not affiliated to Cyberus Technology.

("Cuckoo Sandbox" is an open source project that is not affiliated to Cyberus Technology GmbH)

Invisibility and superior level of detail provide for automatic detection of more malware samples. This way not only the detection rate is increased, but also the level of detail of the analysis.

Effortless Deployment

The hypervisor can be deployed to any system just by rebooting it via network boot (PXE), via an USB stick or from the harddisk. It will then chainload the already installed operating system.

After rebooting again, it is no longer part of the system state. The guest operating system remains unmodified.