Using different public online malware analyser tools

Analyzing malware

Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) to protect your customers is a recurring task if you do incident response. If you have your own malware analysis environment and you receive a suspected malicious file, then uploading the file for processing and waiting for the analysis is one of the first steps in this process. Sometimes, however, you have to rely on different public online malware analyser tools to get results.

I used VMRay a couple of times for doing automated malware analysis for CERTs, but for a recent sample I wanted to rely on publicly available information.

dfsdfff.exe

I got a sample of a suspected malicious file dfsdfff.exe.

MD5 = c37edcda89acf163085649cf139879a9
SHA1 = c656188aa246424429175b9094a20633ab97f3b6

Extracting the strings from this file shows that it uses one DLL (mscoree.dll) and contains a reference to a path on the D: drive:

d:\vpVi\NqXLnduw\OtsTfDSSGytSWwMZGpTvSLvloj\GwjJRUknKVkFjufLKLk\YihSgAir\OlxRpTrg\DnG\DLm\wnrMdjv\YBNHidcnSZJWKWiGVYpAD.pdb

A PDB (program database) file is created when you compile a C/C++ program with debugging enabled. The reference to this file may have been an oversight by the malware author.

It also contains parts of a .NET manifest file with the requested privileges:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
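An added example (not code from the post) of the strings triage described above: it scans a byte buffer for printable ASCII and UTF-16LE runs and pulls out the same three things the post looked at, imported DLLs, a PDB path and the manifest's requested execution level. SAMPLE is a constructed stand-in for the binary, not the real dfsdfff.exe, and only the PDB path and manifest fragment are copied from the page.

```python
import re

# Constructed stand-in for the binary (NOT the real dfsdfff.exe): a little non-printable
# filler around the kinds of strings the post pulled out of the sample.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"mscoree.dll\x00_CorExeMain\x00\x7f\x01\x02"
    + b"d:\\vpVi\\NqXLnduw\\OtsTfDSSGytSWwMZGpTvSLvloj\\GwjJRUknKVkFjufLKLk\\YihSgAir"
    + b"\\OlxRpTrg\\DnG\\DLm\\wnrMdjv\\YBNHidcnSZJWKWiGVYpAD.pdb\x00" + b"\xff" * 8
    + "MyApplication.app".encode("utf-16-le") + b"\x00\x00"      # a UTF-16LE (wide) string
    + b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    + b'<requestedExecutionLevel level="asInvoker" uiAccess="false"/></assembly>\x00'
)

def strings(data, min_len=4):
    """Printable runs of at least min_len characters, ASCII and UTF-16LE (like the strings tool)."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs

def triage(data):
    """Extract the indicators the post looked at: imported DLLs, PDB paths, manifest privilege level."""
    found = strings(data)
    blob = "\n".join(found)
    level = re.search(r'requestedExecutionLevel\s+level="([^"]+)"', blob)
    return {
        "dlls": sorted({s.lower() for s in found if s.lower().endswith(".dll")}),
        "pdb_paths": [s for s in found if s.lower().endswith(".pdb")],
        "has_manifest": "urn:schemas-microsoft-com:asm" in blob,
        "execution_level": level.group(1) if level else None,
        "is_dotnet": "mscoree.dll" in blob.lower(),   # mscoree.dll is the CLR host, so a .NET binary
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```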

Search for online malware analysis reports

The above data is more than enough to search Google for online analysis reports.

I found that the sample had already been analysed by several online sandboxes. I did not submit a new sample (except to Virustotal) because most of the analysis had already been done.

The different analyses yielded these IOCs:

Payload Security (3-Apr-2015, Windows 8.1)

  IP connections (IP, port, method):
    68.232.34.200    80
    151.252.48.36    8080  POST
    23.67.143.229    443
    23.9.211.69      80    POST
    157.55.236.125   443
    23.9.212.165     80
    157.56.122.47    443

  DNS queries (name, resolved to):
    g7JrvSCyloK8C13.in                 151.252.48.36
    foodanddrink.tile.appex.bing.com   92.122.214.57
    en-us.appex-rf.msn.com             92.122.214.57
    finance.services.appex.bing.com    92.122.214.57
    cdf-anon.xboxlive.com              23.9.212.165

  Files:
    dfsdfff.exe

Sophos (3-Apr-2015)

  IP connections (IP, port):
    151.252.48.36    8080
    212.62.246.210   8080
    74.123.9.41      8080
    82.151.131.129   8080

  Files:
    c:\edg2.exe

Malwr.com (3-Apr-2015)

  IP connections (IP, port, method):
    151.252.48.36    ???   POST

  Files:
    kansp1.exe
    edg1.tmp

Virustotal (5-Apr-2015)

  Files:
    dfsdfff.exe
    output.63790949.txt
    63790949
    dfsdfff.exe.dr
    kansp1.exe
    UrinaryRestoredSilent.exe
    kansp1.jpg

Summary of the results

If you look at the different malware analysis results, you see a big difference between the one from Payload Security and the others.

The comments on Virustotal told us that this is Dridex malware. Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Dridex first arrives on a user's computer as a malicious spam e-mail with a Microsoft Word document attached to the message.

Indicators of Compromise

The goal of these exercises is to extract useful threat intelligence and indicators of compromise. These IOCs serve to protect our constituency against further infection.

Based on these online results we can warn our constituency of a new banking malware called Dridex.

  • It needs Microsoft Office
  • Search for the files dfsdfff.exe, output.63790949.txt, 63790949, dfsdfff.exe.dr, kansp1.exe, UrinaryRestoredSilent.exe, kansp1.jpg, edg1.tmp, edg2.exe
  • Alert on DNS queries for g7JrvSCyloK8C13.in, foodanddrink.tile.appex.bing.com, en-us.appex-rf.msn.com, finance.services.appex.bing.com, cdf-anon.xboxlive.com
  • Monitor TCP traffic to 68.232.34.200, 151.252.48.36, 23.67.143.229, 23.9.211.69, 157.55.236.125, 23.9.212.165, 157.56.122.47

One of the IPs that shows up in the different analyses is 151.252.48.36. This IP is hosted in Germany by Vautron Serverhousing:

inetnum:        151.252.48.0 - 151.252.51.255
netname:        VAUTRON-HOUSING5-NET
descr:          Vautron Serverhousing
country:        DE

If you have limited capabilities to set detection rules, then monitoring connections towards this IP will already greatly increase your chances of catching infections.

Conclusions

The online malware analyses returned different results. I found the results from Payload Security the most useful. Additionally, they allow you to download the full network capture so you can do further offline analysis.

If you want to provide useful IOCs for your constituency and you do not have your own malware analysis tool, then it's worth it to:

  • Get the hashes of the malware file
  • Upload the samples to different online sandboxes
    • Make sure you get approval!
    • Verify that these files do not contain *your* credentials (in the case of targeted malware)
    • Be aware that by submitting the samples you basically give away that you are doing an investigation. This is not an issue for ‘standard’ malware, but you might want to refrain from it if you suspect targeted malware. Use your own private analysis environment in that case.
  • Use Google (based on the different hashes) to search for previous analysis
  • Combine the results to extract protection filters

You can propagate the indicators manually or use STIX and CybOX to automate the process.
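As an added example (not code from the post), here is one way to automate the last two steps, combining the sandbox results and propagating the indicators: it merges the per-sandbox IOCs listed above, records which sandboxes corroborate each value, and emits them as STIX 2.1 JSON indicators (the current STIX format, used here instead of the STIX 1/CybOX XML the post mentions) with only the standard library. The REPORTS values are the ones listed in the post; the confidence scoring is an assumption of this example.

```python
import json
import uuid
from datetime import datetime, timezone

# Per-sandbox results as listed in the post (values copied from the page, not re-verified).
REPORTS = {
    "Payload Security": {
        "ips": ["68.232.34.200", "151.252.48.36", "23.67.143.229", "23.9.211.69",
                "157.55.236.125", "23.9.212.165", "157.56.122.47"],
        "domains": ["g7JrvSCyloK8C13.in", "foodanddrink.tile.appex.bing.com",
                    "en-us.appex-rf.msn.com", "finance.services.appex.bing.com",
                    "cdf-anon.xboxlive.com"],
        "files": ["dfsdfff.exe"]},
    "Sophos": {"ips": ["151.252.48.36", "212.62.246.210", "74.123.9.41", "82.151.131.129"],
               "domains": [], "files": ["edg2.exe"]},
    "Malwr.com": {"ips": ["151.252.48.36"], "domains": [], "files": ["kansp1.exe", "edg1.tmp"]},
    "Virustotal": {"ips": [], "domains": [],
                   "files": ["dfsdfff.exe", "output.63790949.txt", "63790949", "dfsdfff.exe.dr",
                             "kansp1.exe", "UrinaryRestoredSilent.exe", "kansp1.jpg"]},
}

# STIX 2.1 pattern object paths for each IOC type.
STIX_PATH = {"ips": "ipv4-addr:value", "domains": "domain-name:value", "files": "file:name"}

def merge_iocs(reports):
    """Union of every IOC type over all sandboxes; each value keeps the set of sources that saw it."""
    merged = {kind: {} for kind in STIX_PATH}
    for source, report in reports.items():
        for kind in STIX_PATH:
            for value in report.get(kind, []):
                merged[kind].setdefault(value, set()).add(source)
    return merged

def to_stix_bundle(merged, created=None):
    """One STIX 2.1 Indicator per IOC; corroboration by several sandboxes raises the confidence."""
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    objects = []
    for kind, values in merged.items():
        for value, sources in sorted(values.items()):
            objects.append({
                "type": "indicator", "spec_version": "2.1",
                # deterministic id, so re-running on the same IOC updates rather than duplicates
                "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, f"{kind}:{value}")),
                "created": created, "modified": created, "valid_from": created,
                "name": f"Dridex {kind[:-1]} indicator: {value}",
                "indicator_types": ["malicious-activity"],
                "pattern": f"[{STIX_PATH[kind]} = '{value}']", "pattern_type": "stix",
                "confidence": min(100, 50 + 25 * (len(sources) - 1)),  # assumed scoring
                "labels": sorted(sources),           # which sandboxes reported the value
            })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}

if __name__ == "__main__":
    print(json.dumps(to_stix_bundle(merge_iocs(REPORTS)), indent=2))
```

Corroboration count is not the same as maliciousness: the appex.bing.com, msn.com and xboxlive.com names in the Payload Security run are resolved by the Windows 8.1 sandbox host itself and should be vetted before the filter ships.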

5 thoughts on “Using different public online malware analyser tools”

  1. Have you tried using the Anubis tool from iSec for analysis as well? https://anubis.iseclab.org/
    Would be curious to see how it compares in terms of understanding what kind of activity the malicious software performs? If you haven’t looked at iseclabs before, check out wepawet as well.

    Cheers,
    -T

    • Koen Van Impe said:

      Thanks, I forgot about that one!
      I’ve been playing (evaluation account) with VMRay and got some very good results. AFAICT one of the people behind VMRay also contributed to Anubis …

  2. mutifo said:

    joesecurity.org is a great sandbox, but at some point they decided to go the fully commercial way. No more free service :/

    BR
    mutifo

    • Koen said:

      Indeed, same goes for the reports at Payload Security; getting the pcap file allows you to do further analysis (tshark etc.). It’s one of the great pluses of these sites.
