Analyzing malware
Analyzing malware and extracting useful detection indicators (Indicators of Compromise, IOCs) to protect your customers is a recurring task in incident response. If you have your own malware analysis environment and you receive a suspected malicious file, uploading it for processing and waiting for the analysis is one of the first steps. Sometimes, however, you have to rely on public online malware analysis tools to get the results.
I used VMRay a couple of times for doing automated malware analysis for CERTs, but for a recent sample I wanted to rely on publicly available information.
dfsdfff.exe
I got a sample of a suspected malicious file dfsdfff.exe.
MD5 = c37edcda89acf163085649cf139879a9
SHA1 = c656188aa246424429175b9094a20633ab97f3b6
Extracting the strings from this file shows that it uses one DLL (mscoree.dll) and contains a reference to a path on the D: drive:
d:\vpVi\NqXLnduw\OtsTfDSSGytSWwMZGpTvSLvloj\GwjJRUknKVkFjufLKLk\YihSgAir \OlxRpTrg\DnG\DLm\wnrMdjv\YBNHidcnSZJWKWiGVYpAD.pdb
A PDB file is created when you compile a C/C++ program with debug mode enabled. The reference to this file might have been a mistake by the malware author.
It also contains parts of a .NET manifest file with the requested privileges:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
Search for online malware analysis reports
The above data is more than enough to use Google to search for online analysis reports.
I found that the sample was analysed by different online sandboxes. I did not submit a new sample (except for Virustotal) because most of the analysis was already done previously.
The different analyses returned these IOCs:

Payload Security
3-Apr-2015 | Windows 8.1
68.232.34.200 | 80 | –
151.252.48.36 | 8080 | POST
23.67.143.229 | 443 | –
23.9.211.69 | 80 | POST
157.55.236.125 | 443 | –
23.9.212.165 | 80 | –
157.56.122.47 | 443 | –
g7JrvSCyloK8C13.in | DNS | 151.252.48.36
foodanddrink.tile.appex.bing.com | DNS | 92.122.214.57
en-us.appex-rf.msn.com | DNS | 92.122.214.57
finance.services.appex.bing.com | DNS | 92.122.214.57
cdf-anon.xboxlive.com | DNS | 23.9.212.165
dfsdfff.exe

Sophos
3-Apr-2015
151.252.48.36 | 8080 | –
212.62.246.210 | 8080 | –
74.123.9.41 | 8080 | –
82.151.131.129 | 8080 | –
c:\edg2.exe

Malwr.com
3-Apr-2015
151.252.48.36 | ??? | POST
kansp1.exe
edg1.tmp

Virustotal
5-Apr-2015
dfsdfff.exe
output.63790949.txt
63790949
dfsdfff.exe.dr
kansp1.exe
UrinaryRestoredSilent.exe
kansp1.jpg
Summary of the results
If you take a look at the different malware analysis results you see a big difference between the one from Payload Security and the other ones.
The comments on Virustotal told us that this is Dridex malware. Dridex is a strain of banking malware that leverages macros in Microsoft Office to infect systems. Dridex operates by first arriving on a user’s computer as a malicious spam e-mail with a Microsoft Word document attached to the message.
Indicators of Compromise
Our goal in these exercises is to extract useful threat intelligence and indicators of compromise. These IOCs serve as indicators to protect our constituency against further infection.
Based on these online results we can warn our constituency of a new banking malware called Dridex.
- It needs Microsoft Office
- Search for files dfsdfff.exe, output.63790949.txt, 63790949, dfsdfff.exe.dr, kansp1.exe, UrinaryRestoredSilent.exe, kansp1.jpg, edg1.tmp, edg2.exe
- Alert on DNS queries for g7JrvSCyloK8C13.in, foodanddrink.tile.appex.bing.com, en-us.appex-rf.msn.com, finance.services.appex.bing.com, cdf-anon.xboxlive.com
- Monitor TCP traffic to 68.232.34.200, 151.252.48.36, 23.67.143.229, 23.9.211.69, 157.55.236.125, 23.9.212.165, 157.56.122.47
One of the IPs that shows up in the different analyses is 151.252.48.36. This IP is hosted in Germany with Vautron Serverhousing.
inetnum: 151.252.48.0 - 151.252.51.255
netname: VAUTRON-HOUSING5-NET
descr: Vautron Serverhousing
country: DE
If you have limited capabilities to set detection rules, then monitoring connections towards this IP will already greatly increase your chances of catching infections.
Conclusions
The online malware analysis returned different results. I found the results coming from Payload Security most useful. Additionally they allow you to download the full network capture so you can do further offline analysis.
If you want to provide useful IOCs for your constituency and you do not have your own malware analysis tool, then it is worth doing the following:
- Get the hashes of the malware file
- Upload the samples to different online sandboxes
  - Make sure you get approval!
  - Verify that these files do not contain *your* credentials (in the case of targeted malware)
  - Be aware that by submitting the samples you basically give away that you are doing an investigation. This is not an issue for ‘standard’ malware, but you might want to refrain from this if you suspect it is targeted malware. You should use your own private analysis environment for this.
- Use Google (based on the different hashes) to search for previous analysis
- Combine the results to extract protection filters
You can propagate the indicators manually or use STIX and CybOX to automate the process.
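As an added example (not part of the original post), this is one way to carry out the "combine the results" step on the network indicators from the table above: it counts how many sandboxes reported each indicator, which is how 151.252.48.36 stands out. The vendor-domain suffix list and the tier names are assumptions made for this illustration.

```python
from collections import defaultdict

# Network indicators copied from the per-sandbox results table on this page.
REPORTS = {
    "Payload Security": {
        "68.232.34.200", "151.252.48.36", "23.67.143.229", "23.9.211.69",
        "157.55.236.125", "23.9.212.165", "157.56.122.47",
        "g7JrvSCyloK8C13.in", "foodanddrink.tile.appex.bing.com",
        "en-us.appex-rf.msn.com", "finance.services.appex.bing.com",
        "cdf-anon.xboxlive.com",
    },
    "Sophos": {"151.252.48.36", "212.62.246.210", "74.123.9.41",
               "82.151.131.129"},
    "Malwr.com": {"151.252.48.36"},
}
# DNS answers from the same table (domain -> resolved IP).
RESOLVED = {"g7JrvSCyloK8C13.in": "151.252.48.36",
            "cdf-anon.xboxlive.com": "23.9.212.165"}
# Assumption: a locally maintained list of OS/vendor service domains.
VENDOR_SUFFIXES = (".bing.com", ".msn.com", ".xboxlive.com")

def is_vendor(indicator):
    return indicator.lower().endswith(VENDOR_SUFFIXES)

def rank_indicators(reports, resolved=RESOLVED):
    """Return [(indicator, sandboxes, tier)], best-corroborated first."""
    seen = defaultdict(set)
    for sandbox, indicators in reports.items():
        for ind in indicators:
            seen[ind].add(sandbox)
    # IPs explained only by a vendor-domain lookup are likely background traffic.
    vendor_ips = {ip for dom, ip in resolved.items() if is_vendor(dom)}
    vendor_ips -= {ip for dom, ip in resolved.items() if not is_vendor(dom)}
    ranked = []
    for ind, sources in seen.items():
        if is_vendor(ind) or ind in vendor_ips:
            tier = "vendor-review"   # check before alerting: false-positive risk
        elif len(sources) > 1:
            tier = "corroborated"    # reported by more than one sandbox
        else:
            tier = "single-source"   # reported by one sandbox only
        ranked.append((ind, sorted(sources), tier))
    order = {"corroborated": 0, "single-source": 1, "vendor-review": 2}
    return sorted(ranked, key=lambda r: (order[r[2]], -len(r[1]), r[0]))

if __name__ == "__main__":
    for ind, sources, tier in rank_indicators(REPORTS):
        print(f"{tier:14} {ind:34} {', '.join(sources)}")
```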
Have you tried using the Anubis tool from iSec for analysis as well? https://anubis.iseclab.org/
Would be curious to see how it compares in terms of understanding what kind of activity the malicious software performs? If you haven’t looked at iseclabs before, check out wepawet as well.
Cheers,
-T
Thanks, I forgot about that one!
I’ve been playing (evaluation account) with VMRay and got some very good results. AFAICT one of the people behind VMRay also contributed to Anubis …
joesecurity.org is a great sandbox but at some point in time they decided to go the fully commercial way. No more free service :/
BR
mutifo
On malwr you can also download the pcap file if you register and login as well as files created.
Indeed, same goes for the reports at Payload Security; getting the pcap file allows you to do further analysis (tshark etc). It’s one of the great + of these sites.