Cuckoo Sandbox v1.1 - Automated Malware Analysis

Cuckoo Sandbox is a malware analysis system. In practice this means you can throw any suspicious file at it and, in a matter of seconds, Cuckoo will return detailed results outlining what that file did when executed inside an isolated environment.

Cuckoo generates several kinds of raw data, including:

  • Native functions and Windows API calls traces
  • Copies of files created and deleted from the filesystem
  • Dump of the memory of the selected process
  • Full memory dump of the analysis machine
  • Screenshots of the desktop during the execution of the malware analysis
  • Network dump generated by the machine used for the analysis

In order to make these results more consumable for end users, Cuckoo can process them and generate different types of reports, which may include:

  • JSON report
  • HTML report
  • MAEC report
  • MongoDB interface
  • HPFeeds interface

Even more interestingly, thanks to Cuckoo’s extensive modular design, you can customize both the processing and the reporting stages. Cuckoo gives you everything you need to integrate the sandbox into your existing frameworks and data stores, with the data you want, in the way you want, in the format you want.

Changelog v1.1

  • Added imphash to static PE analysis
  • Added search for URLs in the web interface
  • Added search for PE Imphash in the web interface
  • Added possibility in web interface to queue to all machines
  • Added filtering by behavior category in Django web interface
  • Added analyzer log to Django web interface
  • Added REST API to retrieve screenshots associated with a task
  • Added REST API to retrieve the PCAP associated with a task
  • Added database migration utility
  • Added remote submission to submit.py utility
  • Added small stats utility (utils/stats.py)
  • Added analysis package for PowerShell scripts
  • Added overlay configuration for signatures (data/signatures_overlay.json)
  • Fixed bug in MAEC report
  • Fixed package selection for Office documents and CPL scripts
  • Fixed issue with tcpdump filters
  • Fixed unhandled exception when uploading files to the analysis machines
  • Fixed issues in CuckooMon that resulted in Internet Explorer crashes
  • Fixed bug in CuckooMon that caused mutexes to be resolved as file paths
  • Fixed bug in behavior processing module that resulted in a trailing backslash in summary’s registry keys

Pyew - A Python tool for static malware analysis
Pyew is a command-line Python tool for analysing malware. It supports hexadecimal viewing; disassembly (Intel 16-, 32- and 64-bit); the PE and ELF file formats (it performs code analysis and lets you write scripts against an API to perform many kinds of analysis); following direct call/jmp instructions in the interactive command line; and displaying function names and string data references. It also supports the OLE2 format, the PDF format and more, and accepts plugins to add further features to the tool.

Pyew has been used successfully in large malware analysis systems for almost two years, processing thousands of files daily.


FakeNet - Windows Network Simulation tool for Malware Analysis


FakeNet is a tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware’s network activity from within a safe environment. The goals of the project are to:
  1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration
The tool is in its infancy. We started working on it in January 2012 and intend to maintain it and add new and useful features. If you find a bug or have a feature you think would improve the tool, please contact us.

Features
  • Supports DNS, HTTP, and SSL
  • The HTTP server always serves a file and tries to serve a meaningful one: if the malware requests a .jpg, a properly formatted .jpg is served, and so on. The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

How it works
FakeNet uses a variety of Windows and third-party libraries. It uses a custom HTTP and DNS server to respond to those requests. It uses OpenSSL to wrap any connection in SSL. It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports. It uses Python 2.7 for the Python extensions. Finally, it creates the .pcap file by reconstructing a packet header from the traffic seen in send/recv calls.

Scout - Download and analyze webpage components to identify infected files


Scout uses the Pinpoint engine to download and analyze webpage components in order to identify infected files. It has a built-in HTTP Request Simulator that renders user-specified HTML files, catches the resulting HTTP requests, then drops the responses. Scout can also screenshot the webpage using PhantomJS (download PhantomJS and copy the .exe into the same folder as Scout). Use Scout in a VM, since it could potentially cause your computer to become infected.

CrowdInspect - Scan of your running processes on Windows with Virus Total, WOT & MHR


CrowdInspect is a free, professional-grade tool for Microsoft Windows systems from CrowdStrike, designed to alert you to the presence of malware on your computer that communicates over the network. It is a host-based real-time monitoring and recording tool that uses multiple sources of information to detect untrusted or malicious network-active processes.

The tool runs on both 32-bit and 64-bit versions of Windows from XP upwards.

Beyond listing network connections, CrowdInspect associates each connection entry with the process responsible for that activity. It can display the process name as a simple file name or, optionally, as a full file path.

In addition to the process name, the entry's process ID, local port, local IP address, remote port, remote IP address and the reverse-resolved DNS name of the remote IP address are shown. The tool accommodates both IPv4 and IPv6 addresses.

CrowdInspect records the details of any entry associated with a remote IP address and maintains a chronological list of them, accessed by clicking the "Live/History" toolbar button to switch between the regular live netstat window and the history list window.

Perhaps the most useful aspect of CrowdInspect, though, is its ability to draw on several sources of information to determine the reputation of the process using the network connection and the reputation of the domain it is connecting to. This is achieved through the following technologies and services:

Thread Injection Detection

Detection of code injection using custom proprietary code

Many pieces of malware achieve part of their goal by manipulating already-running applications and injecting themselves into those processes. Regular antivirus products that act only on the physical file contents would not identify this behavior. CrowdInspect features experimental detection of such behavior, and the result of this test for each process can be seen in the “Inject” column.

--  (gray icon)
Not applicable/not available. The process could not be tested.

??  (gray icon)
The process did not allow us to test for code injection.

OK  (green icon)
The process did not appear to show any evidence of thread injection.

!!  (red icon)
The entry appears to have had a thread injected into its process. This is generally not a good thing and not something usually encountered. Note, though, that some classes of specialized software do exhibit this behavior. The process/application should be investigated further.


VirusTotal

Multiple antivirus engine analysis results queried by SHA256 file hash

<http://www.virustotal.com>

Shown in the "VT" column of the tool are the basic summary results of querying the VirusTotal service for the file in question (specifically, the SHA256 hash of the file contents). VirusTotal uses multiple antivirus engines to analyze submitted files; we query its database to see whether the file hash is present and, if so, how the antivirus engines rated it. The value here can be one of the following:

--  (gray icon)
Not applicable/not available. No connection to the VirusTotal database was made, or the process is not associated with a file.

??  (gray icon)
The entry does not exist in the VirusTotal database. This is probably good!

0% ... 100%  (green ... red icons)
The file is known to the VirusTotal database. This is the virus score: 0% means no antivirus vendor reported an issue with the process (very good); 100% means every antivirus vendor reported the process as problematic (very bad!).

More extensive details for the selected entry in the list can be seen either by clicking the "AV Results" toolbar button or by selecting "View AV Test Results" from the right-click context menu for the selected item.

Note that it may take a short while before results appear for each entry in the list, due to rate throttling of connections to the service.


Team Cymru - Malware Hash Repository

Repository of known malware queried by MD5 file hash

<http://www.teamcymru.com>

Team Cymru maintains a repository of known malware that can be queried with an MD5 hash of the file contents; the result is shown in the "MHR" column. In this case we simply query for a yes/no answer, so the result can be one of the following:

--  (gray icon)
Not applicable/not available. No response was received from the Team Cymru service, or the process is not associated with a file.

??  (gray icon)
The entry does not exist in the MHR database. This is probably good, although the absence of a positive response does not necessarily mean the process is not malware.

!!  (red icon)
The entry DOES exist in the MHR database. The process is known to be malware. This is bad!



Web of Trust

Crowd-sourced domain name reputation system

<http://www.mywot.com>

Shown in the "WOT" column of the tool are the basic summary results of querying the Web of Trust service for the reverse-resolved domain name associated with the remote IP address of the connection's entry. The value here can be one of the following:

--  (gray icon)
Not applicable/not available. No connection to the WoT database was made, or the entry's remote IP address does not have a usable, valid domain name associated with it.

??  (gray icon)
The entry does not exist in the WoT database.

0% ... 100%  (red ... green icons)
The WoT reputation score. 0% means that everybody who has rated this domain thinks it is untrustworthy; 100% means that everybody who has rated this domain thinks it is reputable and can be trusted.


To avoid unnecessary querying of the above services, all results are cached so that no unique process or domain is queried more than once for as long as the tool is running.


[Killtrojan Syslog] Tool to detect malware activity on a system


Killtrojan Syslog is a free application that creates a report on the characteristics of a system so that it can be analyzed further for signs of malware; the report is also intended to be posted in a specialized forum where users can help.

The tool has a very intuitive interface that makes it easy for non-technical users to create their reports. It is also useful for more advanced users who want to analyze a computer.

With BBCode log support, you can paste the generated log into any forum (SMF, phpBB, Invision ...), where it will be rendered with clear colours for easy reading.


[Pinpoint] Enumerates WebPage Components to help identify the Infected Files


Pinpoint works like wget/curl in that it simply fetches a webpage without rendering any script. Pinpoint then tries to determine which links make up the webpage, such as JavaScript, CSS, frames and iframes, and downloads those files too (some JavaScript content will produce incorrect links). The list of links it finds shows up in the document tree on the main window.

At the same time, a log file is created which shows each link and the file in which it was found. Pinpoint also downloads each file and calculates its “entropy”: the higher the value, the more random-looking characters it found, which may help identify obfuscated JavaScript.

You can of course spoof the user-agent string and referer values to elicit a malicious response from the website. There is also a function to clear your cookies (see the Options menu item), since many exploit packs check for the presence of cookies on repeated visits. Use Tor to get another IP address, since the address will usually be banned after the first visit.

[RDG Packer Detector 2014] Detector of Packers, Cryptors, Compilers, Packer Scramblers, Joiners, Installers


RDG Packer Detector is a detector of packers, cryptors, compilers, packer scramblers, joiners and installers.

+New signatures
+Windows 7 compatible
+Windows 8 compatible
+Fewer false positives
+Greater stability
+32/64-bit PE detection

-Has a fast detection mode.
-Has a powerful detection mode that analyzes the whole file, allowing multiple packers to be detected in many cases.
-Lets you create your own detection signatures.
-Has a cryptographic analyzer.
-Can calculate a file's checksum.
-Can calculate entropy, reporting whether the analyzed program is compressed, encrypted or neither.
-OEP (Original Entry Point) detector for a program.
-You can check for and download signatures, so your RDG Packer Detector is always up to date.
-Plug-in loader.
-Signature converter.
-Detector of entry-point fakers.
-De-Binder, an extractor of attached (bound) files.
-Improved heuristic system.

[Malheur v0.5.4] Malware Analyzer


Malheur is a tool for the automatic analysis of malware behavior (program behavior recorded from malicious software in a sandbox environment). It is designed to support the routine analysis of malicious software and the development of detection and defense measures. Malheur can identify novel classes of malware with similar behavior and assign unknown malware to the discovered classes.

Analysis of malware behavior?

Malheur builds on the concept of dynamic analysis: malware binaries are collected in the wild and executed in a sandbox, where their behavior is monitored at run time. The execution of each malware binary results in a report of recorded behavior. Malheur analyzes these reports to discover and discriminate malware classes using machine learning.

Malheur can be applied to recorded behavior in various formats, as long as the monitored events are separated by delimiter symbols, as in the reports generated by the popular malware sandboxes CWSandbox, Anubis, Norman Sandbox and Joebox.

[Comodo Instant Malware Analysis] Online Automated Analysis System


If you have a suspicious file, please submit it online by using the form below. Once the file is submitted, COMODO Automated Analysis System will scan it and report back its findings.

[Anubis] Online Analyzing Unknown Binaries

Anubis is a service for analyzing malware.

Submit your Windows executable or Android APK and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting that URL.

[Malware Classifier] Malware Analysis Tool


Adobe Malware Classifier is a command-line tool that lets antivirus analysts, IT administrators and security researchers quickly and easily determine whether a binary file contains malware, so they can develop malware detection signatures faster, reducing the time during which users' systems are vulnerable.

Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.”

The tool was developed using models resulting from running the J48, J48 Graft, PART and Ridor machine-learning algorithms on a dataset of approximately 100,000 malicious programs and 16,000 clean programs.

The tool extracts seven key features from an unknown binary, feeds them to one of the four classifiers or to all of them, and presents its classification of the unknown binary.


[VirusTotal] Online Malware Analysis Tool


VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it can be used to detect false positives, i.e. innocuous resources flagged as malicious by one or more scanners.

VirusTotal’s mission is to help improve the antivirus and security industry and make the internet a safer place through the development of free tools and services.


[Hook Analyser 3.0] A Freeware Malware Analysis and Cyber Threat Intelligence Software


In terms of improvements, a new module has been added: Cyber Threat Intelligence. The Threat Intel module is being built to gather and analyse information related to cyber threats and vulnerabilities.

The module can be run through HookAnalyser.exe (via option 6), or directly.

The module presents its information in a web browser, in a dashboard-style layout, with the following sections:
  1. Threat Vectors - by (%) Country
  2. Threat Vectors - by Geography
  3. Vulnerability / Threat Feed