Showing posts sorted by date for query multisandbox. Sort by relevance Show all posts
Showing posts sorted by date for query multisandbox. Sort by relevance Show all posts

Monday, April 18, 2022

, , , , , , , , ,

VirusTotal Multisandbox+= ELF DIGEST

VirusTotal welcomes ELF DIGEST, the first integrated multi-sandox fully dedicated to only processing linux files. This addition helps put the spotlight on linux malware.


In the words of the founder Tolijan Trajanovski:

ELF DIGEST is a cloud-based Linux malware analysis service provided to security researchers, analysts, and academics. The service performs static, behavioral, and network analysis to extract IoCs and IoAs. The static analysis searches for IoCs in the strings and may also identify obfuscation in the form of string encoding and executable packing. The behavioral analysis can recognize various malicious actions, including VM detection, anti-debugging, persistence, process injection, loading of kernel modules, firewall configuration changes, and others. The network analysis can identify C2 endpoints, resolved domains, HTTP requests, and port scanning. In addition, ELF DIGEST utilizes the open-source malware labeling tool AvClass to determine the most probable malware family the analyzed sample belongs to. The currently supported CPU architectures include ARMv5, ARMv7, MIPS, x86 and x86_64. The detailed findings of the analysis are presented in an aggregated view and can be also downloaded as a JSON report.

Let's take a deeper dive on some samples:


Botnet on ARM with iptables kernel modules

This sample is part of the Mirai botnet. At the top of the report we can see the network communication, possibly the command and control server.

 

In the shell commands we can observe the iptables firewall stopped and tables flushed. This would allow the malware to communicate without the firewall obstructing it.

The linux kernel modules being loaded, which are most likely related to the iptables command line interactions.

We can explore other pivots either on the relationships tab, or within VirusTotal Graph. Here we can see more details with respect to the command and control infrastructure as well as relations to other files, URL, and IPs.



Mozi botnet with bittorrent

Within this sample we see DNS resolutions to common bittorrent trackers and traffic on common bittorrent port 6881.

In the HTTP requests section, scanning for other vulnerable devices on the internet

Using a file search modifier we can find similar samples that perform the same request. behaviour_network:"boaform/admin"




ELF DIGEST, uploads the PCAP network traffic capture. When sandboxes or users upload PCAPs to VirusTotal, we analyze them with snort and suricata, using rules from community contributors.


Other Interesting samples to have a look at:

ELF DIGEST is a great addition to VirusTotal, and will help further shine the spotlight on linux malware. Happy Hunting!
Read More

Friday, January 28, 2022

, , , ,

VirusTotal Multisandbox += SecneurX


VirusTotal welcomes SecneurX to the multi-sandbox project. This new behavioral analysis platform is helping provide additional details on Windows executables, Office documents, and Android APKs.

In their own words:

SecneurX Advanced Malware Analysis (SnX) platform provides visibility and context into advanced threats with its extensive malware analysis & detection capabilities. The analysis platform is based on a unique architecture that emulates an enterprise environment for analyzing the most evasive and concealed malware. It performs both static and dynamic behavior analysis of different file types (.doc, .pdf, .msg, .eml, .xlsx, .exe, .ppt, .csv, .apk etc.) and generates a detailed report describing the malware behavior. Extracted Indicators of compromise (IOCs) and human-readable behavior reports can be used to augment existing intelligence data and help to give "context" about IPs, domains, URLs, Registry, Process activity, file names, and hashes.

On VirusTotal you can find the SecneurX reports on the Behavior tab:

Let's take a deeper look at some interesting samples showcasing SecneurX capabilities:

EXE file which spreads via SMB protocol

602b3c6dba465a535293d06ff498354a6a5631299f8edbaba4bec7d4df98e1e6

This EXE is a crypto mining worm that uses exploits to steal credentials and spreads laterally to other machines in the network. It communicates with its CNC and transfers its malicious binary through SMB protocol to other machines on the local network.

Click on the full report icon, to see the SecneurX detailed report.
A few interesting points in the full report are highlighted:


VirusTotal enterprise customers may search other samples on VirusTotal that use this firewall command you can use the behaviour_processes file search modifier in a query similar to:

behaviour_processes:"netsh firewall add portopening tcp 65533 DNSd"

An example searching for scheduled tasks:

behaviour_processes:"schtasks /create /ru system"

Email with attached password-protected XLS spreadsheet which launches PowerShell


This email message contains an attached password-protected XLS spreadsheet which when triggered launches a Living of the Land attack using an obfuscated PowerShell script to download a second-stage attack payload. SecneurX extracts and executes them




Within the process tree we can see powershell commands to create a TLS connection, You can search VirusTotal to find other samples using this technique with a query like behaviour_processes:"System.Net.SecurityProtocolType" and behaviour_processes:powershell

Android App (APK) with multi-stage payload downloader showing Joker malware behavior

The APK: 1e2c99c68390baefa7d9eba4a429f9b009aa4ade281909831fa2c50a944ae5ab downloads malicious payload via HTTP. In this VT-Graph view we can investigate how it is related to other malware samples.

Excel spreadsheet abusing the legacy equation editor to execute a custom payload

This excel spreadsheet https://www.virustotal.com/gui/file/1a022d0240a252df61e043a2a17a0a41da0dfb94c3e3de8d0a9f4d411559cfa3/behavior/SecneurX exploits Office’s legacy equation editor to download a remote artifact and execute it



We welcome this new addition to VirusTotal, SecneurX will help put the spotlight on malware. Happy hunting.
Read More

Wednesday, October 20, 2021

, , , , , ,

VirusTotal Multisandbox += Microsoft Sysinternals

We welcome the new multisandbox integration with Microsoft sysinternals. It was also recently announced on the sysinternals blog as part of their 25th anniversary. This industry collaboration will greatly benefit the entire cybersecurity community helping put the spotlight on indicators of compromise that may be seen if malware is detonated within your own environment.


In their own words:

"The new Microsoft Sysinternals behavior report in VirusTotal, including an extraction of Microsoft Sysmon logs for Windows executables (EXE) on Windows 10, is the latest milestone in the long history of collaboration between Microsoft and VirusTotal. Microsoft uses VirusTotal reports as an accurate threat intelligence source, and VirusTotal uses detections from Microsoft Defender Antivirus and Microsoft Sysinternals Autoruns, Process Explorer and Sigcheck tools. This cross-industry collaboration has a significant impact on improving customers protection. " says Andi Comisioneru, Group Program Manager, Cloud Security, Microsoft.


Let's take a look at a few example reports. For example in the file with sha256 1bb93d8cc7440ca2ccc10672347626fa9c3f227f46ca9d1903dd360d9264cb47

Here we see a report from Microsoft sysinternals sysmon with DNS resolutions, process tree and shell commands:





From the DNS resolution seen, we can make use of VT-Graph to pivot on other samples that also resolve the same hostname.



For our second example let's look at 1247bb4e1d0aa5aec6fadccaac6e898980ac33b16b69a4aa48fc6e2fb570141d.  Here we see a suspicious email address contained within some files written to the disk:





If we wish to pivot on that, we can search for other similar samples with the same modus operandi with a search query like:
behaviour_files:@tutanota.com



Finally our last example is:

4bb1227a558f5446811ccbb15a7bfe3e1f93fce5a87450b2f2ea05a0bca36bb2. This sample is a coinminer that stores a dropped file in %USERPROFILE%\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

It also registers a scheduled task on logon. It is possible to find other samples doing the same thing with the following intelligence query:
behaviour_processes:"\"AppData\\Microsoft\\Telemetry\\sihost32.exe\""

For more ways to search, see documentation on the available file search modifiers.
 

Happy hunting!

Read More

Thursday, December 10, 2020

, , , , , , , ,

VirusTotal Multisandbox += Sangfor ZSand

VirusTotal multisandbox project welcomes Sangfor ZSandThe ZSand currently focuses on PE files,with extensions to other popular file types like javascript and Microsoft office to be released soon.


In their own words:
ZSand, developed by Sangfor Technologies’ Cloud Computing & Security Team, is an agentless behavioral analysis engine incorporating multiple innovative techniques. At the systems level, zSand employs Two-Dimensional Paging (TDP) techniques to inject hidden breakpoints, enabling accurate monitoring of the API calling sequence of a given process for further fine-grained analysis. At the GUI level, interactions are simulated by the virtual network console (VNC) and visual artificial intelligence (AI) techniques, providing a lifelike and fully functional sandbox. At the detection level, zSand identifies all forms of malware, including vulnerability exploits, by uncovering malicious behaviors and synergistically applying both conventional rule-based approaches and advanced AI algorithms. As a core innovation of the Sangfor anti-malware research group, zSand is a significant improvement in cyber-security capability for both Sangfor Technologies and its clients, customers and partners. Use cases include proactive hunting for unknown threats and the near real-time production of threat intelligence identifying malicious URLs, domain names, files, memory fingerprints, and malicious behavioral patterns. zSand is an agentless behavior monitoring engine, allowing users to deploy real-time defenses in a virtual environment.

In comparison with other sandboxes, the key advantages of zSand include:
  • High runtime performance -- By optimising the configuration of TDP and reducing the number of VMExit events, zSand minimizes monitoring overhead and resource utilization.
  • Strong anti-evasion measures -- Thanks to high performance hardware virtualisation and agentless features, zSand is immune to anti-sandbox detection. 
  • Comprehensive monitoring -- zSand retrieves detailed malware behavioral events and associated states of hardware including CPU, memory, disks, and network interfaces. 
  • Extensive and in-depth analysis -- Designed by cyber-security specialists and AI specialists, zSand is able to dynamically detect elusive and concealed malicious behavior, vulnerability exploits, malware persistence, and privilege escalation, at low levels.


Take take a look in the behavior tab to view these new sandbox reports:



Example reports:

You can also take a look at a couple of Sangfor ZSand behavior analysis reports here and here.
In case you are interested in searching for specific Sangfor ZSand reports, VirusTotal premium services customers may specify so using sandbox_name:sangfor in their queries.

Pivot on interesting behavioural characteristics

All malware uploaded to VirusTotal is detonated in multiple sandboxes, providing security analysts with many interesting and powerful possibilities. Having multiple fine-tuned sandboxes increases the possibilities of malware detonating properly (remember malware usually implements different anti-sandboxing techniques), and provides valuable dynamic data on how the malware behaves.


Why is this data valuable? Because it gives us details that are not visible at static analysis time. For instance, we can use this data to land some TTPs into something more actionable. We will get back on this topic on a future blogpost.


For example, taking in the following sandbox report we find some potentially interesting mutex names. 


We can use this data to pivot and find other malware having the same mutexes when detonated on our sandboxes. By clicking on one of the interesting mutexes, in this case ENGEL_12, we will create a new search ( behaviour:ENGEL_12) which provides us with samples belonging to a common family of padodor malware.




It turns out that this is a valuable dynamic indicator we can use to identify malware samples belonging to this particular malware strain.   From VirusTotal, we welcome this new addition to our Sandboxing arsenal. Happy hunting!

Read More

Thursday, February 20, 2020

, , , , , , ,

VirusTotal MultiSandbox += QiAnXin RedDrip


VirusTotal would like to welcome QiAnXin RedDrip to the multi-sandbox project! QiAnXin is now sending execution behavior reports to the VirusTotal ecosystem for a wide variety of file types.





In their own words:
QiAnXin RedDrip Sandbox, developed by QI-ANXIN Threat Intelligence Center, is a cloud‐based malware analysis service provided to security researchers, analysts as well as ordinary individuals. Based on hardware virtualization technology, the sandbox contains less traits inside the monitored guest system that the malware could be aware of. The runtime environment also gets tailored to behave like a potential victim, rather than an analysis machine. We do this through invalidating available checkpoints, simulating keyboard/mouse interactions, and so on. It is able to handle many file types, probe and trigger infection vectors. These features help us to discover APTs easier and result in the discovery of zero-day attacks in the wild. By using the service, people gain better understanding of the malware and could perform intelligence hunting more conveniently.

 On VirusTotal you can find the QiAnXin reports on the Behavior tab:



Here are some interesting samples to highlight QiAnXin RedDrip’s capabilities:


LNK File


Example:
529177610e30a96c2c8a5b40f5015ce449eb611e06d5d75e66730236cc83bdc6

Within the processes and services actions section we can see that the victim would launch a VBE script silently in the background while opening the HWP document. HWP files are popular in South Korea.



Knowing about this, advanced users can then leverage VT Intelligence modifiers to build logic to flag suspicious LNK files, for instance:
type:lnk behaviour_processes:start

 

RAR File with malicious DLL side loading with goodware EXE


Example:
9155afcf50ee1c2a4b217034ddd43ceb48ea8ead94fa6d9e289753f2fadb82dc

This RAR file is interesting because it contains a trusted, and digitally signed WinWord executable from Microsoft, as well as a malicious DLL to be side loaded. Attackers often use DLL side loading to avoid detection.



As usual in our multisandbox effort, network observations contribute to the file’s relations, meaning that we can use VT Graph to shed light into a threat campaign:


 

A ZIP file that contains executables and scripts


Example:
97eabe0eda591b9a7059b71156f5d3a50f371c2a6a9ef7136943b8b80925704c

RedDrip will use 7z to decompress ZIP packages, it will run through the package contents and identify interesting files to execute. This is particularly useful for multi-modular malware, where a given malicious file has certain dependencies and will not be executed unless it can find them. Packaging up all dependencies in a single bundle overcomes this limitation.

Outlook email


Example:
216ac0a63ce9103a1b5c7d659806675e7188893e98fbaed56e9a90a2a17b53c7

This example illustrates email being used as an attack vector by adversaries. In this example there is a malicious document attachment that gets extracted and runs a powershell script. RedDrip extracts the attachment and opens/executes it, revealing the entire attack chain and allowing us to tie network infrastructure to the original bait.



If we switch over to the relations tab, the network-recordings are immediately visible. We can see that the contacted URLs, domains and IPs are most likely benign. From here would could pivot and continue investigating in VT Graph:



Most importantly, the fact that RedDrip will follow subsequent executions allows performing advanced searches to identify suspicious patterns in VT Intelligence, for instance:

type:outlook behaviour_processes:"winword.exe" have:behaviour_network

This enables us to unearth malicious files that may not yet be detected. This particualr query is asking VirusTotal to return all those outlook messages that upon being opened have launched Microsoft Word (they contained a document attachment) and gave rise to network communications (the document reached out to some URL, domain or IP, probably as a consequence of an exploit or a macro execution).

 

MS Word Document


Example:
e5b3792c99251af6a9581cd2e27e5a52b9c39c6d704985c4631a0ea49173793e

By now, given all of the previous examples, it is obvious that RedDrip will open documents and execute macros. It records all of the activity observed for the macro and any subsequent payloads that it may drop or download:


Switching over to the relations tab we can see how it relates to other contacted URLs, Domains, and IP addresses, and the detections of those entities. This is rich contextual information to make better decisions even when an individual file might not yet be widely detected.


 All of the actions are also indexed in VT Intelligence, such that a simple click on the pertinent observation allows us to discover other samples exhibiting a given pattern. For instance, we can click on the HTTP requests in order to get to other files that reach out to the same URL:

 VT Intelligence will then automatically surface commonalities (shared patterns) that may be used as IoCs in your security toolset:

Seeing the wide variety of file types handled by QiAnXin RedDrip, it is a very interesting addition to the VirusTotal multi-sandbox project.

Welcome and happy hunting! 
Read More

Tuesday, January 28, 2020

, , , , , , , , ,

VirusTotal MultiSandbox += BitDam ATP

VirusTotal would like to welcome BitDam to the multi-sandbox project!


In their own words:

BitDam Advanced Threat Protection (ATP) is a cloud-based engine that proactively detects threats, pre-delivery, preventing hardware and logical exploits, ransomware, spear-phishing and zero-day attacks contained in files and URLs. BitDam’s patented attack-agnostic technology shows remarkably higher protection rates compared to engines that are based on knowledge of previous threats. It learns the normal code-level executions of business applications such as MS-Word and Acrobat Reader, creating a whitelist knowledge-base. Based on this knowledge, the detection engine determines whether a given file or weblink is malicious or not, regardless of the specific malware it may contain.

Let's take a deeper look at some interesting samples showcasing BitDam's capabilities:

XLS spreadsheet with macro in a hidden sheet which launches powershell

 

This file contains a macro which accesses certain cells in a hidden sheet to retrieve the payload and then runs powershell with an obfuscated command line. The powershell script spawns a .NET related processes to compile the payload.

218178c583a2479ee6330f374f9e015db55c339d5b55cfd4f8b7a2fb78e8ab9d

BitDam not only generates execution reports, it also produces behaviour-based detection verdicts, we see BitDam detects the file as malware.




Doc with macro and VBA and WMI

 

This word document has a macro with some benign code, likely for deception and to make static analysis more difficult. The document also uses some basic obfuscation techniques.


BitDam highlights the network communications observed during the execution and populates the pertinent file to domain/IP address/URL relationships back into VirusTotal, as illustrated by the sample’s graph:




Discovering detection blindspots

 

VT Enterprise customers can use search modifiers to dig deeper. For example, we can look for files with low AV detections that BitDam ATP detects as malware:

bitdam_atp:malware and positives:7- and fs:2020-01-01+


Note that this task can also be automated via APIv3.

Welcome BitDam, glad to have you onboard!
Read More

Wednesday, October 23, 2019

, , , ,

VirusTotal multisandbox += VenusEye

VirusTotal multisandbox project welcomes VenusEye. The VenusEye sandbox is currently contributing reports on PE Executables, documents and javascript.

In their own words:

VenusEye Sandbox, as a core component product of VenusEye Threat Intelligence Center, is a cloud-based sandbox service focused on analyzing malwares and discovering potential vulnerabilities. The sandbox service takes multiple(~100) types of files as input, performs both static analysis and behavior analysis after then, and eventually generates a detailed human-readable report in several supported formats like PDF or HTML. Being weaponized with MITRE ATT&CK knowledge base, VenusEye Sandbox combines the product and the service as a whole. With the help of our sandbox service, users can track threat actors or gather threat intelligence for their hunting in a much easier way.

You can find VenusEye reports under the “Behavior” tab:




Take a look at a few example reports within VirusTotal:
https://www.virustotal.com/gui/file/e728fbb5099d17dbe43b48e2fb5295fdd8a25f3790aac3e353c609b1745bd432/behavior/VenusEye%20Sandbox
https://www.virustotal.com/gui/file/6d395a6e0c6899b7bf827099f30cb5abf2da0e6bb766d730cf9cbe014b5e6a9f/behavior/VenusEye%20Sandbox
https://www.virustotal.com/gui/file/8c64086f3a31ebd87963b832e1327587499e0866dce9ad865363d2d2cb8b40c9/behavior/VenusEye%20Sandbox
https://www.virustotal.com/gui/file/0883847c6958cac651ebc2764ec5a5e223d29d5a0a80cb9e08b8ec83bfde6f00/behavior/VenusEye%20Sandbox
https://www.virustotal.com/gui/file/8143a2c2666575152896609c1d8d918717a358d4611a57a0cce2559e3c5cabbf/behavior/VenusEye%20Sandbox

Document with macros

Taking a look at the embedded content preview for the sample 8143a2c2666575152896609c1d8d918717a358d4611a57a0cce2559e3c5cabbf we see that the malware is attempting to trick users to enable macros.



The VenusEye sandbox automatically enables macros and allows us to see the execution details, including the HTTP requests, DNS resolutions and process tree.



Javascript files

Wide use of online email services that automatically block executable attachments has led to attackers using alternative file formats for their spam campaigns. As depicted above, documents with macros are one example, Javascript files have also become quite popular. VenusEye represents a very interesting addition to the multi-sandbox project in that, unlike some of the other integrated sandboxes, it also analyses javascript files.



In this particular example, the simple fact that a javascript file that can execute in Windows (as opposed to being a website resource) performs DNS resolutions should be enough to consider the file highly suspicious. More so if we take into account the registry keys with which it interacts:



Rich relationships

The two examples above illustrate VenusEye acting as a microscope to understand what an individual threat does. However, thanks to the network traffic recordings, VenusEye also contributes macroscopic patterns that can be easily understood using VT Graph.

For example, when looking at the javascript file above we can make use of the file action menu in order to open it in VT Graph:



By default a one level depth inspection is performed, but we can always dig deeper. By expanding the files communicating with poly1374.mooo.com we get to discover a Windows executable that seems to be using such domain as its command-and-control:



In other words, VenusEye also helps in tracking entire campaigns thanks to the contributed file/domain/IP/URL relationships.

Advanced pivoting

As usual, all of this information is indexed in the elasticsearch database powering VT Enterprise, this makes it trivial to pivot to other variants of a given malware family or other tools built by a same attacker.

Let us now return to the document with macros above, VT Enterprise users can click on any of the behavior report contents in order to launch a VT Intelligence search for files exhibiting the same pattern when executed. Let us click on the first HTTP request entry:



This launches the search behaviour_network:"http://mediaprecies.online/cgi-bin/58lt9/", finding other samples that communicate with that very same URL. Now that we have identified other variants belonging to the same campaign or threat actor, it is trivial to automatically generate commonalities that we can use as IoCs to power-up our security defenses:



Thank you VenusEye for joining the multi-sandbox family that aggregates more than 10 dynamic analysis partners and counting. If your organization has some kind of dynamic analysis setup, don’t hesitate to contact us to get it integrated in VirusTotal, we will be more than happy to grant you free VT Enterprise quota in exchange.
Read More

Wednesday, July 17, 2019

, , , , , ,

VirusTotal MultiSandbox += SNDBOX

Today, VirusTotal is happy to welcome SNDBOX to the Multi-sandbox project. SNDBOX is a cloud based automated malware analysis platform. SNDBOX advanced dynamic analysis capabilities gives additional insights and visibility intro a variety of file-types.


In their own words:
  • SNDBOX malware research platform developed by researchers for researchers and provides static, dynamic and network analysis. 
  • SNDBOX is the first malware research solution to leverage multiple AI detection vectors and undetectable kernel driver analysis. 
  • SNDBOX kernel agent is located between the user mode and kernel mode. The agent has the ability to detect all malicious activities going from the running application to its execution in the operating system.
  • SNDBOX technology delivers in-depth results, quickly while providing AI and big data insights necessary for comprehensive malware research and false positive rate reduction.

Highlighting some examples

Detecting ZBOT variant, with high visibility to “Process Hollowing” and “Process Injection” techniques used by the malware.



On the SNDBOX site you can see malicious network domains, as well as enabling next stage file analysis of dropped files found in analysis.



For VirusTotal Enterprise users, you may click on the mutex, to search for other samples with this same mutex. 



This links to a search of behavior:"7EF531C0" which will lead you to other behaviour reports with the same mutex name.



Revealing malicious network domains, as well as enabling next stage file analysis of dropped files found in analysis.



 



On VirusTotal take note of the DNS resolutions, and dropped files.  Dropped files are defined as the interesting files that are written to disk by the sample under analysis. 



Pykspa variant, network activity detected with Suricata and dropped files being sent for second stage analysis & detection:






Within the “Registry Keys Set” section we find that the sample is set to RunOnce on next startup, possibly a method to achieve persistence. 


VT Enterprise customers can click on the registry value which uses the “behavior_registry” search modifier  to search for other files that also use the same registry value:  behavior_registry:"nrsyjl"  



Bancteian variant data stealer caught and detected by SNDBOX's signatures:



Within the SNDBOX report check out the detections:

Read More
Subscribe to: Posts (Atom)