Malware Analysis Opinion about behavioral analysis

Discussion in 'Malware Analysis' started by lowdetection, Jul 9, 2017.

  1. lowdetection

    lowdetection Level 5

    Jul 1, 2017
    209
    639
    China
    Linux
    Isolation
    Online Malware Analysis Report:
    https://www.reverse.it/sample/f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3?environmentId=100
    https://www.reverse.it/sample/bf0a56305b6d97fd8970387d379f2f549ec852adbc4ca6c70d8ed19afe135605?environmentId=100
    Analysis mode: Static and Dynamic Analysis
    Containment: VxStream Sandbox v6.80 © Payload Security
    I would like an opinion from some expert in behavioral analysis about these two .exe files.
     
  2. Nightwalker

    Nightwalker Level 7

    May 26, 2014
    325
    1,287
    Lawyer
    Windows 10
    Emsisoft
    Seems clean and legitimate SUMo software to me.

    KC Softwares
     
  3. lowdetection

    lowdetection Level 5

    Why is the ThreatScore 100/100 if the software is OK?

    I would like to understand why these behaviors appear:

    Details: "f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
             "iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
    Source: Registry Access
    Relevance: 8/10

    Details: Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"

    And mainly this: I saw in other places that this is a trojan downloader:

    Filepath: %TEMP%\is-9IN4T.tmp\itdownload.dll
    Size: 201KiB (205312 bytes)
    Runtime Process: f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp (PID: 3344)
    MD5: d82a429efd885ca0f324dd92afb6b7b8
    SHA1: 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
    SHA256: b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
     
  4. Nightwalker

    Nightwalker Level 7

    1. SUMo (Software Update Monitor) by its nature has some behaviors that are similar to malware, like checking for installed applications, contacting different hosts (to check for newer app builds) and acting like a downloader.

    2. It isn't a trojan, but it is a downloader: it is a .dll component of Inno Setup that can download additional files or setups.

    Inno Setup (free installer for Windows programs)


    Those files are actually signed by valid certificates and aren't detected at all on VirusTotal, so my verdict is that those files are clean and legitimate.
     
  5. lowdetection

    lowdetection Level 5

    All this was done by a machine, and a machine has no preferences or taste; there is a Metadefender scan inside that mentions adware.
     
  6. Nightwalker

    Nightwalker Level 7

    SUMo has some versions that may contain optional "sponsors" (adware) like Relevant Knowledge, but that isn't the case here (Lite installer = does not contain any sponsor), so it is a false positive from "Filseclab".

    Metadefender Cloud

    Refer to this page about the different installers:
    KC Softwares


    Well I'm done here, good luck.
     
  7. Winter Soldier

    Winter Soldier Level 25

    Feb 13, 2017
    1,466
    10,341
    PLC programmer - Robotics industry
    Wormhole
    Windows 10
    Emsisoft
    As already said it is not malware.
    As usual an automated analysis has to be interpreted according to objective evaluations.
    Functions, imports, behavioral patterns can lead to a wrong assessment because they can easily be very similar to malware components even when a file is clean.
     
  8. lowdetection

    lowdetection Level 5

    ESET-NOD32 a variant of Win32/Kcsoft.A potentially unwanted
     
  9. lowdetection

    lowdetection Level 5

    So there are reasons, analyzed by a malware expert and not only by a machine, to have a negative verdict.
     
  10. lowdetection

    lowdetection Level 5

  11. Winter Soldier

    Winter Soldier Level 25

    VideoInspector from KC Software is free, but it will install various adware during the installation process if you accept the default settings (bundleware). So you have to check your setup options carefully and clear the boxes next to anything you don't want to install.
    In this case the software itself is clean, but it drops adware, which is the reason for the VT detections.
     
  12. Opcode

    Opcode Level 18
    Content Creator

    Aug 17, 2017
    890
    6,285
    Caille
    Windows 10
    This one is actually quite common in commercial software where the owners are trying to protect their product against reverse-engineering a bit more; it's a reverse-engineering countermeasure to prevent debugging of their processes. It isn't a very good anti-debugging method, because it can be bypassed by setting a breakpoint and then changing the value of the EAX register to 0, but it is better than nothing.

    IsDebuggerPresent function (Windows)
     
  13. Azure Phoenix

    Azure Phoenix Level 19

    Oct 23, 2014
    921
    2,464
    Puerto Rico
  14. tim one

    tim one Level 18
    Trusted AV Tester

    Jul 31, 2014
    885
    8,975
    Europe
    Windows 10
    Emsisoft
    Yes, to see if a process is under a debugger using IsDebuggerPresent is a common method.

    For example:

    Code:
    [Code]
    // Inno Setup Pascal Script: import the Win32 API straight from kernel32.dll.
    // IsDebuggerPresent returns BOOL (non-zero when a user-mode debugger is attached).
    function IsDebuggerPresent: BOOL;
      external 'IsDebuggerPresent@kernel32.dll stdcall';

    procedure CheckDebugger;
    begin
      if IsDebuggerPresent then
        MsgBox('ok', mbInformation, MB_OK)   // no ';' before 'else' in Pascal
      else
        MsgBox('no', mbInformation, MB_OK);
    end;
    This function does exactly the same thing, i.e. it checks the third byte of the PEB, only using a slightly different method:

    Code:
    64:A1 18000000    MOV EAX,DWORD PTR FS:[18]      // get the address of the TEB itself
    8B40 30           MOV EAX,DWORD PTR DS:[EAX+30]  // get the address of the PEB
    0FB640 02         MOVZX EAX,BYTE PTR DS:[EAX+2]  // get the third byte (BeingDebugged) and use it as the response
    If the byte is 1 then the answer will be positive; otherwise it is not.
     
  15. Opcode

    Opcode Level 18
    Content Creator

    This is why I said by changing the value within EAX to 0 it will be bypassed (or RAX for 64-bit). But cool!

    That ASM method will only work for a 32-bit process; on a 64-bit process you'll be using the RAX register as well (64-bit version of EAX: AX -> EAX -> RAX). RAX returns the result on a 64-bit process.

    - You can use the __readfsdword() (32-bit) and __readgsqword() (64-bit) to get the Thread Environment Block.
    - Retrieve the PEB address from the TEB.

    There's a function called NtCurrentTeb which will return the Thread Environment Block of the thread you executed the call from, also. Then you can ->ProcessEnvironmentBlock with the returned PTEB type variable.
     
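As an added example (not code from the thread or from KC Softwares), the following C program shows the two posts above in working form: what IsDebuggerPresent reads (the BeingDebugged byte at PEB+0x02), how the PEB is reached on x86 via FS:[0x18] -> TEB+0x30 and on x64 via the __readgsqword(0x60) intrinsic, and why clearing that byte (the in-process equivalent of zeroing EAX/RAX after the MOVZX) defeats the check. The live PEB fetch only compiles on Windows, so the flag logic is written against a PEB image; the `make_fake_peb` buffer is constructed here purely for demonstration and is not a real PEB.

```c
/* Added example: IsDebuggerPresent as a PEB byte read, and the bypass.
 *
 * Layout facts used (Windows, x86/x64):
 *   x86: FS:[0x18] = TEB self pointer, TEB+0x30 = PEB pointer
 *   x64: GS:[0x30] = TEB self pointer, TEB+0x60 = PEB pointer
 *   PEB+0x02 = BeingDebugged (one byte) on both architectures
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PEB_BEING_DEBUGGED_OFFSET 0x02   /* the "third byte" of the PEB */

/* Equivalent of IsDebuggerPresent() given a PEB base address. */
int peb_being_debugged(const uint8_t *peb)
{
    return peb[PEB_BEING_DEBUGGED_OFFSET] != 0;
}

/* The classic bypass: clear the flag so every later IsDebuggerPresent()
 * or inline PEB read returns 0. Under a debugger the same effect is had
 * by patching this byte or zeroing EAX/RAX right after the MOVZX. */
void peb_clear_being_debugged(uint8_t *peb)
{
    peb[PEB_BEING_DEBUGGED_OFFSET] = 0;
}

#if defined(_WIN32)
#include <windows.h>
#include <intrin.h>

/* Fetch the live PEB the same way the posted assembly does. */
uint8_t *current_peb(void)
{
#if defined(_M_X64) || defined(__x86_64__)
    return (uint8_t *)__readgsqword(0x60);            /* PEB pointer via GS */
#else
    uint8_t *teb = (uint8_t *)__readfsdword(0x18);    /* TEB self pointer  */
    uint8_t *peb;
    memcpy(&peb, teb + 0x30, sizeof peb);             /* TEB+0x30 -> PEB   */
    return peb;
#endif
}
#endif

/* Constructed PEB image (assumption: not a real PEB) so the flag logic
 * can be exercised on any OS. Only byte 2 is meaningful here. */
void make_fake_peb(uint8_t *buf, size_t len, int debugged)
{
    memset(buf, 0, len);
    buf[PEB_BEING_DEBUGGED_OFFSET] = debugged ? 1 : 0;
}

int main(void)
{
    uint8_t fake[16];
    make_fake_peb(fake, sizeof fake, 1);
    printf("fake PEB: BeingDebugged=%d\n", peb_being_debugged(fake));
    peb_clear_being_debugged(fake);
    printf("after patch: BeingDebugged=%d\n", peb_being_debugged(fake));
#if defined(_WIN32)
    uint8_t *peb = current_peb();
    printf("live: IsDebuggerPresent()=%d, PEB read=%d\n",
           (int)IsDebuggerPresent(), peb_being_debugged(peb));
#endif
    return 0;
}
```

On Windows, run it once normally and once under a debugger: the live line flips to 1/1 while attached, and calling `peb_clear_being_debugged(current_peb())` before the second read drops both IsDebuggerPresent() and the inline read back to 0, which is exactly why this check is considered weak on its own.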
  16. Kyle_Katarn

    Kyle_Katarn From KC Softwares
    Developer

    Sep 28, 2013
    273
    275
    Is there anything I could fix to make my EXE / installers OK for ESET?
     
  17. Opcode

    Opcode Level 18
    Content Creator

    Don't bundle the installation with other potentially unwanted software/adware, then let them know you changed your ethics and they should remove the detection. You can keep the bundleware but also keep the detection, or remove the bundleware and have the detection removed - you can't have it both ways.
     