Malware Analysis Opinion about behavioral analysis

lowdetection

Level 7
Thread author
Verified
Well-known
Jul 1, 2017
317
Why the ThreatScore is 100/100 if the software is ok?

I would like to understand why these behaviors:


details
"f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
"iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
source
Registry Access
relevance
8/10

details
Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"

And mainly this: I saw other places, this is a trojan downloader:

Filepath
%TEMP%\is-9IN4T.tmp\itdownload.dll
Size
201KiB (205312 bytes)
Runtime Process
f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp (PID: 3344)
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
 
Last edited:

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
Why the ThreatScore is 100/100 if the software is ok?

I would like to understand why these behaviors:


details
"f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
1- "iexplore.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
source
Registry Access
relevance
8/10


details
Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"

2- And mainly this: I saw other places, this is a trojan downloader:

Filepath
%TEMP%\is-9IN4T.tmp\itdownload.dll
Size
201KiB (205312 bytes)
Runtime Process
f3e3e324ec4a47b539b25345a6581e74ed0ba3858fe20c9f780dfb65b7b10af3.tmp (PID: 3344)
MD5
d82a429efd885ca0f324dd92afb6b7b8
SHA1
86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256
b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3

1-SUMo (Software Update Monitor) by its nature has some behaviors that are similar to malware, like check for installed applications, contact different hosts (to check for newer app builds) and act like a downloader.

2- It isnt a trojan, but it is a downloader, it is a .dll component of Inno Setup that can download additional files or setups.

Inno Setup (free installer for Windows programs)
Inno Setup


Those files actually are signed by valid certificates and arent detected at all in VirusTotal, so my verdict is that those files are clean and legitimate.
 

lowdetection

Level 7
Thread author
Verified
Well-known
Jul 1, 2017
317
All this was done by a machine, machine has no preferences or taste, there is a Metadefender scan inside saying about adware
 
  • Like
Reactions: Sunshine-boy

Nightwalker

Level 24
Verified
Honorary Member
Top Poster
Content Creator
Well-known
May 26, 2014
1,339
All this was done by a machine, machine has no preferences or taste, there is a Metadefender scan inside saying about adware

SUMo has some versions that may contain optional "sponsors" (adware) like Relevant Knowledge, but that isnt the case here (Lite installer = Does not contain any sponsor), so it is a false positive of "Filseclab".

Metadefender Cloud

Refer to this page about the different installers:
KC Softwares


Well I'm done here, good luck.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
As already said it is not malware.
As usual an automated analysis has to be interpreted according to objective evaluations.
Functions, imports, behavioral patterns can lead to a wrong assessment because they can easily be very similar to malware components even when a file is clean.
 

lowdetection

Level 7
Thread author
Verified
Well-known
Jul 1, 2017
317
So there are reasons analyzed by malware expert, and not only machine to have a negative verdict.
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
So if the developer is good, why other software of him score this:

Antivirus scan for cc8b720fd52121ddf53f28f953230fc8c2445f5a944ed8b35b762a781fe4a8f8 at 2017-07-11 02:00:40 UTC - VirusTotal

Give me good reasons to not believe is gray behavior, because I only see gray.
VideoInspector from KC Software is free but it will install various adware during the installation process if you accept the default settings (Bundleware). So you have to check your setup options carefully, and clear the boxes next to anything you don't want to install.
In this case, the software itself is clean, but it drops adware that's the reason of the VT detections.
 
D

Deleted member 65228

Detected alert "ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)" (SID: 2015744, Rev: 4, Severity: 3) categorized as "Misc activity"
This one is actually quite common in commercial software where the owners are trying to protect their product against reverse-engineering a bit more; its a reverse-engineering technique to prevent debugging on their processes. It isn't a very good anti-debugging method because it can be bypassed by setting a break-point and then changing the value of the EAX register to 0 but it is better than nothing.

IsDebuggerPresent function (Windows)
If the current process is not running in the context of a debugger, the return value is zero.
 

Azure

Level 28
Verified
Top Poster
Content Creator
Oct 23, 2014
1,712
  • Like
Reactions: lowdetection

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
This one is actually quite common in commercial software where the owners are trying to protect their product against reverse-engineering a bit more; its a reverse-engineering technique to prevent debugging on their processes. It isn't a very good anti-debugging method because it can be bypassed by setting a break-point and then changing the value of the EAX register to 0 but it is better than nothing.

IsDebuggerPresent function (Windows)
Yes, to see if a process is under a debugger using IsDebuggerPresent is a common method.

For example:

Code:
function IsDebuggerPresent:boolean; external 'kernel32.dll' ;

procedure CheckDebugger;
begin
if IsDebuggerPresent then
MessageBox('ok');
else
MessageBox('no');
end;

This function does exactly the same thing i.e. to check the third byte of the PEB, only that it uses a little different method:

Code:
64:A1 1800000 MOV EAX,DWORD PTR FS:[18] //get the address of the TEB itself
8B40 30 MOV EAX,DWORD PTR DS:[EAX+30]//get the address of PEB
0FB640 02 MOVZX EAX,BYTE PTR DS:[EAX+2]//Gets the third byte and uses it as a response

If the byte is 1 then the answer will be positive; otherwise it is not.
 
D

Deleted member 65228

If the byte is 1 then the answer will be positive; otherwise it is not.
This is why I said by changing the value within EAX to 0 it will be bypassed (or RAX for 64-bit). But cool!

That ASM method you will only work for a 32-bit process, on a 64-bit process you'll be using the RAX register as well (64-bit version of EAX - AX -> EAX -> RAX). RAX returns the result on a 64-bit process.

- You can use the __readfsdword() (32-bit) and __readgsqword() (64-bit) to get the Thread Environment Block.
- Retrieve the PEB address from the TEB.

There's a function called NtCurrentTeb which will return the Thread Environment Block of the thread you executed the call from, also. Then you can ->ProcessEnvironmentBlock with the returned PTEB type variable.
 
Last edited by a moderator:
D

Deleted member 65228

Is there anything i could fix to make my EXE / installers OK for ESET ?
Don't bundle the installation with other potentially unwanted software/adware, then let them know you changed your ethics and they should remove the detection. You can keep the bundleware but also keep the detection, or remove the bundleware and have the detection removed - you can't have it both ways.
 
D

Deleted member 65228

OK, all my installers seems detected as "green / safe".
Do you confirm ?

Thanks for you help !
If the newest builds are not flagged at VirusTotal or Metadefender, they may still be flagged by AV products because the engines on these cloud services aren't always accurate representations of the engines incorporated into the actual vendors products.

I would not worry about it, you may as well spend the time focusing on making as good software as you can. Take precautions to keep everything ethical and wanted over the opposite and you'll be fine.

As for behavioral analysis services which are web-based, they are bound to have inaccurate scoring. Most safe genuine binaries I upload for testing come back with a malicious score. For example, one sandbox service in-particular flags the same things across all Win32 binaries for things like anti-debugging just because Kernel32.dll/KernelBase.dll does internal checks for different things, or something along those lines - even though it had nothing to do with the authors code for the sample. Such is mainly only useful for analysts actually checking the logs.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top