Some tips to identify malicious samples during the analysis.

Discussion in 'Malware Analysis' started by LabZero, Mar 6, 2016.

  1. LabZero

    LabZero Guest

    How to tell if a sample is malicious or clean?

    It isn't always easy to understand this and the first check of course is VirusTotal.

    Malware scanning made with VirusTotal is based on signature database by the various producers of antivirus and antimalware. Sending a file to VirusTotal for analysis, it is possible to check which scan engines indicate it as being harmful or potentially harmful.
    But an approach based on the use of security products are based almost exclusively on the use of virus signatures is now discouraged although a simultaneous scan with multiple engines can often identify possible threats.

    I have posted on VT a definitely malicious sample ihttps://www.virustotal.com/en/file/6d845f8acf5eacd8cbe23b88a425c88b43400cfd9ca89767bc3972998b8393db/analysis/1457195451/

    In this case no doubt but It is clear that a high detection ratio most likely indicates a malicious file while a low ratio (2/57 for example) may indicate a not-malicious file.

    An efficient implementation is scannig a file, not using viral signatures of antivirus engines, but using a scan engine that allows you to examine the behavior of any submitted file.

    Malwr, Hybrid Analysis and other online analysis tools can analyze the behavior by highlighting the operations associated with the activity of dangerous and potentially damaging elements by extracting the most relevant character strings contained in the scanned file and process it.

    It is very difficult for me to explain all the features and behaviors that are related to a malware sample but here I want to list some of the most common ones that you can find on these online services (names and terms may differ but the meaning is similar).


    • Attempts connections to suspicious countries. The file tries to connect to remote servers placed in foreign Nations that are not members of the European or American sphere. This type of connection are sometimes considered suspicious.
    • Binds network ports. The file makes the "port binding" by adding a new service to a specific IP address or a network interface.
    • Contains anti-debugging code. The file uses anti-debugging and anti-disassembly. They used techniques to make more difficult the analysis of the behavior of the file.
    • Contains Windows Firewall manipulation routines. It is automatically altered the configuration of Windows firewall.
    • Creates autorun registry key. It's expected inclusion in the registry information for the automatic loading of the file or its components.
    • Creates hook to unknown module. The sample "hook" Itself at low level with a software module unknown and therefore considered as suspect
    • Injects code into other processes. The file injects code within other processes, common feature to most dangerous malware.
    • Gathers system data and steals local browser data. It is in fact request stolen data stored on your system or web browser anyway (think password archives).
    • May be packed or encrypted. Attackers increasingly use stronger encryption to protect their malware and botnets.
    • Strings contain recently registered domain. A malware executable can contains visible strings of domain names.
    • Strings contain known file types searched by ransomware. Obvious in this case.
    • Manipulates Internet Explorer settings. Direct manipulation of the IE registry settings by malware
    • Attempts connection to recently registered domain. If we collect information about domain names that are related to malicious code, some of the results include the domain names that the malware attempts to resolve.
    • Makes DNS lookup of recently registered domain. Monitoring network's requests for domain lookups can reveal network problems and potential malware infections
    • Automatically unpack its own code. The identified packing code can be instrumented and transformed, then executed to perform the unpacking.


    Even PDF files can hide shellcode and potentially harmful code written to exploit one or more security flaws in the document viewer.

    These are the common features of a malicious sample but there are many other behaviors that may be known by the experience and it is not possible to explain everything in this thread but I hope this can help.
     
  2. Online_Sword

    Online_Sword New Member
    Trusted

    Mar 23, 2015
    575
    1,807
    Why should the malware writer register a domain name for his control server? Why not use the IP address directly?
     
    Alkajak, safe1st, Rishi and 4 others like this.
  3. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,823
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    I thought this is why we run an AV software. ;)
     
    ispx, JM Security, safe1st and 6 others like this.
  4. LabZero

    LabZero Guest

    This is about a variety of domain techniques to make command-and-control servers harder to locate (Botnet).
     
    JM Security, safe1st, Rishi and 5 others like this.
  5. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,823
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
    Sorry it is hard to be serious sometimes. ;)
     
    ispx, JM Security, DardiM and 7 others like this.
  6. CySecy825

    CySecy825 Guest

    This helps me a lot

    Thanks
     
  7. Rishi

    Rishi Level 19
    Trusted

    Dec 3, 2015
    910
    8,149
    India
    Windows 10
    Webroot
    Blackhat/hackers usually use evasive techniques like NMAP IP spoofing, Dynamic dns and domain redirection, proxy tables, no-log vpn etc. to hide the data transmissions.
     
    JM Security, safe1st, LabZero and 5 others like this.
  8. frogboy

    frogboy Level 61
    Trusted

    Jun 9, 2013
    6,228
    64,823
    Heavy Duty Mechanic.
    Western Australia
    Windows 10
    Emsisoft
     
    JM Security, safe1st, LabZero and 4 others like this.
  9. Raheel99

    Raheel99 Level 1

    Sep 15, 2016
    31
    329
    Accountant
    Karachi
    Windows 7
    Avast
    Thanks for great writing. I will add that some file has functions, which can set permission on folder/registry access. During analysising malware in VM, I can't access some registry keys though I was login as administrator.
     
    LabZero likes this.
  10. puww1010

    puww1010 New Member

    Sep 27, 2016
    2
    0
    shanghai
    Windows 7
    McAfee
    its very useful for me to understand why we can't see data transmitted even though we always mentioned APT incident.
     
  11. 2010barba

    2010barba Level 1

    Apr 7, 2014
    33
    150
    Windows 7
    Qihoo 360
    Many thanks for all the information, To do more exhaustive analysis hehe
     
Loading...
Similar Threads Forum Date
thank you malwaretips community New Member Introductions Jan 5, 2018
dvnkt: Hello MalwareTips New Member Introductions Nov 24, 2017
Malware Analysis Dynamic Forking identification [TIPS ONLY] Malware Analysis Nov 20, 2017