Some Tips to Identify Malicious samples during the Analysis.



How to tell if a sample is malicious or clean?

It isn't always easy to understand this, and the first check, of course, is VirusTotal.

Malware scanning with VirusTotal is based on the signature databases of the various antivirus and antimalware vendors. By sending a file to VirusTotal for analysis, it is possible to check which scan engines flag it as harmful or potentially harmful.
But an approach based on security products that rely almost exclusively on virus signatures is now discouraged, although a simultaneous scan with multiple engines can often identify possible threats.

I have posted on VT a definitely malicious sample i

In this case there is no doubt, but it is clear that a high detection ratio most likely indicates a malicious file, while a low ratio (2/57, for example) may indicate a non-malicious file.

An efficient approach is scanning a file not with the virus signatures of antivirus engines, but with a scan engine that allows you to examine the behavior of any submitted file.

Malwr, Hybrid Analysis and other online analysis tools can analyze the behavior by highlighting the operations associated with dangerous and potentially damaging activity, and by extracting and processing the most relevant character strings contained in the scanned file.

It is very difficult for me to explain all the features and behaviors that are related to a malware sample but here I want to list some of the most common ones that you can find on these online services (names and terms may differ but the meaning is similar).

  • Attempts connections to suspicious countries. The file tries to connect to remote servers placed in foreign nations that are not members of the European or American sphere. This type of connection is sometimes considered suspicious.
  • Binds network ports. The file performs "port binding" by adding a new service on a specific IP address or network interface.
  • Contains anti-debugging code. The file uses anti-debugging and anti-disassembly. These techniques are used to make analysis of the file's behavior more difficult.
  • Contains Windows Firewall manipulation routines. The configuration of the Windows firewall is altered automatically.
  • Creates autorun registry key. Information is added to the registry for the automatic loading of the file or its components.
  • Creates hook to unknown module. The sample "hooks" itself at a low level into an unknown software module, which is therefore considered suspect.
  • Injects code into other processes. The file injects code within other processes, a feature common to the most dangerous malware.
  • Gathers system data and steals local browser data. It is in fact stealing data stored on your system or in the web browser (think password archives).
  • May be packed or encrypted. Attackers increasingly use stronger encryption to protect their malware and botnets.
  • Strings contain recently registered domain. A malware executable can contain visible strings of domain names.
  • Strings contain known file types searched by ransomware. Obvious in this case.
  • Manipulates Internet Explorer settings. Direct manipulation of the IE registry settings by malware.
  • Attempts connection to recently registered domain. If we collect information about domain names that are related to malicious code, some of the results include the domain names that the malware attempts to resolve.
  • Makes DNS lookup of recently registered domain. Monitoring a network's requests for domain lookups can reveal network problems and potential malware infections.
  • Automatically unpacks its own code. The identified packing code can be instrumented and transformed, then executed to perform the unpacking.

Even PDF files can hide shellcode and potentially harmful code written to exploit one or more security flaws in the document viewer.

These are the common features of a malicious sample, but there are many other behaviors that may be learned through experience, and it is not possible to explain everything in this thread. I hope this can help.
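As an added illustration (my own code, not from the original post or from VirusTotal, Malwr or Hybrid Analysis), the helper below applies several of the indicators listed above to a constructed sandbox report and combines them with the scanner ratio. The report's field names, the 30-day "recently registered" window and the 7.0 entropy threshold are assumptions.

```python
from datetime import date

# Constructed sandbox report for one sample; field names and values are assumptions,
# not the output format of any real service.
REPORT = {
    "analysis_date": date(2016, 9, 15),
    "detection": {"positives": 41, "total": 57},          # VirusTotal-style ratio
    "registry_writes": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"],
    "api_calls": ["IsDebuggerPresent", "WriteProcessMemory", "CreateRemoteThread"],
    "dns_lookups": [{"domain": "cdn-update-7731.example", "registered": date(2016, 9, 1)}],
    "sections": [{"name": ".text", "entropy": 7.6}],
}

AUTORUN_KEYS = ("\\currentversion\\run", "\\winlogon\\shell")   # matches Run and RunOnce
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}

def indicators(report, recent_days=30, packed_entropy=7.0):
    """Return the names of indicators from the list above that this report triggers."""
    hits = []
    keys = [k.lower() for k in report.get("registry_writes", [])]
    if any(marker in k for k in keys for marker in AUTORUN_KEYS):
        hits.append("Creates autorun registry key")
    calls = set(report.get("api_calls", []))
    if calls & INJECTION_APIS:
        hits.append("Injects code into other processes")
    if calls & ANTI_DEBUG_APIS:
        hits.append("Contains anti-debugging code")
    # A domain registered shortly before the analysis is a weak but useful signal.
    if any(0 <= (report["analysis_date"] - d["registered"]).days <= recent_days
           for d in report.get("dns_lookups", [])):
        hits.append("Makes DNS lookup of recently registered domain")
    # Near-maximal entropy in a code section suggests packing or encryption.
    if any(s["entropy"] >= packed_entropy for s in report.get("sections", [])):
        hits.append("May be packed or encrypted")
    return hits

def verdict(report):
    """Combine the scanner ratio with behaviour; a low ratio alone (2/57) is not proof of a clean file."""
    det = report["detection"]
    ratio = det["positives"] / det["total"]
    hits = indicators(report)
    if ratio >= 0.5 or len(hits) >= 3:
        return "likely malicious", round(ratio, 2), hits
    if ratio == 0 and not hits:
        return "likely clean", round(ratio, 2), hits
    return "needs manual review", round(ratio, 2), hits
```

Calling `verdict(REPORT)` on the constructed report returns "likely malicious" with all five behavioural hits; the same report with no hits and a 2/57 ratio lands in "needs manual review" rather than "likely clean".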
Sep 15, 2016
Windows 7
Thanks for the great writing. I will add that some files have functions which can set permissions on folder/registry access. During analysis of malware in a VM, I couldn't access some registry keys even though I was logged in as administrator.
Sep 27, 2016
Windows 7
Blackhats/hackers usually use evasive techniques like Nmap IP spoofing, dynamic DNS and domain redirection, proxy tables, no-log VPNs, etc. to hide the data transmissions.
It's very useful for me to understand why we can't see the data transmitted even though we always mention APT incidents.