What are
/r/Malware's
favorite Products & Services?
From 3.5 billion Reddit comments
The most popular Products mentioned in /r/Malware:
The most popular Services mentioned in /r/Malware:
Malwr
Hybrid-Analysis.com
RKill
Any.Run
How-To Geek
Shodan
Have I been pwned?
Joe Sandbox
AV-Comparatives.org
VirusTotal
Academic Torrents
Darik's Boot and Nuke
AV-TEST
Amazon Web Services
AdwCleaner
The most popular Android Apps mentioned in /r/Malware:
tPacketCapture
Sophos Mobile Security
Colorfy: Coloring Book for Adults - Free
The most popular reviews in /r/Malware:
Put up an article on Locky here. This thing also encrypted unmapped network shares.
I am pretty sure Fabian of Emsisoft is taking a look and seeing it can be cracked.
As I was writing it, I kept thinking about how this could be a ransomware my kids named.
This is an old scam. They know your password because it was in one of the leaked databases and they looked it up and sent you, and thousands of others, this email. Checkout https://haveibeenpwned.com and search for your email address. Make sure you change the passwords on every site that comes up.
That link requires some registration and karma bullshit.
I haven't tested this myself but here is a quick link I found after using google and the torrent name: http://academictorrents.com/details/34ebe49a48aa532deb9c0dd08a08a017aa04d810/tech&dllist=1
Also this torrent is about 5 years old...
Oh, CryptoWall, yeah. Most likely from my current knowledge someone opened an email extension that contained this.
Read this http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information
Edit: Also to be completely honest, if you've gotten this twice, somebody needs to train your entire staff what phishing email looks like. The old saying fool me once...
Hey I found this too! at work about a year ago we had a file called IMG001.exe spread throughout our network (mainly from unprotected systems that we were not aware of...). It was harmless, it was the same exact bitcoin miner, but it was attempting to send stuff to pools that were not running anymore!
It's hilarious. THe miner itself is found on github, it's an open sourced mining program. You should be able to get the real name of the program found on github, and the version # by running a strings tool or searching for the MD5 hashes online.
The tool used to build it was some dinky little free installer program, that you could build using graphical representations!
It propagates via shared folders and such. Symantec Endpoint Protection will remove it, as will most other programs.
What exactly are you looking for? I'll dig up my analysis of it!
Here is SYmantec's take on it:
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2016-101713-2556-99
EDIT: Found the installer -- cannot find my own writeup...
http://nsis.sourceforge.net/Main_Page
Still will look for my writeup.
Malware will often arrive as a weaponised Word or PDF document, as opposed to an executable binary such as an EXE file.
It's often worth reviewing your SPAM folder or creating a dedicated email address with which to sign up for lots of junk. You'll soon get a load of samples coming in.
I'd also recommend checking out the likes of Malwr to download and review samples.
And as a extra precaution, analyse samples in a virtual machine to Prevent accidental infection of your own machine. I'd personally suggest REMnux which is a Linux district specially designed for malware analysis.
Good luck!
The problem is google always puts CNET links at the top of search results for software downloads even if CNET doesn't have that particular program listed! They will do anything to trick you and get millions of downloads a day. This means that the money rushing in from bloatware companies and won't change.
This is also relavent: http://www.howtogeek.com/198622/heres-what-happens-when-you-install-the-top-10-download.com-apps/
There are two good methods that I know to be most reliable:
1) you create an application that injects into newly, unknown spawned processes inside vm, intercepts all api calls and modifies api responses to avoid detecting driver names, vm processes or vm files
2) modify the source code of virtualbox(or other virtual environment) and create your own custom build with modified driver names, virtual device names, addresses, etc. - none that resembles the original build.
> But Virustotal doesn't check for RATs and other malware that relies on vulnerabilities in software like PDF readers.
Virustotal doesn't "check" for anything, it's an array of AV solutions that scan a file and returns a list of results. Nothing more. AV scanners are perfectly capable of determining if there are exploits, or exploit-like objects, within a file.
With that being said, just use a Sandbox that can handle apks, such as https://www.joesandbox.com/#android
Edit 0: formatting
Edit 1: I have now downloaded the file - I'd assumed you meant an apk as you said "it was designed to run on Android", but it's a plain PDF - no scripts, attachments, no obvious shellcode or anything similar. In fact, beside plaintext, the only things of note are 3 different fonts and 1 image.
I work in Malware Data Science. It's really cool.
I believe that Data Science is the future of most Cybersecurity disciplines.
If you want a good beginner introduction I can recommend you this book:
Malware Data Science: Attack Detection and Attribution: Saxe, Joshua, Sanders, Hillary: 9781593278595: Amazon.com: Books
That page returns a 404.
This is the original to the best of my knowledge: http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/
FYI, this info has been out for almost two weeks now.
Nmap doesn't have a '--rate' option so it can't be it.
It looks like it's a windows build of masscan: https://github.com/robertdavidgraham/masscan/blob/master/README.md
It's basically a very fast asynchronous port scanner that is used to scan large parts of the internet in a short time. It's scanning the hosts in list.txt in the specified ports.
MD5 9bdd2e72708584c9fd6761252c9b0fb8. https://malwr.com/analysis/ZDZlNTcyMzg3ZDEwNDgyMmE5Y2QwZWNmZDIwNjJjZjI/#
same internal name as the screenshot in the blog: http://breakingmalware.com/wp-content/uploads/2015/10/suspended-thread.png Same anti-debug tricks same argument for CreateProcessInternalW Same EntryPoint Same filename Same unpacking routine Same Icon Same UAC bypass It's Moker for sure
If you don't have a viable backup, you can try to recover your files using TeslaDecoder.
$ python /shared/investigations/oledump/oledump.py -a -v -s A3 059-12r21-8g.srk5hg.dot > 059-12r21-8g.srk5hg.dot.3 $ file 059-12r21-8g.srk5hg.dot.3 059-12r21-8g.srk5hg.dot.3: ASCII text, with CRLF line terminators $ md5sum 059-12r21-8g.srk5hg.dot.3 bdb50e3219a2b3d31b00f5105516f005 059-12r21-8g.srk5hg.dot.3
I can't get this code to unwrap itself even trying to run it by itself or in another doc.
tried a few different sandboxes as well (here's a few public attempts for record purposes): https://malwr.com/submission/status/YTk4YzMxYjA0OTk3NGFhMDg2MmU4MTRkMDdhMDQ4ZWI/ https://malwr.com/submission/status/NTIyYmYyMzZmNGMxNDUzMmExMWFkYjhmYjNmOWE2YWQ/
As far as obfuscating this manually, honestly my lack of care is great. But I'll play with it as time allows. I'm sure there's a tool somewhere that plays off of the entire possible range of methods used by macros to pull this without running it though to see what it tried to do. But what's the fun in using someone else's tools anyways?
Here are some general places where you can get free classes. The classes vary in quality but are free and you can pick one that applies most closely to getting you to your goal: https://www.cybrary.it/ https://www.coursera.org/
There is also other algorithms being used like in CTB-Locker with Elliptic Curves Crypto (ECC): https://blogs.sophos.com/2015/12/31/the-current-state-of-ransomware-ctb-locker/
Others play with ZIP or RAR formats (quite dumb, still efficient): http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
But yes, I think that for ransomware coders, the easiest and most documented method is to use the RSA-AES combo.
I wanted to stick with the original source (a forum post on Bleeping Computer), so this post links to that.
More analysis on the CW 4.0 is available here: Bleeping Computer - CryptoWall 4.0 Analysis
Edit: Fixed a typo
Check this also,
http://www.howtogeek.com/119028/how-to-make-your-pc-wake-from-sleep-automatically/
If they had access to the computer, a backdoor, then they could remap the Shutdown button to sleep and then use something like that to turn on the computer to be able to connect.
OS X also has the ability to schedule a startup time, http://support.apple.com/kb/ht3902
Yeah the email is bullshit. My main duty at my job is email security and web filtering, and I've seen days where there are hundreds of these emails. Most days it's just dozens.
Go to https://haveibeenpwned.com/ and put in your email address, I'll bet my paycheck you're pwned. That doesn't mean they have your password or that they can login to your account, but it does mean they have your email and might have a password (your current or old password, depending). If you're pwned change your password.
Whether you're pwned or not you should activate Multifactor Authentication (2FA or MFA) on all the services you can, and get some sort of password storing app (1Password, LastPass, etc...). Use garbage passwords which you store in the app. The password "padJSPOIH4584wef898##@FocsNf" is functionally impossible to guess, even for a computer, and you'd just store it in your app so you don't need to remember it either.
I have a feeling that the terms and conditions of EC2 disallow this kind of use - actively collecting and running malware. I'll see if I kind find the clause.
EDIT: It appears to be against their Acceptable Use Policy to use or store Harmful content such as viruses, trojans, etc.
ESET has released an amazing tool to easily remove Poweliks that can be found here. I keep seeing Poweliks accompanied by Cryptowall so TREAD CAREFULLY if you see Poweliks on a customer's machine. Cryptowall doesn't always activate until after Poweliks has been removed. Make sure you get a copy of their data and make sure this infection is truly cured.
> But that would require a sandbox system that could be fine-tuned according to every program running within it and give very specific and individual permissions to each program. I don't know if such a thing exists. Only that personal firewalls do some part of this.
It does exist (at least on Linux) and it's Qubes-OS
Here is a decision based on actual unbiased data: https://www.av-test.org/en/antivirus/home-windows/
Along with detailed reports like: https://www.av-comparatives.org/wp-content/uploads/2021/06/avc_prot_2021a.pdf
Here is the underlying AutoIt script (obfuscated): https://paste.ee/p/Fz2gi (binary taken from https://malwr.com/analysis/NGU1ZDE4MzNjNmQ2NDQ1MDk4YWY5ZWIxOWYwYmFlZDg/ with MD5 of 6fd78aafa581afa74c8f2fb459a6e349). You can clearly see calls to CallWindowProc, which is often used for calling native code (through its first parameter).
Various anti-virus and anti-malware companies allow you to to submit suspicious files. You can find some places where you an submit via this search: https://www.google.com/search?q=submit+malware
You can't expect them to tell you how to fix your computer though. A submission will probably just cause their products to detect that malware in the future. They may also respond to you to tell you whether the file is malicious. It's best to do a full re-install using known-good sources.
A global hook isn't always bad. Various programs do legitimate things with it. However, if you have a program you can't identify doing global hooks, that is very suspicious.
First try scanning suspicious files via http://www.virustotal.com/. It automatically scans them using many different scanners. Even totally legitimate files can have false positives on a few though.
OP is a good guy and ~~shitposts incessantly~~ answers a lot of questions on Twitter. I have every confidence the book is well worth the $35 price of admission. This is the direct link to the Amazon page as well, non-affiliate.
Just received this one myself. They had my actual password from years ago - that password has been leaked through more than one data breach according to haveibeenpwned.com. Safe to say it's a scam. An unusually effective one, though. Remember: If you have to ask, it's spam.
CryptoMonitor is a fairly new utility that can help prevent pretty much any ransomware. Tested it against TeslaCrypt, Cryptowall, torrentlocker, etc and does a great job.
More info here:
From the ComboFix Guide on BleepingComputer:
> You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.
I would stick with MalwareBytes and make a support topic at BleepingComputer.com if you still have issues. Be careful taking advice from Reddit when dealing with tech support. There are tons of people on here that do not give the best advice, though they are genuinely attempting to help. Stick with experts who are proven to know what they are doing and direct your support questions to the proper forum.
This is the variant that I keep seeing on customer's machines. ESET has released an amazing tool to easily remove Poweliks that can be found here. I keep seeing Poweliks accompanied by Cryptowall so TREAD CAREFULLY if you see Poweliks on a customer's machine. Cryptowall doesn't always activate until after Poweliks has been removed. Make sure you get a copy of their data and make sure this infection is truly cured.
The best way to do PCAP IMO is to actually install Wireshark on the HOST machine and tap it into the virtual interface being used between Inetsim and the victim machine. This keeps Wireshark off the victim machine and hides it from the malware. Any tool you can run outside of the victim machine is a good thing but there are some tools you have no choice with.
Probably the two most used tools I use for dynamic analysis are Process Monitor and RegShot. Process monitor will give you a MASSIVE output of what the malware (or anything running at the time) is doing. You will need to do a lot of filtering but it is extremely useful for seeing what files are modified/created. RegShot compares 2 snapshots of your registry, one from before malware execution and one after. This shows you what the malware might have done to the registry and how it survives reboot if it does.
Those 3 things cover the bases of malware: Network, Files, and Registry while keeping a low profile on the victim machine. I see much more malware check for AV and Wireshark than I do ProcMon and RegShot so it won't interfere much with the malware. Once you get into static analysis, your toolbox will get much bigger.
If you mouse over the "i" icon next to "Compressed Parents", it says "Bundled files that contain the file being studied".
So I'd say the compressed parent is an archive of some sort which is considered malicious by VT, but the individual file you've linked may not itself be considered malicious even though it was included in the archive.
EDIT: Looking a bit more closely, it looks like the file you've linked came from here originally. So I'm guessing that the compressed parent archive had something to do with cracked or pirated software or somehow contained something that was infected, and this NFO viewer was included in the archive to show off the l33t skillz of whatever group released it.
"What makes this case especially interesting is the fact that the attack was enabled by a vulnerability in one of the world’s largest and most popular sites - one of the domains on Alexa’s “Top 50” list. "
Meh people always have opinions on AV, its a complex issue. I believe there was some industry testing done on mobile AV's.
https://www.av-test.org/en/antivirus/mobile-devices/
https://www.av-comparatives.org/consumer/test-results/android-mobile/
Looking at the ratings, you may want to consider bitdefender over Avira.
>By Sandbox you mean it could live run the malware and show its behaviour?
Exactly :)
>Do you remember the URL/Domain i really would like to see what it was on Web Cache :)
By "programs" do you mean tools or malwares? If you can list examples, that would be helpful too. If malware, you can try searching for them at https://malwr.com (you'll need to create an account to be able to download iirc)
Thanks for the suggestion! I actually submitted the file to Malwr.com and it executed the file. The results are here (https://malwr.com/analysis/NTdiYmQyMDMyZmQ0NDdiMThhYTNkNTZjNWYxMzFmZDM/), and from the looks of it it installs itself as a startup item, and makes outbound HTTP calls. Now, I understand most of what I'm looking at in the cuckoo analysis but I'm uncertain about what vulnerability this took advantage of, and how did cuckoo know how to invoke the file?
DOCX with VB script, but couldn't get it to detonate on my Office 2010.
Here's the first shot at a static analysis of the script, with some formatting. http://pasted.co/20df4688
A lot of junk code. Few things of note is building data based on huge byte assignments, one at a time:
Dcn6Lz54Lgc(7668) = 81 Dcn6Lz54Lgc(7669) = 123 Dcn6Lz54Lgc(7670) = 40
That's the biggest, 7670 bytes. I see a function (IPKn9eJOg8xQw) that looks like RC4 encryption. If so, the key value is strongly obfuscated as well.
Ugly stuff. My sandbox isn't running the right Office to make it work though, so nothing usable from me :)
Edits: Same-ish as: https://malwr.com/analysis/NjU0MjUxODAyMDQyNDM4ZTk3M2JjYTcxNWMyOTAxZTQ/
Uploaded it to malwr.com and the analysis finished before I could figure out how Process Monitor works (I'm new to this kind of stuff :P).
Results of the analysis are here.
I looked into the Application Data folder and found this. nbvcgjhk.exe and xoidmjqw.exe were both created the same time I ran the initial executable. The other executable was created the 2nd time I ran it, later. nbvcqjhk.exe and wqlxlmr.exe are both the exact same size (80KB) and xoidmjqw.exe is the exact same size as the initial executable (172KB). The analysis from malwr.com says it only drops vucirhah.exe, but that file is nowhere in site.
Want to run the exes it dropped, but I'd like to know how to properly track what they're doing with Process Monitor first.
Thanks for your help so far
You can find the analysis here: https://malwr.com/analysis/NTRlMzExNmQyYjk3NGIwMjlkNmQ1NjdjYmJlZjZlMDc/
I have also uploaded all the files mentioned here: https://www.dropbox.com/s/5zc4btfan8vnycq/hasbro.zip
You can search all loaded DLLs (ctrl+f) with Process Explorer. IIRC you can also use a filter in Filemon/Procmon. Compare it's filesize against the file mentioned here:
(https://www.herdprotect.com/linkgeneration.dll-254c3fdb26817e382dd51ecd4be527411f895860.aspx)
If you're more into productivity than the project of trying to clean it, then cut your losses. Saving an OS installation that displays persistent malware is a problem that's generally not worth your time to solve. Worse, you'll never be sure you got it all.
Wipe the drive with DBAN. If you're really paranoid then purchase a new drive and flash the PC's mainboard firmware from known good media, set a bios/efi password, and then reinstall the OS from known good media. Bring the OS to current with (assuming it's Windows) WSUS Offline Update before it ever sees a network.
Accomplish any downloads on a different network and write them to brand new media, preferably onto write-once optical media. Check the hashes on the downloads. If the malware is coming back it might be a home network device or storage media that is the vector of persistence. Update your router as well as soon as possible from your newly-reinstalled OS and make sure to change any default passwords to something new.
If it still persists after all that, then be sure to speak directly into your webcam and say "You won", then set fire to your house and move to Nebraska.
First to ID which specific ransomware it is:
https://id-ransomware.malwarehunterteam.com/
Then see if the source of the virus is still around. Then if so - upload it to https://www.hybrid-analysis.com/ which tells you EXACTLY where every file goes. Usually it starts in temp - drops another file in %appdata% and finally residing in C:\programdata.
What kind of analysis were you looking for? A detailed reversing by an individual or just curious as to what it does? www.hybrid-analysis.com has a really good sandbox for automated analysis. I dropped your file there: https://www.hybrid-analysis.com/sample/af04432264e472ac02577d8b9547d3d1d868029900fe3cae4954f6cbf95a2944?environmentId=1
I gotta admit, that is something I haven't seen before through any online free utility, and could potentially be pretty cool. I also like the fact that it uses Windows 7. I'm still wondering though why the callout domain (which was truncated in the network signature) said it was found in the strings, but wasn't listed in any of the "extracted strings"...
It handled a zbot sample I sent it pretty nicely I'd say, even if some of the info appeared to be a little off. Definitely enough information to start looking for IOC's on the network: https://www.hybrid-analysis.com/sample/54e38b846908e66bdf7c919ba19f5cd0ffc263b247c9b868ebaf8931af57a57a/
It would be nice if sample downloads were available through "public" reports, and even nicer if memory dumps were available.
Sorry for late reply, life sometimes gets in the way
Your DNS setting in going to be in your router web admin page. Also consider using opendns, https://www.opendns.com/home-internet-security/
Could be that anime site you mentioned in another comment. Clear your cache and don't go to that site for 24hours as a test. See if it happens. If it doesn't try contacting that sites admin... if they care
This sounds rather like an infection with Potentially Unwanted Software (PUP). Tools aimed at removing adware can usually deal better with this than anti malware tools. Run AdwCleaner and reset all of your browsers.
Sorry, I read that part and my brain must have stopped working just after. Anyways, here is a trick that might get you there (or any other site in case your browser is not working).
- Open the start menu and go to run (or press Windows + R on your keyboard)
- to get to VirusTotal, type the following command exactly:
> mshta http://www.virustotal.com
EDIT: There is no address bar in mshta for you to copy the link from. No worries.Go to the "File Detail" tab in VirusTotal and copy the MD5, then paste it here and I'll paste the link for you.
All that said, you should post support topics in another subreddit, this one is for malware related articles/information, not for removal help.
A honeypot/honeytoken doesn't have to be a specific service running on a box, it can be a VM, an account, an API key etc.
As for building, I recommend this book:
https://www.amazon.com/Virtual-Honeypots-Tracking-Intrusion-Detection/dp/0321336321
I build mine in VMWare workstation and cheap windows 10 licenses, but Virtualbox works just as well. One thing you got to do is to scrub out any references to Virtual machines, even though lots of infra is nowadays hosted in Virtual environments. Some attackers use various VM Detection techniques before they deploy.
If it is a bad developed ransomware there can happen a lot such as security researchers releasing a fix to decrypt your files, or like this special situation: http://www.zdnet.com/article/coinvault-ransomware-decryption-keys-released/
I would just wait and research what is happening and might be lucky. I don't have very important information or documents on my computers because I usually save it on my server(s).
Click on Behavior and then you'll see "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "system64" /tr "%USERPROFILE%\AppData\Roaming\Microsoft\system64.exe"
​
​
Remove scheduled task: https://winaero.com/how-to-delete-scheduled-task-in-windows-10/
​
It's still best to just reinstall Windows though :)
Hello!
I took a free course on Coursera.org that, among other things, served as an introduction to Android malware analysis. I enjoyed it and recommend checking it out:
"Just Pay the Ransom" is pretty much the worst advice ever. The people collecting your money don't give a shit about your data! The ransom-ware has now become so sloppy and widely executed that the chances of even getting your data back without corruption is slim.
For adware, adwcleaner or Junkware Removal Tool. If that doesn't work, try Malwarebytes as the other commenter said.
As with all "good" policy statements it's vague enough that many things could be interpreted either way :/ I'm not yet seeing anything in Amazon's ToS that prohibits using it for malware analysis: https://aws.amazon.com/service-terms/
A friend of mine is on MS's IR team so I'll maybe run the scenario by him as well.
Edit: the Amazon AUP does talk about malware tho: https://aws.amazon.com/aup/
This thread is better suited for /r/antivirus
**Please redirect questions related to malware removal to [/r/Antivirus](/r/antivirus) or /r/techsupport. Ransomware related questions can be directed to /r/ransomware**
That being said this is https://haveibeenpwned.com/ you will likely see your email has been leaked in the OnlinerSpambot dump. There have been a fair amount of extortion emails going around like this.
Thanks, dayz_ike, but no :) It's just not worth it, I wouldn't use the programming skill in my life. Instead, I decided to download this little soft: http://www.downloadcrew.com/article/34737-anti-keylogger_tester and test for my self. And, belive it or not, both SafePay and Comodo passed all tests. Not a single capture, not even using a GetAsyncKeyState()! So it's there a way to bypass this and capture the keystrokes?
> i think it's working
Yep good thing and if u r new to torrenting and stuff and don't know how to check executables for adware and malwares I would highly recommend to use Bitdefender or Malwarebytes with unchecky and this subreddit is contributed to analyze the activity and reverse engineering of modern ransomware and malwares
http://www.groovypost.com/howto/avoid-computer-bloatware-from-cnet-download-com-crapware/
No, it's not. Have you ever downloaded something from there recently?? It's full of crap. You should link the guy to a ninite installer if anything. https://ninite.com/super/
Hello,
It used to be that download sites existed to provide a centralized "all in one" repository for people to get open source, public domain (freeware) and evaluation (shareware) versions of software, and they were largely supported by running banner advertisements. With the crash of ad revenue from those, most of them have gone to "software wrapping" business models, e.g., taking the software you want, and placing a loader or shell in front of it that installs potentially unwanted applications, adware and other garbage they can get paid to install.
A partial solution to this is go to directly to the author's site, instead of download sites like CBS Interactive's CNet Download.Com, etc. I say partial, because a few software authors monetize directly by bundling PUAs, adware or other "third-party offers" that no wants directly into their installers. Examples of these include Adobe Flash and Sun Java, both of which reportedly make between $20-30M a year (each) from bundling crapware with their frameworks.
Anyways, if you CDex, here's the author's web site:
Author's site: http://cdex.mu/
Author's download page: http://cdex.mu/download
I don't think they bundle anything with their direct downloads, but please check yourself to make sure.
Regards,
Aryeh Goretsky
P.S. The r/Malware subreddit is for technical discussions of malware, not really for end-user reports like yours. Consider using a subdreddit like r/24HourSupport or r/BadApps to report things like this in the future.
Oh fuck, i hate name collisions.
http://munin-monitoring.org/ is very well established and is still one of the easiest ways to get very detailed monitoring of your network & hosts in just a few minutes to set up, with dead simple flow for making your own plugins.
https://metadefender.opswat.com
Another few in case you have any issues with my previous recommendation.
Thamk you and hope they work out for you. Any hassles give me a shout. : )
Here is a generated report https://www.joesandbox.com/analysis/98217/0/html
I am looking at a site that is probably hacked and this script clears the console after it runs.
There are several organizations that test AV programs. The one I prefer is AV Comparatives (https://www.av-comparatives.org/). They have a number of different tests but here's a link to their latest "Real World" test (you can use the dropdown to chose other tests): https://www.av-comparatives.org/comparison/
While the "Best" changes with each test Bitdefender and Kaspersky are always at the top. I use the paid version of Bitdefender. The free version uses the same AV engine, it just lacks all the extras.
In this particular test Avast did fine, Malwarebytes not so fine. It had a lower detection rate and several false positives.
Malwarebytes is usually used as a "second opinion", just run on demand. It is good at finding things that are already in the system, not as good keeping things out in the first place.
As someone else already mentioned Windows Defender is fine for most people. It wasn't always that way but Microsoft has improved it quite a lot over the years, as you can see in this test.
Did you upload this to https://malwr.com and can you post the results? Upload all the files separately, including the .js and the two .exe files you collected and post the three resulting links.
Also, watch this Webinar - https://zeltser.com/malware-analysis-webcast/
It makes the same callouts as this: https://malwr.com/analysis/NjY3NjRjYTdhZGYxNDk5YWEyMWRkMjM5YjJmMzFmODQ/
Both domains helloguysqq[.]su and sowhatsupwithitff[.]com don't currently resolve, but this looks like a lot of ransomware stuff that's been going around over the past week or so.
https://malwr.com/analysis/MTZkZDVkN2Q2MzAxNGNkN2E5YzhmZTI0ZWJjMGNkYTQ/
That's a fairly recent one but is typical of what I've been seeing over the last month of two. Each document uses macros which are obfuscated to perform a GET on the actual malware (crypto and dridex have been the popular ones). It's rare that I've seen repeats, structure or the macro/infection remains the same but the actual email/document/obfuscation changes from day to day.
Weird, I don't think it had anything to do with that (I got to the site by googling "flood live in Australia stylophone" in an effort to confirm that that was an instrument used on the album). I'll try uploading to malwr right now, thanks for the link.
ed: here you go: https://malwr.com/analysis/MjcxNDI1ZTkyNzIzNGIxYWE0NjM0ZDM4NGJmNzlkOTQ/
different filename because I'd already deleted the other and needed to redownload from my email. Any idea what's going on there? It's hard for me to see anything on my phone, unfortunately.
Finally got it onto virustotal by redownloading from my email (original file kept coming up as 0b, I think I deleted it in one place and Android didn't notice?) : https://www.virustotal.com/en/file/cccb9fecf7fdb8777471f1a615c8c37151938f812fdd97b811013001013149cc/analysis/1440692556/
Am I understanding correctly that it's a. swf? If so, I'm guessing it wouldn't have executed in mobile chrome or just by being downloaded and opened in notepad++ on Windows, correct?
ed: here's the malwr link as well: https://malwr.com/analysis/MjcxNDI1ZTkyNzIzNGIxYWE0NjM0ZDM4NGJmNzlkOTQ/
OP I like the idea, at least I haven't seen it before! Please do as /u/AnthongRedbeard says and run it through https://malwr.com/submission/ I am curious of the results.
Edit: As for building a RAT the answer is yes it is fully possible.
I too am working through PMA, but there's nothing like doing it for real, with real malware.
Someone else posted about https://malwr.com/ - get samples from there, and go through your own junk email folder: setup a gmail account and subscribe to anything and everything you can find... it'll get out there eventually. - I get a lot of good samples from my old mt.gox address.
I usually see CryptoWall distributed side by side with Poweliks (today also included ursnif and simda) through Magnitude EK. Just about 30 minutes ago I got: fae906bdca873acd53fc24024d0d07b5 -cryptowall cc5d5fc96d536a6e50baa28dd229475f -poweliks
If anyone needs a recent poweliks installer, it can be downloaded here: https://malwr.com/analysis/MTM2OTAxMmQyYWExNGM2OTkxMmExMTNkOWQ0N2U3MTE/
I have the JAR and DOC files.
Here's the Malwr.com link: https://malwr.com/analysis/M2I0ZjBmYWFkOTg3NDU4N2ExMjgzODg1NjIxNDkzNTQ/
And here is the VirusTotal link: https://www.virustotal.com/en/file/67b0812cd6ae5083def578d38714bc5209f13674470c3124b545620d86bc0c99/analysis/
If the hash is the same, then the file is the same. That's how hashes work. What you're likely experiencing is the executable's anti-vm or anti-debugging capabilities.
Rename the .bin file as a .dll extension and run it from a physical host.
Read more here under "May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)" and see the file actually executing here.
I would definitely recommend making an account on this site so you can download this file and many other samples by using the filter feature they have available. But here is the link to the file where I got this sample from:
https://app.any.run/tasks/4078f683-181d-4ca4-ba0b-c233f47cfaf8/
You are correct. I ran it in any.run (link here) and it appears that the program doesn't change the computer except for a few temporary files. It's a dummy program. As for how my family member got it, I have no idea, and probably will never know (he's old, won't remember). If he payed money, I'm sure he would have said something to me since I'm the "tech guy". Probably downloaded it by mistake, somehow got onto his desktop.
I personally wouldn't recommend it being on prem just to cut out any possible interaction with the production network. You could potentially look into a free/paid service such as app.any.run to submit samples and interact with them in real time (I believe paid keeps your submissions 'hidden'). Otherwise I would go the route of a completely separate network for malware analysis.
The link results in a 404 page not found error, hence my remark
EDIT: if you remove the backslashes it works, so this is this correct link.
Hey, total noob here. I can't contribute much but I have some thoughts.
I've heard of programs that can survive a wipe by hiding themselves in your hard drive firmware (or something to that effect) or even hide in your bios or networking equipment, which would explain why a scan wouldn't pick anything up. What kind of hardware and networking setup did the people with similar issues have? Is there a common thread? It could also maybe be some sort of exploit regarding your drivers (you'd install the same ones after a wipe right?), but I would assume a scan would pick something like that up.
If it's the hardware thing, you could try swapping in new hardware one piece at a time, ruling out where it lives one piece at a time. Just be careful re-using hardware you've used on this infected system, until you know the nature of the exploit it's probably best to assume it can infect other pieces of hardware (maybe that's overkill idk, anyways).
Before that though, I would consider nuking the drive with something like Darik's boot and Nuke if you're going to reformat, just to rule out a traditional virus.
I hope you find some of this useful. This sounds neat so I'll be lurking around waiting for somebody smarter than me to have an idea of what's going on.
Yes, you were, I can see the VT logs. Here's something interesting: The compilation date is 2017-08-05 however there are transactions to that same wallet from 2017-04-26.
So this is an older version of the same malware or the programmer mined using his machine for testing.
So I searched were this hash was used before and https://www.virustotal.com/gui/file/e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326/behavior
Compiled at 2017-08-01, it's probably the second version
And according to this report on 2017-10-19 https://www.hybrid-analysis.com/sample/e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326?environmentId=100
it had an AV Detection of 73%.
So I'd assume there are other versions of the same malware but got detected and they didn't bother to create a new wallet.
Does anyone know how to search for behavior on VT?
Did you find this in the wild? Was it running?
So it turned out that the whole thing is a variant of Gootkit. The actual sample is here: https://www.hybrid-analysis.com/sample/8f6def3065a5b17de521abd8d4a7b862fdb32a50b6d98fac50d2f99332dee428/5f918e6df55554303766a7a0
After diffing the VM image with a clean snapshot it definitely seems to be fine. I also found an analysis on hybrid-analysis which does not look too bad either.
Since I figured it doesn't really matter what software it is, here is a link, just in case you're interested: https://www.hybrid-analysis.com/sample/77656e2674c65f8d742d4ca3be5d82a7d0e7f422457e983e438a6e0d150df1f6/5e7b3f50d056063c5c783441
To investigate situations like this I use Hybrid Analysis. It generates a public report of what happens to a victim. If a threat is.detected then the attack site is automatically shared with open threat exchanges. This protects the community and gives you the answers you want.
Here is the report for your given IP: https://www.hybrid-analysis.com/sample/ecfc40797913b3e4d68a98cdb09d7833af36266c742d736b79038fb00f95cacf
Option 3 is the server checks the headers and Powershell makes requests in a specific way that wget/curl do not
Roughly the same shit lots of malware does. As others pointed out this is a fairly generic threat category.
But I'm nice, so I dug up a sample hash of Tiggre from a machine I investigated recently, so you can review the hybrid analysis report and get an idea.
Sha256: 049c24daa8a1c033085a1dc8caab3deb02af706c668dc787baf49112df6e82a2
This particular instance appears to have bern introduced on the machine I investigated via "steam_api.dll" which indicates some moron was trying to access copyrighted steam games without paying for them and installed malware in the process.
I got a sample, please contact me I am a Ransomware Researcher, A factory was infected past weekend by Sodinokibi "REvil" Ransomware
I have uploaded it to VirusTotal already and sandboxed it to Falcon:
Sandbox Analisys:
maybe. All the report only shows windows being affected. Doesn't hurt to look at what https://www.hybrid-analysis.com/ says. that way you can have at some assurance.
It's on Hybrid Analysis:
You'll need to sign up for an account and pass the vetting process, shouldn't be too difficult but I'm not sure how long it takes.
yep generate sha256 for that exe and https://www.hybrid-analysis.com/sample/[sha256oftheexe] and scroll to network analysis and if you see connecting to any ad network or irregular url its could be a spyware/adware/malware
It looks like it decodes and drops some vbs files which try to determine what if any firewall/antivirus is running. It probably tries to do other stuff after that but hybrid analysis didn't get much further than that.
What exactly is your boss asking you to do?
- https://www.hybrid-analysis.com/
- virustotal
Both should tell you all you need to know about a suspect file. Baring any anti-vm tech.
I would focus on securing your end points. White listing, Antivirus/malware, keep everything patched.
Thanks! Unfortunately I'd already tried that service and wasn't aware of this option, so have now hit this so can't resubmit:
>It is currently not possible to re-submit/overwrite an existing analysis on the public webservice at https://www.hybrid-analysis.com/, so be careful to provide the password without a typo.
Aside from tinkering in a VM, if you're looking at simply gaining insight on what suspected files are doing there are some free cloud based solutions out there too like https://malwr.com and https://www.hybrid-analysis.com
I'm not great with VB either, but I found it analysed on this website, so you can see some of it's activity. It downloads some more files, watches internet history, and does who knows what else.
Edit: The variables you should look at are must_be_DEL and MyRunO.
Just thought I would follow-up here, because we've been doing a lot of work on the service and here's a quite excellent analysis of CTB-Locker by the way:
... but again, I don't want to compare, just trying to offer another alternative. I've received quite a lof of feedback over the past weeks, so thanks for that everyone.
https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
This is it but you could also patch the instructions with nops instead of jumping with a little understanding of asm. Its good to learn.
This book is a gold mine:
Learning Malware Analysis: Explore the concepts, tools, and techniques to analyze and investigate Windows malware https://www.amazon.com/dp/B073D49Q6W/ref=cm_sw_r_cp_api_6fWVBb5VJV91Z
Hope it helps.
Take a look at Gray Hat Hacking: https://www.amazon.com/Hacking-Ethical-Hackers-Handbook-Fourth/dp/0071832386/ref=sr_1_1?ie=UTF8&qid=1512291222&sr=8-1&keywords=Gray+hat+hacking
It has a chapter about Android Malware.
If I remember correctly Packt Publishing also has some books about Android Malware. Another good source is YouTube.
Hope that helps