~~IMPORTANT~~
~~The largest image file I was able to find posted to the subreddit was this.~~
~~https://i.imgur.com/bR8WhRT.jpg (316kb)~~
~~316kb is about the expected size of a piece of malware~~
~~I renamed it from jpg to exe and uploaded it to the malware analysis sandboxing website https://malwr.com~~
~~It found malicious code signatures in the file~~
~~https://malwr.com/analysis/YTAxZmZiMDNkOWUxNDgyMGJjYTk1MmI0ZWM5NDIwYzM/~~
~~Signatures~~ ~~Creates an Alternate Data Stream (ADS)~~ ~~file: C:\DosDevices\A:~~ ~~process: None~~ ~~signs: [{u'type': u'file', u'value': u'C:\DosDevices\A:'}]~~ ~~file: C:\DosDevices\B:~~ ~~process: None~~ ~~signs: [{u'type': u'file', u'value': u'C:\DosDevices\B:'}]~~ ~~file: C:\DosDevices\C:~~ ~~process: None~~ ~~signs: [{u'type': u'file', u'value': u'C:\DosDevices\C:'}]~~
~~Installs itself for autorun at Windows startup~~ ~~process: None~~ ~~signs: [{u'type': u'file', u'value': u'C:\WINDOWS\SYSTEM.INI'}]~~
~~The file also contains strings used in other pieces of malware.. data that doesn't belong in an image file.~~
~~It is safe to say we are dealing with malware here. I am guessing the smaller images are encrypted commands, and the larger images are executables that would be run on the infected machines (bots).~~
This was a false positive. It looks like malwr is having issues right now.
I still believe this subreddit is a CnC though :)
I got a message on Steam of a .scr file (which is really a virus, disguised as a screensaver). I saved it, and opened it in dotPeek (a C# decompiler) which allowed me to see the (pseudo)source code. The strings are intact, which allowed me to see this.
For a full analysis go here: https://malwr.com/analysis/MWU1NzE5MTgyN2RlNGYwNDllMDhjOTlkOGE5MzdjMTY/
Seems to be encrypted malware. It has been added to your startup via reg keys.
Also has dropped two files "scs2.tmp" and "scs1.tmp"
It's reading a lot of your files; actually it looped over all your drives (from A to Z (clearly not well coded)).
File edits and reg key edits: http://pastebin.com/k0kteQz0
Full analysis: https://malwr.com/analysis/MzQ1Y2NiNDcwMWYzNDI1NTk0NWMxMTcwMTBkNWNhNTQ/#
Official MD5 checksum: 5AA177F4358CD9DAC052CD6D5B4564B0
The file you downloaded: E53CB4472115CEC595CD5999DEF5726C
So not legit at all.
EDIT: Virus total scan: https://www.virustotal.com/en/file/16506c5503ca9eaa739e2c9c3d2e03d2d5a4bacc13f6b34c72736b3f69cbc676/analysis/1417630111/ (As I said before, it's encrypted so not detected.)
EDIT2: "C:\DosDevices\A:" is not a legit folder that should be there (As far as I know) you should check out the folder and see what's up.
This is a false positive.
Whenever you want check something like this, also check a known innocuous file. I exported a png from photoshop consisting of a single magenta fill. Using malwr, I scanned it and got the same two signature matches: https://malwr.com/analysis/ZGUwZjcwYzY2YTZmNDk3MWFhOTEwNmM2NmQ5NGVhNGU/
Note that these are SIGNATURE matches. Clearly something is triggering this, but I'm not sure what. No part of those values shown under "signs" actually appear in the files.
Note that none of the strawmen files that I've seen (including the large jpg mentioned) actually contain "strings that are used in other pieces of malware."
Edit-before-I-even-posted:
I created a file, filled it with ascii gibberish, named it gibberish.exe and uploaded it to malwr. Here's the full contents of the gibberish file:
fasfaf;sdfkh'hdignipasgiasdgipasdghighighighivmse[pm8uvtopawr8tvo;srm,
here's the scan result:
https://malwr.com/analysis/Mzk5N2NjODQ5MDhkNGM1ZTk4YzkxNzEwNjJlM2MzM2Y/
Either their virtual machine used for scanning has a virus on it, or their software is misconfigured.
Malware will often arrive as a weaponised Word or PDF document, as opposed to an executable binary such as an EXE file.
It's often worth reviewing your SPAM folder or creating a dedicated email address with which to sign up for lots of junk. You'll soon get a load of samples coming in.
I'd also recommend checking out the likes of Malwr to download and review samples.
And as an extra precaution, analyse samples in a virtual machine to prevent accidental infection of your own machine. I'd personally suggest REMnux, which is a Linux distro specially designed for malware analysis.
Good luck!
No, it checks much more than just that. A malware scan of the program reveals that it installs itself in autorun, so it can potentially run whenever it wants and read your internet history, among other things.
Here is what u/rawzone found: >Looks like they link a .jnlp file for fetching their .jar "malware".
>The jar is a "Java archive" a container for shipping Java applications.
>malwr.com did a bit of analyzing of the process that is spawned when running.
>jnlp:
https://malwr.com/analysis/ZjMxZWJlMTYzMmU3NDc5ZDkzOTk0MzM3YTgwOGNhZjM/
This could be compared to normal malware's droppers.
>jar:
https://malwr.com/analysis/NWViMGFkOTY2NDJiNGJmNThmNzM4ODdmMzNmZDcyNGM/
This would be the malware it self.
>Looks like they are only looking for VirtualBox's graphic driver when checking for a virtual machine - So use VMware or others when poking the malware.
>Seems like they forgot to tell that the "dropper" touches the browser history as well...
>Also why is it doing stuff to the computers startup process? Should this not just be running while at the exam?
>Anyways - Good luck with your exams.
Ey, did some google searching and this might be the installer for it on a virus scan site. This is indeed AutoIt, as screenshots show.
https://malwr.com/analysis/ZTAyNGRlYzQ0ODExNDNiYzlhYWFkZGZkZjA2OGYzMjM/
This shows nearly everything on the program iirc. Malwr is godlike.
EDIT : It may not be running everything since I believe the virus scan environment is Windows XP. Perhaps compatibility issue?
This program sets "IntelServices.exe" to run on startup. Totally legit. Hopefully nobody tried running it.
Probably related to this: https://malwr.com/analysis/ZjVjMzVjYTRiNzAxNGRkMzhmMzY2ZDczYmYzZjczMTk/
https://malwr.com/analysis/YWE2YmUzMTg2NzNhNGZjY2EyNmRkODUxYjkzNTBmMmI/
For those that this may concern, analysis from malwr.com shows:
Signatures
The file connects to the following IPs:
11foot8.com's A record (and therefore the webserver) is located at 184.172.129.21, as you find out from the public DNS servers you tried.
Apologies in advance if you are already aware of the following:
Attempting to browse to that IP by entering it into your browser's address bar will fail. You probably saw something like this. This is (probably) because the website is hosted on a server that hosts multiple unrelated websites and by entering the IP address you haven't given the web server enough information to know which site to serve up. When you enter the full DNS name into your browser and allow your computer to resolve the IP, as well as requesting the web page from the server your browser sends some data across known as the Host Header Name. This is, basically, the URL that you requested. This allows a single IP to host multiple websites.
Edit: I'm on mobile at the moment, so excuse the brevity, but 195.22.126.213 and zeroredirect1.com are both mentioned here, which may prove useful in your investigation: https://malwr.com/analysis/ZTFjODZiZjEyNDY2NGRkNmFlNmY5ZmNmYjIyYmZjZWI/
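The Host header behaviour described above, as an added example that is not part of the original thread: a minimal name-based virtual host on 127.0.0.1 that serves a different page per Host header, queried once by bare address and once with the hostname. The vhost table and page bodies are constructed for the demo; 11foot8.com is only used as a label and nothing on the internet is contacted.

```python
"""Name-based virtual hosting demo: why browsing to a bare IP can fail.

Added example, not from the original thread. The server below picks a page
by the Host header; a request that carries only the IP gets a 404, the same
request with the right hostname gets the site.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table (assumption for the demo): hostname -> page body.
VHOSTS = {
    "11foot8.com": b"<h1>11foot8 site</h1>",
    "other-tenant.example": b"<h1>unrelated tenant on the same IP</h1>",
}


class VHostHandler(BaseHTTPRequestHandler):
    """Serve the page matching the Host header; 404 when no site matches."""

    def do_GET(self):
        # Strip any ':port' suffix and compare case-insensitively, as web servers do.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host)
        if body is None:
            body = b"no site configured for this host"
            self.send_response(404)
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the vhost server to an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(port, host_header=None):
    """GET / from the demo server and return (status, body).

    Without an override http.client sends Host: 127.0.0.1:<port>, which is
    exactly what a browser sends when you type the IP into the address bar.
    """
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Host": host_header} if host_header else {}
    conn.request("GET", "/", headers=headers)
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


if __name__ == "__main__":
    server, port = start_server()
    try:
        print(fetch(port))                  # by IP only  -> (404, ...)
        print(fetch(port, "11foot8.com"))   # with Host   -> (200, ...)
    finally:
        server.shutdown()
```

The same effect can be reproduced against a real server with `curl -H "Host: 11foot8.com" http://184.172.129.21/`, which is the usual way to check a shared-hosting IP during an investigation without touching DNS.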
MD5 9bdd2e72708584c9fd6761252c9b0fb8. https://malwr.com/analysis/ZDZlNTcyMzg3ZDEwNDgyMmE5Y2QwZWNmZDIwNjJjZjI/#
Same internal name as the screenshot in the blog: http://breakingmalware.com/wp-content/uploads/2015/10/suspended-thread.png. Same anti-debug tricks, same argument for CreateProcessInternalW, same EntryPoint, same filename, same unpacking routine, same icon, same UAC bypass. It's Moker for sure.
I compared the SHA-256 values from the version included in Tron to the latest version on their site and they're a match. Here are the Malwr results. Only one AV flagged it as malicious. You are safe to classify that as a false-positive.
Please reiterate the importance of not opening unrecognized attachments.
Did Word show any indication that it blocked the macro?
You might as well reimage the machine, but if for some reason you can't do that just hit it with whatever AV tools you have on hand.
Here is the macro as reported by this site. ~~I don't really have time to deobfuscate.~~ EDIT: Nevermind, I'm bored but it likely won't tell you much more than it downloads and executes another file.
Here is a Malwr link, though you might as well upload your sample in case it is different.
A good way without installing anything: you can check any file (less than 128MB) on VirusTotal (which scans with 64 AVs) or Malwr (which has lots of information about the file and some AV too).
$ python /shared/investigations/oledump/oledump.py -a -v -s A3 059-12r21-8g.srk5hg.dot > 059-12r21-8g.srk5hg.dot.3
$ file 059-12r21-8g.srk5hg.dot.3
059-12r21-8g.srk5hg.dot.3: ASCII text, with CRLF line terminators
$ md5sum 059-12r21-8g.srk5hg.dot.3
bdb50e3219a2b3d31b00f5105516f005 059-12r21-8g.srk5hg.dot.3
I can't get this code to unwrap itself even trying to run it by itself or in another doc.
tried a few different sandboxes as well (here's a few public attempts for record purposes): https://malwr.com/submission/status/YTk4YzMxYjA0OTk3NGFhMDg2MmU4MTRkMDdhMDQ4ZWI/ https://malwr.com/submission/status/NTIyYmYyMzZmNGMxNDUzMmExMWFkYjhmYjNmOWE2YWQ/
As far as obfuscating this manually, honestly my lack of care is great. But I'll play with it as time allows. I'm sure there's a tool somewhere that plays off of the entire possible range of methods used by macros to pull this without running it though to see what it tried to do. But what's the fun in using someone else's tools anyways?
Wow, this thing uses a really neat trick to rename the file: if you notice, there is 'rsc.mp4' at the end of the filename; when using a tool that correctly shows the filename, it is read as '4pm.scr'.
Further, once unpacked from the archive, here is VirusTotal - oddly once completed, it said the analysis failed. Malwr. Looking at the strings, there are some references to 'vTask', which points to vTask Studio. I'm kinda stuck here since there is not much online about decompiling the scripts. I did run it with logging turned on, and all it seemed to do was copy itself to various startup locations. I have it running right now and am monitoring network traffic, but nothing is going through currently.
Update: Ok so I think I got the script now: http://pastebin.com/iPQTFijM
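The filename trick in the comment above is the Unicode RIGHT-TO-LEFT OVERRIDE (U+202E): everything after it is rendered reversed, so a name that really ends in `4pm.scr` is displayed ending in `rcs.mp4`, while Windows still executes it as a `.scr`. The following is an added example, not from the original post or sample, that unmasks such names; the sample filenames are constructed and the rendering model covers only the U+202E case.

```python
"""Unmask file names that use a Unicode bidi override to hide the real extension.

Added example, not from the original post. A name like 'x_\u202e4pm.scr' is
shown by a bidi-aware file manager as 'x_rcs.mp4', but the OS sees '.scr'.
"""
import unicodedata

# Bidi control characters that can reorder or hide parts of a name.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
    "\u200e", "\u200f",                                 # LRM RLM
}
# Extensions Windows treats as executable regardless of how the name reads.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def has_bidi_override(name):
    return any(ch in BIDI_CONTROLS for ch in name)


def displayed_name(name):
    """Approximate what a naive bidi-aware renderer shows for `name`.

    Only U+202E is modelled: text after it is reversed up to an explicit
    PDF (U+202C) or the end of the string; other controls are invisible.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def real_extension(name):
    """Extension the OS actually uses: taken from the true, unrendered name."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    dot = clean.rfind(".")
    return clean[dot:].lower() if dot != -1 else ""


def inspect(name):
    """Report how the name renders, what it really is, and whether that is suspicious."""
    ext = real_extension(name)
    override = has_bidi_override(name)
    return {
        "shown_as": displayed_name(name),
        "real_extension": ext,
        "bidi_override": override,
        "suspicious": override and ext in EXECUTABLE_EXTS,
        "controls": [unicodedata.name(c) for c in name if c in BIDI_CONTROLS],
    }


if __name__ == "__main__":
    for n in ("funny_video_\u202e4pm.scr", "notes.txt"):   # constructed names
        print(repr(n), "->", inspect(n))
```

On a live system the same check is cheap to run over a download folder: anything containing a bidi control whose true extension is executable deserves a hash lookup before it is ever double-clicked.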
This one
https://malwr.com/analysis/OGQ1ZWM4YTVjYTcyNGY0ZTlhMGY5ZTE5ZmQ1Mzc4MzQ/
is a Nanocore RAT. Look, it uses Google DNS (8.8.8.8), which is typically a Nanocore behaviour.
Jesus, more crap everyday
So, this looks like ransomware. Didn't get all the way to the bottom of the rabbit hole, but I got some PHP code that seems to encrypt all files, delete shadow copies and send off info about target PC for ransom purposes.
Analysis of PHP file: https://malwr.com/analysis/MDUzZGFjYWVhMzdiNDQ3M2I5MjE3N2JjZjNmZDE5ZTk/
edit: definitely ransomware -- "All your documents, photos, databases and other important personal files were encrypted<br>using a combination of strong RSA-2048 and AES-128 algorithms."
This is malware, come the fuck on.
u/lilstef and u/azharsukma are 12 months old and this is their first post.
u/Nirvii and u/RAYfighter are very obviously shill accounts, and this is their first comments about bitcoin.
https://malwr.com/submission/status/ZWQ4Yzk4NmM5ZWI1NDIyZDk1OTJkYzNjNDJkNzljNjc/
Here is the underlying AutoIt script (obfuscated): https://paste.ee/p/Fz2gi (binary taken from https://malwr.com/analysis/NGU1ZDE4MzNjNmQ2NDQ1MDk4YWY5ZWIxOWYwYmFlZDg/ with MD5 of 6fd78aafa581afa74c8f2fb459a6e349). You can clearly see calls to CallWindowProc, which is often used for calling native code (through its first parameter).
Basically this with a few small differences with files names, drop locations, passwords, obfuscation, and file-types.
This one ends up connecting to
kapc.pw:11678 GSK=DK9N=AALEC:A>EAEFB9E>HAJGI90<E
Here is a malwr.com analysis link. Looks like it didn't even get to dropping the full playload though.
I was going to link to the post in the malware subreddit but rule #3.
Still prefer this - https://malwr.com/
Runs the malware/virus in a sandboxed XP environment, gives you screenshots and a whole lot more.
It runs this, if you care to set it up for yourself: http://www.cuckoosandbox.org/
>This one
>https://malwr.com/analysis/OGQ1ZWM4YTVjYTcyNGY0ZTlhMGY5ZTE5ZmQ1Mzc4MzQ/
>is a Nanocore RAT. Look, it uses Google DNS (8.8.8.8), which is typically a Nanocore behaviour.
And it's even connecting to a no-ip domain, after all the malware-related seizures (wording?) that happened.
I've never downloaded any samples myself, but I think these places have some:
Other than that, when I feel like wrecking my XP virtual machine, I just google silly stuff like "cialis free download" and "flash player google chrome update 2014"
You will see a bunch of botnets using SSH port-forwarding as a proxy and trying to install a trojan on the attacked machine.
Most of the malware is not that impressive; I've seen the likes of BillGates or Xor.DDOS.
The interesting part is that LKM rootkits are coming back. For example, this variant of Xor.DDOS contains an LKM rootkit. Dump the SYS_BUF symbol from the binary to obtain the LKM rootkit.
The malware seems to try to connect to these IPs:
31.170.162.243
31.170.164.249
208.113.199.191
And these domains:
rombeast.site50.net
error404.000webhost.com
www.fakolith.es
www.alcoyensanche.com
www.administraciondefincasalcoy.com
www.226ers.es
The name of the file starts with: 8361A794DFA231D863E109FC9EEEF21F4CF09DDD
For instance, when you open processexplorer.exe or tcpview.exe each of these processes should appear in the list, but instead what appears is 8361A794...
Look at these caps (the process at the top and the bottom):
https://malwr.com/analysis/file/ZjBlMWNjOTM4NmFjNGYyNzkyYmMzOGY3ZjU1YWNjOGY/screenshot/ea985a34bef07529e6e529fb2880016f37fdfad0fa1f409dcd5c2ec0d9c1fdba/
This malware seems to like acrobat reader, it had some "temp" files in its docs and settings folders.
The "exe" is actually a text file, presumably failed output from somewhere:
<br /> <b>Warning</b>: readfile() [<a href='function.readfile'>function.readfile</a>]: http:// wrapper is disabled in the server configuration by allow_url_fopen=0 in <b>/home/content/85/9342685/html/jobs/file.php</b> on line <b>4</b><br /> <br /> <b>Warning</b>: readfile(hxxp://piscinasalhaurin.es/modules/mod_modules/sh.exe) [<a href='function.readfile'>function.readfile</a>]: failed to open stream: no suitable wrapper could be found in <b>/home/content/85/9342685/html/jobs/file.php</b> on line <b>4</b><br />
The one from the spanish domain appears to be flagged as "dorkbot.ed" by one av on virustotal.
Uploaded as well:
https://malwr.com/analysis/MTA4YWFiY2E2MDFiNDM1M2JlNTYxMmFiYzY5OTE1YjA/
This one does a significant amount more. Reading though now.
Edit: And boo, does vmware detection, I can't get it to run, oh well. Not going to invest a ton of time into it.
Have you verified that the malware you are looking for is actually detected by the antivirus scanner?
I'm sure you already know this: it's far from all malware that is detected, and the same goes for the artefacts.
I would try to identify it, as mentioned, by mounting the E01. Then test it on malwr.com or virustotal.com (when possible), or simply create a hash value and check if it's known or if it's detected by other malware scanners. Then try to scan with the products that actually detect the malware.
A neat little trick is to collect all the artefacts from the malware and put them into a password-protected archive. That way you can securely store the malware.
If you then unzip this archive onto a test machine with the latest signatures from the vendor, you can verify whether all the artefacts are detected or not.
Hope this makes sense :)
>By Sandbox you mean it could live run the malware and show its behaviour?
Exactly :)
>Do you remember the URL/Domain i really would like to see what it was on Web Cache :)
By "programs" do you mean tools or malwares? If you can list examples, that would be helpful too. If malware, you can try searching for them at https://malwr.com (you'll need to create an account to be able to download iirc)
That was part of the fox-it blog post, which was later removed from the post. I'm not sure why it ended up in the initial wave of reports.
Those emails were part of a different phishing campaign that was reported on the 10th:
https://malwr.com/analysis/MjE2ZDlkMTBlZDNiNGViMGJlYjMxYmQ0ZmQ1MzRhMWU/
Thanks for the suggestion! I actually submitted the file to Malwr.com and it executed the file. The results are here (https://malwr.com/analysis/NTdiYmQyMDMyZmQ0NDdiMThhYTNkNTZjNWYxMzFmZDM/), and from the looks of it it installs itself as a startup item, and makes outbound HTTP calls. Now, I understand most of what I'm looking at in the cuckoo analysis but I'm uncertain about what vulnerability this took advantage of, and how did cuckoo know how to invoke the file?
Hi, I did. Avira added it.
Any idea of what it is doing? https://malwr.com/analysis/MjBjY2Y5N2FlZTdkNGYzY2JmZDUzOWNkYzgwMzE5MjA/
Seems like it's tunneling ALL of my traffic to a remote host :s
Here is a malware analysis of the program, which is probably also the reason people find it invasive with regard to their "privacy":
https://malwr.com/analysis/ZjMxZWJlMTYzMmU3NDc5ZDkzOTk0MzM3YTgwOGNhZjM/
https://malwr.com/analysis/NWViMGFkOTY2NDJiNGJmNThmNzM4ODdmMzNmZDcyNGM/
If anyone wants to play with the sample:
https://malwr.com/analysis/ZWNlNGFlNjZlM2FlNDdmYjk1MDU4OTA3MWMyZTIwZDk/
You'll want to drop a fake biogas.exe/Step7ProSim.dll to see it drop its DLL hijack.
DOCX with VB script, but couldn't get it to detonate on my Office 2010.
Here's the first shot at a static analysis of the script, with some formatting. http://pasted.co/20df4688
A lot of junk code. A few things of note: it builds data based on huge byte assignments, one at a time:
Dcn6Lz54Lgc(7668) = 81 Dcn6Lz54Lgc(7669) = 123 Dcn6Lz54Lgc(7670) = 40
That's the biggest, 7670 bytes. I see a function (IPKn9eJOg8xQw) that looks like RC4 encryption. If so, the key value is strongly obfuscated as well.
Ugly stuff. My sandbox isn't running the right Office to make it work though, so nothing usable from me :)
Edits: Same-ish as: https://malwr.com/analysis/NjU0MjUxODAyMDQyNDM4ZTk3M2JjYTcxNWMyOTAxZTQ/
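The pattern described in the comment above (a byte array filled one element per line, then run through what looks like RC4) can be reconstructed statically without ever running the macro. The following is an added example, not the original sample's code: `rc4()` is a plain implementation of the cipher the commenter suspected, the macro text is constructed here by encrypting a known string with a made-up key, and the array name and key are assumptions.

```python
"""Rebuild a VBA byte array from 'Name(idx) = value' lines and RC4-decrypt it.

Added example, not from the analysed document. The macro fragment is
constructed by build_macro() so the round trip can be checked offline.
"""
import re

# Matches one assignment line such as 'Dcn6Lz54Lgc(7668) = 81'.
ASSIGN_RE = re.compile(r"^\s*(\w+)\((\d+)\)\s*=\s*(\d+)\s*$")


def rc4(key, data):
    """RC4 keystream XOR (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_byte_assignments(vba_text):
    """Collect per-array 'Name(idx) = value' lines; return {name: bytes}.

    Lines that are not assignments (Dim statements, junk code, comments) are
    skipped, and indexes the macro never assigns stay 0, as VBA would leave them.
    """
    arrays = {}
    for line in vba_text.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, idx, val = m.group(1), int(m.group(2)), int(m.group(3))
        arrays.setdefault(name, {})[idx] = val & 0xFF
    return {name: bytes(cells.get(i, 0) for i in range(max(cells) + 1))
            for name, cells in arrays.items()}


def build_macro(name, key, plaintext):
    """Emit a constructed macro fragment in the style of the sample (demo input only)."""
    blob = rc4(key, plaintext)
    lines = [f"Dim {name}({len(blob) - 1}) As Byte"]
    lines += [f"{name}({i}) = {b}" for i, b in enumerate(blob)]
    lines.append("' junk: q = q + 1")
    return "\n".join(lines)


def decrypt_arrays(vba_text, key):
    """Decrypt every byte array found in the macro text with the given RC4 key."""
    return {name: rc4(key, blob) for name, blob in parse_byte_assignments(vba_text).items()}


if __name__ == "__main__":
    demo_key = b"s3cr3t"                       # assumed key, not the sample's
    macro = build_macro("Dcn6Lz54Lgc", demo_key, b"cmd /c start payload.exe")
    print(macro.splitlines()[1:4])
    print(decrypt_arrays(macro, demo_key))
```

In a real sample the key is usually assembled by the same obfuscation as the data, so the practical workflow is: recover the array with `parse_byte_assignments`, recover the key expression by hand, and only then try `rc4`; a clean decrypt (ASCII, a URL, an MZ header) confirms the cipher guess.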
Quiet at work so:
https://malwr.com/analysis/MTdmYzU2NDMxNzQ3NDUxOTk3ZjI0MDY3ODExOTI3NTY/
http://i.imgur.com/k0JwGwC.jpg
Signatures
Installs itself for autorun at Windows startup process: None signs: [{u'type': u'registry', u'value': u'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\OSession\Microsoft Office 12 Sessions'}]
Unfortunately the link was 404'd but the filename produced some search results that suggest it probably is a variant of a piece of malware meant to steal steam inventory/passwords and was built using Visual C# on the .NET framework.
If it is indeed the same file, here is a link to some information on what it does: https://malwr.com/analysis/ZGM4MTk5YjNkZjA0NDg4YzgxNjU0OWU2YjRjYmNmMmU/#
As /u/KenzoTenma1446 stated, scan your computer with malwarebytes and ESET (I know you have AVG, but ESET also offers an online scanner here: http://www.eset.com/us/online-scanner/)
I would recommend a clean install if you want to be 100% sure the malware is gone (also if you have steam, delete the entire directory and re-download if you do a clean install).
You may have guessed that the only practical way to do this would be in an offline/local analysis environment, which puts the burden of using (and updating) various vendor tools/signatures on you:
https://security.stackexchange.com/questions/92091/is-there-a-way-to-use-virustotal-com-offline
However, signature-based malware detection is being left in the dust by increasingly-effective heuristic/behavioral analysis utilities. A good example of this is the open-source "Cuckoo Sandbox":
You can see an example of how this is used in https://malwr.com/ --
In your case you obviously don't want to upload file(s) of that size, so running the scan using a locally-running instance of the sandbox would be most-appropriate.
Ask Mila nicely and she will give you the password for the samples stored at: http://contagiodump.blogspot.com/
You can also look at some of the trackers at abuse.ch like: https://zeustracker.abuse.ch/monitor.php?browse=binaries or sign up at https://malwr.com/ to get access to samples submitted there.
Exploit was patched. Going to look into this "anti-cheat" of theirs. Looks sketchy as fuck, so you probably shouldn't install it. edit: Yeah it's malware. For anyone interested: https://malwr.com/analysis/ODBmZGRiOTdiNTkzNDdlNzkzMzQ4Y2QzZGU1MmIxNTM/
Cuckoo Sandbox would be a good application to analyze. It's designed to sandbox malware in a vm and perform dynamic analysis. It provides a Web interface for uploading samples and serving reports.
I love this software. Not just for its intended use, but as a reference for how to "do it right". I often browse the code when I want to cross check my code with very well written code.
For the future, malwr.com can help with quick IR. Free sandboxed sample analysis. Basically it's hosted Cuckoo with some tweaks to the Web UI. They're running Windows XP VMs for everything, so if your malware crashes, that may be why. Also, some malware checks for virtualized environments in an attempt to prevent this kind of analysis.
It is malware disguising itself as VLC Player.
https://malwr.com/analysis/MmYxN2NmZTc0OTNkNGZlMGJiZDdkMGIwMTVkNzQ1MTM/ https://www.virustotal.com/en/file/05764bd93aebf3aaf268bc4f1c9066e89550509c1c7a9c50c517b87a32063255/analysis/
Based on one of the signatures, it may be the Dark Comet RAT with a VB.NET packer.
looks like he's still going through some stuff with you - of course whilst this infection is on your computer don't access anything that you wouldn't want to give someone else access to. Apparently the purpose of this Trojan is to steal private information
What have you done so far smaw?
Uploaded it to malwr.com and the analysis finished before I could figure out how Process Monitor works (I'm new to this kind of stuff :P).
Results of the analysis are here.
I looked into the Application Data folder and found this. nbvcgjhk.exe and xoidmjqw.exe were both created the same time I ran the initial executable. The other executable was created the 2nd time I ran it, later. nbvcqjhk.exe and wqlxlmr.exe are both the exact same size (80KB) and xoidmjqw.exe is the exact same size as the initial executable (172KB). The analysis from malwr.com says it only drops vucirhah.exe, but that file is nowhere in sight.
Want to run the exes it dropped, but I'd like to know how to properly track what they're doing with Process Monitor first.
Thanks for your help so far
Have you had a quick butchers at https://malwr.com? It's a good site for peering in at what PE32 files people are finding and uploading to test. All credit must go to the creators of Cuckoo Sandbox for producing this awesome freebie tool.
Oh.. and then go and build yourself a cuckoo sandbox...
You can find the analysis here: https://malwr.com/analysis/NTRlMzExNmQyYjk3NGIwMjlkNmQ1NjdjYmJlZjZlMDc/
I have also uploaded all the files mentioned here: https://www.dropbox.com/s/5zc4btfan8vnycq/hasbro.zip
I uploaded a copy to malwr.com, here's the output: https://malwr.com/analysis/NDMzMDkzOGQzZTIwNGY3OWEyMWM3MTY4ZmE1MmNkMzg/
Not sure if it detected that it was in a VM, or if it was the fact that OpenCL wasn't installed, but it didn't drop anything. I'm guessing this is just the miner component.
The only other way would be to move the file into a VM or container with debug/trace software and run it there, disabling storage and networking. Cuckoo Sandbox and malwr.com are quite popular if you suspect it could be something new/original, or are just curious. Using a public scanner like malwr does take time, so, ymmv.
As mentioned, anti-sandbox is kind of extensive though. Malware toolkits are updating over time, and can detect the VM and sandbox, but if it's running in a clinical environment, most of the detection will have to run, it just won't detect part 2, which does the damage from the internet.
Earlier VM detection was looking for signs of a cloned system, i.e. checking "Microsoft Office RecentFiles" and terminating the payload if you hadn't opened any files, indicating a 'clean' environment, along with other markers like VMware and other VM hardware devices, names of popular AVs and debug and process explorer programs in memory, etc. If it matches a known list, it will play dead, or download alternative payloads to infect weak or outdated AV that it can exploit, etc.
Because there's a payday with ransomware, people develop all sorts of toolkits to get malware onto "protected" computers. It's very cat and mouse still.
I use Cuckoo Sandbox for behavior analysis. And I know that https://malwr.com/ uses this framework to check user files like the virustotal.
I don't know about ability to analyse word docs at this service. I will try it after some hours.
What do you think about it?
Hey! I'm always interested to see the results of these things. If you've got the time, can you upload the sample to both https://www.virustotal.com/ and https://malwr.com/ and provide me the links for each.
Uploading to Virus Total is a great way to support all AV vendors as they have private API keys to pull down samples from the service. I work for a security vendor myself however I don't want to give too much bias hence pointing you towards a neutral place to upload to.
Thanks!
Did you upload this to https://malwr.com and can you post the results? Upload all the files separately, including the .js and the two .exe files you collected and post the three resulting links.
Also, watch this Webinar - https://zeltser.com/malware-analysis-webcast/
preliminary results on "working web installer.exe":
virustotal link: https://www.virustotal.com/en/file/1d20d711fb29f38c7a01d4501ba71a6e583eb457e8b79ff688036aa198aad509/analysis/1471967513/
malwr link: https://malwr.com/analysis/NTAzZDIxZjI3Zjg4NDdiOTkzNTM4ZGM1N2EwMzBhOTE/
working web installer.exe seems to be an update of the first trojan indeed; This one sets up a ransomware payload immediately (see malwr.com screenshots).
I strongly urge anyone reading this to never download anything provided by babylon gaming in any way!
Also, and this goes without saying, never deactivate your malware defenses for anything or anyone. Especially not without extensive analysis first, and especially not for shady characters acting like infection is no big deal and/or asking you to turn off anything !
FYI, someone submitted the exe to malwr.com. I haven't been able to find any of the files mentioned in the analysis, so I'm wondering if it doesn't have some anti-analysis routines.
Have you tried comparing the output for SHA256 instead?
"certUtil -hashfile <file> SHA256" yields
0d 8c 1d 36 f0 d3 06 d4 18 84 ee 44 cb e6 85 7a 14 ef 5a fc b4 4c 6f 0e 4b a0 72 1c 3a e4 05 d4
The SHA256 hash for ieframe.dll from certUtil matches the one provided by VirusTotal and Malwr provides the same.
Perhaps it is just an anomaly?
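The comparison in the comment above trips people up because certUtil prints the digest as space-separated byte pairs (and on some versions in upper case), while VirusTotal and Malwr show one contiguous lowercase hex string. The following is an added example, not part of the original post, that normalises both forms before comparing; `certutil_style()` only imitates certUtil's output layout so the check can run offline, and the bytes hashed are a constructed stand-in, not ieframe.dll.

```python
"""Normalise certUtil-style hash output and compare it with a scanner's digest.

Added example, not from the original post. Works for SHA256 and MD5 alike
since it never assumes a length, only that the digest line is all hex.
"""
import hashlib
import re

PAIR = re.compile(r"[0-9a-fA-F]{2}")        # certUtil byte pair, e.g. '0d'
LONGHEX = re.compile(r"[0-9a-fA-F]{32,}")   # contiguous digest (MD5 or longer)


def normalize_digest(text):
    """Return the digest in `text` as contiguous lowercase hex.

    Accepts spaced byte pairs, a plain hex string of either case, or full
    certUtil output with its banner and trailer; the first line consisting
    only of hex tokens is taken as the digest.
    """
    for line in text.splitlines():
        tokens = line.split()
        if tokens and all(PAIR.fullmatch(t) or LONGHEX.fullmatch(t) for t in tokens):
            return "".join(tokens).lower()
    raise ValueError("no digest line found in input")


def certutil_style(hexdigest, filename):
    """Constructed imitation of 'certUtil -hashfile <file> SHA256' output (demo input)."""
    pairs = " ".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return (f"SHA256 hash of {filename}:\n{pairs}\n"
            "CertUtil: -hashfile command completed successfully.")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def matches(data, reported):
    """True when the SHA256 of `data` equals the digest reported in `reported`."""
    return sha256_hex(data) == normalize_digest(reported)


if __name__ == "__main__":
    sample = b"MZ\x90\x00 constructed stand-in, not the real DLL"
    local = certutil_style(sha256_hex(sample), "ieframe.dll")
    print(local)
    print("match:", matches(sample, local))
```

Comparing the full SHA256 rather than MD5 also sidesteps the collision concern that makes MD5 a weak identity check; when a vendor only publishes MD5, keep both and report the mismatch on whichever one differs.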
It makes the same callouts as this: https://malwr.com/analysis/NjY3NjRjYTdhZGYxNDk5YWEyMWRkMjM5YjJmMzFmODQ/
Both domains helloguysqq[.]su and sowhatsupwithitff[.]com don't currently resolve, but this looks like a lot of ransomware stuff that's been going around over the past week or so.
Thanks found the JS file hash, already submitted here: https://malwr.com/analysis/ZTg5ZTM4MGJhNmZjNGNiOTk5ZTM3YTg4ZDc4ZTA1ZjU/
I've notified Microsoft Malware Research to this. Hopefully other AV vendors follow suit.
Just a warning, this was posted in the /r/solve_strawmen:
> [–]Toonah[S] 21 points 32 minutes ago* IMPORTANT The largest image file I was able to find posted to the subreddit was this. https://i.imgur.com/bR8WhRT.jpg (316kb) 316kb is about the expected size of a piece of malware I renamed it from jpg to exe and uploaded it to the malware analysis sandboxing website https://malwr.com It found malicious code signatures in the file https://malwr.com/analysis/YTAxZmZiMDNkOWUxNDgyMGJjYTk1MmI0ZWM5NDIwYzM/ Signatures Creates an Alternate Data Stream (ADS) file: C:\DosDevices\A: process: None signs: [{u'type': u'file', u'value': u'C:\DosDevices\A:'}] file: C:\DosDevices\B: process: None signs: [{u'type': u'file', u'value': u'C:\DosDevices\B:'}] file: C:\DosDevices\C: process: None signs: [{u'type': u'file', u'value': u'C:\DosDevices\C:'}] Installs itself for autorun at Windows startup process: None signs: [{u'type': u'file', u'value': u'C:\WINDOWS\SYSTEM.INI'}] The file also contains strings used in other pieces of malware.. data that doesn't belong in an image file. It is safe to say we are dealing with malware here. I am guessing the smaller images are encrypted commands, and the larger images are executables that would be run on the infected machines (bots).
https://malwr.com/analysis/MTZkZDVkN2Q2MzAxNGNkN2E5YzhmZTI0ZWJjMGNkYTQ/
That's a fairly recent one but is typical of what I've been seeing over the last month or two. Each document uses macros which are obfuscated to perform a GET on the actual malware (crypto and dridex have been the popular ones). It's rare that I've seen repeats; the structure of the macro/infection remains the same but the actual email/document/obfuscation changes from day to day.
If VLC can't play the file/WMP cant play the file/WMP wants you to install 'DivX Codecs' fuck that shit...
This is what you get https://www.virustotal.com/en/file/2ba6b4e32ea5f6bfcd6e0e61c190eab22843a5139165d0302fde6490749beebd/analysis/1448297995/ https://malwr.com/analysis/NjMwMjE5NTNmYzA4NDNmMDhhNGM3MDYxMTdmMTBkMGY/ https://www.virustotal.com/en/file/c617728c25f1ceca0dd4e0070346217a94c0072cdcc3561925f6fafe86a985ea/analysis/ etc etc
Weird, I don't think it had anything to do with that (I got to the site by googling "flood live in Australia stylophone" in an effort to confirm that that was an instrument used on the album). I'll try uploading to malwr right now, thanks for the link.
ed: here you go: https://malwr.com/analysis/MjcxNDI1ZTkyNzIzNGIxYWE0NjM0ZDM4NGJmNzlkOTQ/
different filename because I'd already deleted the other and needed to redownload from my email. Any idea what's going on there? It's hard for me to see anything on my phone, unfortunately.
Finally got it onto virustotal by redownloading from my email (original file kept coming up as 0b, I think I deleted it in one place and Android didn't notice?) : https://www.virustotal.com/en/file/cccb9fecf7fdb8777471f1a615c8c37151938f812fdd97b811013001013149cc/analysis/1440692556/
Am I understanding correctly that it's a .swf? If so, I'm guessing it wouldn't have executed in mobile Chrome or just by being downloaded and opened in Notepad++ on Windows, correct?
ed: here's the malwr link as well: https://malwr.com/analysis/MjcxNDI1ZTkyNzIzNGIxYWE0NjM0ZDM4NGJmNzlkOTQ/
Did you get ahold of that c:.Bin\S-1-5-21-1708537768-823518204-1801674531-218703.exe file from the quarantine? Check the hash it might be writing itself to that location. Any other modifications to the system? Check out this analysis of the download: https://malwr.com/analysis/M2NkMjJiZTUzYzkwNGE5MTg2NzIwZDVjOGZjNTIzMjQ/
You could submit it to Mcafee as a suspected false and they can tell you exactly why it's being detected by their heuristics engine.
You're infected. Please see here.
I would suggest scanning with your antivirus, MBAM, etc. There is a list of files created on the URL linked above.
Edit: appears to be DarkComet RAT.
OP I like the idea, at least I haven't seen it before! Please do as /u/AnthongRedbeard says and run it through https://malwr.com/submission/ I am curious of the results.
Edit: As for building a RAT the answer is yes it is fully possible.
Did your tool work?
Think there is a difference between regular packers and this, this seems to be built specifically for this task. Layer2 is even more interesting because it was not recognised by any AV. Now it's recognised as zusy: https://www.virustotal.com/nl/file/13d1f18f38877d85a8a831b2f1391a343b386f9bcfea5d5ca794717d3032f783/analysis/1433833935/
layer2 sample: https://malwr.com/analysis/YWVjNGI4NGViYTVjNDMyYjkzZTMyYzZlYzllM2U5OTQ/
CTB sample: https://malwr.com/analysis/ODA2NjVhNjljZDZiNGVmODk0MjlmMzE1OGI2MzM1MzU/
The website couldn't analyse TrueSight, but I googled it and it seems it's part of the RogueKiller software which I have on my computer.
https://malwr.com/analysis/ZTEzYjRiMTQ2YmI4NDZmMjlmZjBhNzAzNDBkMzRjMmY/
Aaand Everything is a program that I use to search for files. Submitted it anyway and got this back:
https://malwr.com/analysis/MGVhZDRlM2ViZjljNDFjZmE3MjZjZTQ0MDBkMDVlMzI/
I too am working through PMA, but there's nothing like doing it for real, with real malware.
Someone else posted about https://malwr.com/ - get samples from there, and go through your own junk email folder: set up a Gmail account and subscribe to anything and everything you can find... it'll get out there eventually. I get a lot of good samples from my old mt.gox address.
It's been run through Allatori and I unfortunately have too much work to do to deobfuscate the damn thing.
Someone threw it into a sandbox, though: https://malwr.com/analysis/NDYyOTlhZWYyNzgzNDkyYmJhZjhiODUyNjVlZmJhZmE/
Yes, that's likely where you got infected from. You might not have run the exe, but .scr files are executable files as well. He may have put an image for the icon to make it look like a picture.
The exe file and the 4 scr files are all the same size (279040 bytes)
The contents of that zip:
/tmp/overlayvirus » ls -l
-rw-r--r-- 1 phil phil  37243 Nov 15 16:42 overlay 1.jpg
-rw-r--r-- 1 phil phil  75520 Dec 13 19:17 Overlay 3.png
-rw-r--r-- 1 phil phil   2875 Dec 13 19:18 Overlay 5.jpg
-rw-r--r-- 1 phil phil 279040 Jan 15 16:49 OverlayEnhancer.exe
-rw-r--r-- 1 phil phil 279040 Jan 15 16:49 Redline.Offline.Screen.scr
-rw-r--r-- 1 phil phil 279040 Jan 15 16:49 Redline.Photoshop.Overlay.scr
-rw-r--r-- 1 phil phil 279040 Jan 15 16:49 Resolution.Changer.scr
-rw-r--r-- 1 phil phil 279040 Jan 15 16:49 Text.Editor.scr
And they all have the same hash:
/tmp/overlayvirus » sha256sum *.exe *.scr
419f9dd32b36a7de3398200d399a271a755e18972f6ba686de4518e6f8b74808  OverlayEnhancer.exe
419f9dd32b36a7de3398200d399a271a755e18972f6ba686de4518e6f8b74808  Redline.Offline.Screen.scr
419f9dd32b36a7de3398200d399a271a755e18972f6ba686de4518e6f8b74808  Redline.Photoshop.Overlay.scr
419f9dd32b36a7de3398200d399a271a755e18972f6ba686de4518e6f8b74808  Resolution.Changer.scr
419f9dd32b36a7de3398200d399a271a755e18972f6ba686de4518e6f8b74808  Text.Editor.scr
I uploaded it to Malwr and you can see the results here, and it's also on VirusTotal here.
Only 1 antivirus picked it up. (this is why you shouldn't rely on antivirus software)
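The check the post above did by hand (same size, same SHA-256, five different names with executable extensions) is easy to automate for a whole download folder. The script below is an added example, not code from the poster; the sample directory it builds is constructed in a temp folder, with a fake "MZ"-prefixed blob standing in for the real payload, so the hashes it prints are not the ones from the thread.

```python
"""Group files by SHA-256 to spot one binary shipped under several names.
Added example; the sample directory it builds is constructed, not real."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions Windows executes on double-click. A .scr is a screensaver and
# runs exactly like an .exe, which is the disguise used in the zip above.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large samples do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(directory):
    """Map each digest to the sorted list of file names that carry it."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            groups[sha256_of(path)].append(name)
    return dict(groups)


def find_disguised_duplicates(directory):
    """Return {digest: names} for every digest shared by two or more files
    where at least one of the names has an executable extension."""
    suspicious = {}
    for digest, names in group_by_hash(directory).items():
        exts = {os.path.splitext(n)[1].lower() for n in names}
        if len(names) >= 2 and exts & EXECUTABLE_EXTENSIONS:
            suspicious[digest] = names
    return suspicious


def build_sample_dir():
    """Constructed stand-in for the zip in the post: three unique 'images'
    plus one fake payload saved under five names (hypothetical content)."""
    d = tempfile.mkdtemp(prefix="overlayvirus_")
    payload = b"MZ" + b"\x90" * 1022  # constructed, not a real executable
    for name in ["OverlayEnhancer.exe", "Redline.Offline.Screen.scr",
                 "Redline.Photoshop.Overlay.scr", "Resolution.Changer.scr",
                 "Text.Editor.scr"]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(payload)
    for name, body in [("overlay 1.jpg", b"\xff\xd8\xff" + b"a" * 10),
                       ("Overlay 3.png", b"\x89PNG" + b"b" * 20),
                       ("Overlay 5.jpg", b"\xff\xd8\xff" + b"c" * 5)]:
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(body)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    for digest, names in find_disguised_duplicates(sample).items():
        print(digest[:16], "->", ", ".join(names))
```

Point `find_disguised_duplicates` at an extracted archive instead of the constructed directory to get the same report for real downloads; the digest it prints is what you would paste into VirusTotal rather than uploading each copy separately.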
Okay, you all have recommended your tools, so I'll give you one! If you have a suspicious file that you don't trust and don't have a VM to run it on, https://malwr.com is a great place to test files and see what they do to a machine!
I've found one through a friend getting infected. It's full of Chinese characters, and I can't even tell what it's trying to do because of it. It's got a large base64 bitmap in its resources.
It doesn't reference Steam in any way, and it's really quite odd. It tries to decrypt some kind of bytes and salt. I can imagine that this itself is where it gets some of its information.
EDIT: https://malwr.com/analysis/ZTNmZmYyYjk5MTI1NGEwN2JkMzcyZWZkMTQ3YzlmY2E/
Unless it was written in a language which doesn't compile all the way to raw machine instructions (e.g. Java), reverse engineering it using a decompiler/disassembler is not likely to be easy. I can't say I've heard of Boomerang; I've played with OllyDbg and IDA Pro before, but only really used them in basic exploit development, not reverse engineering. When I have wanted to look at malware before I have just used a service like malwr, which saves having to learn the reverse engineering skills. Be aware, though, that some malware will try to detect if it's not running on a real victim machine and change (i.e. hide) its malicious behaviour.
They used Adobe Muse to create that site. It links to copy.com for the .scr file. The front page of that domain links to a .exe file which is exactly the same as the .scr file but without a large image file.
So this one actually has a bit of effort going into making it look like an alternative to Gyazo, until you try running the malware.
edit: info and analysis below
https://malwr.com/analysis/NGE5NzcyN2Y2NDA3NGNiMmIwN2FlN2I0NTQ0ODhlZTU/
I usually see CryptoWall distributed side by side with Poweliks (today also included ursnif and simda) through Magnitude EK. Just about 30 minutes ago I got: fae906bdca873acd53fc24024d0d07b5 -cryptowall cc5d5fc96d536a6e50baa28dd229475f -poweliks
If anyone needs a recent poweliks installer, it can be downloaded here: https://malwr.com/analysis/MTM2OTAxMmQyYWExNGM2OTkxMmExMTNkOWQ0N2U3MTE/
How about Malwr?
Also, I PM'd OP asking for a sample, but if you could send me the file he sent that'd be cool too. I have some free time while setting up some other machines for a security project and was planning on running it in a VM. It might just be better in that case to run it on a machine I can just wipe after but I'd love to play around with it to see what it's doing.
Oh look, some random executable from the interwebz!
https://malwr.com/analysis/Yjk0ZDQxOGYwZDA2NDg5Y2FhMmI4YWZjNjdlYzg3MzE/
What do you say to this comment on Github?
> Why are you updating the exe but not the source? Please provide a makefile or some other project file to compile the source. Otherwise it seems a bit scammy. Why is your program asking for the Visual C++ redistributable package? I couldn't find this package on the internet, only the 2013 version. And why does the source code contain links to another project, but not to this: https://github.com/multimulti/multi . And you obfuscated your program using SmartAssembly, which isn't logical for an open source project.
https://github.com/Multicoiner/Multicoiner/commit/212b0c3b7e2fc6a0c95490418eb5286445e362bf
-- Update -- Possible malware:
https://malwr.com/analysis/NTlmMTkxMDFiZTNjNDYwYmI4ZDRjMGJkMjliMGZkYTA/
I have the JAR and DOC files.
Here's the Malwr.com link: https://malwr.com/analysis/M2I0ZjBmYWFkOTg3NDU4N2ExMjgzODg1NjIxNDkzNTQ/
And here is the VirusTotal link: https://www.virustotal.com/en/file/67b0812cd6ae5083def578d38714bc5209f13674470c3124b545620d86bc0c99/analysis/
It could simply be looking for data to send back home.
Here are things I do:
Find the .zip file and upload it to virustotal.com and malwr.com. I'd bet it contains a .scr and the third-party spam filters aren't investigating .zip files deeply enough to see it.
Question the need to have any .zip files delivered. Some banks still do this.
Virustotal will tell you which av vendor finds it malicious and what it is. From there you can research with your vendor's malware lists.
malwr.com will tell you exactly what the thing does and what changes it makes, domains it needs etc.
Here's recent sample reports from VirusTotal and Malwr.com:
https://www.virustotal.com/en/file/9840809328d627483dbc1dabdb185399615a5d35a1c76583338a90aedeb6f316/analysis/ https://malwr.com/analysis/NTgwYTljY2EzOWY0NGFkY2FlZWQ5NjUyMTUyOGY4NGU/
Your AV vendor will likely have the means to submit a sample that you know is malicious. Include the link to the virustotal results. I've done this with McAfee and Microsoft and had the new dats that catch it within a few hours.
You can (probably) set up your reporting software to look for those changes in the registry or new files given to you via malwr.com. Treat those as indicators of compromise. Not every PC has access to shares, but any PC can become a "Typhoid Mary" and house the malware to be spread via USB; Macs too.
You can create a hosts file that contains the domains the malware needs to communicate with and direct them to 0.0.0.0, which is faster than the 127.0.0.1 that seems to be the default. Push it out with GPO. Be careful to not let the hosts file get too large. The hosts file at http://www.malwaredomainlist.com/ is tuned to malware only (not ads) and is a decent size.
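The last three steps of the list above (take the files, registry keys and domains from the sandbox report, treat them as indicators of compromise, and sinkhole the domains in a hosts file pointed at 0.0.0.0) fit in one small script. What follows is an added example, not the poster's tooling: the report dictionary and the Sysmon-style log lines are constructed stand-ins, the domain names are hypothetical, and the 10,000-entry cap is an arbitrary guard for the "don't let the hosts file get too large" advice.

```python
"""Turn a sandbox report's indicators into a sinkhole hosts file and a
host-side IoC match. Added example; SAMPLE_REPORT and SAMPLE_LOGS are
constructed, not real malwr.com output or real telemetry."""
import re

# Constructed stand-in for the network / dropped-file / registry sections
# of a sandbox report. Every value here is hypothetical.
SAMPLE_REPORT = {
    "domains": ["evil-c2.example", "EVIL-C2.example", "update.example.net",
                "localhost", "not a domain!"],
    "files": [r"C:\Users\victim\AppData\Roaming\scs1.tmp",
              r"C:\Users\victim\AppData\Roaming\scs2.tmp"],
    "registry": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
}

# Constructed endpoint log lines in a simplified Sysmon-like key=value form.
SAMPLE_LOGS = [
    "EventID=11 Image=C:\\Windows\\explorer.exe "
    "TargetFilename=C:\\Users\\victim\\Documents\\notes.txt",
    "EventID=11 Image=C:\\Users\\victim\\Downloads\\invoice.scr "
    "TargetFilename=C:\\Users\\victim\\AppData\\Roaming\\scs1.tmp",
    "EventID=13 Image=C:\\Users\\victim\\Downloads\\invoice.scr "
    "TargetObject=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
]

# RFC 1123 hostname shape: dotted labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
NEVER_BLOCK = {"localhost", "localhost.localdomain"}


def hosts_entries(domains, sink="0.0.0.0"):
    """Normalise, validate and de-duplicate domains; 0.0.0.0 is used as the
    sink because the post notes it fails faster than 127.0.0.1."""
    seen, out = set(), []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if d in NEVER_BLOCK or d in seen or not HOSTNAME_RE.match(d):
            continue  # skip loopback names, repeats and malformed strings
        seen.add(d)
        out.append(f"{sink} {d}")
    return out


def render_hosts_file(domains, max_entries=10000):
    """Build the hosts file text; refuse to emit an oversized one."""
    entries = hosts_entries(domains)
    if len(entries) > max_entries:
        raise ValueError(f"{len(entries)} entries exceeds cap of {max_entries}")
    header = "# sinkhole entries generated from a sandbox report\n"
    return header + "\n".join(entries) + "\n"


def normalise(path):
    """Case-fold and unify separators so Windows paths compare reliably."""
    return path.lower().replace("/", "\\")


def match_iocs(report, log_lines):
    """Return (kind, indicator, line) for each log line touching a file or
    registry indicator from the report."""
    indicators = {normalise(p): "file" for p in report["files"]}
    indicators.update({normalise(k): "registry" for k in report["registry"]})
    hits = []
    for line in log_lines:
        low = normalise(line)
        for ioc, kind in indicators.items():
            if ioc in low:
                hits.append((kind, ioc, line))
    return hits


if __name__ == "__main__":
    print(render_hosts_file(SAMPLE_REPORT["domains"]))
    for kind, ioc, line in match_iocs(SAMPLE_REPORT, SAMPLE_LOGS):
        print(f"[{kind}] {ioc}\n    {line}")
```

Replacing `SAMPLE_REPORT` with the parsed sections of a real report and `SAMPLE_LOGS` with an export from your endpoint logging gives you the hosts file to push by GPO and a first-pass list of machines that touched the dropped files or the Run key.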
Malwr seems to report that it is clean: it doesn't drop any files or talk to the internet, but who knows if it's able to detect a VM. I don't know if the process activity is out of the normal. That malwr rendered a screenshot seems to indicate the program loaded successfully.
Virustotal is 1/47: Ikarus reports it as Trojan-Downloader.Win32.VB.