MalwareViz

unknown

unknown

2014-05-04


Notice that both the circle and the VirusTotal results are green. This indicates that neither MalwareViz nor VirusTotal found anything wrong with this file. OK, now what? What legitimate purpose would someone have for creating this file?


The answer to this question can be found by taking a look "under the hood." Malwr has a Strings option under the Static Analysis tab. This shows a lot of information that you can use to search the Internet for answers. This file turns out to be a website template.

CVE-2010-0840

CVE-2010-0840

2014-05-04


This sample shows no Internet Traffic and no Created Files. The majority of malware wants to call home to report that it has been successful. It also wants to leave a file behind so it can hide and survive a reboot. Malware wants to run and fulfill its purpose by infecting something. When a graph looks like this, something went wrong.


There are multiple possible reasons why it didn't work. The malware may have detected that it is running in a sandbox environment like malwr.com. It might only work with an exact version of Java, Adobe Reader, Flash Player, MS Word, Excel, etc. At this point you will have to reverse-engineer the file to recover the information that automated analysis could not produce.

NGRBot

Zeus or Zbot

2014-05-02


When analyzing malware it's important to look at what you understand first. Most people prefer reading English to reading hexadecimal. Read the English strings to get an idea of what you are dealing with. A lot of malware is packed and won't show its most important strings, such as the URL or IP address it wants to call home to. However, this is not always the case.

If you click on the malwr.com link for this malware and go to the Static Analysis tab and then the Strings tab, you will find the text "Coded by BRIAN KREBS for personal use only". Since most malware does not contain this string, simply doing a Google search will give you an idea of what you are dealing with. Executing this file in a sandbox was still necessary to obtain the other information, as it was packed and hidden from plain view.
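Both the website-template entry above and this one rely on pulling readable strings out of a binary before anything else. The following is an added example, not code from MalwareViz or malwr.com, that reproduces what the Strings tab does: it scans a byte buffer for runs of printable ASCII and UTF-16LE text and then picks out the strings worth an Internet search (URLs, DLL names, author tags). The sample buffer is constructed here; the "Coded by BRIAN KREBS" string is the one quoted on this page, while the URL and file name in it are placeholders.

```python
import re
from typing import List

# Constructed sample buffer (not a real malware file): mostly non-printable
# bytes with a few readable ASCII and UTF-16LE strings embedded, the way a
# packed executable still leaks a handful of plain-text strings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"\x00" * 16
    + b"Coded by BRIAN KREBS for personal use only\x00"   # string quoted on this page
    + bytes(range(1, 32)) * 3                              # control bytes, no text
    + "http://example.invalid/gate.php".encode("utf-16-le")  # placeholder URL, wide string
    + b"\x00\x00\xfe\xa1\x07"
    + b"ab\x00"                                            # too short to count as a string
    + b"kernel32.dll\x00"
)

MIN_LEN = 4  # same default minimum length as the Unix strings(1) tool


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of at least min_len printable ASCII bytes (0x20..0x7e)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of at least min_len UTF-16LE characters: printable ASCII byte followed by NUL.
    Windows binaries store many of their strings this way, and a plain ASCII scan misses them."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def all_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    return ascii_strings(data, min_len) + utf16_strings(data, min_len)


# Things an analyst would paste into a search engine first.
INTERESTING = [
    re.compile(r"https?://", re.I),   # call-home URLs
    re.compile(r"\.(dll|exe|sys)$", re.I),  # imported or dropped binaries
    re.compile(r"coded by", re.I),    # author tags like the one on this page
]


def interesting(strings: List[str]) -> List[str]:
    """Filter the extracted strings down to the ones worth searching for."""
    return [s for s in strings if any(p.search(s) for p in INTERESTING)]


if __name__ == "__main__":
    for s in interesting(all_strings(SAMPLE)):
        print(s)
```

The two regexes are deliberately separate: a packed sample often hides its ASCII strings but still leaves wide-character strings (file paths, registry keys, URLs) readable, so running only an ASCII scan understates what the binary reveals.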

stuxnet

unknown

2014-05-03


New malware does not always get detected by the antivirus programs on the VirusTotal site. VirusTotal is green in this graph, indicating no detection. The circle around the name, however, is red. MalwareViz makes the circle red whenever VirusTotal has a hit or when a file has more than one Internet Connection. One Internet Connection could just be a legitimate file updating itself. More than one can be malware that wants multiple locations it can call home to in case one is blocked.


Despite the main file having no VirusTotal hits, the files that come out of the original file, the "Created Files", can often be picked up by an antivirus. Clicking on the Created File "_Setup.dll" shows that it has a hit as malicious.
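The two rules just described, the red circle (a VirusTotal hit on the main file or more than one Internet Connection) and checking the Created Files even when the parent is clean, are easy to state as code. The following is an added example, not MalwareViz's own implementation, that applies both rules to a constructed sandbox report. Counting distinct hosts as separate connections is my assumption about how MalwareViz counts; the sample names, the IP address and the domain are placeholders, and "_Setup.dll" is the file named on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FileNode:
    """One file in the sandbox report: the submitted sample or a Created File."""
    name: str
    vt_positives: int                      # number of VirusTotal engines flagging it
    children: List["FileNode"] = field(default_factory=list)


@dataclass
class Report:
    root: FileNode
    connections: List[str]                 # hosts or IPs contacted during the run


def circle_color(report: Report) -> str:
    """Red when VirusTotal flags the main file or when the sample contacted more
    than one distinct host; green otherwise (one connection may be a self-update).
    Assumption: distinct hosts count as distinct Internet Connections."""
    if report.root.vt_positives > 0 or len(set(report.connections)) > 1:
        return "red"
    return "green"


def flagged_created_files(node: FileNode) -> List[str]:
    """Walk the Created Files recursively and return those with VirusTotal hits.
    A clean parent says nothing about its children, so every level is checked."""
    flagged = []
    for child in node.children:
        if child.vt_positives > 0:
            flagged.append(child.name)
        flagged.extend(flagged_created_files(child))
    return flagged


def triage(report: Report) -> Dict[str, object]:
    """Summarise a report the way the graph does, plus the child-file check."""
    return {
        "circle": circle_color(report),
        "connections": len(set(report.connections)),
        "flagged_children": flagged_created_files(report.root),
    }


# Constructed reports, modelled on the entries on this page (not real data).
UNDETECTED_DROPPER = Report(
    root=FileNode("sample.exe", 0, [
        FileNode("_Setup.dll", 7),         # child caught even though the parent is clean
        FileNode("tmp1.tmp", 0),
    ]),
    connections=["198.51.100.7", "198.51.100.7", "update.example.invalid"],
)
WEBSITE_TEMPLATE = Report(root=FileNode("template.zip", 0), connections=[])
SELF_UPDATER = Report(root=FileNode("updater.exe", 0), connections=["update.example.invalid"])

if __name__ == "__main__":
    for name, rep in [("dropper", UNDETECTED_DROPPER),
                      ("template", WEBSITE_TEMPLATE),
                      ("updater", SELF_UPDATER)]:
        print(name, triage(rep))
```

The dropper report is the interesting case: VirusTotal is green on the main file, yet the circle turns red because two distinct hosts were contacted, and the child-file walk surfaces the detected DLL that a parent-only check would have missed.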

CryptoLocker CryptKeeper

CryptoLocker

2014-05-03


The URL in the Internet Traffic does not have an associated IP address. Some URLs are associated with an IP address for only a few minutes before the attacker removes the URL/IP association. This short lifetime makes it difficult for an organization to block or monitor the Internet Traffic.


Notice that the Internet Traffic (shalunishka12.org) and one of the created files (unmxkiol) were not named by a human; they are names randomly generated by the malware. The same malware can have a different file name on every machine it infects, and possibly different Internet Traffic. These hints let you know that this malware was possibly produced by an automated malware creator program.

Somoto

Somoto

2014-05-04


Here we see Internet Traffic both to an IP address directly and to a URL associated with an IP address. Clicking the IP address takes you to a tool called robtex.com. Robtex gives helpful information such as physical location, a graph of domains associated with the IP address, registration information and more. The URL links to VirusTotal, which can tell you whether malicious actions have been associated with this URL.

MalwareViz creates a clickable node for each Created File that may be executable, such as .exe, .dll, .sys, etc. Clicking on a link takes you to VirusTotal to see if the file has been seen before. Other files are placed together in one clickable node that gives details of their file extensions, such as the two temporary (.tmp) files at the bottom of the graph.

CryptoLocker

Pony

2014-05-05


2014-05-05 is the time the graph was created.
2014-04-22 is when the malware was uploaded to malwr.com.
2014-04-06 is the "compiled time". This is the time the file was compiled, i.e. when the malware came into existence.
This timestamp can be helpful in computer forensics and can be found in the VirusTotal link under the "File detail" tab as "Compilation timestamp". Sometimes it is modified to trick an investigator, but sometimes it is not.
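The compilation timestamp comes straight from the PE header, so you can read it yourself and compare it against the other two dates. The following is an added example, not code from MalwareViz or VirusTotal: it builds a minimal constructed PE header (a stand-in for a real executable) carrying a chosen compile time, reads the TimeDateStamp field back, and then checks the three dates for the ordering this entry describes. The plausibility rules (a compile time later than the upload, or a zeroed field, is suspect) are my own rough checks, not something the page defines.

```python
import struct
from datetime import datetime, timezone
from typing import Dict

PE_SIGNATURE = b"PE\0\0"


def utc(iso_date: str) -> datetime:
    """'2014-04-22' -> timezone-aware midnight UTC."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def build_minimal_pe(compile_time: datetime) -> bytes:
    """Constructed stand-in for an executable: DOS header with e_lfanew, then the
    PE signature and a COFF file header whose TimeDateStamp is compile_time.
    Only the fields this example reads are meaningful."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # offset of the PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, int(compile_time.timestamp()), 0, 0, 0xE0, 0x0102)
    return bytes(dos) + PE_SIGNATURE + coff


def compile_timestamp(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    # TimeDateStamp sits 4 bytes into the COFF header, after Machine and NumberOfSections.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 4 + 4)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timeline(data: bytes, uploaded: str, graph_created: str) -> Dict[str, str]:
    """Put the three dates from this entry side by side and judge the compile time.
    Rough checks (my assumption): a zeroed stamp or a compile time after the
    upload means the field was altered or the build clock was wrong."""
    compiled = compile_timestamp(data)
    if compiled == datetime.fromtimestamp(0, tz=timezone.utc):
        verdict = "zeroed"
    elif compiled > utc(uploaded):
        verdict = "implausible: compiled after upload"
    else:
        verdict = "plausible"
    return {
        "compiled": compiled.date().isoformat(),
        "uploaded": uploaded,
        "graph_created": graph_created,
        "verdict": verdict,
    }


# Constructed sample with the dates from this entry.
PONY_LIKE = build_minimal_pe(utc("2014-04-06"))

if __name__ == "__main__":
    print(timeline(PONY_LIKE, "2014-04-22", "2014-05-05"))
    print(timeline(build_minimal_pe(utc("2014-06-01")), "2014-04-22", "2014-05-05"))
```

The stamp is a plain 32-bit field that any hex editor can change, which is why the verdict only ever says "plausible" rather than "genuine": a forged value that still falls before the upload date passes this check, exactly as the entry warns.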


The language used can also be of interest. Notice on the VirusTotal site under the "File detail" tab that "Number of PE resources by language" shows a possible connection to the Chinese language.

Zeus

Zeus

2014-05-04


Some malware will try to hide its malicious Internet Traffic among regular-looking traffic. Some will check whether they have Internet access before unpacking and sending traffic to their real locations. This graph shows Internet Traffic to the legitimate Google sites www.google.com and www.google.nl (Netherlands). There is also malicious Internet Traffic to an IP address and a URL.


The ".tmp" file is usually deleted as a temporary holding place for the ".exe" file. A ".bat" file can be many things but it is included in malware that is coded to delete the original file after the original file has been renamed and copied to a hidden directory location.


Disclaimer

These are my personal opinions. The views and opinions represent my own and not those of people, institutions or organizations I am affiliated with unless stated explicitly.

Copyright © 2014 MalwareViz.