It has been a while since I've posted to Payload Security's blog, because the dev team behind VxStream Sandbox has been quite busy finishing the web interface and focusing on the new report design. Nevertheless, stress testing the system with new samples is a daily task, and as we were running samples through the system today we got an analysis that was spot on and a perfect fit for a blog post. The malware analysis we discuss here briefly outlines the strengths of our sandbox: behavior signatures paired with a strong analysis engine that includes Hybrid Analysis. I know the term "Hybrid Analysis" sounds more mystical than obvious to most readers, but you should have a good idea of what it means after reading this article, so read on without fear. Before we go into the depths of the malware, let me announce something very cool: within the next few weeks we will be offering a demo web interface with navigable reports to give everyone an impression of the system overall.
UPDATE: You can view the full report at our new free malware analysis service here:
http://www.hybrid-analysis.com/sample/f0a068c48d260ebd182861e114edfb4383f922ec8186fa6b9ffb247a37da36eb/
Tumble down the rabbit hole (with VxStream Sandbox)
The sample we will be looking at is labeled by Kaspersky as "Trojan-Spy.Win32.SpyEyes.aryc" (SHA256: f0a068c48d260ebd182861e114edfb4383f922ec8186fa6b9ffb247a37da36eb), but we will call it "Torminator", because it wrecks the system (e.g. deletes all shadow copies), encrypts user files and then demands a ransom to decrypt/restore them, i.e. typical ransomware. The restore page(s) are Tor websites (e.g. https://<random>.torminater.com/).
The first thing we do when we test our system (besides reading our own report) is check what the "competition" detected, in order to judge the quality of our analysis. Unfortunately, in this case malwr (the free service running Cuckoo Sandbox) did not do so well (a failed analysis happens to all of us):
Please note that today some malware is even aware of analysis software (detecting e.g. third-party tools like Wireshark, AutoIt etc.) and goes dormant instead of executing its payload (which is why "dormant code detection" as implemented by Hybrid Analysis is so important). Also, userland hooking engines (as used by Cuckoo Sandbox) will always have detection issues (a bit like Heisenberg's uncertainty principle, which describes the disturbance caused by the act of observation), which is somewhat offset by a whole list of advantages (such as fast portability between Windows versions compared to kernel code, sometimes stability, or being a lot closer to the instructions and data), but that is another discussion. Should you be interested, you can see the full malwr report here. On a side note: I do not want to talk down malwr or its free service (how can anyone ever complain about free work?!), but the comparison shows that different systems can produce different results and it is always good to rely on a variety of tools, even if they are from the same category ("forensic malware analysis").
When we take a look at the VxStream Sandbox report, we always start with the behavior signatures, because they give a very good idea of what the malware does and what functionality it contains, and they provide entry points for deeper analysis. The further we scroll down, the deeper we fall into the rabbit hole and the more details we learn.
An interesting malicious signature that immediately jumps out is "Deletes volume snapshots", as it characterizes a distinctive feature (dropping files and writing memory into foreign processes is common among malware). When we expand the signature we obtain some more details:
As we can see, the volume snapshots are deleted by running vssadmin.exe with the command line "Delete Shadows /All /Quiet" (note the /Quiet, which suppresses the confirmation prompt and any output).
The next section I usually go to is "Screenshots" and "Hybrid analysis" (see the menu on the right), because they contain visual information (which is always interesting) and a process tree of the original sample that includes infected and newly created processes. I can also look at in-depth data about each monitored process. In this case, this is how the process tree looks:
As we can see, the malware injects itself into explorer (or creates a new instance) and hides in an svchost process (quite typical for malware), from which it creates a notepad instance, deletes the shadow copies of the hard drive, disables recovery mode and sets the boot policy to "ignore all failures". Not very nice. ;-) If we take a look at the second screenshot below we can see that a notepad instance with the title "DECRYPT_INSTRUCTIONS" and some informational text (in German) is created:
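Behavior signatures like "Deletes volume snapshots" are scripts that fire on observed events such as the process creations in this tree. As an added example (not VxStream's signature interface or code), here is a minimal Python signature engine run over a constructed process-creation log that mirrors the tree described above. The vssadmin command line is the one the report shows; the two bcdedit lines are the usual syntax for disabling recovery mode and setting the boot status policy to ignore all failures and are an assumption here, as are the PIDs, paths and parent/child relationships.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record as a sandbox would log it (constructed)."""
    pid: int
    ppid: int
    image: str       # image file name
    cmdline: str     # full command line as observed


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str
    pattern: re.Pattern   # matched against the normalized command line


# Hypothetical signature set (not VxStream's own). The vssadmin line is the one
# the report shows; the two bcdedit lines are the usual syntax for "disable
# recovery mode" / "ignore all boot failures" and are an assumption here.
SIGNATURES = [
    Signature("Deletes volume snapshots", "malicious",
              re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    Signature("Disables Windows recovery mode", "malicious",
              re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    Signature("Sets boot status policy to ignore all failures", "malicious",
              re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
]


def normalize(cmdline: str) -> str:
    """Strip quotes and collapse whitespace so a quoted full path with odd spacing still matches."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def parent_image(events, pid):
    """Image name of the parent process, or None if the parent was not logged."""
    by_pid = {e.pid: e for e in events}
    ev = by_pid.get(pid)
    if ev is None or ev.ppid not in by_pid:
        return None
    return by_pid[ev.ppid].image


def match_signatures(events):
    """One hit per (signature, process). The command line is checked regardless of the
    image name, so a wrapper such as 'cmd.exe /c vssadmin ...' is caught as well."""
    hits = []
    for ev in events:
        text = normalize(ev.cmdline)
        for sig in SIGNATURES:
            if sig.pattern.search(text):
                hits.append({
                    "signature": sig.name,
                    "severity": sig.severity,
                    "pid": ev.pid,
                    "parent": parent_image(events, ev.pid),   # context: who spawned it
                    "cmdline": text,
                    "quiet": "/quiet" in text.lower(),        # the detail the report calls out
                })
    return hits


def triggered_names(events):
    return sorted({h["signature"] for h in match_signatures(events)})


# Constructed process-creation log mirroring the tree described above
# (explorer -> svchost -> notepad / vssadmin / bcdedit); PIDs and paths are made up.
EVENTS = [
    ProcessEvent(1000, 4, "explorer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(1200, 1000, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(1300, 1200, "notepad.exe", r"notepad.exe DECRYPT_INSTRUCTIONS.txt"),
    ProcessEvent(1400, 1200, "vssadmin.exe", r'"C:\Windows\System32\vssadmin.exe"  Delete Shadows /All /Quiet'),
    ProcessEvent(1500, 1200, "cmd.exe", r"cmd.exe /c BCDEDIT /set {default} recoveryenabled No"),
    ProcessEvent(1600, 1200, "bcdedit.exe", r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcessEvent(1700, 1000, "vssadmin.exe", r"vssadmin.exe list shadows"),   # benign: must not fire
]

if __name__ == "__main__":
    for h in match_signatures(EVENTS):
        print(f"[{h['severity']}] {h['signature']} (pid {h['pid']}, parent {h['parent']}): {h['cmdline']}")
```

Matching on the normalized command line rather than on the image name is what keeps the signature robust against quoting, extra whitespace and cmd.exe wrappers; the benign "list shadows" line is there to show the pattern is specific to deletion.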
What it basically says is that all files were encrypted with an RSA-2048 key and that they can be recovered if one visits a "personal website" and pays a bunch of $$$ to some crooks. Typical ransomware, except that a Tor service is used. More interesting is how the software works. If you are interested in very specific details, such as the logged API calls, all registry accesses, created mutants, touched handles or "streams" (more on that later), you can click on any process in the process tree and navigate the in-depth "sub-reports" (on a per-process basis). Here are two examples:
In the example above we see a simple list of API calls. What is nice is that there are additional "meta parameters" (the ones in brackets) carrying extra information (e.g. the path connected to a handle). Let's take a look at some "streams" (basically annotated disassembly listings):
As can be seen, the disassembly instructions were extracted from a memory dump file and annotated accordingly. What is nice is that the "vssadmin.exe Delete Shadows /All /Quiet" call was reconstructed automatically by the Hybrid Analysis engine using stack simulation and data flow analysis. The malware author tried to hide the string by writing it character by character into the local stack frame, so that a plain byte-pattern search over the binary will not find it. Luckily, we are equipped with a powerful tool to counter that measure. ;-)) One additional note: the screenshots presented here are from the web interface, i.e. they do not represent the "full report", which contains all the information gathered by the analysis system. Full reports are currently available in JSON, XML and HTML.
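To make the stack-string trick and its reconstruction concrete, here is an added Python example (not the Hybrid Analysis engine): a constructed x86 listing in the style of the streams above builds the vssadmin command line with scrambled byte and dword stores into the frame, and a tiny stack simulator follows the stores, the lea'd pointer and the push to recover the string argument at the call. The addresses, the store order and the import slot are invented; the string is the one the report shows.

```python
import re

# Constructed x86 listing in the style of an annotated disassembly "stream".
# It is NOT taken from the real sample: addresses, the scrambled store order and
# the import slot are made up; only the string it builds is the one from the report.
LISTING = """\
00401000  push ebp
00401001  mov ebp, esp
00401003  sub esp, 0x30
00401006  mov dword ptr [ebp-0x4], 0x00746569    ; 'iet' + NUL, written first
0040100d  mov byte ptr [ebp-0x28], 0x76          ; 'v'
00401011  mov dword ptr [ebp-0x24], 0x6e696d64   ; 'dmin'
00401018  mov byte ptr [ebp-0x27], 0x73          ; 's'
0040101c  mov dword ptr [ebp-0x20], 0x6578652e   ; '.exe'
00401023  mov dword ptr [ebp-0x1c], 0x6c654420   ; ' Del'
0040102a  mov byte ptr [ebp-0x26], 0x73          ; 's'
0040102e  mov dword ptr [ebp-0x18], 0x20657465   ; 'ete '
00401035  mov dword ptr [ebp-0x14], 0x64616853   ; 'Shad'
0040103c  mov byte ptr [ebp-0x25], 0x61          ; 'a'
00401040  mov dword ptr [ebp-0x10], 0x2073776f   ; 'ows '
00401047  mov dword ptr [ebp-0xc], 0x6c6c412f    ; '/All'
0040104e  mov dword ptr [ebp-0x8], 0x75512f20    ; ' /Qu'
00401055  lea eax, [ebp-0x28]
00401058  push eax
00401059  call dword ptr [0x40a0c8]              ; assumed import slot (e.g. WinExec)
0040105f  mov esp, ebp
00401061  pop ebp
00401062  ret
"""

STORE_RE = re.compile(r"mov (byte|word|dword) ptr \[ebp-0x([0-9a-f]+)\], 0x([0-9a-f]+)$", re.I)
LEA_RE = re.compile(r"lea (\w+), \[ebp-0x([0-9a-f]+)\]$", re.I)
PUSH_RE = re.compile(r"push (\w+)$", re.I)
CALL_RE = re.compile(r"call (.+)$", re.I)
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def _instruction(raw):
    """Drop the address column and the ';' annotation, leaving the bare instruction."""
    line = raw.strip()
    text = line.split("  ", 1)[1] if "  " in line else line
    return text.split(";", 1)[0].strip()


def read_cstring(frame, addr):
    """Read bytes upward from a frame offset until a NUL or an unwritten slot."""
    out = bytearray()
    while addr in frame and frame[addr] != 0:
        out.append(frame[addr])
        addr += 1
    return out.decode("latin-1")


def simulate(listing):
    """Minimal stack simulation: record immediate stores into the frame, pointers
    produced by lea, and pushes of those pointers; at each call, resolve the pushed
    pointers to C strings. Store order in the code is irrelevant to the result."""
    frame = {}      # ebp-relative offset (negative int) -> byte value
    regs = {}       # register -> frame offset it points at (from lea)
    pending = []    # pushed pointer arguments, in push order
    calls = []
    for raw in listing.splitlines():
        text = _instruction(raw)
        if not text:
            continue
        if m := STORE_RE.match(text):
            width, off, imm = WIDTH[m.group(1).lower()], -int(m.group(2), 16), int(m.group(3), 16)
            for i in range(width):                       # little-endian store
                frame[off + i] = (imm >> (8 * i)) & 0xFF
        elif m := LEA_RE.match(text):
            regs[m.group(1).lower()] = -int(m.group(2), 16)
        elif m := PUSH_RE.match(text):
            reg = m.group(1).lower()
            if reg in regs:                              # only pushes of known frame pointers
                pending.append(regs[reg])
        elif m := CALL_RE.match(text):
            # cdecl/stdcall push right to left, so reverse into C argument order
            calls.append({"target": m.group(1).strip(),
                          "args": [read_cstring(frame, a) for a in reversed(pending)]})
            pending = []
    return calls


def stack_strings(listing):
    """Every string argument handed to a call, in call order."""
    return [s for c in simulate(listing) for s in c["args"]]


def raw_immediates(listing):
    """The immediate bytes as they sit in the code section, in instruction order:
    what a plain byte-pattern search over the binary would see."""
    out = bytearray()
    for raw in listing.splitlines():
        if m := STORE_RE.match(_instruction(raw)):
            out += int(m.group(3), 16).to_bytes(WIDTH[m.group(1).lower()], "little")
    return bytes(out)


if __name__ == "__main__":
    for c in simulate(LISTING):
        print(c["target"], "<-", c["args"])
```

The `raw_immediates` helper is the reason the trick works against naive tooling: every byte of the command line is present in the code section, but the scrambled, interleaved stores mean neither "vssadmin" nor "Delete Shadows" appears as a contiguous run, while the simulator, which tracks where the bytes land rather than where they sit, recovers the full string at the call site.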
Anyway, if we scroll to the network traffic section we get a good overview including a graphical "world map" that highlights countries that were contacted:
If we scroll down even further we can take a look at the dropped files and download them as well:
As we can see, two interesting dropped files are available for further inspection: an alleged "jpg" file that is actually a COM executable, and the file named w7-32@pumma[1].txt ("w7-32" is our computer name), which is a configuration file. In addition to the monitored processes and memory dumps, dropped files can provide valuable indicators for (automatic) post-processing. Please note that all dropped files are parsed by Hybrid Analysis as part of a normal analysis already (i.e. disassembly streams, strings and API calls are extracted). Scrolling down the report even further, there is a list of extracted strings (from a variety of sources) and some informational notices from the analysis system itself. That's it.
One last note: to be fair, we added the ransomware signature "Deletes volume snapshots" after we found the sample and ran it for the first time, but it only took two minutes to add the new signature script and five minutes to re-run the adapted system, because the signature interface is very open and can be scripted easily. This iterative approach is what some people call agile security.
Conclusion
A malware analysis system that provides reports with a straightforward overview, but the option to look at in-depth behavior at the same time, is a very good basis for understanding and adapting to today's malware threats. Generic behavior signatures are a strong and powerful tool, but they all depend on the underlying system to provide data that can be used as a trigger. That is why technologies such as Hybrid Analysis, which can extract strings, API calls, shellcode and dormant code, are invaluable at scale, because the overall data will be of higher quality. In this blog post we outlined how easy it is to understand the most important aspects of a piece of malware within 10 minutes. For deeper analysis, the disassembly listings and the provided context files are a good entry point. The reports VxStream Sandbox generates are more than just an impression.