Monday, March 23, 2015

Latest Updates of VxStream Sandbox and the Malware Analysis Service at Hybrid-Analysis.com

A previous blogpost published at the beginning of February outlined some of the new features that were added to our online malware analysis service. We have added quite a lot of functionality since then, so we think it is a good idea to post a brief summary of exactly what has changed, to keep our readers and users up to date.

Updated Anti-VM Technology

After Pafish v0.4 (a benchmarking tool that implements common VM detection methods) was released earlier this year, we brought our anti-VM technology up to date and, at the same time, published a small benchmark of some popular malware analysis services. Today, Pafish v0.5 was released, so we will continue working on our anti-VM technology in the coming weeks and keep you updated on any progress.

Improved Searching Capabilities

We improved the webservice search and added some more advanced search options. In the previous version, you could search by filename, MD5 or SHA256 hash. Now you can also search by virus family name, or for all reports that contacted a specific host IP address or domain. Examples:
Please note: if only one result is returned by the search, you are automatically redirected to that report. Also, the vxfamily search is a substring search and applies only to the virus family name determined by VxStream. All searches return at most 100 results.

Also, some of the new search capabilities were integrated into all online reports as direct links, so you can continue navigating to other reports by clicking the virus family name, or quickly find other reports that share a network destination (see the following image).

Updated VBA Macro Parsing

As we had been getting more and more uploads of Word files and malicious XML files (and not all of them triggered or showed outgoing network traffic), we spent some time adding a small VBA "de-obfuscating" engine that helps extract C2 IPs regardless of the runtime behavior. We published a blogpost about it last week that received good feedback, and the engine is showing good results so far. After we published the blogpost, Philippe Lagadec announced that he is working on a generic engine that does the same and more, so we are looking forward to that development and will keep you updated on any progress.

Other updates not mentioned anywhere

Of course, we also make updates that are not published as part of blogposts or mentioned on the FAQ page of the service, because that would take too much time and not everything is really significant. Some of these updates over the past week included:
  • we added new YARA signatures that run on all input samples (we have ~600 online right now)
  • we have been adding more generic behavior signatures (we have ~215 online right now)
  • we added a webservice statistics page to clean up the front page; it shows the current number of signatures loaded by the system
  • we added support for MIME-encoded files (i.e. you can upload a MIME message and the service will "unmime" it and analyze the embedded file, if a valid one is found)
  • we added "environment groups" (multiple systems) that can be selected when you upload a file
  • we added some Windows 8.1 VMs
  • we added the ability to "not share" a sample when submitting (the sample is then neither available for download nor uploaded to VirusTotal if it is unknown there)
  • we added a download for strings detected in memory
  • we added shellcode streams that are extracted from memory written to foreign processes
  • we brushed up the visuals a bit, especially the submissions list, which now contains a lot more information
... and a few other minor things that need not be mentioned here.