Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 45375 times)




Offline BlueTesta

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 441
« Last Edit: November 29, 2016, 01:57:03 AM by BlueTesta »
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 502
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
PUA.Variant.Installcore

Human Expert Analysis Result: Clean

My personal Analysis Result: NOT CLEAN

Please check the file again!

https://valkyrie.comodo.com/get_info?sha1=3aa287706fc0037d98db5378c11ae45779c742b0

https://www.virustotal.com/en/file/7f206a93fb2e86dbf80a53ef84cd05f641f12abed39a9fc25b67efb9592acad5/analysis/

Malicious indicators:
  • Matched compiler/packer signature found (Borland Delphi 4.0)
  • Reads the active computer name
  • Drops executable files
  • Contains ability to create named pipes for inter-process communication
  • Makes a code branch decision directly after an API that is environment aware
  • Found potential URL in binary/memory
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


Offline pio

Fake "File Converter" Online Downloader

PUA

https://valkyrie.comodo.com/get_info?sha1=9ca7408cb40c29a73c913c407aa0a8c771633531

https://www.virustotal.com/de/file/cb52d2c4c092c80071be779f00ddaf18468198794ea5881b3be7da1a8ed1633b/analysis/

File Domain Indicators : https://sitecheck.sucuri.net/results/www.pcfreetime.com

Some suspicious/malicious indicators:
  • Matched compiler/packer signature
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Reads the Windows installation date
  • Queries process information
  • Queries the internet cache settings
  • Contains ability to start/interact with device drivers
  • Spawns a lot of processes
  • Reads configuration files
  • Drops executable files
  • Opens the Kernel Security Device Driver
  • Contains ability to listen for incoming connections
  • Contacts 8 domains and 1249 hosts
  • Multiple malicious artifacts seen in the context of different hosts
  • Uses network protocols on unusual ports (multiple TCP connections over ports 6969 and 6881)
  • Sends UDP traffic to various hosts
  • P2P BitTorrent DHT ping request
  • P2P torrent download
  • HTTP request contains Base64-encoded artifacts
« Last Edit: May 20, 2017, 11:38:13 AM by pio »

Offline fatih.orhan

  • Global Moderator
  • Comodo Loves me
  • *****
  • Posts: 181
I'll have it reviewed. Thank you, Pio, for the notification.


Offline fatih.orhan

That's correct, the file is Trojan.Win32.TrojanDownloader.Injector. Fixed.

Thanks.

Offline pio

I have accidentally deleted my previous post (again, during copy/paste operations and an unexpectedly imposed log-off)!  :-\  If somebody has already checked it, please give me a short info. Thank you!!!

https://valkyrie.comodo.com/get_info?sha1=5cdf3de454d3e4e5dc83d9563f31f9d65beeb45b
VT: https://www.virustotal.com/de/file/528cc0f79a45a857c1aa1cd2bfcab344b487c46cf0f895f8d6fff120a2be3820/analysis/1500591585/

My final verdict is NOT Clean!!! But sometimes it's just a question of definition...  ;)

Two new Files :

Human Expert Analysis = Clean >>> https://valkyrie.comodo.com/get_info?sha1=5c6951f5b4b3f6577b907fd1fc74d9a5bf9d5adc
VT : https://www.virustotal.com/de/file/f3626c12ba3d61d4133d74855bd82d9bc093237d6ddb8a2df6875051184e3d2d/analysis/

My Analysis Verdict = Not Clean - PUA.Variant.InstallCore

Some suspicious/malicious indicators:
  • Matched compiler/packer signature (Borland Delphi 4.0)
  • File has multiple PE anomalies (file contains more than 8 sections, PE file contains zero-size sections, PE parsing in sections "bss", "tls", "reloc")
  • File code is packed and obfuscated
  • Reads the registry for installed applications
  • Scanning for window names
  • Scans for the Windows taskbar
  • Contains ability to look up the Windows account name
  • Contains ability to reboot/shut down the operating system
  • Opens the Kernel Security Device Driver
  • Found a known API export symbol (found reference to API SHGetFolderPathA[at]SHFOLDER.DLL at PID 00002728)
  • Drops multiple executable files
  • Drops executable files to the Windows system directory (file type "VAX-order 68k Blit mpx/mux executable" was dropped at "%WINDIR%\Tasks\CouponViewer Toolbar.job")
  • Process drops a file with positive VT detection: "CVHP.exe" >>> https://www.virustotal.com/de/file/c79b5ceb2260c1f229f92a574ddc3a16a2af364d194649df5d8131a5bcf837ba/analysis/
  • Creates named pipes for inter-process communication (CreateNamedPipeA[at]KERNEL32.DLL at PID 00002728 and CreateNamedPipeA[at]KERNEL32.DLL at PID 00002800)
  • Installs hooks/patches the running process ("regsvr32.exe" wrote bytes to address "0x76FE1000", part of NSI.DLL)

Dropped File :

Human Expert Analysis = Clean >>> https://valkyrie.comodo.com/get_info?sha1=fda1eab5c7c5022b33ebf1b01dc9692f6dc11114
VT : https://www.virustotal.com/de/file/c79b5ceb2260c1f229f92a574ddc3a16a2af364d194649df5d8131a5bcf837ba/analysis/

My Analysis Verdict = Not Clean - PUA.Adware.Elex

Some suspicious/malicious indicators from the dropped file "CVHP.exe":
  • Found many suspicious strings in file hex table
  • Matched compiler/packer signature (VC8 -> Microsoft Corporation)
  • PE file contains unusual section name
  • Reads the active computer name
  • File code is packed and obfuscated
  • Contains ability to look up the Windows account name
  • Tries to create guarded memory sections
  • Reads the registry for installed applications
  • Opens the Kernel Security Device Driver
  • Found API hooks
  • Drops executable files ("CouponViewer Toolbar.job" has type "VAX-order 68k Blit mpx/mux executable")
  • File queries the "Windows Internet library" and "Event Log"
  • File queries sensitive browser settings (IE)

« Last Edit: July 20, 2017, 09:18:32 PM by pio »

Offline pio

« Reply #41 on: January 05, 2018, 05:35:45 PM »
Not Clean!!!

PUA.Adware.InstallCore

https://valkyrie.comodo.com/get_info?sha1=21bd11b735bf1d918e1f7297e24dd0b85438420d

https://www.virustotal.com/fr/file/842ea64767f655a52a08406751d8625a98867fcb620e7e7a6a506176b908f0c2/analysis/1515190141/

Some suspicious/malicious indicators:
  • Matched compiler/packer signature > compiler: Borland Delphi 6.0 - 7.0, packer: Inno Setup Installer
  • File has multiple PE anomalies (file ignores DEP, file ignores Code Integrity, embeds another file (type: Inno Setup, location: Resources), CRC value set in PE header does not match actual value, PE file contains zero-size sections, the file has 3 shared sections, contains unknown resources, the file references 3 languages in the resources)
  • Contains ability to start/interact with device drivers
  • Contains ability to elevate privileges
  • Contains ability to create named pipes
  • Contains ability to look up the Windows account name
  • Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
  • Tries to delay the analysis
  • Drops executable files
  • Creates guarded memory sections
  • Reads the active computer name
  • Scanning for window names
  • Reads the registry for installed applications
  • Scans for the Windows taskbar
  • Queries process information
  • Looks up many procedures within the same disassembly stream (found 57 calls to GetProcAddress[at]KERNEL32.DLL)
  • Writes bytes to itself
  • Duplicates the process handle of another process to obtain access rights to that process
  • Accesses the Windows default Safe DLL search path
  • Opens the Kernel Security Device Driver
  • Found network-related activity
  • File tries to receive data from h**p://www.msftncsi.com ("ncsi.txt")
« Last Edit: January 05, 2018, 05:46:10 PM by pio »

Offline pio

« Reply #43 on: February 03, 2018, 12:54:12 AM »
Not Clean!!!

Riskware/Adware.YoBrowser

https://valkyrie.comodo.com/get_info?sha1=2618cf80b3baa753bdba68c62e6667933714fa98

https://www.virustotal.com/#/file/9961fd789fb874879f1fd67e11192a7761029e484c27e2c8f5554656c5050db4/detection

Some suspicious/malicious indicators:
  • Matched compiler/packer signature > compiler: Borland Delphi 6.0 - 7.0, packer: Inno Extractor
  • File has multiple PE anomalies (timestamp in PE header is very old (from Thu Jan 1 00:00:00 1970), embeds another file (type: Inno Setup, location: Overlay), file ignores Code Integrity, PE file contains zero-size sections, file has 3 shared sections, contains unknown resources, resources contain 3 different languages)
  • Contains ability to elevate privileges
  • Contains ability to enumerate processes/modules/threads
  • Contains ability to start/interact with device drivers
  • Contains ability to query CPU information
  • Contains ability to look up the Windows account name
  • Contains ability to create named pipes
  • Found anti-VM strings (found VM detection artifact "RDTSCP trick" (offset: 220562))
  • Tries to delay the analysis ("explorer.exe" tries to delay the analysis)
  • Creates guarded memory sections
  • Reads the active computer name
  • Reads the registry for installed applications
  • Drops executable files (dropped file "wharfholder.dll" was classified as "Application.Generic" with 19% detection rate on VT)
  • Duplicates the process handle of another process to obtain access rights to that process
  • Opens the Kernel Security Device Driver
  • Looks up many procedures within the same disassembly stream (found 57 calls to GetProcAddress[at]KERNEL32.DLL)
  • Installs hooks/patches the running process (file writes data to "SHFOLDER.DLL", "MSIMG32.DLL", "NSI.DLL")
  • Found misc activity (Windows OS submitting USB metadata to Microsoft)

Offline pio

« Reply #44 on: February 09, 2018, 01:44:21 AM »
Not Clean!!!

PUA/Riskware.Downloader.Auslogics.BoostSpeed

https://valkyrie.comodo.com/get_info?sha1=c967d982c771779963dad721374b34d5912b23ef

https://www.virustotal.com/#/file/2229706af87504ea5b8bf819c306ffb1ddfcb4c4342bd259255d93faf4cbcb90/detection

Some suspicious/malicious indicators:
  • Matched compiler/packer/crypter signature > compiler: Borland Delphi 6.0 - 7.0, packer/crypter: UPX 1.95 Beta - 3.x
  • File has multiple PE anomalies (file ignores DEP, file ignores Code Integrity, entry point is outside of first section, checksum mismatches the PE header value, PE file contains zero-size sections, the file has 2 writable and executable sections, the file contains 7 unknown resources, the size "17048 bytes" of the certificate is suspicious, imports sensitive libraries > Net Win32 API DLL, Internet Extensions for Win32)
  • Contains ability to look up the Windows account name
  • Found anti-VM strings (queries the disk size, checks network adapter addresses, checks amount of memory in system)
  • Checks for the presence of an antivirus engine (Malwarebytes)
  • Tries to obtain the highest possible privilege level without UAC dialog
  • Creates guarded memory sections
  • Modifies file/console tracing settings
  • Reads the registry for installed applications
  • Reads the active computer name
  • Reads the cryptographic machine GUID
  • Accesses sensitive information from local browsers (%APPDATA%\Microsoft\Windows\Cookies\index.dat and %LOCALAPPDATA%\Microsoft\Windows\History\History.IE5\index.dat)
  • Modifies proxy settings
  • Creates Windows services ("CREATE"; path: "HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS")
  • Opens the Kernel Security Device Driver
  • Found network-related activity (collected information will be sent back to Google >>> host: "google-analytics.com/collect")
« Last Edit: February 09, 2018, 02:30:32 AM by pio »
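Added example (my own code, not from this thread, Comodo or Valkyrie): several of the static "PE anomaly" indicators quoted in the reports above can be recomputed from the file headers alone. The script below checks the checksum against the PE header value, a zero (1970) timestamp, missing NX_COMPAT and FORCE_INTEGRITY flags (what the reports call "file ignores DEP" and "file ignores Code Integrity"), zero-size sections, writable-and-executable sections, and an entry point outside the first section. So it runs offline it builds two constructed, non-loadable PE32 images in memory; the second is laid out like a UPX-packed installer. The section layout, flag values and sample names are assumptions for the demo, and the checks are what a triage script would do, not Valkyrie's own logic.

```python
import struct

# Documented PE/COFF flag values.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def pe_checksum(data, checksum_offset):
    """Standard PE image checksum: sum every 16-bit word with end-around carry,
    skipping the 4-byte CheckSum field itself, then add the file length."""
    length = len(data)
    if length % 2:
        data += b"\0"
    total = 0
    for off in range(0, len(data), 2):
        if off in (checksum_offset, checksum_offset + 2):
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + length


def parse_pe(data):
    """Read only the header fields the checks need. CheckSum (+64) and
    DllCharacteristics (+70) sit at the same optional-header offsets in PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, timestamp = struct.unpack_from("<HI", data, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, _, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rsize": rsize, "chars": chars})
    return {"timestamp": timestamp,
            "entry": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "checksum_offset": opt + 64,
            "dll_chars": struct.unpack_from("<H", data, opt + 70)[0],
            "sections": sections}


def pe_indicators(data):
    """Static PE anomalies, worded like the sandbox reports quoted in the thread."""
    pe = parse_pe(data)
    hits = []
    # A CheckSum of 0 means "not set" (normal for non-driver binaries), so only a wrong non-zero value counts.
    if pe["checksum"] and pe["checksum"] != pe_checksum(data, pe["checksum_offset"]):
        hits.append("checksum mismatches the PE header value")
    if pe["timestamp"] == 0:
        hits.append("timestamp in PE header is Thu Jan 1 00:00:00 1970")
    if not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        hits.append("file ignores DEP (NX_COMPAT not set)")
    if not pe["dll_chars"] & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY:
        hits.append("file ignores Code Integrity (FORCE_INTEGRITY not set)")
    for s in pe["sections"]:
        if s["rsize"] == 0 and s["vsize"] == 0:  # .bss-style sections have vsize > 0 and are not reported
            hits.append("zero-size section %s" % s["name"])
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("writable and executable section %s" % s["name"])
    if pe["sections"]:
        first = pe["sections"][0]
        end = first["va"] + max(first["vsize"], first["rsize"])
        if not first["va"] <= pe["entry"] < end:
            hits.append("entry point is outside of the first section")
    return hits


def build_pe(sections, entry_rva, dll_chars, timestamp=0, checksum="valid"):
    """Constructed minimal PE32 (not loadable) so the checks can run offline.
    sections: (name, VirtualSize, SizeOfRawData, Characteristics)."""
    e_lfanew, file_align = 0x40, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x0102)
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # 96-byte PE32 optional header
    opt = struct.pack(opt_fmt, 0x10B, 14, 0, 0, 0, 0, entry_rva, 0x1000, 0x2000, 0x400000,
                      0x1000, file_align, 6, 0, 0, 0, 6, 0, 0, 0x1000 * (len(sections) + 1),
                      file_align, 0, 2, dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128  # 16 empty data directories
    table, body, raw_ptr, va = b"", b"", file_align, 0x1000
    for name, vsize, rsize, chars in sections:
        table += struct.pack(SECTION_FMT, name, vsize, va, rsize,
                             raw_ptr if rsize else 0, 0, 0, 0, 0, chars)
        body += b"\xCC" * rsize
        raw_ptr += rsize
        va += 0x1000
    data = bytearray((dos + b"PE\0\0" + coff + opt + table).ljust(file_align, b"\0") + body)
    off = e_lfanew + 24 + 64  # file offset of OptionalHeader.CheckSum
    struct.pack_into("<I", data, off, pe_checksum(bytes(data), off) if checksum == "valid" else checksum)
    return bytes(data)


# Constructed samples: a tidy build, and one laid out like a UPX-packed installer (W+X UPX0/UPX1,
# entry point in the second section, bogus checksum, zero timestamp, no DEP/integrity flags).
CLEAN = build_pe([(b".text", 0x100, 0x200, 0x60000020), (b".data", 0x100, 0x200, 0xC0000040)],
                 entry_rva=0x1010, dll_chars=0x0180, timestamp=1514764800)
SUSPECT = build_pe([(b"UPX0", 0x1000, 0, 0xE0000080), (b"UPX1", 0x200, 0x200, 0xE0000040),
                    (b".rsrc", 0, 0, 0xC0000040)], entry_rva=0x2100, dll_chars=0, checksum=1)
```

On a real sample call `pe_indicators(open(path, "rb").read())`. Treat each hit as a weak signal, not a verdict: a zero CheckSum field is normal for anything that is not a driver, most user-mode programs lack FORCE_INTEGRITY, and a packed-but-legitimate installer trips the W+X and entry-point checks too. The hits are worth reporting because, as in the threads above, they stack with the dynamic behaviour (dropped files, named pipes, GetProcAddress bursts) when an analyst argues a "Clean" verdict should be revisited.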

 
