Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 41178 times)

BlueTesta
« Last Edit: November 29, 2016, 01:57:03 AM by BlueTesta »
Comodo Cloud Antivirus - Malwarebytes Anti-Exploit - CryptoPrevent - Standard User Account
Windows 10

pio
PUA.Variant.Installcore

Human Expert Analysis Result: Clean

My personal Analysis Result: NOT CLEAN

Please check the file again !

https://valkyrie.comodo.com/get_info?sha1=3aa287706fc0037d98db5378c11ae45779c742b0

https://www.virustotal.com/en/file/7f206a93fb2e86dbf80a53ef84cd05f641f12abed39a9fc25b67efb9592acad5/analysis/

Malicious Indicators: Matched Compiler/Packer signature Found (Borland Delphi 4.0), Reads the active computer name, Drops executable files, Contains ability to create named pipes for inter-process communication, Makes a code branch decision directly after an API that is environment aware, Found potential URL in binary/memory
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***


pio
Fake "File Converter" Online Downloader

PUA

https://valkyrie.comodo.com/get_info?sha1=9ca7408cb40c29a73c913c407aa0a8c771633531

https://www.virustotal.com/de/file/cb52d2c4c092c80071be779f00ddaf18468198794ea5881b3be7da1a8ed1633b/analysis/

File Domain Indicators: https://sitecheck.sucuri.net/results/www.pcfreetime.com

Some suspicious/malicious Indicators: Matched Compiler/Packer signature, Reads the active computer name, Reads the cryptographic machine GUID, Reads the windows installation date, Queries process information, Queries the internet cache settings, Contains ability to start/interact with device drivers, Spawns a lot of processes, Reads configuration files, Drops executable files, Opens the Kernel Security Device Driver, Contains ability to listen for incoming connections, Contacts 8 domains and 1249 hosts, Multiple malicious artifacts seen in the context of different hosts, Uses network protocols on unusual ports (Multiple TCP connections over Port 6969 and 6881), Sends UDP traffic to various hosts, P2P BitTorrent DHT ping request, P2P Torrent download, HTTP request contains Base64 encoded artifacts
« Last Edit: May 20, 2017, 11:38:13 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
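
The network indicators in the post above (TCP to ports 6881 and 6969, UDP to many hosts, a BitTorrent DHT ping request) can be reproduced from a packet capture without the sandbox. As an added example, not code from pio, Comodo or the sandbox vendor, the Python below decodes a UDP payload as bencode and recognises a KRPC ping query (a dict with y=q, q=ping and a 20-byte node id in the arguments), and flags destination ports in the 6881-6889 and 6969 range that BitTorrent clients and trackers conventionally use. The payloads are constructed inline; the port set and the flow-classification function are assumptions for illustration, not part of any report format.

```python
"""Recognise BitTorrent DHT (KRPC) traffic and BitTorrent ports in captured flows."""

# Ports BitTorrent clients (6881-6889) and trackers (6969) conventionally use.
# Assumed set for this example; tune it to your environment.
BT_PORTS = set(range(6881, 6890)) | {6969}


def bdecode(data):
    """Decode bencode; return (value, bytes_consumed). Strings stay bytes."""
    def _dec(i):
        c = data[i:i + 1]
        if c == b"i":                          # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                          # list: l<items>e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                v, i = _dec(i)
                items.append(v)
            return items, i + 1
        if c == b"d":                          # dict: d<key><value>...e
            i += 1
            d = {}
            while data[i:i + 1] != b"e":
                k, i = _dec(i)
                v, i = _dec(i)
                d[k] = v
            return d, i + 1
        if c.isdigit():                        # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            n = int(data[i:colon])
            start = colon + 1
            if start + n > len(data):
                raise ValueError("truncated string")
            return data[start:start + n], start + n
        raise ValueError(f"not bencode at offset {i}")
    return _dec(0)


def classify_dht(payload):
    """Return a label for a KRPC message, or None if the payload is not one."""
    try:
        msg, used = bdecode(payload)
    except (ValueError, IndexError):
        return None
    # A KRPC message is a single dict filling the datagram, with a transaction id.
    if used != len(payload) or not isinstance(msg, dict) or b"t" not in msg:
        return None
    y = msg.get(b"y")
    if y == b"q":
        q = msg.get(b"q")
        args = msg.get(b"a")
        node_id = args.get(b"id") if isinstance(args, dict) else None
        if not isinstance(q, bytes):
            return None
        if q == b"ping" and isinstance(node_id, bytes) and len(node_id) == 20:
            return "DHT ping request"
        return "DHT " + q.decode("ascii", "replace") + " query"
    if y == b"r" and isinstance(msg.get(b"r"), dict):
        return "DHT response"
    return None


def flag_flow(proto, dport, payload=b""):
    """Indicators for one flow, in the spirit of the sandbox report wording."""
    flags = []
    if dport in BT_PORTS:
        flags.append(f"{proto} to unusual port {dport} (BitTorrent range)")
    if proto == "udp":
        label = classify_dht(payload)
        if label:
            flags.append(label)
    return flags


# Constructed sample payloads (not taken from the analysed file).
NODE_ID = bytes(range(20))
PING_REQ = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"
PING_RESP = b"d1:rd2:id20:" + NODE_ID + b"e1:t2:aa1:y1:re"
HTTP_GET = b"GET /announce?info_hash=x HTTP/1.1\r\nHost: tracker.example\r\n\r\n"

if __name__ == "__main__":
    for proto, port, data in [("udp", 6881, PING_REQ), ("udp", 51413, PING_RESP),
                              ("tcp", 6969, HTTP_GET), ("tcp", 443, b"")]:
        print(proto, port, flag_flow(proto, port, data))
```

Checking that the decoder consumed the whole datagram matters: a random payload that happens to start with a digit or "d" is rejected instead of being reported as DHT, and a ping on a non-standard source port is still recognised because the label comes from the message, not the port.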

fatih.orhan
I'll have it reviewed. Thank you, Pio, for the notification.


fatih.orhan
That's correct, the file is Trojan.Win32.TrojanDownloader.Injector. Fixed.

Thanks.

pio
I have accidentally deleted my previous post (again, during a copy/paste operation and an unexpectedly imposed log off)! :-\ If somebody has already checked it, please give me a short note. Thank you!!!

https://valkyrie.comodo.com/get_info?sha1=5cdf3de454d3e4e5dc83d9563f31f9d65beeb45b
VT: https://www.virustotal.com/de/file/528cc0f79a45a857c1aa1cd2bfcab344b487c46cf0f895f8d6fff120a2be3820/analysis/1500591585/

My final verdict is NOT Clean!!! But sometimes it's just a question of definition... ;)

Two new files:

Human Expert Analysis = Clean >>> https://valkyrie.comodo.com/get_info?sha1=5c6951f5b4b3f6577b907fd1fc74d9a5bf9d5adc
VT: https://www.virustotal.com/de/file/f3626c12ba3d61d4133d74855bd82d9bc093237d6ddb8a2df6875051184e3d2d/analysis/

My Analysis Verdict = Not Clean - PUA.Variant.InstallCore

Some suspicious/malicious indicators: Matched Compiler/Packer signature (Borland Delphi 4.0), File has multiple PE Anomalies (File contains more than 8 sections, PE file contains zero-size sections, PE Parsing in Sections "bss", "tls", "reloc"), File Code is packed and obfuscated, Reads the registry for installed applications, Scanning for window names, Scans for the windows taskbar, Contains ability to lookup the windows account name, Contains ability to reboot/shutdown the operating system, Opens the Kernel Security Device Driver, Found a known API Export symbol (Found reference to API SHGetFolderPathA@SHFOLDER.DLL at PID 00002728), Drops multiple executable files, Drops executable files to the Windows system directory (File type "VAX-order 68k Blit mpx/mux executable" was dropped at "%WINDIR%\Tasks\CouponViewer Toolbar.job"), Process drops a File with positive VT detection >>> "CVHP.exe" >>> https://www.virustotal.com/de/file/c79b5ceb2260c1f229f92a574ddc3a16a2af364d194649df5d8131a5bcf837ba/analysis/, Creates named pipes for inter-process communication (CreateNamedPipeA@KERNEL32.DLL at PID 00002728 & CreateNamedPipeA@KERNEL32.DLL at PID 00002800), Installs hooks/patches the running process ("regsvr32.exe" wrote bytes to address "0x76FE1000" (part of NSI.DLL))

Dropped file:

Human Expert Analysis = Clean >>> https://valkyrie.comodo.com/get_info?sha1=fda1eab5c7c5022b33ebf1b01dc9692f6dc11114
VT: https://www.virustotal.com/de/file/c79b5ceb2260c1f229f92a574ddc3a16a2af364d194649df5d8131a5bcf837ba/analysis/

My Analysis Verdict = Not Clean - PUA.Adware.Elex

Some suspicious/malicious indicators from the dropped file "CVHP.exe": Found many suspicious Strings in file hex table, Matched Compiler/Packer signature (VC8 -> Microsoft Corporation), PE file contains unusual section name, Reads the active computer name, File Code is packed and obfuscated, Contains ability to lookup the windows account name, Tries to create guarded memory sections, Reads the registry for installed applications, Opens the Kernel Security Device Driver, Found API Hooks, Drops executable files ("CouponViewer Toolbar.job" has type "VAX-order 68k Blit mpx/mux executable"), File queries the "Windows Internet library" and "Event Log", File queries sensitive Browser settings (IE).

« Last Edit: July 20, 2017, 09:18:32 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***
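
The PE anomalies named in the post above (more than 8 sections, zero-size sections, unusual section names) are cheap to verify locally before trusting or disputing a sandbox verdict. As an added example, not code from pio, Comodo or the sandbox vendor, the Python below walks the PE section table with nothing but `struct` and reports those three conditions. The sample image is constructed inside the script (a header-only, non-loadable PE32 with a Delphi-style section layout); the 8-section threshold and the list of "standard" section names are assumptions chosen to match the report wording, not a published rule.

```python
"""Check a PE image for the header anomalies the sandbox report lists."""
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
FILE_HEADER_FMT = "<HHIIIHH"
SECTION_HEADER_SIZE = 40

# Section names a linker normally emits (MSVC and Delphi/Borland spellings).
# Assumed list for this example; anything else is reported as unusual.
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".tls", ".pdata", ".CRT",
                  "CODE", "DATA", "BSS", ".itext", ".didata"}


def parse_sections(data):
    """Return [(name, virtual_size, raw_size), ...] from the section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh_off)
    sec_off = fh_off + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        off = sec_off + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, _rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vsize, rsize))
    return sections


def pe_anomalies(data, max_sections=8):
    """Return human-readable findings; an empty list means nothing was flagged."""
    sections = parse_sections(data)
    findings = []
    if len(sections) > max_sections:
        findings.append(f"file contains more than {max_sections} sections ({len(sections)})")
    zero = [n for n, _v, r in sections if r == 0]
    if zero:
        findings.append("zero-size sections: " + ", ".join(zero))
    unusual = [n for n, _v, _r in sections if n not in STANDARD_NAMES]
    if unusual:
        findings.append("unusual section names: " + ", ".join(unusual))
    return findings


def build_pe(section_specs):
    """Constructed sample input: a header-only PE32 with the given
    (name, raw_size) sections. Not loadable; it only exercises the parser."""
    opt_size = 0xE0                            # size of a PE32 optional header
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header right after DOS header
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # PE32 magic, rest zero
    table = b""
    for name, raw in section_specs:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", raw, 0x1000, raw, 0, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt_hdr + table


# Delphi-style layout resembling the report: nine sections, three with no raw data.
DELPHI_LIKE = [("CODE", 0x3000), ("DATA", 0x400), ("BSS", 0), (".idata", 0x600),
               (".tls", 0), (".rdata", 0x200), (".reloc", 0), (".rsrc", 0x800),
               (".ovly", 0x100)]

if __name__ == "__main__":
    for line in pe_anomalies(build_pe(DELPHI_LIKE)):
        print(line)
```

Zero-size BSS, .tls and .reloc sections are what a Borland/Delphi linker routinely emits, so on their own they say "Delphi", not "malware"; the value of running the check yourself is seeing which of the reported anomalies are compiler artefacts and which (a padded or oddly named extra section) point at a packer or appended payload.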

 
