Author Topic: Post Valkyrie Links in Which You Believe That The Manual Analysis Is Wrong  (Read 46543 times)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Thank you pio,

883b9a573b62ff7a82b96ffd96e859f1a592dd09 has been reviewed and marked as Malware.

https://valkyrie.comodo.com/get_info?sha1=883b9a573b62ff7a82b96ffd96e859f1a592dd09

 :-TU  :P0l
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Adware.OneClick

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

https://www.virustotal.com/#/file/9230cf26f6d2e44e4da6814cc38b9895ad4ce90aa1526d7b31cedc370762b4a4/detection

Some suspicious/malicious Indicators : Matched Compiler/Packer/Crypter signature > Compiler : Borland Delphi , File has multiple binary anomalies ( File ignores Code Integrity , Entrypoint is outside of first section , Has "2" executable sections , Contains zero-size sections , Digisig is expired: Dec 18 23:59:59 2017 , Imports sensitive Libraries ( Multiple Provider Router DLL ) ) , Contains ability to start/interact with device drivers , Contains ability to lookup the windows account name , Contains ability to reboot/shutdown the operating system , Contains ability to retrieve keyboard strokes , Contains ability to elevate privileges , Reads the keyboard layout followed by a significant code branch decision ( Found API call GetKeyboardLayout[at]USER32.DLL directly followed by "cmp ebx, dword ptr [00503A9Ch]" and "je 00452916h" from _iu14D2N.tmp.exe ) , Creates named pipes , Hooks/Patches the running process ( "Input Sample" wrote bytes to "MSIMG32.DLL" ) , Opens the Kernel Security Device Driver

« Last Edit: May 23, 2018, 12:59:17 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline ceyhun.b

  • Newbie
  • *
  • Posts: 18
Thank you Pio,

2e25cf5200b9f199cce9ac2d17f71711ffead403 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Thank you Pio,

2e25cf5200b9f199cce9ac2d17f71711ffead403 has been reviewed and marked as PUA.

https://valkyrie.comodo.com/get_info?sha1=2e25cf5200b9f199cce9ac2d17f71711ffead403

Thank you for the information !

Best Regards!
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***



Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Trojan.Generic

https://valkyrie.comodo.com/get_info?sha1=b7a9cd974ba0d72d4396b63da70ff6d572b828a3

https://www.virustotal.com/#/file/e4c1ee64dcaf9a73b92cdc8bafe8d6ba9870124de51a9a4f5d4e4cda8dd28634/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: BobSoft Mini Delphi , File has multiple binary anomalies ( File ignores Code Integrity , The resource directory is invalid , The file has "2" executable sections , Checksum mismatches the PE header value , Entrypoint is outside of first section , The file is resource-less , The count "3" of libraries is suspicious , Contains zero-size sections , The file doesn't register any VersionInfo ) , Found Anti-VM Strings ( Checks amount of system memory ) , Checks if a debugger is present , Tries to delay the analysis , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the active computer name , Reads terminal service related keys , Reads the registry for installed applications , Scanning for window names , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( "Input Sample" is creating a new process > "iexplorer.exe" & "iexplore.exe" is creating a new process > "iexplorer.exe" ) , Writes data to another process ( "iexplorer.exe" ) , Process launched with changed environment ( "iexplorer.exe" ) , Installs hooks/patches the running processes ( "USER32.DLL" , "COMCTL32.DLL" , "ADVAPI32.DLL" , "IEFRAME.DLL", "OLEAUT32.DLL", "OLE32.DLL", "SHELL32.DLL" ) , Duplicates the process handle of another process to obtain access rights to that process ( 37 events ) , Touches multiple files in the Windows directory , Makes a code branch decision directly after an API that is environment aware , Accesses sensitive information from local browsers , Queries sensitive IE security settings , Attempts to modify system certificates , Opens the MountPointManager , Opens the Kernel Security Device Driver , Found possibly malicious network related activity > Connects to an IP address that is no longer responding to requests ( "51.143.22.239" ) , Found an instant messenger related domain ( Indicator: "skype.com"; File: "network.pcap" )
« Last Edit: June 26, 2018, 11:04:54 AM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2578
Hi, pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Doesn't seem to be processed yet ! Please take a look at this and create a classification ! Thanks !

Trojan.Generic

https://valkyrie.comodo.com/get_info?sha1=b7a9cd974ba0d72d4396b63da70ff6d572b828a3

https://www.virustotal.com/#/file/e4c1ee64dcaf9a73b92cdc8bafe8d6ba9870124de51a9a4f5d4e4cda8dd28634/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Borland Delphi , Packer: BobSoft Mini Delphi , File has multiple binary anomalies ( File ignores Code Integrity , The resource directory is invalid , The file has "2" executable sections , Checksum mismatches the PE header value , Entrypoint is outside of first section , The file is resource-less , The count "3" of libraries is suspicious , Contains zero-size sections , The file doesn't register any VersionInfo ) , Found Anti-VM Strings ( Checks amount of system memory ) , Checks if a debugger is present , Tries to delay the analysis , Found strings in conjunction with a procedure lookup that resolve to a known API export symbol , Reads the cryptographic machine GUID , Reads the windows installation date , Reads the active computer name , Reads terminal service related keys , Reads the registry for installed applications , Scanning for window names , Creates guarded memory sections , Drops cabinet archive files , Creates new processes ( "Input Sample" is creating a new process > "iexplorer.exe" & "iexplore.exe" is creating a new process > "iexplorer.exe" ) , Writes data to another process ( "iexplorer.exe" ) , Process launched with changed environment ( "iexplorer.exe" ) , Installs hooks/patches the running processes ( "USER32.DLL" , "COMCTL32.DLL" , "ADVAPI32.DLL" , "IEFRAME.DLL", "OLEAUT32.DLL", "OLE32.DLL", "SHELL32.DLL" ) , Duplicates the process handle of another process to obtain access rights to that process ( 37 events ) , Touches multiple files in the Windows directory , Makes a code branch decision directly after an API that is environment aware , Accesses sensitive information from local browsers , Queries sensitive IE security settings , Attempts to modify system certificates , Opens the MountPointManager , Opens the Kernel Security Device Driver , Found possibly malicious network related activity > Connects to an IP address that is no longer responding to requests ( "51.143.22.239" ) , Found an instant messenger related domain ( Indicator: "skype.com"; File: "network.pcap" )
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 530
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
PUA.Adware

https://valkyrie.comodo.com/get_info?sha1=b16db01b23d7666c3147a9fbfed6d89398d6083d

https://www.virustotal.com/#/file/91e445748413847111655772ca27d82e96794d5467c1be9fd9b3df2910f72a50/detection

Some suspicious/malicious Indicators : Compiler/Packer signature > Compiler : Nullsoft PiMP Stub , Packer: NSIS, appended, Unicode, UPX, UTF-8 , File has multiple binary anomalies ( File ignores Code Integrity , Digisig is expired: Jul 20 21:05:12 2017, Contains another file ( type: Nullsoft, location: overlay, file-offset: "0x00018A08" , "0x00113333" , "0x0063B90D" ) , PE file has unusual entropy sections , CRC value set in PE header does not match actual value , PE file contains zero-size sections ) , Found possibly Anti-VM Strings ( Checks amount of system memory , Queries the disk size ) , Contains ability to open the clipboard , Contains ability to retrieve keyboard strokes , Contains ability to reboot/shutdown the operating system , Contains references to WMI/WMIC , References "1" Windows built-in privilege , Scanning for window names , References suspicious system modules ( "lsass.exe" ) , Drops executable files , Reads the active computer name , Creates guarded Memory sections , Opens the MountPointManager , Opens the Kernel Security Device Driver , Touches multiple files in the Windows directory
« Last Edit: July 16, 2018, 07:33:14 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Chunli

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 2578
Hi, pio

Thank you for your submission.
We'll check them and if found to be malware detection will be added.

Best regards
Chunli.chen
