Tuesday, November 29, 2011

30 PDF files processed by Cuckoo Sandbox - results and samples

Update - a list of the dropped files for each sample and the C&C info from the pcaps is posted at the end of this post, for review and easy Googling.

In addition to the post about the Cuckoo sandbox, please see below the sandbox results and samples for 30 recent PDF files (APT type). I excluded the payload/dropped files because of the large number of benign files in the same folder as the payload. Perhaps seeing the output will help you decide whether you want to deploy the sandbox or not.
If you need to see the payload 'files' folders, please see the previous post for an example or contact me. According to the author, filtering of the file dumps will be added soon.
What you will see in the package:
Original analysis folder (excluding "Files" - the dropped files)
  • Analysis.config - you will see the name of the analysed file there.
  • Analysis.log + report.txt - log of all API calls and created files
  • Dump.pcap file
  • logs folder - in csv format
  • shots folder - screenshots taken
  • Original file itself
Additional files
  • List of all hashes of all files
  • All pcap files converted to text
  • Filtered logs showing dropped files.
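As an added example (not the post's own processing script and not part of Cuckoo), here is how the two "additional files" described above, a hash list of every file in an analysis folder and a dropped-file list filtered out of the CSV API log, can be produced from one analysis folder. The analysis.config section/key names and the CSV column order are assumptions, and the folder is constructed in a temp directory with sample rows so it runs offline.

```python
import configparser, csv, hashlib, os, tempfile
# Assumed CSV layout (constructed, not Cuckoo's documented format): timestamp,pid,process,category,api,status,return,args
SAMPLE_LOG = """\
12:00:01,1234,AcroRd32.exe,filesystem,NtCreateFile,SUCCESS,0,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe
12:00:01,1234,AcroRd32.exe,filesystem,NtWriteFile,SUCCESS,0,C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\svchost.exe
12:00:02,1234,AcroRd32.exe,registry,RegOpenKeyExA,SUCCESS,0,HKLM\\Software\\Adobe
12:00:03,1234,AcroRd32.exe,filesystem,NtCreateFile,SUCCESS,0,C:\\WINDOWS\\system32\\ole32.dll
12:00:04,5678,svchost.exe,network,connect,SUCCESS,0,198.51.100.7:443
"""
WRITE_APIS = {"NtWriteFile", "WriteFile"}  # calls that actually put bytes on disk
def hash_tree(root):
    """{relative path: (md5, sha256)} for every file under root: the 'hashes of all files' list."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            with open(p, "rb") as f:
                data = f.read()
            out[os.path.relpath(p, root)] = (hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())
    return out
def dropped_files(csv_text):
    """Paths written to by the analysed process; open-only rows (system DLLs) and non-file rows drop out."""
    seen = {}
    for row in csv.reader(csv_text.splitlines()):
        if len(row) >= 8 and row[3] == "filesystem" and row[4] in WRITE_APIS and row[5] == "SUCCESS":
            seen[row[7]] = None  # dict keeps first-seen order and drops duplicates
    return list(seen)
def sample_name(root):
    """Analysed file name from analysis.config (section and key names are assumed)."""
    cp = configparser.ConfigParser()
    cp.read(os.path.join(root, "analysis.config"))
    return cp.get("analysis", "file_name")
def build_demo_tree():
    """Constructed stand-in for one analysis folder (sample data, not a real run)."""
    root = tempfile.mkdtemp(prefix="cuckoo_")
    os.mkdir(os.path.join(root, "logs"))
    for rel, data in [("analysis.config", "[analysis]\nfile_name = 1104statment.pdf\n"),
                      (os.path.join("logs", "1234.csv"), SAMPLE_LOG)]:
        with open(os.path.join(root, rel), "w") as f:
            f.write(data)
    with open(os.path.join(root, "dump.pcap"), "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic plus a zeroed global header
    return root
def summarize(root):
    """Sample name, hash list and dropped files for one analysis folder."""
    logs, dropped = os.path.join(root, "logs"), []
    for n in sorted(os.listdir(logs)):
        if n.endswith(".csv"):
            with open(os.path.join(logs, n)) as f:
                dropped += dropped_files(f.read())
    return {"sample": sample_name(root), "hashes": hash_tree(root), "dropped": dropped}
```

Run `summarize(build_demo_tree())` to see the three outputs; point `summarize` at a real analysis folder once you have adjusted the column indices to your Cuckoo version's CSV layout.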

Nov 3 CVE-2011-0611 1104statment.pdf analyzed via Cuckoo sandbox

I have been away and busy with all kinds of stuff (some malware related and some not :) but I am back.
I played a little recently with Cuckoo sandbox - an awesome free sandbox developed by Claudio Guarnieri (LinkedIn). The sandbox has been out for several months, is constantly being improved and has gained a lot of fans. You can read the Cuckoo guide here and also follow active discussions on the Malwr forum. I think the sandbox works very well and is very flexible - it can be developed and extended to analyze any (many) kinds of exploits. You can find descriptions of the sandbox online but I want to post results of the sandbox analysis - something I didn't have a chance to see until I installed it. I will post unfiltered results and with some minimal processing (conversion of pcaps to text, filtering out search results, etc.). This tool is still in development and you will not get polished reports like you see on ThreatExpert, but they are exportable into a database of your choice, searchable, and "tweakable". If you already tried it a while ago, try it again; I heard the later versions are much better than the earlier ones.

Thursday, November 17, 2011


Believe it or not, I am still alive and will post something soon.

Thursday, November 3, 2011

Step by step binary analysis with Frankie Li (dg003.exe dropper from "XinTang Event.chm")

With the express written permission of the author, here is an excellent paper, "A Detailed Analysis of an Advanced Persistent Threat Malware", and the corresponding malware sample, which you can reverse engineer following the step by step explanation by the author Frankie Li (http://espionageware.blogspot.com/) of vxrl.org (Valkyrie-X Security Research Group).

Another great analysis by the same group, of another CHM file, can be found here: Evidence of Advanced Persistent Threat: A Case Study of Malware for Political Espionage (paper for the IEEE 6th International Conference on Malicious and Unwanted Software (Malware 2011)).

Do you wonder whether your sample is APT or just crimeware? Use their Xecure Deezer - APT identification engine.