Monday, 25 February 2019

Multisandbox update to Dr.Web vxCube 1.2 brings Android analysis

The multi-sandbox project is under continual improvement. In June 2018, we announced our integration with Dr.Web vxCube. Today we are happy to announce an update to Dr.Web vxCube that adds support for Android. With more than 2 billion active Android devices, having visibility into Android is a very welcome feature. Note that this adds to other multi-sandbox Android setups such as Tencent HABO for Android and VirusTotal Droidy.

In their own words:
We are proud to introduce our newest malware analyzer that now supports the Android platform - Dr.Web vxCube 1.2. It maintains the same fast and versatile functionality when working with the Android files. Dr.Web vxCube 1.2 conducts a thorough analysis of APK files and provides in-depth reports on their behavior in the sandbox environment, including information about SMS and calls they could try to make. Moreover, each report includes manifest information with a full list of app’s permissions, activities, broadcast receivers and services.
To view the details generated by Dr.Web vxCube make sure to click on the behavior tab:


To demonstrate some of the features, let's take a look at a few malware samples:

https://www.virustotal.com/gui/file/beb7eefb2008aaf28e75d6ec24eb055c57473c4fd91c4ed70c15e352c0c825f8/behavior/Dr.Web%20vxCube

https://www.virustotal.com/gui/file/a8bf520bcc7336ec447d58794be22715f65ccd0f1c020b5cb7fd6a3599d79e44/behavior/Dr.Web%20vxCube

Detection summary

At the top of the detailed report we can clearly see a detection summary for this APK file. Note that it displays a verdict based on execution behavior; this verdict may complement Doctor Web's antivirus engine running in VirusTotal.


 

Malicious functions

We can see the app is sending SMS spam with malicious URLs:





 

Network activity

The network activity map visually shows where the traffic goes, along with protocol and address information.


 

Connect the dots

With VT Graph you can see all the relationships above in a single nodes-and-arcs graph enriched with the historical knowledge of the VirusTotal dataset. Forget about having dozens of open tabs to investigate a single incident; one canvas is all you need.



Moreover, as you can see above, you can easily generate an embeddable graph object in order to display your investigation in sites other than VT Graph.

 

Digging deeper

VT Enterprise users can try some more advanced searches using search modifiers in order to identify interesting samples based on behavioral observations and other structural and in-the-wild metadata.

For example you can search for filenames within the behavior data:
behavior_files:"com.adobe.flash/files/BotPrefix"



Similarly, the behavior-scoped modifiers can be combined with any other facets in order to pinpoint not only malware families but also their command-and-control servers, drop-zones, additional infrastructure, etc.

type:apk androguard:"android.permission.READ_PHONE_STATE" behavior_network:http positives:10+


 

More insights and giving back to Doctor Web and the community

If you are as grateful as we are for these new insights into Android apps, you can give back to Doctor Web and the community by helping them receive more APKs so that they can continue to improve their defenses. The easiest way to do this is through a community-developed VirusTotal App that will make the task of uploading new APKs to VirusTotal a no-brainer:

https://play.google.com/store/apps/details?id=com.funnycat.virustotal

We look forward to continuing to work closely with Doctor Web; meanwhile, we continue to encourage other sandbox setups to join the multisandbox project.

Thursday, 7 February 2019

Multisandbox project welcomes SecondWrite

We are excited to announce the integration of SecondWrite into the multi-sandbox project. The multi-sandbox project's goal is to aggregate many sandboxes in a similar fashion as the way we integrate Anti-Virus products. With this integration we are now up to 6 sandboxes including ReaQta-Hive, Tencent Habo, VirusTotal Droidy, Cyber adAPT ApkRecon and Dr. Web vxCube. SecondWrite offers some cool features which we will detail below.


In their own words:

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware. Its platform combines dynamic sandbox analysis with static analysis to leverage the best features of both. Its patented technology on forced code execution finds and executes hidden code paths that other sandboxes miss. It uses advanced neural networks that can auto-learn what suspicious code patterns to look for, without human-specified signatures. The neural networks are further enriched by its technology to detect evasive and anti-analysis features in malware.

To view the SecondWrite report make sure to check out the detailed report.


Within the detailed reports, for a quick summary, take a look at the detection scores and classifications.

Malware Score


Classification of different categories

Let's dig a little deeper and see some more features:

Forced Code Execution (FCE)

See for example the file fcd6c16a61b286bb6951e49869fcadbc9bf83bccf31dc2e3b3c8f7ad23d6054f.

Within the detailed report you can see the IOCs generated by the FCE feature, extracted by SecondWrite's driver. In this example we see that the sample attempts to repeatedly call a single API to avoid analysis. The FCE feature can rewrite one or more conditional statements to get the code sample to execute. Furthermore, some of the discovered events were characterized as Ransomware IOCs, Stealth IOCs, and Anti-Analysis IOCs.

 

Program-Level Indicators (PLI)

 


Typical hook-based approaches gather information about program behavior by capturing application to library function calls and application to kernel system calls. This approach is very effective at capturing how an application interacts with the underlying system through supported Application Program Interfaces (APIs), but it completely misses classes of evasion techniques intended to modify a program running in memory. SecondWrite's Program-Level Indicators are patterns that can only be discovered by looking at the assembly instructions themselves. Frequently the instruction sequences chosen by malware have second-order effects that are beneficial only to malicious programs attempting to hide something. The following report contains two such examples: anti-binary translator code to defeat static analysis and an Import Address Table (IAT) bypass.



Machine learning can be very effective at finding subtle, multivariable associations that are impossible for a human to find. The most granular dataset to feed to a machine learner is sequences of assembly instructions. SecondWrite's Automatic Sequence Detection technology is able to discern instruction sequences that are only found in malicious applications and give a confidence level. It is precise enough to limit false positives, but also broad enough to not be susceptible to artificial changes injected to malware strains such as is the case with polymorphic malware. The following report shows a sample that was determined to be malicious by Automatic Sequence Detection with a 93% confidence:
https://www.virustotal.com/gui/file/520c376e726ca11d47566cbbd03f764646c4e498d76b8457e4cf28e940ca79f1/behavior/SecondWrite

Next, we can click on the relations tab to see how it's related to other IP addresses, domains, and URLs.


In this graph we can see related files based on network communication, with common URLs, Domains and IP addresses: