
An open and agile malware analysis sandbox, the new community feature

Blueliv has always focused on making Cyber Intelligence available to everyone, and we believe that sharing intelligence is the key to gaining the upper hand in an ever-changing fight against cyber crime. We began with the free Cyber Threat Intelligence API, so you could feed your systems with data about C2 servers; then we gave you the ability to check whether one of your assets is infected by one of the botnets we have intelligence on; and now we bring you another feature that we hope you will like as much as we do.

We are proud to announce that today we are releasing a new feature for Blueliv’s Community: our free online malware analysis sandbox. With this sandbox you can upload a malware sample (32-bit and 64-bit PE files plus Office and PDF documents for now; other formats are under development and testing), have it analyzed, and obtain a report that includes the network connections the sample made during runtime analysis.

This is useful in many situations. For example, while handling a malware-related incident, you can obtain information about the sample quickly by just uploading it, and then block in your firewalls any suspicious IPs or domains the sample connected to. That is why our free online sandbox is a good replacement if you do not have your own in-house solution. It provides valuable information for a basic analysis (anti-virus matching, signature matching, network connections, etc.), and offers early indicators you can use right away to scan your infrastructure for existing infections. It also provides a quick way to further protect your infrastructure.

Now let’s see a real example with a Dyre sample. First you have to register in the Blueliv community, then click on the sandbox icon, and once you are in the sandbox interface you can upload the sample:


The sample will take at least 2 minutes to be analyzed. Once the analysis finishes, we can inspect the results:

* First, looking at the summary, you can see that the sample made connections to Serbia, the US and Ukraine.

* Taking a quick deep dive into the HTTP and TCP protocols, you will notice the following:

  * The US IP belongs to icanhazip.com, meaning that the malware tries to learn the real public IP of the infected machine.

  * A GET request to port 13227 can be seen, in which the sample sends the machine name, Windows version, etc. during its initial registration phase. Communications to port 443 that do not follow the standard HTTP protocol can also be observed.



* Looking at the signatures, the sample’s maliciousness can be identified quickly thanks to the “Antivirus Matched” and “Browser Stealer” findings.


* If you still have any doubt, you can double-check what the AVs say about the sample at VirusTotal by simply clicking the VT icon at the top of the page.


Having found that, one could write a quick YARA rule to run against the PCAP file, which can be downloaded from the interface. Once you have the rule, you can use it to identify the same malicious patterns in your own network traffic.

    rule dyre_network: dyre_network
    {
        meta:
            description = "simple dyre network yara rule"
            thread_level = 3
            in_the_wild = true

        strings:
            $o01 = "icanhazip.com" nocase
            $cc1 = /[^0-9][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:13227/ nocase
            $cc2 = /[^0-9][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:4443/ nocase
            $cc3 = /[^0-9][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\:443/ nocase

        condition:
            2 of ($cc*) and $o01
    }
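As an added example (not from the post or from Blueliv's tooling), the following pure-Python script shows what the rule above actually keys on: it runs the same strings as byte regexes over the raw PCAP bytes, the way YARA scans a file, and then derives ip:port block-list entries from the parsed TCP headers instead, which also catches the non-HTTP traffic on port 443 that leaves no "ip:443" text for a string match. The capture is constructed inline in the shape of the post's findings (public-IP lookup, registration GETs on 13227 and 4443, binary payload on 443); the IPs, URL path and port 4443 usage are assumptions, not the real sample's traffic.

```python
import re, socket, struct

def build_pcap(flows):
    """Constructed pcap writer (Ethernet/IPv4/TCP, checksums left zero): flows of (src, dst, dport, payload)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, link type 1 = Ethernet
    for src, dst, dport, payload in flows:
        tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip  # zeroed MACs, EtherType 0x0800 = IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame  # per-packet header
    return out

def tcp_segments(pcap):
    """Yield (dst_ip, dst_port, payload) for every IPv4/TCP frame in an Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame, pos = pcap[pos + 16:pos + 16 + caplen], pos + 16 + caplen
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[9] != 6:
            continue  # not IPv4/TCP
        tcp = ip[(ip[0] & 0x0F) * 4:]  # skip the IP header (IHL is in 32-bit words)
        yield socket.inet_ntoa(ip[16:20]), struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

# The post's YARA strings as byte regexes; like YARA, they are searched in the raw file bytes.
O01 = re.compile(rb"icanhazip\.com", re.IGNORECASE)
CC = [re.compile(rb"[^0-9][0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}:" + p)
      for p in (b"13227", b"4443", b"443")]

def dyre_network_match(pcap):
    """Mirror of the rule condition '2 of ($cc*) and $o01', evaluated over the whole file."""
    return sum(1 for r in CC if r.search(pcap)) >= 2 and O01.search(pcap) is not None

def c2_candidates(pcap):
    """ip:port block-list entries from parsed headers: the rule's C2 ports, plus non-HTTP payload
    on 443 (the post's observation), which leaves no ASCII 'ip:443' text for a YARA string to find."""
    return sorted({f"{ip}:{port}" for ip, port, data in tcp_segments(pcap)
                   if port in (13227, 4443) or (port == 443 and data and not data.startswith(b"GET "))})

# Constructed traffic shaped like the post's findings (assumed values, not the real Dyre capture).
SAMPLE_PCAP = build_pcap([
    ("10.0.0.5", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: icanhazip.com\r\n\r\n"),
    ("10.0.0.5", "198.51.100.7", 13227, b"GET /reg/WIN7-PC/6.1/ HTTP/1.1\r\nHost: 198.51.100.7:13227\r\n\r\n"),
    ("10.0.0.5", "198.51.100.7", 4443, b"GET /reg/WIN7-PC/6.1/ HTTP/1.1\r\nHost: 198.51.100.7:4443\r\n\r\n"),
    ("10.0.0.5", "203.0.113.9", 443, b"\x16\x03\x01\x00\x2f\x01\x00"),  # binary payload, not HTTP
])
```

Running `dyre_network_match(SAMPLE_PCAP)` returns True because two Host headers carry the ip:port text, while `c2_candidates(SAMPLE_PCAP)` also lists the 443 destination that the text-based strings cannot see.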


Remember that this sandbox is just getting started; as our research progresses, we will develop more features for it. Stay tuned!

The sample used for this test is a Dyre banking Trojan whose SHA-256 hash is:

07fedfeb0a7697a0ea8092bff0385000c1d2c99ecbbe27710863fe93c90de01a

We hope you will enjoy using our sandbox to get quick network information and that, together with the information we provide through our API (see our other posts: ELK Plugin, Splunk Plugin, Start Collaborating), it helps you react quickly to any security incident inside your network.

For inquiries do not hesitate to contact us.
