Analyses of Malware Files

Authors
  • Predrag TASEVSKI

PURPOSE

The main goal of this laboratory report is to analyse three malware files from the archive sent by the lecturer. The archive contains 89 malware files. The three files were chosen by the following algorithm:

  1. Sort the files by name.
  2. First number: the last digit of your student code + the day of your birthday.
  3. Second number: generate a random number from https://www.random.org/ and, only if it does not match the first number, use it to choose the file.
  4. Third number: use the random number generator again and, if the result does not match the first or second number, use it.

The malware archive could be downloaded from the following [link] [unfortunately not available anymore].

WARNING FILE CONTAINS LIVE VIRUSES

Tasks that need to be completed for this laboratory assignment:

  • Pick your malware
  • Run your malware against 2 of the following online analysis tools:
      • virustotal
      • comodo
      • threatexpert
  • Find 2 additional online analysis tools with which to analyse the virus.
  • Things that should be presented in the laboratory report:
      • Chosen numbers
      • General information about the malware:
          • name
          • md5
          • sha1
          • link to the analysis result, if possible
          • link to disinfecting instructions – if not possible, an explanation of why not
      • Analysis tools – links
      • Your opinion about each analysis tool and a comparison of the results.

Firstly, in section Chosen files we analyse the chosen files, giving for each file the information required above, detailed analysis results, links to disinfecting instructions and the analysis tools used for this purpose. Secondly, our opinion of each analysis tool used and a comparison of the results are presented in section Analysis. In addition, section Appendixes describes the virtual environment used for this laboratory report. We know that if we open these files on our real machine we will get infected; that is why we use a Linux virtual environment.

Furthermore, each file is analysed with two different tools, in order to gather more information and a solution for the disinfecting process. Finally, the conclusions drawn from all the collected data are summarised in the Conclusion section.

CHOSEN FILES

The numbers of the chosen files and the names of the files to be analysed are listed below:

  1. Number: 71; File name: sales.exe; Size: 454.7 KB
  2. Number: 57; File name: mgre.exe; Size: 61.4 KB
  3. Number: 60; File name: moos3.exe; Size: 91.6 KB

FILE 1

File name: sales.exe; Size: 454.7 KB; Number: 71.

MD5: 093e72cbc78b46e977561c5874cfab4c
SHA1: e79a730b01b6689c336138f39c79fbd2ea45b6c1
SSDeep: 12288:2Pqr7eKhHvZ3NSYqHMsD+vgp0pQe1lhJ:283vhN1qHMsD+Ip8QEz

Links to the analysis reports:

  1. [Link](https://www.netscty.com/report/690/e12093ea-3ae7-4fac-a218-5721b1aabded-347)
  2. [Link](https://www.virustotal.com/file-scan/report.html?id=6f47a1f72fa005900f40803ede1a2a55167e641011271b49543eef748ffcb5a1-1318408947#)

The above malware file is reported to be capable of sending out e-mail messages with a built-in SMTP client engine. Second, it shows characteristics of Waledac, a worm that spreads by sending e-mails containing links to copies of itself. Finally, it creates a startup registry entry.

The links provided show which anti-virus software can disinfect the malware infection.

Tools for analysing the malware are:

  1. Netscty – Online Sandbox
  2. Virustotal.com
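The MD5, SHA-1 and SHA-256 values above are the identifiers each online service keys its report on, so before trusting a report it is worth recomputing them locally and checking that the file in hand is the same sample. The following Python is an added example, not part of the original report; the reference hashes are the ones this report lists for sales.exe, the URL patterns are the ones the report's links use (the services may no longer be live), and the sample bytes are a constructed stand-in, not the malware.

```python
import hashlib
from typing import Dict

# Hashes as listed in this report for File 1 (sales.exe); copied from the page.
SALES_EXE_KNOWN = {
    "md5": "093e72cbc78b46e977561c5874cfab4c",
    "sha1": "e79a730b01b6689c336138f39c79fbd2ea45b6c1",
}

# Report URL patterns as the links in this report use them; each service
# expects a different hash as the sample identifier.
LOOKUP_TEMPLATES = {
    "threatexpert": ("md5", "https://www.threatexpert.com/report.aspx?md5={}"),
    "comodo": ("sha256", "https://camas.comodo.com/cgi-bin/submit?file={}"),
}


def digest_sample(data: bytes) -> Dict[str, str]:
    """Return md5/sha1/sha256 hex digests of in-memory sample bytes."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def hash_file(path: str) -> Dict[str, str]:
    """Stream a file in 64 KiB chunks so a large sample need not fit in memory."""
    hs = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hs.values():
                h.update(chunk)
    return {n: h.hexdigest() for n, h in hs.items()}


def verify_identity(hashes: Dict[str, str], known: Dict[str, str]) -> Dict[str, bool]:
    """Compare every algorithm the reference lists; one mismatch means a different sample."""
    return {algo: hashes.get(algo, "").lower() == ref.lower() for algo, ref in known.items()}


def lookup_urls(hashes: Dict[str, str]) -> Dict[str, str]:
    """Build the per-service report URL from the hash that service indexes by."""
    return {svc: tmpl.format(hashes[algo]) for svc, (algo, tmpl) in LOOKUP_TEMPLATES.items()}


if __name__ == "__main__":
    sample = b"MZ constructed stand-in, not the real sales.exe"  # constructed input
    h = digest_sample(sample)
    # Every entry is False: the stand-in is not the sample the report describes.
    print("matches report:", verify_identity(h, SALES_EXE_KNOWN))
    print(lookup_urls(h))
```

Replace `digest_sample(sample)` with `hash_file("/path/to/sample")` to check an actual archive member.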

FILE 2

File name: mgre.exe; Size: 61.4 KB; Number: 57.

MD5: 1375a8e437db6acafe2b0419cfbff7ec
SHA1: b48f702a5a0fa8558c278dd97ecfbd0d637fefd3
SHA256: 89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709

Links to the analysis reports:

  1. [link](https://camas.comodo.com/cgi-bin/submit?file=89294d70e80547aac5b506915d2e8fc0309c0e578ab16fc9875c9a4668e63709)
  2. [link](https://wepawet.iseclab.org/view.php?hash=1375a8e437db6acafe2b0419cfbff7ec&type=js)

From the analysis links above we can conclude that the file creates registry keys, changes registry values, changes only one file, creates a process called sample.exe and adds a value to the modules.

The links do not show any way of disinfecting this malware file. My personal opinion of the above links is that they are good in that they show you this file is malware, but they still do not give you enough information that could help with further instructions and the actions that should be considered, not even information or links about which anti-virus software can help you.

Tools for analysing the malware are:

  1. Comodo Instant Malware Analysis
  2. Wepawet

FILE 3

File name: moos3.exe; Size: 91.6 KB; Number: 60.

MD5: 4ddade6548142d5fd5b742f34b71e1da
SHA-1: 5345bdd52591b0fcd8e9a81fed7a7b588e24a15d

Links to the analysis reports:

  1. [Link](https://anubis.iseclab.org/?action=result&task_id=13e22805d763a08d4d158904eae5e709d&format=html)
  2. [Link](https://www.threatexpert.com/report.aspx?md5=4ddade6548142d5fd5b742f34b71e1da)

The malware file shows the characteristics of an identified security risk; the probable identification is Backdoor.Agent.AJU [Backdoor.Agent.AJU]. The threat category is network-aware worm and malicious trojan horse. It modifies the file system, memory and registry. The origin of this malware points to a possible country of origin, the Russian Federation.

From the reports we can conclude that most well-known anti-virus software detects this malware infection and can disinfect it.

Tools for analysing the malware are:

  1. Anubis: Analyzing Unknown Binaries
  2. ThreatExpert

ANALYSIS

The web tools used to analyse the three randomly chosen files are listed below.

Moreover, we compare each of these services: what kind of information they show and provide, whether they supply a disinfection solution and, if so, how, and if not, why not.

  1. Netscty – Online Sandbox
  2. Virustotal.com
  3. Comodo Instant Malware Analysis
  4. Wepawet
  5. Anubis: Analyzing Unknown Binaries
  6. ThreatExpert

To compare the results from the above list of online analysis tools I have set up a score from 1 to 5 for each section, where a higher score means a better solution. The attributes are the following:

| Tool           | Easy to use | Provides enough information | Disinfection information | TOTAL |
|----------------|-------------|-----------------------------|--------------------------|-------|
| Netscty        | 4           | 5                           | 4                        | 13    |
| Virustotal.com | 5           | 4                           | 5                        | 14    |
| Comodo         | 5           | 3                           | 2                        | 10    |
| Wepawet        | 4           | 1                           | 1                        | 6     |
| Anubis         | 5           | 3                           | 1                        | 9     |
| ThreatExpert   | 5           | 5                           | 5                        | 15    |

The above table gives a clear overview of which tool is easy to use, provides enough information and provides disinfection information, and which gains the highest mark.

CONCLUSION

I would like to generalize that, from the above information, we see that each online analysis tool has its own means, criteria and different information to distribute. On the whole, some of them were not that easy and simple to use, yet they provided us with the expected information and disinfection solutions. Therefore, our winner for this test is ThreatExpert. But bear in mind that I have not measured and compared all the online toolkits for analysing files, just the ones listed in the previous section. For more, please refer to the following article published in 2010 by Lenny Zeltser [MalwareAnalysisToolkit].

In summary, we found out that the chosen files are malware and, likewise, that they can harm our computer in different ways. Still, for some of them we obtained information, for instance on how to disinfect the computer. Therefore, we made a comparison table to rank the best online analysis tool for malware, with 6 tools in total and different score ranks. The first is ThreatExpert, the second Virustotal.com and the third Netscty, and these three tools differ in score by one point each.

APPENDIXES

Appendix 1 is the configuration of the virtual environment.

APPENDIX 1

Virtual environment: Oracle VirtualBox Version 4.1.2 r73507. Downloadable from the following [link]: https://www.virtualbox.org/wiki/Downloads
Guest: Security Fedora 14 32 bit – Client: https://spins.fedoraproject.org/security/
Base Memory: 512 MB
Acceleration: VT-x/AMD-V, Nested Paging
Display: Video memory: 12 MB
Storage: SATA Controller, Port 0: 8 GB
Network:
  • Adapter 1: Paravirtualized Network (NAT)
  • Adapter 2: Intel PRO/1000 MT Desktop (Host-only adapter, VirtualBox Host-Only Ethernet Adapter)

Bibliography

[Backdoor.Agent.AJU] ThreatExpert, "ThreatExpert's Statistics for Backdoor.Agent.AJU [PC Tools]", 2011, link

[MalwareAnalysisToolkit] Lenny Zeltser, "5 Steps to Building a Malware Analysis Toolkit Using Free Tools", January 2010, link