DeXRAY 2.01 update

September 23, 2017 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

I recently came across an AV called BullGuard. I have never heard of it so it triggered my curiosity, not about the protection, but more about the algorithm it uses for its Quarantined files.

Yup. Yet another hobby of mine.

The algo turned out to be a simple xor, and as a result of this ‘research’ DeXRAY now supports one more quarantine file format…

You can download it here.

The full list of supported or recognized file formats is listed below:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0=’-chest- ‘)
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • BullGuard (Q)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; Quarantined files are not encrypted 🙂
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0=’KSS’)
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7 which is a ‘VSBX’ string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

Enter Sandbox – part 15: The muddy, heavy water world of atomic formats…

September 22, 2017 in Batch Analysis, Clustering, Malware Analysis, Reversing, Sandboxing

Sample analysis process typically covers looking at the most common forensic suspects including mutexes, event names, and atoms. However, there is one more sub-artifact sitting on the same bench with the last one I have listed… one that often escapes the scrutiny of sandboxes and malware analysts – the clipboard format.

The clipboard format is registered using the RegisterClipboardFormat function – it allows applications to interchange data as long as they understand the format. The registration is implemented with the use of atoms as explained in this presentation.

Sandboxes and analysts inspecting the calls to RegisterClipboardFormat can use the received data in many ways. It can help to determine a file type of the sample, its modules, detect a family of a malware/adware, or perhaps a programming framework, and in some cases heuristically detect capabilities of the tested sample. I have listed a few example clipboard formats below. If you look at it one set that immediately stands out are Delphi clipboard formats:

  • Delphi Picture
  • Delphi Component
  • ControlOfs<HEX-STRING> (f.ex. ControlOfs00400000000007A8)

Finding these in the API calls or even in memory is a good indication that there is a Delphi application running.

The same goes for ATL samples:

  • WM_ATLGETCONTROL
  • WM_ATLGETHOST

There are also malware-adware-specific formats e.g.:

  • AmInst__Runing
  • yimomotoTec Picture
  • yimomotoTec Component
  • PowerSpider
  • RinLoggerInstance
  • SatoriWM_SetNetworkShareableFlag
  • Transfer_File_Success_Doyo
  • 180StartDownload

… RAT-related formats:

  • WinVNC.Update.Mouse
  • WinVNC.Update.DrawRect
  • WinVNC.Update.CopyRect
  • WinVNC.AddClient.Message
  • UltraVNC.Viewer.FileTransferSendPacketMessage

… test formats:

  • Hey, this is unicough single instance test
  • UWM_GAMETESTCMD_{75AEED17-2310-4171-94C6-08AC4438E814}_MSG
  • Message.My.Super.Puper.Test.Program.XXX
  • KSDB_TEST: Message communciation between Agent and its TEST host client.
  • FONT-TEST

… various functionality-related formats:

  • WM_HTML_GETOBJECT
  • RasDialEvent
  • EXPLORER.EXEIsDebuggerPresentExEdLl
  • winmm_devicechange
  • WM_HOOKEX_RK
  • UWM_KEYHOOK_MSG-968C3043-1128-43dc-83A9-55122C8D87C1
  • Transfer_File_Success_Doyo
  • 3rdeye_tb_hacking_dll
  • keyhook_msg

… P2P programs formats:

  • EMULE-{4EADC6FC-516F-4b7c-9066-97D893649570}
  • KazaaNewSearch

… possible hints on programmer’s mother tongue:

  • Karte ziehen
  • querodarmeucu

…random:

  • trhgtehgfsgrfgtrwegtre
  • frgjbfdkbnfsdjbvofsjfrfre
  • hgtrfsgfrsgfgregtregtr
  • gsegtsrgrefsfsfsgrsgrt

A short list of top 30 formats I collected from my sampleset:

 46894 TaskbarCreated
 30020 commdlg_FindReplace
 27886 Delphi Picture
 27886 Delphi Component
 27491 commdlg_help
 13920 WM_ATLGETCONTROL
 13914 WM_ATLGETHOST
 11000 3
  8395 commctrl_DragListMsg
  7445 1
  6909 WM_GETCONTROLNAME
  5475 FileName
  5020 Embedded Object
  4899 Link Source
  4885 Rich Text Format
  4787 Object Descriptor
  4652 commdlg_ColorOK
  4576 OwnerLink
  4574 Embed Source
  4569 Link Source Descriptor