Trojan.TDR
Udi Shamir (Ta!0n), COSEINC (AML) Advanced Malware Labs
Overview

TDR malware targets specific companies which use McAfee protection suites. The malware uses anti-debugging, antivirus awareness and careful process injection techniques to evade detection. It also transmits sensitive information to command and control servers.

Background

Currently, most malware attacks take the form of trojan downloaders, bankers and BHOs (browser helper objects). A functional trojan seldom gets embedded within the payload of an exploit, but TDR is one such exception.

Infection Details

TDR was found by our researchers on a high profile host, but its infection vector is still unknown to us. At this point, we believe that it was dropped by one of Adobe's latest CVEs.
Technical Summary

TDR's functionality can be split into two components: the loader and the payload. The loader performs the preliminary safety checks, such as running in minimized mode, detecting a debugger and evading specific antivirus software. When the environment is deemed safe, it proceeds to load the second stage, the payload. The payload performs sophisticated process injection, unpacks the main payload section and creates a new process which looks benign. More importantly, the new process is specifically built to evade detection by McAfee Antivirus.

The Loader (tdr.mal.exe)

The loader first calls the function that performs the anti-debugging check, to ensure that the malware is not being analyzed or debugged. When executing, TDR stays silent by passing the Windows hide flag (SW_HIDE) in the following STARTUPINFO structure:

    Startupinfo = 0018FF44 -> STARTUPINFOA {Size=0, Reserved1=NULL, Desktop=NULL, Title=NULL, X=0, Y=0, Width=0, Height=0, XCountChars=0, YCountChars=0, FillAttribute=0, Flags=0, ShowWindow=SW_HIDE, Reserved2=0, Reserved3=NULL, hstdinput=null,
Anti-Debugging Function

The anti-debugging technique is known but not commonly used. The author chose the OutputDebugStringA Win32 API. OutputDebugString accepts a single string and sends it to the debugger. The trick is very simple: the developer sets a DWORD value with SetLastError() and calls OutputDebugString. If a debugger is present, GetLastError() still returns the value that was passed to SetLastError(); if the value has been cleared, no debugger is attached. TDR exits if a debugger is attached.

    void WINAPI OutputDebugString(_In_opt_ LPCTSTR lpOutputString);

    DWORD TESTDATA = 007;
    SetLastError(TESTDATA);
    OutputDebugString(L"F00 Fighters");
    if (GetLastError() == TESTDATA) {
        // the value survived the call: a debugger is attached
    }

When disassembling TDR's binary we can see the call to OutputDebugStringA with the debugger-specific message.

Evading Antivirus

Most trojans choose to stop execution when they detect the presence of antivirus software. TDR, on the other hand, seems to target McAfee; its disassembled code shows this behaviour. The detection technique is very simple: TDR calls the RegQueryValueA Win32 API and searches the registry keys for the presence of McAfee products. When it detects McAfee Antivirus, it creates a process named services.exe; if McAfee is absent, it creates a process named svchost.exe. The disassembled code below shows the logic behind this.
Our research machine did not contain any McAfee products, so TDR created the svchost.exe process and called the packed payload routine at address 0x. The unpacking routine is at address 0x. The packed section is at address 0x. The unpack function is at address 0x040102E.
The Payload

The TDR payload is packed, and its unpacking routines start when the loader finishes its initialization. The unpacking routine is tedious and time consuming; once it is done, TDR creates a new process whose name depends on whether McAfee products are present. In our setup, the process name was svchost.exe.

    CreateProcess(NULL, "svchost.exe", "tdr.mal.exe", NULL, NULL, FALSE, CREATE_SUSPENDED, ...);

Create Process

The CreateProcess parameters indicate that TDR creates the new process in suspended mode and subsequently performs process injection.

Process Injection

TDR uses an uncommon injection technique which was first introduced by the Duqu malware. This technique is also referred to as the puppet process technique, as the first created process is just a puppet that does nothing. The injection steps are described below:

1. TDR needs to locate the entry point of the newly created process and its ImageBase. It achieves this by finding the ImageBaseAddress through calling ZwQueryInformationProcess() and then ReadProcessMemory().
2. The ImageBaseAddress is at offset 0x8 of the PEB. Below is the debugger's output after extracting the PEB structure.
3. The next step is to map the original PE section from tdr.mal.exe using ZwMapViewOfSection() with BaseAddress equal to 0. The malware copies the entire PE image and modifies its image address to that of the newly created process. During this step, TDR has already unpacked its payload into memory and is pointing to the new entry point of the svchost.exe puppet process. Below is example code which demonstrates how TDR extracts the ImageBaseAddress (pi is the PROCESS_INFORMATION filled in by the CreateProcess call above):

    PROCESS_BASIC_INFORMATION pbi;   // receives the pointer to the PEB
    DWORD ImageBase;
    SIZE_T nb_read;

    // resolve the undocumented ZwQueryInformationProcess from ntdll
    long (__stdcall *ZwQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG) =
        (long (__stdcall *)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG))
        GetProcAddress(GetModuleHandleA("ntdll"), "ZwQueryInformationProcess");
    ZwQueryInformationProcess(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), NULL);

    // extract ImageBase from PebBaseAddress + 8
    ReadProcessMemory(pi.hProcess, (BYTE*)pbi.PebBaseAddress + 8, &ImageBase, 4, &nb_read);
4. Before copying the new image into the puppet process, TDR unmaps the svchost.exe memory section with BaseAddress equal to the ImageBaseAddress. It then copies the original PE image using memcpy(). When everything is completed, it unlinks (removes) the original image.

[Diagram: the new svchost.exe process (PE header + svchost image) and the TDR image from tdr.mal.exe; after injection the new svchost.exe process contains the TDR image behind its original PE header.]

The diagram above shows the injection flow. TDR creates a new process named svchost.exe. It unmaps the existing image of the new process using ZwUnmapViewOfSection(). It creates a new section using ZwMapViewOfSection() and copies the malware's section using memcpy(). It removes the original sample tdr.mal.exe.

Why did TDR take these extra steps when creating a new process?

1. The newly created process svchost.exe is a valid system service, hence it looks benign.
2. The PE header is benign, since TDR replaces the image and not the PE header. This leaves the header completely unchanged.
3. This technique fools McAfee Antivirus, which inspects the headers and structures.
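A defender-side check for exactly the pattern described above (PE header untouched, image body replaced), written for this page as an added example and not code from the report: it parses a PE section table, lays the file out the way the loader would, and diffs it against a dump of the process image. The PE bytes are constructed stand-ins, not svchost.exe or the TDR sample.

```python
import struct
from dataclasses import dataclass

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int


@dataclass
class PEInfo:
    image_base: int
    header_len: int          # bytes covered by the DOS, NT and section headers
    sections: list


def parse_pe(data: bytes) -> PEInfo:
    """Minimal PE parser: ImageBase (the value TDR reads from PEB+8) and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic")
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, sec_off + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize, chars))
    return PEInfo(image_base, sec_off + 40 * nsec, sections)


def map_image(disk: bytes) -> bytearray:
    """Lay the file out as the loader would: headers at RVA 0, each section at its VirtualAddress."""
    pe = parse_pe(disk)
    size = max([pe.header_len] + [s.virtual_address + max(s.virtual_size, s.raw_size) for s in pe.sections])
    mem = bytearray(size)
    mem[:pe.header_len] = disk[:pe.header_len]
    for s in pe.sections:
        mem[s.virtual_address:s.virtual_address + s.raw_size] = disk[s.raw_pointer:s.raw_pointer + s.raw_size]
    return mem


def check_hollowing(disk: bytes, mem) -> dict:
    """Compare the on-disk file with a dump of the process image starting at ImageBase.
    Header identical but a non-writable section body changed is the pattern the report describes."""
    pe = parse_pe(disk)
    header_intact = bytes(mem[:pe.header_len]) == disk[:pe.header_len]
    modified = []
    for s in pe.sections:
        if s.characteristics & IMAGE_SCN_MEM_WRITE:        # .data legitimately changes at run time; skip it
            continue
        on_disk = disk[s.raw_pointer:s.raw_pointer + s.raw_size]
        in_mem = bytes(mem[s.virtual_address:s.virtual_address + s.raw_size])
        if on_disk != in_mem:
            modified.append(s.name)
    return {"header_intact": header_intact, "modified_sections": modified,
            "hollowed": header_intact and bool(modified)}


def build_pe(text: bytes, image_base: int = 0x400000) -> bytes:
    """Construct a minimal PE32 with one .text section (a stand-in for svchost.exe, not a real binary)."""
    e_lfanew, opt_size, raw_off = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)   # i386, one section
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    sec = struct.pack(SECTION_HDR, b".text", len(text), 0x1000, len(text), raw_off, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(raw_off, b"\0") + text


# Constructed samples: a benign "svchost" body and a different body standing in for the unpacked TDR image.
SVCHOST_DISK = build_pe(b"\x55\x8b\xec" + b"\x90" * 29)
TDR_BODY = b"\xe8\x00\x00\x00\x00" + b"\xcc" * 27


def demo():
    clean = map_image(SVCHOST_DISK)
    puppet = map_image(SVCHOST_DISK)
    # Replace the image body behind the untouched PE header, as TDR does inside the puppet svchost.exe.
    puppet[0x1000:0x1000 + len(TDR_BODY)] = TDR_BODY
    return check_hollowing(SVCHOST_DISK, clean), check_hollowing(SVCHOST_DISK, puppet)


if __name__ == "__main__":
    for label, result in zip(("clean", "puppet"), demo()):
        print(label, result)
```

On a live system the second argument would be the bytes read from the process at its PEB ImageBaseAddress, and a mismatch between that address and the header's ImageBase is a further signal worth logging.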
Network Connection

TDR initiates its network connection from the new svchost.exe process. This allows the malware to mask its traffic among the legitimate connections of the real svchost.exe. TDR first tries to connect to an IP address that belongs to KORNET, a legitimate provider:

    inetnum:
    netname:  KORNET
    descr:    KOREA TELECOM
    descr:    Network Management Center
    country:  KR
    admin-c:  DL248-AP
    tech-c:   GK40-AP

The second connection is initiated with the known dynamic DNS service provider myddns.com.
The following URLs were captured during the network analysis:

Both URLs have a server listening on port 8080, followed by a random five-character PHP file name; the captured examples were kvfbx.php and pnrrv.php. The id parameter structure is <random 6 numbers><mac address>, for example 151DDF34B09G: the random id followed by the machine MAC address DDF34B09G.

Conclusion

TDR employs interesting anti-debugging and injection techniques that are not commonly used. It also targets McAfee antivirus and circumvents the way McAfee inspects newly created processes. The fact that TDR was captured on a live host with up-to-date antivirus protection emphasizes why antivirus is not a foolproof solution to malware. Finally, these various pieces, when added together, make TDR a formidable piece of malware that is hard to detect.
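The C2 URL pattern from the Network Connection section (port 8080, a random five-letter .php script, id = six random digits followed by the machine MAC) turned into a proxy-log check, as an added example that is not part of the report. The log format and hostnames are constructed, and the MAC is assumed to be 12 hex digits without separators, which the report does not state.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Pattern taken from the report: port 8080, /<5 letters>.php, id=<6 digits><MAC>.
C2_PATH = re.compile(r"^/[a-z]{5}\.php$")
C2_ID = re.compile(r"^(?P<rand>\d{6})(?P<mac>[0-9A-Fa-f]{12})$")   # 12-hex-digit MAC is an assumption


def classify_url(url: str):
    """Return the decoded beacon fields if the URL matches the TDR C2 shape, else None."""
    parts = urlsplit(url)
    if parts.port != 8080 or not C2_PATH.match(parts.path):
        return None
    ids = parse_qs(parts.query).get("id", [])
    if len(ids) != 1:
        return None
    m = C2_ID.match(ids[0])
    if not m:
        return None
    mac = m.group("mac").upper()
    return {
        "host": parts.hostname,
        "script": parts.path.lstrip("/"),
        "random_id": m.group("rand"),
        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)),
    }


def scan_proxy_log(lines):
    """Constructed log format: <timestamp> <client_ip> <url>. Returns one hit per matching request."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        beacon = classify_url(fields[2])
        if beacon:
            hits.append({"time": fields[0], "client": fields[1], **beacon})
    return hits


def infected_hosts(hits):
    """Group beacons by the MAC leaked in the id: one MAC reaching several C2 hosts is one infected machine."""
    by_mac = {}
    for h in hits:
        entry = by_mac.setdefault(h["mac"], {"clients": set(), "c2_hosts": set()})
        entry["clients"].add(h["client"])
        entry["c2_hosts"].add(h["host"])
    return by_mac


# Constructed sample log: two infected clients, one benign request and one malformed id.
PROXY_LOG = """\
2018-03-05T10:11:02Z 10.0.0.21 http://update.example.test:8080/kvfbx.php?id=482913001122AABBCC
2018-03-05T10:11:09Z 10.0.0.21 http://www.example.test/index.php?id=12345
2018-03-05T10:12:44Z 10.0.0.21 http://host2.dyn.example:8080/pnrrv.php?id=915507001122AABBCC
2018-03-05T10:13:10Z 10.0.0.33 http://update.example.test:8080/kvfbx.php?id=30119900AABBCCDDEE
2018-03-05T10:13:12Z 10.0.0.40 http://update.example.test:8080/kvfbx.php?id=notanid
"""

if __name__ == "__main__":
    found = scan_proxy_log(PROXY_LOG.splitlines())
    for mac, info in infected_hosts(found).items():
        print(mac, sorted(info["clients"]), sorted(info["c2_hosts"]))
```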
More informationID: Sample Name: Snow Patrol - Chasing Cars.mp3 Cookbook: defaultandroidfilecookbook.jbs Time: 12:40:19 Date: 09/01/2018 Version: 20.0.
ID: 4201 Sample Name: Snow Patrol - Chasing Cars.mp Cookbook: defaultandroidfilecookbook.jbs Time: 12:40:19 Date: 09/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview
More informationID: Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 09:43:59 Date: 21/10/2017 Version:
ID: 34788 Sample Name: Dxd1yOZMU1.bin Cookbook: defaultwindowsofficecookbook.jbs Time: 0:43:5 Date: 21/10/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information
More informationID: Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 05:15:19 Date: 27/04/2018 Version: 22.0.
ID: 92 Sample Name: [Content_Types].xml Cookbook: defaultandroidfilecookbook.jbs Time: 0:1:19 Date: 2/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information
More informationAdvanced Malware Analysis Training Series.
Advanced Malware Analysis Training Series Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge
More informationID: Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/2018 Version:
ID: 5352 Sample Name: 29UPDYATHD.exe Cookbook: default.jbs Time: 19:03:31 Date: 06/04/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence
More informationNew Wave of Hancitor Malware Comes with New Evasive Techniques
MORPHISEC LAB New Wave of Hancitor Malware Comes with New Evasive Techniques INTRODUCTION From November 7 15, 2016, Morphisec identified and monitored a new wave of sophisticated malware attacks using
More informationAdvanced Malware Analysis Training Series.
Advanced Malware Analysis Training Series Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions of any kind. Also the views/ideas/knowledge
More informationSentinelOne Technical Brief
SentinelOne Technical Brief SentinelOne unifies prevention, detection and response in a fundamentally new approach to endpoint protection, driven by machine learning and intelligent automation. By rethinking
More informationELECTRONIC BANKING & ONLINE AUTHENTICATION
ELECTRONIC BANKING & ONLINE AUTHENTICATION How Internet fraudsters are trying to trick you What you can do to stop them How multi-factor authentication and other new techniques can help HELPING YOU STAY
More informationAnti-Virus Comparative. Factsheet Business Test (August-September 2018) Last revision: 11 th October
Anti-Virus Comparative Factsheet Business Test Language: English August-September 2018 Last revision: 11 th October 2018 https:// - 1 - Introduction This is a short fact sheet for our Business Main-Test
More informationID: Cookbook: browseurl.jbs Time: 18:05:31 Date: 26/12/2017 Version:
ID: 41000 Cookbook: browseurl.jbs Time: 1:05:31 Date: 26/12/2017 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis
More informationFast & Furious reverse engineering TitanEngine. titan.reversinglabs.com
Fast & Furious reverse engineering TitanEngine titan.reversinglabs.com Contents Introduction to TitanEngine... 3 Introduction to static unpackers... 4 Introduction to dynamic unpackers... 5 Introduction
More informationID: Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version:
ID: 42035 Sample Name: Luxus.doc Cookbook: defaultwindowsofficecookbook.jbs Time: 10:22:08 Date: 09/01/2018 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview Information Detection
More informationID: Sample Name: wtf.bat Cookbook: default.jbs Time: 18:32:35 Date: 19/05/2018 Version:
ID: 6036 Sample Name: wtf.bat Cookbook: default.jbs Time: 1:32:35 Date: 19/05/201 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification
More informationID: Cookbook: urldownload.jbs Time: 21:28:55 Date: 28/06/2018 Version:
ID: 6600 Cookbook: urldownload.jbs Time: 21:2:55 Date: 2/06/201 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature Overview Networking:
More information