Welcome to Malware Analysis For Hedgehogs. I think it's long overdue that we take a look at Hybrid Analysis and how to use it for an initial malware assessment. This is the Hybrid Analysis website. It is an automated sandbox system: you drag and drop a file into it, it runs the file, records the dynamic execution, and creates a report for you. For malware analysis you can use this at least for the initial analysis. What does that mean? Before you even try to dive into analyzing the code of the malware sample in front of you, you should try to find the best path to the relevant code. In a lot of cases beginners in malware analysis waste a lot of time: they have a sample, they put it into Detect It Easy, see "okay, it's x86 assembly code", put it into IDA, and then they get lost because they don't understand what the code is doing. If this sounds like you, you might want to check the sample in Hybrid Analysis first. Why? Because it saves you a lot of time: you will find more hints about what you should actually do to find the relevant code and what this file does.

If you are a malware hunter, this is also very useful. You can check the scans that were done lately in the "quick scans" and "files or URL" sections and see all of the latest scans. If you combine a low AV detection rate with a malicious threat level determined by the sandbox, you have a good likelihood of finding yet undetected malware, so that's quite useful.
The malicious threat level is especially interesting because that is where the sandbox saw some behavior. If there is nothing here, or it says "no threat", it's probably because the sample didn't show any behavior. That doesn't mean it's clean; it just means the sandbox couldn't find anything suspicious, which can also happen with VM-aware or sandbox-aware malware. So just because Hybrid Analysis determines that something is malicious or clean does not mean that this is truly the case.

So what can you do here? As I said, if you check for a low AV detection rate and a malicious threat level, that's probably interesting for you as a malware hunter. You can also search for things: you could type "keylogger", for example, if you're interested in seeing what people uploaded as keyloggers. That's already something you can use. For some reason someone put in an archive here. An archive is not executable, so it does not make much sense to put it into a dynamic analysis environment; you won't get much out of it. The only reason it's flagged as malicious is probably the antivirus detection rate, which is 43%, because that is taken into account too. But there are some other gems in here, and the interesting part is that you can download them. If you're interested in, say, the Phoenix keylogger or the Falcon keylogger, just download it from here and analyze it.

Let's take a look at a specific sample that was also flagged as a keylogger by the Hybrid Analysis sandbox. This is the file: it has a very low detection rate, 2% on VirusTotal, and it's labeled as Trojan keylogger, but the threat score they determined is 100. At the top we can see some of the indicators it takes into account, which it thinks are the reason this is malicious, and some general risk assessment where it says it sets global Windows hooks to intercept keystrokes and to intercept mouse events. Actually, if I check a sample, that's not the first thing I look at; for me it's the least interesting part, because this is just a summary of what the sandbox thinks is risky. I want to determine myself whether this is actually risky, because that depends on the context. So this is not the first thing of interest for me, and the same goes for the indicators. Usually I skip this first and go further down; there is a lot of stuff.

The first thing I really like to look at is the file details section. There's a button here to turn more details on. These are some hashes, so what are they? First, the SHA-256: this is the hash that Hybrid Analysis uses to identify one sample and differentiate it from other samples. If this hash is different, Hybrid Analysis will say it's a different sample. How do I know this? Because it is part of the URL, and if that URL changes, you basically have a different sample. VirusTotal does the same; VirusTotal identifies samples based on this hash. SHA-256 is a cryptographic hash function, which means it's collision resistant: if you change one byte in the file, it will have a completely different hash, and it is very hard to find or create another file that has the very same hash value as this one. That is why it is used for identification; otherwise you could craft files that are different but map onto the same hash, and that would be bad for such a sandbox. MD5 and SHA-1 are included too, but they are usually not used that much anymore. They were used in the past for the same reason, and they are often still mentioned in malware analysis reports, so you can search for them in case you read a report that says "this is the MD5 of the sample we used".

ssdeep is quite different from the other three hash functions because ssdeep is a similarity-preserving hash. That means if you change just a few bytes in the file, the hash value will look almost the same: maybe two characters are different and the rest is the same. So this is for finding similar samples, and that's also why you can click on it: if you click on it, you will find samples that look the same. Let's wait until this is done... and it didn't find any, so this seems to be the only one that looks like this.

Then the imphash. The imphash is actually MD5 underneath, but the MD5 value is computed over the imports of the PE file. The idea is that files that behave the same have similar imports, or vice versa: if two files have the same imports, they probably behave similarly. So you can find similar files if you click on this. Let's see what we find here. Oh yeah, there are some more that are also low in AV detection rate and considered malicious, so this might be interesting. The imphash does not make sense for every PE file, but that's a different topic; I might come back to it later.
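As an added example (my own code, not part of the video or of Hybrid Analysis), this computes the identity hashes discussed above, shows the avalanche effect that makes SHA-256 usable as a sample identifier, and computes an imphash over a list of imports using the normalisation pefile uses for named imports. The sample bytes are constructed, not the video's file, and the `min_imports` threshold in `imphash_usable` is my own choice to express the "just one or two imports" caveat from the walkthrough.

```python
import hashlib

# Constructed stand-in for a file's bytes (not the sample from the video).
SAMPLE = b"MZ" + bytes(range(256)) * 4
# The same "file" with a single bit flipped at offset 100.
MODIFIED = bytes(b ^ 0x01 if i == 100 else b for i, b in enumerate(SAMPLE))


def identity_hashes(data: bytes) -> dict:
    """The hashes Hybrid Analysis lists under file details.

    SHA-256 is the sample identifier (it is part of the report URL); MD5 and
    SHA-1 are kept so you can match hashes quoted in older malware reports.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hex_distance(h1: str, h2: str) -> int:
    """Number of hex digits that differ between two equal-length digests.

    For a cryptographic hash a one-bit change flips roughly 15/16 of the digits,
    which is why a single changed byte yields an unrelated SHA-256.
    """
    return sum(a != b for a, b in zip(h1, h2))


def imphash(imports) -> str:
    """Imphash of a list of (dll, function) pairs.

    Follows the pefile normalisation: lowercase, strip a .dll/.ocx/.sys
    extension, join as 'dll.func' in import-table order with commas, and MD5
    the resulting string. Assumption: named imports only; the ordinal-to-name
    mapping pefile applies for imports by ordinal is left out here.
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in ("dll", "ocx", "sys"):
            lib = base
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def imphash_usable(imports, min_imports: int = 3) -> bool:
    """An imphash over one or two imports says nothing about behaviour.

    min_imports is my own threshold, not a Hybrid Analysis setting.
    """
    return len(imports) >= min_imports


if __name__ == "__main__":
    a, b = identity_hashes(SAMPLE), identity_hashes(MODIFIED)
    print("sha256 digits changed by one flipped bit:",
          hex_distance(a["sha256"], b["sha256"]), "of 64")
    imports = [("KERNEL32.DLL", "GetProcAddress"), ("kernel32.dll", "LoadLibraryA"),
               ("user32.dll", "SetWindowsHookExA")]
    print("imphash:", imphash(imports), "usable:", imphash_usable(imports))
```

Note that the imphash is order sensitive: the same imports listed in a different order produce a different value, which is one reason two functionally similar builds may still not share an imphash.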
The authentihash is for the certificate: it is computed over the parts of the PE file that are considered relevant for certificate validation. But this file is not signed, so this isn't that relevant here.

Here it says this is a Delphi executable. Now remember, most beginner analysts would probably put a sample into Detect It Easy or PEiD, see "Borland Delphi", think "ah, that's hard", and then try to analyze it in IDA or some Delphi-specific program. That's the case where they would get lost, completely, because you will soon realize that this is actually not the code we want to look at. Why? The version info tells us some interesting things: we see a mention of the website flashjester.com. If you Google "FlashJester Jugglor engine", you will find this: "Jugglor turns your Flash files into standalone programs", or here, "converts SWF files into standalone executables". So this is actually a Flash application that has been converted into an executable using FlashJester. The part that is detected as Borland Delphi is actually part of FlashJester; it's the execution environment, the part that will unpack the actual Flash code and execute it. So what you want to look at in your analysis instead is the Flash code.

To put this version info into perspective: the developer of the file, and that includes a malware developer, can change the version information. This is something the developer is completely free to put in, so it could be fake, something just to put us off track. You have to keep this in mind. It's a hint as to what this might be and where you could proceed looking, so it might be a Flash file. When I check the version information I also check the icon, the icon that's put on the executable, and whether it makes sense in the overall picture of the program. In this case, when you search for FlashJester you will find that this is not their icon; it's miniclip.com. Just Google for miniclip.com and that is their logo, only inverted here. So it kind of makes sense that they would have this logo, and it seems that this was probably created by miniclip.com, a browser game website. It could be a game, and they used FlashJester to convert it.

What's this here? This is PortEx, a library that I wrote. It's written in Scala and Java; I wrote it for my master's thesis, and the visualization, which was just a side product of the thesis, was put into Hybrid Analysis, which is cool. I also think it's very useful, because here you can estimate where the interesting areas in the file are and whether the file is probably packed. What you can see here is that it has a huge overlay, that's the blue part; the explanation is here. The one in the middle is the entropy, and the overlay is high in entropy. This is the kind of area where I would assume the file is packed, because data that is so dense in information is likely packed data. But if this is a Flash-to-EXE converter, it makes sense that it packs other files inside: it might just use this overlay to store the actual Flash executable and the Flash code that is executed by it. So in the whole picture it makes sense.

Here is some more data on the file sections. Not much of interest in here, except that we see CODE, DATA and BSS, which is typical for Delphi applications. Apart from that, I don't think there's much that is really interesting for me. File imports: of course those are the ones used by the imphash that I explained earlier. The imphash is computed on this area, and if this area has almost no imports, the imphash is of no use for you. If there are just one or two imports, don't bother with the imphash, it will not help.

Screenshots are obviously very interesting in this case because we have a graphical interface. This is called "Space Fighter Rebellion", so it makes sense in context with the file name, and it says miniclip.com. We also see the icon here. Obviously you can play the game, but the sandbox did not play it, so we only see the launch screen. Still, even if it's a game, it could be the case that this is just a lure and there is some malicious code behind it.

Now let's go back to the risk assessment at the beginning, where it says "sets global Windows hook to intercept keystrokes" and "to intercept mouse events". In light of knowing that this is a game, do you think this is still suspicious? Actually, no. A game needs to read keystrokes, it needs to read mouse events, otherwise it cannot be played. So this is not really a suspicious indicator; we should just take it off the list. But still we do not know whether it's malicious or not, so let's check the next part.

Here is one of the most interesting parts as well: the process section. You can also click on these processes to check more details about them. We see there's a SpaceFighterRebellion.exe process, the file originally started by the sandbox, and then this one started another process called SpaceFighter.exe. That's a different process name, and the process name depends on the file name, so it started a different file to create this process. Generally it's suspicious if you see the very same file as the child process: that's an indicator that process injection is used. That's not the case here, because the child process that was started is a different one. So we don't know whether process injection is used; it could still do process injection, it could create a copy of itself with a different name and run that. Now let's go back to the indicator at the beginning, where
it says "writes data to remote process". To check whether it does that, we can click on it and get the information about the API calls that have been logged. What's a bummer is that we only see the first 1000 calls, so we might miss data: if something is not there, it doesn't mean anything. I made a process injection graphic, and also a video, about typical process injection APIs that you can search for here. One of the first things I do is search for "write", and we already see there's a call to NtWriteVirtualMemory in ntdll. Well, that doesn't look much like process injection, because it's only 34 bytes. That's probably just some arbitrary data, probably not injection.

In the network analysis area we don't see any requests, no network requests at all, so this is not indicative of a keylogger. You remember that we saw this keylogger label. Where does it come from? It comes from VirusTotal. Why? You can see it, that's where it comes from. They just checked if there's any good detection name. We see there are only six detections for this, because we specifically chose a file with a low detection rate, and that's where the keylogger label comes from, and also from this one here. But so far I don't see a reason to assume it's a keylogger, because it's a game: it needs to, not log, but hook your keystrokes, and we have no network, so how is the attacker supposed to get the keystrokes in this case? Well, it's possible that this just did not happen in the sandbox because the malware only does it once a day. We don't know. Maybe it waits for a long time until it uploads some keystrokes; that could be possible. But so far there is no indicator for that.

The extracted strings are interesting as well. If I remember correctly, this even includes some in-memory strings, so you might find quite interesting stuff. You can scroll through and see if you spot anything interesting. There is also a selection of strings that are deemed interesting by Hybrid Analysis; just go through it and see if there's something that looks like it could be typical for malware. Something that catches my eye is this "shell\open\command" string. It's often used in combination with certain UAC bypass techniques, so I would take note of that and specifically check in the deeper analysis how this string is used, whether this is indeed a UAC bypass technique. We can see similar things here, and everything just points to the Jester environment, so this is probably really just a Flash converter and nothing else when it comes to the main Delphi code.

Now, as I said regarding the processes: it has to drop the SpaceFighter file somewhere to create a process with a different name. So what I'm questioning is: is the SpaceFighter file a copy, or is it the same file as SpaceFighterRebellion.exe? If you check down here, you see that's SpaceFighter.exe and it's a different file. How do I know? Because the hash, the SHA-256, is a different one. If you compare them, this one starts with 155a and ours, you see it in the URLs, starts with 0c4 and so on, so it's a different file. This file is also deemed clean by VirusTotal; it has a detection rate of zero. Let's check the VirusTotal report. Oh, and the original name of this file is SWFlsh32.exe, so this is a Flash executable. Check it: yeah, that's a Flash player, and we see it also named SpaceFighter.exe. That makes sense: you cannot assume that a computer where the game is being played has Flash Player on it, and to be able to execute this Flash application everywhere on Windows systems, you just put the execution environment, the Flash Player, inside this whole file, together with the Flash code. So now you can be pretty sure that this is a Flash executable, and you only need to check the Flash code of that and not the Delphi code.

This Jugglor file is deemed malicious. For what reason? Because some AV scanners think it's malicious. But for me the name just indicates it's part of this Jester execution environment, and when I check VirusTotal, roughly three detections is not much, and all of those security vendors are not really well known. If it was Kaspersky or Avira or Bitdefender I would take it a bit more seriously, but not these. That's likely clean, this file at least.

Now, as a last measure, I would probably just check: what do we have here as malicious indicators? Let's go through them a bit. I will also tell you: not all of them may be displayed, because you need the full version for that, and not everyone has the money for it. But let's go through them. It says it has five malicious indicators, which are probably responsible for this verdict and threat score. The first one is "Windows hook to intercept mouse events": we already know that makes sense for a game, so ignore that. "Extracts a file that was identified as malicious": that was the Jugglor file, where we checked VirusTotal and it's probably clean. Plus, if you check the first submission, it's from 2008; if this was malicious, and it was scanned one day ago, I don't think it takes that many years for malware to stay unnoticed. So no, not really indicative. "Installation/persistence: computer-based training hook sets a callback procedure": I'm not sure what this is about, I guess I would have to Google what this actually is. "Writes data to a remote process": we checked that, and now that I open it, you see there have actually been more calls to this write-process function, but these are all at most 52 bytes, so not really. "Sets global hook to intercept keystrokes": same, it's a game, so what do you expect? None of these are indicative of malware in this case.

Suspicious indicators, let's also go over them a bit. It says "anti-reverse engineering: file has unusual entropy sections", and this is something you
can compare with the PortEx picture. It says the code section has a lot of high entropy. I do not see this here, actually, because the overlay is way brighter than the code section. Let's check the code section: the entropy is 6.4. There's a bit of a mismatch because I calculate the entropy differently from how it's done here. Entropy is either based on 8 bits, so it goes from 0 to 8, or it is given on a scale from 0 to 10. It seems that here they calculate the entropy from 0 to 10, whereas down below it's computed from 0 to 8, so there is a small mismatch in this area; they use different scales, which is a bit confusing. But generally this value is high, which means it's probably packed. Then again, it's not that high; the overlay is far higher, as we can see in the picture. Unfortunately the overlay entropy is not shown here. Anyway, it's not as high as it seems here.

"Environment awareness: tries to evade analysis by sleeping many times": it's probably normal for a game to do that, I'm not sure. "Reads the active computer name": okay, if it's just that, why not. "Sample was identified as malicious by at least one virus engine": we know that already. "Reads configuration files": it reads its own .ini file, the file it dropped itself, its own settings; nothing suspicious here. "Drops executable files": we know that already, that's the Flash executable that needs to run the Flash code. "Writes a file header to disk": that's when it writes SpaceFighter.exe, so it's not another indicator, it's just logical: if you drop an executable file, you have to write it. "Found potential IP addresses": I think that's the version number from the version information here, file version and product version; it's not an IP address. "Reads terminal service related keys": I would have to Google those. Terminal server, okay, RDP related, I don't know, but it did not do any network connections whatsoever, so I'm not sure why it needs that. "Marks files for deletion": apparently this is dropped in temp. This is common for such wrapper files: they drop the executable, the settings and the code execution environment into the temp folder and delete it afterwards. That's what the temp folder is for, so you can just put temporary files in there; nothing suspicious about that. "Opens file with deletion access rights": that's the same as the previous one; if you mark a file for deletion, you would want to open it with deletion access rights. "Entry point is in an uncommon section": now this Jugglor file seems to be packed with ASPack. We see this here as well: there are crowdsourced YARA rules matching on ASPack, they find the section named .aspack, and if you check the sections of this one, it has an .aspack section, so that's the reason; it's probably packed. "Imports suspicious APIs": well, these are to deal with registry stuff, I think. All in all, I don't think this combination is suspicious. But what you can use this for: if you did not have a Flash file and had to analyze the actual assembly code in IDA, I would specifically check where those APIs are used, because they are interesting when you analyze malware. It doesn't mean that the file is suspicious, because many clean files need those APIs as well. "Installs hooks/patches in the running process": this might have to do with the hooks it places for keystrokes and mouse events. "Reads information about supported languages": probably every file does this, I'm not sure why this is suspicious; lots of files do this. And then it has some more indicators it doesn't tell us because we don't have the full version, but I don't think you are missing out on much if you don't see them. As you can see, most of these things that are deemed suspicious are actually not that much of a deal here. I found a URL, flashjester.com, and there are more informative files and things here, but I think you get the idea of how to use this properly and what you would do next. So the next thing for you is to Google how to analyze Flash files, and there you go.

To sum this up: what did we learn today, what can we conclude, is our sample clean or malicious? The likelihood that this file is clean is very high, but we do not know for sure. To know this for sure we would have to analyze it further. Hybrid Analysis in this case helped us to determine where we need to look further: we already know that the sample is dropping a Flash Player and probably executing some Flash code, so that's where we should look next to be more sure about its cleanliness. Determining if a file is clean is actually more difficult than determining if a file is malicious, simply because if it's malicious you just find the malicious code and that's it; if it's clean, when do you stop searching for the malicious code that still could be there? That's harder, so at some point you will have to decide if it's worth continuing or not. In this case I would probably just analyze the Flash code and then that's it: I would declare it clean if I don't find anything suspicious in there.

What did we learn about Hybrid Analysis? Hybrid Analysis is obviously very useful to save us time. In the long run, you should take the time and use these tools that give you an overview. That includes using a hex editor, a static file parser like a PE parser, tools like Detect It Easy, and it includes sandbox systems. Those are the first things to check and to take notes from. A lot of my analysis is: you make assumptions and then you try to confirm these assumptions. A lot of the things we find, "oh, it's probably Flash", are probabilities. As we learned, the version info could have been faked by the threat actor, and then it might have looked like this was a Flash application when it's actually not. So you always need to confirm your assumptions, and come up with new assumptions if they don't get confirmed. And sandbox systems in general, although they are useful, you should not take their overall result as the global truth. They have wrong verdicts all the time, and you are the expert, you are the one who needs to interpret all of the data and the results in the sandbox report. It should not be up to the sandbox system to tell you what is actually suspicious; you need to use your own knowledge and common sense to check whether this is true.

I hope you learned something today. If you want me to check out samples in VirusTotal, Hybrid Analysis or wherever, and run through them, let me know. If it's interesting for a video I will include it, but I don't promise anything. I'm not publishing that often, so I usually choose very carefully what topics I will cover. But let's hope the next one will be soon, and see you next time.