Welcome to Malware Analysis for Hedgehogs. Today I want to answer some questions about VirusTotal. For instance, why are there files that the VirusTotal community cannot agree on, whether they are malicious or clean, and what is the most uploaded file on VirusTotal? How do you find similar samples? And maybe I'll explain some basic usage along the way. I hope this is useful for you, so let's see. All right, let's check out some files on VirusTotal. The first one I want to look at is this one. We see it's not detected by any of the antivirus scanners. First, there's this overview, where the scanners that detect the file are put on top, so if you only see undetected ones, you can be sure there isn't a single detection further down. There's also a summary saying that none of the antivirus scanners consider it malicious. Then there is the community score right underneath, and the community score is overwhelmingly negative. What is this? Everyone who has an account on VirusTotal can vote on a file: the X means you think it's malicious and the check mark means you think it's clean. If you open the Community tab and scroll down, you see the voting details. These are the people who voted for or against this file. A lot of them are marked as anonymous; a few years ago it was possible to vote without an account, so there are anonymous votes that are about four years old in this case. Then there are people with an account, and some of them have a lot of voting power, because if you go to a profile and click on "trusted", and lots of people do that, you will get more voting power. That's how they try to ensure that the opinion of people who know what they're doing counts more. So what's happening? Why do all of these scanners not detect the file, while all of these people think it's malicious?
Now, the first thing I do if none of the antivirus scanners detect anything is check when the file was submitted for the first time. That's in the Details tab, History section. You see the date of first submission, and that's more than 10 years ago. It's very, very unlikely that a file has gone unnoticed for more than 10 years and is malicious at the same time. So if you see something like that, even if the first submission is only a few months ago, you can be fairly sure it's a clean file. So why do people still think it's malicious? The answer is that it's often related to executing malware. In this case we have the Windows Script Host. Here we see the signature information: this file is signed by Microsoft. It's a Microsoft file; you also see this here, it was published by Microsoft Corporation. So you can be sure it's a valid file by Microsoft, it's part of the operating system, and it's used to execute script files like VBScript or JScript. That's why some people see it as malicious: it is sometimes used to execute malicious scripts, but it's not malicious itself. The people who vote don't know that, and the Windows Script Host might additionally be dropped by malware to execute malicious scripts, and then it may have a different name, like this one or this one. In that case, if you find it in the temp folder and you know it has been executing malicious code, you know it's somehow related to your malware file, and you might think it's malware as well. The same can happen with, for instance, python.exe. I think that's a good thing to know. Now, the good thing is that if you have something like wscript.exe or python.exe or anything else that may be used to execute malware, you can check out the Relations tab to find new malware, because there you see the scripts that have been executed. And if you click on one of those scripts, like this one, you see it's malware, right?
Well, there are not that many detections, but you also see that the last time it was scanned was more than a year ago. So let's click on the Reanalyze button and see what happens. And now there are more antivirus scanners detecting the file. So that's the second date you need to check, I guess: if you have a file that isn't detected much, check the date of the last scan, and you may click the Reanalyze button to see whether the file is detected by now. There are some more dates. Let's go back here. You see quite a few dates; what do these mean? First submission we already talked about. The reason I like to look at that one is that it cannot be faked by malware developers; it's the minimum age of the file. You can also check out the creation time. For a portable executable file, this is the compilation date that the compiler puts into the portable executable header. But this can be wrong: some compilers put in a wrong date, and malware authors may simply change it. The signature date, on the other hand, is the date when the file was signed, so we should see this reflected here as well. That's the same one, right? Then, last submission: when the file was uploaded the last time. By now, as we have seen, you can analyze the file without uploading it if you just click the Reanalyze button, and that's the last analysis date. So those are the dates. All right, let's check out another file, because this one is actual malware, and I think it's interesting to see the Behavior tab in VirusTotal. If you check this out, lots of detections say it's ransomware. The Behavior tab will show you the files opened and written, and the files written, oh, those are ransom notes. There are also two batch files. Lots and lots of ransom notes. Now check out files deleted: the batch files have been deleted at some point.
And here are files copied. Oh, that's weird. Does it have to do with C#? Now there's C++, okay. If you click on the plus, you see where it's been copied to. The ransomware copied the original file, or rather renamed the original file by just appending its extension, and afterwards it probably encrypts it. I guess that's why it's shown as copied. Then you can also see the processes. This is the original file, and it executed those batch files. So, highlighted actions: in this case it shows us GetTickCount, because this might be a way for the malware to detect that it's being run in a sandbox. That's interesting for us to know, whether it has sandbox detection and won't do much in the sandbox. And this has been highlighted as well: cmd.exe is being used to execute the batch file. So there we have this connection. Okay, now let's take a look at this file. This is probably the most uploaded file on VirusTotal. I know that a few years ago when I looked at this, the community score was also in the red. If you check out the votes, you will see lots of people vote negative on this file, so they think it's malicious, even some with a bit more reputation; it's not just the anonymous people. So what's happening here? It's undetected. So again, let's check out the first submission date, and it's pretty, pretty old, so it's most likely a clean file. The Names section will tell you which names were used when uploading the file, so what its file name was. And here too you see things that hint at it being malware: these supposedly porn movies with a double extension, which is a common trick to fool users into running malware. There are lots of them. This seems quite malicious when you look at the names. But if you check out the file size, it's zero bytes. It's an empty file. Now, why is it the most uploaded file?
A lot of the time, when a file fails to upload, VirusTotal will just scan an empty file and show you the result. That's especially important if you are helping or assisting someone with a possible infection on their system. You don't have to remember the hash, of course, but if you see this zero-size file, then most likely there has been a problem with the upload. It could also really be an empty file, but most of the time there are actual malware files on these systems and it's just the upload that failed. Here's another file I wanted to show you, the Relations tab for this one, because you can also see some URLs. In the other cases we had only other files, and here there are also URLs, so you see what this looks like. And like with the files, you can click on them. You will not be taken to the URL; you will be taken to the VirusTotal page for that URL, not for the file that's being downloaded there. This is different from the verdicts for downloaded files: for URLs you usually just get a malware verdict and nothing else, nothing about the malware type or the family. In this case we also see that this URL has already been taken down; it's not available anymore because it has been reported as malware. So, okay, here's something else I would like to show you, and that's the hashes in the Details tab, because I didn't explain them yet. The most important hash is probably this one, the SHA-256, because it's a cryptographic hash and it's commonly used to refer to your sample. Most of the time the other ones, MD5 and SHA-1, might be used in other reports too, to say "this is the sample I was analyzing", so you will find these most often. But if you create reports, I think you should use this one. Then the imphash is a hash based on the imports of the file.
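The checks walked through above (community votes versus detections, first submission age, a stale last analysis, and the zero-byte failed upload) as an added example that is not from the video or from VirusTotal; the report below is constructed to mimic the wscript.exe case, with keys named after the attributes of a VirusTotal API v3 file object.

```python
"""Triage checks from the talk (community votes vs. detections, first submission
age, stale last analysis, zero-byte uploads) applied to a VirusTotal report."""

YEAR = 365 * 24 * 3600   # seconds
NOW = 1_700_000_000      # fixed "current" unix time so the results are reproducible

# Constructed data, not a real VirusTotal response. The keys follow the "attributes"
# of a VirusTotal API v3 file object. It mimics the wscript.exe case from the video:
# no detections, first seen eleven years ago, scanned two years ago, voted malicious.
SAMPLE_ATTRS = {
    "size": 163840,
    "first_submission_date": NOW - 11 * YEAR,
    "last_analysis_date": NOW - 2 * YEAR,
    "last_analysis_stats": {"malicious": 0, "suspicious": 0, "undetected": 70,
                            "harmless": 0, "timeout": 0},
    "total_votes": {"harmless": 6, "malicious": 41},
    "names": ["wscript.exe"],
}


def detection_ratio(attrs):
    """Return (flagged engines, total engines) from the last analysis stats."""
    stats = attrs.get("last_analysis_stats", {})
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    return flagged, sum(stats.values())


def triage(attrs, now=NOW):
    """Return triage notes in the order the video checks them; [] means nothing stands out."""
    # 1. A zero-byte file almost always means the upload failed, not that the host is clean.
    if attrs.get("size") == 0:
        return ["zero-byte file: the upload most likely failed, re-upload the sample"]
    notes = []
    flagged, total = detection_ratio(attrs)
    # 2. The first submission date cannot be forged by the author: an undetected file
    #    that has been on VirusTotal for years is most likely clean.
    first = attrs.get("first_submission_date")
    if first is not None and flagged == 0 and now - first >= YEAR:
        notes.append(f"undetected ({flagged}/{total}) and first submitted "
                     f"{(now - first) / YEAR:.1f} years ago: most likely clean")
    # 3. Detections only reflect the engines at the time of the last scan.
    last = attrs.get("last_analysis_date")
    if last is not None and now - last >= YEAR:
        notes.append("last analysis is over a year old: click Reanalyze before trusting it")
    # 4. Scanners clean but the community votes malicious: typical for legitimate
    #    interpreters such as wscript.exe or python.exe that were abused to run scripts.
    votes = attrs.get("total_votes", {})
    if flagged == 0 and votes.get("malicious", 0) > votes.get("harmless", 0):
        notes.append("clean by scanners but voted malicious: check the signature "
                     "and the Relations tab for scripts it executed")
    return notes
```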
The idea is that if two files have the same imphash, they probably have the same behavior, because they import the same functions and use the same Windows APIs, maybe. So searching for the imphash may enable you to find similar samples. Then ssdeep. ssdeep is quite interesting for finding similar samples, because with a hash like SHA-256, if you change just one byte, the whole hash will be different, right? But with ssdeep, if you change just a few bytes, the hash will still be mostly the same; maybe one or two characters are different after those changes. So you can actually find files that are similar using ssdeep. Here's a very good article about threat attribution using ssdeep. It explains how ssdeep works, shows some examples of how you use the tool, and explains these kinds of hashes in general; they are called context-triggered piecewise hashes. Check it out, I will put it in the description below. The other parts of the basic properties are just the file type, the magic number and the file size. You already know why the file size is useful, right? The magic bytes are a byte sequence that tells the executing program or the operating system what kind of file this is, so the magic bytes are related to the file type somehow. But sometimes there's more information in there than just the file type. I think this was here. Yeah, you see some more header information for this one, so it's not just the magic number you can find here, I guess. And for an actual Excel spreadsheet you also have some dates and so on. Now, everything that I showed you today is possible without having a VirusTotal Intelligence account. An Intelligence account is quite expensive most of the time; you usually only have access to it if you work for a company that pays for it. So I'm not sure how interesting an overview of that would be for you. So yeah, if you have any questions, please put them down below.
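How the imphash shown in the Details tab is derived from the import table, as an added example that is not from the video or from VirusTotal; it follows the scheme the pefile library implements, and the import tables below are constructed for hypothetical samples, not taken from real files.

```python
"""Derive the imphash VirusTotal shows from a PE's import table."""
import hashlib

# Extensions that the imphash scheme strips from the DLL name.
_STRIPPED_EXTS = (".dll", ".ocx", ".sys")


def imphash(imports):
    """imports: list of (dll_name, function_name) pairs in import-table order.

    Follows the scheme pefile implements: DLL and function names lower-cased, the
    .dll/.ocx/.sys extension dropped, entries written as 'dll.func' and joined with
    commas, then MD5-hashed. Import order is part of the input, so two binaries with
    the same imports in a different order get different hashes. Ordinal-only imports
    are not resolved to names here (pefile uses a lookup table for that).
    """
    parts = []
    for dll, func in imports:
        dll = dll.lower()
        for ext in _STRIPPED_EXTS:
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        parts.append(f"{dll}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def cluster_by_imphash(samples):
    """Group {sample_name: imports} by imphash to spot builds sharing an import table."""
    groups = {}
    for name, imports in samples.items():
        groups.setdefault(imphash(imports), []).append(name)
    return groups


# Constructed import tables (hypothetical samples). A and B are the same program, B
# merely linked with different name casing; C is a build that adds a crypto import.
BUILD_A = [("KERNEL32.dll", "GetProcAddress"), ("KERNEL32.dll", "LoadLibraryA"),
           ("USER32.dll", "MessageBoxA")]
BUILD_B = [("kernel32.DLL", "getprocaddress"), ("kernel32.DLL", "loadlibrarya"),
           ("user32.dll", "messageboxa")]
BUILD_C = BUILD_A + [("ADVAPI32.dll", "CryptEncrypt")]

if __name__ == "__main__":
    samples = {"a.exe": BUILD_A, "b.exe": BUILD_B, "c.exe": BUILD_C}
    for digest, names in cluster_by_imphash(samples).items():
        print(digest, names)
```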
And I'd love to see you next time.