Malware Analysis with Online Sandboxes

Thekoftte

Member
15 Nov 2020
In "Malware Analysis with Online Sandboxes" we will explain what online sandboxes are and analyze a malware sample through them.
What are online sandboxes?
Online sandboxes such as VirusTotal and Any.Run are platforms where we upload a file; they analyze it in their own environment and show us the results and details. Once our file is on these platforms, we evaluate whether it is harmful or not.
There are two commonly used online sandboxes that we will work with. The first is VirusTotal, the second is Any.Run. VirusTotal scans the file we upload with 78 antivirus engines in total,
and it also brings before us the places the uploaded file contacts, its original name, and a lot of other information.

The link to download the file we will examine: https://mega.nz/file/A74h0brC#C7yKQ2...q7ayxlRBO399vE

Virus Total Report Link:
https://www.virustotal.com/gui/file/...7de3/detection


Any Run Report Link:
https://app.any.run/tasks/c9fc86ad-4...-657473e04a79/ (don't mind the name written here)


Important note: I strongly recommend that you do this in a virtual machine.

Now let's first download the file and see what it is.

The name of our file is "Malware". Let's upload it to VirusTotal right away by dragging it in.

Link: ( https://www.virustotal.com/gui/home/upload )

VirusTotal now shows us its results screen, which may look a little confusing at first.

First, let me explain the menu at the top. Did you see the red area with 66/73 on it?
It means the file was scanned by 73 antivirus engines and 66 of them decided it was harmful.
It is shown in red because the majority said it is harmful; if the majority had said it was clean,
it would be green.


On the right, where it says "775.00 KB Size", it shows the size of the file. Let me give you a tip: if the size shown on VirusTotal and the size of the file from the download link are not the same, use a virtual machine when downloading and analyze the file yourself, because even the slightest difference can mean that malicious software has been inserted into it.

On the far right there is an icon that says EXE; as you can guess, it shows the extension of the file.

Let's talk about the menu below.

In the Detection section, we see the results of the scans made by many antiviruses.

Details about the software are given in the Details section.

In the Relations section, there is a graphic map of the software and security reports of the places it communicates with.

In the Behavior section, the places where the program is connected and the operations it performs are shown.

The Community section includes comments made by analysts who have previously examined the program.

Let's look at the "Detection" part together. The first thing that catches our eye is that many antivirus companies detect it as malicious software, such as a trojan or a backdoor. But we cannot base our analysis on these results alone; doing so would be a mistake. We all know what a crypter is: it is a program that encrypts a file so that it passes antivirus programs cleanly. If we upload a program that has been run through a crypter to VirusTotal, it will show fewer detections and will mislead your antivirus programs. In such cases, analyzing the program ourselves is vital.

Let's take a look at the "details" section without wasting time.

The first part that appears is "Basic Properties". In this part the MD5, SHA-1 and
SHA-256 hashes appear. If you ask what these hashes are for: they are used to verify the integrity of the file,
or to prevent a file that has already been uploaded to VirusTotal from being uploaded again and to present the existing results directly. We don't have much to do with the hashes in this part, so let's jump to the next part now.
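As an added example that is not part of the original post, here is a Python script that computes the size and the MD5, SHA-1 and SHA-256 hashes VirusTotal lists under Basic Properties, and compares them with the values read off a sandbox report. It also covers the size tip given earlier: if the size or any hash of the file you downloaded differs from the report, the report does not describe the file you have. The sample bytes and report values are constructed for the demo, and the report dict layout is an assumption, not VirusTotal's API format.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed stand-in for the downloaded file (not the sample from the post).
SAMPLE_BYTES = b"abc"

# Constructed stand-in for the values read off a sandbox report page. The dict
# layout is an assumption for this demo, not VirusTotal's own API format.
SANDBOX_REPORT = {
    "size": 3,
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

CHUNK_SIZE = 64 * 1024


def fingerprint_chunks(chunks: Iterable[bytes]) -> Dict[str, object]:
    """Hash a stream of byte chunks with the three algorithms VirusTotal shows.

    Streaming keeps memory flat for large samples; all three digests are
    updated from the same single pass over the data.
    """
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for digest in digests.values():
            digest.update(chunk)
    result: Dict[str, object] = {name: d.hexdigest() for name, d in digests.items()}
    result["size"] = size
    return result


def fingerprint_bytes(data: bytes) -> Dict[str, object]:
    """Fingerprint an in-memory buffer, feeding it through the chunked path."""
    return fingerprint_chunks(data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE))


def fingerprint_path(path: str) -> Dict[str, object]:
    """Fingerprint a file on disk without reading it into memory at once."""
    with open(path, "rb") as fh:
        return fingerprint_chunks(iter(lambda: fh.read(CHUNK_SIZE), b""))


def report_mismatches(local: Dict[str, object], report: Dict[str, object]) -> List[str]:
    """Return the fields where the local file disagrees with the report.

    An empty list means the size and every hash present in the report match,
    so the report really describes the file in hand. Any entry means the local
    copy is a different file and has to be analysed on its own.
    """
    mismatches = []
    for field in ("size", "md5", "sha1", "sha256"):
        if field in report and str(local[field]).lower() != str(report[field]).lower():
            mismatches.append(field)
    return mismatches


if __name__ == "__main__":
    local = fingerprint_bytes(SAMPLE_BYTES)
    print("local fingerprint:", local)
    print("mismatches vs report:", report_mismatches(local, SANDBOX_REPORT))
```

To use it on a real download, call `fingerprint_path("path/to/file")` and pass the result to `report_mismatches` together with the values from the report page; the SHA-256 is also the value you can paste into the VirusTotal search box to find an existing report without uploading the file again.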

In the History section, the creation date, the first and last submission dates and the last analysis date are listed in that order.
What we need to pay attention to here: if our program is a newly released program, the date in the Creation Time section
should be close to the First Submission date. This is not only for new releases; whatever the creation time is, the creation time and first submission
dates should be close to each other.
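The Creation Time that VirusTotal shows comes from the TimeDateStamp field in the PE file's COFF header. As an added example that is not from the original post, the Python below reads that field directly from the file bytes and computes the gap to a first-submission date, which is the check described above. The PE buffer is a constructed minimal header (only the fields the parser touches are meaningful), and the 30-day limit in `MAX_GAP_DAYS` is an assumption for the demo, not a VirusTotal rule.

```python
import struct
from datetime import datetime, timezone

# Assumption for the demo: how far apart compile time and first submission may
# be before the timeline deserves a second look. Not a VirusTotal rule.
MAX_GAP_DAYS = 30


def pe_compile_timestamp(data: bytes) -> int:
    """Return the raw COFF TimeDateStamp (seconds since 1970-01-01 UTC).

    Layout walked here: 'MZ' DOS header, e_lfanew at offset 0x3C pointing at
    the 'PE' signature (followed by two NUL bytes), then Machine (2 bytes),
    NumberOfSections (2 bytes) and TimeDateStamp (4 bytes).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: MZ signature missing")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: PE signature not at e_lfanew")
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def compile_time_iso(data: bytes) -> str:
    """Format the compile timestamp the way a report page would display it."""
    ts = datetime.fromtimestamp(pe_compile_timestamp(data), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


def timeline_gap_days(data: bytes, first_submission_iso: str) -> int:
    """Absolute number of days between compile time and first submission."""
    compiled = datetime.fromtimestamp(pe_compile_timestamp(data), tz=timezone.utc)
    submitted = datetime.fromisoformat(first_submission_iso)
    return abs((submitted - compiled).days)


def timeline_looks_consistent(data: bytes, first_submission_iso: str) -> bool:
    """True when compile time and first submission are within MAX_GAP_DAYS."""
    return timeline_gap_days(data, first_submission_iso) <= MAX_GAP_DAYS


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for the demo.

    Only the fields parsed above are meaningful, so this is not a runnable
    executable; it exists so the parser can be exercised offline.
    """
    e_lfanew = 0x80
    dos_header = bytearray(e_lfanew)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    # Machine 0x14C (i386), 3 sections, then the timestamp under test.
    coff_header = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, timestamp)
    return bytes(dos_header) + coff_header


if __name__ == "__main__":
    sample = build_sample_pe(1604188800)  # 2020-11-01 00:00:00 UTC, constructed
    print("compile time:", compile_time_iso(sample))
    print("gap to first submission (days):",
          timeline_gap_days(sample, "2020-11-15T00:00:00+00:00"))
```

One caveat for the check itself: the TimeDateStamp is written by the linker and can be set to any value by whoever builds the file, so a consistent timeline supports the other findings but never proves anything on its own.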

Let's look at the Names section. Here the names the file has been seen with are written; the first name is "Malware.exe", the name we gave it. But when we look at the other names, we reach the place where it gets caught: the names MSRSAAPP and MSRSAAP.EXE appear.
These are the default names of DarkComet RAT. Although this makes it 95% likely to be harmful, we continue, because it is possible that the software's owner simply gave the program this name.

When we look at the File Version Information section, we get information such as the version of our software and its original name. Let's interpret them.
"Remote Service Application" in the Product field is one more point in favour of the option that it is a RAT.

When we look at its original name, as I said above, we reach "MSRSAAPP.EXE", which is the default name of DarkComet RAT.

When we look at the Imports section, we see the DLL files the software uses; the DLLs here matter to us in their own way.

Kernel32.dll is frequently used by malware; this DLL is used to access memory, files and hardware.

Advapi32.dll is used to access the registry.

GDI32.dll is used to handle the software's graphics.

Shell32.dll is used to execute commands on the command line.

Now it's time for "Relations".
The Communicated URLs and Domains parts appear here; we can see the scan results of the links this program communicates with.

We can see the graphical diagram of the software in the Graph Summary section.
Here we see that one domain, one URL and the software are connected.

Let's go to the "Behavior" section.
When we look at the Network Communication part, we see the HTTP and DNS connections, and there we see "trial.no-ip.org".
This domain belongs to the second most commonly used service that RAT operators use to hide their own IP addresses;
the most frequently used one is DuckDNS. Here we determine that this software is a RAT.
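As an added example that is not taken from the original post, the Python below runs the same observation as a detection over DNS logs: it parses resolver query lines and flags names that sit under the dynamic DNS zones named above (no-ip.org and duckdns.org). The log lines are constructed for the demo, and both the log format and the short zone list are assumptions; matching is done label-wise, so a look-alike such as no-ip.org.example.com is not flagged.

```python
import re
from typing import Dict, List, Optional

# The two dynamic DNS zones named in the post. Assumption: a production list
# would be much longer and maintained separately from the code.
DYNAMIC_DNS_ZONES = ("no-ip.org", "duckdns.org")

# Constructed resolver log lines for the demo (not from the Any.Run or
# VirusTotal report). Format assumed: "<timestamp> <client> query <type> <name>".
SAMPLE_DNS_LOG = """\
2020-11-15T10:01:02Z 10.0.0.12 query A trial.no-ip.org
2020-11-15T10:01:03Z 10.0.0.12 query A www.microsoft.com
2020-11-15T10:01:09Z 10.0.0.13 query A evil.duckdns.org.
2020-11-15T10:01:10Z 10.0.0.13 query A no-ip.org.example.com
2020-11-15T10:01:11Z 10.0.0.14 query AAAA DUCKDNS.ORG
this line is malformed and must be skipped
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def normalize_name(qname: str) -> str:
    """Lower-case the name and strip the trailing dot of a fully qualified name."""
    return qname.rstrip(".").lower()


def matched_zone(qname: str, zones=DYNAMIC_DNS_ZONES) -> Optional[str]:
    """Return the dynamic DNS zone qname belongs to, or None.

    Matching is label-wise: the name must equal the zone or end in "." + zone,
    so "no-ip.org.example.com" does not match "no-ip.org".
    """
    name = normalize_name(qname)
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_dynamic_dns_queries(log_text: str, zones=DYNAMIC_DNS_ZONES) -> List[Dict[str, str]]:
    """Parse resolver log lines and return the queries that hit a dynamic DNS zone."""
    hits: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        match = LOG_LINE.match(raw.strip())
        if match is None:
            continue  # malformed line: skip it rather than abort the whole run
        zone = matched_zone(match["qname"], zones)
        if zone is not None:
            hits.append({
                "ts": match["ts"],
                "client": match["client"],
                "qname": normalize_name(match["qname"]),
                "zone": zone,
            })
    return hits


def clients_by_zone(hits: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group the flagged clients per zone, which is what an analyst pivots on next."""
    grouped: Dict[str, List[str]] = {}
    for hit in hits:
        clients = grouped.setdefault(hit["zone"], [])
        if hit["client"] not in clients:
            clients.append(hit["client"])
    return grouped


if __name__ == "__main__":
    found = find_dynamic_dns_queries(SAMPLE_DNS_LOG)
    for hit in found:
        print(f'{hit["ts"]} {hit["client"]} -> {hit["qname"]} (zone {hit["zone"]})')
    print("clients per zone:", clients_by_zone(found))
```

A hit on a dynamic DNS zone is a lead, not a verdict: plenty of legitimate home servers use the same providers, so the flagged client and name are what you pivot on (which process made the query, what it downloaded or sent afterwards), not a reason to block on their own.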

Let's move on to the Files Opened section. In this section, the files or folders opened by the software appear.

In the Highlighted Actions section, we see some texts from the program's behavior that VirusTotal considers important.

Since no comments have been made to the software, we see the "Community" section as blank.

Looking at VirusTotal, based on these findings, I classify the software as Harmful // DarkComet RAT.

By the way, the RAT was created by me and its contact address is fake, so you don't have to be afraid when you run it,
because the program does not harm your computer. Stop the program from Task Manager and go to the desktop;
if you delete the "MSDCSC" folder there, the RAT will be completely removed from your computer.

Source: https://www.turkhackteam.org/zararl...e-sandboxlar-ile-zararli-yazilim-analizi.html
Translator: Thekoftte
 