I will be honest with you, I was quite skeptical that anyone in their right mind would appropriate computing resources to test someone else’s malware, for free.
However, I am impressed at what information hybrid-analysis.com was able to divulge.
You see, hybrid-analysis.com performs a procedure known as dynamic binary analysis, which is to watch the alleged malware in action in a sandbox environment like Cuckoo, as opposed to static binary analysis, where you do not run the program but instead pick it apart with tools such as binwalk, objdump, and the GNU debugger (gdb) to determine its intent.
When I submitted my own Python reverse shell generated by Metasploit, I was sorely disappointed to learn that hybrid-analysis did not find it suspicious at all. But it was also my fault for not configuring the networking options of the free online sandbox. No reverse-shell network activity basically means no malicious activity.
I also learned that hybrid-analysis.com avoids wasting processing power on its sandboxes: it first checks the SHA256 hash of the file you have submitted.
If that hash matches any file they analyzed before, the sandboxing process is halted and the previously obtained information about the malware is retrieved for you instead.
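The hash-first triage step described above, as an added example (this is not hybrid-analysis.com's code, and the verdict cache, the sample bytes and the function names are constructed for illustration). It also shows the flip side that matters for the Metasploit payload later in the post: an exact-hash lookup only recognises a byte-for-byte identical file, so a freshly generated or minimally altered sample always falls through to the sandbox, or to nothing if the sandbox is not configured to observe it.

```python
import hashlib

# Constructed verdict cache keyed by SHA-256 hex digest. In the real service this
# role is played by the history of previously analysed submissions; the entries
# here are made up for the example.
VERDICT_CACHE: dict[str, str] = {}


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 of a sample as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks so a large sample never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def record_verdict(sample: bytes, verdict: str, cache: dict[str, str] = VERDICT_CACHE) -> str:
    """Store the verdict a (hypothetical) sandbox run produced for this exact file."""
    digest = sha256_hex(sample)
    cache[digest] = verdict
    return digest


def triage(sample: bytes, cache: dict[str, str] = VERDICT_CACHE) -> dict:
    """Decide whether a submission can reuse a stored verdict or needs a sandbox run."""
    digest = sha256_hex(sample)
    if digest in cache:
        return {"sha256": digest, "verdict": cache[digest], "source": "cache"}
    return {"sha256": digest, "verdict": None, "source": "sandbox"}


def flip_last_byte(sample: bytes) -> bytes:
    """Change a single byte; that alone is enough to defeat an exact-hash lookup."""
    return sample[:-1] + bytes([sample[-1] ^ 0x01])


if __name__ == "__main__":
    # Constructed stand-in for a previously analysed file; not real malware.
    known_bad = b"MZ" + b"\x90" * 64 + b"constructed sample body"
    record_verdict(known_bad, "malicious")
    print(triage(known_bad))                  # served from cache, no sandbox run
    print(triage(flip_last_byte(known_bad)))  # cache miss: one byte differs
```

The same mechanism is why a hash match on a well-known sample comes back instantly, while anything novel has to be observed behaving badly before a verdict exists.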
Performing the real test: Acquiring malware
First, I git cloned theZoo repository on GitHub, which has the authentic samples of infamous malware such as Petya and WannaCry.
You can git clone it yourself with the command git clone https://github.com/ytisf/theZoo. Then navigate to the binaries directory with cd /root/Documents/theZoo/malwares/Binaries, and now you have a supermarket of LIVE malware that is ready to be unlocked and analyzed. Be careful at this stage: each volatile payload is secured in a zip file with a simple password, infected. Do NOT execute any of these payloads without at least having:
- Proper supervision
- Proper network containment
- Within a virtual machine, sandbox, or containerized instance
- And with the knowledge that you may lose all your data should things go wrong (like a hypervisor breakout, or transmissible media sharing spreading the infection)
First Sample: The Original WannaCry
Under the assumption that I was going to have to wait for the sandbox to spool up again, I aimlessly submitted the binary and clicked OK. It caught me by surprise how quickly the page concluded that it was malware, based upon the one-way hash calculations.
It never bothered to run it at all. It already knew this was bad doo-doo.
The user interface for hybrid-analysis.com is stellar. The first section is basically your “no-bullshit bullet points” that quickly describe the executable as malicious, with a brief overview of each suspicious or dangerous trait of the malware.
Here is where the fun really starts. As you can see, the executable’s purpose is clearly malicious.
1. It makes and conceals system level changes
2. It saves a copy of the static decryption key
3. It then saves a copy of the victim’s hard disk forensic identifiers
4. It attempts to guarantee that the data being held for ransom cannot be recovered in any other way (it deletes your backups first)
5. It attempts to locate additional mount points, basically looking for more media to infect like an external hard disk
6. Finally, it phones home to C2, Command-and-Control
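Item 4 above, the destruction of backups before encryption, is the behaviour a defender most wants to catch early, because it is loud and happens before the data is gone. The following is an added detection example written for this post, not anything produced by hybrid-analysis.com: it runs a few rules over constructed process-creation events (Sysmon-like shape, invented paths and PIDs). The command-line patterns are the well-known operating-system utilities catalogued publicly under MITRE ATT&CK T1490 (Inhibit System Recovery); they are my assumption about what to look for, not something the report above lists.

```python
import re
from dataclasses import dataclass

# Detection rules for backup and recovery tampering. The patterns cover the
# operating-system utilities described in public ransomware reporting (ATT&CK T1490);
# they are assumptions for this example, not taken from the sandbox report.
BACKUP_TAMPERING_RULES = [
    ("shadow copies deleted via vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copies deleted via wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery disabled via bcdedit", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup catalog deleted via wbadmin", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed process-creation events (not from the page); paths and PIDs are invented.
SAMPLE_EVENTS = [
    {"pid": 4212, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\notepad.exe notes.txt"},
    {"pid": 5008, "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"},
    {"pid": 5010, "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"pid": 5011, "parent": r"C:\Users\victim\AppData\Local\Temp\sample.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 6001, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "vssadmin list shadows"},   # legitimate administration; must not alert
]


@dataclass(frozen=True)
class Finding:
    pid: int
    parent: str
    rule: str
    cmdline: str


def detect_backup_tampering(events) -> list[Finding]:
    """Return one Finding per (event, rule) match; one command line can trip several rules."""
    findings = []
    for ev in events:
        for name, pattern in BACKUP_TAMPERING_RULES:
            if pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["pid"], ev["parent"], name, ev["cmdline"]))
    return findings


def offending_parents(findings) -> dict[str, int]:
    """Count findings per parent image: several rules firing under one parent is the ransomware shape."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.parent] = counts.get(f.parent, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect_backup_tampering(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid {h.pid}: {h.rule} <- {h.cmdline}")
    print(offending_parents(hits))
```

Grouping by parent image is the useful part: a lone vssadmin invocation from an administrator's console is noise, while three different recovery-killing utilities launched from one unknown executable in a Temp directory is exactly the sequence the sandbox report describes.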
There are nine uniquely identifiable hosts that the ransomware tries to contact. Hybrid-analysis.com has even been kind enough to specify the exact spawned process that is trying to connect back to the attackers.
Clicking through the options, you can actually trace the steps of the infection, down to the individual processes that it spawned, and the commands it was running in the background (to encrypt your hard disk against your will).
And once again, that infamous flyer, caught by a screenshot provided by the sandbox.
Second Sample: The FancyBear Attack on German Parliament
I decided to get a bit fancy and in the corner of my eye I noticed a new malware sample submission. Could it really be? FancyBear? Russian hacker associated with the GRU?
Analyzing this was significantly harder, and it clearly shows an intent by the author to cover his tracks and avoid being discovered too early. Even the initial HTTP requests have been encrypted and obfuscated using the Microsoft CryptoAPI.
In this picture you can clearly see the Certificate Authority and a portion of the TLS handshake. Remember, these are static strings that were discovered from dynamic analysis of the malware. We can only look at them and wonder what its real intent is, unless we get more conclusive evidence.
If this is indeed from FancyBear, he has planned out his countermeasures very well. Here is evidence that the author attempted to disrupt reverse-engineering attempts with a debugger by tampering with the OS's Exception Handling process through the kernel32.DLL dynamic link library.
Here we see a possible digital certificate being concealed in a binary .bin file. Its purpose is unknown, but a faint picture is beginning to form. It could be a required symmetric key to enable encrypted exfiltration of valuable data at a later point in time.
We also found extensive efforts by the malware to uniquely identify and enumerate the victim's specific machine, and it prepares itself to use the Remote Desktop Protocol.
Another anti-reverse-engineering measure was also used: multiple TLS callbacks to foil debuggers.
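TLS callbacks run before the entry point, which is why a debugger that breaks only at the entry point misses them and why their presence is a classic anti-analysis indicator. The sandbox flagged them dynamically; the following added example (my code, not hybrid-analysis.com's and not the malware's) shows how an analyst can check for the same thing statically with nothing but the standard library: walk the PE headers to the TLS data directory, follow AddressOfCallBacks, and count the entries in the zero-terminated array. To keep it self-contained it also builds a constructed minimal PE32+ image with a TLS directory; that builder and its section layout, image base and callback addresses are all invented for the demonstration and produce no executable code.

```python
import struct

IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directories
MAX_CALLBACKS = 64             # guard against a malformed or deliberately unterminated array


def _u16(data, off): return struct.unpack_from("<H", data, off)[0]
def _u32(data, off): return struct.unpack_from("<I", data, off)[0]
def _u64(data, off): return struct.unpack_from("<Q", data, off)[0]


def parse_tls_callbacks(data: bytes) -> list[int]:
    """Return the virtual addresses listed in the PE's TLS callback array (empty if none)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe = _u32(data, 0x3C)                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe + 4
    n_sections = _u16(data, coff + 2)
    size_opt = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    if magic == 0x20B:                          # PE32+
        image_base = _u64(data, opt + 24)
        n_dirs, dirs = _u32(data, opt + 108), opt + 112
        cb_field, read_ptr, ptr_size = 24, _u64, 8   # IMAGE_TLS_DIRECTORY64.AddressOfCallBacks
    elif magic == 0x10B:                        # PE32
        image_base = _u32(data, opt + 28)
        n_dirs, dirs = _u32(data, opt + 92), opt + 96
        cb_field, read_ptr, ptr_size = 12, _u32, 4   # IMAGE_TLS_DIRECTORY32.AddressOfCallBacks
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_TLS:
        return []
    tls_rva = _u32(data, dirs + IMAGE_DIRECTORY_ENTRY_TLS * 8)
    if tls_rva == 0:
        return []

    # Section table: needed to translate RVAs into file offsets.
    sections = []
    for i in range(n_sections):
        s = opt + size_opt + i * 40
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    cb_va = read_ptr(data, rva_to_offset(tls_rva) + cb_field)   # a VA, not an RVA
    if cb_va == 0:
        return []
    off = rva_to_offset(cb_va - image_base)
    callbacks = []
    while len(callbacks) < MAX_CALLBACKS:
        va = read_ptr(data, off)
        if va == 0:                             # the array is zero-terminated
            break
        callbacks.append(va)
        off += ptr_size
    return callbacks


def count_tls_callbacks(data: bytes) -> int:
    """Number of TLS callbacks; more than zero or one deserves a look in a debugger."""
    return len(parse_tls_callbacks(data))


def build_sample_pe(callback_rvas, image_base=0x140000000) -> bytes:
    """Constructed minimal PE32+ image (one section, one TLS directory). Not a real binary."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    cb_rva = sec_rva + 0x40                     # callback array sits right after the TLS directory
    hdr = bytearray(sec_raw)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)     # PE32+ magic
    struct.pack_into("<Q", hdr, opt + 24, image_base)
    struct.pack_into("<I", hdr, opt + 108, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112 + IMAGE_DIRECTORY_ENTRY_TLS * 8, sec_rva, 40)
    sec = opt + 240
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, sec_size, sec_rva, sec_size, sec_raw)
    body = bytearray(sec_size)
    struct.pack_into("<QQQQII", body, 0, 0, 0, 0, image_base + cb_rva, 0, 0)  # TLS directory
    for i, rva in enumerate(callback_rvas):
        struct.pack_into("<Q", body, 0x40 + i * 8, image_base + rva)
    return bytes(hdr + body)                    # the array's terminating zero is already in place


if __name__ == "__main__":
    sample = build_sample_pe([0x1100, 0x1200, 0x1300])
    print(f"TLS callbacks: {count_tls_callbacks(sample)}")
```

The count alone is not a verdict: compilers emit a TLS callback for legitimate thread-local storage initialisation, so a single entry is normal, while several entries in an unsigned sample are the kind of thing the sandbox report was pointing at.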
Finally, typical attack patterns and techniques have been positively identified. Hybrid-analysis.com even provided me with the exact headlines documenting the attack.
Hybrid-analysis.com had the right idea in providing us a free online sandbox to test malware on, and I would say that hybrid-analysis.com is an essential online tool alongside the likes of VirusTotal and Shodan.
I was still a bit bummed that it couldn’t catch a generated Python Meterpreter payload, but it could have been the settings I saved for the environment.