Empowering Cyber Security Posture


Swatbox File Analysis

Are you prepared for most cyberattacks? Or do you have just basic protection? While it’s easy to think of large scale organizations as prime targets for cyber criminals, the truth is that companies of all sizes – large or small – are under threat.

At Cyberstanc, we are always striving to provide the highest level of protection to everyone, whether you run a small business or a major enterprise.

Today we are pleased to announce our first Cyberstanc's Swatbox™ aided malware analysis blog . Swatbox framework  plays an important role in the fight against malwares by providing in-depth analysis featuring :

  1. Pragmatically triaging incidents by level of severity.
  2. Basic static analysis is not always a reliable way to detect sophisticated malicious code, and sophisticated malware can sometimes hide from the presence of sandbox technology. By combining basic and dynamic analysis techniques, hybrid analysis we provide security teams the best approaches possible.
  3. Uncovering hidden indicators of compromise (IOCs) that should be blocked
  4. Introducing a potential kill chain vector which might prevent the execution of the malware.
  5. Support's MITRE ATT&CK® framework / STIX format

Achieve Complete Visibility

Uncover the full attack life cycle with in-depth insight into all file, network, memory and process activity. Analysts at every level gain access to easy-to-read reports that make them more effective in their roles. The reports provide practical guidance for threat prioritization and response. CISO's / CTO's are provided with monthly analysis of their organization's security posture based on combined artifacts collected by Swatbox and their organisation's capability to handle such events.

Automation

Cyberstanc Swatbox uses a unique hybrid analysis technology that includes automatic detection and analysis of unknown threats. All data extracted from the hybrid analysis engine is processed automatically and integrated into the Swatbox reports.

Example Sample Analysis:

Basic file info:

Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.
  • Filename : downloader.exe
  • File Type : PE32 executable (GUI) Intel 80386, for MS Windows
  • MD5 : ccfea4731817fa9b375a327fc933afec
  • ImpHash: bf5a4aa99e5b160f8521cadd6bfe73b8
  • Family : IRCbot

Dropped files:

Files created / dropped by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
  • C:\Users\admin\AppData\Roaming\VtdUpdater.exe ( ccfea4731817fa9b375a327fc933afec) => Renaming self

Process Events:

Process's created by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
  • C:\Users\admin\AppData\Roaming\VtdUpdater.exe

Registry Events:

Registry changes made by parent sample during dynamic analysis powered by Cyberstanc's Swatbox

Network Events:

Potential network connections made/attempted by parent sample during dynamic analysis powered by Cyberstanc's Swatbox
  • pufrehc.altervista.org
  • dns.msftncsi.com

Dynamic Runtime:

Full malware runtime recorded inside Cyberstanc's Swatbox

downloader.exe (ccfea4731817fa9b375a327fc933afec)

Mitre TTP's:

Hybrid analysis artifacts collected by Cyberstanc's Swatbox  are mapped to MITRE ATTACK framework
  • Registry Run Keys / Startup Folder (T1060)
  • Shared Modules (T1129)
  • Virtualization / Sandbox Checks (T1497)

For detailed analysis of the sample please kindly download Swatbox's automated malware analysis report :

https://cyberstanc.com/uploads/eae911d2-863f-4d0e-b977-25761729a917/eae911d2-863f-4d0e-b977-25761729a917.pdf

Interested for more ?

Shoot us an email right away if you are interested in our products at [email protected]