Swatbox File Analysis
Are you prepared for most cyberattacks? Or do you have just basic protection? While it’s easy to think of large scale organizations as prime targets for cyber criminals, the truth is that companies of all sizes – large or small – are under threat.
At Cyberstanc, we are always striving to provide the highest level of protection to everyone, whether you run a small business or a major enterprise.
Today we are pleased to announce our first Cyberstanc's Swatbox™ aided malware analysis blog . Swatbox framework plays an important role in the fight against malwares by providing in-depth analysis featuring :
- Pragmatically triaging incidents by level of severity.
- Basic static analysis is not always a reliable way to detect sophisticated malicious code, and sophisticated malware can sometimes hide from the presence of sandbox technology. By combining basic and dynamic analysis techniques, hybrid analysis we provide security teams the best approaches possible.
- Uncovering hidden indicators of compromise (IOCs) that should be blocked
- Introducing a potential kill chain vector which might prevent the execution of the malware.
- Support's MITRE ATT&CK® framework / STIX format
Achieve Complete Visibility
Uncover the full attack life cycle with in-depth insight into all file, network, memory and process activity. Analysts at every level gain access to easy-to-read reports that make them more effective in their roles. The reports provide practical guidance for threat prioritization and response. CISO's / CTO's are provided with monthly analysis of their organization's security posture based on combined artifacts collected by Swatbox and their organisation's capability to handle such events.
Automation
Cyberstanc Swatbox uses a unique hybrid analysis technology that includes automatic detection and analysis of unknown threats. All data extracted from the hybrid analysis engine is processed automatically and integrated into the Swatbox reports.
Example Sample Analysis:
Basic file info:
Basic static analysis consists of examining the executable file without viewing the actual instructions. Basic static analysis can confirm whether a file is malicious, provide information about its functionality, and sometimes provide information that will allow you to produce simple network signatures.
- Filename : downloader.exe
- File Type : PE32 executable (GUI) Intel 80386, for MS Windows
- MD5 : ccfea4731817fa9b375a327fc933afec
- ImpHash: bf5a4aa99e5b160f8521cadd6bfe73b8
- Family : IRCbot
Dropped files:
Files created / dropped by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- C:\Users\admin\AppData\Roaming\VtdUpdater.exe ( ccfea4731817fa9b375a327fc933afec) => Renaming self
Process Events:
Process's created by the parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- C:\Users\admin\AppData\Roaming\VtdUpdater.exe
Registry Events:
Registry changes made by parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- C:\Users\admin\AppData\Roaming\VtdUpdater.exe (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) => Write
Network Events:
Potential network connections made/attempted by parent sample during dynamic analysis powered by Cyberstanc's Swatbox
- pufrehc.altervista.org
- dns.msftncsi.com
Dynamic Runtime:
Full malware runtime recorded inside Cyberstanc's Swatbox
Mitre TTP's:
Hybrid analysis artifacts collected by Cyberstanc's Swatbox are mapped to MITRE ATTACK framework
- Registry Run Keys / Startup Folder (T1060)
- Shared Modules (T1129)
- Virtualization / Sandbox Checks (T1497)
For detailed analysis of the sample please kindly download Swatbox's automated malware analysis report :
Interested for more ?
Shoot us an email right away if you are interested in our products at [email protected]