Take a look at these new malware analysis tools. If you're looking to find out whether any files are malicious, and also want to know what they are actually trying to do, then these new tools can make your life a lot easier.
Take a look by following the URL links.
My problem with such a tool (I have read the info on the website only) and others like Sysinternals (Filemon, Regmon) is what I call information overload.
Analysing any application will surely generate tens of thousands of log entries that don't make any sense to an average investigator. How many people can read an API and infer what it means? In other terms, HOW CAN YOU TRANSLATE THE LOG INTO A STORY that could be presented to juries and put into a report.
Sorry if this sounds like putting off your great work.
The SandBox summary is designed exactly for the purpose you are referring to. It gives a quick insight into what the file has done in terms of file changes, registry changes, network resources used etc.
If you then need to analyze further, you can do so with the analyzer pro tool.
Here is a SandBox sample summary
[ DetectionInfo ]
* Sandbox name W32/Malware
* Signature name Gobot.A
[ General information ]
* **IMPORTANT PLEASE SEND THE SCANNED FILE TO ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length 46876 bytes.
* MD5 hash cc28c1f669c99635b2a6ec39cbc4d869.
[ Changes to filesystem ]
* Creates file C:\WINDOWS\uSGdj341.exe.
[ Changes to registry ]
* Creates value "CTRL"="C:\WINDOWS\uSGdj341.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Modifies value "Dir1"="012345:C:\WINDOWS\Drivers" in key "HKCU\Software\Kazaa\LocalContent".
[ Network services ]
* Looks for an Internet connection.
* Connects to "109.244.113.203" on port 3127 (IP).
[ Security issues ]
* Uses common backdoor to infect remote system(s).
[ Process/window information ]
* Creates a mutex GhostBOT0.58b.
* Will automatically restart after boot (I'll be back…).
* Enumerates running processes.
[ Signature Scanning ]
* C:\WINDOWS\uSGdj341.exe (46829 bytes) Gobot.A.
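To answer the "translate the log into a story" question raised earlier in the thread, here is an added example (not code from the thread or from the Norman tool) that parses a summary in the format shown above and turns the key bullets into report-ready findings. The sample text is constructed from the entries in the post, and the section and entry wording it matches on is assumed to be stable.

```python
import re

# Constructed sample in the SandBox summary format shown in this thread
# (entries copied from the post above; paths and indicators are the post's own).
SAMPLE = """\
[ DetectionInfo ]
* Sandbox name W32/Malware
* Signature name Gobot.A
[ Changes to filesystem ]
* Creates file C:\\WINDOWS\\uSGdj341.exe.
[ Changes to registry ]
* Creates value "CTRL"="C:\\WINDOWS\\uSGdj341.exe" in key "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".
[ Network services ]
* Looks for an Internet connection.
* Connects to "109.244.113.203" on port 3127 (IP).
[ Process/window information ]
* Creates a mutex GhostBOT0.58b.
"""

SECTION_RE = re.compile(r"^\[\s*(.+?)\s*\]$")

def parse_summary(text):
    """Group the '* ' bullet lines under their '[ Section ]' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.startswith("* ") and current is not None:
            sections[current].append(line[2:].rstrip("."))  # drop the trailing period
    return sections

def tell_story(sections):
    """Turn raw bullets into plain-language findings an investigator can put in a report."""
    findings = []
    for entry in sections.get("Changes to filesystem", []):
        m = re.match(r"Creates file (.+)", entry)
        if m:
            findings.append(f"Dropped file: {m.group(1)}")
    for entry in sections.get("Changes to registry", []):
        m = re.match(r'Creates value "(.+?)"="(.+?)" in key "(.+?)"', entry)
        if m and m.group(3).lower().endswith(r"\currentversion\run"):  # autorun key = persistence
            findings.append(f"Persistence: autorun entry {m.group(1)} -> {m.group(2)}")
    for entry in sections.get("Network services", []):
        m = re.match(r'Connects to "(.+?)" on port (\d+)', entry)
        if m:
            findings.append(f"Outbound connection: {m.group(1)}:{m.group(2)}")
    for entry in sections.get("Process/window information", []):
        m = re.match(r"Creates a mutex (\S+)", entry)
        if m:
            findings.append(f"Mutex (infection marker): {m.group(1)}")
    return findings

if __name__ == "__main__":
    for finding in tell_story(parse_summary(SAMPLE)):
        print(finding)
```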
Thanks for the tip. Another handy tool is InCtrl5, available free at http//