The multisandbox project keeps growing, short after the integration of Tencent Habo, VirusTotal Droidy and Cyber adAPT ApkRecon we are now welcoming Dr.Web vxCube. What is most exciting about this integration is that not only does it run executables, but also opens documents with potentially vulnerable software in order to spot exploits and characterize dropped malicious payloads.
In their own words:
Dr.Web vxCube was born inside Doctor Web Anti-Virus Laboratory. It is a hypervisor-based sandbox that uses agentless technology to analyze malware inside the operating system. It works incredibly fast and invisibly to the analyzed sample. Dr.Web vxCube offers comprehensive but intuitive reports containing information about sample’s behavior, created files and dumps, process graph, API log and network activity map. We are happy to bring our expertise to the VirusTotal community.
The following report examples highlight how useful this new integration is:
The following ones are particularly interesting as they exemplify how Dr.Web vxCube is able to spot exploitations triggered when opening a document, most specifically exploitation of CVE-2017-11882:
Make sure you also open the detailed report:
This will open up a far more insightful HTML capturing fine grained execution details that are presented in an aggregate fashion in the summarized behavior tab or perhaps not even included at all:
Behavior information is essential when diving into investigations because it allows analysts to pivot over certain indicators of compromise and discover other malicious files and network infrastructure that is related to the same campaign or attacker group. For instance, if we focus on the first CVE-2017-11882 file and open it up in VirusTotal Graph:
We can immediately get a sense of the file indeed being malicious (due to its connection to malicious items) but we may also easily discover the network infrastructure used by it, and most importantly, we get to see other malware served by that very same network infrastructure, without having to follow a huge amount of report links:
And this is precisely how we discover some of the deception techniques being used by the attackers behind this particular threat. The exploiting document communicates with a-dce.com, so do 3 other samples. By investigating these in VirusTotal Intelligence we get to see that some of those files were spotted as attachments in spam email files uploaded to VirusTotal, we can see the body of these messages and discover how they trick users into downloading and opening the exploiting document:
Fake purchase orders and invoices remain a common simple bait inducing users to execute malware. Having reached this point it would be a good moment to build a Yara rule to detect variants of this malware family and set them up in Malware Hunting in order to discover new threats created by the very same group and keep expanding the investigation graph.
We hope you find this new sandbox as exciting as we do. We already have more integrations in the pipeline and we are certain this will heavily contribute to identifying new threats and strengthening anti-malware defenses worldwide.
If you have a sandbox setup or develop dynamic malware analysis systems please contact us to join this effort.