Multisandbox project welcomes SecondWrite

We are excited to announce the integration of  SecondWrite into the multi-sandbox project. The multi-sandbox project’s goal is to aggregate many sandboxes in a similar fashion as the way we integrate Anti-Virus products. With this integration we are now up to X sandboxes including  ReaQta-Hive, Tencent HaboVirusTotal DroidyCyber adAPT ApkRecon and Dr. Web vxCube.  SecondWrite offers some cool features which we will detail below. 

In their own words:

SecondWrite’s next-generation malware detection engine delivers a combination of automatic deep code inspection and accurate scoring of zero-day malware. Its platform combines dynamic sandbox analysis with static analysis to leverage the best features of both. Its patented technology on forced code execution finds and executes hidden code paths that other sandboxes miss. It uses advanced neural networks that can auto-learn what suspicious code patterns to look for, without human-specified signatures. The neural networks are further enriched by its technology to detect evasive and anti-analysis features in malware.

To view the SecondWrite report make sure to check out the detailed report.

Within the detailed reports, for a quick summary, take a look at the detection scores and classifications.

Malware Score
Classification of different categories
Let’s dig a little deeper and see some more features:

Forced Code Execution (FCE)

See for example the file  fcd6c16a61b286bb6951e49869fcadbc9bf83bccf31dc2e3b3c8f7ad23d6054f.

Within the detailed report you can see the IOCs generated by the FCE feature, extracted by SecondWrite’s driver. In this example we see that the sample attempts to repeatedly call a a single API to avoid analysis. The FCE feature can rewrite one or more conditional statements to get the code sample to execute. Furthermore, some of the discovered events were characterized as Ransomware IOCs, Stealth IOCs, and Anti-Analysis IOCs.


Program-Level Indicators (PLI)


Typical hook-based approaches gather information about program behavior by capturing application to library function calls and application to kernel system calls. This approach is very effective at capturing how an application interacts with the underlying system through supported Application Program Interfaces (APIs), but it completely misses classes of evasion techniques intended to modify a program running in memory. SecondWrite’s Program-Level Indicators are patterns that can only be discovered by looking at the assembly instructions themselves. Frequently the instruction sequences chosen by malware have second-order effects that are beneficial only to malicious programs attempting to hide something. The following report contains two such examples: anti-binary translator code to defeat static analysis and an Import Address Table (IAT) bypass.

Machine learning can be very effective at finding subtle, multivariable associations that are impossible for a human to find. The most granular dataset to feed to a machine learner is sequences of assembly instructions. SecondWrite’s Automatic Sequence Detection technology is able to discern instruction sequences that are only found in malicious applications and give a confidence level. It is precise enough to limit false positives, but also broad enough to not be susceptible to artificial changes injected to malware strains such as is the case with polymorphic malware. The following report shows a sample that was determined to be malicious by Automatic Sequence Detection with a 93% confidence:

Next we can click on the relations tab, we can see how it’s related to other IP Addresses, Domains, and URLS.

In this graph we can see related files based on network communication, with common URLs, Domains and IP addresses:

Source: VirusTotal