How Deepviz supports your malware research

We believe malware investigations should be easy to carry out, effective and powerful.

This is the goal we want to achieve with Deepviz. With this blog post we want to show an example of what our SDK – a simple set of REST APIs – can do and how you could integrate it into your incident response workflow, as well as into an analysis pipeline.

Today we used our API to look at recently registered domains flagged as malicious. We are currently processing around 100,000 fresh malware samples every day, which feed the data in our Intel platform.

Let's take a look. We sent this request:

{
  "apikey": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "timestamp": ["3d"],
  "output_filters": ["whois"]
}

and the API returned this interesting domain marked as malicious:

{
	"status" : "success",
	"data" : {
		"jgpxwjttbbhw.pw" : {
			"score" : {
				"good" : 0,
				"malicious" : 1
			},
			"whois" : {
				"info" : {
					"updated_date" : ["2015-10-27 11:27:19"],
					"expiration_date" : ["2016-10-27 23:59:59"],
					"contacts" : {
						"registrant" : {
							"email" : "a0b37d8383db463a9ebf891dc72874c0.protect@whoisguard.com",
							"name" : "WhoisGuard Protected"
						}
					},
					"registrar" : ["NAMECHEAP INC"],
					"creation_date" : ["2015-10-27 11:27:16"]
				}
			}
		}
	}
}

The domain jgpxwjttbbhw.pw was registered on 27 October 2015, two days ago, through a WhoisGuard-protected service. Interesting enough. Let's have a look at the sample connecting to that domain:

{
  "apikey": "xxxxxxxxxxx",
  "url": ["jgpxwjttbbhw.pw"],
  "search_params": ["objects=5", "start_offset=0"]
}

Answer:

{
	"status" : "success",
	"data" : {
		"Total" : 1,
		"MD5" : [
			"c8ef44a9193504f54d6988bf9697d137"
		]
	}
}

Looking at our automated analysis report, it's easy to spot that it's a banking trojan, as it shows very common behavior like injecting its code into browsers and placing inline hooks on the following APIs:

HttpQueryInfoA
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpSendRequestW
InternetReadFileExA
HttpSendRequestA

Along with other user-mode hooks used to hide its presence on the system:

NtCreateProcessEx
NtCreateThread
NtCreateUserProcess
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread

Another cool feature of our SDK is the option to check whether a sample is similar to other samples already present in our database:

{
	"status" : "success",
	"data" : {
		"Total" : 63,
		"MD5" : [{
				"score" : 0.6564425770308123,
				"MD5" : "6e6896529cfaf9979d1681561424a219"
			}, {
				"score" : 0.5907179346834519,
				"MD5" : "c96b5da5917492bb8e3a89e73533ffc5"
			}, {
				"score" : 0.5857008340059188,
				"MD5" : "41fa83e0225888aa1625e4b56e0b2aaf"
			}, {
				"score" : 0.5782840722495894,
				"MD5" : "658a2d388c11db27f72c6ae3ed41ea6d"
			}, {
				"score" : 0.5647985336918537,
				"MD5" : "3a4618e85251904031397b0f94d3fcfb"
			}, {
				"score" : 0.5050692686262539,
				"MD5" : "1dc7d6ad1c1b922f10c4feb831d71805"
			}, {
				"score" : 0.5038733007327224,
				"MD5" : "36c7b218feb15625239adebdb5d85658"
			}, {
				"score" : 0.4894942157654021,
				"MD5" : "7e8c4390b2a057743a0a3170bac850ba"
			}, {
				"score" : 0.45920310512939877,
				"MD5" : "fb4f64565083d2cf7273ed502ad23333"
			}, {
				"score" : 0.4460298008092125,
				"MD5" : "b0a9a4558abf94f214288d79a86a91ca"
			}	]
	}
}

We found 63 different MD5s similar to the initial banking trojan (the list above was cut for brevity). When clustering the samples together, all of them fall into 2 clusters, which means they belong to the same family, divided into two sub-groups.
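
The three calls so far form one pivot: fresh malicious domains, then the samples contacting each domain, then samples similar to those. The following added example (not Deepviz SDK code) wires that pivot together over the response bodies quoted above. The response bodies are copied from the post; the HTTP layer is left to caller-supplied functions because the post does not give endpoint URLs, and the `ANALYSIS_TIME` and the 0.5 similarity cut-off are assumptions.

```python
# Added example (not Deepviz code): pivot through the three response shapes
# shown in the post. Response bodies are copied from the post; the HTTP layer
# is left to the caller because the post gives no endpoint URLs.
from datetime import datetime

DOMAIN_RESPONSE = {"status": "success", "data": {"jgpxwjttbbhw.pw": {
    "score": {"good": 0, "malicious": 1},
    "whois": {"info": {"creation_date": ["2015-10-27 11:27:16"],
                       "expiration_date": ["2016-10-27 23:59:59"],
                       "registrar": ["NAMECHEAP INC"]}}}}}
SAMPLES_RESPONSE = {"status": "success",
                    "data": {"Total": 1, "MD5": ["c8ef44a9193504f54d6988bf9697d137"]}}
SIMILAR_RESPONSE = {"status": "success", "data": {"Total": 63, "MD5": [
    {"score": 0.6564425770308123, "MD5": "6e6896529cfaf9979d1681561424a219"},
    {"score": 0.5907179346834519, "MD5": "c96b5da5917492bb8e3a89e73533ffc5"},
    {"score": 0.5857008340059188, "MD5": "41fa83e0225888aa1625e4b56e0b2aaf"},
    {"score": 0.5782840722495894, "MD5": "658a2d388c11db27f72c6ae3ed41ea6d"},
    {"score": 0.5647985336918537, "MD5": "3a4618e85251904031397b0f94d3fcfb"},
    {"score": 0.5050692686262539, "MD5": "1dc7d6ad1c1b922f10c4feb831d71805"},
    {"score": 0.5038733007327224, "MD5": "36c7b218feb15625239adebdb5d85658"},
    {"score": 0.4894942157654021, "MD5": "7e8c4390b2a057743a0a3170bac850ba"},
    {"score": 0.45920310512939877, "MD5": "fb4f64565083d2cf7273ed502ad23333"},
    {"score": 0.4460298008092125, "MD5": "b0a9a4558abf94f214288d79a86a91ca"}]}}

# Constructed "now": the post says the domain was registered two days earlier.
ANALYSIS_TIME = datetime(2015, 10, 29, 12, 0, 0)


def data_of(resp):
    """Fail loudly on anything but a successful response."""
    if resp.get("status") != "success":
        raise RuntimeError("API call failed: %r" % resp.get("status"))
    return resp["data"]


def fresh_malicious_domains(resp, now, max_age_days=7):
    """Domains scored malicious and registered within max_age_days: (domain, age, registrar)."""
    found = []
    for domain, entry in data_of(resp).items():
        if not entry.get("score", {}).get("malicious"):
            continue
        info = entry.get("whois", {}).get("info", {})
        created = info.get("creation_date") or [None]
        if created[0] is None:
            continue  # no WHOIS data: registration age cannot be judged
        age = (now - datetime.strptime(created[0], "%Y-%m-%d %H:%M:%S")).days
        if age <= max_age_days:
            found.append((domain, age, (info.get("registrar") or ["unknown"])[0]))
    return found


def samples_for_domain(resp):
    """MD5s of the samples observed contacting the queried domain."""
    return list(data_of(resp)["MD5"])


def similar_samples(resp, min_score=0.5):
    """MD5s whose similarity score is at least min_score."""
    return [e["MD5"] for e in data_of(resp)["MD5"] if e["score"] >= min_score]


def pivot(domain_resp, fetch_samples, fetch_similar, now, min_score=0.5):
    """Domain -> connecting samples -> similar samples, as one IoC report.

    fetch_samples(domain) and fetch_similar(md5) wrap the two API calls; their
    signatures are assumed here, not taken from the Deepviz SDK.
    """
    report = {}
    for domain, age, registrar in fresh_malicious_domains(domain_resp, now):
        seeds = samples_for_domain(fetch_samples(domain))
        related = set()
        for md5 in seeds:
            related.update(similar_samples(fetch_similar(md5), min_score))
        report[domain] = {"age_days": age, "registrar": registrar,
                          "seeds": seeds, "related": sorted(related - set(seeds))}
    return report


def demo():
    """Run the pivot against the responses quoted in the post."""
    return pivot(DOMAIN_RESPONSE, lambda domain: SAMPLES_RESPONSE,
                 lambda md5: SIMILAR_RESPONSE, ANALYSIS_TIME)


if __name__ == "__main__":
    for domain, info in demo().items():
        print(domain, info)
```

Checking `status` before touching `data`, and skipping domains without WHOIS data instead of guessing their age, are the two places a pipeline built on such responses usually breaks when run unattended.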

All 8 samples in group A (on the right) tried to connect to the domain xlcssfufckuh.biz, resolving to the IP 82.165.37.127.

With a similar API search we looked for all the samples connecting to that IP/domain and found a total of 210 unique MD5s. Clustering all of them, it's possible to identify 8 different families similar to each other:

Trojan families

One of those clusters groups all 8 samples of the group A family plus two additional MD5s not spotted initially, 6946bf0df54e323cb740a15dc6931bd2 and 64f5b0c836d92b72e3ca5944825b3ae1.

After further investigation, all these clusters turned out to be connected to the Tinba banking trojan, and the sample connecting to the recently registered domain was a new variant of it using a different, new RSA public key:

-----BEGIN PUBLIC KEY-----
MIICITANBgkqhkiG9w0BAQEFAAOCAg4AMIICCQKCAgB603o25wk9mgDqlYdXpufy
CjBBx21hin1BJtiFcvVpLv7v1PomHjYXnODrlhX1u3Yco84hMHeyXoARp6xs5OjY
AppHsjRqNSjBmTIrnjZKO5x9ShCevvCrNLnCckCw13NO9TjRKTmqn08fgfaEpw9c
WYnDh1ydkamFMJZkKk+fOjPbsJqr3Axr06FqpGVIiyQLzPbUpd6eHyMo0LvelwJc
d5E46gFtam/64mBSwzFkOZmZV9zzdy4RE/rhAXqL4/Kd1Srw/FAIBm0N/3BGjMkt
+5l1zhNMrALrn9t1ScCwXuz64fL5x+dT34BvrocFDh/4XcnNNwXcd0mqU9ybvSRm
KTrcD0LBdZgrW8EM0UtU94mejoAXeelDJrldaWGdjlvuIRsPVLFgK6A7yyxD7pRY
P43nS7YE2U9rzhIppffWVG1NqYXwbxfZWy82CVF2qnNaNfhNF2ZMdLKehawdpzO1
5QiTLyxNlAQljMin9TftbHNvpSq6PQrH4jsb3WMX/puIVDTi3bcGG4l4PhmVtCE0
iYRoyVQK7imdI7BHm7vYNnwfwtuGN0LohZP60LWnPPchLo0xN5YjqCgj1x3dqHHF
IMadDUxpgbIH6AnaCQiz9byM1iT/WJ3Vb85gTRu269PLC5/fB84tNIjjrHIR/7KJ
7nWERJ3LHInxWbB+2gkKOwIDAQAB
-----END PUBLIC KEY-----

The group A cluster identifies a variant of Tinba connecting to randomly generated domains (DGA) but always using the same URL path: /n0tru2t76hw2edqj/
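
Rotating domains with a fixed path is exactly what a proxy-log detection should key on: match the path regardless of host, alongside the domain and IP indicators quoted above. The following added example (not Deepviz code) runs such a check over a constructed proxy log; the log format, client addresses and the `.invalid`/`.example` hosts are made up, while the path, the two domains and the IP are the ones in the post. The vowel-ratio test is a cheap secondary heuristic for DGA-like labels, not part of the post.

```python
# Added example (not Deepviz code): detect the Tinba pattern in proxy logs by
# the fixed URL path plus the indicators quoted in the post.
from urllib.parse import urlsplit

C2_PATH = "/n0tru2t76hw2edqj/"                            # from the post
KNOWN_DOMAINS = {"jgpxwjttbbhw.pw", "xlcssfufckuh.biz"}   # from the post
KNOWN_IPS = {"82.165.37.127"}                             # from the post

# Constructed proxy log, one request per line: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2015-10-29T09:12:01Z 10.0.0.5 GET http://www.example.com/index.html 200
2015-10-29T09:12:07Z 10.0.0.5 POST http://jgpxwjttbbhw.pw/n0tru2t76hw2edqj/ 200
2015-10-29T09:13:44Z 10.0.0.7 POST http://qwrtpsdfghjk.invalid/n0tru2t76hw2edqj/ 404
2015-10-29T09:14:02Z 10.0.0.9 GET http://82.165.37.127/n0tru2t76hw2edqj/ 200
2015-10-29T09:15:30Z 10.0.0.5 GET http://intranet.example.org/news 200
"""

VOWELS = set("aeiou")


def looks_generated(host, min_len=10, max_vowel_ratio=0.25):
    """Cheap DGA heuristic: a long, all-letter label with almost no vowels."""
    for label in host.lower().split(".")[:-1]:       # ignore the TLD
        if len(label) >= min_len and label.isalpha():
            ratio = sum(c in VOWELS for c in label) / len(label)
            if ratio < max_vowel_ratio:
                return True
    return False


def analyze(log_text):
    """Return one record per suspicious request with the reasons it was flagged."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the whole run
        url = urlsplit(parts[3])
        host = url.hostname or ""
        reasons = []
        if host in KNOWN_DOMAINS:
            reasons.append("known-domain")
        if host in KNOWN_IPS:
            reasons.append("known-ip")
        if url.path == C2_PATH:            # the path survives every domain rotation
            reasons.append("c2-path")
        if looks_generated(host):
            reasons.append("dga-like-host")
        if reasons:
            hits.append({"line": lineno, "client": parts[1], "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(hit)
```

The third log line is the case that matters: a host nobody has seen before is still caught because the path never changes, which is why the path is the more durable indicator of the two.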

The list of MD5s grouped in group A is:

c8ef44a9193504f54d6988bf9697d137
658a2d388c11db27f72c6ae3ed41ea6d
c96b5da5917492bb8e3a89e73533ffc5
6e6896529cfaf9979d1681561424a219
36c7b218feb15625239adebdb5d85658
41fa83e0225888aa1625e4b56e0b2aaf
3a4618e85251904031397b0f94d3fcfb
6946bf0df54e323cb740a15dc6931bd2
64f5b0c836d92b72e3ca5944825b3ae1
1dc7d6ad1c1b922f10c4feb831d71805

All of them share the same RSA public key except the first one, the sample from which we started our deep dive.
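
To compare samples by key, as done here, the extracted PEM blocks have to be reduced to something comparable. The following added example (not Deepviz code) parses the public key quoted above with only the Python standard library, reports the modulus size and exponent, and fingerprints the DER encoding so keys pulled from different samples can be matched; the key material is the one in the post, and the small DER reader is written for RSA SubjectPublicKeyInfo only.

```python
# Added example (not Deepviz code): decode the post's PEM public key with the
# standard library only, so samples can be compared by key fingerprint.
import base64
import hashlib

# Public key quoted in the post for the new Tinba variant.
TINBA_VARIANT_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIICITANBgkqhkiG9w0BAQEFAAOCAg4AMIICCQKCAgB603o25wk9mgDqlYdXpufy
CjBBx21hin1BJtiFcvVpLv7v1PomHjYXnODrlhX1u3Yco84hMHeyXoARp6xs5OjY
AppHsjRqNSjBmTIrnjZKO5x9ShCevvCrNLnCckCw13NO9TjRKTmqn08fgfaEpw9c
WYnDh1ydkamFMJZkKk+fOjPbsJqr3Axr06FqpGVIiyQLzPbUpd6eHyMo0LvelwJc
d5E46gFtam/64mBSwzFkOZmZV9zzdy4RE/rhAXqL4/Kd1Srw/FAIBm0N/3BGjMkt
+5l1zhNMrALrn9t1ScCwXuz64fL5x+dT34BvrocFDh/4XcnNNwXcd0mqU9ybvSRm
KTrcD0LBdZgrW8EM0UtU94mejoAXeelDJrldaWGdjlvuIRsPVLFgK6A7yyxD7pRY
P43nS7YE2U9rzhIppffWVG1NqYXwbxfZWy82CVF2qnNaNfhNF2ZMdLKehawdpzO1
5QiTLyxNlAQljMin9TftbHNvpSq6PQrH4jsb3WMX/puIVDTi3bcGG4l4PhmVtCE0
iYRoyVQK7imdI7BHm7vYNnwfwtuGN0LohZP60LWnPPchLo0xN5YjqCgj1x3dqHHF
IMadDUxpgbIH6AnaCQiz9byM1iT/WJ3Vb85gTRu269PLC5/fB84tNIjjrHIR/7KJ
7nWERJ3LHInxWbB+2gkKOwIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def pem_to_der(pem):
    """Strip the PEM armour and return the DER bytes."""
    body = [ln.strip() for ln in pem.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def read_tlv(buf, pos=0):
    """Parse one DER tag-length-value; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """SubjectPublicKeyInfo -> modulus size, exponent and a SHA-256 fingerprint."""
    tag, spki, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, alg, pos = read_tlv(spki)                # AlgorithmIdentifier
    oid_tag, oid, _ = read_tlv(alg)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = read_tlv(spki, pos)          # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected BIT STRING")
    tag, rsakey, _ = read_tlv(bitstr[1:])         # SEQUENCE { n INTEGER, e INTEGER }
    tag_n, n_bytes, pos = read_tlv(rsakey)
    tag_e, e_bytes, _ = read_tlv(rsakey, pos)
    if tag != 0x30 or tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("malformed RSAPublicKey")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "sha256": hashlib.sha256(der).hexdigest()}


def same_key(pem_a, pem_b):
    """True when two PEM blobs carry byte-identical SubjectPublicKeyInfo."""
    fp = lambda pem: parse_rsa_spki(pem_to_der(pem))["sha256"]
    return fp(pem_a) == fp(pem_b)


if __name__ == "__main__":
    print(parse_rsa_spki(pem_to_der(TINBA_VARIANT_PUBKEY_PEM)))
```

Hashing the DER rather than the PEM text makes the fingerprint independent of line wrapping, so a key carved from a memory dump and one printed in a report match when they are the same key.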

Deepviz automatically classified the sample as malicious thanks to our AI classifier, supported by our automated clustering platform.