We are happy to announce the immediate availability of SEKOIA Dropper Analysis, our new malware analysis service.
You can access it at https://malware.sekoia.fr.
SEKOIA Dropper Analysis is a malware analysis application with a focus on droppers. Droppers are often the first stage of a malware infection and can take several forms; their goal is simply to install and execute a second-stage malware on the system.
Because we do not always want, or have the time, to wait for a full sandbox run, SEKOIA Dropper Analysis tries to extract payload delivery URLs, dropped files and deobfuscated scripts quickly. Partial results appear as soon as they become available.
“FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor”
See Proofpoint’s detailed analysis.
The analysis identifies it as a Word document with macros:
Dynamic analysis of the file shows that it drops a file on the system that will then be executed with a scheduled task:
Downloading the “Deobfuscated Scripts” will get you the deobfuscated backdoor.
“Spoofed SEC Emails Distribute Evolved DNSMessenger”
See Talos’ detailed analysis.
This document does not use macros; instead it leverages the DDE protocol to execute a command automatically:
Dynamic analysis confirms that the command is executed:
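The two Word cases above (a macro-carrying document, and a document that uses a DDE field instead of macros) can be pre-screened statically before any sandbox run. The following is an added example for this post, not code from SEKOIA Dropper Analysis or from the tools it uses: it inspects an OOXML document with the standard library only, reports whether a VBA project is present, collects DDE/DDEAUTO field instructions, and pulls URLs out of them. The sample document it builds is constructed for the example (the `vbaProject.bin` part is a placeholder, the DDE command is a placeholder string, and `example.invalid` is not a real host).

```python
"""Static first-pass triage of an OOXML Word document (.docx/.docm).

Added example for this post (not SEKOIA Dropper Analysis code). It uses only the
standard library and answers three questions quickly, before any sandbox run:
does the file carry a VBA project, does it contain DDE/DDEAUTO field codes, and
what URLs appear in those field instructions.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
DDE_RE = re.compile(r"^\s*DDE(AUTO)?(?![A-Za-z])", re.IGNORECASE)


def _field_instructions(root):
    """Collect field instructions: complex fields (w:instrText runs, joined per
    paragraph because Word splits one instruction across several runs) and
    simple fields (w:fldSimple with a w:instr attribute)."""
    instrs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        text = "".join(t.text or "" for t in p.iter(f"{{{W_NS}}}instrText"))
        if text.strip():
            instrs.append(text)
    for f in root.iter(f"{{{W_NS}}}fldSimple"):
        instrs.append(f.get(f"{{{W_NS}}}instr") or "")
    return instrs


def triage_ooxml(data: bytes) -> dict:
    """Return macro / DDE / embedded-object / URL indicators for an OOXML file."""
    result = {"macros": False, "dde_fields": [], "embedded": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A VBA project is stored as a vbaProject.bin part (word/, xl/ or ppt/).
        result["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Embedded OLE objects and packages live under <root>/embeddings/.
        result["embedded"] = [n for n in names if "/embeddings/" in n.lower()]
        for name in names:
            if not (name.startswith("word/") and name.lower().endswith(".xml")):
                continue
            for instr in _field_instructions(ET.fromstring(zf.read(name))):
                # First-pass check only: real samples also hide the keyword
                # behind QUOTE fields or odd spacing.
                if DDE_RE.match(instr):
                    result["dde_fields"].append(instr.strip())
                    result["urls"].extend(URL_RE.findall(instr))
    return result


def build_sample_docx(with_macro: bool = True, with_dde: bool = True) -> bytes:
    """Constructed minimal .docx for this example (not a real sample).
    The DDE instruction is split across two instrText runs, as Word does,
    and the vbaProject.bin part is a placeholder, not a real VBA project."""
    field_runs = ""
    if with_dde:
        field_runs = (
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
            '<w:r><w:instrText xml:space="preserve">"/c placeholder-fetch http://example.invalid/stage2"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:t>Error! Unknown document property name.</w:t></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        '<w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p>'
        f'<w:p>{field_runs}</w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("dde+macro", build_sample_docx()),
                       ("clean", build_sample_docx(with_macro=False, with_dde=False))):
        print(label, triage_ooxml(doc))
```

Joining the `instrText` runs per paragraph matters: Word routinely splits one field instruction across several runs, so a check that looks at each run in isolation misses the `DDEAUTO` keyword. The check is deliberately a first pass; it flags the field so that a full run of the document (as in the Talos case above) can confirm what the command does.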
Locky / Dridex inside malicious PDFs
We recently saw Locky and Dridex samples delivered inside malicious PDFs. The malicious PDF files actually contained a Word document as an attachment:
Looking at the embedded document, we see that it is downloading an executable file:
The whole logic can be seen quickly in the “Relations” graph:
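For the PDF-with-attachment case, the first thing an analyst wants is the embedded document itself, plus a quick count of the PDF features that make the file worth a closer look. The following is an added example for this post, not code from SEKOIA Dropper Analysis or from peepdf: with the standard library only, it counts suspicious PDF keywords, locates `/EmbeddedFile` streams, inflates them and identifies the attachment by its magic bytes. PDF names may be written with `#xx` hex escapes (for instance `/Embedded#46ile`), so names are normalised before matching. The PDF it builds is constructed for the example: the attachment is a placeholder starting with the zip magic bytes, not a real Word document, and the `/OpenAction` script is a placeholder string.

```python
"""Static triage of a PDF that carries an attachment, e.g. a Word document.

Added example for this post (not SEKOIA Dropper Analysis or peepdf code), standard
library only. It counts the PDF keywords worth a second look, then locates
/EmbeddedFile streams, inflates them and identifies the attachment by its magic
bytes. Names in PDFs may be written with #xx escapes (/Embedded#46ile), so they
are normalised before matching.
"""
import re
import zlib

SUSPICIOUS = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/ObjStm"]
# "N G obj <dict> stream\n<data>\nendstream", never crossing an endobj
OBJ_STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj((?:(?!endobj).)*?)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# direct /Length 123 only; an indirect reference such as /Length 7 0 R is skipped
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\d)(?!\s+\d+\s+R)")

# Constructed placeholder attachment: zip magic bytes, not a real archive.
SAMPLE_ATTACHMENT = b"PK\x03\x04" + b"\x00" * 26 + b"constructed docx placeholder, not a real archive"


def normalize_names(chunk: bytes) -> bytes:
    """Resolve #xx hex escapes used inside PDF names."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), chunk)


def guess_kind(body: bytes) -> str:
    """Identify an extracted attachment by its leading magic bytes."""
    if body.startswith(b"PK\x03\x04"):
        return "zip/OOXML (docx, xlsx, ...)"
    if body.startswith(b"\xd0\xcf\x11\xe0"):
        return "OLE2 compound file (doc, xls, ...)"
    if body.startswith(b"MZ"):
        return "PE executable"
    if body.startswith(b"%PDF"):
        return "PDF"
    return "unknown"


def triage_pdf(data: bytes) -> dict:
    """Count suspicious keywords and extract /EmbeddedFile streams."""
    norm = normalize_names(data)
    keywords = {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", norm))
                for k in SUSPICIOUS}
    attachments = []
    for m in OBJ_STREAM_RE.finditer(data):
        objnum, dict_text, body = int(m.group(1)), normalize_names(m.group(2)), m.group(3)
        if not re.search(rb"/EmbeddedFile(?![A-Za-z])", dict_text):
            continue
        length = LENGTH_RE.search(dict_text)
        if length:  # prefer the declared length over the endstream marker
            start = m.start(3)
            body = data[start:start + int(length.group(1))]
        if b"/FlateDecode" in dict_text:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # keep the raw bytes; a damaged stream is itself worth noting
        attachments.append({"obj": objnum, "size": len(body),
                            "kind": guess_kind(body), "data": body})
    return {"keywords": keywords, "attachments": attachments}


def build_sample_pdf(attachment: bytes) -> bytes:
    """Constructed minimal PDF (example only): the attachment in a Flate-compressed
    /EmbeddedFile stream, listed in the catalog's /EmbeddedFiles name tree, plus an
    /OpenAction with a placeholder script. The xref table is omitted; lenient
    readers and this triage do not need it. The stream's /Type is written as
    /Embedded#46ile to exercise the name normalisation."""
    compressed = zlib.compress(attachment)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R "
        b"/Names << /EmbeddedFiles << /Names [(invoice.docx) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (invoice.docx) /EF << /F 6 0 R >> >>",
        b"<< /S /JavaScript /JS (placeholder-script) >>",
    ]
    out = [b"%PDF-1.7\n"]
    for num, body in enumerate(objs, start=1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (num, body))
    out.append(b"6 0 obj\n<< /Type /Embedded#46ile /Filter /FlateDecode /Length %d >>\n"
               b"stream\n" % len(compressed))
    out.append(compressed + b"\nendstream\nendobj\n")
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


if __name__ == "__main__":
    report = triage_pdf(build_sample_pdf(SAMPLE_ATTACHMENT))
    print(report["keywords"])
    for a in report["attachments"]:
        print(f"obj {a['obj']}: {a['kind']}, {a['size']} bytes")
```

A non-zero `/ObjStm` count is the caveat to remember: objects packed inside object streams are compressed and invisible to this kind of keyword scan, which is where a real PDF parser such as peepdf earns its place. The extracted attachment can then be handed to whatever document triage you use, exactly as the “Relations” graph above chains the PDF to the Word document to the downloaded executable.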
How does it work?
It is a mix of proprietary and open-source tools orchestrated so that they work well together.
The following open-source tools are involved:
- FAME – https://certsocietegenerale.github.io/fame/
- malware-jail – https://github.com/HynekPetrak/malware-jail
- box-js – https://github.com/CapacitorSet/box-js
- oletools – https://www.decalage.info/python/oletools
- ViperMonkey – https://github.com/decalage2/ViperMonkey
- Lazy Office Analyzer – https://github.com/tehsyntx/loffice
- peepdf – http://eternal-todo.com/tools/peepdf-pdf-analysis-tool
Of course, no malware analysis service is perfect, and this one is no exception.
The service should be considered beta software. If you identify bugs during an analysis or if you have suggestions on how to improve the service, we’re happy to receive your feedback at firstname.lastname@example.org.
We hope you will find SEKOIA Dropper Analysis useful.