Announcing SEKOIA Dropper Analysis

We are happy to announce the immediate availability of SEKOIA Dropper Analysis, our new malware analysis service.

You can access it at https://malware.sekoia.fr.

SEKOIA Dropper Analysis is a malware analysis application with a focus on droppers. Droppers are often the first stage of a malware infection and can take several forms; their single goal is to install and execute a second-stage malware on the system.


More specifically, SEKOIA Dropper Analysis focuses only on a reduced set of supported file types: documents (Microsoft Office, PDF) and scripts (JavaScript, VBScript, encoded or not). No analysis is performed on executable files.

Because we do not always want or have the time to wait for a full sandbox run, SEKOIA Dropper Analysis will try to extract payload delivery URLs, dropped files and deobfuscated scripts quickly. Partial results appear as soon as they become available.

Examples

“FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor”

See Proofpoint’s detailed analysis.

As we can see, this is a Word document with macros:

Dynamic analysis of the file shows that it drops a file on the system that will then be executed with a scheduled task:

Looking at the analysis performed on the debug.txt file, we see that this is a JavaScript file and that it tried to connect to a URL:

Downloading the “Deobfuscated Scripts” will get you the deobfuscated backdoor.

Link to the analysis: https://malware.sekoia.fr/results/d2c90bf2ade012b1133bff16d68a808b1d5ea9f84f6ccc914334f5c791cffc5c

“Spoofed SEC Emails Distribute Evolved DNSMessenger”

See Talos’ detailed analysis.

This special document does not leverage macros but the DDE protocol in order to execute a command automatically:

Dynamic analysis confirms that the command is executed:

Link to the analysis: https://malware.sekoia.fr/results/1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428

Locky / Dridex inside malicious PDFs

We recently saw Locky and Dridex samples delivered inside malicious PDFs. The malicious PDF files actually contained a Word document as attachment:

Looking at the embedded document, we see that it is downloading an executable file:

The whole logic can be seen quickly in the “Relations” graph:

Link to the analysis: https://malware.sekoia.fr/results/d5c88c505e51caa5f07cfb8cafa8e4a71f21e40974310cc35c8ce44df5f29375
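The PDF-wrapping-a-Word-document chain above is what a static triage pass can surface before any sandbox run. The following added example (our illustration, not SEKOIA's code) scans raw PDF bytes for embedded-file attachments and automatic actions; the PDF bytes are a constructed sample and the verdict logic is our own assumption.

```python
import os
import re

# Constructed sample (not a real malware file): a minimal PDF whose catalog has an
# EmbeddedFiles name tree pointing at a Filespec for a macro-enabled Word document,
# plus an OpenAction, mirroring the PDF-wrapping-a-Word-document chain described above.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >> /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
4 0 obj << /Names [(invoice.docm) 5 0 R] >> endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 7 0 R >> >> endobj
6 0 obj << /S /JavaScript /JS (app.alert("constructed sample");) >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""
# Clean comparison sample (constructed): no attachments, no automatic actions.
CLEAN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

# Attachment types a dropper chain typically hands to the next stage (this page's file
# types: Office documents and scripts), plus executables. Assumed list, not exhaustive.
RISKY_EXT = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe"}

FILESPEC_RE = re.compile(rb"/Filespec[^>]*?/F\s*\(([^)]*)\)")  # literal-string /F names only
AUTO_ACTION_RE = {
    "OpenAction": rb"/OpenAction\b",        # action fired when the document is opened
    "AA": rb"/AA\b",                        # additional-actions dictionary (page/field events)
    "JavaScript": rb"/JavaScript\b|/JS\b",
    "Launch": rb"/Launch\b",
}

def triage_pdf(data: bytes) -> dict:
    """Static triage for the embedded-document dropper pattern, on raw bytes.
    Caveat: objects packed into compressed object streams (/ObjStm) are invisible to this
    scan, so has_object_streams=True means 'decompress first' rather than 'clean'."""
    attachments = [m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(data)]
    risky = [a for a in attachments if os.path.splitext(a.lower())[1] in RISKY_EXT]
    actions = sorted(k for k, pat in AUTO_ACTION_RE.items() if re.search(pat, data))
    verdict = "suspicious" if risky else ("review" if attachments or actions else "clean")
    return {
        "embedded_file_streams": len(re.findall(rb"/EmbeddedFile\b", data)),
        "attachments": attachments,
        "risky_attachments": risky,
        "auto_actions": actions,
        "has_object_streams": b"/ObjStm" in data,
        "verdict": verdict,
    }
```

A "clean" verdict from this scan is only meaningful when has_object_streams is False; hex-encoded string names are also not parsed here.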

How does it work?

It is a mix of proprietary and open-source tools orchestrated so that they work well together.

The following open-source tools are involved:

Final Words

Of course, no malware analysis service is perfect, and this one is no exception.

The service should be considered beta software. If you identify bugs during an analysis or if you have suggestions on how to improve the service, we’re happy to receive your feedback on malware@sekoia.fr.

We hope you will find SEKOIA Dropper Analysis useful.


Written by: Gael Muller
