A SecondWrite blog series

Introduction

At SecondWrite, we analyzed the EpicNet sample (Malware SHA256 Hash: A2C0B6D31DC39ED651B29729C10E748073001DD4F58F599E5B418954B4ECCA5D) using SecondWrite’s DeepView sandbox (no manual analysis) and two other leading commercial sandboxes. We present our detailed results below. 

This blog describes how the SecondWrite sandbox caught a variety of dynamic behavior from this malware that other leading sandboxes missed, including network traffic, APIs, DNS requests, malicious domains, dropped files, registry keys, mutexes, and WMI queries.

The SecondWrite DeepView malware processing engine is built on three unique features (i) Forced Code Execution (FCE), (ii)  Program Level Indicators (PLI), and (iii) Automatic Sequence Detection (ASD) that all feed into our deep learning based machine learning models used to classify samples and provide a maliciousness score. These three unique technologies are further explained here

EpicNet is a good example of a malware sample that benefits from our patented Forced Code Execution (FCE) technology. Interestingly, one leading sandbox actually notes that only 4.1% of APIs were actually executed in their sandbox. Here are some glimpses of the kind of information that DeepView has extracted that other sandboxes have missed. For the complete report or the malware sample or the pcap files, please contact us at info@secondwrite.com 

Here is a breakdown of what we found for this sample that was not found by other tools:

HTTP

Other leading sandboxes have not extracted any network traffic from this malware sample whereas DeepView used FCE to extract all the HTTP requests this sample can make on the victim computer. 

Suspicious features related to network traffic were shown in our report whereas none of the other leading sandboxes were able to extract this information since they have no network information in their reports.

DNS

DNS requests made by this malware. None of the other sandboxes have been able to extract this information since this sample uses an early termination evasion to prevent other sandboxes from seeing these requests. Our FCE on this sample executed code along all dormant paths exposing this behavior. 

Resolution of the malicious domains. Other sandboxes have only been able to extract static information showing that Russian data was embedded in this sample, however; DeepView has been able to reveal the exact Russian domain that was contacted and also classify it as a malicious domain.

IP

We have also been able to produce a network traffic graph. 

Raw PCAP

Our Pcap files capture all this network data whereas other leading sandboxes in the market produce empty pcap files. Contact us if you want to obtain these pcap files.

Stealthy Payload Installation

New path and executable that was created on the system. No other leading sandbox was able to uncover this information. 

Clandestine Mutex

Creation of a new mutex. 

Secret Registry Keys

Registry Keys that were created. Note that all the ones related to cloudnet.exe have been captured.


Concealed WMI Results

Other sandboxes have been able to identify WMI queries only statically, however; DeepView has actually executed them and has been able to produce its actual arguments. 

Conclusion

Whether you’re responding to an incident, proactively hunting for traces of this malware, enriching a threat feed, or trying to follow an exfil path, you need all the indicators to get the full picture. Had you used any other, you would have missed some really critical indicators:

  1. Network communication to malicious domains including some in Russia that then carry out the malicious activity. 
  2. Creation of a new executable (cloudnet.exe) which is likely the next stage in the attack 
  3. Modification to the windows registry to establish persistence

Each of these behaviors is critical regardless of the use case for the analysis and were used to classify this sample as a trojan on day zero.  

EpicNet Description

The EpicNet malware (often manifested as cloudnet.exe) is a very harmful Trojan. Alternate names for it include Glupteba.

It runs in the background of the victim’s computer and establishes a backdoor to its creators who then take complete control of the victim’s computer. It can then be used to perform any of the following activities: 

  1. Mine crypto-currency on the computer in the background for many days before the victim finds out. 
  2. Hijack the victim’s browser and then run ads on it and completely slow down the victim’s computer. 
  3. Delete, change or corrupt any of the software or data present on the victim’s computer. 
  4. Perform online fraud or theft using the victim’s computer. 
  5. Install other malicious software on the victim’s computer including spyware and most recently ransomware. 
  6. Turn the victim’s computer into a bot that can then infect other computers in the system. 
  7. Change the victim computer’s registry and make it completely useless. 
  8. Steal email credentials and personal information from the victim’s computer
  9. Excessively run things on the victim’s computer, heating it up. 
  10.  Start redirecting the user to malicious websites. 

It can be present on a victim’s computer for many days before the user notices anything other than high CPU usage. By this time, the creators would have done days of malice and stolen the victim’s personal information. Hence, using SecondWrite can enable security providers to identify such malicious sample on day-zero showing them all the behavior that this sample may exhibit on the victim computer. 

Please contact us at info@secondwrite.com for the malware sample, pcap files or the full report that contains the following: 

  1. Malware Score
  2. All Indicators of Compromise
  3. Static imports and strings 
  4. Static section information, 
  5. Matched YARA patterns
  6. Detailed process graph
  7. Detailed APIs
  8. Files written, read, opened and copied
  9. Registry Keys opened, read and written
  10. Detailed Network information of all the IP addresses contacted. 
  11. Network Map 
  12. Detailed file information 

We offer evaluation licenses for DeepView. You can sign-up for a free trial here

Sample File Details

The file we used in this installment had the following hash values:

SHA256: A2C0B6D31DC39ED651B29729C10E748073001DD4F58F599E5B418954B4ECCA5D

SHA1: 7cfd717dfed0cb1d6a08da3020290ab536b36c4a

MD5: 61b7f33df6de4daada0c24e97d31cf7e

Aparna Kotha

Aparna Kotha

Co-founder and Chief of Product Development

Aparna Kotha has over six years of experience as a startup manager and entrepreneur in the cyber-security and enterprise software space. She is a founding member of SecondWrite and has led its product development from the early days. She manages customer on-boarding & support at SecondWrite. She has also showcased the SecondWrite product at various technology conferences and trade-shows. Aparna has over ten years of experience in binary rewriting, program analysis, compilers and algorithms. Prior to SecondWrite, she received a PhD from University of Maryland(UMD), College Park in Spring 2013. She has authored over 14 papers and 4 patents.