Author Topic: Malware Analysis Online Services  (Read 38096 times)

October 26, 2009, 07:57:34 am
Reply #15

SysAdMini

Xandora by Panda
http://xandora.security.net.my/index.php

Quote
Xandora is a service for analyzing malware.
Submit your Windows executable and receive an analysis report telling you what it does.

Ruining the bad guy's day

October 31, 2009, 04:32:54 am
Reply #16

SysAdMini

Ruining the bad guy's day

February 11, 2010, 10:40:50 pm
Reply #17

SysAdMini

Ruining the bad guy's day

February 25, 2010, 09:58:57 pm
Reply #18

hamzehokour


May 02, 2010, 09:52:32 am
Reply #19

SysAdMini

JoeDoc

http://joedoc.org/

Quote
Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.

In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.

To check if your pdf contains any malicious content follow the instructions below:

   1. Add your pdfs (with .pdf extension) to a zip and protect the zip with the password "infected".
   2. Send your zip file to submit@joedoc.org as an email attachment.
   3. Wait for the result which is sent back after a short while.


By submitting data to Joedoc you agree to the following terms and conditions.

Be patient we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.
Ruining the bad guy's day

May 02, 2010, 10:11:25 am
Reply #20

cleanmx

Quote
JoeDoc

http://joedoc.org/

Quote
Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.

In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.

To check if your pdf contains any malicious content follow the instructions below:

   1. Add your pdfs (with .pdf extension) to a zip and protect the zip with the password "infected".
   2. Send your zip file to submit@joedoc.org as an email attachment.
   3. Wait for the result which is sent back after a short while.


By submitting data to Joedoc you agree to the following terms and conditions.

Be patient we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.

Stefan told me about this 3 weeks ago, but I think joebox is much better...

I currently submit all executables, all PDFs!!! and all rars and zips to joebox. I think the reports are fantastic... to dig in deeper.

-- gerhard

July 20, 2010, 06:25:31 pm
Reply #21

SysAdMini

viCHECK.ca

https://vicheck.ca/

Quote
We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address.

Our scanning system will automatically process and email you back a report about your submitted files. Occasionally we may contact you for more information about particularly interesting samples, together we can help make the internet a safer place for everyone.

For your convenience, you can also forward your malware samples by email to hereyougo@vicheck.ca . Please try to include the full email headers wherever possible (you may need to view headers then copy and paste them into the forwarded message.)
Ruining the bad guy's day

August 31, 2010, 04:10:13 pm
Reply #22

SysAdMini

pdf examiner
http://www.malwaretracker.com/pdf.php

Quote
View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits (CVE-2007-5659, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009-1493, CVE-2010-0188 and embedded /Action commands), process PDF compression (FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode), encryption (128 bit AESV2), and obfuscation (unicode, Hex, fromCharCode). Browse objects.

shellcode analysis
http://www.malwaretracker.com/shellcode.php
Ruining the bad guy's day

December 20, 2010, 02:22:04 am
Reply #23

Kensley

Does anyone know what was used to produce this report? Seems like a nice little tool!

December 20, 2010, 06:20:22 am
Reply #24

foks

Quote
Does anyone know what was used to produce this report? Seems like a nice little tool!

The report looks similar to http://www.spamfighter.com/VIRUSfighter/Archive/17133-W32_Bagle_AK-1.asp, which is based on Norman Sandbox.

May 19, 2011, 11:21:59 am
Reply #25

SysAdMini

Malbox
http://malbox.xjtu.edu.cn/

report example
Code:
                 .__  ___.                   
  _____  _____   |  | \_ |__    ____ ___  ___
/     \ \__  \  |  |  | __ \  /  _ \\  \/  /
|  Y Y  \ / __ \_|  |__| \_\ \(  <_> )>    <
|__|_|  /(____  /|____/|___  / \____//__/\_ \
      \/      \/           \/              \/
                                                   
=====Sample Summary=====
File name: sample.exe
MD5: 439C24E6CA0CD8CE7986F834B83A70FC
SHA1: A002376D70F119E2DFA6EE2FC50389565A767065
SHA256: DFD5F008815BE4735799BD05515C7B3130224AE3A965BF3704290583295A41E1

=====Major Threats=====
[Create file in sensitive path] C:\flash.exe

=====Behavior Details=====

Create process:
sample.exe --> C:\WINDOWS\system32\cmd.exe
cmd.exe --> C:\WINDOWS\system32\reg.exe
sample.exe --> C:\WINDOWS\system32\ntvdm.exe

Create remote thread:
sample.exe --> cmd.exe
cmd.exe --> reg.exe
sample.exe --> ntvdm.exe

Create file:
sample.exe --> C:\WINDOWS\TEMP\HXVsB.bat
sample.exe --> C:\flash.exe
ntvdm.exe --> C:\WINDOWS\TEMP\scs3.tmp
ntvdm.exe --> C:\WINDOWS\TEMP\scs4.tmp

Delete file:
sample.exe --> C:\WINDOWS\Temp\HXVsB.bat
ntvdm.exe --> C:\WINDOWS\Temp\scs3.tmp
ntvdm.exe --> C:\WINDOWS\Temp\scs4.tmp

Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\000000000004548d
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic\6.0

Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0B E5 62 E5 B9 F0 31 EF ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F4 88 48 6C 27 F7 42 30 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7A 3E 68 8B E6 73 24 75 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [42 80 88 9C 4D 6D EB 0B ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [01 66 20 39 AE 97 DC 28 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [9F 9C 41 0F 46 15 A5 E3 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2B E5 64 F7 57 D9 C1 0F ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D7 8C AB 02 A8 DB E5 CC ...]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\我的文档"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ["C:\Documents and Settings\All Users\Documents"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\桌面"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ["C:\Documents and Settings\All Users\桌面"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\TEMP\HXVsB.bat ["HXVsB"]
reg.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CD 36 74 BD CB 46 EE A1 ...]
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run\flash ["\flash.exe"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\flash.exe ["flash"]
Ruining the bad guy's day

October 17, 2011, 07:16:01 pm
Reply #26

x0ner


January 03, 2012, 10:24:56 pm
Reply #27

shellc0de

http://pyms86.appspot.com/

Very useful when you don't have a copy of IDA on hand and you found some shellcode...

January 23, 2012, 08:40:14 am
Reply #28

SysAdMini

malwr
http://malwr.com/

Quote
Malwr.com is a free malware analysis service.

It allows you to analyze suspicious files and extract information on their process and network behavior while being executed. It's built on top of an open source malware analysis system called Cuckoo Sandbox, which is developed and maintained by the same people behind this website: http://cuckoobox.org/
Ruining the bad guy's day

January 26, 2012, 08:56:02 am
Reply #29

SysAdMini

Ruining the bad guy's day