Malware Domain List
Malware Related => Malware Analysis => Topic started by: sowhat-x on December 07, 2007, 03:25:01 am
-
...A quick short list of online malware analysis services, in order to make life easier...
Note that it is absolutely NOT necessary to make use of the following services
before submitting direct links to sites hosting malware/exploits etc.:
this is completely up to your own personal choice... :)
UploadMalware
http://www.uploadmalware.com/
From our good friend CM_MWR, lol... ;D
VirusTotal
Provided by Hispasec Sistemas S.L.
http://www.virustotal.com/
Jotti's malware scan
Created and provided by Jordi Bosveld
http://virusscan.jotti.org/
Anubis
-------
Sponsored by Secure Business Austria
Developed by Secure Systems Lab (Vienna University of Technology)
http://analysis.seclab.tuwien.ac.at/
ThreatExpert
--------------
Developed by the team of professionals who created PC Tools' flagship products.
http://www.threatexpert.com/default.aspx
VirSCAN Online AV Scanner
http://virscan.org/
Filterbit
http://www.filterbit.com/
-
analyze malware behavior
http://research.sunbelt-software.com/Submit.aspx
http://www.norman.com/microsites/nsic/ (linked via anubis (http://analysis.seclab.tuwien.ac.at/links.php))
http://www.joebox.org/ (linked via anubis)
https://www.microsoft.com/security/portal/submit.aspx
scan web pages
http://linkscanner.explabs.com/linkscanner/default.asp
http://online.drweb.com/
not sure about this one:
http://scanner.virus.org/
-
Assiste.com.free.fr
http://assiste.com.free.fr/p/antivirus_gratuits_en_ligne/envoyer_un_echantillon_par_email_a_l_analyse.html
Not a virus/malware analysis service, but a (French-speaking) site
that maintains a frequently updated list of all AV companies' current mail addresses,
i.e. so that someone can easily send a sample to most of them at once...
-
WOW, Anubis made it to this list :-) I just found out about this great site at the DeepSec conference in November 2007 in Vienna.
Here's another site like Anubis (in some ways better, in other ways not):
http://cwsandbox.org/
-
http://www.norman.com/microsites/nsic/ (linked via anubis (http://analysis.seclab.tuwien.ac.at/links.php))
http://www.joebox.org/ (linked via anubis)
P.S. You can see the word "Sunbelt" in the logo of cwsandbox.org because Sunbelt owns it, as can also be seen from the licensing page.
-
https://www.microsoft.com/security/portal/submit.aspx
-
http://wiki.castlecops.com/Online_malware_scans_-_Comparison#Multiple_engine_scans
-
Not sure if they really count, but what the heck:
http://web-sniffer.net
http://vurl.mysteryfcm.co.uk
-
Project Malfease
http://malfease.oarci.net/
...For more info/details, check out the following papers:
https://malfease.oarci.net/help/av_evasion.pdf
https://malfease.oarci.net/help/malware_repo_update.pdf
-
http://camas.comodo.com/cgi-bin/submit (thanks to Kayrac for mentioning it.)
-
http://www.suspectfile.com/index.php (http://www.suspectfile.com/index.php)
-
Shellcode 2 EXE
http://sandsprite.com/shellcode_2_exe.php
JSUNPACK
http://jsunpack.jeek.org/dec/go
Eureka Malware Analysis
http://eureka.cyber-ta.org
-
WEPAWET
http://wepawet.iseclab.org/index.php (http://wepawet.iseclab.org/index.php)
Online Flash/Javascript Analyzer
NEW : URL Submission Feature !!!!
-
F-SECURE SAMPLE ANALYSIS SYSTEM
https://analysis.f-secure.com
requires registration
-
BitBlaze Malware Analysis Service
https://aerie.cs.berkeley.edu/index.php
-
Xandora by Panda
http://xandora.security.net.my/index.php
Xandora is a service for analyzing malware.
Submit your Windows executable and receive an analysis report telling you what it does.
-
FilterBit
http://filterbit.com/index.cgi
-
mwanalysis
http://mwanalysis.org/
formerly cwsandbox.org
-
http://analysis.avira.com/samples/index.php
-
JoeDoc
http://joedoc.org/
Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.
In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.
To check if your PDF contains any malicious content, follow the instructions below:
1. Add your PDFs (with .pdf extension) to a zip and protect the zip with the password "infected".
2. Send your zip file to submit@joedoc.org as an email attachment.
3. Wait for the result, which is sent back after a short while.
By submitting data to Joedoc you agree to the following terms and conditions.
Be patient, we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.
-
JoeDoc
http://joedoc.org/
Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.
In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.
To check if your PDF contains any malicious content, follow the instructions below:
1. Add your PDFs (with .pdf extension) to a zip and protect the zip with the password "infected".
2. Send your zip file to submit@joedoc.org as an email attachment.
3. Wait for the result, which is sent back after a short while.
By submitting data to Joedoc you agree to the following terms and conditions.
Be patient, we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.
Stefan told me about this 3 weeks ago, but I think joebox is much better...
I currently submit all executables, all PDFs !!! and all rar and zips to joebox, I think the reports are fantastic... to dig in deeper..
-- gerhard
-
viCHECK.ca
https://vicheck.ca/
We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address.
Our scanning system will automatically process and email you back a report about your submitted files. Occasionally we may contact you for more information about particularly interesting samples, together we can help make the internet a safer place for everyone.
For your convenience, you can also forward your malware samples by email to hereyougo@vicheck.ca. Please try to include the full email headers wherever possible (you may need to view headers, then copy and paste them into the forwarded message).
-
pdf examiner
http://www.malwaretracker.com/pdf.php
View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits (CVE-2007-5659, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009-1493, CVE-2010-0188 and embedded /Action commands), process PDF compression (FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode), encryption (128 bit AESV2), and obfuscation (unicode, Hex, fromCharCode). Browse objects.
shellcode analysis
http://www.malwaretracker.com/shellcode.php
-
Does anyone know what was used to produce this report (http://utcheats.info/cheats-6/ct-hook-0-4-fully-undetected-aimbot-for-ut2004-now-passes-antitcc/msg4676/#msg4676)? Seems like a nice little tool!
-
Does anyone know what was used to produce this report (http://utcheats.info/cheats-6/ct-hook-0-4-fully-undetected-aimbot-for-ut2004-now-passes-antitcc/msg4676/#msg4676)? Seems like a nice little tool!
The report looks similar to http://www.spamfighter.com/VIRUSfighter/Archive/17133-W32_Bagle_AK-1.asp, which is based on Norman Sandbox.
-
Malbox
http://malbox.xjtu.edu.cn/
report example
=====Sample Summary=====
File name: sample.exe
MD5: 439C24E6CA0CD8CE7986F834B83A70FC
SHA1: A002376D70F119E2DFA6EE2FC50389565A767065
SHA256: DFD5F008815BE4735799BD05515C7B3130224AE3A965BF3704290583295A41E1
=====Major Threats=====
[Create file in sensitive path] C:\flash.exe
=====Behavior Details=====
Create process:
sample.exe --> C:\WINDOWS\system32\cmd.exe
cmd.exe --> C:\WINDOWS\system32\reg.exe
sample.exe --> C:\WINDOWS\system32\ntvdm.exe
Create remote thread:
sample.exe --> cmd.exe
cmd.exe --> reg.exe
sample.exe --> ntvdm.exe
Create file:
sample.exe --> C:\WINDOWS\TEMP\HXVsB.bat
sample.exe --> C:\flash.exe
ntvdm.exe --> C:\WINDOWS\TEMP\scs3.tmp
ntvdm.exe --> C:\WINDOWS\TEMP\scs4.tmp
Delete file:
sample.exe --> C:\WINDOWS\Temp\HXVsB.bat
ntvdm.exe --> C:\WINDOWS\Temp\scs3.tmp
ntvdm.exe --> C:\WINDOWS\Temp\scs4.tmp
Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\000000000004548d
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic\6.0
Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0B E5 62 E5 B9 F0 31 EF ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F4 88 48 6C 27 F7 42 30 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7A 3E 68 8B E6 73 24 75 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [42 80 88 9C 4D 6D EB 0B ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [01 66 20 39 AE 97 DC 28 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [9F 9C 41 0F 46 15 A5 E3 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2B E5 64 F7 57 D9 C1 0F ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D7 8C AB 02 A8 DB E5 CC ...]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\我的文档"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ["C:\Documents and Settings\All Users\Documents"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\桌面"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ["C:\Documents and Settings\All Users\桌面"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\TEMP\HXVsB.bat ["HXVsB"]
reg.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CD 36 74 BD CB 46 EE A1 ...]
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run\flash ["\flash.exe"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\flash.exe ["flash"]
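As an added example (not code from the post or from Malbox), here is a small Python parser for the "source --> target [value]" report format above, with triage rules for the three behaviours that stand out in this sample: the file dropped in the drive root, the batch file that is created and then deleted, and the Run-key value written by reg.exe. The REPORT string is an excerpt trimmed from the report above to the lines the example uses.

```python
"""Parse a Malbox-style behaviour report and apply simple triage rules."""
import re
from collections import defaultdict

# Excerpt of the Malbox report posted above (trimmed to the lines used here).
REPORT = r"""
Create process:
sample.exe --> C:\WINDOWS\system32\cmd.exe
cmd.exe --> C:\WINDOWS\system32\reg.exe
Create file:
sample.exe --> C:\WINDOWS\TEMP\HXVsB.bat
sample.exe --> C:\flash.exe
Delete file:
sample.exe --> C:\WINDOWS\Temp\HXVsB.bat
Set value key:
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run\flash ["\flash.exe"]
"""
SECTION_RE = re.compile(r"^([A-Za-z ]+):$")                 # e.g. "Create file:"
EVENT_RE = re.compile(r"^(\S+) --> (.+?)(?: \[(.*)\])?$")   # "src --> dst [value]"

def parse_report(text):
    """Return {section: [(source, target, value_or_None), ...]}."""
    events, section = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif (m := EVENT_RE.match(line)) and section:
            events[section].append(m.groups())
    return events

def process_chain(events, root="sample.exe"):
    """Follow 'Create process' edges from root (first child of each parent)."""
    # reversed() so that the first listed child wins when a parent has several
    child = {s.lower(): d.rsplit("\\", 1)[-1] for s, d, _ in reversed(events.get("Create process", []))}
    chain, node = [root], root
    while node.lower() in child and len(chain) < 32:         # bound against cycles
        node = child[node.lower()]
        chain.append(node)
    return " -> ".join(chain)

def triage(events):
    """Flags for the behaviours an analyst would look at first."""
    flags = []
    created = {dst.lower() for _, dst, _ in events.get("Create file", [])}
    deleted = {dst.lower() for _, dst, _ in events.get("Delete file", [])}
    for _, dst, _ in events.get("Create file", []):
        if re.fullmatch(r"[a-z]:\\[^\\]+", dst, re.IGNORECASE):   # written to drive root
            flags.append(f"file created in drive root: {dst}")
    for path in sorted(created & deleted):                        # self-cleaning launcher
        if path.endswith((".bat", ".cmd", ".vbs", ".js")):
            flags.append(f"script dropped then deleted: {path}")
    for src, dst, val in events.get("Set value key", []):
        if "\\currentversion\\run\\" in dst.lower():               # autostart persistence
            flags.append(f"Run-key persistence via {src}: {dst} = {val}")
    return flags
```

Run against the full report above, the same rules also surface the ntvdm.exe chain and the temporary files it leaves under C:\WINDOWS\TEMP.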
-
https://www.pdfxray.com
Submit and do analysis on PDF files.
-
http://pyms86.appspot.com/
Very useful when you don't have a copy of IDA on hand and you found some shellcode...
-
malwr
http://malwr.com/
Malwr.com is a free malware analysis service.
It allows you to analyze suspicious files and extract information on their process and network behavior while being executed. It's built on top of an open source malware analysis system called Cuckoo Sandbox, which is developed and maintained by the same people behind this website: http://cuckoobox.org/
-
Zulu URL Risk Analyzer
http://zulu.zscaler.com/#
-
Online Malware Analysis Sandbox Comparison
http://ossectools.blogspot.de/2012/02/online-malware-analysis-sandbox.html
-
Stefan told me about this 3 weeks ago, but I think joebox is much better...
I currently submit all executables, all PDFs !!! and all rar and zips to joebox, I think the reports are fantastic... to dig in deeper..
-- gerhard
Hi Gerhard:
Stefan has just released JoeSecurity Sandbox v5.0.
It has been updated for multiple capabilities but most notable is its crunching Phoenix, Blackhole and other exploits.
I have attached data generated by JoeSecurity Sandbox v5.0 for the Blackhole site; http://50.2.7.109/showthread.php?t=73a07bcb51f4be71
EDIT:
I have removed the PCAP, HTML report and BINs. They were there long enough. ;D
-
There is a new addition to the JoeSecurity.Org malware analysis lineup.
Joe Document Dissector (http://joedd.joesecurity.org/) (aka Joe DD)
Joe DD - "Joe Document Dissector" is a free automated malware analysis platform for detecting malicious documents.
It opens documents in Acrobat Reader, Microsoft Office Word, Excel or Powerpoint and monitors the behavior of the application. With the help of over 200 generic behavior signatures it determines if the application behaves maliciously.
Currently Joe DD checks documents against the following applications / versions:
* Acrobat Reader 8.1.2
* Acrobat Reader 9.3.4
* Acrobat Reader 9.4.6
* Acrobat Reader 10.1.3
* Office (Word, Excel, Powerpoint) 2003
* Office (Word, Excel, Powerpoint) 2003 SP3
* Office (Word, Excel, Powerpoint) 2007 SP3
* Office (Word, Excel, Powerpoint) 2010 SP2
and provides additional data such as static file information, process startup lists, created / dropped files and contacted domains.
-
Sandy, a new online service for #Java exploit analysis
http://exploit-analysis.com/sandy/index.php
Traditional malware sandboxes are built to analyze binary samples, and you can submit binary files blindly to them without knowing much about them. But that is not the case with exploit samples, where certain criteria need to be satisfied for successful exploitation: a document exploit might only work on a Chinese XP box, or a Java exploit will only drop files on a Mac machine, etc. And talking about Java exploits, there is no sandbox that processes Java exploits at all. So there needs to be an intelligent, specialized system that processes these exploit samples.
Our aim is to build an exploit analysis engine specialized in processing file format exploits.
The main aim of Sandy is to extract the embedded executable, dropped documents and URL controllers from these file formats and provide attribution to the attack groups and their technology. In its initial analysis Sandy performs multiple static analyses, which include detecting simple XOR, ROL, ROR encryption, packer detection, signature scan, shellcode detection, metadata analysis, entropy and cryptanalysis, file version detection, and finally provides the extracted analysis data after processing for download to the end user. Once the static analysis is finished, the data generated is passed on to our dynamic analysis box for improved efficiency. All current systems out there blindly pass exploit samples to a dynamic sandbox. But Sandy uses the static analysis data to do an intelligent dynamic analysis, thereby making the system unique.
-
Hybrid Analysis
https://www.hybrid-analysis.com/
Pure dynamic analysis is not enough anymore these days, as malware evolves and detects sandbox systems. Often, the real payload is not executed and triggered through timebombs or other mechanisms. Combining static with dynamic analysis in a hybrid solution is a next generation approach when it comes to malware analysis. As data load grows, we need performant and intelligent solutions. That is what we offer with our product VxStream Sandbox - a fully automated malware analysis solution with integrated Hybrid Analysis technology.