Malware Analysis Online Services

[SysAdMini]

Xandora by Panda
http://xandora.security.net.my/index.php

Xandora is a service for analyzing malware.
Submit your Windows executable and receive an analysis report telling you what it does.

[SysAdMini]

FilterBit
http://filterbit.com/index.cgi

[SysAdMini]

mwanalysis
http://mwanalysis.org/

formerly cwsandbox.org

[hamzehokour]

http://analysis.avira.com/samples/index.php

[SysAdMini]

JoeDoc

http://joedoc.org/

Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.

In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.

To check if your pdf contains any malicious content follow the instructions below:

   1. Add your pdfs (with .pdf extension) to a zip and protect the zip with the password "infected".
   2. Send your zip file to submit@joedoc.org as an email attachement.
   3. Wait for the result which is sent back after a short while.


By submitting data to Joedoc you agree to the following terms and conditions.

Be patient we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.

[cleanmx]

JoeDoc

http://joedoc.org/

Joedoc is a novel automated runtime system for detecting exploits in applications running on end-user systems.

In its beta state it currently detects PDF exploits for Acrobat Reader 7.0.5, 8.1.2, 9.0 and 9.2.

To check if your pdf contains any malicious content follow the instructions below:

   1. Add your pdfs (with .pdf extension) to a zip and protect the zip with the password "infected".
   2. Send your zip file to submit@joedoc.org as an email attachement.
   3. Wait for the result which is sent back after a short while.


By submitting data to Joedoc you agree to the following terms and conditions.

Be patient we are currently adding features to detect exploits for Internet Explorer 8.0 and 9.0 as well as Microsoft Office documents.

Stefan told me about this 3 weeks ago, but i think joebox is much more better...

I currently submit all executables, all pdf's !!! and all rar and zips to joebox, I think reports are fantastic... to dig in deeper..

-- gerhard

[SysAdMini]

viCHECK.ca

https://vicheck.ca/

We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address.

Our scanning system will automatically process and email you back a report about your submitted files. Occasionally we may contact you for more information about particularly interesting samples, together we can help make the internet a safer place for everyone.

For your convenience, you can also forward your malware samples by email to hereyougo@vicheck.ca . Please try to include the full email headers wherever possible (you may need to view headers then copy and paste them into the forwarded message.)

[SysAdMini]

pdf examiner
http://www.malwaretracker.com/pdf.php

View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits (CVE-2007-5659, CVE-2009-0927, CVE-2008-2992, CVE-2009-4324, CVE-2009-1493, CVE-2010-0188 and embedded /Action commands), process PDF compression (FlateDecode, ASCIIHexDecode, LZWDecode, ASCII85Decode, RunLengthDecode), encryption (128 bit AESV2), and obfuscation (unicode, Hex, fromCharCode). Browse objects.

shellcode analysis
http://www.malwaretracker.com/shellcode.php

[Kensley]

Does anyone know what was used to produce this report? Seems like a nice little tool!

[foks]

Does anyone know what was used to produce this report? Seems like a nice little tool!

The report looks similar to http://www.spamfighter.com/VIRUSfighter/Archive/17133-W32_Bagle_AK-1.asp, which is based on Norman Sandbox.

[SysAdMini]

Malbox
http://malbox.xjtu.edu.cn/

report example

Code: [Select]

                 .__  ___.                   
  _____  _____   |  | \_ |__    ____ ___  ___
/     \ \__  \  |  |  | __ \  /  _ \\  \/  /
|  Y Y  \ / __ \_|  |__| \_\ \(  <_> )>    <
|__|_|  /(____  /|____/|___  / \____//__/\_ \
      \/      \/           \/              \/
                                                   
=====Sample Summary=====
File name: sample.exe
MD5: 439C24E6CA0CD8CE7986F834B83A70FC
SHA1: A002376D70F119E2DFA6EE2FC50389565A767065
SHA256: DFD5F008815BE4735799BD05515C7B3130224AE3A965BF3704290583295A41E1

=====Major Threats=====
[Create file in sensitive path] C:\flash.exe

=====Behavior Details=====

Create process:
sample.exe --> C:\WINDOWS\system32\cmd.exe
cmd.exe --> C:\WINDOWS\system32\reg.exe
sample.exe --> C:\WINDOWS\system32\ntvdm.exe

Create remote thread:
sample.exe --> cmd.exe
cmd.exe --> reg.exe
sample.exe --> ntvdm.exe

Create file:
sample.exe --> C:\WINDOWS\TEMP\HXVsB.bat
sample.exe --> C:\flash.exe
ntvdm.exe --> C:\WINDOWS\TEMP\scs3.tmp
ntvdm.exe --> C:\WINDOWS\TEMP\scs4.tmp

Delete file:
sample.exe --> C:\WINDOWS\Temp\HXVsB.bat
ntvdm.exe --> C:\WINDOWS\Temp\scs3.tmp
ntvdm.exe --> C:\WINDOWS\Temp\scs4.tmp

Create key:
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\000000000004548d
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Visual Basic\6.0

Set value key:
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [0B E5 62 E5 B9 F0 31 EF ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [F4 88 48 6C 27 F7 42 30 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [7A 3E 68 8B E6 73 24 75 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [42 80 88 9C 4D 6D EB 0B ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [01 66 20 39 AE 97 DC 28 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [9F 9C 41 0F 46 15 A5 E3 ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [2B E5 64 F7 57 D9 C1 0F ...]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [D7 8C AB 02 A8 DB E5 CC ...]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal ["D:\Backup\我的文档"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents ["C:\Documents and Settings\All Users\Documents"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop ["C:\Documents and Settings\Administrator\桌面"]
sample.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop ["C:\Documents and Settings\All Users\桌面"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet [0x1]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache ["C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies ["C:\Documents and Settings\Administrator\Cookies"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\TEMP\HXVsB.bat ["HXVsB"]
reg.exe --> \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\RNG\Seed [CD 36 74 BD CB 46 EE A1 ...]
reg.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\CurrentVersion\Run\flash ["\flash.exe"]
sample.exe --> \REGISTRY\USER\S-1-5-21-1177238915-1647877149-2147093213-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\flash.exe ["flash"]


[x0ner]

https://www.pdfxray.com

Submit and do analysis on PDF files.

[shellc0de]

http://pyms86.appspot.com/

Very useful when you don't have a copy of IDA on hand and you found some shellcode...

[SysAdMini]

malwr
http://malwr.com/

Malwr.com is a free malware analysis service.

It allows you to analyze suspicious files and extract information on their process and network behavior while being executed. It's built on top of an open source malware analysis system called Cuckoo Sandbox, which is developed and maintained by the same people behind this website: http://cuckoobox.org/

[SysAdMini]

Zulu URL Risk Analyzer
http://zulu.zscaler.com/#