07-15-2013 01:06 PM
I got two files sent to me for analysis and I ran them through WildFire to get a verdict...
Unfortunately I'm still not comfortable with what WildFire thinks is malware and what I (and obviously the rest of the world) believe is malware...
Could perhaps somebody from Palo Alto themselves (or somebody else) explain to me why both files have the verdict "Benign" when they obviously are anything BUT benign?
File1:
Overview
Filename: b14620ee8cd512565ce5e0ecd6ab55ca.exe
SHA256: 0f57e8e9334daf3769be5a1ddd19337f7ef8d11a9b2297e71a1c8b2cc2ee7ec3
User:
Received: 7/15/2013 9:40:01 PM
Attacker:
Victim:
Hostname/Mgmt. IP:
Application:
Verdict:
Benign
Analysis Summary
Behavior
Changed security settings of Internet Explorer
Created or modified files
Modified Windows registries
Detailed Events
Registry Action
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData Set
HKCU\Software\Micorosoft\Server\SmartAssemblyReportUsage Set
HKCU\Control Panel\Keyboard\InitialKeyboardIndicators Set
Process Parent Process Action
C:\sample.exe explorer.exe Create
File Process Action
C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\identity.dat C:\sample.exe Write
C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\info.dat C:\sample.exe Write
C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin C:\sample.exe Delete
C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\D C:\sample.exe Delete
C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin C:\sample.exe Write
And here is what VirusTotal thinks of the above file: Antivirus scan for 5fa713436f4820532eb6ea70a9e1ff21 at 2013-07-15 19:58:59 UTC - VirusTotal
File2:
Overview
Filename: e762428b721a1de0e50cb93c91ca629c.exe
SHA256: df97bc506772110d83e081bcc80226483176be6de1da85239ac81440eba89ec0
User:
Received: 7/15/2013 9:40:18 PM
Attacker:
Victim:
Hostname/Mgmt. IP:
Application:
Verdict:
Benign
Analysis Summary
Behavior
Created or modified files
Spawned new processes
Modified Windows registries
Changed security settings of Internet Explorer
Changed the proxy settings for Internet Explorer
Modified the network connections setting for Internet Explorer
Attempted to sleep for a long period
Detailed Events
Registry Action
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History Set
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer Delete
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride Delete
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL Delete
HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings Set
Process Parent Process Action
C:\sample.exe explorer.exe Create
C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE C:\sample.exe Create
C:\WINDOWS\system32\userinit.exe C:\WINDOWS\system32\winlogon.exe Terminate
File Process Action
C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Write
C:\Documents and Settings\Administrator\Local Settings\Temp\8750.dmp C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Write
And here is what VirusTotal thinks of the above file: Antivirus scan for 8b00c2d2face7267c2eb16c93e75a662 at 2013-07-15 19:58:21 UTC - VirusTotal
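As an added example (not part of this thread and not Palo Alto's or WildFire's own code): a small Python triage helper that parses the "Detailed Events" text in the format the two reports above use and lists the behaviours a defender would want explained before accepting a "Benign" verdict. The sample input is a handful of event lines copied from the second report; the heuristics (Internet Explorer proxy values, userinit.exe being terminated, the DW20.EXE crash reporter and its .dmp file) are this example's own assumptions about what deserves a second look, not WildFire's scoring logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: event lines copied from the second WildFire report above
# (one event per line, same three section headers as the report).
SAMPLE_REPORT = r"""Registry Action
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Set
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL Delete
HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable Set
Process Parent Process Action
C:\sample.exe explorer.exe Create
C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE C:\sample.exe Create
C:\WINDOWS\system32\userinit.exe C:\WINDOWS\system32\winlogon.exe Terminate
File Process Action
C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Write
C:\Documents and Settings\Administrator\Local Settings\Temp\8750.dmp C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE Write
"""

# Section headers exactly as they appear in the report text.
SECTIONS = {"Registry Action": "registry",
            "Process Parent Process Action": "process",
            "File Process Action": "file"}

# Start of a drive-rooted Windows path; used to split two space-containing paths.
DRIVE = re.compile(r"\b[A-Za-z]:\\")

Event = Tuple[str, str, str]


def split_two_paths(body: str) -> Tuple[str, str]:
    """Split 'first second' where both fields may contain spaces: cut at the
    second drive-rooted path if there is one, otherwise the second field is a
    bare name such as explorer.exe and the last space is the boundary."""
    starts = [m.start() for m in DRIVE.finditer(body)]
    if len(starts) >= 2:
        return body[: starts[1]].rstrip(), body[starts[1]:]
    head, _, tail = body.rpartition(" ")
    return head, tail


def parse_events(text: str) -> Dict[str, List[Event]]:
    """registry -> (key, '', action); process -> (process, parent, action);
    file -> (path, process, action). The action is always the last token."""
    events: Dict[str, List[Event]] = {"registry": [], "process": [], "file": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = SECTIONS[line]
            continue
        if section is None:
            continue
        body, _, action = line.rpartition(" ")
        if section == "registry":
            events[section].append((body, "", action))
        else:
            first, second = split_two_paths(body)
            events[section].append((first, second, action))
    return events


# Defender heuristics for a second look at a "Benign" verdict (assumptions of
# this example, not WildFire's own rules).
PROXY_VALUES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL", "MigrateProxy"}


def find_suspicious(events: Dict[str, List[Event]]) -> List[str]:
    findings: List[str] = []
    for key, _, action in events["registry"]:
        leaf = key.rsplit("\\", 1)[-1]
        if "\\Internet Settings\\" in key and leaf in PROXY_VALUES:
            findings.append(f"IE proxy configuration {action.lower()}: {leaf}")
    for proc, parent, action in events["process"]:
        name = proc.rsplit("\\", 1)[-1].lower()
        if name == "userinit.exe" and action == "Terminate":
            findings.append(f"userinit.exe terminated by {parent} (logon chain touched)")
        if name == "dw20.exe" and action == "Create":
            findings.append(f"crash reporter DW20.EXE started by {parent}: the sample may "
                            "have crashed in the sandbox before showing its real behaviour")
    for path, _, action in events["file"]:
        dump = path.rsplit("\\", 1)[-1]
        if dump.lower().endswith(".dmp") and action == "Write":
            findings.append(f"crash dump written: {dump}")
    return findings


def review_verdict(report_text: str, verdict: str) -> Dict[str, object]:
    """A Benign verdict that still carries flagged behaviour is worth a support case."""
    findings = find_suspicious(parse_events(report_text))
    return {"verdict": verdict, "findings": findings,
            "needs_second_look": verdict == "Benign" and len(findings) > 0}


if __name__ == "__main__":
    result = review_verdict(SAMPLE_REPORT, "Benign")
    print("verdict:", result["verdict"], "| needs second look:", result["needs_second_look"])
    for item in result["findings"]:
        print(" -", item)
```

Run against the sample, the helper flags the three proxy-related registry changes, the termination of userinit.exe, and the DW20.EXE launch plus its .dmp file; the last two are also a caveat for the analyst, because a sample that crashes in the sandbox shows little of its real behaviour, which is one plausible way a bad file ends up with a clean dynamic verdict.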
07-15-2013 02:38 PM
This could be a possible false negative.
Can you please open a support case specifying the SHA of both these files?
HTH
07-15-2013 02:44 PM
Thanks!
I have forwarded this to "my" support.
07-15-2013 11:50 PM
I have created a case and made sure the SHA for both files as well as a link to this forum post is part of the same case.
Regards, Peter
07-16-2013 04:48 AM
Milkand,
We have seen false negatives based on VirusTotal analysis or based on the behavior that was observed leading up to the download of the executable (Java downloads leading up to the exe download) or social engineering (clicking on links in emails from bad guys). In these cases we try to get a copy of the executable and attach it to the case we submit to support along with supporting documentation (VirusTotal report, URL of the WildFire report). We have done this on numerous occasions with positive outcomes (virus definition inclusion).
Phil
07-16-2013 07:00 AM
In this case Radpoint ("my" support 🙂) returned to me asking for the files in question - seems like 2nd line support (over at PA) doesn't have proper access to the files being uploaded to WildFire (or, because these files were identified as benign, WildFire doesn't store them - only files identified as malware and not previously seen are stored within WildFire; anyone who knows what happens behind the scenes?).
Anyway - support has got the files and case id 147980 is open regarding this... hopefully it won't take too long to get an explanation in return for why WildFire identified both files as benign...
Because, and this has been discussed previously in this forum, I fully understand if for example a downloader isn't identified as malware (even if I somewhat don't agree, but still) but rather the file which the downloader is downloading (unless the downloader on its own is exploiting stuff) - but neither of the files seems to match that criterion.
07-19-2013 12:41 AM
It turns out this was actually a false negative, as I got this in return from support:
"The verdict in production has been changed to malware and these samples will be covered by Virus/Win32.generic.jnrgg and Virus/Win32.generic.jnrgh in WF AV: 16814"