Trying (still) to understand Wildfire

cancel
Showing results for 
Search instead for 
Did you mean: 

Trying (still) to understand Wildfire

L6 Presenter

I got two files sent to me for analysis and I ran them through Wildfire to get a verdict...

Unfortunately im still not comfortable with what Wildfire thinks is a malware and what me (and obviously the rest of the world) belives is a malware...

Could perhaps somebody from PaloAlto themselfs (or somebody else) explain to me why both files have the verdict "Benign" when they obviously is anything BUT benign?

File1:

Overview

Filename:     b14620ee8cd512565ce5e0ecd6ab55ca.exe

SHA256:     0f57e8e9334daf3769be5a1ddd19337f7ef8d11a9b2297e71a1c8b2cc2ee7ec3

User:

Received:     7/15/2013 9:40:01 PM

Attacker:

Victim:    

Hostname/Mgmt. IP:

Application:    

Verdict:    

Benign

Analysis Summary

Behavior

Changed security settings of Internet Explorer

Created or modified files

Modified Windows registries

Detailed Events

Registry     Action

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass     Set

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop     Set

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Local AppData     Set

HKCU\Software\Micorosoft\Server\SmartAssemblyReportUsage     Set

HKCU\Control Panel\Keyboard\InitialKeyboardIndicators     Set

Process     Parent Process     Action

C:\sample.exe     explorer.exe     Create

File     Process     Action

C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\identity.dat     C:\sample.exe     Write

C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\info.dat     C:\sample.exe     Write

C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin     C:\sample.exe     Delete

C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\D     C:\sample.exe     Delete

C:\Documents and Settings\Administrator\Local Settings\Application Data\IsolatedStorage\2uvfwpzx.c5m\ayzczy0y.0ay\Url.xvrp4itmvjamqpvqmgo5332dmzim1pjr\AssemFiles\BB41470D\Usages.bin     C:\sample.exe     Write

And here is what Virustotal thinks of the above file: Antivirus scan for 5fa713436f4820532eb6ea70a9e1ff21 at2013-07-15 19:58:59 UTC - VirusTotal

File2:

Overview

Filename:     e762428b721a1de0e50cb93c91ca629c.exe

SHA256:     df97bc506772110d83e081bcc80226483176be6de1da85239ac81440eba89ec0

User:

Received:     7/15/2013 9:40:18 PM

Attacker:         Victim:    

Hostname/Mgmt. IP:

Application:    

Verdict:    

Benign

Analysis Summary

Behavior

Created or modified files

Spawned new processes

Modified Windows registries

Changed security settings of Internet Explorer

Changed the proxy settings for Internet Explorer

Modified the network connections setting for Internet Explorer

Attempted to sleep for a long period

Detailed Events

Registry     Action

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e86064ca-57e4-11e0-bef8-806d6172696f}\BaseClass     Set

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Documents     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop     Set

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common Desktop     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History     Set

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer     Delete

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride     Delete

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL     Delete

HKLM\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable     Set

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings     Set

Process     Parent Process     Action

C:\sample.exe     explorer.exe     Create

C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE     C:\sample.exe     Create

C:\WINDOWS\system32\userinit.exe     C:\WINDOWS\system32\winlogon.exe     Terminate

File     Process     Action

C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log     C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE     Write

C:\Documents and Settings\Administrator\Local Settings\Temp\8750.dmp     C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE     Write

And here is what Virustotal thinks of the above file: Antivirus scan for 8b00c2d2face7267c2eb16c93e75a662 at2013-07-15 19:58:21 UTC - VirusTotal

1 ACCEPTED SOLUTION

Accepted Solutions

It turns out this was actually a false-negative as I got this in return from the support:

"

The verdict in production has been changed to malware and these samples will be covered by Virus/Win32.generic.jnrgg and Virus/Win32.generic.jnrgh in WF AV: 16814

"

View solution in original post

7 REPLIES 7

L5 Sessionator

This could be a possible False_negative.

Can you please open a support case specifying the SHA of both these files.

HTH

Thanks!

I have forwarded this to "my" support.

L1 Bithead

I have created a case and made sure the SHA for both files as well as a link to this forum post is part of the same case.

Regards Peter

L4 Transporter

Milkand,

We have see false negatives based on Virus total analysis or based on the behavior that was observed leading up to the download of the executable (java downloads leading up to the exe download) or social engineering (clicking on links in emails from bad guys).  In these cases we try to get a copy of the executable and attach it to the case we submit to support along with supporting documentation (virus total report, URL of wildfire report ).  We have done this on numerous occasions  with positive outcomes (virus definitions inclusion).

Phil

This is true for AV,Spyware and Vulnerability.For Wildfire you just need SHA of the suspected file.

In this case Radpoint ("my" support 🙂 returned to me asking for the files in question - seems like 2nd line support (over at PA) doesnt have proper access to the files being uploaded to wildfire (or because these files were identified as benign wildfire doesnt store them - only files identified as malware and not previously seen is stored within wildfire, anyone who knows what happens behind the scenes?).

Anyway - support has got the files and case id 147980 is open regarding this... hopefully it wont take too long to get an explanation in return for why wildfire identified both files as benign...

Because, and this has been discussed previously in this forum, I fully understand if for example a downloader isnt identified as malware (even if I somewhat doesnt agree but still) but rather the file which the downloader is downloading (unless the downloader on its own is exploiting stuff) - but neither of the files seems to match that criteria.

It turns out this was actually a false-negative as I got this in return from the support:

"

The verdict in production has been changed to malware and these samples will be covered by Virus/Win32.generic.jnrgg and Virus/Win32.generic.jnrgh in WF AV: 16814

"

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!