Building towards the richest and most interconnected malware ecosystem

Read the original article: Building towards the richest and most interconnected malware ecosystem


Investigations into malicious activity usually start with a few small pieces of a puzzle whose full size and complexity are unknown. Analysts will never have the complete picture of the attack under investigation (only the attackers do), but that is probably not necessary either. What is needed is to retrieve enough context to achieve the goal of the investigation.

How do we get this context? Every piece of the puzzle can be used to obtain new pieces, and we repeat the process until no more clues turn up or we are satisfied with the results. In this case, the pieces of the puzzle are Indicators of Compromise (IOCs), usually hashes, domains and IP addresses.

So when starting an investigation with only a few pieces, how do you find the rest in VirusTotal? It is a massive database, so we have been working hard to surface every clue that relates different items, to help you complete your puzzle. For instance, starting from a few malware samples we may want to find the infrastructure used in the attack as well as other files used by the same attacker in the same campaign. We may even be able to use similarity to find potentially related samples from the same actor.

We have good news for everyone! Over the last few months we have added meaningful new relationships to create a rich ecosystem that interconnects samples, URLs, domains and IP addresses. Below we review the kinds of relationships you can find in VirusTotal. All relationship information is shown under the “Relations” tab in VirusTotal for any sample or network item.

Below you can find all the new relationships specific to files:

  • Dropped files: Interesting files written to disk during sandbox execution. Extremely useful for finding which dropper was used for a specific piece of malware.

        For example: baad6807d751aa8b44bd464b3302a6ad4c200dc27b22b3845b0397cf366e3f4c

  • Overlay children: Files contained as an overlay in another sample. Once again, finding the parent of a malware sample helps in understanding the whole execution chain and properly reproducing the attack.

        For example: 12304478f1c50f9d10497bc8afea771bd1e3bd5bd3beaa0370090f727f3713a1

  • PCAP children: Files seen inside the network traffic of an uploaded PCAP file. Another valuable source of information, as the communication between samples and Command and Control servers can shed light on the artifacts attackers use once they have a foothold in the victim's environment.

        For example: 2804184381e9c1c51a213bdcd703ae0a9a16c6abc39b43cd44619365d5914934

  • PE Resource children: PE files contained in another file as a resource. Similar to the cases above, where we want to find the parent of the malware, this time hiding in a different place.

        For example: 12305f7314b7b3c13657d7da48b73a2d10a2303cc23e76d6954ea909ac74e997

  • In the wild (ITW) IP addresses: We have seen this file being downloaded from these IP addresses. This tells us how the malware was distributed. It can help find the malicious infrastructure used by attackers, but also compromised sites used as watering holes, for example.

        For example: a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b

  • Email attachments: Files that were distributed through email as attachments. Spear phishing is still the most popular method attackers use to distribute malware. This relationship helps confirm which artefacts were spread this way.

        For example: 1230725a4b8cbfa70c19c9eaa925b945511374da1cce787ea2854c2a2303f1b6

You can use the have: modifier with the newly added relationships in your searches, in the format have:name_of_relationship. For instance, you can find Emotet samples distributed as email attachments using the following query:

        emotet have:email_attachments
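The investigation loop described above (use each piece of the puzzle to fetch new pieces, repeat until nothing new turns up) can be automated against the relationship endpoints. The following is an added example, not code from the VirusTotal blog post or from VirusTotal itself: it assumes the public API v3 layout `GET /api/v3/files/{sha256}/{relationship}` with the `x-apikey` header and relationship names matching the ones named above (`dropped_files`, `overlay_children`, `pcap_children`, `pe_resource_children`, `itw_ips`, `email_attachments`). The responses it pivots over here are constructed sample data with fake hashes and documentation IP ranges, so it runs offline; `fetch_relationship` is the only function that touches the network.

```python
"""Pivot over VirusTotal file relationships (added example, not VirusTotal code).

Assumptions: API v3 endpoint GET /api/v3/files/{id}/{relationship} with an
`x-apikey` header, and the relationship names listed in FILE_RELATIONSHIPS.
"""
import json
import os
import urllib.parse
import urllib.request

VT_BASE = "https://www.virustotal.com/api/v3"

# Relationship names for the file relationships discussed above
# (assumed to match the v3 API; the post only names them in prose).
FILE_RELATIONSHIPS = (
    "dropped_files",
    "overlay_children",
    "pcap_children",
    "pe_resource_children",
    "itw_ips",
    "email_attachments",
)


def relationship_url(sha256, relationship, limit=40):
    """Build the URL for one relationship of one file object."""
    if relationship not in FILE_RELATIONSHIPS:
        raise ValueError("unknown relationship: %s" % relationship)
    query = urllib.parse.urlencode({"limit": limit})
    return "%s/files/%s/%s?%s" % (VT_BASE, sha256, relationship, query)


def have_query(terms, relationship):
    """Compose an intelligence query such as 'emotet have:email_attachments'."""
    if relationship not in FILE_RELATIONSHIPS:
        raise ValueError("unknown relationship: %s" % relationship)
    return "%s have:%s" % (terms, relationship)


def fetch_relationship(sha256, relationship, api_key=None):
    """Fetch one relationship page from VirusTotal (needs VT_API_KEY set)."""
    key = api_key or os.environ.get("VT_API_KEY")
    if not key:
        raise RuntimeError("set VT_API_KEY to query VirusTotal")
    req = urllib.request.Request(relationship_url(sha256, relationship),
                                 headers={"x-apikey": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def pivot(seed_sha256, fetch, relationships=("dropped_files", "itw_ips"), max_files=50):
    """Breadth-first expansion from one hash.

    Follows file-to-file relationships to collect more files and records the
    IP addresses each file was seen downloaded from. `fetch(sha256, rel)` must
    return a v3-style collection dict ({"data": [{"type": ..., "id": ...}]}).
    Already-seen files are not re-queued, so cycles in the graph terminate.
    """
    files_seen = {seed_sha256}
    ips_seen = set()
    queue = [seed_sha256]
    while queue and len(files_seen) <= max_files:
        current = queue.pop(0)
        for rel in relationships:
            for obj in fetch(current, rel).get("data", []):
                if obj.get("type") == "file" and obj["id"] not in files_seen:
                    files_seen.add(obj["id"])
                    queue.append(obj["id"])
                elif obj.get("type") == "ip_address":
                    ips_seen.add(obj["id"])
    return files_seen, ips_seen


# Constructed sample responses (fake hashes, RFC 5737 documentation IPs),
# shaped like v3 relationship collections, so the pivot can run offline.
FAKE_GRAPH = {
    ("a" * 64, "dropped_files"): {"data": [{"type": "file", "id": "b" * 64},
                                           {"type": "file", "id": "c" * 64}]},
    ("a" * 64, "itw_ips"): {"data": [{"type": "ip_address", "id": "192.0.2.10"}]},
    ("b" * 64, "dropped_files"): {"data": []},
    ("b" * 64, "itw_ips"): {"data": [{"type": "ip_address", "id": "198.51.100.7"}]},
    # the third dropped file points back at the seed: a cycle the pivot must survive
    ("c" * 64, "dropped_files"): {"data": [{"type": "file", "id": "a" * 64}]},
    ("c" * 64, "itw_ips"): {"data": []},
}


def fake_fetch(sha256, relationship):
    """Offline stand-in for fetch_relationship backed by FAKE_GRAPH."""
    return FAKE_GRAPH.get((sha256, relationship), {"data": []})


if __name__ == "__main__":
    files, ips = pivot("a" * 64, fake_fetch)
    print("files:", sorted(files))
    print("itw ips:", sorted(ips))
    print("query:", have_query("emotet", "email_attachments"))
```

To run against live data, pass `fetch_relationship` instead of `fake_fetch` and set `VT_API_KEY`; keep `max_files` small at first, since every discovered file costs one request per relationship and the graph around a widespread dropper grows quickly.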
