Malwr


Malwr is an experiment. Its goal is not just to provide a static malware analyzer, but a larger community platform for people to interact, share data and perform research. After another year of operation (although with its ups and downs), it is interesting to draw some conclusions and crunch some numbers to get an overview of what we've seen so far.

The following table shows how many times each behavioral signature has triggered in total across all the analyses our service has completed. It gives an overview of the relative frequency of the malicious and non-malicious behaviors that Cuckoo was able to identify.

Since I introduced a couple of new signatures just a few hours ago while others have been around much longer, take these statistics with a grain of salt: the counts are not normalized for how long each signature has been in service.

Signature | Count
File has been identified by at least one AntiVirus on VirusTotal as malicious | 143511
Installs itself for autorun at Windows startup | 106221
Starts servers listening on {0} | 71622
Performs some HTTP requests | 70045
Steals private information from local Internet browsers | 63310
The binary likely contains encrypted or compressed data. | 41257
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) | 17010
The executable is compressed using UPX | 13571
Generates some ICMP traffic | 13478
Operates on local firewall's policies and settings | 9664
Unconventional binary language | 6578
Creates an Alternate Data Stream (ADS) | 5362
At least one process apparently crashed during execution | 3084
Harvests credentials from local FTP client software | 3063
Retrieves Windows ProductID, probably to fingerprint the sandbox | 2453
Connects to an IRC server, possibly part of a botnet | 2304
Checks for the presence of known devices from debuggers and forensic tools | 2280
Disables Windows' Registry Editor | 1852
Creates Zeus (Banking Trojan) mutexes | 1518
Creates an autorun.inf file | 1413
Queries information on disks, possibly for anti-virtualization | 1393
Tries to unhook Windows functions monitored by Cuckoo | 1273
Zeus P2P (Banking Trojan) | 1201
Checks for the presence of known windows from debuggers and forensic tools | 1082
Detects VirtualBox through the presence of a file | 1055
Creates known Fynloski/DarkComet mutexes | 1016
Installs WinPCAP | 936
Checks the version of Bios, possibly for anti-virtualization | 756
Detects the presence of Wine emulator | 741
Creates known SpyNet mutexes and/or registry changes. | 606
Contacts C&C server HTTP check-in (Banking Trojan) | 523
Installs a hook procedure to monitor for mouse events | 506
Makes SMTP requests, possibly sending spam | 345
antivm_generic_diskinfo | 305
Detects virtualization software with SCSI Disk Identifier trick | 292
Looks up the external IP address | 249
Collects information on the system (ipconfig, netstat, systeminfo) | 146
Creates known XtremeRAT mutexes | 142
Detects VirtualBox through the presence of a registry key | 109
Creates known Ruskill mutexes | 109
Detects VirtualBox through the presence of a library | 103
Detects VirtualBox using ACPI tricks | 99
Installs Tor on the infected machine | 92
Installs OpenCL library, probably to mine Bitcoins | 76
Disables Windows' Task Manager | 73
Creates known SpyEye mutexes | 62
Creates known PcClient mutex and/or file changes. | 46
Recognized to be a DirtJumper bot | 44
Creates a Tor Hidden Service on the machine | 38
Checks the presence of IDE drives in the registry, possibly for anti-virtualization | 31
Recognized to be an Athena HTTP bot | 13
Suspicious downloader (Cabby) | 12
Enumerates services, possibly for anti-virtualization | 12
Recognized to be a Drive bot | 6
Cridex banking trojan | 4
Creates known PlugX mutexes | 4
Executed a process and injected code into it, probably while unpacking | 3
Recognized to be a Madness bot | 2
Creates a windows hook that monitors keyboard input (keylogger) | 1
Connects to Tor Hidden Services through Tor2Web | 1
Detected Prinimalka banking trojan | 1

Out of curiosity, I was also interested in getting an overview of the detection rates recorded through our VirusTotal integration. For each number of detecting engines, the following table shows how many analyses completed by our service recorded that detection count.

For example, the third row means that 6485 files were detected by just two antivirus engines out of all those available on VirusTotal at that specific time (generally between 45 and 55). The first row simply means that at the time of submission to Malwr the file was not available on VirusTotal at all, which is a different case from a file that was scanned and detected by nobody.

Detection number | Occurrences
Not found on VirusTotal | 70980
0 | 26707
1 | 10452
2 | 6485
3 | 5410
13 | 4848
4 | 4806
5 | 4470
6 | 4299
14 | 3978
12 | 3849
8 | 3772
7 | 3708
9 | 3645
10 | 3376
11 | 3268
15 | 2763
39 | 2741
38 | 2697
40 | 2577
16 | 2528
37 | 2500
20 | 2461
31 | 2410
22 | 2372
36 | 2359
17 | 2354
18 | 2328
35 | 2262
19 | 2246
25 | 2228
34 | 2221
33 | 2218
30 | 2208
29 | 2179
21 | 2141
24 | 2083
32 | 2077
41 | 2069
23 | 2065
26 | 2004
48 | 2004
28 | 1959
27 | 1910
47 | 1868
42 | 1769
49 | 1721
45 | 1673
43 | 1646
44 | 1630
46 | 1566
50 | 870
51 | 328
52 | 87
53 | 31
54 | 4

I'm very well aware that VirusTotal scores are not supposed to be a metric of comparison or of efficiency, but these numbers do show an interesting trend, whatever conclusion you might draw from them.

Also, keep in mind that non-malicious files are commonly uploaded to the service (clean PDF documents, for example, are very popular), so the high number of 0 detections is in no way representative of the share of benign submissions.
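Both tables above are just aggregations over the per-analysis reports Cuckoo writes. The script below is an added example of how such numbers can be crunched and is not Malwr's own code; it assumes the Cuckoo 1.x report.json layout (a top-level "signatures" list whose entries carry a "description", and a "virustotal" dict that contains "positives" only when the file was found on VirusTotal) and runs on a handful of constructed sample reports embedded inline. It counts each signature at most once per analysis and keeps the "not found on VirusTotal" case in its own bucket rather than folding it into the 0-detection row.

```python
"""Aggregate Cuckoo signature hits and VirusTotal detection counts.

Added example, not Malwr's own code. Assumes the Cuckoo 1.x report.json
layout: a top-level "signatures" list of dicts with a "description", and a
"virustotal" dict that has "positives"/"total" only when VirusTotal knew
the file at submission time.
"""
import json
from collections import Counter
from pathlib import Path

NOT_FOUND = "Not found on VirusTotal"


def signature_counts(reports):
    """Count, per signature description, how many analyses triggered it.

    A signature is counted at most once per report, so a sample that hits
    the same signature several times does not inflate the table.
    """
    counts = Counter()
    for report in reports:
        seen = {sig["description"] for sig in report.get("signatures", [])}
        counts.update(seen)
    return counts


def detection_histogram(reports):
    """Histogram of VirusTotal detection counts across analyses.

    A report whose "virustotal" section lacks "positives" (file not on
    VirusTotal at submission time) lands in the NOT_FOUND bucket instead of
    being confused with a file that was scanned and detected by no engine.
    """
    hist = Counter()
    for report in reports:
        vt = report.get("virustotal") or {}
        positives = vt.get("positives")
        hist[NOT_FOUND if positives is None else int(positives)] += 1
    return hist


def load_reports(storage_dir):
    """Yield parsed report.json files below a Cuckoo storage/analyses tree
    (assumed layout: <storage>/<task id>/reports/report.json)."""
    for path in Path(storage_dir).glob("*/reports/report.json"):
        with path.open() as fh:
            yield json.load(fh)


def format_table(counter, header):
    """Render a Counter as a 'label | count' table sorted by count descending,
    ties broken by label so the output is stable."""
    rows = sorted(counter.items(), key=lambda kv: (-kv[1], str(kv[0])))
    lines = [f"{header} | Count"]
    lines += [f"{label} | {count}" for label, count in rows]
    return "\n".join(lines)


# Constructed sample reports standing in for real Cuckoo output.
SAMPLE_REPORTS = [
    {"signatures": [{"description": "Installs itself for autorun at Windows startup"},
                    {"description": "Performs some HTTP requests"},
                    {"description": "Performs some HTTP requests"}],
     "virustotal": {"positives": 2, "total": 54}},
    {"signatures": [{"description": "Performs some HTTP requests"}],
     "virustotal": {"positives": 0, "total": 53}},
    {"signatures": [],
     "virustotal": {}},  # not found on VirusTotal at submission time
    {"signatures": [{"description": "The executable is compressed using UPX"}],
     "virustotal": {"positives": 2, "total": 55}},
]

if __name__ == "__main__":
    print(format_table(signature_counts(SAMPLE_REPORTS), "Signature"))
    print()
    print(format_table(detection_histogram(SAMPLE_REPORTS), "Detection number"))
```

To run it over a real installation, replace SAMPLE_REPORTS with `list(load_reports("storage/analyses"))`; reports produced without the VirusTotal processing module enabled will all end up in the NOT_FOUND bucket, so check that module is on before reading anything into the histogram.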

Let us know if you find this kind of information valuable, if you would like to see these statistics calculated more regularly, and if you have any additional ideas.

published on 2014-12-09 03:00:00 by nex
