How to integrate the SDK (a simple set of REST APIs) into your incident response workflow
We believe that malware recognition should be easy, efficient, and powerful.
This is what Deepviz wants to achieve. This article shows what our SDK (a simple set of REST APIs) can do and how to integrate it into your incident response workflow, for example into the analysis process.
In this example we use the API to find recently registered domain names that are already flagged as malicious. We process about 100,000 new malware samples every day to populate the data on our platform.
Let's take a look.
{
  "apikey": "xxxxxxxxxxxxxxxxxxxxxxxxx",
  "timestamp": ["3d"],
  "output_filters": ["whois"]
}
Our API marks a malicious domain name:
{
  "status": "success",
  "data": {
    "jgpxwjttbbhw.pw": {
      "score": { "good": 0, "malicious": 1 },
      "whois": {
        "info": {
          "updated_date": ["2015-10-27 11:27:19"],
          "expiration_date": ["2016-10-27 23:59:59"],
          "contacts": {
            "registrant": {
              "email": "[email protected]",
              "name": "WhoisGuard Protected"
            }
          },
          "registrar": ["NAMECHEAP INC"],
          "creation_date": ["2015-10-27 11:27:16"]
        }
      }
    }
  }
}
The domain name jgpxwjttbbhw.pw was registered on October 27, 2015, two days before the query, and its registrant details are hidden behind WhoisGuard. Let's find the samples that connect to this domain name:
{
  "apikey": "xxxxxxxxxxx",
  "url": ["jgpxwjttbbhw.pw"],
  "search_params": ["objects=5", "start_offset=0"]
}
Response:
{
  "status": "success",
  "data": {
    "Total": 1,
    "MD5": ["c8ef44a9193504f54d6988bf9697d137"]
  }
}
Looking at our automatic analysis results, it is easy to see that this is a banking Trojan: it shows typical behaviours such as injecting code into the browser and hooking the following APIs:
HttpQueryInfoA
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpSendRequestW
InternetReadFileExA
HttpSendRequestA
Other user-mode hooks are used to hide its presence on the system:
NtCreateProcessEx
NtCreateThread
NtCreateUserProcess
NtEnumerateValueKey
NtQueryDirectoryFile
NtResumeThread
Another interesting feature of the SDK is that it can determine the similarity between a sample and the existing samples in the database:
{
  "status": "success",
  "data": {
    "Total": 63,
    "MD5": [
      { "score": 0.6564425770308123, "MD5": "6e6896529cfaf9979d1681561424a219" },
      { "score": 0.5907179346834519, "MD5": "c96b5da5917492bb8e3a89e73533ffc5" },
      { "score": 0.5857008340059188, "MD5": "41fa83e0225888aa1625e4b56e0b2aaf" },
      { "score": 0.5782840722495894, "MD5": "658a2d388c11db27f72c6ae3ed41ea6d" },
      { "score": 0.5647985336918537, "MD5": "3a4618e85251904031397b0f94d3fcfb" },
      { "score": 0.5050692686262539, "MD5": "1dc7d6ad1c1b922f10c4feb831d71805" },
      { "score": 0.5038733007327224, "MD5": "36c7b218feb15625239adebdb5d85658" },
      { "score": 0.4894942157654021, "MD5": "7e8c4390b2a057743a0a3170bac850ba" },
      { "score": 0.45920310512939877, "MD5": "fb4f64565083d2cf7273ed502ad23333" },
      { "score": 0.4460298008092125, "MD5": "b0a9a4558abf94f214288d79a86a91ca" }
    ]
  }
}
We found 63 different MD5 values similar to the original banking Trojan (only a portion of them is listed for simplicity). When these samples are clustered, however, they fall into two groups: they all belong to the same family, but split into two sub-clusters.
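As an added example (not Deepviz's own code), the Python helpers below build request bodies in the shape shown above and pivot through the two responses on this page: they flag a malicious domain registered inside the query window and keep only similar samples above a score threshold. The endpoint URLs are not given on this page, so the code works on embedded copies of the responses rather than calling the API.

```python
import json
from datetime import datetime, timedelta

# Constructed copies of the responses shown on this page (trimmed).
DOMAIN_RESPONSE = json.loads('''{"status":"success","data":{"jgpxwjttbbhw.pw":{
 "score":{"good":0,"malicious":1},"whois":{"info":{"creation_date":["2015-10-27 11:27:16"],
 "registrar":["NAMECHEAP INC"],"contacts":{"registrant":{"name":"WhoisGuard Protected"}}}}}}}''')
SIMILAR_RESPONSE = json.loads('''{"status":"success","data":{"Total":63,"MD5":[
 {"score":0.6564425770308123,"MD5":"6e6896529cfaf9979d1681561424a219"},
 {"score":0.5907179346834519,"MD5":"c96b5da5917492bb8e3a89e73533ffc5"},
 {"score":0.4894942157654021,"MD5":"7e8c4390b2a057743a0a3170bac850ba"}]}}''')
FMT = "%Y-%m-%d %H:%M:%S"  # date format used in the whois fields above

def build_request(apikey, **params):
    """Build a request body in the shape used above: every filter is a list,
    and search_params is encoded as "key=value" strings."""
    body = {"apikey": apikey}
    for key, value in params.items():
        if key == "search_params":
            body[key] = [f"{k}={v}" for k, v in value.items()]
        else:
            body[key] = list(value) if isinstance(value, (list, tuple)) else [value]
    return body

def recent_malicious_domains(response, query_time, max_age_days=3):
    """Return (domain, age_in_days, registrar) for domains the API scored
    malicious whose creation date lies within max_age_days before query_time
    (the window the "timestamp": ["3d"] filter asks for)."""
    if response.get("status") != "success":
        raise ValueError("API call failed: %r" % response)
    now, hits = datetime.strptime(query_time, FMT), []
    for domain, info in response["data"].items():
        if info["score"]["malicious"] <= info["score"]["good"]:
            continue  # not flagged as malicious, skip
        whois = info["whois"]["info"]
        age = now - datetime.strptime(whois["creation_date"][0], FMT)
        if timedelta(0) <= age <= timedelta(days=max_age_days):
            hits.append((domain, age.days, whois["registrar"][0]))
    return hits

def related_samples(response, min_score=0.5):
    """(MD5, score) pairs from a similarity response with score >= min_score,
    best match first; lower scores are usually too noisy to pivot on."""
    rows = [(r["MD5"], r["score"]) for r in response["data"]["MD5"] if r["score"] >= min_score]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    print(build_request("xxx", timestamp="3d", output_filters="whois"))
    print(recent_malicious_domains(DOMAIN_RESPONSE, "2015-10-29 12:00:00"))
    print(related_samples(SIMILAR_RESPONSE))
```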
The eight samples in group A (on the right) attempt to connect to the domain name xlcssfufckuh.biz at the IP address 82.165.37.127.
Using the same search API, we looked up all samples that connect to that IP address and domain name and found 210 unique MD5 values. Clustering them reveals eight distinct similar families:
Group A appears as one of the eight clusters, now with two previously undiscovered MD5 values added:
6946bf0df54e323cb740a15dc6931bd2 and 64f5b0c836d92b72e3ca5944825b3ae1
Further analysis links these clusters to the Tinba banking Trojan: the samples connect to recently registered domain names and use different, newer RSA public keys.
One cluster is identified as a Tinba variant that connects to randomly generated domain names but always uses the same URL path:
/N0tru2t76hw2edqj/
The MD5 values of group A are as follows:
c8ef44a9193504f54d6988bf9697d137
658a2d388c11db27f72c6ae3ed41ea6d
c96b5da5917492bb8e3a89e73533ffc5
6e6896529cfaf9979d1681561424a219
36c7b218feb15625239adebdb5d85658
41fa83e0225888aa1625e4b56e0b2aaf
3a4618e85251904031397b0f94d3fcfb
6946bf0df54e323cb740a15dc6931bd2
64f5b0c836d92b72e3ca5944825b3ae1
1dc7d6ad1c1b922f10c4feb831d71805
All of these samples except the first share the same RSA public key. Starting from a single sample, we can explore the whole cluster in depth.
Deepviz can identify malware samples automatically thanks to the AI classifier behind its automatic clustering platform.