Sunday, April 13, 2014

Cryptam Malware Document Analizer + imphash

The web and suite versions of the Cryptam document malware analysis system now calculate the imphash of embedded/dropped executables when possible and store this value within the dropped file info for searching. The imphash is a executable similarity hash based on the Import Address Table order and is included in Cryptam is designed to statically extract the xor/rol/ror/not obfuscated executables from malware documents such as RTF, MS Office, or PDF files and can automatically process the dropped files with Yara or an external sandbox.

This new feature allows you to link dropper executables to current or past attack campaigns and to cross reference older samples which may have already been identified with Yara signatures but now have been modified to evade the unique static string matching common to many Yara signatures.

Imphash searching is available to registered users under Advanced Search - drop_files like <your imphash>.

Searching the example imphash c948ebda9bd9367f9fc50e01020766c8 dropped by RTF b2b8127bae5b61e258b17dc057338075 (24 / 51 on Virustotal April 11 2014) shows a number of dropped samples some of which have been identified as the malware called "Safe" related to Lurid. This sample beacons to www[.]getapencil[.]com visible in the executables strings extracted by Cryptam.

Scan a document for embedded executables with Cryptam at

No comments:

Post a Comment