Malwr is an experiment. Its goal is not just to provide a static malware analyzer, but a larger community platform for people to interact, share data and perform research. After another year of operation (although with its ups and downs), it is interesting to draw some conclusions and crunch some numbers to get an overview of what we've seen so far.
The following table shows, for each behavioral signature, the total number of times it was recorded across all the analyses our service completed. It is an interesting overview of the overall popularity of the malicious and non-malicious behavior that Cuckoo was able to identify.
As I've introduced a couple of new signatures just a few hours ago and others have been around longer, take these statistics with a grain of salt.
| Signature | Count |
|---|---|
| File has been identified by at least one AntiVirus on VirusTotal as malicious | 143511 |
| Installs itself for autorun at Windows startup | 106221 |
| Starts servers listening on {0} | 71622 |
| Performs some HTTP requests | 70045 |
| Steals private information from local Internet browsers | 63310 |
| The binary likely contains encrypted or compressed data. | 41257 |
| Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) | 17010 |
| The executable is compressed using UPX | 13571 |
| Generates some ICMP traffic | 13478 |
| Operates on local firewall's policies and settings | 9664 |
| Unconventional binary language | 6578 |
| Creates an Alternate Data Stream (ADS) | 5362 |
| At least one process apparently crashed during execution | 3084 |
| Harvests credentials from local FTP client software | 3063 |
| Retrieves Windows ProductID, probably to fingerprint the sandbox | 2453 |
| Connects to an IRC server, possibly part of a botnet | 2304 |
| Checks for the presence of known devices from debuggers and forensic tools | 2280 |
| Disables Windows' Registry Editor | 1852 |
| Creates Zeus (Banking Trojan) mutexes | 1518 |
| Creates an autorun.inf file | 1413 |
| Queries information on disks, possibly for anti-virtualization | 1393 |
| Tries to unhook Windows functions monitored by Cuckoo | 1273 |
| Zeus P2P (Banking Trojan) | 1201 |
| Checks for the presence of known windows from debuggers and forensic tools | 1082 |
| Detects VirtualBox through the presence of a file | 1055 |
| Creates known Fynloski/DarkComet mutexes | 1016 |
| Installs WinPCAP | 936 |
| Checks the version of Bios, possibly for anti-virtualization | 756 |
| Detects the presence of Wine emulator | 741 |
| Creates known SpyNet mutexes and/or registry changes. | 606 |
| Contacts C&C server HTTP check-in (Banking Trojan) | 523 |
| Installs a hook procedure to monitor for mouse events | 506 |
| Makes SMTP requests, possibly sending spam | 345 |
| antivm_generic_diskinfo | 305 |
| Detects virtualization software with SCSI Disk Identifier trick | 292 |
| Looks up the external IP address | 249 |
| Collects information on the system (ipconfig, netstat, systeminfo) | 146 |
| Creates known XtremeRAT mutexes | 142 |
| Detects VirtualBox through the presence of a registry key | 109 |
| Creates known Ruskill mutexes | 109 |
| Detects VirtualBox through the presence of a library | 103 |
| Detects VirtualBox using ACPI tricks | 99 |
| Installs Tor on the infected machine | 92 |
| Installs OpenCL library, probably to mine Bitcoins | 76 |
| Disables Windows' Task Manager | 73 |
| Creates known SpyEye mutexes | 62 |
| Creates known PcClient mutex and/or file changes. | 46 |
| Recognized to be a DirtJumper bot | 44 |
| Creates a Tor Hidden Service on the machine | 38 |
| Checks the presence of IDE drives in the registry, possibly for anti-virtualization | 31 |
| Recognized to be an Athena HTTP bot | 13 |
| Suspicious downloader (Cabby) | 12 |
| Enumerates services, possibly for anti-virtualization | 12 |
| Recognized to be a Drive bot | 6 |
| Cridex banking trojan | 4 |
| Creates known PlugX mutexes | 4 |
| Executed a process and injected code into it, probably while unpacking | 3 |
| Recognized to be a Madness bot | 2 |
| Creates a windows hook that monitors keyboard input (keylogger) | 1 |
| Connects to Tor Hidden Services through Tor2Web | 1 |
| Detected Prinimalka banking trojan | 1 |
Out of curiosity, I was also interested in getting an overview of the average detection rate recorded through our VirusTotal integration. The following table shows the number of occurrences each detection count recorded across all the analyses completed by our service.
The table is ordered by detection count. The row for 2, for example, means that 6485 files were detected by just two of the antivirus engines available on VirusTotal at that specific time (generally between 45 and 55). The first row simply means that at the time of submission to Malwr, the files were not available on VirusTotal.
| Detection count | Occurrences |
|---|---|
| Not found on VirusTotal | 70980 |
| 0 | 26707 |
| 1 | 10452 |
| 2 | 6485 |
| 3 | 5410 |
| 4 | 4806 |
| 5 | 4470 |
| 6 | 4299 |
| 7 | 3708 |
| 8 | 3772 |
| 9 | 3645 |
| 10 | 3376 |
| 11 | 3268 |
| 12 | 3849 |
| 13 | 4848 |
| 14 | 3978 |
| 15 | 2763 |
| 16 | 2528 |
| 17 | 2354 |
| 18 | 2328 |
| 19 | 2246 |
| 20 | 2461 |
| 21 | 2141 |
| 22 | 2372 |
| 23 | 2065 |
| 24 | 2083 |
| 25 | 2228 |
| 26 | 2004 |
| 27 | 1910 |
| 28 | 1959 |
| 29 | 2179 |
| 30 | 2208 |
| 31 | 2410 |
| 32 | 2077 |
| 33 | 2218 |
| 34 | 2221 |
| 35 | 2262 |
| 36 | 2359 |
| 37 | 2500 |
| 38 | 2697 |
| 39 | 2741 |
| 40 | 2577 |
| 41 | 2069 |
| 42 | 1769 |
| 43 | 1646 |
| 44 | 1630 |
| 45 | 1673 |
| 46 | 1566 |
| 47 | 1868 |
| 48 | 2004 |
| 49 | 1721 |
| 50 | 870 |
| 51 | 328 |
| 52 | 87 |
| 53 | 31 |
| 54 | 4 |
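Both tables above are aggregations over Cuckoo's per-analysis output: the first counts, per behavioral signature, how many analyses triggered it; the second buckets analyses by the number of VirusTotal positives, with a separate bucket for samples VirusTotal had never seen. The script below is an added example that rebuilds both from a tree of Cuckoo `report.json` files; it is not Malwr's or Cuckoo's own code. It assumes the Cuckoo 1.x report layout (a `signatures` list of dicts carrying `name` and `description`, and a `virustotal` dict carrying `positives` and `total` only when VirusTotal knew the file); the sample reports embedded in it are constructed. It groups signatures by `name` rather than `description`, since descriptions can be parameterized (the `Starts servers listening on {0}` row above is one such template) and would otherwise split one signature across many rows.

```python
"""Aggregate Cuckoo behavioural-signature hits and VirusTotal detection
counts over a directory of report.json files.

Added example, not Malwr's or Cuckoo's own code. Assumed report.json
layout (Cuckoo 1.x): report["signatures"] is a list of dicts with "name"
and "description"; report["virustotal"] is a dict with "positives" and
"total" when VirusTotal knows the file, and no "positives" key otherwise.
"""
import json
import os
from collections import Counter

NOT_FOUND = "not found"  # bucket for files VirusTotal had never seen


def load_reports(root):
    """Yield parsed report.json dicts found anywhere under root."""
    for dirpath, _, filenames in os.walk(root):
        if "report.json" in filenames:
            with open(os.path.join(dirpath, "report.json"), encoding="utf-8") as fh:
                yield json.load(fh)


def signature_counts(reports, key="name"):
    """Count, per signature, the number of reports in which it triggered.

    A signature is counted once per report even if it matched several
    times in one run. Grouping by "name" rather than "description" keeps
    parameterised descriptions (such as "Starts servers listening on ...")
    in a single row instead of one row per port.
    """
    counts = Counter()
    for report in reports:
        hit = {sig.get(key, "<unnamed>") for sig in report.get("signatures", [])}
        counts.update(hit)
    return counts


def detection_histogram(reports):
    """Histogram of VirusTotal positives per report; NOT_FOUND when VirusTotal
    returned no scan result for the sample."""
    hist = Counter()
    for report in reports:
        vt = report.get("virustotal")
        if not isinstance(vt, dict):  # missing block or empty list: no VT data
            vt = {}
        positives = vt.get("positives")
        hist[NOT_FOUND if positives is None else int(positives)] += 1
    return hist


def sorted_histogram(hist):
    """Rows ordered NOT_FOUND first, then ascending detection count, so the
    shape of the distribution is visible rather than a frequency ranking."""
    rows = [(NOT_FOUND, hist[NOT_FOUND])] if NOT_FOUND in hist else []
    rows += [(k, hist[k]) for k in sorted(k for k in hist if k != NOT_FOUND)]
    return rows


# Constructed sample reports standing in for real Cuckoo output.
SAMPLE_REPORTS = [
    {"signatures": [
        {"name": "antivirus_virustotal",
         "description": "File has been identified by at least one AntiVirus on VirusTotal as malicious"},
        {"name": "persistence_autorun",
         "description": "Installs itself for autorun at Windows startup"}],
     "virustotal": {"positives": 39, "total": 54}},
    {"signatures": [  # same signature matched twice in one run: counted once
        {"name": "persistence_autorun", "description": "Installs itself for autorun at Windows startup"},
        {"name": "persistence_autorun", "description": "Installs itself for autorun at Windows startup"}],
     "virustotal": {"positives": 0, "total": 53}},
    {"signatures": [],
     "virustotal": {"response_code": 0, "verbose_msg": "not found"}},  # unknown to VirusTotal
    {"signatures": [
        {"name": "network_bind", "description": "Starts servers listening on 0.0.0.0:8080"}],
     "virustotal": {"positives": 2, "total": 55}},
    {"signatures": [
        {"name": "network_bind", "description": "Starts servers listening on 0.0.0.0:4444"}],
     "virustotal": {"positives": 13, "total": 55}},
]


if __name__ == "__main__":
    import sys
    reports = list(load_reports(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORTS
    print("| Signature | Count |\n|---|---|")
    for name, n in signature_counts(reports).most_common():
        print(f"| {name} | {n} |")
    print("\n| Detection count | Occurrences |\n|---|---|")
    for bucket, n in sorted_histogram(detection_histogram(reports)):
        print(f"| {bucket} | {n} |")
```

Run it with the path to a Cuckoo storage tree (for a default install, `storage/analyses`) to walk every completed analysis; with no argument it prints the two tables for the embedded samples. Switching `signature_counts` to `key="description"` reproduces the per-port split that grouping by `name` avoids.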
I'm very well aware that VirusTotal scores are not supposed to be a metric of comparison or of efficiency, but there's an interesting trend shown by these numbers, whatever conclusion you might draw from them.
Also, keep in mind that it is common for non-malicious files to be uploaded to the service (clean PDF documents, for example, are very popular), so the high number of 0 detections isn't in any way representative.
Let us know if you find this type of information of any value, if you would like to see these statistics calculated more regularly and if you have some additional ideas.
published on 2014-12-09 03:00:00 by nex