Showcase Reports

In this section, we will highlight our cybersecurity software's key capabilities, including sample analysis, malware family decoding, disassembly unpacking, similarity search, and more. These features represent our commitment to providing comprehensive tools for detecting and combating malware effectively. Explore the reports below to delve into each capability in detail.

#0 Synthetic (fabricated) sample

This sample is a purpose-built example that highlights the diverse capabilities of MetaDefender Sandbox (previously known as OPSWAT Filescan Sandbox). It was crafted to mimic real-world cyber threats by embedding multiple files and file types inside each other. This effectively demonstrates our solution's strengths in adaptive threat analysis, behavioral analysis, and advanced security measures.

Check out the following features in the report linked above:

  • Many detailed indicators, highlighting these:

    • Significant evidence of malicious (phishing) file
    • Malware config
    • Many PE related ones
    • Call for action indicators
    • Contains a URL encoded in a QR code
      • We decode QR codes even when they are embedded. Check this out as an indicator, in the extracted strings, and as the rendered picture itself
  • File details for additional files: make sure you check not only the input file, but also all the details of:

    • Extracted files (different file types with many details shown!)
    • Downloaded files
  • Emulation data - note that we're able to dig down multiple levels into the emulation. Check some of the interesting blocks, such as:

    • AccessLocale
    • StartProcess
    • CreateObject
  • Identified sets of IOCs, including the URL from the QR code as well

  • Thorough string extraction with the filtering ability

#1 Geofencing

Malware documents that use geofencing have become a significant threat. These malicious files rely on location-based triggers, which makes detection and mitigation challenging. Adaptive Threat Analysis stands out from traditional approaches by accurately emulating and falsifying the expected geolocation values, effectively neutralizing this tactic and improving our ability to protect against such threats.

In the sample provided below, we can observe geofencing malware that attempts to execute exclusively within a specific country. Our solution bypasses this restriction, as mentioned above, by emulating the geolocation values the malware expects, demonstrating our capability to counter geofencing-based threats.

#2 Phishing detection

By rendering suspicious websites and subjecting them to our machine learning engine, we are capable of identifying nearly 300 brands. In the example provided below, you can see a Russian website masquerading as the computer gaming company Steam. Our solution compares the site's content to the genuine URL and swiftly identifies such fraudulent attempts, safeguarding your digital assets and personal information.

Learn more about this feature by clicking here.

#3 Offline URL Reputation

The offline URL detector ML model provides a new layer of defense by detecting suspicious URLs, offering a robust means to identify and mitigate the threats posed by malicious links. It was trained on a dataset containing hundreds of thousands of URLs, labeled as either no threat or malicious by reputable vendors, to assess whether suspicious URLs can be accurately detected through machine learning techniques.

It is important to note that this feature is particularly useful in air-gapped environments where online reputation lookups are not available.

Learn more about the Suspicious URL Detection in Offline Mode by clicking here.

#4 Malware config extraction of a packed sample

The sample below is a piece of malware that was packed with UPX. Despite its attempt to evade detection and defenses, our analysis successfully unpacked the payload, exposing it as a Dridex Trojan. We were also able to recover the malware configuration, shedding light on the malicious intent behind this threat and extracting valuable IOCs.

Learn more about the malware config extraction feature by clicking here.

Learn more about the malware unpacking feature by clicking here.

#5 Similarity Search

Using the Similarity Search functionality, the sandbox detected a file that closely resembles a known malware sample. Notably, this file had previously been marked as non-malicious, revealing the potential for false negatives in our security assessments. This discovery allows us to specifically target and rectify such overlooked threats.

It is important to highlight that Similarity Search is highly valuable for threat research and hunting, as it can help uncover samples from the same malware family or campaign, providing additional IOCs or relevant information about specific threat activities.

Learn more about this feature by clicking here.

#6 Finding interesting things via Disassembly

#6.1 Native executable

Our disassembly engine revealed intriguing findings within the target sample. This sample monitors the system time using the uncommon rdtsc instruction and accesses an internal, undocumented Windows structure commonly used for various malicious tricks. These unusual actions raise questions about its purpose and underscore the need for further investigation to assess the potential risk to the system.

#6.2 .NET Executable

The sample under examination was built using the .NET framework. While we refrain from displaying the actual CIL, our decompilation process extracts and presents noteworthy information, including strings, registry artifacts, and API calls.

Besides that, we parse the .NET metadata to identify .NET-specific functions and resources. This allows us to extract detailed information about the assembly, such as methods, classes, and embedded resources, which is critical for analyzing the behavior and structure of .NET applications.

#7 Shellcode emulation

Many application exploits deliver their final payload in raw binary form (shellcode), which can be an obstacle when parsing the payload. With our shellcode emulation we are able to discover and analyse the behaviour of the final payload; in this example, the shellcode targets a widely exploited Office vulnerability in the equation editor. This opens the door to gathering the relevant IOCs.

#8 Highly obfuscated VBA macro

Obfuscated VBA macros make it significantly harder to deliver a reasonable response time against active threats. The unclear code makes analysing and understanding the threat a highly complex task that demands a lot of time and effort. Our VBA emulation technology overcomes these challenges and provides a comprehensive analysis of obfuscated VBA macros, together with clear insights into their functionality, in seconds.

The analyzed sample is an Excel document with highly obfuscated VBA code that drops and runs a .NET DLL file, together with a LNK file in charge of continuing the malware execution chain. After VBA emulation, MetaDefender Sandbox identifies the launched processes and the main deobfuscation function, automatically extracts the obfuscated strings, and saves the dropped files (previously hardcoded and encrypted in the VBA code). This rapidly shows the main purpose of the malware and gives us the possibility of further analysis of this threat.

Emulation calls the same function excessively

Obfuscated VBA macro code

Extracted strings after deobfuscating and emulating the VBA macro code

Next stager PE file created by VBA emulation

#9 Sandbox evasion via Task Scheduler

Using Windows Task Scheduler to execute malicious payloads at a later time is a stealthy technique for evading sandbox environments that has been seen in recent threats. It exploits the delay in execution to bypass the short analysis window typical of sandboxes.

The following sample is an obfuscated VBScript that downloads the malicious payload and creates a scheduled task to run it 67 minutes later. Traditional sandboxes maintain execution for only a few minutes, so the malicious behavior would never be exposed. Our VBScript emulator, on the other hand, detects and overcomes this evasion technique (T1497), adapting the execution environment to continue with further analysis and producing the full report in 12 seconds.

Schedule task created to gain persistence and evade sandbox analysis (execution delayed 67 mins)

#10 .NET Reflection

.NET Reflection is a powerful feature of the .NET framework that allows programs to inspect and manipulate the structure and behavior of a .NET file at runtime. It enables the examination of assemblies, modules, and types, as well as the ability to dynamically create instances of types, invoke methods, and access fields and properties.

Malware can use reflection to dynamically load and execute code from assemblies that are not referenced at compile time, allowing it to fetch additional payloads from remote servers (or hidden in the current file) and execute them without writing them to disk, reducing the risk of detection.

In this case, we can see how the analysed VBScript loads and runs a .NET assembly directly in memory from bytes stored in the Windows registry.

VBScript saving a reversed and base64-encoded PE in the registry and then running a .NET-based RAT using .NET reflection

Emulation actions showing the payload execution using .NET reflection

#11 XOR decrypting payload stored in PE resource

This feature reveals hidden artifacts encrypted within PE resources. Malicious artifacts are often encrypted to evade detection and obscure the true intent of the sample. Uncovering these artifacts is essential, as they typically contain critical data (such as C2 information) or payloads. By extracting them, the sandbox can deliver a deeper scan, with a higher chance of identifying the most valuable IOCs.

Both storing encrypted data in a PE resource and using XOR encryption are techniques widely used by malware for these two basic reasons:

  • Storing payloads in PE resources helps malware evade detection by static analysis tools. Many security tools focus on analyzing the executable's main code section, while resources are often overlooked, making it easier to hide malicious content.
  • XOR encryption is attractive for its simplicity: it is cheap in both time and resources, yet still enough to defeat naive signature matching.

But XOR encryption has a weakness when applied to data with a large number of null bytes (such as PE files): a byte XORed with 0x00 yields the key byte unchanged. By analyzing byte-frequency patterns in the encrypted data, especially in regions that were originally null bytes, the encryption key can be recovered, allowing the hidden payload to be decrypted.
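To make the null-byte weakness concrete, here is an added example (not the sandbox's own code) that recovers a repeating XOR key from a mostly-zero, PE-like buffer and decrypts it; it also goes one step beyond the paragraph by guessing the key length first. The buffer, the key and the C2-style config string are all constructed for this demo.

```python
from collections import Counter

# Constructed sample: a PE-like buffer that is mostly null bytes, as a real
# PE payload hidden in a resource would be. It is not a real binary.
PLAINTEXT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 200
    + b"c2=198.51.100.7:8443;campaign=demo"  # constructed config string
    + b"\x00" * 700
)
KEY = b"\x5a\xa7\x13\xc4"  # constructed repeating XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def column_dominance(blob: bytes, key_len: int) -> float:
    """Average share of the single most frequent byte in each key column.
    At the true key length every column is mostly 0x00 ^ k_i = k_i."""
    shares = []
    for i in range(key_len):
        col = blob[i::key_len]
        shares.append(Counter(col).most_common(1)[0][1] / len(col))
    return sum(shares) / key_len


def guess_key_length(blob: bytes, max_len: int = 32) -> int:
    scores = {n: column_dominance(blob, n) for n in range(1, max_len + 1)}
    best = max(scores.values())
    # Multiples of the true length score just as well, so take the shortest.
    return min(n for n, s in scores.items() if s >= 0.95 * best)


def recover_xor_key(blob: bytes, key_len: int) -> bytes:
    """The most frequent ciphertext byte in each column is the key byte
    whenever that column of plaintext is dominated by null bytes."""
    return bytes(Counter(blob[i::key_len]).most_common(1)[0][0]
                 for i in range(key_len))


def decrypt_resource(blob: bytes) -> tuple:
    """Recover the key from the encrypted resource; return (key, plaintext)."""
    key = recover_xor_key(blob, guess_key_length(blob))
    return key, xor_bytes(blob, key)


if __name__ == "__main__":
    key, plain = decrypt_resource(xor_bytes(PLAINTEXT, KEY))
    print("recovered key:", key.hex(), "MZ header present:", plain[:2] == b"MZ")
```

The same frequency trick fails on plaintext without a dominant byte, so a good sanity check after decryption is a recognisable header such as the MZ signature.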

Hidden payload in PE resource

Payload extracted after XOR decryption

C2 information identified from the payload
