Having the right tool for the job
Quote:

Not all investigations are tackled the same way. Sometimes from a single sample we need to quickly find as much context as possible. In other situations, we are presented with a handful of IOCs and we need to make sense of what’s going on.

When you have a few pieces of the puzzle, the most natural thing is to put all of them on the table (by the way, this table will also find some extra missing pieces for you). And this is where VirusTotal Graph can make your life easier. Never heard of it? No worries, this video will show you how to use it!

VirusTotal Graph will allow you to make Visual Investigations, an extremely useful resource to save valuable time by allowing efficient evaluation of incidents.
If you want to know more about this topic, join us for our workshop next July 15th at 15:00 UTC along with our friends from Maltego and Kaspersky.


But stay with us! In this blog post we want to provide you with some cool examples of what kind of magic you can do with VT Graph.

Context in less than 1 minute

We have a few IOCs from some APK malware samples we suspect are connected, and we are interested in finding out if they have any common infrastructure. This would allow us to quickly react by, for instance, blocking any related domain or IP in our network. In this case, we will use Anatsa samples as an example. 

First, we create a new graph using the IOCs from the previous link, in this case:
  • 49de707fc2d7e44e14f8d50ea7d731fd8abda3418acd106c78cee833183e240f
  • aa435c4da9fa1bb3bb186a0bce1fd9710c227b8d72fa82d71a426df82c236eb1
  • 7bc0f932d40f17abc43f8b25a9d75408b192f55c742a02843c5e31869d3d4684
 
At this point, the new graph will automatically calculate all the relationships for us. This can be a bit noisy if we are only interested in the infrastructure, so we can remove all the other relationships leaving only “contacted URLs” and “contacted IPs”.

The whole process took less than one minute and shows us that the IP 185.215.113[.]31 is used by all three initial samples. Not only that, from the URL paths we already have some idea of what kind of actions this malware is doing. What else to do here? For instance, you can fully expand the node with the suspicious IP 185.215.113[.]31 to find all the samples downloaded from it (quite a lot) in order to continue your investigation. If we were interested in keeping the full relationships automatically created in this graph instead of a simplified version for the infrastructure, we could also find files similar to the ones we are analyzing. Another interesting finding is a common file between the analyzed samples found in the PCAP files resulting from their execution in sandboxes: this file contains the malicious injects sent from the C&C server to the bots.

This is a lot of information from just dropping some IOCs into a graph! Most of the time this will be more than enough to get a first idea of what we are dealing with.
 
Map the entire infrastructure behind a domain

Sometimes a simple domain investigation can turn into a complex scenario. Given the nature of the dataset in which VirusTotal Graph works, it is easy to find all the subdomains, URLs and resolutions that VirusTotal knows about a domain.

Let’s take a look at the suspicious “ladycash[.]ru” domain. We can simply do a series of relationship expansions to reach a point where we uncover different sub-domains and all the different IP addresses all over the world they resolve to. And voilà! After a few clicks we have valuable data to continue our investigation of a potentially malicious infrastructure.
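The two pivots described above (shared infrastructure across the three Anatsa hashes, and domain → subdomains → resolutions for ladycash[.]ru) can also be scripted against the VirusTotal API v3 relationship endpoints (`/files/{id}/contacted_ips`, `/domains/{id}/subdomains`, `/domains/{id}/resolutions`) when you want the result as a block list rather than a picture. The following is an added example, not code from the VirusTotal post or from VirusTotal itself. The three hashes and the IP 185.215.113.31 are the IOCs quoted in the post; every other value in the offline dataset (the extra IP, the subdomains, the resolved addresses, all drawn from RFC 5737 documentation ranges) is constructed so the script runs without an API key. `live_fetcher` is an assumed convenience wrapper around the real endpoints and only reads the first page of results.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Set

VT_API = "https://www.virustotal.com/api/v3"

# A fetcher returns the related objects for (collection, object_id, relationship),
# i.e. the "data" list of GET /api/v3/{collection}/{id}/{relationship}.
Fetcher = Callable[[str, str, str], List[dict]]


def live_fetcher(api_key: str) -> Fetcher:
    """Real VT API v3 calls (assumed wrapper). First page only; pagination is left out."""
    def fetch(collection: str, object_id: str, relationship: str) -> List[dict]:
        url = f"{VT_API}/{collection}/{object_id}/{relationship}?limit=40"
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("data", [])
    return fetch


# IOCs quoted in the post.
HASHES = [
    "49de707fc2d7e44e14f8d50ea7d731fd8abda3418acd106c78cee833183e240f",
    "aa435c4da9fa1bb3bb186a0bce1fd9710c227b8d72fa82d71a426df82c236eb1",
    "7bc0f932d40f17abc43f8b25a9d75408b192f55c742a02843c5e31869d3d4684",
]
SHARED_IP = "185.215.113.31"


def _ip(addr: str) -> dict:
    return {"type": "ip_address", "id": addr}


def _dom(name: str) -> dict:
    return {"type": "domain", "id": name}


def _res(host: str, addr: str) -> dict:
    # VT resolution objects carry host_name / ip_address in their attributes.
    return {"type": "resolution", "id": addr + host,
            "attributes": {"host_name": host, "ip_address": addr}}


# CONSTRUCTED offline dataset shaped like VT v3 responses. Only the hashes and
# SHARED_IP come from the post; the rest is made up for this example.
OFFLINE = {
    ("files", HASHES[0], "contacted_ips"): [_ip(SHARED_IP)],
    ("files", HASHES[1], "contacted_ips"): [_ip(SHARED_IP), _ip("203.0.113.7")],
    ("files", HASHES[2], "contacted_ips"): [_ip(SHARED_IP)],
    ("domains", "ladycash.ru", "subdomains"): [_dom("cdn.ladycash.ru"), _dom("mail.ladycash.ru")],
    ("domains", "ladycash.ru", "resolutions"): [_res("ladycash.ru", "198.51.100.10")],
    ("domains", "cdn.ladycash.ru", "resolutions"): [_res("cdn.ladycash.ru", "198.51.100.10"),
                                                    _res("cdn.ladycash.ru", "203.0.113.44")],
    ("domains", "mail.ladycash.ru", "resolutions"): [_res("mail.ladycash.ru", "192.0.2.5")],
}


def offline_fetcher(collection: str, object_id: str, relationship: str) -> List[dict]:
    return OFFLINE.get((collection, object_id, relationship), [])


def common_related(fetch: Fetcher, collection: str, ids: List[str], relationship: str) -> Set[str]:
    """IDs of related objects shared by *every* starting object: the 'common
    infrastructure' pivot. Noise that only one sample touches drops out."""
    common = None
    for object_id in ids:
        related = {obj["id"] for obj in fetch(collection, object_id, relationship)}
        common = related if common is None else common & related
    return common or set()


def map_domain(fetch: Fetcher, domain: str, max_subdomains: int = 50) -> Dict[str, Set[str]]:
    """Domain -> subdomains -> resolutions, as {hostname: {ip, ...}}.
    max_subdomains bounds the expansion so a large zone cannot explode the walk."""
    hosts = [domain] + [d["id"] for d in fetch("domains", domain, "subdomains")][:max_subdomains]
    return {h: {r["attributes"]["ip_address"] for r in fetch("domains", h, "resolutions")}
            for h in hosts}


def defang(ioc: str) -> str:
    """Make an indicator safe to paste into a report or ticket."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    ips = common_related(offline_fetcher, "files", HASHES, "contacted_ips")
    print("shared contacted IPs:", ", ".join(defang(i) for i in sorted(ips)))
    for host, addrs in map_domain(offline_fetcher, "ladycash.ru").items():
        print(defang(host), "->", ", ".join(defang(a) for a in sorted(addrs)))
```

Swap `offline_fetcher` for `live_fetcher("<your key>")` to run the same two pivots against VirusTotal; the intersection in `common_related` is what turns a noisy graph into a short, defensible block list, and `max_subdomains` is the equivalent of not fully expanding a huge node.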
...