A typical work day with DeepToad
Sometimes, I receive so many malware samples that it turns out to be impossible (or at least inhuman) to analyze all the samples by hand and I need to automate the typical (boring) tasks: clusterization of the samples in smaller sets and initial (and superficial) analysis of the different samples. For the first task I created DeepToad, a tool to clusterize any kind of file using fuzzy hashing techniques.
Antiemulation Techniques (Malware Tricks II)
From time to time, when reversing malware, I find new antiemulation techniques, as they are widely used by malware to evade detection by AVs that use emulation. However, it seems that no one has written about them, maybe because there are a lot or, maybe, because they aren't very interesting. Anyway, a friend and I decided to look for antiemulation techniques and we found a bunch of them in just about 2 days. Surprise. Well, the following is a list of antiemulation techniques "found" by us.
Malware Tricks I
Today, while analyzing a family of malware (the family called "Krap" by some vendors) I noticed a good and new, at least for me, antiemulation technique. What do you think this sample code does?
; Do stuff...
start:
push offset some_func
jmp edx