BluSapphire | Intelligent Cyber Defense
1.jpg

Blog

ZeroDay Detection with Machine Learning(ML) BluSapphire

 

Year 2016 & 2017 has witnessed the rise in cyber attacks targeting various sectors like banking, industrial, etc. New variants and types (fileless/in-memory) of malware families are being surfacing each day (wannacry, Petya/NotPetya/Nyetya/Goldeneye, BadRabbit, etc) which a traditional antivirus engine couldn’t detect without a signature.

With advancement in today’s cybercrime, there’s being advancement in detection of such potential threats, which brings me to Machine Learning (ML). According to wiki, Machine Learning (ML) is a field of computer science that gives computers the ability to learn without being explicitly programmed. In other words, computer trained to learn and identify malicious threats on its own.

BluSapphire is being integrated with Machine Learning (ML) engine that is capable of detecting any potential threats the moment they enter the network, making it easy to detect such sophisticated threats.

Last week one of our sensors has collected a file, which was flagged malicious by our Machine Learning (ML) engine. Being a zero-day, at that point in time, it has not triggered any AV flags. This post is an overview of the analysis made by BluSapphire ML engine.

ANALYZED SAMPLE:

MD5 Hash:    9d55d1c81605209fc2b537e74af9c91c

ANALYSIS:

We observed that the file was being downloaded from url “.pigcherrytoky.download”

1.jpg

Machine learning (ML) engine has flagged the file malicious and the file is loaded with some Anti-Debug techniques, making it difficult for debugging.

2.jpg

Being a zero-day, it has not triggered any AV flags, but the code within was matched over 176 known trojan malwares samples.

3.jpg

Malware being multipartite, it has refused to execute in pieces.

4.jpg

ABUSE USE OF APIS:

GetCommandLineA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
VirtualFree
VirtualAlloc
TlsDetValue

Right after few hours the same PUP has being flagged malicious by multiple AV’s.

5.jpg



 
Kiran VangavetiComment
Get in Touch