Another week, another Triage Thursday blogpost. This week the focus is on Android, with several background updates which should significantly improve the experience analysing APKs through Triage.
As usual we also have a few updates for our Windows detections and configuration extractors which we’ll introduce as well.
In addition to our normal update news, we’re also announcing a job opening with Hatching. If you like what we’re building here and want to be a part of our team, we are currently looking for a senior Go developer to work on some of the long list of feature ideas we would love to bring to our users. Interested? You can find the full job listing here.
In the news today:
- Various Android analysis updates and improvements
- New configuration extractor for CryptBot
- Improved handling for Dridex and its components
- Updated detection for Gozi RM3
- Updated detection for recent IcedID samples
As usual, if you have any feedback on Triage or particular samples please do get in touch! You can reach us directly through the website, on Twitter, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.
Since initially releasing Android support back in August 2020 we’ve been receiving plenty of feedback. We’ve made a range of tweaks over the months, but this week sees a larger update covering a number of aspects which have been mentioned by many of our users.
We don’t want to bore you with all the background technical details, but in this section we’ll quickly go over the main ones which should have a noticeable effect on your experience using the platform.
Reporting of suspicious/dangerous app permissions during static analysis phase
In our initial release, our main focus had been on behavioural detection and getting the VMs and basic signatures in place. In this update we are starting to flesh out the static phase further, adding parsing of the application manifest to report on the permissions requested and highlight any which are generally dangerous or potentially malicious.
Added framework for static extraction of ransomnotes
Continuing the theme of improving on static detection, we have also added ransomnote dumping for the
Filecoder family of Android ransomware. In doing so, we have necessarily built the framework to allow us to add support for additional families in the future. This expands on our existing capabilities for configuration extractors to add support for some additional file types/events.
Run multiple Android analyses simultaneously
When Android support was released, Triage could only process a single Android task at a time, unlike other platforms where we support large numbers of parallel analyses. Thanks to some improvements in the background we now support running multiple tasks simultaneously which will greatly decrease wait times when submitting batches of Android files.
Download DEX payloads dropped during analysis
Triage now automatically dumps executable files created during the course of an analysis, and these can now be downloaded through the web UI just the same as for a Windows submission. They will appear in the
Downloads section at the bottom of the report page.
Improved Live Monitor functionality
Live Monitor is our feature which allows interaction with the analysis VM(s) while running. The initial version of this for Android was fairly basic, allowing interaction but with some limitations. Additionally lag has been an issue, especially in the context of Android where many actions require actions normally carried out on a touchscreen not a mouse and keyboard.
Taking all of these changes together, we hope that you’ll find Android analysis much simpler and more user-friendly. We still have lots more planned, and as always if you have issues or feedback do feel free to reach out to us.
New CryptBot Configuration Extractor
CryptBot has popped up a couple of times in our blogposts this year, first in February when we made some updates to behavioural detection and again last month with the addition of some fallback yara rules to ensure detection in as many cases as possible.
This week we are extending this further with a full configuration extractor for the family based on recent samples observed in Triage.
Improved Dridex Handling
Dridex continues to be a major family across the industry so we are continuing to monitor it and make changes to improve our handling of the family wherever possible. This week we have implemented some additional detections for recent variants, as well as separating out rules for the loader and payload modules to give more informative and detailed feedback in the end report.
Updated Detection for Gozi RM3
We released this one earlier in the week but include it here for completeness, or any readers who don’t follow our Twitter account.
We have just deployed a small tweak for our #Gozi/#Ursnif #RM3 detection - our configuration extractor will be working more reliably now.— Hatching (@hatching_io) May 25, 2021
Find an example here: https://t.co/vHh8pcbQEz
Thanks to @fumik0_ for reporting the issue to us pic.twitter.com/QoEfPr7uwL
Thanks to a report from user @fumik0_ we have applied an update for Ursnif/Gozi RM3 to provide better coverage with our configuration extractor.
Updated Detection for Recent IcedID Samples
IcedID appears again this week with another minor tweak to our detections based on recent samples. In this case, changes to the core loader required some alterations in our Yara rules to properly catch it and trigger processing.
These new samples were initially brought to our attention by Myrtus0x0 - thanks for the feedback as always!