Delphi-PRAXiS


DP News-Robot 22. Feb 2021 18:40

EurekaLog + VirusTotal = unforeseen consequences
 
We were contacted by a person who reported unforeseen consequences of uploading a EurekaLog-enabled application to the VirusTotal service.

It was like this: the client compiled an application with EurekaLog. The application was configured to send bug reports by e-mail. He uploaded the compiled application to the VirusTotal website, and got a scan result that everything is fine.

So far, everything is quite typical. The strange things started the next day, when the client received an e-mail with a bug report from EurekaLog. The weird thing was that the client did not launch the application, and he did not distribute/deploy it. And the report itself looked... unusual.

In particular, the executable file was renamed to a random set of letters, as well as the username and computer name. There was nothing suspicious in the list of modules and processes, and in general the machine seemed "bare". The only aspect that stood out was the loaded pancore.dll, which has created one thread. Google suggests that pancore.dll is a part of Oracle AutoVue - an enterprise solution for visualizing and viewing CAD and similar data.

The answer to the "riddle" came later. This is what the results of analyzing the file looked like during the first check:


And here is what the site shows when re-uploading the same file a day later (after receiving the "mysterious" report):



As you can see, the scan results have changed: "interesting" behavior patterns have been added to the title, and new tabs have appeared in the full report, containing the analysis of the file's behavior: which files it opens, which URLs it visits, which registry keys it changes, which processes it launches, and so on.

It turns out that VirusTotal runs uploaded apps in multiple virtual machines / sandboxes (aka multisandboxing) to determine details of their behavior. In particular, the file we uploaded has been verified in C2AE (presumably CAPE Sandbox), the Sysinternals Sysmon tool, and VirusTotal's own sandbox: Jujubox.

This feature has existed in VirusTotal since 2012, when they used VirusTotal Cuckoofork - a clone of CuckooBox. VirusTotal launched multi-sandbox in 2017, and Cuckoofork was replaced with the new Jujubox Sandbox in 2019.

It is not hard to figure out that EurekaLog's report is a result of executing the uploaded file in one of these sandboxes (presumably - Jujubox). Now getting a "sudden" report does not seem so surprising anymore.
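
The traits the article lists for the odd report (renamed executable, random-looking user and computer names, a loaded pancore.dll) can be scored on the receiving side so that sandbox detonations are set aside from customer reports. This is an added example, not EurekaLog code: the report dictionary layout, `SHIPPED_EXE`, the weights and the threshold are assumptions, and both sample reports are constructed.

```python
import re
from pathlib import PureWindowsPath

SHIPPED_EXE = "invoicetool.exe"    # assumption: file name the build ships under
SANDBOX_MODULES = {"pancore.dll"}  # module the article saw in the odd report
THRESHOLD = 3                      # assumption: score at which a report is set aside

def looks_random(name):
    """Crude test for 'a random set of letters': letters only, six or more
    characters, with a run of at least five consonants."""
    if not re.fullmatch(r"[A-Za-z]{6,}", name):
        return False
    return re.search(r"[^aeiouy]{5,}", name.lower()) is not None

def triage(report):
    """Return (score, reasons) for one parsed bug report."""
    findings = []  # (weight, reason) pairs
    exe = PureWindowsPath(report["exe_path"]).name.lower()
    if exe != SHIPPED_EXE:
        findings.append((1, "executable renamed to " + exe))
    names = {"executable": exe.rsplit(".", 1)[0],
             "user": report["user"], "computer": report["computer"]}
    for label, value in names.items():
        if looks_random(value):
            findings.append((1, f"{label} name looks random: {value}"))
    loaded = {PureWindowsPath(m).name.lower() for m in report["modules"]}
    for module in sorted(loaded & SANDBOX_MODULES):
        findings.append((2, "sandbox-associated module loaded: " + module))
    return sum(w for w, _ in findings), [r for _, r in findings]

def is_sandbox_like(report):
    return triage(report)[0] >= THRESHOLD

# Constructed sample reports (not real EurekaLog output).
SANDBOX_REPORT = {"exe_path": r"C:\Users\qzxkvbnt\Desktop\wrtkpsdh.exe",
                  "user": "qzxkvbnt", "computer": "HJKLMNPQ",
                  "modules": ["ntdll.dll", "kernel32.dll", "pancore.dll"]}
CUSTOMER_REPORT = {"exe_path": r"C:\Program Files\InvoiceTool\invoicetool.exe",
                   "user": "maria.keller", "computer": "DESKTOP-7F3K2LQ",
                   "modules": ["ntdll.dll", "kernel32.dll", "user32.dll"]}

if __name__ == "__main__":
    for rep in (SANDBOX_REPORT, CUSTOMER_REPORT):
        score, reasons = triage(rep)
        print(score, "sandbox-like" if score >= THRESHOLD else "keep", reasons)
```

The random-name test is deliberately conservative and will miss random strings that happen to contain vowels, which is why the renamed executable and the module hit carry the score on their own.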