Ever discover a site or a service that's brand-new and cool, only to learn it’s been around for years? No, I’m not talking about cat videos. I'm referring to the awesome, free malware analysis site Malwr.
It’s been around since January 2011 and is based on the popular open source analysis software Cuckoo. Malwr takes Cuckoo’s sandbox, throws a front end on it, and adds other related features. I’m not sure if the malware analysis teams at the leading antivirus firms use it (my guess is they have more sophisticated, expensive analysis tools at their disposal), but Malwr is good enough for any disassembling hobbyist. Claudio Guarnieri and Alessandro Tanasi -- respectively, chairman and director of the Netherlands-based Cuckoo Foundation -- created and operate Malwr.
I heard that Malwr got overwhelmed a while ago, running out of resources due to an abundance of users. Now it runs on systems provided by the long-trusted Shadowserver Foundation.
To use it, go to malwr.com and choose the Submit option from the top of the page. Then browse to your malware sample, upload it for inspection, type in the mathematical answer to a Turing test, and click on Analyze.
You can then pore through the results. The analysis includes:
- Hash fingerprinting results
- Submission to Virustotal.com
- Screenshots of the program during execution and installation
- Static analysis
- Dynamic analysis
- Domains contacted
- Hosts contacted
- Whether the program makes itself autorun on Window systems
- Registry keys created
- Files dropped
- Mutexes created
- Files and registry keys queried, failures, and successes
- Network activity
- HTTPS packets generated
There's a whole lot more. I was delighted to see the level of information delivered. It’s definitely enough to determine if the program in question is doing something shady or unexpected. It’s not perfect -- and malware is often written specifically to hide bad behaviors from tools like Malwr -- but it’s 100 times faster than trying to do the analysis on your own.
I downloaded a suspicious “registry cleaner” to analyze. Here are some screenshots from the results:
In this case, I didn’t see anything that jumped out as malicious, but I saw enough that I didn’t want to run it, including the report that TrendMicro labels it as "suspicious." What bothered me more was that it tried to create a file, netmsg.dll, in my System32 folder. There are a million reasons why that would be normal, but I didn’t like seeing it from a newly installed registry cleaner program, most of which are full of rogue code anyway.
It was great that I didn’t have to run the malware sample on my own desktop, although I could have done so safely in a newly created VM and installed additional monitoring tools -- or even used Cuckoo. Instead, I selected the file, uploaded to Malwr, and waited one or two minutes while it did all the hard work -- no setup or configuration, no sweat, and no messy cleanup, one and done. I love it.