In the malware analysis community, it is common to rename a malware sample to its hash value or add the hash to the filename. This helps analysts easily identify a sample and to store it with a unique filename. This strategy saves time and empowers collaboration. A drawback, however, is malware can use this as a way to detect and evade analysis.
A simple evasion technique used by malware is to check its own filename. If it includes a hash value or specific hash pattern, the malware terminates execution early – possibly without revealing any malicious behavior.
In response, we introduced a new feature in VMRay Analyzer v2.1 to prevent this simple evasion technique by checking submitted samples for their own hash value and randomizing the filename.
Figure 1: Randomized File Names – Check Box
To look closer at this feature, we will analyze a sample that uses this evasion technique. We will upload the file twice, first with the original filename and again with the new feature enabled.
In the first analysis, the sample checks if the filename contains a hash by using a simple heuristic. The VTI Score in Figure 2 shows the sample terminating if the filename is longer than 32 chars. This check is the evasion technique in-action. All common hash algorithms produce hash values ranging from 16 Bytes (MD5) to 32 Bytes (SHA256) which translates to 32 and 64 chars.
Figure 2: Detected Threats of the first and incomplete analysis
As a result, the malware detects analysis and the actual malicious behavior is not shown.
Figure 3: Excerpt of the code that the malware uses to detect hash values in its filename
Now let’s run the file again using the new randomized naming feature.
We know from the first analysis that a renamed sample is needed to get a complete analysis. Submitting the sample again, the VMRay Analyzer automatically recognizes the hash value in the uploaded filename and suggests the option to rename it.
With a randomized filename, we see the complete behavior in the analysis report, resulting in a VTI Score of 98/100. Looking at the process graph (Figure 3), we can get a quick glance at the real behavior of the malware. We see the malware masking its presence by using several injection transitions and renaming the image on the hard disk.
Figure 4: Process graph of the analysis with a randomized name
Conclusion
Analyzing malware often raises the problem of time management, since it is often cumbersome and time-consuming. The ability to randomize filenames that contain their own hash value means VMRay Analyzer can further simplify analysis workflows while increasing analysis accuracy.
View the VMRay Analyzer Reports
Analysis #1: Original File Name
Analysis #2: Randomized File Name Feature Enabled
