The analysis Insights window provides a summary overview of the Parent and all its unpacked Children. This is intended to give the analyst quick insight into the threat level of the submission and any identified malware families.

Classification

The Classification of the sample is determined based on an amalgamation of all the information extracted during the analysis. The following classifications are used.

Malicious

The file is confirmed malware with an associated Malware family.

Suspicious

The file contains multiple malware characteristics but is not confirmed malware.

Benign

The file is confirmed NOT malware.

Goodware

The file is confirmed goodware from a known origin, validated using a SHA256 hash.

Zombieware

Zombieware is malware that has been abandoned by its operators, but replications of it continue to appear in the wild. Often these are self-replicating malware such as file infectors and worms, but Zombieware is not exclusive to these types of malware. Zombieware may still pose a threat, especially in the case of zombie ransomware; however, these samples lack operator control and intent. Because Zombieware distribution is incidental and not driven by campaigns, these samples are of low intel value.

Troll File

The file contains more than three different confirmed malware families. It is possible that Troll Files are intended to be malicious, though there is also the possibility that they have been developed to intentionally trigger anti-virus detection.

Corrupt File

The file is corrupt and cannot be processed correctly.

Unknown

Not enough information has been extracted from the file to classify it.

Packer

The Packer identification is a combination of the DIE results as well as the internal packer classification from UnpacMe. Most internal packer classifications are intentionally obfuscated behind a Generic Packer label for operational security purposes.

Threat Type

The Threat Types assigned to an analysis are based on the internal UnpacMe malware identification process and are associated with identified malware families. A sample may have more than one Threat Type depending on its capabilities.

The common threat types are loosely based on the Canadian Centre for Cyber Security (CCCS) YARA Specification. Where applicable, descriptions are copied directly from the Validator Configuration File version 0.9.

  • ADWARE – Software that shows you extra promotions that you cannot control as you use your PC. You wouldn't see the extra ads if you didn't have adware installed.
  • LOADER – A program that loads another application / memory space.
  • BANKER – Trojan Banker programs are designed to steal your account data for online banking systems, e-payment systems and credit or debit cards.
  • BRUTEFORCER – Trojan bruteforcers try to brute-force websites in order to achieve something else (e.g. finding WordPress websites with default credentials).
  • CRYPTOMINER – Cryptocurrency mining malware.
  • DOWNLOADER – Trojan Downloaders can download and install new versions of malicious programs in the target system.
  • EXPLOITKIT – Exploit kits are programs that contain data or code that takes advantage of a vulnerability within an application that is running in the target system.
  • FAKEAV – Trojan FakeAV programs simulate the activity of antivirus software. They are designed to extort money in return for the detection and removal of threats, even though the threats that they report are actually non-existent.
  • HACKTOOL – A type of tool that can be used to allow and maintain unauthorized access to your PC.
  • INFOSTEALER – A program that collects your personal information, such as your browsing history, and uses it without adequate consent.
  • POS – Point-of-sale malware is usually a type of malware that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information.
  • PROXY – This type of trojan allows unauthorized parties to use the infected computer as a proxy server to access the Internet anonymously.
  • RAT – A program that can be used by a remote hacker to gain access and control of an infected machine.
  • RANSOMWARE – This type of malware can modify data in the target computer so the operating system will stop running correctly or the data is no longer accessible. The criminal will only restore the computer state or data after a ransom is paid to them (mostly using cryptocurrency).
  • ROOTKIT – Rootkits are designed to conceal certain objects or activities in the system. Often their main purpose is to prevent malicious programs being detected in order to extend the period in which programs can run on an infected computer.
  • SCAREWARE – Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software.
  • SPAMBOT – Malware that is sending spam.
  • WIPER – A type of malware that destroys data.
  • WORM – A type of malware that spreads to other PCs.

Malware

The Malware labels applied to an analysis are based on the internal UnpacMe malware identification process and are associated with identified malware families. A sample may have more than one Malware label depending on the number of different malware families bundled with the Parent.

Though often overlapping, YARA labels and Malware labels are distinct from each other. Malware labels refer to the malware family while YARA labels apply to individual samples. For example, the YARA rule emotes_loader may identify the loader component of the Emotet malware family leading to a Malware label of Emotet.

Yara Matches

YARA Matches list the individual YARA rules that have matched on the Parent and Children. Beside each label is a list of 📄 links which can be used to navigate to the sample that is responsible for the match.

AntiVirus

AntiVirus matches list any antivirus detections for the Parent and Children. Each detection lists the antivirus engine and the detection label applied by the antivirus. Beside each detection is a list of 📄 links which can be used to navigate to the sample that is responsible for the detection.

Community Rules

Community Rules list all YARA rules from the curated repository of open source rules that have matched on the Parent and Children. Beside each label is a list of 📄 links which can be used to navigate to the sample that is responsible for the match.
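The following added example (not UnpacMe code) sketches how a Parent-level summary of the kind described above can be assembled from per-sample results: per-sample YARA labels are collapsed into family-level Malware labels, each match is linked back to the sample responsible for it, and the Classification rules are applied. The rule-to-family map, the goodware hash allowlist, the suspicious-trait threshold and the precedence of the classification rules are all assumptions; the page lists the classifications and their criteria but not how ties are resolved.

```python
from dataclasses import dataclass, field

# Constructed mapping from YARA rule name (a per-sample label) to the
# malware family it indicates (the family-level Malware label).
RULE_TO_FAMILY = {
    "familya_loader": "FamilyA",
    "familya_core": "FamilyA",
    "familyb_stealer": "FamilyB",
    "familyc_rat": "FamilyC",
    "familyd_miner": "FamilyD",
}
# Constructed goodware allowlist keyed by SHA256 (placeholder digest).
GOODWARE_SHA256 = {"0" * 64}

@dataclass
class Sample:
    sha256: str
    yara_matches: list = field(default_factory=list)  # matched rule names
    corrupt: bool = False
    suspicious_traits: int = 0  # count of heuristic malware characteristics

def malware_labels(samples):
    """Collapse per-sample YARA labels into deduplicated family labels."""
    return sorted({RULE_TO_FAMILY[r] for s in samples
                   for r in s.yara_matches if r in RULE_TO_FAMILY})

def match_links(samples):
    """For each matched rule, the hashes of the samples responsible for it."""
    links = {}
    for s in samples:
        for rule in s.yara_matches:
            links.setdefault(rule, []).append(s.sha256)
    return links

def classify(parent, children):
    """Assumed precedence; Zombieware and Benign need data not modelled here."""
    everything = [parent, *children]
    if parent.sha256 in GOODWARE_SHA256:
        return "Goodware"
    if parent.corrupt:
        return "Corrupt File"
    families = malware_labels(everything)
    if len(families) > 3:          # more than three confirmed families
        return "Troll File"
    if families:                   # any confirmed family => Malicious
        return "Malicious"
    if sum(s.suspicious_traits for s in everything) >= 2:  # assumed threshold
        return "Suspicious"
    return "Unknown"               # cannot confirm Benign from this data
```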

References

The References list provides a list of links to OSINT information related to the identified malware. These links may include analysis reports, blog posts, GitHub repositories, and other information that describe the threat.