Category Archives: OSINT

Enriching your Malware analysis reports with Open Source Intelligence (OSINT)

Often, while analyzing a malware sample, I open Google and start searching for the hash or for some other Indications in the malware sample like Mutexes, User agents, Registry keys, Filenames, URLs and  IP Addresses. Searching for all those indications in Google and other search engines is too cumbersome. A couple of days ago I came across Malformity. Malformity is a collection of Maltego transforms to assist with malware and malicious infrastructure research. Malformity queries data from many sources (Ex. VirusTotal, Bit9, ThreatExpert…) in order to perform Maltego transforms. To get started with Malformity, you create with Maltego entities from the data you already have:

entities

 

Then you can run transforms:

Screenshot from 2013-12-14 17:34:47

 

Using those transforms It is possible to get useful information about the malware you are analyzing. For example in the example below I took a malware and found out URLs related with it, and even a Mutex (The one on the left).

Screenshot from 2013-12-14 21:59:36

 

In the next example, I created a URL entity out of a URL address from which the malware sample downloaded a DAT file. I found information about the website (Infrastructure information) and also some information from known security companies.

Screenshot from 2013-12-15 21:47:59222

 

In the example below, I took the same hash and found different virus signatures, and alternative names for the same malware:

Screenshot from 2013-12-15 21:50:51

 

Maltego and Malformity are nice tools to have when researching for malware indicators and malicious infrastructure, and can be really helpful at times. It is important to note that those searches are not silent, and doing those transforms can expose and reveal that the malware has been discovered and is under investigation.

Some additional honorable mentions of tool that can help and ease the research: