Component EurekaLog + VirusTotal = unforeseen consequences

FireWind

Moderator
Registered: 2 Dec 2005
Messages: 1,161
Reactions: 831
Credits: 3,380

We were contacted by a person who reported unforeseen consequences of uploading an EurekaLog-enabled application to the VirusTotal service.

It was like this: the client compiled an application with EurekaLog. The application was configured to send bug reports by e-mail. He uploaded the compiled application to the VirusTotal website and got a scan result saying that everything was fine.

So far, everything is quite typical. The strange things started the next day, when the client received an e-mail with a bug report from EurekaLog. The weird thing was that the client had not launched the application, and he had not distributed or deployed it. And the report itself looked... unusual.
In particular, the executable file had been renamed to a random set of letters, as had the username and computer name. There was nothing suspicious in the list of modules and processes, and in general the machine seemed "bare". The only aspect that stood out was the loaded pancore.dll, which had created one thread. Google suggests that pancore.dll is a part of Oracle AutoVue, an enterprise solution for visualizing and viewing CAD and similar data.

The answer to the "riddle" came later. This is what the results of analyzing the file looked like during the first check:
[Screenshot: VirusTotal scan result from the first upload]
And here is what the site showed when re-uploading the same file a day later (after receiving the "mysterious" report):
[Screenshot: VirusTotal scan result from the re-upload a day later]
As you can see, the scan results have changed: "interesting" behavior patterns have been added to the title, and new tabs have appeared in the full report containing the analysis of the file's behavior: which files it opens, which URLs it visits, which registry keys it changes, which processes it launches, and so on.

It turns out that VirusTotal runs uploaded applications in multiple virtual machines / sandboxes (aka multisandboxing) to determine details of their behavior. In particular, the file we uploaded was run in C2AE, in the Sysinternals Sysmon tool, and in VirusTotal's own sandbox, Jujubox.

This feature has existed in VirusTotal since 2012, when the first sandbox (a clone of an existing one) was introduced; further additions followed in 2017 and in 2019.

It is not hard to figure out that EurekaLog's report is a result of executing the uploaded file in one of these sandboxes (presumably - Jujubox). Now getting a "sudden" report does not seem so surprising anymore.
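A triage heuristic for such a report, added here as an example that is not part of the original post or of EurekaLog: it scores a constructed EurekaLog-style report excerpt against the tells the post lists (random-letter executable, user and computer names, a bare process list, an unexpected loaded module) so a developer can tell a sandbox-originated report from a real crash in the field. The field names, the expected-DLL set and the thresholds are assumptions.

```python
import re

# Constructed EurekaLog-style report excerpts (not real reports); the field
# layout and values are assumptions modelled on what the post describes.
SANDBOX_REPORT = """\
Executable : C:\\Users\\hdmbktq\\qwzrkplm.exe
User name  : hdmbktq
Computer   : VXKQZTR
Modules    : qwzrkplm.exe, ntdll.dll, kernel32.dll, pancore.dll
Processes  : qwzrkplm.exe, explorer.exe
"""
NORMAL_REPORT = """\
Executable : C:\\Program Files\\MyApp\\MyApp.exe
User name  : alice
Computer   : ALICE-PC
Modules    : MyApp.exe, ntdll.dll, kernel32.dll, user32.dll
Processes  : MyApp.exe, explorer.exe, chrome.exe, outlook.exe, teams.exe, svchost.exe
"""
# DLLs the shipped application is expected to load (assumed baseline).
EXPECTED_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll"}

def parse_report(text):
    """Split 'Key : value' lines into a dict; module/process fields become lists."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        fields[key] = [v.strip() for v in value.split(",")] if key in ("modules", "processes") else value.strip()
    return fields

def looks_random(name):
    """Heuristic: a vowel-free alphabetic string of 6+ letters reads as a generated name."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    return len(letters) >= 6 and not re.search(r"[aeiouy]", letters, re.I)

def sandbox_indicators(report_text, expected_dlls=EXPECTED_DLLS, max_bare_processes=3):
    """Return the tells found in the report and a verdict (3+ tells => probable sandbox run)."""
    r = parse_report(report_text)
    exe = r["executable"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if looks_random(exe): reasons.append("executable renamed to random letters")
    if looks_random(r["user name"]): reasons.append("random user name")
    if looks_random(r["computer"]): reasons.append("random computer name")
    if len(r["processes"]) <= max_bare_processes: reasons.append("bare machine: few processes")
    unexpected = sorted(m.lower() for m in r["modules"] if m.lower().endswith(".dll") and m.lower() not in expected_dlls)
    if unexpected: reasons.append("unexpected modules: " + ", ".join(unexpected))
    return {"probable_sandbox": len(reasons) >= 3, "reasons": reasons}
```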