Systems and methods for automated malware artifact retrieval and analysis
Abstract
An automated malware analysis method is disclosed which comprises receiving a first universal resource locator identifying a first intermediate network node, accessing the first intermediate network node to retrieve a first malware artifact file, storing the malware artifact file in a data storage device, analyzing the malware artifact file to identify a second universal resource locator within the malware artifact file, and accessing a second intermediate network node to retrieve a second malware artifact file.
68 Citations
20 Claims
1. A computerized method for automatically processing a plurality of files, comprising:
receiving user input comprising a universal resource locator, the universal resource locator identifying a malware artifact file at a command and control node;
retrieving the malware artifact file stored at the command and control node;
determining whether the malware artifact file is at least partially obfuscated;
decoding the malware artifact file to reverse at least one obfuscating transformation if the malware artifact file is at least partially obfuscated;
storing the malware artifact file in an electronic data store; and
analyzing the malware artifact file retrieved from the command and control node at an analyzer device separate from the command and control node and a victim computing device to determine whether it contains a command stored therein, the command being exchanged between an attacker computing device and the victim computing device.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
13. A computerized method for automatically processing a plurality of files, comprising:
receiving, from an electronic universal resource locator store, a universal resource locator identifying a command and control node;
receiving, from a user, a fetch schedule identifying a monitoring schedule for attempting to access a malware artifact file at the command and control node;
repeatedly accessing the command and control node according to the fetch schedule and attempting to retrieve the malware artifact file available at the universal resource locator;
determining whether the malware artifact file is at least partially obfuscated;
decoding the malware artifact file to reverse at least one obfuscating transformation if the malware artifact file is at least partially obfuscated;
storing the malware artifact file in an electronic data store; and
analyzing the malware artifact file retrieved from the command and control node at an analyzer device separate from the command and control node and a victim computing device to determine whether it contains a command stored therein, the command being exchanged between an attacker computing device and the victim computing device.
View Dependent Claims (14)
15. An electronic framework for automatically processing a plurality of files, comprising:
an electronic data store configured to store an identification of a first universal resource locator corresponding to a target resource object at a first command and control node, wherein the first target resource object contains at least one command stored therein, the command being exchanged between an attacker computing device and a victim computing device;
a task manager configured to:
insert into a queue a request for a fetch attempt for the target resource object at the first command and control node; and
automatically execute the fetch attempt for the target resource object at the first command and control node; and
a processor module configured to:
store a fetched target resource object in the electronic data store;
determine whether the target resource object is at least partially obfuscated;
decode the target resource object to reverse at least one obfuscating transformation if the target resource object is at least partially obfuscated;
store the target resource object in the electronic data store; and
analyze the decoded target resource object at an analyzer device separate from the command and control node and the victim computing device to determine if a new universal resource locator is identified in the fetched target resource object.
View Dependent Claims (16, 17)
18. A non-transitory computer readable storage medium comprising code executable by a processor for performing a method, the method comprising:
receiving user input comprising a universal resource locator, the universal resource locator identifying a malware artifact file at a command and control node;
retrieving the malware artifact file stored at the command and control node;
determining whether the malware artifact file is at least partially obfuscated;
decoding the malware artifact file to reverse at least one obfuscating transformation if the malware artifact file is at least partially obfuscated;
storing the malware artifact file in an electronic data store;
interpreting the decoded malware artifact file at an analyzer device separate from the command and control node and a victim computing device to determine whether it contains stored therein:
a) a command being exchanged between an attacker and the victim computing device, wherein the command is a command to malware to perform a function;
or b) a command being exchanged between an attacker and the victim computing device, wherein the command is a command to the victim computing device to perform a function;
or c) a data file containing exfiltrated data;
or d) a universal resource locator;
storing the decoded malware artifact file in an electronic data store; and
executing a next instruction based on the interpretation of the decoded malware artifact file.
View Dependent Claims (19, 20)