Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available for members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement, and InfraGard to provide analysis on submitted malware. I said that I would provide a detailed write-up, regarding how useful the tool is, and how it helps me analyze found malware. I am happy to do that for you here; here is my review of Malware Investigator.
I submitted 3 malware samples, that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only setup to run w32 (windows) binaries, and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT, and the other two, later in the day, approx. 4:30 PM MDT.
As I am writing this post, on 4/23, at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. To me, since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox, and provide a report. However, at 3 days, and still going, I think this sort of analysis is taking far too long, for the service to be useful for malware hunters out there.
Depending on the output, and if it ever completes, I may, or may not provide a follow-up to this article, detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.
The positive analysis of the files (just one included here) is that it does provide some initial decent details; however, what I’m really curious about, is attribution and correlation that the FBI provides me with (if any).
MD5 | a040d77fc5e0db8d0cc9d276bf91d941 | ||
SHA-1 | 0e09104957c296cb07dc2c1c455366bb672ebe5a | ||
SHA-256 | ede69575920048000b817797568c66bba98c595c8b9be15ed958108a340e9155 | ||
SSDeep |
|
||
Filetype | ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped | ||
Filesize | 155916 bytes |
Findings | Count |
---|---|
Number of network connections attempted |
0
|
Number of registry keys read or modified |
0
|
Number of times identified as a virus | 0 |
Number of total global results | 20 |
- START EXECUTABLE INFORMATION
- ELF 32-bit MSB executable, MIPS, MIPS32 rel2 version 1 (SYSV), statically linked, stripped
- Section Name::
- Section Size::0
- Section Entropy::0.0
- Section Address::0
- Section Name:: .reginfo
- Section Size::24
- Section Entropy::1.45751874964
- Section Address::180
- Section Name:: .init
- Section Size::72
- Section Entropy::3.85408114471
- Section Address::204
- Section Name:: .text
- Section Size::128256
- Section Entropy::5.32139016311
- Section Address::288
- Section Name:: .fini
- Section Size::56
- Section Entropy::4.04831173795
- Section Address::128544
- Section Name:: .rodata
- Section Size::8384
- Section Entropy::5.31281073768
- Section Address::128608
- Section Name:: .eh_frame
- Section Size::4
- Section Entropy::0.0
- Section Address::136992
- Section Name:: .ctors
- Section Size::8
- Section Entropy::1.0
- Section Address::136996
- Section Name:: .dtors
- Section Size::8
- Section Entropy::1.0
- Section Address::137004
- Section Name:: .jcr
- Section Size::4
- Section Entropy::0.0
- Section Address::137012
- Section Name:: .data
- Section Size::912
- Section Entropy::2.98220118003
- Section Address::137024
- Section Name:: .got
- Section Size::1076
- Section Entropy::4.81891630417
- Section Address::137936
- Section Name:: .sdata
- Section Size::4
- Section Entropy::0.0
- Section Address::139012
- Section Name:: .sbss
- Section Size::192
- Section Entropy::3.53164822707
- Section Address::139016
- Section Name:: .bss
- Section Size::113720
- Section Entropy::3.41164157881
- Section Address::139016
- Section Name:: .comment
- Section Size::4446
- Section Entropy::3.50703035708
- Section Address::139016
- Section Name:: .gnu.attributes
- Section Size::16
- Section Entropy::2.7717822216
- Section Address::143462
- Section Name:: .mdebug.abi32
- Section Size::0
- Section Entropy::0.0
- Section Address::143478
- Section Name:: .pdr
- Section Size::11488
- Section Entropy::2.43542578362
- Section Address::143480
- Section Name:: .shstrtab
- Section Size::148
- Section Entropy::4.05547000495
- Section Address::154968
- END EXECUTABLE INFORMATION