Supplementary material for the paper "MAD-Agent: A Malware Analysis and Detection AI agent"

Dataset

The list of files that were selected from the MOTIF dataset can be found here: https://github.com/gxenos/malware-analysis-ai-agent/blob/main/motif_unique_reports.csv

Full list of tools

General analysis tools

1. get_file_hash
2. extract_strings
3. extract_pe_strings
4. calculate_entropy
5. analyze_with_capa

The implementation can be found here: https://github.com/gxenos/malware-analysis-ai-agent/blob/main/general_analysis_mcp_server.py

Sandbox tools

1. search_by_hash
2. get_report_details

The implementation is based on HybridAnalysis can be found here: https://gist.github.com/gxenos/29d41c18e6245e7c52b2702d7719b2b8

VirusTotal tools

The implementation can be found here: https://github.com/emeryray2002/virustotal-mcp

The Advanced Search Tool was not employed in the paper.

MITRE tools

The implementation can be found here: https://github.com/Montimage/mitre-mcp/

Example output

*   **File Hash (MD5):** 012f79570f720b997b9ef4ef327dd2da
*   **File Type:** Win32 EXE, .NET assembly.
*   **Compiler:** VB.NET, .NET (v2.0.50727), Microsoft Linker.
*   **Packer:** PEiD detected as ".NET executable".
*   *Note: Direct static analysis (entropy, detailed strings, capa analysis) could not be performed due to limitations in accessing the local file path. Information regarding file type, compiler, and packer is derived from the VirusTotal report.*

1b. Virus total results
*   **Detection Rate:** 56/75 (74.6%) antivirus engines detected this file as malicious.
*   **Popular Threat Classification:** Classified as `trojan`, `downloader`, `pua`. Suggested label: `trojan.bulz/msil`.
*   **File Information:**
    *   Meaningful Name: `pcchekapp.exe`
    *   Other Names: `pcchekapp.exe`, `1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce`, `1.exe`
    *   SHA1: `bad12e9c0b759d4653b4b24ef0b90b035efc019d`
    *   SHA256: `1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce`
    *   Size: 39424 bytes
    *   First Seen: September 15, 2016
    *   Last Seen: November 27, 2021
*   **Behavioral Info (from VirusTotal summary):** No specific autostart locations or available tools were listed directly in the summary.
*   **Relationships (summary):** Contacted 5 domains, 5 IPs, 5 URLs, and dropped 5 files.
*   **Sandbox Verdicts:** Lastline and Yomi Hunter reported it as malicious.
*   **Tags:** `direct-cpu-clock-access`, `spreader`, `malware`, `assembly`, `peexe`, `runtime-modules`, `detect-debug-environment`.

1c. Sandbox results
*   **Analysis Verdict:** Malicious (Hybrid Analysis threat score: 100).
*   **Environment:** Windows 7 32 bit.
*   **Processes:**
    *   `1c550dc73b7a39b0cd21d3de7e6c26ece156253ac96f032efc0e7fcc6bc872ce.exe` (main process, detected by AV as Gen:Variant.MSILPerseus)
    *   `csc.exe` (C# compiler, spawned by the main process)
    *   `cvtres.exe` (Microsoft Resource Converter, spawned by `csc.exe`)
*   **Network Activity:**
    *   Contacts domains: `checkip.dyndns.org`, `service.chrome-up.date`, `service.chrome-up.date:8080`.
    *   Contacts IPs: `162.88.193.70`, `58.158.177.102`.
    *   Performs GET requests to `checkip.dyndns.org` to identify its external IP address.
    *   Performs POST requests to `service.chrome-up.date:8080` (likely command and control communication).
    *   Uses network protocols on unusual ports (port 8080).
    *   Sends TCP traffic to `162.88.193.70` on port 80 and `58.158.177.102` on port 8080 without HTTP headers, indicating non-standard communication.
    *   Uses a User Agent typical for browsers (`Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 2.0.50727.8762)`) without launching a browser.
*   **File System Modifications:**
    *   Creates writable files in temporary directories (`%TEMP%`): `kzdvgwte.tmp`, `kzdvgwte.0.cs`, `kzdvgwte.dll`, `kzdvgwte.cmdline`, `kzdvgwte.out`, `kzdvgwte.err`, `CSCB685.tmp`, `RESB686.tmp`.
    *   Drops executable files: `kzdvgwte.dll` (PE32 DLL) and `RESB686.tmp` (80386 COFF executable).
    *   Marks several temporary files for deletion.
    *   Touches files in the Windows directory (e.g., `.NET Framework` related files, font files).
    *   Opens files with deletion access rights in the temporary directory and .NET configuration files.
*   **Registry Modifications:**
    *   Creates or modifies Windows services (specifically `HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS`).
    *   Modifies file/console tracing settings (`HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32`) which can be used to hide footprints.
    *   Reads cryptographic machine GUID and active computer name for environment awareness.
    *   Reads information about supported languages.
*   **Other Noteworthy Behaviors:**
    *   Creates mutants.
    *   Spawns new processes.
    *   Contains PDB pathways, suggesting it might be a development build.
    *   Loads the .NET runtime environment.
    *   Opens the Kernel Security Device Driver (KsecDD).
    *   Opened the service control manager.
    *   Installs hooks/patches the running process (Process Injection).
    *   Queries kernel debugger information (anti-debugging).
    *   Creates guarded memory regions (anti-debugging).
    *   Tries to sleep for a long time (anti-sandbox/anti-analysis technique).
    *   Writes data to a remote process and allocates virtual memory in a remote process (Process Injection).
    *   Uses YARA signature match for detection.

1d. Mitre results
The sandbox analysis identified the following MITRE ATT&CK techniques:
*   **Execution:**
    *   T1035: Service Execution (suspicious)
*   **Persistence:**
    *   T1215: Kernel Modules and Extensions (informative)
    *   T1179: Hooking (suspicious)
*   **Privilege Escalation:**
    *   T1055: Process Injection (malicious)
    *   T1179: Hooking (suspicious)
*   **Defense Evasion:**
    *   T1107: File Deletion (suspicious)
    *   T1055: Process Injection (malicious)
    *   T1045: Software Packing (informative)
    *   T1112: Modify Registry (malicious)
*   **Credential Access:**
    *   T1179: Hooking (suspicious)
*   **Discovery:**
    *   T1046: Network Service Scanning (suspicious)
    *   T1012: Query Registry (suspicious)
*   **Command and Control:**
    *   T1065: Uncommon Port (malicious)

2. List of IOCs
*   **Filenames and locations of files:**
    *   `%TEMP%\kzdvgwte.dll`
    *   `%TEMP%\RESB686.tmp`
    *   `%TEMP%\kzdvgwte.tmp`
    *   `%TEMP%\kzdvgwte.0.cs`
    *   `%TEMP%\kzdvgwte.cmdline`
    *   `%TEMP%\kzdvgwte.out`
    *   `%TEMP%\kzdvgwte.err`
    *   `%TEMP%\CSCB685.tmp`
*   **IPs:**
    *   `162.88.193.70`
    *   `58.158.177.102`
*   **Hostnames:**
    *   `checkip.dyndns.org`
    *   `service.chrome-up.date`
*   **Windows HKEYs:**
    *   `HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS`
    *   `HKLM\SOFTWARE\MICROSOFT\TRACING\RASAPI32`
*   **Potentially related file hashes:**
    *   `db3210748eaba514eb5cc18d5df735f7b3e07e7aefd4388d810f8046c6ffbdcb` (SHA256 for CSCB685.tmp)
    *   `906f3ac13592557c6b9f1e949dd5cf6d87e032ef9902ed43da4b30c988c267cd` (SHA256 for RESB686.tmp)
    *   `0eac6cda3f707a028c5bc885a049155b5fd7143b9b1a74c71ded60c85b7ef3d8` (SHA256 for kzdvgwte.cmdline)
    *   `97e546742f7462f3f5c69ba769a2cb28ec57f7cfab411abc5274bb53ec3b4bda` (SHA256 for kzdvgwte.0.cs)
    *   `7e1b6be3d8f6d89dccda50172bbd6d420265e977417f62deadbc5081bfa00661` (SHA256 for kzdvgwte.dll)
    *   `efdd389041423dce4db94a4a0363d2500d76ecbbedfe83d8135017a965f83b5b` (SHA256 for kzdvgwte.out)
    *   `729aa4033009ac894c1ef2a57dfd097be5d562dda70533820540904c2ef7882a` (SHA256 for csc.exe)
    *   `c97f276b4c70682c8f8d39b91e30f938bc6e86a42cd6b71e3ad08092dba528e9` (SHA256 for cvtres.exe)

3. Classification: Malicious

4. Description
The file is a malicious Windows executable, likely a Trojan or Downloader, written in .NET. Its primary goal appears to be establishing persistence and communicating with a command and control (C2) server. It attempts to identify its external IP address and sends data to a remote server over a non-standard port (8080), suggesting C2 communication. The malware employs anti-analysis techniques such as querying kernel debugger information, creating guarded memory regions, and sleeping for extended periods to evade detection by sandboxes and analysts. It also modifies registry settings related to service control and tracing to maintain persistence and hide its activities. The sample drops additional executable files (`.dll` and `.tmp` files) in temporary directories, which are then used in its operations, indicating a multi-stage infection or component-based functionality. Furthermore, it performs process injection by writing data and allocating memory in remote processes, a common technique for privilege escalation and defense evasion. The use of a browser-like User-Agent without an actual browser indicates an attempt to mimic legitimate network traffic.

5. Family: Bulz.Generic / MSIL

6. MITRE
*   **Execution**
    *   T1035: Service Execution
*   **Persistence**
    *   T1215: Kernel Modules and Extensions
    *   T1179: Hooking
*   **Privilege Escalation**
    *   T1055: Process Injection
    *   T1179: Hooking
*   **Defense Evasion**
    *   T1107: File Deletion
    *   T1055: Process Injection
    *   T1045: Software Packing
    *   T1112: Modify Registry
*   **Credential Access**
    *   T1179: Hooking
*   **Discovery**
    *   T1046: Network Service Scanning
    *   T1012: Query Registry
*   **Command and Control**
    *   T1065: Uncommon Port