Hunting

Hunting for other samples is an important step in malware analysis. Now that we have a general idea of the sample, let's continue our research to see if we can find other samples that are identical or similar to the first one.

Finding new samples can give you an understanding of the type of victims being targeted and of the Tactics, Techniques, and Procedures (TTPs) the malicious actors are using.

Without further ado, let's get into it! Pithus offers different tools to run hunts. Let's check what we have based on the current sample.

Search by similarity

In the Fingerprints tab, scroll down to the ssdeep and Dexofuzzy results. Both are fuzzy hashes: ssdeep is computed over the whole file, while Dexofuzzy is computed over the DEX code, so it can match samples that were repackaged with different resources or signatures.

Clicking the little magnifying glass next to either hash searches Pithus for samples with a similar hash. At the time this room was created, this search returned no results for our sample.

Search by identified names

In the Threat Intel tab, scroll down to Most Popular AV Detections. Sometimes samples are quite unique and are not easily detected. However, Anti-Virus companies use their knowledge of previous campaigns to identify specific patterns in samples and give them a family name. Thanks to this, we can search Pithus for samples carrying a specific malware or group name.

Check the questions before moving on.

Based on the threat names, we could gain an idea of who the threat actor might be based on pre-existing research or the type of sample that we are analyzing. Take some time to research "Finspy" to get acquainted with this actor.

Search by Yara rules

For the moment, Yara searches are only available for registered users. If you have a GitHub account, you can use it to sign in to Pithus. After that, you will see "My Hunting" in the top bar.

In this section, you will be able to add your own Yara rules to look for other samples. Pithus also lets you retroactively run a rule against samples that were uploaded before you created it. Rules can be private or public; in the case of public rules, anyone using the platform will be able to see and use them, so do not put detection logic you consider sensitive into a public rule.

Important: Pithus only supports vanilla Yara for the moment. If your rule imports a module (for example the androguard, pe or hash modules), it will not work; stick to strings, hex patterns and the built-in condition functions such as uint32().

You might have already noticed that our samples have Yara matches if you look into the Threat Intelligence section.

The rules used are public and can be found on this GitHub page.

Keep in mind when writing Yara rules for APKs that you can always check the file's magic bytes: uint32(0) == 0x04034b50, so your rule will only match ZIP containers (an APK is a ZIP archive, so this narrows the search to ZIP files rather than to APKs specifically). This is not important when using Pithus, which only holds APKs, but it is good to know if you use your rules on VirusTotal or other platforms where the same rule would otherwise be run against every file type.
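The following added example (not code from the Pithus page or project) shows what that condition actually tests. YARA's uint32(0) reads the first four bytes of the file as an unsigned little-endian integer, so 0x04034b50 corresponds to the bytes 50 4B 03 04 ("PK\x03\x04"), the ZIP local file header signature. The script embeds a constructed rule, emulates its condition in Python, and runs it against a few constructed inputs, including two edge cases worth knowing: a plain ZIP that is not an APK (magic matches, entry names do not), and an empty ZIP archive, which starts with the end-of-central-directory signature instead and therefore does not match the magic check at all. The rule name, the helper names and all sample files are assumptions made for this example.

```python
import io
import struct
import zipfile

# Constructed example rule (not one of the rules Pithus ships). The magic check
# restricts the rule to ZIP containers; the two entry names narrow it to APK-like
# archives, since every APK carries an AndroidManifest.xml and a classes.dex.
APK_RULE = r"""
rule apk_container_example
{
    meta:
        description = "Constructed example: ZIP/APK containers carrying a DEX and a manifest"
    strings:
        $dex = "classes.dex"
        $manifest = "AndroidManifest.xml"
    condition:
        uint32(0) == 0x04034b50 and $dex and $manifest
}
"""

ZIP_LOCAL_FILE_HEADER = 0x04034B50  # bytes 50 4B 03 04, i.e. b"PK\x03\x04"


def yara_uint32(data: bytes, offset: int = 0) -> int:
    """Emulate YARA's uint32(offset): an unsigned 32-bit little-endian read.

    Returns -1 when the read would run past the end of the data, which makes the
    comparison in the condition fail just as it would in YARA.
    """
    if len(data) < offset + 4:
        return -1
    return struct.unpack_from("<I", data, offset)[0]


def is_zip_container(data: bytes) -> bool:
    """The `uint32(0) == 0x04034b50` part of the condition."""
    return yara_uint32(data, 0) == ZIP_LOCAL_FILE_HEADER


def matches_apk_rule(data: bytes) -> bool:
    """The full condition of APK_RULE: magic check plus both strings present.

    The entry names appear as raw bytes in the ZIP local and central headers,
    which is why a plain string match on the file works here.
    """
    return (
        is_zip_container(data)
        and b"classes.dex" in data
        and b"AndroidManifest.xml" in data
    )


def build_sample_zip(entry_names) -> bytes:
    """Constructed test input: an in-memory ZIP with the given (empty) entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples used below; none of them is a real malware file.
FAKE_APK = build_sample_zip(["AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF"])
PLAIN_ZIP = build_sample_zip(["readme.txt"])
EMPTY_ZIP = build_sample_zip([])          # only an end-of-central-directory record: "PK\x05\x06"
NOT_ZIP = b"\x7fELF" + b"\x00" * 60       # an ELF-like header, to show a non-ZIP input


def classify(data: bytes) -> str:
    """Human-readable verdict, mirroring what the rule would report."""
    if matches_apk_rule(data):
        return "apk-like zip"
    if is_zip_container(data):
        return "zip, not apk-like"
    return "not a zip (or empty archive)"


if __name__ == "__main__":
    for label, blob in [("fake apk", FAKE_APK), ("plain zip", PLAIN_ZIP),
                        ("empty zip", EMPTY_ZIP), ("elf", NOT_ZIP)]:
        print(f"{label:10s} first4={blob[:4]!r:18s} -> {classify(blob)}")
```

Note the empty-archive case: a ZIP with no entries has no local file header, so `uint32(0) == 0x04034b50` is false even though the file is a valid ZIP. That is harmless for APK hunting (an APK always has entries) but is the kind of corner a magic-byte check silently misses.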

Let's look at the search feature that Pithus offers!

On the home page of Pithus, there is a query field.

Clicking the ? icon next to it brings up the documentation for the query syntax, including the fields and operators used below.

Here are some tricks:

  • You can list all samples available in Pithus with this search: * (Note that results are paginated, so not all samples will be shown at once.)

  • You can combine conditions with and. For example, to list every file that has at least one detection on VirusTotal: * and vt > 0

  • Sometimes a search yields few results. You can widen it with the * wildcard inside a field value, so that partial names match. For example: threat_name:*finspy*
