Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease.
1. Interactivity
Being able to interact with the malware and the system in real time is a great advantage in dynamic analysis. You can not only observe the sample's execution but also see how it responds to your inputs and trigger specific behaviors.
Plus, it saves time by allowing you to download samples hosted on file-sharing websites or open those packed inside an archive, which is a common way to deliver payloads to victims.
The initial phishing email containing the malicious PDF and password for the archive
Check out this sandbox session in the ANY.RUN sandbox that shows how interactivity is used for analyzing the entire chain of attack, starting from a phishing email that contains a PDF attachment. The link inside the .pdf leads to a file-sharing website where a password-protected .zip is hosted.
The website hosting the .zip file
The sandbox allows us not only to download the archive but also to enter the password (which can be found in the email) and extract its contents to run the malicious payload.
You can manually enter a password to open protected archives in ANY.RUN
After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims' machines and steal sensitive data.
ANY.RUN provides a conclusive verdict on every sample
It adds corresponding tags to the interface and generates a report on the threat.
2. Extraction of IOCs
Collecting relevant indicators of compromise (IOCs) is one of the main objectives of dynamic analysis. Detonating malware in a live environment forces it to expose its C2 server addresses, encryption keys, and other settings that ensure its functionality and communication with the attackers.
Although such data is often protected and obfuscated by malware developers, some sandbox solutions are equipped with advanced IOC collecting capabilities, making it easy to identify the malicious infrastructure.
As part of each analysis session in ANY.RUN, you get a comprehensive IOC report
In ANY.RUN, you can quickly gather a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS requests, and more.
AsyncRAT sample configuration extracted by the ANY.RUN sandbox
The ANY.RUN sandbox goes one step further by not only presenting a list of relevant indicators collected during the analysis session but also extracting configurations for dozens of popular malware families. See an example of a malware configuration in the following sandbox session.
Such configs are the most reliable source of actionable IOCs that you can utilize with no hesitation to enhance your detection systems and improve the effectiveness of your overall security measures.
3. MITRE ATT&CK Mapping
Preventing potential attacks on your infrastructure is not just about proactively finding IOCs used by attackers. A more lasting method is to understand the tactics, techniques, and procedures (TTPs) employed in malware currently targeting your industry.
The MITRE ATT&CK framework helps you map these TTPs to let you see what the malware is doing and how it fits into the bigger threat picture. By understanding TTPs, you can build stronger defenses tailored to your organization and stop attackers at the doorstep.
TTPs of an AgentTesla malware sample analyzed in the ANY.RUN sandbox
See the following analysis of AgentTesla. The service registers all the main TTPs used in the attack and presents detailed descriptions for each of them.
All that's left to do is take into consideration this important threat intelligence and use it to strengthen your security mechanisms.
4. Network Traffic Analysis
Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware.
Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware's communication with external servers, the type of data being exchanged, and any malicious activities.
Network traffic analysis in the ANY.RUN sandbox
The ANY.RUN sandbox captures all network traffic and lets you view both received and sent packets in the HEX and text formats.
Suricata rule that detects AgentTesla's data exfiltration activity
Apart from simply recording the traffic, it is vital that the sandbox automatically detects harmful actions. To this end, ANY.RUN uses Suricata IDS rules that scan the network activity and provide notifications about threats.
You can also export data in PCAP format for detailed analysis using tools like Wireshark.
5. Advanced Process Analysis
To understand the malware's execution flow and its impact on the system, you need to have access to detailed information about the processes spawned by it. To assist you in this, your sandbox of choice must provide advanced process analysis that covers several areas.
Visual graph in the ANY.RUN sandbox showing AsyncRAT malware's execution
For instance, visualizing the process tree in the ANY.RUN sandbox makes it easier to track the sequence of process creation and termination and to identify the key processes that are critical for the malware's operation.
ANY.RUN sandbox notifies you about files with untrusted certificates
You also need to be able to verify the authenticity of the process by taking a look at its certificate details, including the issuer, status, and validity.
Process dump of the XWorm malware available for download in ANY.RUN
Another useful feature is process dumps, which may contain vital information, such as encryption keys used by the malware. An effective sandbox will let you easily download these dumps to conduct further forensic analysis.
ANY.RUN displays detailed breakdowns of PowerShell, JavaScript, and VBScript scripts
One of the recent trends in cyber attacks is the use of fileless malware, which executes only in memory. To catch it, you need to have access to the scripts and commands being run during the infection process.
Files encrypted by the LockBit ransomware during analysis in the ANY.RUN sandbox
Tracking file creation, modification, and deletion events is another essential part of any investigation into malware's activities. It can help you reveal if a process is attempting to drop or modify files in sensitive areas, such as system directories or startup folders.
Example of XWorm using the Run registry key to achieve persistence
Monitoring registry changes made by the process is crucial for understanding the malware's persistence mechanisms. The Windows Registry is a common target for malware seeking persistence, as it can be used to run malicious code on startup or alter system behavior.
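The file and registry monitoring described above can be turned into a simple triage check. The following is an added example, not ANY.RUN's code or output: it flags writes to Run/RunOnce keys and Startup folders in a list of process events and tags them with ATT&CK technique T1547.001. The event field names (pid, image, type, target, data) and the sample events are assumptions constructed for illustration.

```python
import re

# Autostart locations covered by ATT&CK T1547.001 (Registry Run Keys / Startup Folder).
RUN_KEY = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)
STARTUP_DIR = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)
# Paths a standard user can write to; payloads launched from here deserve priority.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)

def find_persistence(events):
    """Return one finding per event that touches an autostart location."""
    findings = []
    for ev in events:
        if ev["type"] == "reg_set" and RUN_KEY.match(ev["target"]):
            location, payload = "run_key", ev.get("data", "")
        elif ev["type"] == "file_create" and STARTUP_DIR.search(ev["target"]):
            # The dropped file's content is unknown here, so judge the writer instead.
            location, payload = "startup_folder", ev["image"]
        else:
            continue
        findings.append({
            "pid": ev["pid"], "location": location, "target": ev["target"],
            "technique": "T1547.001",
            "priority": "high" if USER_WRITABLE.search(payload) else "review",
        })
    return findings

# Constructed sample events with hypothetical field names (not from a real report).
DROPPER = r"C:\Users\admin\AppData\Local\Temp\invoice.exe"
RUN = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": DROPPER, "type": "reg_set",
     "target": "HKCU" + RUN + r"\Updater", "data": r"C:\Users\admin\AppData\Roaming\updater.exe"},
    {"pid": 4120, "image": DROPPER, "type": "file_create",
     "target": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"pid": 900, "image": r"C:\Program Files\Vendor\setup.exe", "type": "reg_set",
     "target": "HKLM" + RUN + r"\VendorTray", "data": r'"C:\Program Files\Vendor\tray.exe"'},
    {"pid": 4120, "image": DROPPER, "type": "file_create",
     "target": r"C:\Users\admin\AppData\Local\Temp\log.txt"},
    {"pid": 4120, "image": DROPPER, "type": "reg_set", "data": "1",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_EVENTS):
        print(f["priority"], f["pid"], f["location"], f["target"])
```

Autostart entries written by installers from Program Files come back as "review" rather than "high", so legitimate software does not drown out the entries that launch from user-writable paths.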
Analyze Malware and Phishing Threats in ANY.RUN Sandbox
ANY.RUN provides a cloud sandbox for malware and phishing analysis that delivers fast and accurate results to streamline your investigations. Thanks to interactivity, you can freely engage with the files and URLs you submit, as well as with the system, to explore the threat in depth.
You can integrate ANY.RUN's advanced sandbox with features like Windows and Linux VMs, private mode, and teamwork in your organization.
This article is a contributed piece from one of our valued partners.