Dynamic Malware Analysis

Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five sandbox features will help you achieve it with ease.

1. Interactivity

Having the ability to interact with the malware and the system in real-time is a great advantage when it comes to dynamic analysis. This way, you can not only observe its execution but also see how it responds to your inputs and triggers specific behaviors.

Plus, it saves time by allowing you to download samples hosted on file-sharing websites or open those packed inside an archive, which is a common way to deliver payloads to victims.

[Figure: The initial phishing email containing the malicious PDF and the password for the archive]

Check out this session in the ANY.RUN sandbox, which shows how interactivity is used to analyze the entire attack chain, starting from a phishing email that contains a PDF attachment. The link inside the .pdf leads to a file-sharing website where a password-protected .zip is hosted.

[Figure: The website hosting the .zip file]

The sandbox allows us not only to download the archive but also to enter the password (which can be found in the email) and extract its contents to run the malicious payload.

[Figure: You can manually enter a password to open protected archives in ANY.RUN]

After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims’ machines and steal sensitive data.

[Figure: ANY.RUN provides a conclusive verdict on every sample]

It adds corresponding tags to the interface and generates a report on the threat.

Analyze files and URLs in a private, real-time environment of the ANY.RUN sandbox.

Get a 14-day free trial of the sandbox to test its capabilities.

2. Extraction of IOCs

Collecting relevant indicators of compromise (IOCs) is one of the main objectives of dynamic analysis. Detonating malware in a live environment forces it to expose its C2 server addresses, encryption keys, and other settings that ensure its functionality and communication with the attackers.

Although such data is often protected and obfuscated by malware developers, some sandbox solutions are equipped with advanced IOC collecting capabilities, making it easy to identify the malicious infrastructure.

[Figure: As part of each analysis session in ANY.RUN, you get a comprehensive IOC report]

In ANY.RUN, you can quickly gather a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS requests, and more.

[Figure: AsyncRAT sample configuration extracted by the ANY.RUN sandbox]

The ANY.RUN sandbox goes one step further by not only presenting a list of relevant indicators collected during the analysis session but also extracting configurations for dozens of popular malware families. See an example of a malware configuration in the following sandbox session.

Such configs are the most reliable source of actionable IOCs that you can utilize with no hesitation to enhance your detection systems and improve the effectiveness of your overall security measures.

3. MITRE ATT&CK Mapping

Preventing potential attacks on your infrastructure is not just about proactively finding IOCs used by attackers. A more lasting method is to understand the tactics, techniques, and procedures (TTPs) employed in malware currently targeting your industry.

The MITRE ATT&CK framework helps you map these TTPs to let you see what the malware is doing and how it fits into the bigger threat picture. By understanding TTPs, you can build stronger defenses tailored to your organization and stop attackers at the doorstep.

[Figure: TTPs of an AgentTesla malware sample analyzed in the ANY.RUN sandbox]

See the following analysis of AgentTesla. The service registers all the main TTPs used in the attack and presents detailed descriptions for each of them.

All that’s left is to take this threat intelligence into account and use it to strengthen your security mechanisms.

4. Network Traffic Analysis

Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware.

Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware’s communication with external servers, the type of data being exchanged, and any malicious activities.

[Figure: Network traffic analysis in the ANY.RUN sandbox]

The ANY.RUN sandbox captures all network traffic and lets you view both received and sent packets in HEX and text formats.

[Figure: Suricata rule that detects AgentTesla’s data exfiltration activity]

Apart from simply recording the traffic, it is vital that the sandbox automatically detects harmful actions. To this end, ANY.RUN uses Suricata IDS rules that scan the network activity and provide notifications about threats.

You can also export data in PCAP format for detailed analysis using tools like Wireshark.

Try ANY.RUN’s advanced network traffic analysis with a 14-day free trial.

5. Advanced Process Analysis

To understand the malware’s execution flow and its impact on the system, you need to have access to detailed information about the processes spawned by it. To assist you in this, your sandbox of choice must provide advanced process analysis that covers several areas.

[Figure: Visual graph in the ANY.RUN sandbox showing AsyncRAT malware’s execution]

For instance, visualizing the process tree in the ANY.RUN sandbox makes it easier to track the sequence of process creation and termination and to identify the key processes that are critical to the malware’s operation.

[Figure: ANY.RUN sandbox notifies you about files with untrusted certificates]

You also need to be able to verify the authenticity of the process by taking a look at its certificate details, including the issuer, status, and validity.

[Figure: Process dump of the XWorm malware available for download in ANY.RUN]

Another useful feature is process dumps, which may contain vital information, such as encryption keys used by the malware. An effective sandbox will let you easily download these dumps to conduct further forensic analysis.

[Figure: ANY.RUN displays detailed breakdowns of PowerShell, JavaScript, and VBScript scripts]

One of the recent trends in cyber attacks is the use of fileless malware, which executes only in memory. To catch it, you need access to the scripts and commands being run during the infection process.

[Figure: Files encrypted by the LockBit ransomware during analysis in the ANY.RUN sandbox]

Tracking file creation, modification, and deletion events is another essential part of any investigation into malware’s activities. It can help you reveal if a process is attempting to drop or modify files in sensitive areas, such as system directories or startup folders.

[Figure: Example of XWorm using the Run registry key to achieve persistence]

Monitoring registry changes made by the process is crucial for understanding the malware’s persistence mechanisms. The Windows Registry is a common target for malware seeking persistence, as it can be used to run malicious code on startup or alter system behavior.
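Once a sandbox report has been parsed into per-process events, the file and registry checks described in this section (writes to startup folders and system directories, Run-key entries) can be automated and correlated by process. The Python below is an added example, not ANY.RUN’s code: the event records and their simplified shape are constructed for illustration, and the ATT&CK technique ID is taken from the public MITRE framework rather than from the article.

```python
"""Correlate file and registry events from a sandbox run to flag persistence."""
import re

# Autorun registry keys and folders on a defender's monitoring list.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^C:\\Windows\\", re.IGNORECASE)
# Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (public MITRE ATT&CK ID).
ATTACK_AUTOSTART = "T1547.001"

# Constructed sample events in a simplified shape (assumption: not a real sandbox report format).
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 1337, "image": r"C:\Users\admin\Desktop\invoice.exe"},
    {"type": "file_write", "pid": 1337, "path": r"C:\Users\admin\AppData\Roaming\updater.exe"},
    {"type": "registry_set", "pid": 1337,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "updater", "data": r"C:\Users\admin\AppData\Roaming\updater.exe"},
    {"type": "file_write", "pid": 1337,
     "path": r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\up.lnk"},
    {"type": "file_write", "pid": 1337, "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "file_write", "pid": 4242, "path": r"C:\Users\admin\Documents\report.docx"},
]


def find_persistence(events):
    """Return (pid, severity, attack_id, reason) tuples, one per suspicious event."""
    dropped = {}  # pid -> lower-cased paths that process has written so far
    findings = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "file_write":
            path = ev["path"]
            dropped.setdefault(pid, set()).add(path.lower())
            if STARTUP_DIR_RE.search(path):
                findings.append((pid, "high", ATTACK_AUTOSTART, f"file dropped in Startup folder: {path}"))
            elif SYSTEM_DIR_RE.search(path):
                findings.append((pid, "medium", None, f"write to system directory: {path}"))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            # Strip surrounding quotes and trailing arguments to recover the autorun target path.
            target = ev["data"].strip().strip('"').split('"')[0].lower()
            self_dropped = target in dropped.get(pid, set())  # dropper registering its own payload
            severity = "critical" if self_dropped else "high"
            note = " (points to a file this process dropped)" if self_dropped else ""
            findings.append((pid, severity, ATTACK_AUTOSTART,
                             f"Run key {ev['key']}\\{ev['value']} -> {ev['data']}{note}"))
    return findings


if __name__ == "__main__":
    for pid, severity, attack_id, reason in find_persistence(SAMPLE_EVENTS):
        print(f"pid={pid} [{severity}] {attack_id or '-'} {reason}")
```

The correlation step is what raises the Run-key finding to critical: the registered target is a file the same process wrote earlier in the run, which is the self-installing pattern the XWorm figure above illustrates.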

Analyze Malware and Phishing Threats in ANY.RUN Sandbox

ANY.RUN provides a cloud sandbox for malware and phishing analysis that delivers fast and accurate results to streamline your investigations. Thanks to interactivity, you can freely engage with the files and URLs you submit, as well as with the system itself, to explore the threat in depth.

You can integrate ANY.RUN’s advanced sandbox with features like Windows and Linux VMs, private mode, and teamwork in your organization.

Leave your trial request to test the ANY.RUN sandbox.


Source: thehackernews.com/