Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators. Effective analysis must be fast, in-depth, and precise. These five tools will help you achieve it with ease.
Having the ability to interact with the malware and the system in real-time is a great advantage when it comes to dynamic analysis. This way, you can not only observe its execution but also see how it responds to your inputs and triggers specific behaviors.
Plus, it saves time by allowing you to download samples hosted on file-sharing websites or open those packed inside an archive, which is a common way to deliver payloads to victims.
Check out this sandbox session in the ANY.RUN sandbox that shows how interactivity is used for analyzing the entire chain of attack, starting from a phishing email that contains a PDF attachment. The link inside the .pdf leads to a file-sharing website where a password-protected .zip is hosted.
The sandbox allows us not only to download the archive but also to enter the password (which can be found in the email) and extract its contents to run the malicious payload.
After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims’ machines and steal sensitive data.
It adds corresponding tags to the interface and generates a report on the threat.
Analyze files and URLs in a private, real-time environment of the ANY.RUN sandbox.
Get a 14-day free trial of the sandbox to test its capabilities.
Collecting relevant indicators of compromise (IOCs) is one of the main objectives of dynamic analysis. Detonating malware in a live environment forces it to expose its C2 server addresses, encryption keys, and other settings that ensure its functionality and communication with the attackers.
Although such data is often protected and obfuscated by malware developers, some sandbox solutions are equipped with advanced IOC collecting capabilities, making it easy to identify the malicious infrastructure.
In ANY.RUN, you can quickly gather a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS requests, and more.
The ANY.RUN sandbox goes one step further by not only presenting a list of relevant indicators collected during the analysis session but also extracting configurations for dozens of popular malware families. See an example of a malware configuration in the following sandbox session.
Such configs are the most reliable source of actionable IOCs that you can utilize with no hesitation to enhance your detection systems and improve the effectiveness of your overall security measures.
Preventing potential attacks on your infrastructure is not just about proactively finding IOCs used by attackers. A more lasting method is to understand the tactics, techniques, and procedures (TTPs) employed in malware currently targeting your industry.
The MITRE ATT&CK framework helps you map these TTPs to let you see what the malware is doing and how it fits into the bigger threat picture. By understanding TTPs, you can build stronger defenses tailored to your organization and stop attackers at the doorstep.
See the following analysis of AgentTesla. The service registers all the main TTPs used in the attack and presents detailed descriptions for each of them.
All that’s left to do is take into consideration this important threat intelligence and use it to strengthen your security mechanisms.
Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware.
Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware’s communication with external servers, the type of data being exchanged, and any malicious activities.
The ANY.RUN sandbox captures all network traffic and lets you view both received and sent packets in the HEX and text formats.
Apart from simply recording the traffic, it is vital that the sandbox automatically detects harmful actions. To this end, ANY.RUN uses Suricata IDS rules that scan the network activity and provide notifications about threats.
You can also export data in PCAP format for detailed analysis using tools like Wireshark.
Try ANY.RUN’s advanced network traffic analysis with a 14-day free trial.
To understand the malware’s execution flow and its impact on the system, you need to have access to detailed information about the processes spawned by it. To assist you in this, your sandbox of choice must provide advanced process analysis that covers several areas.
For instance, visualizing the process tree in the ANY.RUN sandbox makes it easier to track the sequence of process creation and termination and identifies key processes that are critical for the malware’s operation.
You also need to be able to verify the authenticity of the process by taking a look at its certificate details, including the issuer, status, and validity.
Another useful feature is process dumps, which may contain vital information, such as encryption keys used by the malware. An effective sandbox will let you easily download these dumps to conduct further forensic analysis.
One of the recent trends in cyber attacks is the use of fileless malware which executes only in memory. To catch it, you need to have access to the scripts and commands being run during the infection process.
Tracking file creation, modification, and deletion events is another essential part of any investigation into malware’s activities. It can help you reveal if a process is attempting to drop or modify files in sensitive areas, such as system directories or startup folders.
Monitoring registry changes made by the process is crucial for understanding the malware’s persistence mechanisms. The Windows Registry is a common target for malware-seeking persistence, as it can be used to run malicious code on startup or alter system behavior.
ANY.RUN provides a cloud sandbox for malware and phishing analysis that delivers fast and accurate results to streamline your investigations. Thanks to interactivity, you can freely engage with the files and URLs you submit, as well as the system to explore the threat in-depth.
You can integrate ANY.RUN’s advanced sandbox with features like Windows and Linux VMs, private mode, and teamwork in your organization.
Leave your trial request to test the ANY.RUN sandbox.
