HomeService Updates
Identify Suspicious or Tampered Files Faster with Digital Signatures  
HomeService Updates
Identify Suspicious or Tampered Files Faster with Digital Signatures  

Speed is one of the biggest advantages of the ANY.RUN sandbox. You can often recognize that a file is potentially malicious in under 20 seconds — whether it’s through the process tree, network stream analysis, or config extraction. Today, we’re adding a new feature to enhance your threat detection: digital signatures. Now, you can easily identify files that have been counterfeited or tampered with. 

Digital signatures act like official seals, validating the code’s issuer and signaling to analysts that a file can be trusted. Most large companies use them, signing every file. Kept up to date in public databases, signatures provide robust authenticity checks. 

Signature indicators in ANY.RUN

In ANY.RUN, you’ll find new digital signature icons next to processes in the process tree. Semi-transparent icons at the bottom indicate that a process or module has a certificate. Bigger icons at the top mark processes that require further investigation. Here’s when we display them: 

  • When a module certificate is missing, revoked, or untrusted 
  • When a process certificate is missing, revoked, or untrusted 

Track signatures in ANY.RUN 

Create free account

How new signature icons work in ANY.RUN 

Note that we show different icons for process and module signatures. Even if a process has a valid signature, if its module doesn’t have one — it’s a red flag. 

A small cog overlay makes it easy to identify a module signature, differentiating it from its process counterpart. 

Using these icons, you can quickly: 

  • Spot malicious software. A red “untrusted” icon means the signature issuer isn’t recognized. And a hollow icon indicates that a signature is missing. 
  • Identify untrustworthy files. A yellow “revoked” icon appears if the signature’s public key is compromised. 
  • Track expired signatures. A light-blue icon shows when the signature’s validity has run out. 

Want to know more about the signature? Click on the icon and a code signing window will appear. 

A code signing window

Dive Even Deeper with the ASN.1 Tree

Expired signatures are a dime a dozen in older or end-of-life software. But what if you encounter a suspicious file and want to investigate it further? This is when ASN.1 trees come into the picture. These structured records dive deep into the issuer’s details, revealing who signed the file, when it was signed, and more. 

In cases that leave you on the fence, this breakdown can provide the missing piece of the puzzle, enabling you to confidently say if the file is trustworthy. 

Signatures' ASN.1 tree

To view the ASN.1 tree, first click on a process and then scroll to the bottom of the process tree, to the process detail window. Then, click the “More info” button. Once the advanced process details page appears, select the new “Code signing” tab. You will see the signature overview on the left side of the window, and the ASN.1 tree will occupy the right side. 

From here, you can search the ASN.1 record right in ANY.RUN or download and analyze it further in your system. 

Here’s How You Can Use Digital Signatures in the Real-world  

Certificates can be one of the first red flags indicating that a sample warrants a closer look. 

Untrusted signature

An untrusted status — like in this example — is an obvious indication of malicious code, as the name implies. That is something you will never come across in a legitimate program.  

Revoked signature

Revoked certificates are similarly unambiguous — this status often indicates that a company has manually called back that certificate. Chances are, they suspect or know that it’s become compromised. That’s exactly what we see in this sample

And in this task, the certificate is expired. On the surface, this tells us that its validity period has passed and there is foul play, but such cases are still worth a look. 

Sometimes attackers steal certificates when they compromise a company. And that is precisely what happened in this task. We’re looking at Agent Tesla, signed with a leaked certificate. Even in a complicated case like this, the system notifies us about a potential certificate irregularity.  

Also, there is an icon for valid certificates — it will show up in the process tree if a module signature is missing, indicating a suspicious case. 

A few words about ANY.RUN 

ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis. 

Request a demo today and enjoy 14 days of free access to our enterprise plan.  

Request demo → 

What do you think about this post?

2 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.

0 comments