analyze malware with ANY.RUN

Introduction to Malware Analysis

When analyzing malware, it is often necessary to go beyond static analysis techniques and make use of dynamic analysis as well. Doing so gives a better understanding of the malware's functionality and surfaces more IOCs, which is often the end goal.

Using a sandbox can automate the dynamic analysis process for you, saving you the time of doing it manually. Let’s take a look at two different samples using the sandbox from ANY.RUN and some of the features this service provides. The focus will be on dynamic analysis, mainly through the network traffic generated by each document. ANY.RUN uses Suricata for its threat detection and will provide the alerts that result from that network traffic.

IcedID malware analysis

While a task is running, ANY.RUN provides interactive access to the virtual machine, and once the task has completed, screenshots or a video recording are available, so you can see what happens when the malware becomes active.

The first sample comes from a malicious Office Excel document. In this case, we just see Excel opening and a prompt to enable editing and content, typical of malicious Office documents. One sign of possible malicious content is poor grammar and spelling mistakes, and here we see that button is misspelled as “bytton”.

Misspelling of “byttun” inside of Excel document

To get an overview of what is happening, the panel on the right side displays a process tree, beginning with the initial process and continuing with all further spawned processes. In this example, Excel spawns three rundll32.exe processes, as seen in the picture below.

Process tree for Excel document

The bottom panel has network information such as HTTP Requests, Connections, DNS Requests, and Threats (IDS alerts). A great feature of ANY.RUN is that network activity is displayed in real time. You don’t have to wait for the malware to finish detonating and a final summary report to be generated before you start seeing IOCs and other useful information.

Networking information panel

One important IOC is the set of URLs the malware attempts to connect to. Under the HTTP Request tab, we can see which hosts requests are being made to, the location of the address, and the process name and ID. We can see that Excel is making multiple requests for executable files, which is suspicious. The requests are also going to dotted-quad IP addresses instead of a typical hostname such as www.google.com, which is uncommon. You can click on the “executable” cell under the Content tab to see the actual request and response data.

Response data from the HTTP request

You can see summary data as well as hash values. Under the data section, you can clearly see the “magic number” MZ, which indicates that this is a PE file. Looking back at the requests, the newly created processes try to request additional files from hxxp://630mordorebiter[.]website/; those requests were not successful in this case, but the site is still recognized as malicious. Looking under the Threat tab, you can see all the alerts generated by Suricata.

Suricata alerts from Excel document

As we noticed earlier, Excel is downloading a PE file and the request addresses are dotted quads, both of which were detected by Suricata. Also, the two additional rundll32 processes that were spawned were recognized as malware, specifically IcedID, as they tried to download further content from hxxp://630mordorebiter[.]website/. The DNS Requests and Connections tabs give more detailed network information if you want it.

In the upper right-hand corner of the website, you will find summary information such as file name, hashes, malware type, and environment run-time. You can also download the sample and get a list of all the IOCs in one place, which is convenient. All of these features are free; some, like sample downloads, require an account, but the account is free too.

Summary information and downloads

IOCs

Summary of IOCs

Dridex malware analysis

The next sample is another Excel document. It claims to be a “report” but is very small and hard to read, which is probably deliberate. Even though the button is meant to prompt the user into action, the macros execute as soon as the document is opened and content is enabled. Social engineering touches like these are used to lend the document more perceived credibility.

View of open Excel document

The process tree shows that Excel launches wmic.exe, which in turn launches rundll32.exe to run fnb5b.dll.

Processes spawned from Excel document

Under the HTTP Requests tab, we can see that wmic.exe, spawned by the Excel document, makes a GET request to hxxp://pbotv[.]tv/, presumably to download a PHP file, which seems suspicious.

HTTP requests tab

To dig a little deeper, we can click the icon under the “Content” tab of the same request and ANY.RUN will provide the contents of the download.

Content of HTTP response

As you can see, the file is actually identified as a DOS executable, which we can verify in the hex data with the “magic” MZ and the “DOS mode” text. This process then uses rundll32 to execute the downloaded PE file, which makes two more GET requests. You can click directly on the process in the process tree or under the HTTP Request tab to view more details. ANY.RUN supplies a threat score, which is 100/100 here, and lists specific threats below.

Threat Score of document

Lastly, under the Threats tab, we are given the specific alerts that were triggered in Suricata. Here, wmic.exe downloads a PE file via an HTTP GET request. Then rundll32 executes a DLL that is recognized specifically as Dridex malware. Again, the Connections and DNS Requests tabs will give more details if desired.
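The signals the sandbox raised in both samples (an Office process spawning rundll32/wmic, requests to dotted-quad hosts, and a response body carrying the MZ/PE headers under a non-executable file name) can be reproduced with a small triage script. The following is an added example, not ANY.RUN's code or export format; the process and HTTP records are constructed to resemble the panels described above, and the PE blob and the 203.0.113.10 host are fabricated test values.

```python
import ipaddress
import struct
from urllib.parse import urlparse

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "wmic.exe", "regsvr32.exe", "mshta.exe"}

# Constructed minimal PE-like blob (not a real sample): MZ stub, e_lfanew=0x40, PE signature.
FAKE_PE = b"MZ" + b"\0" * 0x3A + b"\x40\0\0\0" + b"PE\0\0" + b"!This program cannot be run in DOS mode."

# Constructed records shaped like the sandbox's process tree and HTTP Requests panels.
PROCESSES = [{"pid": 100, "ppid": 1, "name": "EXCEL.EXE"},
             {"pid": 200, "ppid": 100, "name": "wmic.exe"},
             {"pid": 300, "ppid": 200, "name": "rundll32.exe"}]
HTTP_EVENTS = [{"pid": 200, "url": "http://203.0.113.10/payload.php", "body": FAKE_PE},
               {"pid": 100, "url": "http://www.example.com/index.html", "body": b"<html></html>"}]

def office_ancestor(pid, procs):
    """Walk up the tree; return the first Office ancestor's name, or None."""
    by_pid = {p["pid"]: p for p in procs}
    cur, seen = by_pid.get(pid), set()
    while cur and cur["pid"] not in seen:  # seen guards against looping ppid data
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
        if cur and cur["name"].lower() in OFFICE:
            return cur["name"]
    return None

def is_pe(body):
    """MZ at offset 0 and the PE\\0\\0 signature at the offset stored in e_lfanew (0x3C)."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", body, 0x3C)[0]
    return body[off:off + 4] == b"PE\0\0"

def dotted_quad_host(url):
    try:  # True only when the URL host is a literal IPv4 address, not a hostname
        return ipaddress.IPv4Address(urlparse(url).hostname or "") is not None
    except ValueError:
        return False

def triage(procs, http_events):
    findings = []
    for p in procs:  # Office -> LOLBin lineage, the pattern seen in both samples
        anc = office_ancestor(p["pid"], procs)
        if anc and p["name"].lower() in LOLBINS:
            findings.append(f"{anc} -> {p['name']} (pid {p['pid']})")
    for ev in http_events:  # IP-literal hosts and PE payloads hiding behind other extensions
        if dotted_quad_host(ev["url"]):
            findings.append(f"dotted-quad host: {ev['url']}")
        if is_pe(ev["body"]) and not ev["url"].lower().endswith(".exe"):
            findings.append(f"PE served as non-exe: {ev['url']}")
    return findings
```

Running `triage(PROCESSES, HTTP_EVENTS)` on the constructed data yields four findings: the two Office-descended LOLBin launches, the IP-literal host, and the PE body served as a .php file.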

Suricata alerts from document

IOCs


Sample 1: https://app.any.run/tasks/e65f0c6d-3754-4a30-a09f-e2ecfbfaeaae/ (MD5 4cd507abe0d01f83a133f7bd8e9f8915)

Sample 2: https://app.any.run/tasks/7dd4537b-eaf3-4b42-b123-a3c5e3d0316d/ (MD5 caf32427ed8b4558c25adbf5c3701594)

Conclusion

In-depth manual malware analysis can be very time-consuming and cumbersome. The use of a feature-rich sandbox like ANY.RUN can streamline your workflow and make your life much easier. This brief look at two samples only highlights some of the features the service provides and is intended as a starting point for sample analysis.

guest writer
Ryan Blevins

My name is Ryan Blevins, and I live in the Pacific Northwest, where I love spending time out in the wild to recharge myself. I earned a BS in Cyber Operations from Dakota State University. My professional interests include cyber-security, especially reverse engineering and all things malware-related.
