When analyzing malware, static analysis alone is often not enough, and dynamic analysis is needed as well. Running the sample helps you understand its functionality better and find more IOCs, which is often the end goal.
Using a sandbox automates much of the dynamic analysis process, saving you the time of doing it by hand. Let’s take a look at two different samples using the ANY.RUN sandbox and some of the features this service provides. The focus will be on dynamic analysis, mainly through the network traffic generated by the document. ANY.RUN uses Suricata for threat detection and provides the alerts raised by that network traffic.
IcedID malware analysis
During the execution of a task, ANY.RUN provides interactive access to the virtual machine, and when the task has completed, screenshots or a video of the session are available, so you can see what happens when the malware becomes active.
The first sample is a malicious Excel document. In this case we just see Excel opening, with a prompt to enable editing and content, typical of malicious Office documents. One sign of possible malicious content is poor grammar and spelling, and here “button” is misspelled as “bytton”.
To get an overview of what is happening, the panel on the right side displays a process tree, beginning with the initial process and continuing with every further spawned process. In this example, Excel spawns three rundll32.exe processes, as can be seen in the picture below.
The bottom panel has network information such as HTTP Requests, Connections, DNS Requests, and Threats (IDS alerts). A great feature of ANY.RUN is that network activity is displayed in real time. You don’t have to wait for malware to finish detonation and a final summary report to be created to begin to see IOCs and other helpful information.
One important type of IOC is the URLs the malware attempts to connect to. Under the HTTP Requests tab we can see where requests are being made, the geolocation of the address, and the requesting process name and ID. We can see that Excel is making multiple requests for executable files, which is suspicious on its own. The requests also go to dotted-quad IP addresses rather than a hostname like www.google.com, which is uncommon for legitimate traffic and leaves no DNS request behind. You can click the “executable” cell in the Content column to see the actual request and response data.
You can see summary data as well as hash values. In the data section, you can clearly see the “magic number” MZ, the DOS header that marks the start of a PE file. Looking back at the requests, the newly created rundll32 processes try to request additional files from hxxp://630mordorebiter[.]website/; these requests were not successful in this case, but the site is still recognized as malicious. Under the Threats tab, you can see all the alerts generated by Suricata.
As we noticed earlier, Excel is downloading a PE file and the request addresses are dotted quads, both of which Suricata detected. The two additional rundll32 processes that were spawned were also recognized as malware, specifically IcedID, while trying to download further content from hxxp://630mordorebiter[.]website/. The DNS Requests and Connections tabs give more detailed network information if you need it.
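The checks the post walks through by hand (an Office process fetching a file, an MZ/PE body in the response, a dotted-quad host, a LOLBin talking HTTP, hashes and a defanged IOC list) can be run over the HTTP transactions a sandbox exports. The script below is an added example written for this page, not ANY.RUN's code; the transactions, PIDs, the 203.0.113.10 documentation-range address and the /update.dat path are constructed stand-ins for what the run showed.

```python
"""Added example, not ANY.RUN's code: triage HTTP transactions from a
sandbox run for the indicators discussed above and build an IOC list.
The transactions below are constructed to resemble the IcedID run."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Binaries that normally have no business making HTTP requests themselves.
LOLBINS_WITH_NETWORK = {"rundll32.exe", "wmic.exe", "regsvr32.exe", "mshta.exe"}
DOS_STUB = b"This program cannot be run in DOS mode"


@dataclass
class HttpTransaction:
    process: str   # requesting process image, as the sandbox reports it
    pid: int
    method: str
    host: str      # Host header, either a name or a dotted quad
    path: str
    body: bytes    # response body as captured (empty if the request failed)


def is_pe(body: bytes) -> bool:
    """A PE file starts with the 'MZ' DOS header, and the e_lfanew field at
    offset 0x3C points to the 'PE\\0\\0' signature. Checking both avoids
    flagging any blob that merely starts with 'MZ'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(body[0x3C:0x40], "little")
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def is_dotted_quad(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def defang(host: str, path: str = "/") -> str:
    """hxxp:// and [.] so the IOC cannot be clicked by accident."""
    return f"hxxp://{host.replace('.', '[.]')}{path}"


def triage(tx: HttpTransaction) -> Dict:
    findings: List[str] = []
    if is_pe(tx.body):
        findings.append("PE file downloaded over HTTP")
    if DOS_STUB in tx.body:
        findings.append("DOS stub text in response body")
    if is_dotted_quad(tx.host):
        findings.append("request to dotted-quad host (no DNS lookup)")
    if tx.process.lower() in OFFICE_PROCESSES:
        findings.append(f"Office process {tx.process} making HTTP request")
    if tx.process.lower() in LOLBINS_WITH_NETWORK:
        findings.append(f"LOLBin {tx.process} making HTTP request")
    return {
        "url": defang(tx.host, tx.path),
        "process": f"{tx.process}:{tx.pid}",
        "sha256": hashlib.sha256(tx.body).hexdigest() if tx.body else None,
        "findings": findings,
    }


def triage_all(txs: List[HttpTransaction]) -> List[Dict]:
    """Only transactions with at least one finding make it onto the IOC list."""
    return [r for r in map(triage, txs) if r["findings"]]


def fake_pe() -> bytes:
    """Constructed stand-in for the downloaded executable: an MZ/PE header
    skeleton with the usual DOS stub string and no real code."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew -> 0x80
    stub = DOS_STUB + b".\r\n$"
    buf[0x4E:0x4E + len(stub)] = stub
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


# Constructed sample: 203.0.113.10 is a documentation-range address standing in
# for the dotted quad seen in the run, the .website domain is the one named in
# the post (request failed, empty body), and the google.com request is a control.
SAMPLE_TRANSACTIONS = [
    HttpTransaction("EXCEL.EXE", 2612, "GET", "203.0.113.10", "/update.dat", fake_pe()),
    HttpTransaction("rundll32.exe", 3396, "GET", "630mordorebiter.website", "/", b""),
    HttpTransaction("chrome.exe", 4120, "GET", "www.google.com", "/", b"<!doctype html>..."),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_TRANSACTIONS):
        print(row["process"], row["url"], row["sha256"], row["findings"])
```

The PE check reads e_lfanew rather than stopping at the two magic bytes, because text and archive formats can legitimately begin with "MZ"; the DOS stub string is kept as a separate, weaker finding since packers sometimes strip it.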
In the upper right-hand corner of the website, you will find summary information such as file name, hashes, malware type, and environment run-time. Also, you can download the sample and get a list of all the IOCs in one place, which is convenient. All of these services are free. Some, like sample downloads, require an account, but again, all free.
Dridex malware analysis
The next sample is another Excel document. It claims to be a “report”, but the text is very small and hard to read, probably on purpose. Although the button is there to prompt the user into action, clicking it is not required: the macros run as soon as the document is opened with content enabled. These social engineering touches are there to add perceived credibility to the document.
The process tree shows Excel launches wmic.exe, which in turn launches rundll32, which is used to run fnb5b.dll.
Under the HTTP Requests tab, we can see that wmic.exe, spawned by the Excel document, makes a GET request to hxxp://pbotv[.]tv/ for what is presumably a PHP file, which is suspicious.
To dig a little deeper, we can click the icon under the “Content” tab of the same request and ANY.RUN will provide the contents of the download.
As you can see, the file is actually identified as a DOS executable, which we can verify in the hex data with the “MZ” magic bytes and the “This program cannot be run in DOS mode” stub text, so the .php extension is just a disguise for a Windows PE file. This process then uses rundll32 to execute the downloaded PE file, which in turn makes two more GET requests. You can click directly on the process in the process tree or under the HTTP Requests tab to view more details. ANY.RUN supplies a threat score, which is 100/100 here, and lists the specific threats below it.
Lastly, under the Threats tab, we are given the specific alerts that were triggered in Suricata. Here, wmic.exe downloads a PE file via an HTTP GET request. Then rundll32 executes a DLL which is recognized specifically as Dridex malware. Again, the Connections and DNS Requests tabs will give more details if desired.
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\y8UzX1Zf0ZWtO.php
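Both runs are recognisable from the process tree alone: Excel spawning rundll32 three times in the first, and Excel spawning wmic.exe which spawns rundll32 in the second. The script below is an added example, not ANY.RUN's code; it rebuilds such a tree from process-creation events (the pid/ppid/image/command-line fields a sandbox or Sysmon event 1 records) and flags LOLBins with an Office ancestor, with a stronger hit when rundll32 loads a DLL from a user-writable directory. The events, PIDs, file paths and export names are constructed for illustration and are not from the post's screenshots; only the fnb5b.dll name comes from the post.

```python
"""Added example, not ANY.RUN's code: rebuild a process tree from
process-creation events and flag the Office -> LOLBin chains seen in the two
runs (Excel -> rundll32 x3, and Excel -> wmic -> rundll32). The events are
constructed; PIDs, paths and command lines are illustrative only."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "wmic.exe", "regsvr32.exe", "mshta.exe",
           "powershell.exe", "cmd.exe"}
# A DLL loaded by rundll32 from a user-writable directory is a stronger
# signal than rundll32 alone, which Windows itself uses constantly.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str                      # basename, lower-cased
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


def build_tree(events: List[Tuple[int, int, str, str]]) -> Dict[int, Proc]:
    procs = {pid: Proc(pid, ppid, image.lower(), cmd) for pid, ppid, image, cmd in events}
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return procs


def lineage(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Ancestry root-first, e.g. ['explorer.exe', 'excel.exe', 'wmic.exe', 'rundll32.exe']."""
    out, seen = [], set()
    p = procs.get(pid)
    while p is not None and p.pid not in seen:   # seen-set guards against PID-reuse loops
        seen.add(p.pid)
        out.append(p.image)
        p = procs.get(p.ppid)
    return list(reversed(out))


def find_suspicious(procs: Dict[int, Proc]) -> List[Dict]:
    hits = []
    for p in procs.values():
        chain = lineage(procs, p.pid)
        office = next((a for a in chain[:-1] if a in OFFICE), None)
        if p.image not in LOLBINS or office is None:
            continue
        reasons = [f"{p.image} has Office ancestor {office}"]
        if p.image == "rundll32.exe" and USER_WRITABLE.search(p.cmdline):
            reasons.append("rundll32 loading a DLL from a user-writable path")
        hits.append({"pid": p.pid, "chain": " > ".join(chain), "reasons": reasons})
    return sorted(hits, key=lambda h: h["pid"])


def render(procs: Dict[int, Proc], pid: int, depth: int = 0) -> str:
    """Indented tree like the sandbox's right-hand panel."""
    p = procs[pid]
    lines = ["  " * depth + f"{p.image} ({p.pid})"]
    lines += [render(procs, c.pid, depth + 1) for c in p.children]
    return "\n".join(lines)


# (pid, ppid, image, cmdline): constructed to mirror the two runs above.
# DLL paths and the ",#1" export are illustrative, not taken from the post.
EVENTS = [
    (900, 0, "explorer.exe", "explorer.exe"),
    # benign control: rundll32 with a system DLL, no Office ancestor
    (950, 900, "rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
    # run 1 (IcedID-style): Excel spawns three rundll32 processes directly
    (1000, 900, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\EXCEL.EXE" invoice.xls'),
    (1101, 1000, "rundll32.exe", r"rundll32.exe C:\Users\admin\AppData\Local\Temp\one.dll,#1"),
    (1102, 1000, "rundll32.exe", r"rundll32.exe C:\Users\admin\AppData\Local\Temp\two.dll,#1"),
    (1103, 1000, "rundll32.exe", r"rundll32.exe C:\Users\admin\AppData\Local\Temp\three.dll,#1"),
    # run 2 (Dridex-style): Excel -> wmic -> rundll32 fnb5b.dll
    (2000, 900, "EXCEL.EXE", r'"C:\Program Files\Microsoft Office\EXCEL.EXE" report.xls'),
    (2100, 2000, "wmic.exe", "wmic.exe"),
    (2200, 2100, "rundll32.exe", r"rundll32.exe C:\Users\admin\AppData\Local\Temp\fnb5b.dll,#1"),
]

if __name__ == "__main__":
    procs = build_tree(EVENTS)
    print(render(procs, 900))
    for hit in find_suspicious(procs):
        print(hit["pid"], hit["chain"], hit["reasons"])
```

The Office-ancestor test walks the whole lineage rather than checking only the direct parent, which is what catches the wmic.exe hop in the second run; a parent-only rule would see rundll32 under wmic and miss the Excel origin.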
In-depth manual malware analysis can be very time-consuming and cumbersome. A feature-rich sandbox like ANY.RUN can streamline your workflow and make your life much easier. This brief analysis of two samples only highlights some of the features the site provides and is intended as a starting point for sample analysis.