Write informative malware analysis report in one click

Malware Analysis Report in One Click

Malware analysis is a challenge as it is. But after your hard work on cracking a new sample, it is important to present all your results to the company and colleagues. And today, we will talk about how to write a malware analysis report in one click. 

How to write a malware analysis report?

To write a typical malware analysis report, you should cover the following points:

  1. Summary. Provide the highlights of your research with the malicious program’s name, origin, and main characteristics.  
  2. General information. Include malware type, file’s name, size, and current antivirus detection capabilities. Don’t forget about hashes: MD5, SHA1, SHA256, and SSDEEP. And if a sample has different family names, it’s worth mentioning them, too. 
  3. Characteristics. Write how the sample infects a system, self-preserves, distributes, communicates with servers, collects data, etc. 
  4. Dependencies. Note the functionality that depends on the environment: the required OS version, software set, executables and initialization files, DLLs, list of URLs, and scripts.
  5. Behavior activities. Review the sample's behavior: which executable files the malware drops, whether it checks the system language, runs injected code in another process, or changes any settings.
  6. Static information. Code analysis results and header information.
  7. Additional data. Attach screenshots, logs, string lines excerpts, etc. 
  8. IOCs. Show indicators of compromise that are necessary for successful detection and future prevention.

Get an automated malware analysis report with ANY.RUN 

It’s essential to save and share your reports for further cybersecurity strategy and investigation, and the ANY.RUN sandbox lets you do it effortlessly, with just one click.

You can download text reports with detailed information, get PCAP and SSL keys, check request/response content, copy malware config information from the memory dump, use the process graph and MITRE ATT&CK matrix. Besides that, you can export data in JSON format.

We took the RedLine malware sample to show all report examples. 

1. Text malware reports

Our HTML report is a one-click option to get all data about a sample. It’s a ready-made solution, so you don’t need to write a malware report by yourself. Information is displayed conveniently, so you can easily find whatever you need. 

You can also adjust the document online, share and print it, or get the report via the API.

The text report includes all data from the task: 

  • created processes
  • events and files in the registry
  • information about network activity
  • IOCs
  • screenshots 
  • process behavior graph

Depending on your goal, you can customize an HTML report and choose what sections to include. 

[Figure: Text malware report]

2. JSON

Download a summary of all task information in JSON format. This file holds the most complete set of data, so you can parse it and extract precisely what you need, then include that in the final report to show all the malware’s footprints.
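As an added example that is not part of the original post, the script below fills the report outline from the first section (summary, general information with hashes, dependencies, behavior activities, ATT&CK techniques, IOCs) from a task's JSON summary plus the sample bytes. The JSON field names and the sample data are constructed assumptions for this example, not ANY.RUN's real export schema.

```python
import hashlib
import json

# Constructed task summary. The field names are an assumption for this
# example; they are not ANY.RUN's real JSON schema.
TASK_JSON = r"""{
  "sample": {"name": "invoice.exe", "size": 482304, "family": "RedLine", "type": "stealer"},
  "processes": [{"pid": 2840, "cmd": "invoice.exe", "parent": null},
                {"pid": 3104, "cmd": "RegAsm.exe", "parent": 2840}],
  "network": {"domains": ["c2.example.invalid"], "ips": ["203.0.113.7"], "ports": [6969]},
  "dropped_files": ["%AppData%\\update.exe"],
  "attack": ["T1055", "T1555.003"]
}"""
SAMPLE_BYTES = b"MZ\x90\x00constructed-stand-in-for-the-binary"  # not a real sample

def file_hashes(data: bytes) -> dict:
    """Hashes for the 'General information' section. SSDEEP needs a
    third-party library, so it is left out of this stdlib-only example."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def process_tree(procs: list) -> list:
    """Indent each process under its parent, like the sandbox process graph."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p.get("parent"), []).append(p)
    lines = []
    def walk(parent, depth):
        for p in by_parent.get(parent, []):
            lines.append("  " * depth + f"{p['pid']} {p['cmd']}")
            walk(p["pid"], depth + 1)
    walk(None, 0)
    return lines

def iocs(summary: dict, hashes: dict) -> list:
    """File hashes plus network indicators, deduplicated for the IOC section."""
    net = summary["network"]
    return sorted(set(hashes.values()) | set(net["domains"]) | set(net["ips"]))

def build_report(task_json: str, sample: bytes) -> str:
    s = json.loads(task_json)
    h = file_hashes(sample)
    meta = s["sample"]
    sections = [
        ("Summary", [f"{meta['family']} ({meta['type']}), sample {meta['name']}"]),
        ("General information", [f"size: {meta['size']} bytes"] + [f"{k.upper()}: {v}" for k, v in h.items()]),
        ("Dependencies", [f"dropped: {f}" for f in s["dropped_files"]]),
        ("Behavior activities", process_tree(s["processes"])),
        ("MITRE ATT&CK", s["attack"]),
        ("IOCs", iocs(s, h)),
    ]
    return "\n".join(f"## {title}\n" + "\n".join(body) for title, body in sections)

if __name__ == "__main__":
    print(build_report(TASK_JSON, SAMPLE_BYTES))
```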

[Figure: JSON summary]

3. PCAP and SSL keys

One of ANY.RUN’s features is intercepting network traffic. SSL keys and a network dump in PCAP format are available for your report and further analysis: just download them from the task and include them in your final report.

[Figure: PCAP and SSL keys]

4. Request/response content

Take a look at the content of HTTP/HTTPS requests and responses. Connection streams are also available, and you can inspect the headers and query strings. This data should be highlighted in the report.

[Figure: Request/response content]

5. Malware configuration 

ANY.RUN extracts the content of the malicious process’s memory dump, so you can dive into analysis with the malware configuration: encrypted strings, IP addresses, the ports used to communicate with the C2 server, family name, version, mutex, and other data.

[Figure: Malware configuration]

6. Process graph 

One of the most effective ways to get a summary of malicious execution is to use a process graph of behavior activities. All processes are presented clearly and logically, which matters most when the process tree is large. The graph gives you a new angle on the relations between processes and may reveal something new. It also helps you reach a conclusion about the program’s behavior quickly.

[Figure: Process graph]

7. MITRE ATT&CK matrix

Research the sample’s tactics and techniques: in ANY.RUN, you can map malware functionality to the MITRE ATT&CK matrix.

[Figure: MITRE ATT&CK matrix]

Check how to get free malware samples and reports from ANY.RUN’s 6-million-entry database. It will help you see other versions of malware samples and support a more profound investigation for your research.
