memory dumps

Dive into Analysis with Malware Configuration

At the moment, dump extraction and YARA matching are powerful and effective detection of already known malware families. Also, they reveal detailed information about malware injected into the memory of system processes. And today ANY.RUN presents a new extended functionality.  

Memory dumps – great opportunities for an incredible detection rate

ANY.RUN has always valued and cared for simple usage, interactivity, and speed of analysis. Any user can now enjoy instant access to the analysis (with no waiting at all!), redesigned and improved interface, detailed and structured data. 

That is why our team has decided to evolve and delve into other directions. We didn’t have a chance to dive into a deeper analysis of samples before. But the time has come, and we hope you are on board with brand new features. 

The first and most important task is the malware’s memory analysis. That is a vast area for a bunch of minor functionalities. Our goal is to provide more functionalities for analysts to speed up their work, get it more interesting, clear, and give specialists an opportunity to improve their skills in cybersecurity.

A part of the memory dump with the beginning of Amadey’s version 2.50 encoded config

The memory analysis is carried out with the help of dump extractions from specific regions of executed files. After that, we detect a malicious program using the set of the YARA rules. We follow algorithms designed for its analysis and configuration extraction if malware is identified.

Moreover, the created dumps and the YARA scanner effectively detect different anomalies like encrypted strings, the packer, anti-debug and anti-sandbox techniques, etc.

The most versatile task is finding all IOCs and understanding how malware works inside and out. One of the effective methods to solve that task is to get the malware configuration.  

Configuration feature: the key to the endless internal malware features

There are thousands of malware families in the world. In most cases, all files inside one family follow the same pattern designed by the author. The behavior of objects may vary only when a developer establishes this opportunity, depending on the settings of the initial build of a sample. When the configuration is different, the actions may differ, too. The malicious object may send data to either the email or a server, use messengers, or all three options depending on the settings.

New malware acquires module nature like this Arkei. It allows downloading additional modals to the initial build of a sample, like a keylogger, a bank module, or a miner. And according to the extra features, malware behavior changes. 

All of these customizations are stored inside of settings, so-called malware configurations. When there is an opportunity to extract configurations, we can identify the behavior of malicious objects. And cybersecurity specialists get all information, maybe even before a sample starts malicious activity or when its command servers are no longer available.

Here is a sample of Remcos that doesn’t connect to C2 anymore. However, its configuration is displayed for you. And another case, this sample is brand new, and configs are already available for your research. 

For example, if there are ten C&C servers inside malware, and the first one responds or not, we may never get to the others, like in this task with Emotet. The sample quite often sends all data to the first IP address. And this way, it’s impossible to find out about other IP addresses via the network traffic. Thankfully, the configuration extractor allows revealing this data without activity from the malware’s side. 

Let’s take a look at the Trickbot sample. Using mathematical procedures or other tricks, it sleeps for too long and doesn’t perform any actions. Trickbot starts the network activity, such as attempts to connect to the C2 server, after almost 300 seconds of inactivity. However, we can notice that ANY.RUN detects it by dumps just after 100 seconds, so our config with the list of C2 is already available.

Even though there are numerous malware families in the wild, we can focus on the popular ones with the most considerable percent of distribution according to the statistics and then move to other niche players. If we look at Malware Trends Tracker’s results, there are not that many widespread families – about 50. Then we may monitor targeted APTs and others. 

Every time malware analysts get inside the sample’s memory dump, reverse and debug it. But if we research Emotet with loads of code for analysis – it takes a while to complete such a task. 

Manual configuration extraction

However, we offer all specialists to do all this process automatically and save their time. 90% of the most well-known malware can be left for ANY.RUN’s new feature. 

Take a look –  only today, there have been a dozen Emotet uploads and all of the working samples already have configurations. Check them out in our public submissions

Emotet samples with configurations

Right now, Malware configuration functionality is available for all users. ANY.RUN is ready to surprise you from the very launch of the feature – you can already make use of 30 extractors of the most famous malicious programs:

Emotet
IcedId
Lokibot
FormBook
TrickBot
Arkei
Oski
Cobalt Strike
Remcos
RedLine
HawkEye
AZORult
ZLoader
GuLoader
Nanocore
Hancitor
Qbot
Netwire
Quasar
CryptBot
WSHRat
Matiex
SquirrelWaffle
SystemBC
Tofsee
Snake Keylogger
AsyncRat
BlackNet
DarkComet
Amadey

We tried to extract meaningful information about the build configuration. Also ANY.RUN provides encrypted strings’ data about downloaded system modules and API. No doubt, that information expands analysts’ awareness of how malware works. 

ANY.RUN system is entirely interactive, and it was a challenge with a delay in malware execution: sometimes, it is hard to detect a family when a malicious object doesn’t show up its functions. That is why we were determined to find an answer for it. And here you are –  malware configuration is one of the most powerful ways to solve the issue. It improves the speed of detection significantly and provides much more data. 

With the memory dump feature, you don’t need to wait for the start of malicious functionality. It’s important to have the image extracted from the memory. The way it behaves is not essential for this scenario. 

The system displays the following malware configurations: 

  • An IP address and a port to connect to a C2 server
  • The current sample name 
  • A malware family name, type, and version
  • A campaign ID
  • Encryption keys
  • Number and types of sub-modules
  • Anti-debugging, anti-sandbox, and other anti-evasion methods
  • Mutex 
  • DGA seeds
  • The targeted OS version
  •  Domain names and URL lists
  •  Other options

Sounds good, right? 

Suppose we investigate Emotet with many IP addresses apart from the FakeNet feature. Before malware configuration functionality, we only got to know about one of them. And right now, we get all of the IP addresses. Thanks, memory dump!

Emotet malware configuration

Remcos is one of the frequently uploaded malware families to our service. Here is just a part of the Remcos sample’s configuration

  • The domain names and ports list that malware connects with 
  • Botnet name 
  • Connection interval 
  • Catalog where malware stores its files 
  • Addition of OS’s autorun

Besides that, other characteristics are also available such as Mutex, the log files name, taking screenshots of the infected system. 

Remcos malware configuration

Different malware families will show various sets of characteristics. Sometimes it can only be the IP addresses of the C2 server with the port, login, and password for the connection. 

Malware configuration in ANY.RUN 

Now, it’s time for a short guide on using a new interface for this feature.

ANY.RUN is all about a concise, user-friendly, accessible, and informative interface. This functionality is no exception. Let’s take a look at it closely. 

ANY.RUN’s malware configuration 

The window is divided into three parts: 

  1. Process navigation is on the top. If several malware families are detected in the sample, you can find them all here. Also, in case several different builds of the same family are launched. Moreover, a brief malware description is displayed here for you. For more details and fresh IOCs, you can visit the corresponding page in Malware Tracker. 
  2. The information panel has two sections. You can see the list, select the necessary data, and copy it on the left side. 
  3. On the right is the data for specialists who require the export of this information in JSON format. For further information, there is a guide implemented in our new functionality. Click on the question mark to bring out the tooltip. 

Malware configuration can be found on the info panel after the task is finished or in real-time by the CFG tag next to the process, which is quite convenient. You don’t need to stop the analysis or wait till the end of the task – start working with IOCs right away. 

Get IOCs in a flash with API

With API functionality, you can get IOCs in a heartbeat, as it’s the fastest way to acquire this valuable data. Imagine you received hundreds of files in spam, and, of course, you need to analyze them all. There are two ways to do so. Investigate one of the files and understand how it works without an interactive approach, track how much time it takes. 

API response to get a report

And then, you can launch all of the files at once via API. If we get Emotet to investigate:


fast malware analysis

It takes 15 seconds from the moment of sending the executable file till the final results with IOCs. 15 seconds for everything!


A couple of years ago, these results seemed for us to be beyond reach. Could you imagine that it took 15 seconds just to launch a virtual machine not a long time ago? And now, this amount of time is for the complete analysis of malware families mentioned above. We can note that our competitors need several minutes just to get any data. 

Conclusion

We are expanding malware configuration functionality on a regular basis. So, almost 30 malware extractors are just the beginning. And you can also take part in it! Leave in the comments: 

  • What malware families do you think are the most popular? And we will make sure to add them to our malware configuration.
  • Please let us know of any flawed extractors. 
  • Need more data for your work? Share your thoughts with us.
  • If you notice a new version of the malware and we don’t have it – you know what to do!

Memory dump is a very profound functionality that lets us perform different exciting and helpful actions. And detection of malware, its family, and configuration extraction is just the beginning of its usage. 

The memory dump starts a new era of functionalities that allows ANY.RUN to give users access to the most interesting features. And it’s time to try them yourself.

Be more informed and save your time!

Subscribe
Notify of
1 Comment
Inline Feedbacks
View all comments