Hello, ANY.RUN users! Today we announce a new update to the service. This time we introduce a new browser that exposes threats targeting Microsoft Edge, and we unveil three TLS fingerprinting methods that can change how you analyze malware.
Update overview:
- Analyze with Microsoft Edge
Launch tasks in a newer, more functional, modern browser and analyze the threats that target Edge.
- New JA3, JA3S, JARM fingerprinting methods
Learn more about TLS connections, improve the results of malware analysis, and make your reports more informative.
Microsoft Edge use case
For a long time the default browser in Windows was Internet Explorer. Time moves on, though: it is now outdated and no longer covers users' needs.
It has been replaced by a more functional and modern browser, Microsoft Edge. Malware authors have not been idle either and have learned to take advantage of the new browser.
For example, they adapt phishing sites to it or write exploits that work only in Edge. ANY.RUN's online malware sandbox looks after its users, so we have added Microsoft Edge to the available browsers: now you can open malicious sites in Edge directly, without extra steps, and analyze threats built for it.
Let’s analyze a sample in Microsoft Edge together.
First, open the phishing link in the Edge browser.
After the link is launched in the VM, an HTML file is downloaded. Note that the file opens automatically in Microsoft Edge, since it is now the standard Windows browser.
If we enter data into the form and click Next, we are redirected to an error page. If we now look at the Requests tab, we see a POST request.
Inside the POST request we find the data we entered: this is how the phishing page sends the harvested input to its operator, and the request's destination host is the indicator to pull out of the task.
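As an added example (not ANY.RUN's code), here is how the data in that POST can be pulled out of a captured request with a few lines of Python. The request below is constructed for the example, with an invented host and field names; the point is that form fields arrive URL-encoded, so "victim%40example.com" and "P%40ss+word1" decode to exactly what was typed into the phishing form.

```python
"""Extract submitted form fields from a captured HTTP POST (added example, not ANY.RUN code)."""
from urllib.parse import parse_qs

# Constructed sample of a credential-harvesting POST; the host and field names are invented.
SAMPLE_POST = (
    b"POST /submit.php HTTP/1.1\r\n"
    b"Host: phish.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 48\r\n"
    b"\r\n"
    b"email=victim%40example.com&password=P%40ss+word1"
)

# Field names that typically carry harvested credentials (heuristic, not exhaustive).
CREDENTIAL_HINTS = ("user", "email", "login", "pass", "pwd")


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and decoded form fields."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Honour Content-Length so trailing bytes from a reassembled stream are not treated as form data.
    body = body[:int(headers.get("content-length", len(body)))]
    fields = {}
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded":
        # parse_qs undoes percent-encoding and turns '+' back into a space.
        decoded = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
        fields = {name: values[0] if len(values) == 1 else values for name, values in decoded.items()}
    return {"method": method, "target": target, "headers": headers, "fields": fields}


def harvested_credentials(raw: bytes) -> dict:
    """Return the form fields of a POST whose names look like credentials."""
    request = parse_http_request(raw)
    if request["method"] != "POST":
        return {}
    return {name: value for name, value in request["fields"].items()
            if any(hint in name.lower() for hint in CREDENTIAL_HINTS)}


if __name__ == "__main__":
    req = parse_http_request(SAMPLE_POST)
    print(req["method"], req["headers"]["host"] + req["target"])
    print(harvested_credentials(SAMPLE_POST))
```

The Content-Length check matters when the request comes from a reassembled TCP stream rather than a single packet: without it, the next request on a keep-alive connection would be parsed as part of the form body.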
TLS fingerprinting
Malware authors use SSL/TLS to hide malicious traffic inside encrypted connections, which makes detection and removal harder. But the TLS handshake negotiation itself is transmitted in the clear (the ClientHello goes out before any key has been agreed), so the parameters a client offers can be used to track and identify the client application without decrypting anything. In TLS 1.3 the ServerHello is still plaintext, but the messages after it are encrypted, so server-side fingerprints have less to work with there.
TLS fingerprinting is designed to quickly recognize known TLS clients and servers and to track unknown ones. Input is taken either from live traffic monitoring or from PCAP files.
There are several implementations in community use:
- passive methods based on JA3 (client) and JA3S (server) hashes, computed from handshakes observed on the wire
- an active tool for TLS server fingerprinting: JARM hashes, produced by probing the server.
| JA3 | JA3S | JARM |
|---|---|---|
| A client identification hash. The method collects the decimal values of the following fields from the ClientHello: TLS version, cipher suites, the list of TLS extensions, elliptic curves (supported groups), and elliptic curve point formats. The values are joined with "," between fields and "-" within a field, and the string is MD5-hashed. | A server identification hash. The method collects the decimal values of the following fields from the ServerHello: TLS version, the chosen cipher suite, and the list of TLS extensions. The same string format and MD5 hash are used. | A hybrid fuzzy hash. JARM actively sends ten specially crafted ClientHellos and hashes the server's responses using a combination of reversible and irreversible hashing to create a 62-character fingerprint: the first 30 characters encode the cipher and TLS version the server chose for each probe, the last 32 are a truncated SHA-256 over the extensions it returned. |
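As an added example (not ANY.RUN's code and not the reference JA3 implementation), the Python below computes JA3 and JA3S the way the table describes, from raw handshake bytes: it walks the ClientHello and ServerHello, pulls the decimal field values, joins them with "," and "-", and MD5-hashes the result. GREASE values (RFC 8701) are dropped before hashing, as the published JA3 implementation does; otherwise the randomized filler that modern browsers insert would change the hash on every connection. The two handshakes it parses are constructed inline for the example rather than taken from a capture, and the builder helpers and the host name example.com are part of the example.

```python
"""JA3 / JA3S fingerprints from raw TLS ClientHello / ServerHello records.

Added example for this post, not ANY.RUN code; the sample handshakes below are
constructed by hand and do not come from any real capture.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 skips them so the hash is stable.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _read_u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _parse_extensions(hs: bytes, pos: int) -> list:
    """Return [(type, body), ...] from the extensions block at pos (the block may be absent)."""
    if pos >= len(hs):
        return []
    end = pos + 2 + _read_u16(hs, pos)
    pos += 2
    exts = []
    while pos < end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        exts.append((etype, hs[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return exts


def _handshake(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte TLS record header and check the handshake message type."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _read_u16(record, 3)]
    if hs[0] != expected_type:
        raise ValueError(f"expected handshake type {expected_type}, got {hs[0]}")
    return hs


def _dash(values) -> str:
    return "-".join(str(v) for v in values if v not in GREASE)


def ja3_string(client_hello: bytes) -> str:
    """JA3 string: version,ciphers,extensions,curves,point_formats (decimal, '-' separated)."""
    hs = _handshake(client_hello, 0x01)
    pos = 4                                   # handshake type (1) + length (3)
    version = _read_u16(hs, pos); pos += 2
    pos += 32 + 1 + hs[pos + 32]              # random + session id length + session id
    cs_len = _read_u16(hs, pos); pos += 2
    ciphers = [_read_u16(hs, pos + i) for i in range(0, cs_len, 2)]; pos += cs_len
    pos += 1 + hs[pos]                        # compression methods
    exts = _parse_extensions(hs, pos)
    curves, formats = [], []
    for etype, body in exts:
        if etype == 0x000a:                   # supported_groups
            curves = [_read_u16(body, 2 + i) for i in range(0, _read_u16(body, 0), 2)]
        elif etype == 0x000b:                 # ec_point_formats
            formats = list(body[1:1 + body[0]])
    return ",".join([str(version), _dash(ciphers), _dash(e for e, _ in exts), _dash(curves), _dash(formats)])


def ja3s_string(server_hello: bytes) -> str:
    """JA3S string: version,cipher,extensions from a ServerHello."""
    hs = _handshake(server_hello, 0x02)
    pos = 4
    version = _read_u16(hs, pos); pos += 2
    pos += 32 + 1 + hs[pos + 32]
    cipher = _read_u16(hs, pos); pos += 2
    pos += 1                                  # compression method
    return ",".join([str(version), str(cipher), _dash(e for e, _ in _parse_extensions(hs, pos))])


def ja3(client_hello: bytes) -> str:
    return hashlib.md5(ja3_string(client_hello).encode()).hexdigest()


def ja3s(server_hello: bytes) -> str:
    return hashlib.md5(ja3s_string(server_hello).encode()).hexdigest()


def _ext_block(extensions) -> bytes:
    body = b"".join(_u16(t) + _u16(len(b)) + b for t, b in extensions)
    return _u16(len(body)) + body


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record (used only to construct sample input)."""
    body = (_u16(version) + bytes(32) + b"\x00"                   # legacy version, random, empty session id
            + _u16(2 * len(ciphers)) + b"".join(map(_u16, ciphers))
            + b"\x01\x00"                                         # compression methods: null only
            + _ext_block(extensions))
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + _u16(len(hs)) + hs


def build_server_hello(version: int, cipher: int, extensions: list) -> bytes:
    """Assemble a minimal ServerHello record (used only to construct sample input)."""
    body = _u16(version) + bytes(32) + b"\x00" + _u16(cipher) + b"\x00" + _ext_block(extensions)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + _u16(len(hs)) + hs


# Constructed sample: a TLS 1.3-capable client offering GREASE, three real ciphers and six extensions.
SAMPLE_CLIENT_HELLO = build_client_hello(
    0x0303,
    [0x0a0a, 0x1301, 0xc02b, 0x002f],                    # GREASE, AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM, RSA-AES128-SHA
    [(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),        # server_name
     (0x0a0a, b""),                                        # GREASE extension, dropped from the string
     (0x000a, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),        # supported_groups: x25519, secp256r1, secp384r1
     (0x000b, b"\x01\x00"),                                # ec_point_formats: uncompressed
     (0x000d, b"\x00\x04\x04\x03\x08\x04"),                # signature_algorithms
     (0x002b, b"\x04\x03\x04\x03\x03")],                   # supported_versions: 1.3, 1.2
)
# Constructed sample: the server answers with TLS 1.3 and TLS_AES_128_GCM_SHA256.
SAMPLE_SERVER_HELLO = build_server_hello(
    0x0303, 0x1301,
    [(0x002b, b"\x03\x04"),                                # supported_versions: 1.3
     (0x0033, b"\x00\x1d\x00\x20" + bytes(32))],           # key_share: x25519 (zero key, sample only)
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_CLIENT_HELLO), ja3(SAMPLE_CLIENT_HELLO))
    print(ja3s_string(SAMPLE_SERVER_HELLO), ja3s(SAMPLE_SERVER_HELLO))
```

Two details worth noticing when comparing against a real capture: a TLS 1.3 client still advertises 0x0303 (771) in the legacy version field, so its JA3 starts with "771," like a TLS 1.2 client's, and the same ClientHello with or without GREASE produces the same hash, which is the whole reason the filter exists.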
TLS fingerprinting is a useful part of malware analysis. With it you can:
- verify that all servers in a group have the same TLS configuration
- group disparate servers on the Internet by configuration
- identify default applications or infrastructure
- detect command-and-control servers and other malicious servers on the Internet
- on the client side, recognize the TLS stack a sample uses and match it against JA3 values seen in other tasks.
One caveat: a fingerprint identifies a TLS implementation and its configuration, not a specific program, so every client built on the same library shares a JA3, and a match is a lead to pivot on rather than proof of a particular family.
With today's update, these fingerprinting methods are available in the ANY.RUN sandbox, so you can now use them in your analysis, as in this sample.