{"id":2433,"date":"2022-06-28T05:34:25","date_gmt":"2022-06-28T05:34:25","guid":{"rendered":"\/cybersecurity-blog\/?p=2433"},"modified":"2024-07-24T07:47:40","modified_gmt":"2024-07-24T07:47:40","slug":"3-ways-to-analyze-geo-targeted-malware","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/","title":{"rendered":"3 Ways to Analyze Geo-Targeted Malware"},"content":{"rendered":"\n<p>Cyber attacks are getting more personalized, and malware authors trick victims with tailored approaches. Such campaigns adapt malicious programs to the attacked country, using the local language, services, currency, and more.&nbsp;<br><\/p>\n\n\n\n<p>In some cases, geofenced malware won&#8217;t start execution if it detects the OS language or an IP address of a non-targeted country. Today we will discuss how to analyze location-based malware in <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=geo_targeted_malware\" target=\"_blank\">ANY.RUN<\/a>.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why does malware aim at geolocation?&nbsp;<\/h3>\n\n\n\n<p>Hackers never cease to surprise us with their sophisticated and malicious methods. Unfortunately, this creativity pays off, and victims fall for their trickery.&nbsp;<br><\/p>\n\n\n\n<p>Malware&#8217;s goal is to employ every possible way to impersonate legitimate software. One of them is geolocation. 
When a program speaks to the user in their native language, it creates common ground and builds trust.&nbsp;<br><\/p>\n\n\n\n<p>Here are other reasons why malware creators aim to create geo-located malware:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>infects computers more effectively with localized phishing campaigns&nbsp;<\/li>\n\n\n\n<li>attacks a specific country or region<\/li>\n\n\n\n<li>evades detection longer<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s discuss the types and <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-explained\/\" target=\"_blank\">how to analyze<\/a> these narrowly specialized malicious objects.<br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How does geofenced malware work?<\/h3>\n\n\n\n<p>Cars, clothes, and food brands usually localize their marketing campaigns, adapting products to a specific region for distribution. Hackers quickly picked up this trend and started to design malware the same way to make their attacks more successful.&nbsp;<br><\/p>\n\n\n\n<p>Geo-targeted malware can check the geolocation of the infected host to avoid delivery in non-target countries. It means you won&#8217;t get a payload during analysis if your malware analysis environment is not located in the targeted country.&nbsp;<br><\/p>\n\n\n\n<p>Here is the usual scheme of how geofenced malware works:<br><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">1. <strong>Distribution&nbsp;<\/strong><\/h5>\n\n\n\n<p>Cybercriminals can put banking malware on computers in any region they prefer. It may be a rich country or just one where crooks have opportunities, such as recruiting people to withdraw money from local ATMs using card numbers and PIN codes stolen by malware or skimmers.<br><\/p>\n\n\n\n<p>There are many cases when criminals go to the black market to use compromised Traffic Direction Systems (TDS), which steer online traffic to find the most suitable victims. 
That is similar to legitimate advertising networks that serve the most relevant ad every time you visit a website.<br><\/p>\n\n\n\n<p>According to <a href=\"https:\/\/go.kaspersky.com\/rs\/802-IJN-240\/images\/KSB_statistics_2021_eng.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">the Kaspersky research<\/a>, here is the percentage of users who faced financial threats in different countries during 2021:<br><\/p>\n\n\n\n<p><strong>Countries attacked by banking malware<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Country<\/strong><\/td><td><strong>% of users attacked<\/strong><\/td><\/tr><tr><td>Turkmenistan<\/td><td>8.4<\/td><\/tr><tr><td>Afghanistan<\/td><td>6.7<\/td><\/tr><tr><td>Tajikistan<\/td><td>6.6<\/td><\/tr><tr><td>Uzbekistan<\/td><td>5.7<\/td><\/tr><tr><td>Yemen<\/td><td>3.1<\/td><\/tr><tr><td>Paraguay<\/td><td>2.9<\/td><\/tr><tr><td>Costa Rica<\/td><td>2.7<\/td><\/tr><tr><td>Sudan<\/td><td>2.4<\/td><\/tr><tr><td>Kazakhstan<\/td><td>2.2<\/td><\/tr><tr><td>Syria<\/td><td>2.2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">2. <strong>Adapting<\/strong><\/h5>\n\n\n\n<p>How does a compromised web server work? It identifies your IP address, which often reveals your computer&#8217;s location, and only then sends the malicious data. In the end, you turn out to be running the malware &#8220;designed&#8221; for your region.<br><\/p>\n\n\n\n<p>Crooks prefer this type of IP address identification for <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-protect-banks-from-cyberattacks\/\" target=\"_blank\">banking malware<\/a>. Most such programs work with a defined country or region. For example, German users are likely to be Deutsche Bank customers, so malicious programs targeting this bank could reach a high success rate.<br><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">3. 
<strong>Theft<\/strong><\/h5>\n\n\n\n<p>Most geo attacks aim at financial data theft. Several malware types help reach this goal. Banking trojans, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/ransomware\/\" target=\"_blank\">ransomware<\/a>, and RATs are explicitly designed for this need. Also, different regions are attacked by specific malware families. For example, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/malware-trends\/dridex\" target=\"_blank\">Dridex<\/a> is frequently used in the USA and Germany; Ursnif prefers Italy.&nbsp;&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/-0UEd7UyBmHpl5ulPbV41m7PekQ4nw5DeTJUogVV7aWlZnOR1580ZWXuTJR9affpLJr15PffjNW2UlBC9MiMDrJOLQafeTXUOb364vkAoXcQyJg_Le6FHIjSuiw5EChhbauEg-bqNjLeC41-qA\" alt=\"Top malware uploads in 2021\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">How to analyze geo-located malware<\/h3>\n\n\n\n<p>There are a few ways to detect geo malware in <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=geo_targeted_malware\" target=\"_blank\">ANY.RUN<\/a>. Let&#8217;s go through them using samples from <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/submissions?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=geo_targeted_malware\" target=\"_blank\">public submissions<\/a>.<br><\/p>\n\n\n\n<p>We can start by using the Network Geolocation feature. It allows analyzing malicious objects from a wide list of countries. You can turn on Tor or add your own VPN configuration. 
Moreover, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/mitm-proxy-fake-net\/\" target=\"_blank\">HTTPS MITM proxy and FakeNet<\/a> are helpful, too.&nbsp;&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/R8PwjPcgQ5sET-f55XfkbjTZuyU2340K1_1y6g8IV8iJZZBWpXAb0q2rFcoETUz-K-cMAN64_1ThdiSJ1acSPt2k6iweJdYaUXqBVtytN918ubPKm7I3GD6llNLpWhj7arkdZrtA9fGH3KpjaA\" alt=\"ANY.RUN features for network geolocation\"\/><figcaption class=\"wp-element-caption\">ANY.RUN features for network geolocation<\/figcaption><\/figure>\n\n\n\n<h5 class=\"wp-block-heading\">1. <strong>HTTPS MITM proxy&nbsp;<\/strong><\/h5>\n\n\n\n<p>Analyze samples using cryptographic protocols designed to provide communications security, such as SSL and TLS. It allows you to save complete HTTP conversations for later analysis.<br><\/p>\n\n\n\n<p>With the HTTP MITM Proxy option, you can use the route via Tor, but only with the fastest geolocation.<br><\/p>\n\n\n\n<p>Today we have a <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/139506ac-9fc1-481e-bbb7-4cca67a29064\" target=\"_blank\">phishing sample.<\/a> It&#8217;s a popular technique designed to steal victims&#8217; financial information. Thanks to the legit-looking design and a complex delivery method with social engineering, this is one of the most successful cyberattacks. And in most cases, <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/phising-types-of-attacks\/\" target=\"_blank\">phishing<\/a> malicious emails and files track your geolocation.&nbsp;<br><\/p>\n\n\n\n<p>If we open this website that looks trustworthy, the authorization window offers to input a password there. 
If you do so in the sandbox, then among the HTTP requests we can see a request with a special log-file record &#8211; this is our password.&nbsp;<\/p>\n\n\n\n<p>In the Connections tab, we can see the malware using port 443 to interact with the network.<br><\/p>\n\n\n\n<p>Because the malware uses a cryptographic protocol for network interaction, the contents of the packets can&#8217;t be read without additional tools. We have no such problem here, since we enabled HTTP MITM Proxy.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/vU6YiETyFUEPFAs59njwCffLMuQcHgGmO350VWdSu4WL8ldAT_FgxOrbAy-vpNVhTagA80BgosP8WGu4KzhJNx9jWWZYuE37It68LQ0BqABsm8QXlVPOb4fA0kQwKtXucz_9vHHQEfWu9_bNVQ\" alt=\"Decoded content of the packets\"\/><figcaption class=\"wp-element-caption\">Decoded content of the packets<\/figcaption><\/figure>\n\n\n\n<p>Analysts can use HTTPS MITM proxy to <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-details\/\" target=\"_blank\">get deeper data<\/a> when malware uses SSL or TLS to send or receive information. It logs and saves the SSL\/TLS master keys so that analysts can decrypt the traffic with programs like Wireshark.<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">2. Tor and locale<\/h5>\n\n\n\n<p>Sometimes malicious objects contain macros that check Microsoft Office&#8217;s LanguageID and the first letter of its title, and they don&#8217;t run if the required settings are wrong.&nbsp;<br><\/p>\n\n\n\n<p>Sometimes we can guess which country we need to choose for detecting malicious activity by looking at the language of the malicious document&#8217;s decoy.&nbsp;<br><\/p>\n\n\n\n<p>We may choose different countries in the Tor field in the expanded settings. It fools malware that queries IP geolocation services, which return the country the IP address belongs to. 
Malware quits execution if the country is not targeted. With Tor, all we need is to determine what <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/cybersecurity-blog\/cybersecurity-threats-2022\/\" target=\"_blank\">threat<\/a> we&#8217;re dealing with, in less than three minutes.&nbsp;<br><\/p>\n\n\n\n<p>Combine Tor and locale to get better and faster results: some malware uses quite simple geolocation checks. We can select different locales to bypass malware geo evasion during malware analysis. This includes changing:<br><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keyboard layout<\/li>\n\n\n\n<li>Country &amp; currency<\/li>\n\n\n\n<li>Time zone &amp; format<\/li>\n<\/ul>\n\n\n\n<p>Some malware stops executing if a particular language is set in the system. For example, let&#8217;s start <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/6bca21e7-012d-4c0c-ac54-68e831e5b676\" target=\"_blank\">a task with a Raccoon stealer<\/a>, selecting the locale Belarusian (be-BY). 
It&#8217;s easy to notice that all processes were terminated right after the malware started.<br><\/p>\n\n\n\n<p>Now let&#8217;s <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/bbbde0da-a993-4380-95cd-8eecb8ab9903\/\" target=\"_blank\">restart the task<\/a> and change the locale to the United States (en-US).&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/ulbxSt0ho7ZkeNtY9wkvJWPVtknLK28gz6_CemxMeygTz2byV0zQJjc6B6fJPoev3RJDZv1dA4lApYwbDTXjLoy3zTp7h65wwCDXl6hyGtU-tDa9d4EHpoFMJTxcwQ5tSLbkLENJc8duz0WQ0A\" alt=\"Analyze Geo-Targeted Malware with locale\"\/><figcaption class=\"wp-element-caption\">Raccoon&#8217;s processes with different locales<\/figcaption><\/figure>\n\n\n\n<p>The increased activity is immediately noticeable: the <a href=\"https:\/\/any.run\/cybersecurity-blog\/detection-with-suricata-ids\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">detected malware<\/a>, <a href=\"https:\/\/any.run\/malware-trends\/raccoon\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Raccoon<\/a>, started exchanging information over the network, changing system certificate settings, etc.<br><\/p>\n\n\n\n<p>As you can see, just changing the locale made a striking difference \u2013 in one case, the malware simply doesn&#8217;t work, while in the other, it shows its malicious properties.&nbsp;<br><\/p>\n\n\n\n<h5 class=\"wp-block-heading\">3. <strong>VPN&nbsp;<\/strong><br><\/h5>\n\n\n\n<p>You can also use your own VPN configuration for analysis. Open your Profile page on the service and upload the OpenVPN config file. 
Then, when creating a new task, select your file in the network section and go straight to the analysis.&nbsp;<br><\/p>\n\n\n\n<p>In <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/a889c7a5-201d-422e-8d23-c0b60fc866fc\" target=\"_blank\">a sample without a VPN<\/a>, the Excel process uses the DDE function to initiate a dynamic data exchange. The process tries to download the payload from the remote server and launches two regsvr32 processes. One of them is supposed to run the 4137 file from the C:\\Users\\admin\\AppData\\Local\\Temp\\ folder. But the payload wasn&#8217;t downloaded from the inmanagment.com source, so regsvr32 never launched it.&nbsp;<\/p>\n\n\n\n<p>Suppose we rerun this task with a different simulation configuration. By checking the file&#8217;s characteristics in Static discovering, we find Italian words, which means the whole campaign is geo-targeted.&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/06\/Screenshot-at-Jun-28-11-12-26.png\" alt=\"File's characteristics in Italian\" class=\"wp-image-2469\"\/><figcaption class=\"wp-element-caption\">File&#8217;s characteristics in Italian<\/figcaption><\/figure>\n\n\n\n<p>Use ANY.RUN&#8217;s Italian VPN for redirection and change the OS locale to it-IT, like in <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/app.any.run\/tasks\/57f92934-2041-4709-aec9-e18fe4babfd5\" target=\"_blank\">a sample with VPN<\/a>.<\/p>\n\n\n\n<p>After 20 seconds, the Excel process successfully launches the executable file. The payload relies on the T1497.003 Sandbox Evasion: Time Based Evasion technique and stays inactive.&nbsp;<br><\/p>\n\n\n\n<p>Ursnif, aka Gozi\/ISFB, uses the same method. 
Moreover, the malware uses T1497.002 Sandbox Evasion: User Activity-Based Checks \u2013&nbsp;it tests whether there is any network activity. After some network-activity API is used, the malware starts execution. It performs numerous operations: injects malicious code into OS applications, deletes itself, exchanges data with the remote server, etc.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/8ihGPXvoNMj8MauhtFmgSHVkWspCx-y7LZB3MExGXzwvd0vN8oE_wEqvExuCUKIGiKuHpj5qIoAjYOQUO1fO9KgqUIF-9zM4hOHkDDxoO7qiZuahpNFsz4dBwsufHU1fOrvKpyg6w6wRtnB1Mw\" alt=\"Analyze Geo-Targeted Malware with VPN\"\/><figcaption class=\"wp-element-caption\">Ursnif execution without and with VPN<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>To sum it up<\/strong><\/h3>\n\n\n\n<p>Investigating malicious programs on systems outside the targeted region will not reveal their entire behavior, especially when the malware has built-in location checks. We discussed 3 ways to analyze location-based malware that behaves differently in a specific country:&nbsp;<br><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>HTTPS MITM proxy&nbsp;<\/li>\n\n\n\n<li>Tor and locale<\/li>\n\n\n\n<li>VPN<\/li>\n<\/ol>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=geo_targeted_malware\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN (opens in a new tab)\">ANY.RUN<\/a>&#8217;s various features allow cybersecurity specialists to route traffic through their country of choice and uncover all data of geo-targeted malware.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyber attacks get more personalized, and malware authors trick victims using individual approaches. 
Such campaigns adapt malicious programs to the attacked country: using local language, services, currency, and others.&nbsp; In some cases, the geofenced malware won&#8217;t start execution if it detects the OS&#8217;s language or IP of a non-targeted country. Today we will discuss how [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3702,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[34],"class_list":["post-2433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>3 Ways to Analyze Geo-Targeted Malware - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Geofenced malware won&#039;t reveal its behavior outside the targeted area, as it has built-in location checks. But ANY.RUN features can help: read in the post!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"3 Ways to Analyze Geo-Targeted Malware\",\"datePublished\":\"2022-06-28T05:34:25+00:00\",\"dateModified\":\"2024-07-24T07:47:40+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\"},\"wordCount\":1497,\"commentCount\":4,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\",\"name\":\"3 Ways to Analyze Geo-Targeted Malware - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-06-28T05:34:25+00:00\",\"dateModified\":\"2024-07-24T07:47:40+00:00\",\"description\":\"Geofenced malware won't reveal its behavior outside the targeted area, as it has built-in location checks. 
But ANY.RUN features can help: read in the post!\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"3 Ways to Analyze Geo-Targeted Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"3 Ways to Analyze Geo-Targeted Malware - ANY.RUN&#039;s Cybersecurity Blog","description":"Geofenced malware won't reveal its behavior outside the targeted area, as it has built-in location checks. But ANY.RUN features can help: read in the post!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"3 Ways to Analyze Geo-Targeted Malware","datePublished":"2022-06-28T05:34:25+00:00","dateModified":"2024-07-24T07:47:40+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/"},"wordCount":1497,"commentCount":4,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/","url":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/","name":"3 Ways to Analyze Geo-Targeted Malware - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-06-28T05:34:25+00:00","dateModified":"2024-07-24T07:47:40+00:00","description":"Geofenced malware won't reveal its behavior outside the targeted area, as it has built-in location checks. 
But ANY.RUN features can help: read in the post!","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/3-ways-to-analyze-geo-targeted-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"3 Ways to Analyze Geo-Targeted Malware"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2433"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=2433"}],"version-history":[{"count":2,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2433\/revisions"}],"predecessor-version":[{"id":8307,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/2433\/revisions\/8307"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3702"}],"
wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=2433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=2433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=2433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}