{"id":5783,"date":"2023-09-19T08:02:46","date_gmt":"2023-09-19T08:02:46","guid":{"rendered":"\/cybersecurity-blog\/?p=5783"},"modified":"2024-06-03T10:21:18","modified_gmt":"2024-06-03T10:21:18","slug":"malware-analysis-anyrun-tips","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-anyrun-tips\/","title":{"rendered":"Malware Analysis for Keeping Up with the Latest Threats: Lessons from ANY.RUN\u00a0"},"content":{"rendered":"\n

At ANY.RUN<\/a>, the value of our product lies in its detection and analysis capabilities. Our service needs to be able to identify a threat as soon as it exhibits malicious activity. This is why we have a large team dedicated solely to discovering, analyzing, and reverse engineering new families of malware to extract the information needed to keep our system up-to-date.<\/p>\n\n\n\n

In this article, we want to offer you a behind-the-scenes look at our malware analysis department, showing their complete course of action when handling a fresh sample of malicious software and know-hows they use during every stage.<\/p>\n\n\n\n

Stage 1: Finding a new sample<\/h2>\n\n\n\n

Our team is constantly on the lookout for fresh malware samples<\/a>. In this regard, our public database<\/a> of submissions, which receives an inflow of thousands of daily uploads, serves as the core source for finding yet-unseen material.  <\/p>\n\n\n\n

\"\"
ANY.RUN\u2019s public database contains 6 million submissions<\/em><\/figcaption><\/figure>\n\n\n\n

Additionally, we hunt using OSINT sources and other popular platforms, including MalwareBazaar, from which we collect malicious files and links. Once we locate an object of interest, we make sure to gather as many samples of it as possible in order to examine every current variation of the malware and use the information gathered to update our service\u2019s detection capabilities. <\/p>\n\n\n\n

Tools used: <\/strong>ANY.RUN, MalwareBazaar, VirusShare.com, Virus.exchange.<\/p>\n\n\n\n

Stage 2: Classifying the malware<\/h2>\n\n\n\n

In this stage, we focus on identifying the malware’s type, purpose, and origin. The interactivity<\/a> offered by ANY.RUN lets us take a close look at any malware\u2019s behavior and gain a clear insight into the intention behind the malicious program and understand what steps we need to take next.  <\/p>\n\n\n\n

For instance, ANY.RUN highlights the entire execution path and network traffic of any sample. As a result, we can observe the actions undertaken by the malware and easily spot its primary type, whether it is ransomware that is encrypting files on the system or a stealer that is collecting user data and sending it to its command-and-control server. <\/p>\n\n\n\n

Tools used: <\/strong>ANY.RUN. <\/p>\n\n\n\n

ANY.RUN community experts: Germ\u00e1n Fern\u00e1ndez, twitter.com\/1ZRR4H<\/a> <\/p>\n\n\n\n

\n

The first thing I do is OSINT\/CSINT on the relevant elements of the sample, such as certain strings, communications, infection chain, IPs, domains, or certificates. Then, depending on the type of threat, I analyze it in sandboxes that allow me to simulate or fake an Internet connection to avoid alerting the attackers. If I do not get a positive response, I move to the analysis in my virtual machines until I piece the puzzle together. That is the path I usually follow to find out what it is.<\/em><\/p>\n<\/blockquote>\n\n\n\n

Stage 3: Identifying the sample\u2019s format, language, and packer <\/h2>\n\n\n\n

It is no surprise that attackers often attempt to disguise the malicious file\u2019s format by replacing its extension with a different one. Therefore, in order to ascertain the sample\u2019s format, we employ the \u201cfile\u201d utility or utilize Detect It Easy (DIE)<\/strong>.  <\/p>\n\n\n\n

DIE is a nifty tool that additionally helps us determine the programming language, in which the binary is written, as well as the packer used for encrypting the sample. <\/p>\n\n\n\n

\"\"
An XWorm sample<\/em><\/a> loaded into DIE<\/em><\/figcaption><\/figure>\n\n\n\n

Tools used: <\/strong>\u201cFile,\u201d Detect It Easy. <\/p>\n\n\n\n

Stage 4: Unpacking the sample <\/h2>\n\n\n\n

With the basic information in our pocket, we move on to unpacking. These days, malware developers implement a variety of ways to make it harder for cybersecurity professionals to conduct analysis. Packing is one of them.  <\/p>\n\n\n\n

To remove protective layers, we use a combination of different tools, including a debugger and Process Hacker 2, ProcDump, or Volatility <\/strong>launched in a virtualized environment, which allows us to make a proper memory dump suitable for further investigation. <\/p>\n\n\n\n

It is worth noting that the entire process which will be outlined below can be carried out much faster using ANY.RUN. Our service provides a detailed execution path and documents every event happening on the system, which is related to malware\u2019s activity, including in terms of the network traffic. The sandbox also makes it possible to download memory dumps of detected malware for closer inspection.<\/p>\n\n\n\n\n

\n\n

\nTest the interactivity and speed<\/span> of ANY.RUN using your malware sample \n<\/p>\n\n\nGet started with a free account\u00a0\n<\/a>\n<\/div>\n\n\n\n