{"id":691,"date":"2020-09-17T13:25:00","date_gmt":"2020-09-17T13:25:00","guid":{"rendered":"http:\/\/blog.susp.io\/?p=691"},"modified":"2022-12-21T06:53:51","modified_gmt":"2022-12-21T06:53:51","slug":"malware-detection-guide","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/","title":{"rendered":"Guide to Malware Detection with ANY.RUN"},"content":{"rendered":"\n<p>Before analyzing malware or dealing with the consequences of an attack the analyst needs to detect the threat. Unfortunately, with modern malware using so many anti-detection techniques, relying on automatic tools is not enough anymore.<\/p>\n\n\n\n<p>In this post, we will talk about how ANY.RUN can help you detect malware where standard automatic systems fail.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malware is Detected with Signatures<\/h2>\n\n\n\n<p>We use signatures to detect malicious programs. When threat actors took to the internet way in the past, they gained a way to distribute malware in horrifying quantities that security professionals couldn&#8217;t imagine at the time. In response, pioneers of the cybersecurity industry developed early AV software that incorporated what is now known as signature-based detection.<br><\/p>\n\n\n\n<p>With signature-based detection, the AV software constantly analyses files and assigns a unique signature or hash to each. A hash is then added to the global online database. Antiviruses tap into that database and compare files against known hashes associated with malicious activity. If there is a match, the antivirus isolates the file.&nbsp;<br><\/p>\n\n\n\n<p>Signature-based detection has been a staple of malware detection, but it&#8217;s slowly becoming less effective.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">But Sometimes Signature-Based Detection is not Enough<\/h2>\n\n\n\n<p>Today, most malware samples are polymorphic. 
This means that they are equipped with a mutation engine that can change certain parameters like file names and hash sums, completely throwing off antiviruses. In other words, every instance of the same malware strain generates unique signatures, making it impossible to find a match in the signature database.&nbsp;<br><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/malware-trends\/emotet\" target=\"_blank\">Emotet<\/a> Trojan and <a href=\"https:\/\/any.run\/malware-trends\/qbot\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Qbot<\/a> are examples of widely known malware families that use polymorphism.&nbsp;<br><\/p>\n\n\n\n<p>One way to overcome the challenge is to use sandboxes. Sandboxes allow analysts to launch malware in a virtual environment and watch the execution process. This enables us to see exactly what the suspicious file will do on an infected machine and collect the data we need for identification.<br><\/p>\n\n\n\n<p>The problem is that a lot of modern malware families use another evasion technique. They know when they are launched on a virtual machine and behave differently than they would in a real environment, thus avoiding detection.<br><\/p>\n\n\n\n<p>This is where <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-house&amp;utm_content=guide_detection\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN<\/a> comes in.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">ANY.RUN\u2019s Interactivity Throws Off Malware Evasion Techniques<\/h2>\n\n\n\n<p>ANY.RUN can trick malware into executing as if it were launching on a real machine because our service is interactive. As a user, you can influence the simulation at any time and interact with the virtual environment: drag a mouse, tap keys, and so on. 
You can also control an extensive list of simulation parameters like setting up a virtual OS version.<br><\/p>\n\n\n\n<p>With all of the above, the simulation can be corrected when a researcher notices that something strange is going on.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Let\u2019s Look at a Few Examples<\/h2>\n\n\n\n<p>ANY.RUN is a solid tool for malware identification. Let\u2019s take a quick look at how you can use it to identify malware.<br><\/p>\n\n\n\n<p>Imagine that we are analyzing a suspicious file in ANY.RUN. Every malware family is different and creates different signatures. A good place to start is by looking at the network connections.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/detection1-1-1024x215.png\" alt=\"Network connection\" class=\"wp-image-778\"\/><\/figure>\n\n\n\n<p>The network connections tab is at the bottom of the screen by default. Some malware strains connect with the C&amp;C using the POST method. If you are lucky, you can find the malware strain in the user agent name.<br><\/p>\n\n\n\n<p>Just click POST to open a pop-up window with additional details of the request.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/detection2-1024x883.png\" alt=\"Request details in ANY.RUN\" class=\"wp-image-779\"\/><\/figure>\n\n\n\n<p>Sure enough, we got lucky and we can clearly see that we\u2019re dealing with <a href=\"https:\/\/any.run\/malware-trends\/wshrat\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">WSHRAT<\/a>. As simple as that, we\u2019ve identified the malware.<br><\/p>\n\n\n\n<p>But network requests won\u2019t work every time. 
Let\u2019s take a look at one more example.<\/p>\n\n\n\n<p>This time we don\u2019t have any information in the HTTP requests, so we will have to look elsewhere.&nbsp;<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/detection3-1-1024x253.png\" alt=\"\" class=\"wp-image-781\"\/><\/figure>\n\n\n\n<p>Let\u2019s take a look at the \u201cFiles\u201d tab and search for file names associated with malicious behavior. The console will show us files created or modified by the malware.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/detection4-1024x259.png\" alt=\"File modifications in ANY.RUN\" class=\"wp-image-782\"\/><\/figure>\n\n\n\n<p>We can see a directory named \u201cZulycjadyc\u201d. Usually, it is created by Qbot. We can say that we are dealing with this banking Trojan simply by finding the file or directory that it is known to generate.&nbsp;<br><\/p>\n\n\n\n<p>In both cases, it would take us just a couple of minutes to analyze the file and identify the malware strain. Pretty impressive.<br><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>As malware is getting more advanced and automatic signature-based detection methods start to fail, we need new tools to identify malicious programs with a high degree of success. <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=in-house&amp;utm_content=guide_detection\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"ANY.RUN (opens in a new tab)\">ANY.RUN<\/a> can help researchers get results quickly when analyzing suspicious files and it will work where fully automatic sandboxes fail.&nbsp;<br><\/p>\n\n\n\n<p>Next time that you come across a file that raises concerns, make sure to take a few minutes and run it through ANY.RUN! 
<br><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Before analyzing malware or dealing with the consequences of an attack the analyst needs to detect the threat. Unfortunately, with modern malware using so many anti-detection techniques, relying on automatic tools is not enough anymore. In this post, we will talk about how ANY.RUN can help you detect malware where standard automatic systems fail. Malware [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3059,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6],"tags":[32,33,15],"class_list":["post-691","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","category-instructions","tag-detection","tag-guides","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Guide to Malware Detection - ANY.RUN Blog<\/title>\n<meta name=\"description\" content=\"Malware is getting more advanced and automatic detection methods start to fail. Let&#039;s discuss new opportunities that an interactive approach gives us.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Guide to Malware Detection with ANY.RUN\",\"datePublished\":\"2020-09-17T13:25:00+00:00\",\"dateModified\":\"2022-12-21T06:53:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\"},\"wordCount\":799,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"detection\",\"guides\",\"malware\"],\"articleSection\":[\"Cybersecurity Lifehacks\",\"Instructions on ANY.RUN\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\",\"name\":\"Guide to Malware Detection - ANY.RUN Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2020-09-17T13:25:00+00:00\",\"dateModified\":\"2022-12-21T06:53:51+00:00\",\"description\":\"Malware is getting more advanced and automatic detection methods start to fail. 
Let's discuss new opportunities that an interactive approach gives us.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Instructions on ANY.RUN\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/instructions\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Guide to Malware Detection with ANY.RUN\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Guide to Malware Detection - ANY.RUN Blog","description":"Malware is getting more advanced and automatic detection methods start to fail. Let's discuss new opportunities that an interactive approach gives us.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Guide to Malware Detection with ANY.RUN","datePublished":"2020-09-17T13:25:00+00:00","dateModified":"2022-12-21T06:53:51+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/"},"wordCount":799,"commentCount":3,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["detection","guides","malware"],"articleSection":["Cybersecurity Lifehacks","Instructions on ANY.RUN"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/","url":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/","name":"Guide to Malware Detection - ANY.RUN Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2020-09-17T13:25:00+00:00","dateModified":"2022-12-21T06:53:51+00:00","description":"Malware is getting more advanced and automatic detection methods start to fail. 
Let's discuss new opportunities that an interactive approach gives us.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malware-detection-guide\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Instructions on ANY.RUN","item":"https:\/\/any.run\/cybersecurity-blog\/category\/instructions\/"},{"@type":"ListItem","position":3,"name":"Guide to Malware Detection with ANY.RUN"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/691"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=691"}],"version-history":[{"count":1,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/691\/revisions"}],"predecessor-version":[{"id":3801,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/691\/revisions\/3801"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3059"}],"wp:a
ttachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=691"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=691"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=691"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}