{"id":9599,"date":"2024-11-02T11:41:05","date_gmt":"2024-11-02T11:41:05","guid":{"rendered":"\/cybersecurity-blog\/?p=9599"},"modified":"2024-11-02T13:35:33","modified_gmt":"2024-11-02T13:35:33","slug":"how-to-analyze-malicious-network-traffic","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-analyze-malicious-network-traffic\/","title":{"rendered":"How to Capture, Decrypt, and Analyze Malicious Network Traffic with ANY.RUN"},"content":{"rendered":"\n

Network traffic analysis provides critical insights into malware and phishing attacks. Doing it effectively requires using proper tools like ANY.RUN’s Interactive Sandbox<\/a>. It simplifies the entire process, letting you investigate threats with ease and speed. <\/p>\n\n\n\n

Take a look at the key ways you can monitor and analyze network activity with the service. <\/p>\n\n\n\n

Connections <\/h2>\n\n\n\n

Examining network connections involves looking at source and destination IP addresses, ports, URLs, and protocols. During this process, you can observe all activities that may pose a risk to the system, such as connections to known malicious domains and attempts to access external resources.\u00a0<\/p>\n\n\n\n

To correlate the network activity with other behaviors or components of the malware, ANY.RUN identifies the process name and Process Identifier<\/a> (PID) initiating the connection. This allows you to gain a better understanding of the threat\u2019s functionality and purpose.\u00a0<\/p>\n\n\n

\n
\"\"
The Connections tab monitors all the network activity on the system <\/em><\/figcaption><\/figure><\/div>\n\n\n

In the Connections<\/em> section, additional attributes like the country (CN) and Autonomous System Number (ASN) provide context for the geographical location and the organization managing the IP address. <\/p>\n\n\n\n

The service also lists DNS requests that help you identify malicious domains used for Command & Control (C&C) communication or phishing campaigns. <\/p>\n\n\n\n

Use Case: Identifying Agent Tesla\u2019s Data Exfiltration Attempt  <\/h3>\n\n\n\n

Consider the following sandbox session<\/a>. Here, we can discover a malicious connection to an external server.\u00a0<\/p>\n\n\n

\n
\"\"
Malicious connection identified by the ANY.RUN sandbox and marked with a flame icon<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n

We can navigate to the process that started this connection (PID 6904) to see the details.\u00a0\u00a0<\/p>\n\n\n

\n
\"\"
The sandbox shows that the process connected to a server controlled by attackers<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n

The service displays two signatures related to the connection, which specify that it was made to a server suspected of data theft over the SMTP port. The sandbox also links the process of Agent Tesla<\/a>, a malware family used by cyber criminals for remote control and data exfiltration.\u00a0\u00a0<\/p>\n\n\n

\n
\"\"
Suricata rule used for detecting Agent Tesla\u2019s malicious connection<\/em><\/figcaption><\/figure><\/div>\n\n\n

Thanks to ANY.RUN\u2019s integration of Suricata IDS<\/a>, you can discover triggered detection rules by navigating to the Threats<\/em> tab.\u00a0The detection of data exfiltration over SMTP in this case is done without decryption. The sandbox relies solely on specific sequences of packet lengths characteristic of sending victim data.\u00a0<\/p>\n\n\n\n

HTTP Requests and Content <\/h2>\n\n\n\n

ANY.RUN provides comprehensive analysis of HTTP requests and their content. To access header information, simply navigate to the Network<\/em> tab. Here, you’ll find a detailed list of all HTTP requests recorded by the sandbox. <\/p>\n\n\n

\n
\"\"
You can investigate HTTP Requests in detail in ANY.RUN<\/em><\/figcaption><\/figure><\/div>\n\n\n

Click on a specific request to view its headers, which include information such as the request method, user-agent, cookies, and response status codes.\u00a0<\/p>\n\n\n\n

ANY.RUN also offers static analysis of the resources transmitted as part of HTTP requests and responses. These may include HTML pages, binary, and other types of files. The sandbox extracts their metadata and strings. <\/p>\n\n\n\n

Use Case: Discovering a Server for Collecting Stolen Passwords\u00a0<\/h3>\n\n\n\n

When investigating phishing attacks, it is sometimes necessary to check which server ends up receiving the passwords entered by victims on a malicious webpage. To accomplish this task, we need to enable Man-in-the-Middle (MITM) Proxy.\u00a0<\/p>\n\n\n

\n
\"\"
Switching on MITM Proxy takes just one click in the VM setup window<\/em>\u00a0<\/figcaption><\/figure><\/div>\n\n\n

The feature acts as an intermediary between the malware and the server, allowing analysts to intercept and decrypt even HTTPS traffic, typically used for secure communication.\u00a0<\/p>\n\n\n

\n
\"\"
ANY.RUN allows you to interact with the VM including by entering text <\/em><\/figcaption><\/figure><\/div>\n\n\n

Here is an example of a typical attack<\/a> that is designed to trick users into entering their real login credentials on a fake webpage.\u00a0<\/p>\n\n\n\n\n

\n
\n
Please Note<\/div>\n <\/div>\n
\n

Under no circumstances should you enter real credentials when analyzing threats in the ANY.RUN sandbox. Instead, use a non-existent test email and password.<\/p>\n <\/div>\n<\/div>\n\n\n\n\n