Based on the findings of Malwarebytes’ Threat Review for 2022, 40 million Windows business computers’ threats were detected in 2021. In order to combat and avoid these kinds of attacks, malware analysis is essential. In this article, we will break down the goal of malicious programs’ investigation and how to do malware analysis with a sandbox.
Malware analysis is a process of studying a malicious sample. During the study, a researcher’s goal is to understand a malicious program’s type, functions, code, and potential dangers. Receive the information organization needs to respond to the intrusion.
Results of analysis that you get:
Across these five steps, the main focus of the investigation is to find out as much as possible about the malicious sample, the execution algorithm, and the way malware works in various scenarios.
We believe that the most effective method to analyze malicious software is to mix static and dynamic methods. Here is a short guide on how to do malware analysis. Just follow the following steps:
You can customize a VM with specific requirements like a browser, Microsoft Office, choose OS bitness, and locale. Add tools for the analysis and install them in your VM: FakeNet, MITM proxy, Tor, VPN. But we can do it easily in ANY.RUN sandbox.
This is a stage for static malware analysis. Examine the executable file without running it: check the strings to understand malware’s functionality. Hashes, strings, and headers’ content will provide an overview of malware intentions.
For example, in the screenshot below, we can see the hashes, PE Header, mime type, and other information of the Formbook sample. To take a brief idea about functionality, we can take a look at the Import section in a sample for malware analysis, where all imported DLLs are listed.
Here is the dynamic approach to malware analysis. Upload a malware sample in a safe virtual environment. Interact with malware directly to make the program act and observe its execution. Check the network traffic, file modifications, and registry changes. And any other suspicious events.
In our online sandbox sample, we may take a look inside the network stream to receive the crook’s credentials info to C2 and information that was stolen from an infected machine.
If threat actors obfuscated or packed the code, use deobfuscation techniques and reverse engineering to reveal the code. Identify capabilities that weren’t exposed during previous steps. Even just looking for a function used by malware, you may say a lot about its functionality. For example, function “InternetOpenUrlA” states that this malware will make a connection with some external server.
Additional tools, like debuggers and disassemblers, are required at this stage.
Include all your findings and data that you found out. Provide the following information:
The modern antiviruses and firewalls couldn’t manage with unknown threats such as targeted attacks, zero-day vulnerabilities, advanced malicious programs, and dangers with unknown signatures. All these challenges can be solved by an interactive sandbox.
Interactivity is the key advantage of our service. With ANY.RUN you can work with a suspicious sample directly as if you opened it on your personal computer: click, run, print, reboot. You can work with the delayed malware execution and work out different scenarios to get effective results.
During your investigation, you can:
All of these features help to reveal sophisticated malware and see the anatomy of the attack in real-time.
Try to crack malware using an interactive approach. If you use ANY.RUN sandbox, you can do malware analysis and enjoy fast results, a simple research process, investigate even sophisticated malware, and get detailed reports. Follow the steps, use smart tools and hunt malware successfully.
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.
