How to speed up malware analysis

Today malware evolves very fast. Loaders, stealers, and different types of ransomware change so quickly, so it’s become a real challenge to keep up with them. Along with that analysis of them becomes harder and more time-consuming. But cybersecurity specialists can’t waste their time, waiting can cause serious damage. So, how to avoid all of that and speed up malware analysis? Let’s find out.

Malware analysis

The goal of malware analysis is to research a malicious sample: its functions, origin, and possible effects on the infected system. This data allows analysts to detect malware, react to the attack effectively, and enhance security.

Generally, there are two ways of how to perform malware analysis:

• Static analysis: get information about a malicious program without running, just having a look at it. With this approach, you can investigate content data, patterns, attributes, and artifacts. However, it’s very hard to work with any advanced malware using only static analysis.
• Dynamic analysis: examine malware while executing it on hardware or, more frequently, in a sandbox, and then try to figure out its functionality. The great advantage here is that the virtual machine allows you to research malicious files completely safe for your system.

Sandboxes

The main part of the dynamic analysis is to use a sandbox. It is a tool for executing suspicious programs from untrusted sources in a safe environment for the host machine. There are different approaches to the analysis in sandboxes. They can be automated or interactive.

Online automated sandboxes allow you to upload a sample and get a report about its behavior. This is a good solution especially compared to assembling and configuring a separate machine for these needs. Unfortunately, modern malicious programs can understand whether they are run on a virtual machine or a real computer. They require users to be active during execution. And you need to deploy your own virtual environment, install operation systems, and set software needed for dynamic analysis to intercept traffic, monitor file changes, etc.

Moreover, changing settings to every file takes a lot of time and anyway, you can’t affect it directly. We should keep in mind that analysis doesn’t always follow the line and things may not work out as planned for this very sample. Finally, it’s lacking the speed we need, as we have to wait up to half an hour for the whole cycle of analysis to finish. All of these cons may cause damage to the security if an unusual sample remains undetected. Thankfully, now we have interactive sandboxes.

With ANY.RUN, you can detect, analyze, and monitor threats. And one of its main advantages is that malware can be tricked into executing as if it is launched on a real machine. A user can influence the simulation and interact with the virtual environment: click a mouse, input data, reboot the system, open files, etc. You receive initial results straight after a task is run. One or two minutes are usually enough to complete the research after the end of a task. You may also collect Indicators of Сompromise (IOCs), information that helps to detect a threat in the network. Cybersecurity specialists can use IOCs to identify which malicious program has got into the system, or analyze samples and collect data to protect organizations from possible attacks.

Fast analysis with ANY.RUN

ANY.RUN users can upload their research publicly, so their tasks are available for your research in the public submissions. It’s a huge database of fresh malware samples and completed reports. More than 8000 uploads are performed here daily. You can also use them to speed up your analysis. The simplest way is to make a hash sum search there and it is possible that the sample has already been investigated.

Let’s analyze one of the submissions to see the fast analysis in action.

By looking at the process tree we can see the EXCEL.EXE process running and just after a couple of seconds the EQNEDT32.EXE starts execution. It means that exploitation of the Microsoft equation editor vulnerability (CVE-2017-11882) was used, which shows us that the sample is malicious. After the exploitation, the EQNEDT32.EXE process is downloading and starting the executable file from the Command & Control server. Thanks to the easy-to-understand GUI, we can tell that the analyzed sample is malicious just 3 seconds after the task is started, so we can complete the analysis within minutes.

And as we can notice from the picture below, 14 seconds are more than enough to get the malware family detected by the network’s Suricata rules. Note that this sample is also detected by local signatures after it creates files and writes into the registry. The real-time analysis starts a few seconds after the task is launched. Once the Excel file is opened, the infection process starts. In the virtual machine, we have an opportunity to react to it and maybe trigger the possible malware to act.

The RegAsm.exe system process is injected, then it steals personal data, drops applications, and changes the autorun value in the registry. Moreover, Lokibot is detected. We also know from “HTTP Requests” that EQNEDT32.EXE downloads the main payload from the following URL http://192.210.214.146. In the “Connections” field we can find out that RegAsm.exe connects with microdots.in.

Our task is still running and we’ve already collected a lot of data. But if something seems a little off, the executed file or maldoc may not have worked out. You can relaunch the task with new configurations: pick a different system’s locale, run it with Tor, or choose another OS. And you may get a completely new outcome within a couple of minutes.

After that, you can spend more time performing a more comprehensive analysis with the help of the MITRE ATT&CK matrix, the process graph. You can work on one sample jointly, save or share your task with colleagues using various types of reports.

Sometimes you don’t need to wait until local or network signatures detect malware family – you can determine it by yourself in no time! For example, Wshrat requests payload by the POST method and names itself in this process 21 seconds after the following task is started.

Here’s another situation, your sample doesn’t run in the chosen environment. For example, the malware checks the locale and doesn’t start the execution if the language doesn’t meet the criteria. In the task below a malicious document checks the language in the operational system and Microsoft Office. The malware runs only if the locale’s Italian (en-US / it-IT).

In a virtual machine, you need to perform many manual steps to add additional language both in the OS and Office. But with ANY.RUN you just restart your task with a different locale – pretty time saving: a couple of seconds instead of minutes and hours!

This isn’t the only example — malware can check the environment, work in 64-bit systems, be geofenced, etc. And all you need to do is to expand your analysis in a couple of mouse clicks and don’t waste hours on creating new virtual environments, making snapshots, downloading software, and reading manuals. Save your time!

Conclusion

Cybersecurity professionals need to evaluate threats fast and respond efficiently, before damage occurs. Since all basic functionality of ANY.RUN is free, you can try it out and see how it can save your time and speed up malware analysis.