How to Do Malware Analysis?
Based on the results of the 2022 Malwarebytes Threat Review, 40 million threats to Windows enterprise computers were detected in 2021. To combat and avoid these types of attacks, malware analysis is essential. In this article, we explain the goal of scanning malicious programs and how to perform malware analysis using a sandbox.
What is malware analysis?
Malware analysis is a process of examining a malicious sample. During study, a researcher’s goal is to understand the type, functions, code, and potential dangers of a malicious program. Get the information the organization needs to respond to the intrusion.
Results of the analysis you will receive:
- How Malware Works: By examining the code of the program and its algorithm, you can prevent it from infecting the entire system.
- Features of the program: Improving detection using data about malware such as family, type, version, etc.
- What is the goal of malware: triggering the execution of the sample to check what data it is targeting, but of course in a safe environment.
- who is behind the attack: Get IPs, provenance, TTPs used and other traces hackers hide.
- a plan to prevent this type of attack.
Types of malware analysis
 |
| Static and dynamic malware analysis |
Important steps of malware analysis
In these five steps, the focus of the investigation is to find out as much as possible about the malicious example, the execution algorithm, and how malware works in different scenarios.
We believe that the most effective way to analyze malware is to combine static and dynamic methods. Here is a short guide to malware analysis. Just follow the steps below:
Step 1. Set up your virtual machine
You can customize a VM with specific requirements such as a browser, Microsoft Office, select the operating system bitness and locale. Add tools for analysis and install them in your VM: FakeNet, MITM proxy, Tor, VPN. But we can easily do it in the ANY.RUN sandbox.
 |
| VM customization in ANY.RUN |
Step 2. Check the static properties
This is a static malware analysis stage. Examine the executable without running it: examine the strings to understand how the malware works. The content of hashes, strings, and headers provides an overview of malware intentions.
For example, in the screenshot below, we can see the hashes, PE header, MIME type, and other information of the formbook example. To get a quick overview of how it works, let’s take a look at the Import section in a malware analysis example, where all the imported DLLs are listed.
 |
| Static detection of the PE file |
Step 3. Monitor malware behavior
Here is the dynamic approach to malware analysis. Upload a malware sample in a secure virtual environment. Interact directly with malware to make the program act and observe its execution. Check network traffic, file changes, and registry changes. And any other suspicious events.
In our online sandbox example, we might peek into the network stream to get the crook’s credentials for C2 and information stolen from an infected computer.
 |
| Attacker credentials |
 |
| Verification of the stolen data |
Step 4. Break the Code
If threat actors obfuscated or packaged the code, use de-obfuscation techniques and reverse engineering to uncover the code. Identify features not exposed in the previous steps. Even if you’re just looking for a feature used by malware, you can tell a lot about its functionality. For example, the InternetOpenUrlA function indicates that this malware is connecting to an external server.
Additional tools such as debuggers and disassemblers are required at this stage.
Step 5. Write a malware report.
Add all your insights and data you found out. provide the following information:
- Summary of your research with the name, origin and main characteristics of the malicious program.
- General information about malware type, filename, size, hashes and virus detection capabilities.
- Description of malicious behavior, infection algorithm, propagation techniques, data collection and communication channels of С2.
- Required bit counts of the operating system, software, executable and initialization files, DLLs, IP addresses and scripts.
- Review of behavioral activities, e.g. B. where credentials are stolen from, whether files are modified, deleted or installed, values are read and the language is checked.
- Code analysis results, header data.
- Screenshots, logs, strings, excerpts, etc.
- IOC’s.
Interactive malware analysis
The modern antivirus programs and firewalls could not deal with unknown threats such as targeted attacks, zero-day vulnerabilities, advanced malware and threats with unknown signatures. All these challenges can be solved through an interactive sandbox.
Interactivity is the key advantage of our service. ANY.RUN allows you to work directly with a suspicious sample as if you had it open on your PC: click, run, print, restart. You can work with the malware’s delayed execution and work out different scenarios to achieve effective results.
During your investigation you can:
- Get interactive access: Work with VM like on your PC: use a mouse, enter data, restart the system and open files.
- Change the settings: pre-installed soft set, several operating systems with different bit counts and builds are ready for you.
- Select tools for your VM: FakeNet, MITM proxy, Tor, OpenVPN.
- Research Network Connections: Intercept packets and get a list of IP addresses.
- Instant access to the analysis: The VM immediately starts the analysis process.
- Monitor system processes: Watch malware behavior in real-time.
- Collect IOCs: IP addresses, domain names, hashes and others are available.
- Get the MITER ATT@CK matrix: Check TTP in detail.
- Do you have a process diagram: evaluate all processes in a graphic.
- Download a ready-made malware report: Print all data in a convenient format.
All of these features help uncover sophisticated malware and see the anatomy of the attack in real-time.
Write the promo code “HACKERNEWS” in the subject of the email to [email protected] and get 14 days ANY.RUN Premium Subscription for free!
Try cracking malware using an interactive approach. Using the ANY.RUN sandbox, you can perform malware analysis and enjoy fast results and a simple research process, examine even sophisticated malware, and get detailed reports. Follow the steps, use smart tools and hunt malware successfully.