Malware Analysis is the process of analyzing the malware to know its malicious behavior of suspicious files. In the modern world, time flies. Running malware in a sophisticated environment and monitoring each and every activity costs much time. In the meantime Malware, Researchers, and Incident Responders need to act as soon as possible once the breach happens. Instead of Analyzing the malware manually, malware can be processed by some malware analysis engines by predefined automation concepts. This process is reliable and fast, so most of the security operations team prefers fully automated analysis as the first choice to identify the kind of malware that caused the breach. Later on, manual analysis of malware will take place to avoid lateral movements.
A motive of a malware author won’t stop after making a breach into the victim machine or servers. In most cases, Malware authors try to create a persistent connection with the victim machine by creating a command and control server. This leads the malware author to gather or monitor the activities of the victim until or unless it’s discovered.
Why Automated Analysis:
As we discussed above lateral movement is the major threat for the victim affected by malware. Once the breach happens, the main task for an incident response team or a Malware Researcher is to identify the threats as soon as possible to patch them to prevent future attacks. There are a lot of publicly available automated malware analysis engines which come in handy in this situation. Unless or until the malware author used a custom-written malicious program, previously known malware’s can be easily identified by these engines and can also list out what the malware is up to. So it will be a piece of cake for a Security Operations team to respond accordingly based on the reports.
Fully Automated Analysis:
[Note]: The malware sample used in this series has been cloned from the mentioned GitHub repository. The password to unlock the malware zip files is [ infected].
[ Statutory Warning: All the demonstrations done in this tutorial were illustrated in a sophisticated environment. It’s important that if you are following the same, make sure not to run on your host machine. It’s compulsory to run this malware on an isolated machine. We also don’t encourage trying any malicious activities with anyone except yourself. If anything happens by breaking the above-mentioned rules, we are not responsible for that. ]
Steps Involved in Fully Automated Analysis:
As a malware researcher, I strongly recommend doing an Antivirus scan on the suspicious file before taking it to an analysis. The first thing is to check whether the suspicious file is malicious or not by scanning the file with various Antivirus-Engines. It helps to identify whether the malicious file has been previously identified by other malware researchers out there to avoid analyzing the file instead of referring to the previously documented analysis of the particular file.
But this process looks too complicated. To do that we need to install various antivirus engines on the machine to scan the suspicious file. And it will be more time-consuming too. But that’s not necessary, there are a lot of online service providers which allow us to upload the suspicious file for analysis. The vendor itself scans the file with various antivirus engines and provides the scan output of various antivirus engines. There are some service providers who provide the service free for non-commercial uses.
VirusTotal is an online service that analyzes files and URLs for the detection of viruses, worms, trojans, and other kinds of malicious content using antivirus engines and website scanners. In the below example, I have uploaded a malware sample from the zoo repositories and the result shows 67 out of 70 engines have identified the file as malicious as result.
Hash : db349b97c37d22f5ea1d1841e3c89eb4
Sandbox is a sophisticated environment that allows users to execute programs or applications in a restricted environment. Sandbox plays a major part in software development, cybersecurity, and software testing practices. Malware Researchers use the sandbox to run malicious or suspicious files to analyze its activities without affecting the host system, network, or any other devices that are connected.
While talking about sandboxes, we don’t need to worry if you don’t know how to create a virtually isolated environment for malware analysis or to manually analyze through automation on isolated sandboxes. There are few vendors who created an open-source malware analysis sandbox that is free of cost for non-commercial uses. These sandboxes have predefined malware analysis scripts that run in an isolated environment upon successfully uploading the suspicious files to it. Once the malware gets analyzed a detailed report on the malware activities and its behavior has been generated. Here are a few links to some open-sourced sandboxes listed below.
Why Private sandbox, if there are a lot of public sandboxes which most of them are even open source. Public sandboxes keep history and have data of what file has been uploaded. So if a breach happens and that’s too personal for an individual or an organization by target, trusting open source is not a good choice. By creating our own private sandbox for analysis, the malware author gets to know that the incident response team or a malware researcher detected the malicious activity. It also helps in customizing the analysis techniques according to us instead of doing predefined rules to follow.
I hope the tutorial is informative and helps to learn the importance of fully automated analysis, public sandboxes, and private sandboxes. In our future series, let’s try to analyze some malware with all the steps mentioned above. Read more about The Art of Malware Analysis.