Dynamic malware analysis is a key part of any threat investigation. It involves executing a sample of a malicious program in the isolated environment of a malware sandbox to monitor its behavior and gather actionable indicators.
Having the ability to interact with the malware and the system in real time is a great advantage when it comes to dynamic analysis. The sandbox allows us not only to download the archive but also to enter the password (which can be found in the email) and extract its contents to run the malicious payload. After launching the executable file found inside the archive, the sandbox instantly detects that the system has been infected with AsyncRAT, a popular malware family used by attackers to remotely control victims' machines and steal sensitive data.
To understand the malware's execution flow and its impact on the system, you need access to detailed information about the processes it spawns. To assist you in this, your sandbox of choice must provide advanced process analysis that covers several areas. For instance, visualizing the process tree in the ANY.RUN sandbox makes it easier to track the sequence of process creation and termination and to identify the key processes that are critical to the malware's operation. Monitoring registry changes made by the process is crucial for understanding the malware's persistence mechanisms. Another useful feature is process dumps, which may contain vital information such as the encryption keys used by the malware. An effective sandbox will let you easily download these dumps to conduct further forensic analysis.
Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware. Analysis of HTTP requests, connections, and DNS requests can provide insights into the malware's communication with external servers, the type of data being exchanged, and any malicious activities.
Detonating malware in a live environment forces it to expose its C2 server addresses, encryption keys, and other settings that ensure its functionality and communication with the attackers. Although such data is often protected and obfuscated by malware developers, some sandbox solutions are equipped with advanced IOC collecting capabilities, making it easy to identify the malicious infrastructure. The ANY.RUN sandbox goes one step further by not only presenting a list of relevant indicators collected during the analysis session but also extracting configurations for dozens of popular malware families. See an example of a malware configuration in the following sandbox session.
ANY.RUN provides a cloud sandbox for malware and phishing analysis that delivers fast and accurate results to streamline your investigations.
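The process-tree, registry-persistence and network-indicator views described above can be reproduced from raw behavioural events. The following is an added example (not ANY.RUN's code or the article's); the event record format, the process names and the domain are constructed assumptions.

```python
"""Build a process tree and pull indicators out of constructed sandbox events."""
from collections import defaultdict

# Constructed sample of behavioural events, in an assumed record format.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winrar.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "invoice.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "schtasks.exe"},
    {"type": "registry", "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"type": "dns", "pid": 300, "query": "c2.example.invalid"},
    {"type": "http", "pid": 300, "url": "http://c2.example.invalid/gate.php"},
]

# Registry keys whose values start programs at logon (classic persistence).
PERSISTENCE_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")

def build_tree(events):
    """Return {ppid: [pid, ...]} and {pid: image} from process-creation events."""
    children, images = defaultdict(list), {}
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev["pid"])
            images[ev["pid"]] = ev["image"]
    return children, images

def render_tree(children, images, root=1, depth=0):
    """Indented text view of the tree, like a sandbox process view."""
    lines = []
    for pid in children.get(root, []):
        lines.append("  " * depth + f"{images[pid]} (pid {pid})")
        lines.extend(render_tree(children, images, pid, depth + 1))
    return lines

def extract_indicators(events):
    """Group persistence, DNS and HTTP indicators by the process that produced them."""
    iocs = defaultdict(lambda: {"persistence": [], "domains": [], "urls": []})
    for ev in events:
        if ev["type"] == "registry" and ev["key"].endswith(PERSISTENCE_KEYS):
            iocs[ev["pid"]]["persistence"].append(f'{ev["key"]}\\{ev["value"]}')
        elif ev["type"] == "dns":
            iocs[ev["pid"]]["domains"].append(ev["query"])
        elif ev["type"] == "http":
            iocs[ev["pid"]]["urls"].append(ev["url"])
    return dict(iocs)

if __name__ == "__main__":
    ch, im = build_tree(EVENTS)
    print("\n".join(render_tree(ch, im)))
    for pid, found in extract_indicators(EVENTS).items():
        print(pid, im.get(pid), found)
```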
This article was published on thehackernews.com. Publication date: Wed, 02 Oct 2024 12:13:06 +0000