The most sought-after source of these indicators is malware configurations.
Malware configurations are essentially instructions provided by the attacker to the malware.
The behavior of an individual malware sample stems from the configuration settings defined when it was built; its configuration parameters determine all of these.
Analyzing configurations provides insights into the malware's operational capabilities and how it interacts with the target system.
Malware with multiple C&C servers typically communicates with the first IP address, leaving the rest hidden from network traffic monitoring.
Configuration extractors prove invaluable in such situations, revealing these concealed details without actively engaging with the malware.
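To make the point about hidden fallback servers concrete, here is an added example (not ANY.RUN's code or any real family's format): a small extractor that carves a constructed, hypothetical config layout out of a fake memory dump and decodes every C2 entry plus a stalling delay, while a network trace would only have shown the first address contacted.

```python
import struct
import zlib

# Constructed, hypothetical config layout (not any real family's format):
#   "CFG1" | XOR key (1 byte) | entry count (1 byte) | stall delay seconds (u16 LE)
#   then `count` entries: length (1 byte) | XOR-obfuscated ASCII "host:port"
#   then CRC32 (u32 LE) of the plaintext entries, so a bad carve is caught.
MAGIC = b"CFG1"


def build_dump(c2_servers, delay_s, key=0x5A):
    """Embed the constructed config in filler bytes, standing in for a memory dump."""
    body = bytearray(MAGIC + bytes([key, len(c2_servers)]) + struct.pack("<H", delay_s))
    for host in c2_servers:
        raw = host.encode("ascii")
        body += bytes([len(raw)]) + bytes(b ^ key for b in raw)
    body += struct.pack("<I", zlib.crc32("".join(c2_servers).encode("ascii")))
    return b"\x90" * 64 + bytes(body) + b"\x00" * 64


def extract_config(dump):
    """Carve the config from a dump and decode every C2 entry, not just the
    first one a network trace would show, plus the stalling delay."""
    off = dump.find(MAGIC)
    if off < 0:
        raise ValueError("config marker not found")
    pos = off + len(MAGIC)
    key, count = dump[pos], dump[pos + 1]
    delay_s = struct.unpack_from("<H", dump, pos + 2)[0]
    pos += 4
    servers = []
    for _ in range(count):
        n = dump[pos]
        chunk = dump[pos + 1 : pos + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated entry")
        servers.append(bytes(b ^ key for b in chunk).decode("ascii"))
        pos += 1 + n
    expected = struct.unpack_from("<I", dump, pos)[0]
    if zlib.crc32("".join(servers).encode("ascii")) != expected:
        raise ValueError("checksum mismatch: wrong key or corrupt carve")
    return {"c2_servers": servers, "delay_seconds": delay_s}


if __name__ == "__main__":
    # Three fallback C2s (documentation addresses) and a 300-second stall, as constructed sample input.
    dump = build_dump(["192.0.2.10:443", "198.51.100.7:8443", "c2.example.net:443"], 300)
    print(extract_config(dump))
```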
Getting malware configurations is a laborious task that involves breaking through lines of heavily obfuscated code, delving into memory dumps of malware samples, reverse engineering and debugging.
The challenge is even greater with modern malware that uses a modular architecture. Modularity allows new components, such as keyloggers and miners, to be added to the initial malware build, expanding its functionality and altering its behavior. Extracting the configuration of each of these modules adds further complexity to the procedure.
Sandboxes for malware analysis are one of the tools that let you easily access malware configurations of different threats.
ANY.RUN is a prime example of such a service.
ANY.RUN effectively identifies all malware families within the sample, including all variants even if multiple builds of the same family exist.
The interface provides a concise description of the malware and offers the option to visit Malware Tracker for more details and the latest IOCs.
Consider Trickbot, a malware known for its stalling tactics, employing lengthy mathematical computations to delay its execution.
While Trickbot may only initiate network activity, such as connecting to a C&C server, after a 300-second delay, tools like ANY.RUN can swiftly detect and extract its configuration in a mere 100 seconds.
This Cyber News was published on gbhackers.com. Publication date: Tue, 06 Feb 2024 17:13:05 +0000