How DFIR Analysts Use ANY.RUN Sandbox
Just recently, DFIR content creator and educator Steven from the YouTube channel MyDFIR released a new video showing how DFIR professionals can use the ANY.RUN Sandbox to analyze malware effectively and extract actionable intelligence.
The video provides a step-by-step guide to investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and uncover key behavioral insights.
If you want to improve your investigation workflows and see practical examples of malware analysis in action, we highly recommend watching the video to follow along with the expert's process.
Here is our overview of the key highlights covered in the video.
About ANY.RUN Sandbox
The ANY.RUN Sandbox is an interactive malware analysis platform that lets security professionals analyze malicious files in a live, user-driven environment. It enables DFIR professionals to:
- Explore the behaviors and techniques of malware.
- Quickly gather essential Indicators of Compromise (IOCs).
- Discover malware configurations and identify threats in real time.
By providing detailed insights through features such as process trees, network monitoring, and built-in ATT&CK mapping, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations.
Use Case 1: Investigating Formbook Infostealer
Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here is how DFIR professionals can use ANY.RUN to analyze it.
Imagine you have received the following alert: malware detected and quarantined.
The alert also provides details such as:
- Hostname: SALESPC-01
- User: Bobby
- Filename: suchost.exe
- Current Directory: C:\Users\Bobby\Downloads
- SHA256: 472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd
Use this information to start your investigation.
Check Previous Analyses
The first thing you should do is check whether ANY.RUN has analyzed this file before. Navigate to ANY.RUN's Reports section, located on the left-hand side.
Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to start a new analysis.
In our case, there are 2 analysis sessions found from October 2024. Let's choose the first report and take a closer look at what's inside.
After clicking on the existing entry, you are redirected to the ANY.RUN sandbox, loaded with plenty of useful information.
Let's use this analysis to see how the sandbox can help us.
Check Initial Results
ANY.RUN provides a summary of the analysis, including malicious activity indicators, the operating system used for the analysis (e.g., Windows 10 64-bit), and a set of options, such as:
- Get Sample: Download the file for deeper analysis.
- IOC Tab: View all related IOCs.
- MalConf: Explore indicators extracted from the malware's configuration.
- Restart: Re-run the analysis if needed.
- Text Report: Get a detailed overview of the findings.
- Graph: Visualize the process tree and events.
- ATT&CK Tab: Review the relevant tactics, techniques, and procedures (TTPs).
- AI Summary: Summarize key findings.
- Export Options: Save results in various formats such as STIX or MISP JSON.
Analyze the Course of Tree
Review the parent-child relationships in the process tree to understand how the file behaves.
For example, Formbook may create a registry key to establish persistence. By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths.
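The walk described above can be automated once the process tree is exported. The following is an added example written for this overview, not code from the article or from ANY.RUN: it builds a parent-child tree from a constructed list of process records (pid, ppid, image, command line), walks every descendant of the flagged sample, and reports any child that writes a Run key, together with the ancestry chain back to the sample. The process records and the `reg.exe` command line are invented for the example; the filename `suchost.exe` and the download path are the ones from the alert.

```python
import re
from collections import defaultdict

# Constructed process records in the shape a sandbox process tree exposes.
# These are invented for this example, not taken from the ANY.RUN session.
PROCESSES = [
    {"pid": 1000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": "suchost.exe",
     "cmdline": r"C:\Users\Bobby\Downloads\suchost.exe"},
    {"pid": 2104, "ppid": 2100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c copy "C:\Users\Bobby\Downloads\suchost.exe" '
                r'"C:\Users\Bobby\AppData\Roaming\svc\svc.exe"'},
    {"pid": 2108, "ppid": 2100, "image": "reg.exe",
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v svc /t REG_SZ /d "C:\Users\Bobby\AppData\Roaming\svc\svc.exe" /f'},
    {"pid": 2200, "ppid": 1000, "image": "notepad.exe", "cmdline": "notepad.exe"},
]

# Run / RunOnce keys under CurrentVersion are the classic autostart location.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)


def build_tree(processes):
    """Return (by_pid, children) maps so the tree can be walked from any process."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p["pid"])
    return by_pid, children


def descendants(pid, children):
    """Yield every pid below `pid`, depth first, so the whole chain is covered."""
    stack = list(children.get(pid, []))
    while stack:
        cur = stack.pop()
        yield cur
        stack.extend(children.get(cur, []))


def find_persistence(processes, root_image):
    """Find Run-key writes by the sample or any descendant of it.

    Returns a list of (chain, cmdline): `chain` is the ancestry path from the
    sample down to the process that touched the key, `cmdline` is that process's
    full command line, which is what the analyst needs to trace the key.
    """
    by_pid, children = build_tree(processes)
    findings = []
    roots = [p for p in processes if p["image"].lower() == root_image.lower()]
    for root in roots:
        for pid in descendants(root["pid"], children):
            proc = by_pid[pid]
            if not RUN_KEY_RE.search(proc["cmdline"]):
                continue
            # Walk back up to the sample so the full parent-child path is shown.
            chain, cur = [], pid
            while cur in by_pid and cur != root["ppid"]:
                chain.append(by_pid[cur]["image"])
                cur = by_pid[cur]["ppid"]
            findings.append((" -> ".join(reversed(chain)), proc["cmdline"]))
    return findings


if __name__ == "__main__":
    for chain, cmd in find_persistence(PROCESSES, "suchost.exe"):
        print(chain)
        print("    ", cmd)
```

The chain is reported from the sample downward, so a persistence write performed two or three hops below the sample (for example via `cmd.exe`) is still attributed to it; anything outside the sample's subtree, like the `notepad.exe` record, is ignored.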
Examine Network Activity
Use the network-related tabs to track events such as HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons:
- Green checkmark: Known and safe.
- Question mark: Unknown.
- Fire icon: Malicious.
Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment.
Leverage Threat Hunting Features
Take advantage of tabs such as MalConf and ATT&CK to uncover additional insights. For example, MalConf may reveal hardcoded strings or configuration values that can help in threat hunting.
The ATT&CK tab provides a breakdown of the relevant TTPs, helping analysts understand how the malware evades detection or escalates privileges.
In the current analysis session, these are the TTPs the sandbox identified:
AI Summary
The AI-powered summary distills the technical findings into easy-to-understand insights. This is particularly useful for:
- Quickly understanding the file's behavior without diving into the technical details.
- Assisting junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing.
By using these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization.
Use Case 2: Analyzing Lumma Stealer with Advanced Features
The next use case focuses on analyzing a file in the ANY.RUN sandbox, specifically a sample of the infostealer known as Lumma Stealer, another malware family aimed at exfiltrating data.
For this demonstration the free plan is used, but comparisons with the paid plan's capabilities are highlighted as well.
Uploading a File to ANY.RUN
To analyze a file in ANY.RUN, start by selecting the Submit File option from the 3 options available.
When uploading a file, keep in mind that as a free user your analysis will be public, which means anyone can view it. Avoid uploading sensitive data. Always consult your team if unsure.
Paid plans, however, offer privacy options to restrict access to your analysis.
After selecting the file, you will see two key options:
- Deep analysis: Best for file-based malware investigations.
- Safebrowsing: Suitable for quick URL-based analysis.
In this case, we are performing Deep Analysis on the Lumma Stealer sample.
View the full analysis session
Configuration Options
ANY.RUN lets you customize execution and environment settings to simulate real-world conditions. For example, you can specify custom command-line arguments to trigger specific malware behaviors.
- The free plan offers 60 seconds of analysis.
- With the paid plan, you can extend this to 10+ minutes for deeper analysis.
You can also select where the file is executed, for example the temp directory, desktop, downloads directory, AppData, and more.
For network traffic the following options are available:
- FakeNet: Simulates network traffic.
- TOR Routing: Routes traffic through Tor for anonymity.
- Residential Proxy: Assigns a residential IP to your VM.
Then, choose the operating system, such as Windows 7 (32-bit), Windows 10 (64-bit), or Ubuntu 22.04. The paid plan also offers Windows 11.
Running the Analysis
Once the configuration is set, click Run Analysis. If you choose Public mode, a warning reminds you that the analysis data will be publicly accessible. To make your analysis private, you need a Hunter or Enterprise plan subscription.
The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network actions.
A timer (top-right) shows the remaining analysis time. You can add time to capture extended malware behaviors.
Observing Results in Real Time
As soon as the analysis begins, you can interact with the sandbox environment. Take a look at the parent-child relationships of the processes generated by the malware.
In the top corner you can already see that the sandbox identifies the processes as Lumma malware and possible phishing.
Moreover, we can note that the sandbox also detected a domain used for the C2 connection:
With the paid plan you can also see how this particular Suricata rule was triggered:
Extracting IOCs and Key Artifacts
Once the analysis completes, go to the IOC tab to extract the key indicators, including:
- IP addresses
- Domains
- File hashes
- URLs
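The cross-check against your own environment that the Formbook section calls for ("document any flagged IOCs ... and cross-check them within your environment") starts from exactly this list, and the Export Options mentioned earlier let you take it out as STIX. The following is an added example for this overview, not code from the article or from ANY.RUN, and it does not use any ANY.RUN API: it parses a constructed STIX 2.1 bundle shaped like an IOC export (the IP addresses and domains are documentation values, RFC 5737 ranges and `.example` names, invented here; the SHA-256 is the one from the alert above), pulls out IPs, domains, URLs and hashes from the indicator patterns, and then runs them over a few constructed proxy/DNS log lines from the alerted host, matching whole tokens so that `203.0.113.10` does not fire on `203.0.113.100`. The log lines and the STIX object ids are constructed for the example.

```python
import hashlib
import json
import re

# Constructed STIX 2.1 bundle in the shape of a sandbox IOC export.
# IPs/domains are documentation values invented for this example; the
# SHA-256 is the hash given in the alert.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--3f1c0d6e-8c0a-4a7a-9d2e-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--3f1c0d6e-8c0a-4a7a-9d2e-000000000002",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--3f1c0d6e-8c0a-4a7a-9d2e-000000000003",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.stealer-update.example']"},
        {"type": "indicator", "id": "indicator--3f1c0d6e-8c0a-4a7a-9d2e-000000000004",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[url:value = 'http://c2.stealer-update.example/api/gate']"},
        {"type": "indicator", "id": "indicator--3f1c0d6e-8c0a-4a7a-9d2e-000000000005",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd']"},
        # A compound pattern: the extractor must still find both atoms.
        {"type": "indicator", "id": "indicator--3f1c0d6e-8c0a-4a7a-9d2e-000000000006",
         "spec_version": "2.1", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR "
                    "[domain-name:value = 'mirror.stealer-update.example']"},
    ],
})

# Constructed proxy/DNS log lines from the host named in the alert.
LOG_LINES = [
    "2024-10-12T09:14:01Z SALESPC-01 dns query A c2.stealer-update.example",
    "2024-10-12T09:14:03Z SALESPC-01 10.0.0.25 -> 203.0.113.10:80 GET "
    "http://c2.stealer-update.example/api/gate",
    "2024-10-12T09:15:10Z SALESPC-01 10.0.0.25 -> 203.0.113.100:443 CONNECT updates.vendor.example",
    "2024-10-12T09:16:44Z SALESPC-01 dns query A www.vendor.example",
]

# One comparison expression inside a STIX pattern: [object:path = 'value']
ATOM_RE = re.compile(r"\[\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']+)'\s*\]")

# STIX object paths mapped onto the IOC categories the IOC tab lists.
CATEGORY = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}


def load_indicators(bundle_json):
    """Return {category: set(values)} for every atom of every STIX indicator pattern."""
    found = {cat: set() for cat in CATEGORY.values()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for path, value in ATOM_RE.findall(obj["pattern"]):
            cat = CATEGORY.get(path)
            if cat:
                found[cat].add(value if cat == "url" else value.lower())
    return found


def _bounded(value):
    """Match only a whole token, so 203.0.113.10 does not hit 203.0.113.100."""
    return re.compile(r"(?<![A-Za-z0-9.-])" + re.escape(value) + r"(?![A-Za-z0-9-])",
                      re.IGNORECASE)


def match_logs(indicators, lines):
    """Return (line_number, category, value) for every network IOC seen in the logs."""
    patterns = [(cat, v, _bounded(v))
                for cat in ("ip", "domain", "url") for v in sorted(indicators[cat])]
    hits = []
    for n, line in enumerate(lines, 1):
        for cat, value, rx in patterns:
            if rx.search(line):
                hits.append((n, cat, value))
    return hits


def sha256_of_bytes(data):
    """Hash a quarantined file's bytes when the alert does not already give the digest."""
    return hashlib.sha256(data).hexdigest()


def hash_matches(indicators, sha256_hex):
    """True if the given SHA-256 is one of the exported file-hash indicators."""
    return sha256_hex.lower() in indicators["sha256"]


if __name__ == "__main__":
    ind = load_indicators(STIX_BUNDLE)
    for n, cat, value in match_logs(ind, LOG_LINES):
        print(f"line {n}: {cat} {value}")
    alert_hash = "472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd"
    print("alert hash in export:", hash_matches(ind, alert_hash))
```

A line that contains the full C2 URL is reported three times (IP, domain, URL), which is intended: each category is a separate pivot when you search the rest of the fleet. Lines 3 and 4 produce nothing, because the longer IP and the unrelated vendor domain are not in the export.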
Why DFIR Professionals Rely on ANY.RUN
ANY.RUN's real-time, interactive capabilities make it a favorite among DFIR specialists. Here is why:
- Speed: Analyze malware behavior and extract IOCs faster than ever.
- Ease of use: Its intuitive interface works for both seasoned analysts and newcomers.
- Flexibility: From free plans to enterprise options, ANY.RUN fits teams of all sizes.
- Threat intelligence integration: Enrich your investigations with additional context to ensure thorough results.
About ANY.RUN
ANY.RUN supports more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files, learn more about the threats, and respond to incidents faster.
With ANY.RUN you can:
- Detect malware in seconds
- Interact with samples in real time
- Save time and money on sandbox setup and maintenance
- Record and study all aspects of malware behavior
- Collaborate with your team
- Scale as you need