Cybersecurity Lifehacks

How DFIR Analysts Use ANY.RUN Sandbox


Recently, DFIR educator and content creator Steven from the YouTube channel MyDFIR released a new video showing how DFIR professionals can leverage the ANY.RUN Sandbox to effectively analyze malware and extract actionable intelligence.

The video provides a step-by-step guide to investigating real-world threats, including how to quickly identify and analyze Indicators of Compromise (IOCs) and uncover key behavioral insights.

If you are looking to improve your investigation workflows and want to see practical examples of malware analysis in action, we highly recommend watching the video and following along with the expert's process.

Here is our overview of the key highlights covered in the video.

About ANY.RUN Sandbox

The ANY.RUN Sandbox is an interactive malware analysis platform that lets security professionals examine malicious files in a live, user-driven environment. It allows DFIR professionals to:

  • Discover the behaviors and techniques of malware.
  • Quickly collect essential Indicators of Compromise (IOCs).
  • Uncover malware configurations and identify threats in real time.

By providing detailed insights through features like process trees, network monitoring, and built-in ATT&CK mapping, ANY.RUN helps analysts stay ahead of emerging threats and streamline investigations.



Use Case 1: Investigating Formbook Infostealer

Formbook is a widespread infostealer that targets credentials, cookies, and other sensitive data. Here is how DFIR professionals can use ANY.RUN to analyze it.

Imagine you have received the following alert: malware detected and quarantined.

The alert also provides details such as:

  • Hostname: SALESPC-01
  • User: Bobby
  • Filename: suchost.exe
  • Current Directory: C:\Users\Bobby\Downloads
  • SHA256: 472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd

Use this information to begin your investigation.
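Before touching the sandbox, it pays to extract everything the alert itself already tells you. The script below is an added example for this article (it is not ANY.RUN code and does not call the ANY.RUN API): it normalizes the SHA256 so it can be searched, confirms that a quarantined sample really is the file the alert fired on, and flags two things a triage analyst would note here, a filename one edit away from a genuine Windows binary and execution from a user-writable directory. The list of imitated system binaries and the trusted directories are assumptions chosen for the example.

```python
"""Triage of a quarantine alert before pivoting into the sandbox.

Added example for this article, not ANY.RUN code. The alert fields mirror the
ones listed above; the list of imitated system binaries is an assumption.
"""
import hashlib
import re
from pathlib import PureWindowsPath

# Assumption: a short list of Windows binaries whose names malware commonly imitates.
IMITATED_SYSTEM_BINARIES = (
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe", "rundll32.exe",
)
# Where the genuine copies of those binaries live.
TRUSTED_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# The alert from the article, as a dictionary.
EXAMPLE_ALERT = {
    "hostname": "SALESPC-01",
    "user": "Bobby",
    "filename": "suchost.exe",
    "directory": r"C:\Users\Bobby\Downloads",
    "sha256": "472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd",
}


def normalize_hash(value: str) -> str:
    """Lower-case the hash and reject anything that is not a SHA256 hex digest."""
    digest = value.strip().lower()
    if not SHA256_RE.match(digest):
        raise ValueError(f"not a SHA256 hex digest: {value!r}")
    return digest


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large quarantined samples need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit apart is the classic typosquatted binary name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_alert(alert: dict) -> dict:
    """Turn the raw alert into findings plus values to pivot on in the sandbox and EDR."""
    filename = alert["filename"].lower()
    directory = str(PureWindowsPath(alert["directory"])).lower()
    findings = []

    # 1. A name one edit away from a real system binary is masquerading, not a typo.
    for legit in IMITATED_SYSTEM_BINARIES:
        if filename != legit and edit_distance(filename, legit) <= 1:
            findings.append(f"{filename} is one edit away from {legit} (possible masquerading)")

    # 2. System binaries run from System32/SysWOW64; a user-writable directory is suspicious.
    if not directory.startswith(TRUSTED_SYSTEM_DIRS):
        findings.append(f"executed from user-writable directory {alert['directory']}")

    digest = normalize_hash(alert["sha256"])
    return {
        "sha256": digest,
        "findings": findings,
        # The hash goes into the sandbox history search; the rest into your own telemetry.
        "pivots": {
            "sandbox_history": [digest],
            "internal_telemetry": [alert["hostname"], alert["user"], alert["filename"]],
        },
    }


def matches_alert(sample_digest: str, alert: dict) -> bool:
    """Confirm the file you are about to upload is the one the alert fired on."""
    return normalize_hash(sample_digest) == normalize_hash(alert["sha256"])


if __name__ == "__main__":
    result = triage_alert(EXAMPLE_ALERT)
    for line in result["findings"]:
        print("finding:", line)
    print("search sandbox history for:", result["sha256"])
```

Run `sha256_file()` on the quarantined copy and pass the result to `matches_alert()` before uploading anything: if the EDR rewrote or truncated the file on quarantine, you would otherwise analyze the wrong sample and search the sandbox history for a hash that never existed.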

Confirm Earlier Analyses

The first thing to do is check whether ANY.RUN has already analyzed this file. Navigate to ANY.RUN's Reports section, located on the left-hand side.

Reports section in ANY.RUN

Search for the hash of the flagged file. If the file has already been analyzed, review the existing reports. Otherwise, upload the file to start a fresh analysis.

In our case, there are 2 analysis sessions from October 2024. Let's select the first report and take a closer look at what's inside.

After clicking on the existing entry, you'll be redirected to the ANY.RUN sandbox populated with plenty of useful information.

Public submissions related to the specific IOC

Let's use this analysis to see how the sandbox can help us.

Examine Preliminary Outcomes

ANY.RUN provides a summary of the analysis, including malicious activity indicators, the operating system used for the analysis (e.g., Windows 10 64-bit), and a set of options, such as:

  • Get Sample: Download the file for deeper analysis.
  • IOC Tab: View all related IOCs.
  • MalConf: Explore indicators extracted from the malware's configuration.
  • Restart: Re-run the analysis if needed.
  • Text Report: Get a detailed overview of the findings.
  • Graph: Visualize the process tree and events.
  • ATT&CK Tab: Review associated tactics, techniques, and procedures (TTPs).
  • AI Summary: Summarize the key findings.
  • Export Options: Save the results in various formats such as STIX or MISP JSON.

Malicious activity identified by the ANY.RUN sandbox

Analyze the Course of Tree

Examine the parent-child relationships in the process tree to understand how the file behaves.

Process tree in ANY.RUN

For example, Formbook may create a registry key to establish persistence. By clicking on the process, you can view command-line details and trace the registry key creation and file execution paths.

Process creating a registry key, displayed in the ANY.RUN sandbox

Look at Group Train

Use the network-related tabs to track events like HTTP requests and connections. ANY.RUN simplifies this by flagging requests with reputation icons:

  • Green checkmark: Known and safe.
  • Question mark: Unknown.
  • Fire icon: Malicious.

Document any flagged IOCs, such as suspicious IP addresses or domains, and cross-check them within your environment.

Reputation icons for faster malware analysis

Leverage Menace Wanting Choices

Make use of tabs like MalConf and ATT&CK to uncover further insights. For example, MalConf may reveal hardcoded strings or configuration values that can aid in threat hunting.

Malware configuration tab displayed in the ANY.RUN sandbox

The ATT&CK tab provides a breakdown of associated TTPs, helping analysts understand how the malware evades detection or escalates privileges.

In the current analysis session, these are the TTPs the sandbox identified:

TTPs related to the Formbook analysis session
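The process tree and the ATT&CK tab described in the two sections above are two views of the same data: the sandbox records every process with its parent and command line, and then classifies command lines against known techniques. The script below is an added example for this article (not ANY.RUN code and not taken from the Formbook session shown) that does the same thing over a small set of constructed process events: it rebuilds the parent-child tree, follows a suspicious process back to its root, and maps Run-key and scheduled-task persistence to the ATT&CK sub-techniques T1547.001 and T1053.005. The event shape, the process names and the command lines are assumptions constructed for the example.

```python
"""Rebuild a sandbox process tree and flag persistence the way an ATT&CK tab does.

Added example for this article, not ANY.RUN code. The events below are
constructed in the shape a sandbox report exposes (pid, parent pid, image,
command line) and are not taken from the article's Formbook session.
"""
import re
from collections import defaultdict

EVENTS = [
    {"pid": 1000, "ppid": 800, "image": "explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": "suchost.exe",
     "cmdline": r"C:\Users\Bobby\Downloads\suchost.exe"},
    {"pid": 2200, "ppid": 2100, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
                r'/v Updater /t REG_SZ /d "C:\Users\Bobby\AppData\Roaming\upd.exe" /f'},
    {"pid": 2300, "ppid": 2100, "image": "schtasks.exe",
     "cmdline": r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Bobby\AppData\Roaming\upd.exe"},
    {"pid": 2400, "ppid": 1000, "image": "notepad.exe",
     "cmdline": r"C:\Windows\notepad.exe"},
]

# Command-line patterns and the ATT&CK sub-technique each one maps to.
PERSISTENCE_RULES = [
    (re.compile(r"\breg(?:\.exe)?\s+add\s+\"?HK\w+\\Software\\Microsoft\\Windows"
                r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE),
     "T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder"),
    (re.compile(r"\bschtasks(?:\.exe)?\s+/create\b", re.IGNORECASE),
     "T1053.005", "Scheduled Task/Job: Scheduled Task"),
]


def build_tree(events):
    """Index events by pid and collect children per parent pid."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(events, pid):
    """Image names from the top-most known ancestor down to the given pid."""
    by_pid, _ = build_tree(events)
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def render_tree(events):
    """Indented text rendering of the tree, roots first, children sorted by pid."""
    by_pid, children = build_tree(events)
    roots = sorted(e["pid"] for e in events if e["ppid"] not in by_pid)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{by_pid[pid]['image']} (pid {pid})")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def find_persistence(events):
    """Match each command line against the persistence rules and attach its ancestry."""
    hits = []
    for e in sorted(events, key=lambda x: x["pid"]):
        for pattern, technique_id, name in PERSISTENCE_RULES:
            if pattern.search(e["cmdline"]):
                hits.append({"pid": e["pid"], "technique": technique_id, "name": name,
                             "chain": ancestry(events, e["pid"]), "cmdline": e["cmdline"]})
    return hits


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
    for hit in find_persistence(EVENTS):
        print(f"{hit['technique']} {hit['name']}: {' -> '.join(hit['chain'])}")
```

The ancestry chain is the part worth keeping in your notes: a `reg add` to a Run key launched by `cmd.exe` is unremarkable on its own, but the same command two levels under a binary that ran from Downloads is the persistence step you will later look for on the host.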

AI Summary

The AI-powered summary distills the technical findings into easy-to-understand insights. This is particularly useful for:

  • Quickly understanding the file's behavior without diving into the technical minutiae.
  • Helping junior analysts or teams new to malware analysis by providing clear explanations of what the file is doing.

AI summary of processes in the ANY.RUN sandbox

By leveraging these features, DFIR professionals can perform detailed, thorough, and efficient malware analysis, tailoring their investigations to the specific needs of their organization.





Use Case 2: Analyzing Lumma Stealer with Superior Choices

The next use case focuses on analyzing a file in the ANY.RUN sandbox, specifically a sample of the infostealer called Lumma Stealer, another malware family aimed at exfiltrating data.

For this demonstration, the free plan is used, but comparisons to the paid plan's capabilities are also highlighted.

Uploading a File to ANY.RUN

To analyze a file in ANY.RUN, start by selecting the Submit File option from the 3 available options.

When uploading a file, keep in mind that as a free user your analysis will be public, which means anyone can view it. Avoid uploading sensitive data. Always consult with your team if unsure.

The paid plans, however, offer privacy options to restrict access to your analysis.

After selecting the file, you'll see two key options:

  1. Deep analysis: Ideal for file-based malware investigations.
  2. Safebrowsing: Suitable for quick URL-based analysis.

For this case, we're performing Deep Analysis on the Lumma Stealer sample.

Explore the full analysis session

Configuration options for a new analysis session

Configuration Selections

ANY.RUN allows you to customize execution and environment settings to simulate real-world conditions. For example, you can specify custom command-line arguments to trigger specific malware behaviors.

  • The free plan offers 60 seconds of analysis.
  • With the paid plan, you can extend this to 10+ minutes for deeper analysis.

You can also choose where the file is executed, for example the temp directory, desktop, downloads directory, AppData, and more.

For network traffic, the following options are available:

  • FakeNet: Simulates network services so the sample receives responses without real internet access.
  • TOR Routing: Routes traffic through Tor for anonymity.
  • Residential Proxy: Assigns a residential IP to your VM.

Then, choose the operating system, such as Windows 7 (32-bit), Windows 10 (64-bit), or Ubuntu 22.04. The paid plan also offers Windows 11.

Working the Analysis

Once the configuration is set, click Run Analysis. If you choose to go with the Public mode, a warning will remind you that the analysis data will be publicly accessible. To make your analysis private, you need a Hunter or Enterprise plan subscription.

The sandbox begins dynamic analysis, executing the file and recording all processes, behaviors, and network activity.

A timer (top-right) displays the remaining analysis time. You can add time to capture extended malware behaviors.

Observing Results in Real Time

As soon as the analysis begins, you can interact with the sandbox environment. Take a look at the parent-child relationships of the processes generated by the malware.

In the right-hand corner, you can already see that the sandbox identifies the processes as Lumma malware and potential phishing.

Furthermore, we can observe that the sandbox also detected a domain used for the C2 connection:

Suricata rule triggered by Lumma malware

With the paid plan you can also see how this particular Suricata rule was generated:

Suricata rule details available to Hunter and Enterprise users

Extracting IOCs and Key Artifacts

The sandbox lists malicious IOCs that can be used to detect the threat

Once the analysis completes, go to the IOC tab to extract the key indicators, including:

  • IP addresses
  • Domains
  • File hashes
  • URLs
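Extracting the IOCs is only half the job; the Formbook section above asked you to cross-check flagged domains and IPs within your environment, and the Lumma section showed the sandbox firing a Suricata rule on the C2 domain. The script below is an added example for this article (not ANY.RUN code, and not ANY.RUN's export format or its Suricata rule) that closes that loop: it takes a list of type/value IOC pairs, matches them against resolver and proxy log lines, reports which internal hosts touched them, and turns the C2 domain into a Suricata DNS rule that also covers subdomains. The IOC field names, the `key=value` log format, and every domain and IP address are constructed for the example.

```python
"""Cross-check sandbox IOCs against your own logs and turn a C2 domain into a Suricata rule.

Added example for this article, not ANY.RUN code. The IOC list and its field
names, the log line format and every domain/IP below are constructed.
"""
import re

# Assumption: IOCs exported from a sandbox as simple type/value pairs.
IOCS = [
    {"type": "domain", "value": "update-check.example"},
    {"type": "ip", "value": "203.0.113.45"},
    {"type": "url", "value": "https://update-check.example/gate.php"},
    {"type": "sha256", "value": "472a703381c8fe89f83b0fe4d7960b0942c5694054ba94dd85c249c4c702e0cd"},
]

# Constructed DNS resolver and web proxy log lines in a key=value format.
LOG_LINES = [
    "2024-10-14T09:12:01Z src=10.20.30.41 query=www.microsoft.com",
    "2024-10-14T09:12:07Z src=10.20.30.41 query=update-check.example",
    "2024-10-14T09:12:07Z src=10.20.30.41 query=cdn.update-check.example",
    "2024-10-14T09:12:09Z src=10.20.30.41 dst=203.0.113.45 url=https://update-check.example/gate.php",
    "2024-10-14T09:15:33Z src=10.20.30.77 query=login.example.org",
    "2024-10-14T09:16:02Z src=10.20.30.77 dst=198.51.100.7 url=https://login.example.org/",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value log line into a dict; the leading timestamp has no '=' and is skipped."""
    return dict(KV_RE.findall(line))


def domain_matches(query, ioc_domain):
    """Exact match or subdomain match, case-insensitive, ignoring a trailing dot."""
    q, d = query.lower().rstrip("."), ioc_domain.lower()
    return q == d or q.endswith("." + d)


def find_hits(iocs, lines):
    """Return every (IOC, log line) pair where the line contains the indicator."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        for ioc in iocs:
            kind, value = ioc["type"], ioc["value"]
            matched = (
                (kind == "domain" and "query" in fields and domain_matches(fields["query"], value))
                or (kind == "ip" and fields.get("dst") == value)
                or (kind == "url" and fields.get("url") == value)
            )
            if matched:
                hits.append({"ioc": ioc, "src": fields.get("src"), "line": line})
    return hits


def affected_hosts(hits):
    """Internal source addresses that touched any IOC; these are the hosts to triage next."""
    return sorted({h["src"] for h in hits if h["src"]})


def suricata_dns_rule(domain, sid, rev=1):
    """DNS query rule for the C2 domain and all of its subdomains.

    dotprefix prepends a '.' to the query buffer so content:".domain"; endswith
    matches both 'domain' and 'sub.domain' without matching 'notdomain'.
    Uses Suricata 5.0+ keywords (dns.query sticky buffer, dotprefix, endswith).
    """
    return (
        f'alert dns $HOME_NET any -> any any (msg:"C2 domain lookup {domain}"; '
        f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
        f'classtype:trojan-activity; sid:{sid}; rev:{rev};)'
    )


if __name__ == "__main__":
    hits = find_hits(IOCS, LOG_LINES)
    for hit in hits:
        print(f"{hit['ioc']['type']}={hit['ioc']['value']} seen from {hit['src']}: {hit['line']}")
    print("hosts to triage:", ", ".join(affected_hosts(hits)))
    for ioc in IOCS:
        if ioc["type"] == "domain":
            print(suricata_dns_rule(ioc["value"], sid=1000001))
```

Match domains by suffix rather than substring: a plain substring test on `update-check.example` would also fire on `notupdate-check.example`, and the `dotprefix` transform in the generated rule exists for exactly the same reason on the sensor side.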

Why DFIR Professionals Rely upon ANY.RUN

ANY.RUN's real-time, interactive capabilities make it a favorite among DFIR specialists. Here is why:

  • Speed: Analyze malware behavior and extract IOCs faster than ever.
  • Ease of use: Its intuitive interface works for both seasoned analysts and newcomers.
  • Flexibility: From free plans to enterprise options, ANY.RUN fits teams of all sizes.
  • Threat intelligence integration: Enrich your investigations with additional context to ensure thorough results.

About ANY.RUN

ANY.RUN serves more than 500,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, TI Lookup, YARA Search and Feeds, help you find IOCs or files to learn more about the threats and respond to incidents faster.

With ANY.RUN you can:

  • Detect malware in seconds
  • Interact with samples in real time
  • Save time and money on sandbox setup and maintenance
  • Record and study all aspects of malware behavior
  • Collaborate with your team
  • Scale as you need

Get a 14-day free trial of ANY.RUN's Interactive Sandbox →
