How to Analyze Malware in 5 Steps

Trojans, ransomware, spyware, and other types of malware are significant threats to organizations. To stay informed and understand how the latest malware operates, cybersecurity professionals need to be able to analyze it. Here are five steps that security specialists can take to dissect malicious software and expose its functionality.

Step 1: Isolate the Malware

The first step in malware analysis is to isolate the malicious software from the rest of the system to prevent it from spreading or causing further damage. This isolation can be achieved by using a sandbox, a virtual machine, or a physical machine that is not connected to any network.

ANY.RUN lets you begin analysis of files and links in a couple of clicks

One of the easiest ways to achieve malware isolation is by uploading your malware samples to the ANY.RUN sandbox. This cloud-based service eliminates the need for any installation on your device and offers a free community plan that is sufficient for basic analysis.

Sign up for a free ANY.RUN account to analyze malware for free!

Step 2: Collect Static Information

Once the malware is isolated, the next step is to collect as much information as possible about it through static analysis. This involves examining the malware’s code without executing it. This can provide valuable insights into the malware’s functionality, its potential targets, and the techniques it uses to evade detection.

ANY.RUN provides you with the sample’s static analysis information in under 40 seconds. It is equipped with specialized modules for different file types, including:

  • PDF files: Extracts headers, HEX values, images, scripts, and URLs.
  • LNK files: Analyzes LNK files, revealing commands and potential malicious scripts.
  • MSG/Email files: Previews emails and lists metadata and IOCs to help spot spam and malicious elements.
  • Archives: Unpacks RAR, ZIP, tar.gz, and .bz2 formats, complementing the OLE module for Microsoft files.
  • Office documents: Extracts macros, scripts, images, and payloads from Office documents to help users spot and analyze potential threats.

Here is an analysis session of an email in the .eml format.

Static analysis information of the files related to the email sample 

In this instance, the email contains a RAR format archive. The sandbox enables us to open this attachment and examine its contents, revealing a malicious executable file disguised as a PDF document. All static analysis information about each file is provided by the sandbox.

Step 3: Conduct Dynamic Analysis

Dynamic analysis involves running the malware in a controlled environment and observing its behavior. This can reveal additional information that is not apparent in the static analysis, such as network communications, registry modifications, and file system changes.

ANY.RUN offers advanced dynamic analysis functionality with an interactive twist. It enables users to fully control the analysis environment and engage with it as they would with a standard virtual machine.

Dynamic analysis results in ANY.RUN reveal a wide range of important information, including:

  • Network activity: Incoming and outgoing HTTP calls, DNS requests, connections, as well as Suricata detection rules triggered during the analysis.
  • Processes: A hierarchical view of all the processes launched during the execution and their details, such as dumps.
  • Tactics, techniques, and procedures: All the TTPs used by the malware, mapped to the MITRE ATT&CK matrix.
  • Indicators of compromise: IOCs and malware configs, essential for further detection.

Just take a look at this analysis session to see how much information the ANY.RUN sandbox provides.

Sandbox analysis of an .LNK file revealed Formbook malware.

As part of the analysis, you get to view the entire execution chain and see exactly at which point the final Formbook payload was dropped. Plus, the service lists the malicious activities related to each process, including password stealing and PowerShell command execution.

Access all features of ANY.RUN in a 14-day free trial!

Step 4: Document the Findings

After the static and dynamic analysis, the next step is to document the findings. This should include a detailed description of the malware’s behavior, its potential impact, and any indicators of compromise (IOCs) that can be used for detection and mitigation. The documentation should be clear, concise, and accessible to both technical and non-technical stakeholders.

ANY.RUN offers ready-made malware reports that include all crucial information collected during the analysis.

ANY.RUN reports can be easily shared

These reports can be downloaded in different formats, such as PDF, HTML, or JSON.

Step 5: Ensure Mitigation and Prevention

The final step in malware analysis is to use the findings to mitigate the current threat and prevent future ones. This can involve updating the antivirus software, patching system vulnerabilities, or implementing new security policies and procedures. It’s also important to share the findings with the wider cybersecurity community to help others protect against the same malware.

Conclusion

Malware analysis is a complex and challenging process, but it is essential for effective cybersecurity. By following the steps outlined in this guide and using tools like ANY.RUN, cybersecurity professionals can gain a deep understanding of malware, its impacts, and how to defend against it.

Ad

No posts to display