How to Extract Malware Configurations in a Sandbox


Indicators of Compromise (IOCs) are the fuel that powers our cybersecurity defenses and keeps them effective. The most sought-after source of these indicators is malware configurations.

Accessing them is equal to exposing the attacker’s playbook. Hence, thousands of analysts spend dozens of hours uncovering them. But what exactly are these configs, and how do we get them faster? Let’s explore.

ANY.RUN, a leading malware sandboxing service, handles the heavy lifting of phishing and malware analysis for SOC and DFIR teams; 300,000 professionals use the platform to investigate incidents and streamline threat analysis.

What is a Malware Configuration?

Malware configurations are essentially instructions provided by the attacker to the malware. They usually contain the URLs used to connect to the command-and-control (C&C) server, encryption keys, the targeted OS, and the functions the malicious software performs.

How Does It Work?

The behavior of an individual malware sample stems from the configuration settings defined when it was built; its configuration parameters determine how it acts.

For instance, a malicious program might transmit data via email, contact servers directly, leverage messaging applications such as Telegram, or use a combination of these channels.

Why Do You Need a Malware Configuration?

Analyzing configurations provides insights into the malware’s operational capabilities and how it interacts with the target system. The information they offer helps unearth critical details that might otherwise go unnoticed. 

For instance, malware with multiple C&C servers typically communicates with the first IP address, leaving the rest hidden from network traffic monitoring.

Configuration extractors prove invaluable in such situations, revealing these concealed details without actively engaging with the malware.
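As an added illustration of this point (example code, not the article's or ANY.RUN's own), the Python below builds a constructed sample with an embedded, XOR-encoded config in an assumed layout, extracts the config statically, and compares its C&C list with what a constructed network trace of the detonation actually shows:

```python
import json
import struct

# Constructed sample image with an embedded config block. The layout is an
# assumption for this example, not any real family's format:
#   marker b"CFG1" | 1-byte XOR key | 2-byte little-endian length | XOR-encoded JSON
XOR_KEY = 0x5A
_PLAIN_CONFIG = json.dumps({
    "c2": ["203.0.113.10:443", "198.51.100.7:8080", "c2-backup.example:443"],
    "key": "constructed-key-placeholder",
    "target_os": "windows",
}).encode()
_ENCODED = bytes(b ^ XOR_KEY for b in _PLAIN_CONFIG)
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 64                        # fake header and padding
    + b"CFG1" + bytes([XOR_KEY]) + struct.pack("<H", len(_ENCODED)) + _ENCODED
    + b"\x00" * 32
)

# Constructed trace of a detonation: only the first C&C address is contacted.
CONSTRUCTED_TRAFFIC = [
    "2024-01-01T00:00:00Z TCP 10.0.0.5:49152 -> 203.0.113.10:443 SYN",
    "2024-01-01T00:00:01Z TCP 10.0.0.5:49152 -> 203.0.113.10:443 ACK",
]


def extract_config(image: bytes) -> dict:
    """Static extraction: find the marker, read key and length, decode the JSON."""
    off = image.find(b"CFG1")
    if off < 0:
        raise ValueError("config marker not found")
    off += 4
    key = image[off]
    (length,) = struct.unpack_from("<H", image, off + 1)
    blob = image[off + 3 : off + 3 + length]
    if len(blob) != length:
        raise ValueError("truncated config block")
    return json.loads(bytes(b ^ key for b in blob))


def c2_seen_in_traffic(lines: list[str]) -> set[str]:
    """Dynamic view: destination endpoints that actually appeared on the wire."""
    return {line.split(" -> ", 1)[1].split()[0] for line in lines if " -> " in line}


def hidden_c2(image: bytes, lines: list[str]) -> list[str]:
    """C&C endpoints present in the config but never observed during detonation."""
    return sorted(set(extract_config(image)["c2"]) - c2_seen_in_traffic(lines))
```

Running `hidden_c2(SAMPLE_IMAGE, CONSTRUCTED_TRAFFIC)` returns the two backup servers that traffic monitoring alone would have missed.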

Figure: Debugging is an essential process of manual configuration extraction

Here comes the hard part. Getting malware configurations is a laborious task that involves breaking through lines of heavily obfuscated code, delving into memory dumps of malware samples, reverse engineering, and debugging.

The challenge is even greater with modern malware that uses a modular architecture. Modularity allows the attacker to add new components, such as keyloggers and miners, to the initial malware build, expanding its functionality and altering its behavior, and extracting the configurations of these modules adds further complexity to the procedure.

Thankfully, in most cases, the hours of stressful, hard work needed to obtain configs have already been spent by professional analysts. To get them, you simply need to click a button.


How Malware Sandboxes Help us Extract Malware Configs

Figure: Remcos malware config provided by ANY.RUN

Sandboxes for malware analysis are one of the tools that let you easily access the malware configurations of different threats. They enable instant retrieval of the relevant information, significantly enhancing your productivity.

ANY.RUN is a prime example of such a service. The sandbox’s database features malware configurations for over 50 common malware families, including Remcos, RedLine, and Formbook, that can be accessed by simply clicking the “MalConf” button.

ANY.RUN identifies all malware families present in the sample, including every variant, even when multiple builds of the same family exist.

The interface provides a concise description of the malware and offers the option to visit Malware Tracker for more details and the latest IOCs. 

Specialists can export the extracted data in JSON format for further analysis. A tooltip guide is available for further information, accessible by clicking the question mark icon.


Example of how ANY.RUN lets you get malware configs

Consider Trickbot, a malware known for its stalling tactics, employing lengthy mathematical computations to delay its execution.

While Trickbot may only initiate network activities, such as connecting to a C&C server, after a 300-second delay, tools like ANY.RUN can swiftly detect and extract its configurations in a mere 100 seconds. View this interactive session on ANY.RUN to see it yourself.

Try ANY.RUN for free 

Test the full range of features offered by ANY.RUN by requesting a 14-day free trial. Analyze malware in interactive cloud virtual machines (VMs) just like on your own computer. Collect IOCs, extract configs, and generate comprehensive threat reports in seconds to streamline your investigations.
