How To Write A Malware Analysis Report In One Click Using ANY.RUN Sandbox

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

The analyzed malware, a fileless ransomware variant named “Cryptomine,” infiltrates systems by exploiting vulnerabilities in Microsoft Exchange servers.

Once inside, it leverages PowerShell to execute malicious code, encrypt sensitive data and demand a ransom.

Cryptomine evades detection by using obfuscation techniques and establishing persistent backdoors, as the malware’s dependencies include PowerShell, Windows Server 2019, and specific network connections.

Indicators of Compromise (IOCs) associated with Cryptomine include unusual PowerShell activity, encrypted files with a specific extension, and network traffic to command-and-control servers.

Malicious activity

ANY.RUN streamlines malware analysis reporting, allowing users to capture crucial details with a single click, where they can download comprehensive text reports, network traffic (PCAP) and encryption keys (SSL), analyze request/response data, extract malware configuration from memory dumps, and visualize process flow using a process graph.

The reports also map attacker tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework for a standardized view, which is demonstrated with a RedLine malware sample report.

Text malware report

The HTML report offers a comprehensive and customizable solution for analyzing malware samples, which automatically generates detailed reports, including information on processes, registry activity, network traffic, indicators of compromise (IOCs), screenshots, and process behavior graphs.

Users can easily customize the report to include only relevant sections and share or print it directly and the report can be accessed via API for integration into other systems or workflows.

JSON summary

The JSON report provides a comprehensive overview of all task-related information, offering a structured and machine-readable format for detailed analysis.

By parsing this file, users can extract crucial data points such as task IDs, execution times, command lines, and associated processes, which enables precise identification and analysis of malware footprints, facilitating a thorough investigation and comprehensive reporting of malicious activities.

Export → STIX 

ANY.RUN allows export of threat analysis data in the standardized STIX format for seamless integration with Security Information and Event Management (SIEM) systems.

This STIX report includes details like sandbox session links, file hashes, network traffic analysis, filesystem modifications, and Tactics, Techniques, and Procedures (TTPs) used by the threat, which enable security analysts and incident response teams to share threat data across various platforms for faster and more efficient detection and response.

Request/response content

It also allows in-depth analysis of suspicious files by providing captured network traffic in PCAP format alongside SSL keys for decryption, enabling inspection of request/response content, including headers and data streams, to identify malicious communication patterns.

Analyze unlimited malware by signing up for free on ANY.RUN!

By extracting configuration data from the malware’s memory dump, it reveals encrypted strings, C2 server details (IP addresses, ports), family name, version, and mutexes used for persistence, as this combination of network capture and memory analysis empowers researchers to fully understand the malware’s behavior and communication channels.

Malware configuration

Security analysts can gain a swift understanding of malware behavior through process graphs, which visually map program activities and their relationships, which allows for efficient identification of potential threats and pinpointing the program’s overall malicious intent.

Further analysis can be conducted by researching the sample’s tactics and techniques using the MITRE ATT&CK matrix, while public malware repositories like ANY.RUN offer access to a vast database for comparison, enabling a more in-depth investigation.

Finally, AI reports provide detailed, human-readable explanations of suspicious activities observed during the malware execution, offering valuable insights for threat assessment.

Join ANY.RUN today for fast, easy, and unlimited access to comprehensive malware analysis!