Automated Malware Analysis
- Create an account on Triage and an account on MalwareBazaar.
- Malware samples are usually zipped and protected by a password. The password conventionally used in this context is 'infected'.
- Keep in mind that malware samples may be dangerous. Make sure you do not give them any opportunity to run (the best approach is to use a local virtual machine, handle malware samples only in that VM and then dispose of the VM at the end).
Triage
Triage is a platform for automated malware analysis. You:
- upload a malware sample;
- select an architecture for the sandbox (a virtual machine whose input and output devices are automatically instrumented and observed);
- select other analysis parameters, e.g., a time interval for observing the execution behavior;
- start the automated analysis.
Execution lasts for a predefined amount of time. By default it runs unattended, i.e., without any user interaction. It is possible to select a random mouse movement as well as to interact directly with the running malware.
At the end of the execution you will obtain:
- A detailed report. Understanding all details of those reports is difficult and requires very specific knowledge. Be prepared to spend some time with search engines and do not expect to understand everything.
- A set of numerical scores:
- A static score, based on an analysis of the file content, without executing it.
- A dynamic score for each selected sandbox. This score is based on an analysis of the file execution behavior in the selected sandbox. The analysis looks at predefined behavioral signatures, reputation of contacted domains/IPs and so on.
- A global score that summarizes all the assigned scores.
Keep in mind that automated execution of a malware sample may or may not trigger the malicious behavior:
- A malware sample may try to detect whether it is running within a sandbox, in which case it might not activate its malicious behavior.
- A malware sample may activate its malicious behavior only upon specific input events. For example, if the user does not click certain buttons, nothing is typed on the keyboard, and so on, then the malicious behavior is not triggered.
Analyze MalwareBazaar samples
AgentTesla
Have a look at this report, publicly available from Triage (the static and the sandbox reports are listed in the upper part of the page).
Try to understand:
- Which attack campaigns have been linked to the name that Triage has associated with the malware sample (just use a search engine).
- Which "signatures", i.e., malicious/suspicious behaviors, have been observed.
- Which tactics/techniques have been associated with this sample.
- Which domains/IPs have been contacted (you may want to investigate these domains/IPs on AlienVault and/or GreyNoise; see Malware Detection).
A less known malware
- Download from MalwareBazaar the sample whose hash is
8404d3dc32b0555bc3b076d7fc080d2a341508b4a2c84805a1d5ffc0057e2b39
- Upload that sample to Triage.
- Execute an analysis and try to understand its output.
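Before uploading a sample, it is worth confirming that the file you downloaded is the one whose hash you looked up, without ever extracting it to disk in a form that could be double-clicked. The following script is an added example written for this lab, not a tool from Triage or MalwareBazaar: it opens the password-protected archive (password 'infected', as described above), hashes each member in memory, and compares the SHA-256 digest with the expected value. The archive, member name and payload bytes in `make_demo_archive` are constructed here so the script runs offline; the two hashes in `KNOWN_SAMPLES` are the ones listed in this lab. One caveat: Python's standard `zipfile` module only decrypts the legacy ZipCrypto scheme; if the archive is AES-encrypted, the same logic works with the third-party `pyzipper` library (`pyzipper.AESZipFile` in place of `zipfile.ZipFile`).

```python
import hashlib
import os
import tempfile
import zipfile

# Password conventionally used for malware sample archives (from the lab text).
SAMPLE_ZIP_PASSWORD = b"infected"

# Expected SHA-256 digests of the two MalwareBazaar samples named in this lab.
KNOWN_SAMPLES = {
    "less known malware": "8404d3dc32b0555bc3b076d7fc080d2a341508b4a2c84805a1d5ffc0057e2b39",
    "another less known malware": "a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968",
}


def sha256_of_member(zip_path, member, password=SAMPLE_ZIP_PASSWORD):
    """Hash one archive member while streaming it through memory.

    The member is never written to disk, so there is no file with an
    executable extension lying around that could be run by accident.
    The pwd argument is only consulted by zipfile when the member is
    actually encrypted.
    """
    digest = hashlib.sha256()
    with zipfile.ZipFile(zip_path) as zf:
        with zf.open(member, pwd=password) as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    return digest.hexdigest()


def verify_sample(zip_path, expected_sha256, password=SAMPLE_ZIP_PASSWORD):
    """Return {member_name: (sha256_hex, matches_expected)} for every file
    in the archive (directory entries are skipped)."""
    expected = expected_sha256.strip().lower()
    with zipfile.ZipFile(zip_path) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    results = {}
    for name in names:
        actual = sha256_of_member(zip_path, name, password)
        results[name] = (actual, actual == expected)
    return results


def make_demo_archive(path):
    """Build a constructed, harmless archive for demonstration and return the
    SHA-256 of its single member. (Unencrypted: zipfile cannot write
    encrypted archives, and the verification logic is identical.)"""
    payload = b"constructed placeholder bytes, not a real sample\n"
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("constructed_sample.bin", payload)
    return hashlib.sha256(payload).hexdigest()


def run_demo():
    """Create the constructed archive in a temporary directory and check it
    against the right digest and against a deliberately wrong one."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed_sample.zip")
        expected = make_demo_archive(path)
        good = verify_sample(path, expected)
        bad = verify_sample(path, "0" * 64)
    return expected, good, bad


if __name__ == "__main__":
    expected, good, bad = run_demo()
    print("expected :", expected)
    print("matching :", good)
    print("mismatch :", bad)
    # For a real download: verify_sample("sample.zip", KNOWN_SAMPLES["less known malware"])
```

Run it on a real download with `verify_sample("<downloaded archive>.zip", KNOWN_SAMPLES["less known malware"])`; if the member's second tuple element is False, you have the wrong file (or a repackaged one) and should not proceed to upload it as that sample.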
Another less known malware
- Repeat the above for this MalwareBazaar sample:
a43e0864905fe7afd6d8dbf26bd27d898a2effd386e81cfbc08cae9cf94ed968
- If the score is not very high (i.e., not > 9), execute the analysis again, this time interacting with the execution: click 'Next' when OneNote asks you to do so.
Compare to another analysis platform
Maybe the malware samples above have been submitted to other platforms...
- Search one or more of the above file hashes in VirusTotal (search tab).
- Compare the outcome of the analysis to those you obtained on Triage.