How to do a malware scan?


According to the findings of the Malwarebytes 2022 Threat Review, 40 million threats were detected on Windows business computers in 2021. Malware scanning is essential for detecting and preventing attacks like these. This article explains the purpose of malware investigation and how to perform malware analysis with a sandbox.

What is malware analysis?

Malware analysis is the process of studying a malicious sample. The researcher's goal is to understand the type, functions, code, and potential impact of the malicious program, and to obtain the information the organization needs to respond to the intrusion.

What the analysis gives you:

  • How the malware works: studying the program's code and its algorithm shows how it infects a host and spreads, which is what you need to contain it before it reaches the whole system.
  • Program features: data such as the malware family, type and version improves detection.
  • The purpose of the malware: executing the sample, in a safe environment only, reveals what data it is after.
  • Who is behind the attack: IP addresses, origin, the TTPs used and other fingerprints the attackers tried to hide.
  • A plan for preventing this kind of attack.

Types of malware analysis

Malware analysis is divided into static analysis, which examines the file without running it, and dynamic analysis, which runs the sample in a controlled environment and observes its behavior.

Malware Scanning Key Steps

The investigation consists of five stages. Throughout them, the goal is to learn as much as possible about the malicious sample, its execution algorithm, and how the malware behaves in various scenarios.

In our experience, the most effective way to analyze malware is to combine static and dynamic methods. Here is a short guide to performing a malware scan; follow these steps:

Step 1. Configure your virtual machine

Configure a virtual machine that matches the environment the sample expects: the browser, Microsoft Office, the operating system bitness and the regional settings. Install the analysis tools you need in the VM, such as FakeNet, a MITM proxy, Tor or a VPN. In the ANY.RUN sandbox this configuration is done from the interface before the run starts.

[Figure: Customizing the VM in ANY.RUN]

Step 2. Examine static properties

This is the static analysis step: examine the executable without running it. Hashes, strings and header content provide insight into the malware's intent; the strings in particular (URLs, file paths, registry keys, API names) often reveal its functionality.

For example, the screenshot below shows the hashes, PE header, MIME type, and other information for a Formbook sample. To get a brief idea of the functionality, look at the Import section, where all imported DLLs and the functions taken from them are listed.

[Figure: Static discovery of the PE file]

Step 3. Monitor malware behavior

This is the dynamic approach to malware analysis. Upload the sample to an isolated virtual environment, interact with it directly to make the program act, and observe its execution: network traffic, file changes, registry changes, and any other suspicious events.

In our online sandbox example, we can look inside the network stream to see the C2 server the sample reports to and the information that was stolen from the infected machine.

[Figure: Attacker IDs]
[Figure: Review of stolen data]
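The behavioral data collected in this step is what later becomes the IOC list and the ATT&CK mapping in the report. The following is an added example, not code from the original article or from ANY.RUN: a small stdlib-only Python script that parses sandbox-style event records (process, file, registry and network events), extracts IOCs and maps the observed actions to ATT&CK techniques. The key=value event format, the technique-to-behavior rules and the event lines themselves are constructed for this example and do not represent ANY.RUN's export format.

```python
"""Behavioural triage over sandbox event records: extract IOCs and map
observed actions to MITRE ATT&CK techniques. Standard library only."""
import re
from collections import defaultdict

# Constructed event lines for this example (not a real sandbox export):
# one record per line, "<type> key=value key="quoted value" ...".
SAMPLE_EVENTS = r'''
process  pid=1337 image="C:\Users\admin\AppData\Local\Temp\invoice.exe"
file     pid=1337 op=write path="C:\Users\admin\AppData\Roaming\svchost.exe"
registry pid=1337 op=set key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=Updater data="C:\Users\admin\AppData\Roaming\svchost.exe"
network  pid=1337 proto=dns query=www.example.invalid answer=198.51.100.23
network  pid=1337 proto=tcp dst=198.51.100.23:80 host=www.example.invalid method=POST uri=/gate.php
file     pid=1337 op=read path="C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"
'''

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Registry autostart locations (suffix match on the key path).
RUN_KEYS = (r"\Microsoft\Windows\CurrentVersion\Run",
            r"\Microsoft\Windows\CurrentVersion\RunOnce")
# Browser credential stores (Chrome, Firefox).
BROWSER_CRED_FILES = ("Login Data", "logins.json", "key4.db")


def parse_events(text: str) -> list:
    """Turn each non-empty line into a dict of fields plus its event type."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in TOKEN.findall(rest)}
        fields["type"] = kind
        events.append(fields)
    return events


def analyse(events: list) -> dict:
    """Collect IOCs (IPs, domains, URLs, dropped files) and flag behaviours
    that map to ATT&CK techniques."""
    iocs = defaultdict(set)
    techniques = {}
    for ev in events:
        t = ev["type"]
        if t == "network":
            if ev.get("proto") == "dns":
                iocs["domains"].add(ev["query"])
                iocs["ips"].add(ev["answer"])
            else:
                iocs["ips"].add(ev["dst"].rsplit(":", 1)[0])
                if "host" in ev and "uri" in ev:
                    iocs["urls"].add("http://" + ev["host"] + ev["uri"])
                if ev.get("method") == "POST":
                    techniques["T1071.001"] = ("Web protocols used for C2: HTTP POST to "
                                               + ev["host"])
        elif t == "file" and ev.get("op") == "write":
            iocs["dropped_files"].add(ev["path"])
        elif (t == "file" and ev.get("op") == "read"
              and any(ev["path"].endswith(n) for n in BROWSER_CRED_FILES)):
            techniques["T1555.003"] = "Reads browser credential store: " + ev["path"]
        elif (t == "registry" and ev.get("op") == "set"
              and any(ev["key"].endswith(k) for k in RUN_KEYS)):
            techniques["T1547.001"] = ("Run-key persistence: " + ev["key"] + "\\"
                                       + ev["value"] + " = " + ev["data"])
    return {"iocs": {k: sorted(v) for k, v in iocs.items()},
            "techniques": techniques}


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the constructed events the script reports one C2 IP, one domain, one URL, one dropped file, and three techniques (T1547.001 Run-key persistence, T1555.003 credentials from web browsers, T1071.001 web-protocol C2). Real sandbox exports have many more event types; the point is that IOC extraction and technique mapping are simple rules over the behavior log, so they can be automated and then reviewed by the analyst.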

Step 4. Break down the code

If the threat actors have obfuscated or packed the code, use de-obfuscation, unpacking and reverse engineering techniques to reveal it, and identify features that the previous steps did not expose. Even a single function used by the malware can say a lot about its functionality: for example, the WinINet function “InternetOpenUrlA” indicates that the malware opens a connection to an external server, typically over HTTP.

Additional tools, such as debuggers and disassemblers, are needed at this point.
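To make Step 2 (static properties) and the API-name hint from Step 4 concrete, here is an added example, not code from the original article or from ANY.RUN: a standard-library Python script that computes the file hashes, decodes the COFF file header of a PE image, extracts printable strings the way the `strings` tool does, and flags Windows API names such as InternetOpenUrlA that hint at a capability. The list of suspicious APIs is an illustrative subset chosen for this example, and the sample "PE file" it runs on is a constructed byte blob with a valid DOS/PE header and some embedded strings, not a real binary.

```python
"""Static triage of a Windows PE file with the standard library only:
hashes, COFF header fields, printable strings and imported-API hints."""
import hashlib
import re
import struct

# Windows APIs whose names hint at a capability. Illustrative subset chosen
# for this example, not a complete list.
SUSPICIOUS_APIS = {
    "InternetOpenUrlA": "opens a URL over HTTP/FTP via WinINet",
    "InternetOpenA": "initialises a WinINet session",
    "URLDownloadToFileA": "downloads a file from a URL",
    "WriteProcessMemory": "writes into another process (injection)",
    "CreateRemoteThread": "runs code in another process (injection)",
    "VirtualAllocEx": "allocates memory in another process",
    "RegSetValueExA": "writes a registry value (possible persistence)",
}

MACHINE_TYPES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, the identifiers used in reports."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def pe_header(data: bytes) -> dict:
    """Follow e_lfanew from the DOS header to the PE signature and decode the
    20-byte COFF file header. Raises ValueError if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        raise ValueError("missing or truncated PE header")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, _, characteristics = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,  # compile time claimed by the linker
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes (like the strings tool)."""
    return [s.decode("ascii")
            for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def api_hints(strs: list) -> dict:
    """Which suspicious API names occur among the extracted strings."""
    return {api: why for api, why in SUSPICIOUS_APIS.items()
            if any(api in s for s in strs)}


def triage(data: bytes) -> dict:
    strs = strings(data)
    return {"hashes": hashes(data), "header": pe_header(data),
            "strings": strs, "api_hints": api_hints(strs)}


def build_sample() -> bytes:
    """Constructed stand-in for a PE file (not a real binary, not malware):
    a DOS header whose e_lfanew points at a PE signature, a COFF header for a
    32-bit EXE with three sections, and NUL-separated strings of the kind found
    in an import name table and a data section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE signature follows
    # machine=x86, 3 sections, timestamp, no symbols, opt hdr 224, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F000000, 0, 0, 224, 0x0102)
    body = b"\0".join([b"KERNEL32.dll", b"WININET.dll", b"InternetOpenUrlA",
                       b"InternetOpenA", b"WriteProcessMemory",
                       b"http://c2.example.invalid/gate.php", b"Mozilla/5.0"])
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 8 + body + b"\0"


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

On the constructed sample the triage reports an x86 EXE with three sections, the embedded URL and user-agent strings, and three API hints (InternetOpenUrlA, InternetOpenA, WriteProcessMemory). On a real sample, string and API hints are only leads: packed or obfuscated binaries hide most of them until Step 4, and a packer's own import table will show up instead of the payload's.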

Step 5. Write a malware report

Include all of your findings and the data you have uncovered. Provide the following information:

  • Summary of the investigation with the malware name, origin and key features.
  • General information: malware type, file name, size, hashes and antivirus detection results.
  • Description of the malicious behavior: infection algorithm, propagation techniques, data collection and C2 communication.
  • Target OS bitness, software, executables and initialization files, DLLs, IP addresses and any scripts involved.
  • Behavioral activity: where it steals credentials, whether it modifies, removes or installs files, reads values, and checks the system language.
  • Code analysis results and header data.
  • Screenshots, logs, text strings, excerpts, etc.
  • IOCs.

Interactive malware analysis

Signature-based antivirus and firewalls cannot reliably handle unknown threats: targeted attacks, zero-day exploits, advanced malware and anything without a known signature. An interactive sandbox addresses these gaps by observing what a sample actually does instead of matching it against signatures.

Interactivity is the main advantage of our service. With ANY.RUN, you work with a suspicious sample directly, as if you had opened it on your own computer: click, run, print, restart. You can handle malware with delayed execution and play out different scenarios to get useful results.

During your investigation, you can:

  • Get interactive access: work with the VM as on your own computer: use the mouse, enter data, restart the system and open files.
  • Modify the parameters: a pre-installed software package and multiple operating systems of different bitness and versions are ready for you.
  • Choose tools for your virtual machine: FakeNet, MITM proxy, Tor, OpenVPN.
  • Research network connections: intercept packets and get the list of contacted IP addresses.
  • Instant access to analysis: the VM starts the analysis immediately.
  • Monitor system processes: observe the behavior of the malware in real time.
  • Collect IOCs: IP addresses, domain names, hashes and more are available.
  • Get the MITRE ATT&CK matrix: review the TTPs in detail.
  • Have a process graph: evaluate all processes in a graph.
  • Download a ready-to-use malware report: print all the data in a convenient format.

All of these features help reveal sophisticated malware and see the anatomy of the attack in real time.

Write the promotional code “HACKERNEWS” in the subject of the email to [email protected] and get 14 days of ANY.RUN premium subscription for free!

Try cracking malware with an interactive approach. With the ANY.RUN sandbox you can perform a malware scan and get fast results, a simple search process, detailed reports, and the ability to investigate even sophisticated malware. Follow the steps, use smart tools and hunt malware successfully.
