How to Analyze Malware Network Traffic in a Sandbox


Malware detection covers a wide range of activities, one of which is examining a sample's network traffic. To be effective at this, it is important to understand the common challenges and how to overcome them. Here are three common issues you may encounter and the tools you need to address them.

Decrypting HTTPS traffic

Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to hide its malicious activities. By encrypting the data exchanged between infected devices and command-and-control (C&C) servers, malware can operate undetected: exfiltrate sensitive data, install additional payloads, and receive instructions from its operators.

However, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy acts as an intermediary between the client and the server, intercepting their communication.

The MITM proxy lets analysts monitor the malware's network traffic in real time, giving them a clear view of its activities. Among other things, analysts can access the content of request and response packets, IP addresses, and URLs to see the details of the malware's communications and identify stolen data. The tool is particularly useful for extracting the SSL keys used by the malware.

Use case

Information about AxileStealer provided by the ANY.RUN sandbox

In this example, the initial file, 237.06 KB in size, drops the AxilStealer executable, 129.54 KB in size. As a typical stealer, it gains access to passwords stored in web browsers and starts transferring them to the attackers over a Telegram messenger connection.

Malicious activity is flagged by the rule “STEALER (ANY.RUN) Attempt to exfiltrate through Telegram”. Thanks to the MITM proxy feature, the malware's traffic was decrypted, revealing many details about the incident.
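The check behind a rule like the one above, as an added example that is not ANY.RUN's code: once the MITM proxy has decrypted the stealer's HTTPS request, a detector only needs to recognise a POST to the Telegram Bot API upload methods. The sample request, bot token and chat id below are constructed placeholders.

```python
"""Flag Telegram Bot API exfiltration in decrypted HTTP requests (added example,
not ANY.RUN's code): the check a rule such as "Attempt to exfiltrate through
Telegram" performs once a MITM proxy has decrypted the stealer's HTTPS traffic."""
import re
from dataclasses import dataclass
from typing import Optional

TELEGRAM_HOST = "api.telegram.org"
# Bot API methods a stealer uses to ship a log; getMe/getUpdates are not exfil.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

@dataclass
class Finding:
    bot_id: str          # numeric part of the bot token, usable as an IoC
    method: str          # which Bot API call carried the data
    chat_id: Optional[str]
    body_size: int

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def detect_telegram_exfil(raw: bytes) -> Optional[Finding]:
    """Return a Finding when the request uploads data via a Telegram bot."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or headers.get("host", "").lower() != TELEGRAM_HOST:
        return None
    m = BOT_PATH.match(path)
    if not m or m.group(3) not in EXFIL_METHODS:
        return None
    chat = re.search(rb'name="chat_id"\r\n\r\n(-?\d+)', body)
    return Finding(m.group(1), m.group(3),
                   chat.group(1).decode() if chat else None, len(body))

# Constructed multipart upload shaped like a stealer's sendDocument call.
SAMPLE = (
    b"POST /bot123456789:FAKE_TOKEN_PLACEHOLDER/sendDocument HTTP/1.1\r\n"
    b"Host: api.telegram.org\r\nContent-Type: multipart/form-data; boundary=X\r\n\r\n"
    b'--X\r\nContent-Disposition: form-data; name="chat_id"\r\n\r\n987654321\r\n'
    b'--X\r\nContent-Disposition: form-data; name="document"; '
    b'filename="Passwords.txt"\r\n\r\nhttps://example.com|user|hunter2\r\n--X--\r\n'
)
```

The bot id and chat id in the finding are worth recording as indicators: they tie separate samples to the same operator even when the token changes.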


Malware family discovery

Malware family identification is an important part of any cyber investigation. YARA and Suricata rules are the tools commonly used for this task, but their effectiveness is limited when a sample's servers are no longer active, because a network rule never sees the traffic it is written to match.

FakeNET offers a solution to this challenge by standing up a fake server that responds to the malware's requests. Tricking the malware into sending its request triggers a Suricata or YARA rule, which accurately identifies the malware family.

Use case

Inactive servers are detected in the ANY.RUN sandbox

When this sample is analyzed, the sandbox notes that the malware's servers are not responding.

The Smoke Loader malware was identified using FakeNET

However, once the FakeNET feature is enabled, the malicious software immediately sends a request to the fake server, triggering a network rule that identifies it as Smoke Loader.
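A minimal FakeNET-style responder, as an added example that is neither ANY.RUN's nor FakeNet-NG's code: it answers any HTTP request with a plausible 200 so a sample whose real C2 is dead still emits its first beacon, and records that beacon so a network rule has something to match. The `send_beacon` call stands in for the sample and uses a constructed host and path.

```python
"""FakeNET-style responder (added example, not ANY.RUN's or FakeNet-NG's code):
answer every HTTP request so a sample whose real C2 is dead still sends its
first beacon, and record that beacon for Suricata/YARA-style rule matching."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CAPTURED = []  # one dict per request the fake server answered

class FakeC2Handler(BaseHTTPRequestHandler):
    def _answer(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        CAPTURED.append({"method": self.command, "path": self.path,
                         "host": self.headers.get("Host", ""),
                         "user_agent": self.headers.get("User-Agent", ""),
                         "body": body})
        # Any plausible 200 keeps the sample talking instead of sleeping or exiting.
        payload = b"OK"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _answer

    def log_message(self, *args):  # keep the server quiet
        pass

def start_fake_server(port=0):
    """Bind 127.0.0.1:port (0 = ephemeral) and serve in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", port), FakeC2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def send_beacon(port, path, body=b""):
    """Constructed stand-in for the sample's check-in; returns the status code."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", path, body=body,
                 headers={"Host": "c2.example.invalid", "User-Agent": "Mozilla/4.0"})
    status = conn.getresponse().status
    conn.close()
    return status
```

In a real sandbox the responder sits where DNS and routing send the sample's traffic; here it only listens on localhost and the beacon is sent to it directly.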

Catching geo-targeted and evasive malware

Many attacks and phishing campaigns target specific geographic regions or countries. Consequently, they include mechanisms such as IP geolocation, language detection, or website blocking that can limit analysts' ability to identify them.

Alongside geo-targeting, malware operators use techniques to avoid analysis in sandbox environments. A common method is to check whether the system's IP address belongs to a data center. If it does, the malicious software stops executing.

To overcome these obstacles, analysts use a residential proxy. This tool works by routing the traffic of the analyst's device or virtual machine through the residential IP addresses of ordinary users in different parts of the world, so the malware sees a residential IP instead of the sandbox's own.

This feature lets professionals bypass geo-restrictions by appearing as local users and study malicious activity without exposing their sandbox environment.

Use case


Here, XWorm immediately checks the host's IP address when it is uploaded to a sandbox. However, because the VM sits behind a residential proxy, the malware continues to execute and connects to its command-and-control server.

Try all these tools in ANY.RUN

Setting up and using each of the aforementioned tools individually can take a lot of effort. To access and use all of them easily, use the cloud-based ANY.RUN sandbox.

The key feature of the service is interactivity, which allows you to safely interact with the malware and the infected system as you would on your own computer.

You can check out these and many other features of ANY.RUN, including a private space for your team, Windows 7, 8, 10 and 11 VMs, and API integration, completely free.

Just use the 14-day trial, no strings attached.
