Hacks Weekly #53 Hybrid Analysis

As with everything you find online, it is necessary to verify the information you have, and cyber-security information is no exception. To make sure your findings are correct, cross-check them with the other tools and services available to you.

In the previous Hacks Weekly episode, #52 Malware Analysis with AnyRun, we walked through analyzing malware inside the AnyRun cloud sandbox.

Besides AnyRun, cyber-security professionals use a range of other tools and platforms to verify or test malware samples. This time we will focus on hybrid-analysis.com, which serves a similar purpose to AnyRun.

The video starts on the main page, where the sample appears under the file name owo_im_not_ransomware_xd.exe. A file name proves nothing, of course; a sample is identified by its hash, and searching for that hash is how you open it. Scrolling down a little, you reach the Anti-Virus Results block, which summarises the result of scanning the file with multiple antivirus engines. The detection rate is very high. Why?

Because the sample is the well-known WannaCry ransomware, a cryptoworm that spread across corporate networks worldwide in May 2017.

After the Anti-Virus Results comes the Related Hashes section; searching for any of these hashes takes you to the related sample. Below that, the Falcon Sandbox Reports section lists the sandbox runs that were performed on the site for this file. In the video we picked the third report, from December 2020.

Let's open this report. The first things you see are the threat score and the antivirus detection rate. In some cases the sample itself can be downloaded, but I do not recommend it: this is a live ransomware file, and it should only ever be handled inside an isolated analysis environment.

Scroll down towards the bottom of the page to the MITRE ATT&CK section, which maps the sample's observed behaviour to ATT&CK tactics and techniques. Click View all details to read them, or download the table as a CSV file and work through everything that happened after the file was launched.

A little further down is the indicators section, which lists the behavioural indicators observed after the file was executed.

The really interesting part is the file details section, which holds the File Metadata, File Compositions and Imported Objects. In our case the file is identified as C++ code, and the Imported Objects list shows every DLL the executable imports. As on AnyRun, you can also view screenshots of the run and the process tree.

Here the process tree shows that WanaDecryptor.exe was run, which is another confirmation that we are dealing with the WannaCry ransomware.

Scroll down to the bottom for the Network Analysis section, which identifies the hosts and countries the file tried to connect to. In this case, the connection attempts shown were all successful.

Another interesting section is Extracted Strings, with its All Strings tab. Many analysts use the strings on their own as a first pass, because file names, URLs, registry keys and ransom-note text frequently appear there in plain text; how far you take that is up to you.
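To show what sits behind a tab like that, here is an added example (my own code, not part of the episode or of Hybrid Analysis) that extracts printable strings from a binary blob, including the UTF-16LE wide strings Windows binaries are full of, and then pulls out the indicator-shaped ones. The sample blob, the URL, the .onion address and the registry key are constructed placeholders; only the WanaDecryptor.exe name is taken from the report.

```python
"""Extract printable strings (ASCII and UTF-16LE) from a binary blob and pull
out the indicator-like ones, roughly what the Extracted Strings tab shows."""
import re
from typing import Dict, List, Tuple


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every run of at least min_len printable
    characters, sorted by offset.

    Wide strings are detected as printable-ASCII bytes alternating with NUL bytes,
    which is how Windows binaries store UTF-16LE text; wide strings that contain
    non-ASCII characters are not picked up by this simple pattern."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    found.sort()
    return found


# Indicator shapes worth pulling out of a string dump; extend as needed.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "onion": re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I),
    "executable": re.compile(r"[\w@.\-]+\.(?:exe|dll|bat|vbs|ps1)\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[^\s\"']+"),
}


def find_iocs(strings: List[Tuple[int, str, str]]) -> Dict[str, List[str]]:
    """Group unique indicator hits by kind, keeping first-seen order."""
    hits: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    for _, _, text in strings:
        for kind, pattern in IOC_PATTERNS.items():
            for m in pattern.finditer(text):
                if m.group() not in hits[kind]:
                    hits[kind].append(m.group())
    return hits


# Constructed blob standing in for a chunk of the sample. Only the
# WanaDecryptor.exe name comes from the report; everything else is placeholder.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 6
    + "WanaDecryptor.exe".encode("utf-16-le") + b"\x00\x00"  # wide string
    + b"\x55\x8b\xec"                                        # code bytes
    + b"http://example.test/gate.php\x00"
    + b"tor link: exampleonionaddr.onion\x00"
    + b"HKLM\\Software\\Example\\Run\x00"
    + b"abc\x00"  # shorter than min_len, so it is dropped
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, encoding, text in strings:
        print(f"{offset:#08x} {encoding:8} {text}")
    for kind, values in find_iocs(strings).items():
        if values:
            print(kind, values)
```

Run it on a real dump by reading the file bytes into `extract_strings`; the wide-string pass is the part the classic `strings` command skips by default, and it is where Windows malware keeps most of its file and registry names.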

You can also browse the Extracted Files, filter them by type (for example to show only executables), and read off their hashes.
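To get from the dropped files to something you can search for on both sandboxes, here is an added example (my own code, not part of the episode or of Hybrid Analysis). It identifies the type of each extracted file from its magic bytes rather than its extension, hashes the executables with the three algorithms the sandboxes list, and marks which of them another sandbox's report also contained. These are the same hashes you would type into the search on the main page, as described at the start of the walkthrough. The file contents, the helper_x64.exe name and the "other sandbox" hash list are constructed; only the WanaDecryptor.exe name comes from the report.

```python
"""Triage files dropped in a sandbox run: identify type from magic bytes,
hash the executables, and check which of them another sandbox also reported."""
import hashlib
import struct
from typing import Dict, List, Set


def file_type(data: bytes) -> str:
    """Coarse type from magic bytes. PE detection follows e_lfanew to the PE
    signature and reads the COFF Machine field, so a PE renamed to .txt still
    shows up as a PE."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            if machine == 0x014C:
                return "pe32"   # IMAGE_FILE_MACHINE_I386
            if machine == 0x8664:
                return "pe32+"  # IMAGE_FILE_MACHINE_AMD64
            return "pe"
        return "mz-dos"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:5] == b"%PDF-":
        return "pdf"
    return "unknown"


EXECUTABLE_TYPES = {"pe32", "pe32+", "pe", "elf"}


def hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256: the hashes sandboxes list and accept as search keys."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage(files: Dict[str, bytes], only_executables: bool = True) -> List[Dict[str, object]]:
    """One row per file (or per executable) with its type, size and hashes."""
    rows: List[Dict[str, object]] = []
    for name, data in files.items():
        kind = file_type(data)
        if only_executables and kind not in EXECUTABLE_TYPES:
            continue
        row: Dict[str, object] = {"name": name, "type": kind, "size": len(data)}
        row.update(hashes(data))
        rows.append(row)
    return rows


def cross_check(rows: List[Dict[str, object]], other_report_sha256: Set[str]) -> Dict[str, bool]:
    """True where the other sandbox's report listed the same SHA-256."""
    return {str(row["name"]): row["sha256"] in other_report_sha256 for row in rows}


def _pe_stub(machine: int) -> bytes:
    """Constructed stub: a DOS header whose e_lfanew points at a PE signature
    followed by the given Machine value. Enough for type detection, not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + struct.pack("<H", machine) + b"\x00" * 18


# Constructed stand-ins for extracted files; only the WanaDecryptor.exe name is real.
SAMPLE_FILES = {
    "WanaDecryptor.exe": _pe_stub(0x014C),
    "helper_x64.exe": _pe_stub(0x8664),
    "readme.txt": b"constructed ransom-note text\n",
    "payload.zip": b"PK\x03\x04" + b"\x00" * 26,
}
# Stands in for the hash list read off the other sandbox's report (constructed).
OTHER_SANDBOX_SHA256 = {hashes(SAMPLE_FILES["WanaDecryptor.exe"])["sha256"]}

if __name__ == "__main__":
    rows = triage(SAMPLE_FILES)
    seen = cross_check(rows, OTHER_SANDBOX_SHA256)
    for row in rows:
        print(f"{row['name']:20} {row['type']:6} {row['sha256']}  in other report: {seen[str(row['name'])]}")
```

Feed it the bytes of the files a report lets you download, never the running sample itself; an executable whose SHA-256 appears in only one sandbox's report is exactly the kind of discrepancy worth a closer look.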

At the very end are the community comments from users signed in to the Hybrid Analysis website. If you log in, you can add your own comments and give something back to the Hybrid Analysis community.

The Hybrid Analysis sandbox is one of the alternatives to AnyRun. If you analyse a malware sample in both (or more) sandboxes, you can check whether their results agree, which is useful when you are trying to confirm or reject your assumptions. Expect some differences even for the identical hash: runs made on different dates, in different guest images or with different network access will not show exactly the same indicators, so compare behaviour indicator by indicator rather than expecting identical reports.
