How to get more malware samples and IOCs from sandbox service
I am an amateur malware analyst, and I am going to share my, at this point, relatively modest experience here on Medium as well as interesting findings of the various aspects of malware analysis. Typical geek stuff, so to say, though I do hope others in my position will find it useful.
I guess everyone who has been doing malware analysis for a while is familiar with those situations where you are working with a malware sample but can’t pinpoint which family it belongs to. To understand what malware I am dealing with, I can, of course, fully reverse engineer the sample, but that takes a lot of time and resources. Sometimes I don’t have said resources, or I just don’t want to spend them in a particular situation.
I found that in this case, you can avoid reverse engineering by using the filters on the public submissions of the ANY.RUN malware analysis service. With filters, I can sort tasks by tags or by file extensions. Another useful feature is the ability to filter by domain name or by IP address. For example, if the C2 of a sample I am working with is already inactive, I can still find a task in which the same payload was downloaded from that server and the task was successfully executed.
Let me demonstrate with an example. I was looking for tasks with maldocs that were related to TA505 and came across this task: https://app.any.run/tasks/9ed460c6-dc4b-43a0-961e-b72b98e3c459. The task was not 100% completed because the payload was not downloaded from the server.
Let’s copy the IP address or the domain name and paste them into the filter that can be found in public submissions.
Not a bad catch! What’s more, we don’t even need to open all those tasks to figure out which is the one where the payload was downloaded and the malware was executed — all we need is to look at the tags. Let’s open a task that has the pony and fareit tags.
That’s better! This way, even if we get a maldoc that tries to fetch its payload from a server that is now offline, we can still find out what it tried to download by going through the tasks in public submissions.
https://app.any.run/tasks/f40a4a37-7926-40a6-8f53-775bbb070792/
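The same pivot can be scripted once you have task metadata exported locally. The following is an added example and not ANY.RUN’s code or API: it takes a seed task whose payload never arrived, finds other tasks that contacted any of the same domains or IPs, ranks those where the payload actually ran, and summarises which family tags they carry. The task records, tags and indicators are constructed for the example.

```python
# Added example (not ANY.RUN's code or API): a local IOC pivot over
# sandbox task metadata, mirroring the manual "filter by domain/IP,
# then look at the tags" workflow described above.
from dataclasses import dataclass

# Tags that describe the sample type rather than a malware family.
# Constructed list; extend it for your own tagging scheme.
NON_FAMILY_TAGS = {"maldoc", "macros", "downloader", "exploit"}


@dataclass(frozen=True)
class Task:
    task_id: str
    tags: frozenset
    domains: frozenset
    ips: frozenset
    payload_executed: bool  # True when the second stage ran in the sandbox


def iocs(task):
    """All network indicators a task contacted (domains and IPs)."""
    return task.domains | task.ips


def pivot(seed, tasks):
    """Tasks (other than seed) sharing at least one domain or IP with seed,
    best candidates first: executed payload, then most family tags."""
    shared = iocs(seed)
    related = [t for t in tasks if t.task_id != seed.task_id and iocs(t) & shared]
    return sorted(related,
                  key=lambda t: (t.payload_executed, len(t.tags - NON_FAMILY_TAGS)),
                  reverse=True)


def families(related):
    """Map each family tag to the task ids where that family actually ran."""
    out = {}
    for t in related:
        if not t.payload_executed:
            continue  # tags on a failed task say nothing about the payload
        for tag in sorted(t.tags - NON_FAMILY_TAGS):
            out.setdefault(tag, []).append(t.task_id)
    return out


# Constructed sample data (not real tasks or indicators).
SEED = Task("seed-maldoc", frozenset({"maldoc"}), frozenset({"dl.example.test"}), frozenset({"192.0.2.10"}), False)
TASKS = [
    SEED,
    Task("task-a", frozenset({"maldoc", "pony", "fareit"}), frozenset({"dl.example.test"}), frozenset({"192.0.2.10"}), True),
    Task("task-b", frozenset({"maldoc"}), frozenset(), frozenset({"192.0.2.10"}), False),
    Task("task-c", frozenset({"emotet"}), frozenset({"other.example.test"}), frozenset({"198.51.100.7"}), True),
]

if __name__ == "__main__":
    related = pivot(SEED, TASKS)
    print([t.task_id for t in related])  # ['task-a', 'task-b']
    print(families(related))             # {'fareit': ['task-a'], 'pony': ['task-a']}
```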
While I was writing this article I also found out about another neat new feature in ANY.RUN — Malware Trends Tracker. Now I use it to keep an eye on the currently most active malware and to copy IOCs of various malware families (for example, IP addresses, domain names, and hashes of emotet). In addition, I like that there is a short description of each malware and an execution example, as well as the ability to open the newest uploaded samples in ANY.RUN and dig right into the analysis.
The main page of the tracker has a convenient search where I can select an article from the list, and it also features autofill, which I thought was neat when you try to type in those complicated malware names. The “last seen at” section lists the 20 most recently uploaded tasks with the selected malware. In this example, I was searching for emotet.
If you navigate to Public submissions, you will be redirected to a Public submissions page with tasks already filtered by tag.
The IOCs column also lists the last 20 IP addresses, hash sums, and domain names.
So here we go, guys, a little look at two features that regularly save me significant time and energy when I don’t want to reverse engineer a sample just to find more general or basic information about it.
