How to Analyze Malware’s Network Traffic in A Sandbox

Analyze Malware Network Traffic

Malware analysis encompasses a broad range of activities, including examining the malware’s network traffic. To be effective at it, it’s crucial to understand the common challenges and how to overcome them. Here are three prevalent issues you may encounter and the tools you’ll need to address them.

Decrypting HTTPS traffic

Hypertext Transfer Protocol Secure (HTTPS), the protocol for secure online communication, has become a tool for malware to conceal their malicious activities. By cloaking data exchange between infected devices and command-and-control (C&C) servers, malware can operate undetected, exfiltrating sensitive data, installing additional payloads, and receiving instructions from the operators.

Yet, with the right tool, decrypting HTTPS traffic is an easy task. For this purpose, we can use a man-in-the-middle (MITM) proxy. The MITM proxy works as an intermediary between the client and the server, intercepting their communication.

The MITM proxy aids analysts in real-time monitoring of the malware’s network traffic, providing them with a clear view of its activities. Among other things, analysts can access content of request and response packets, IPs, and URLs to view the details of the malware’s communication and identify stolen data. The tool is particularly useful for extracting SSL keys used by the malware.

Use case

Analyze Malware Network Traffic
Information about AxileStealer provided by the ANY.RUN sandbox

In this example, the initial file, 237.06 KB in size, drops AxilStealer’s executable file, 129.54 KB in size. As a typical stealer, it gains access to passwords stored in web browsers and begins to transfer them to attackers via a Telegram messenger connection.

The malicious activity is indicated by the rule “STEALER [ANY.RUN] Attempt to exfiltrate via Telegram”. Thanks to the MITM proxy feature, the malware’s traffic is decrypted, revealing more details about the incident.

Malware Analysis

Use a MITM proxy and dozens of other advanced features for in-depth malware analysis in the ANY.RUN sandbox.

Request a free trial

Discovering malware’s family

Malware family identification is a crucial part of any cyber investigation. Yara and Suricata rules are commonly used tools for this task, but their effectiveness may be limited when dealing with malware samples whose servers are no longer active.

FakeNET offers a solution to this challenge by creating a fake server connection that responds to malware requests. Tricking the malware to send a request triggers a Suricata or YARA rule, which accurately identifies the malware family.

Use case

Analyze Malware Network Traffic
Inactive servers detected by the ANY.RUN sandbox

When analyzing this sample, the sandbox points to the fact that the malware’s servers are unresponsive.

Analyze Malware Network Traffic
Smoke Loader malware identified using FakeNET

Yet, after enabling the FakeNET feature, the malicious software instantly sends a request to a fake server, triggering the network rule that identifies it as Smoke Loader.

Catching geo-targeted and evasive malware

Many attacks and phishing campaigns focus on specific geographic regions or countries. Subsequently, they incorporate mechanisms like IP geolocation, language detection, or website blocking which may limit analysts’ ability to detect them.

Alongside geo-targeting, malware operators may leverage techniques to evade analysis in sandbox environments. A common approach is to verify whether the system is using a datacenter IP address. If confirmed, the malicious software stops execution.

To counter these obstacles, analysts use a residential proxy. This nifty tool works by switching the IP address of the analyst’s device or virtual machine to ordinary users’ residential IPs from different parts of the world.

This feature empowers professionals to bypass geo-restrictions by mimicking local users and study malicious activities without revealing their sandbox environment.

Use case

Analyze Malware Network Traffic
Smoke Loader malware identified using FakeNET

Here, Xworm instantly checks for a hosting IP address as soon as it is uploaded to a sandbox. Yet, since the VM has a residential proxy, the malware continues to execute and connects to its command-and-control server.

Try all of these tools in ANY.RUN

Setting up and using each of the aforementioned tools individually can take a lot of effort. To access and utilize all of them with ease, use the cloud-based ANY.RUN sandbox.

The key feature of the service is interactivity, allowing you to safely engage with malware and the infected system just like you would on your own computer.

You can explore these and numerous other features of ANY.RUN, including private space for your team, Windows 7, 8, 10, 11 VMs, and API integration completely for free.

Just use a 14-day trial, no strings attached.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.