Phishing and malware threats are becoming increasingly widespread every year. In fact, nearly 1.2% of all emails sent globally are malicious, translating to around 3.4 billion phishing emails daily.
To defend yourself and your organization from potential threats, it’s crucial to quickly analyze any suspicious files or URLs you encounter.
One of the most effective tools for this purpose is a malware sandbox. The latter allows anyone to safely examine potential malware or phishing threats without worrying about the harm they might cause.
What is a Malware Sandbox
Contents
Malware sandbox is a type of cybersecurity tool that allows users to analyze the malicious file or URL inside an isolated virtual environment without causing harm to your systems.
Interactive malware sandboxes like ANY.RUN let you not only analyze threats in real time, but also engage with them to expose sophisticated malicious behaviors requiring user interaction to trigger.
ANY.RUN has an intuitive interface and is fully cloud-based. You can upload your file or link for analysis and get a conclusive verdict in under 40 seconds along with a thorough report on the threat.
| Create a free ANY.RUN sandbox account to analyze phishing and malware in your browser |
How to Analyze a Suspicious File
Let’s use a LockBit ransomware sample as an example for our analysis.
Upload your file
Select file or link analysis
Navigate to ANY.RUN sandbox and click on the corresponding button to upload a file or paste a URL you want to analyze.
Configure VM
VM settings available in ANY.RUN
Switch to the “Pro Mode” to fine-tune the environment of your analysis.
You can choose the operating system (Windows or Linux), network settings (residential proxy and TOR routing), duration of your analysis (up to 20 mins), etc.
To get detailed explanations for each setting, click on the question mark icon in the top right corner.
Start analyzing
After clicking “Run a public/private analysis”, you’ll access the analysis page.
Here, you can examine the execution of the malicious file in real time and interact with it manually like you would on a standard computer.
In the example below, you can see the analysis of LockBit ransomware.
LockBit ransomware analysis in ANY.RUN
We can see how the malware encrypts files and replaces the device’s wallpaper with an image instructing the user to open a ransom note.
ANY.RUN gives a conclusive verdict on the threat
The sandbox instantly identifies this as “malicious activity” and generates comprehensive analysis of the malicious behavior.
As part of your investigation, you can access:
- Modified files;
- Registry changes / Registry keys;
- Synchronization;
- HTTP Requests;
- Connections;
- Network threats;
IOCs extracted as part of the LockBit sample analysis
You can also collect indicators of compromise (IOCs) of the threat, which are important elements for timely detection of malware.
How to Analyze a Suspicious Link
Using an interactive malware sandbox like ANY.RUN, you can also safely analyze suspicious links to determine if they pose a threat.
As an example, let’s study a phishing URL disguised as a Google page.
Phishing website analyzed in ANY.RUN sandbox
This page prompts us to download a fake Google Authenticator, which gets instantly recognized by the sandbox.
The sandbox immediately notifies us that this is a phishing page
Thanks to our sandbox’s interactivity, we can easily do so to investigate the behavior of this malicious file further.
File downloaded from the fake website
Once we launch the retrieved file, the sandbox signals that it is a DeerStealer sample, malware used by attackers to steal users’ credentials and other sensitive data.
Analysis of the executable file distributed via the phishing page
We can learn more about the malicious process, which started on the computer after we executed the file, by clicking on the “More Info” option.
Advanced details window gives a thorough overview of each process
The sandbox provides us with an overview of the activities performed by the malware, including system information collection and connection to command-and-control (C2) server.
Report by ChatGPT in ANY.RUN
If you’re unsure whether the process at hand is malicious or not, you can simply use the ChatGPT button to receive a detailed explanation of what the process does in seconds.
Conclusion
To effectively combat malware and phishing threats, it’s crucial to use tools like malware sandboxes, where you can safely analyze the behavior of each potential threat without risking damage to your system or computer.
ANY.RUN allows you to analyze malicious files or links directly in your browser, providing a secure environment to observe their behavior in real-time.
By following the steps outlined above, you can detect malicious activities and develop better strategies to protect your systems, all based on the thorough analysis provided by ANY.RUN.