Site icon Tapscape

Step-by-Step Guide to Malware and Phishing Analysis in Your Browser

Step-by-Step Guide to Malware and Phishing Analysis in Your Browser

Phishing and malware threats are becoming increasingly widespread every year. In fact, nearly 1.2% of all emails sent globally are malicious, translating to around 3.4 billion phishing emails daily.

To defend yourself and your organization from potential threats, it’s crucial to quickly analyze any suspicious files or URLs you encounter.

One of the most effective tools for this purpose is a malware sandbox. The latter allows anyone to safely examine potential malware or phishing threats without worrying about the harm they might cause.

What is a Malware Sandbox

Malware sandbox is a type of cybersecurity tool that allows users to analyze the malicious file or URL inside an isolated virtual environment without causing harm to your systems.

Interactive malware sandboxes like ANY.RUN let you not only analyze threats in real time, but also engage with them to expose sophisticated malicious behaviors requiring user interaction to trigger.

ANY.RUN has an intuitive interface and is fully cloud-based. You can upload your file or link for analysis and get a conclusive verdict in under 40 seconds along with a thorough report on the threat.

Create a free ANY.RUN sandbox account to analyze phishing and malware in your browser

How to Analyze a Suspicious File 

Let’s use a LockBit ransomware sample as an example for our analysis.

Upload your file

Select file or link analysis

Navigate to ANY.RUN sandbox and click on the corresponding button to upload a file or paste a URL you want to analyze.  

Configure VM

VM settings available in ANY.RUN

Switch to the “Pro Mode” to fine-tune the environment of your analysis.

You can choose the operating system (Windows or Linux), network settings (residential proxy and TOR routing), duration of your analysis (up to 20 mins), etc.

To get detailed explanations for each setting, click on the question mark icon in the top right corner.

Start analyzing

After clicking “Run a public/private analysis”, you’ll access the analysis page.

Here, you can examine the execution of the malicious file in real time and interact with it manually like you would on a standard computer.

In the example below, you can see the analysis of LockBit ransomware.

LockBit ransomware analysis in ANY.RUN

We can see how the malware encrypts files and replaces the device’s wallpaper with an image instructing the user to open a ransom note.

ANY.RUN gives a conclusive verdict on the threat

The sandbox instantly identifies this as “malicious activity” and generates comprehensive analysis of the malicious behavior.

As part of your investigation, you can access:

IOCs extracted as part of the LockBit sample analysis

You can also collect indicators of compromise (IOCs) of the threat, which are important elements for timely detection of malware.

How to Analyze a Suspicious Link

Using an interactive malware sandbox like ANY.RUN, you can also safely analyze suspicious links to determine if they pose a threat.

As an example, let’s study a phishing URL disguised as a Google page.

Phishing website analyzed in ANY.RUN sandbox

This page prompts us to download a fake Google Authenticator, which gets instantly recognized by the sandbox.

The sandbox immediately notifies us that this is a phishing page

Thanks to our sandbox’s interactivity, we can easily do so to investigate the behavior of this malicious file further.

File downloaded from the fake website

Once we launch the retrieved file, the sandbox signals that it is a DeerStealer sample, malware used by attackers to steal users’ credentials and other sensitive data.

Analysis of the executable file distributed via the phishing page

We can learn more about the malicious process, which started on the computer after we executed the file, by clicking on the “More Info” option.

Advanced details window gives a thorough overview of each process

The sandbox provides us with an overview of the activities performed by the malware, including system information collection and connection to command-and-control (C2) server.

Report by ChatGPT in ANY.RUN

If you’re unsure whether the process at hand is malicious or not, you can simply use the ChatGPT button to receive a detailed explanation of what the process does in seconds.

Conclusion

To effectively combat malware and phishing threats, it’s crucial to use tools like malware sandboxes, where you can safely analyze the behavior of each potential threat without risking damage to your system or computer.

ANY.RUN allows you to analyze malicious files or links directly in your browser, providing a secure environment to observe their behavior in real-time.

By following the steps outlined above, you can detect malicious activities and develop better strategies to protect your systems, all based on the thorough analysis provided by ANY.RUN.