
Section 3.7 Lab: Malware Analysis

The website Any Run (any.run) offers free interactive malware analysis in a sandboxed VM in the cloud. We will use this site to avoid the complications of running malware locally.
Visit Any Run (any.run) and register with your university email. Once registered, follow their tutorial using the demo sample to observe how malware executes in a sandbox. Take your time: even after the timer expires you will still be able to look at the running processes and analyze HTTP Requests, Connections, DNS Requests, and Threats.
This lab focuses on Emotet (www.malwarebytes.com/emotet), a banking trojan discovered in 2014. On the Any Run site, go to Reports → Public Submissions and search for the following MD5 hash: 0e106000b2ef3603477cb460f2fc1751. You may choose any of the many available reports. Read through the report's screenshots first; the steps below then show how to recreate the analysis in Any Run's sandbox.

Note 3.7.1.

Some reports are incomplete or broken. We recommend using this known-working public report to begin: Emotet Sample Report (app.any.run/tasks/f93a7b25-9ce1-4a95-9591-83622300bae4).

Checkpoint 3.7.2. Launching Emotet Sample in Any Run.

Follow these steps to run the malware:
  1. Click “Restart” in the upper-right corner of the page.
  2. Select the Windows 7 64-bit VM template.
  3. Then click Run Public Analysis; this will start the VM instance.
  4. You can add more time to the analysis by clicking Add Time.
  5. Use the panel below the sandbox screen to explore HTTP Requests, Connections, DNS Requests, and Threats.
Hint.
If you’re stuck or the malware doesn’t behave as expected, refer to the screenshots we analyzed earlier for guidance, or try a different public report with the same MD5.

Note 3.7.3.

When the malware runs, open Notepad on the VM, type your name, and take a screenshot in case your instructor asks for verification.
After that, you can explore another sample of your choice from the public report database. Any Run hosts over 10 million reports!

Checkpoint 3.7.4.

Why is malware often put inside an archive file instead of being distributed as a simple executable?
  • It reduces file size.
      Not quite — while file size is slightly reduced, that’s not the main reason for using an archive.
  • It changes how the malware works.
      Incorrect. The archive format doesn’t alter the behavior of the malware itself.
  • It becomes harder for email and antivirus tools to detect.
      Correct! Archives can sometimes bypass email filters or antivirus scans, especially when the archive is password-protected or deeply nested.
  • It is able to be automatically run after unzipping.
      Incorrect. Files in an archive must be manually extracted and executed — they don’t run automatically.
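The correct answer above is also the defender's starting point: a mail gateway or triage script can flag exactly the archive properties that make scanning hard (password-protected entries, archives nested inside archives, executable payloads) without ever running the contents. The script below is an added example for this lab, not Any Run's or the textbook's code; every archive it inspects is constructed in memory, and the extension lists, depth limit and size cap are assumptions chosen for the example.

```python
"""Static triage of an archive attachment: flag the properties that let
archives slip past mail and AV scanners (password protection, nesting,
executable payloads). Added example for this lab; it is not Any Run's or the
textbook's code, and every archive it inspects is constructed in memory."""
import io
import struct
import zipfile

EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".lnk"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
OFFICE_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".docm", ".xlsm"}  # zip containers, not archives
ZIP_MAGIC = b"PK\x03\x04"
MAX_DEPTH = 3                        # stop descending into archives-in-archives
MAX_ENTRY_BYTES = 50 * 1024 * 1024   # never inflate huge entries (decompression bombs)


def _ext(name):
    dot = name.lower().rfind(".")
    return name.lower()[dot:] if dot != -1 else ""


def inspect_zip(data, depth=0):
    """Walk a zip archive without executing anything and collect findings."""
    findings = {"encrypted": [], "executables": [], "nested": [], "depth": depth}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            if info.flag_bits & 0x1:            # general-purpose bit 0: entry is encrypted
                findings["encrypted"].append(info.filename)
                continue                         # contents are opaque without the password
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            payload = zf.read(info.filename)
            if ext in EXEC_EXTENSIONS or payload[:2] == b"MZ":   # "MZ" = Windows PE header
                findings["executables"].append(info.filename)
            looks_like_zip = payload[:4] == ZIP_MAGIC and ext not in OFFICE_EXTENSIONS
            if ext in ARCHIVE_EXTENSIONS or looks_like_zip:
                findings["nested"].append(info.filename)
                if looks_like_zip and depth + 1 < MAX_DEPTH:
                    inner = inspect_zip(payload, depth + 1)
                    for key in ("encrypted", "executables", "nested"):
                        findings[key] += [f"{info.filename}/{n}" for n in inner[key]]
                    findings["depth"] = max(findings["depth"], inner["depth"])
    return findings


def verdict(findings):
    """Turn findings into a triage decision plus the reasons a reviewer needs."""
    reasons = []
    if findings["encrypted"]:
        reasons.append("password-protected entries: scanner cannot see the contents")
    if findings["nested"]:
        reasons.append("archive nested inside archive (depth %d)" % findings["depth"])
    if findings["executables"]:
        reasons.append("executable payload: " + ", ".join(findings["executables"]))
    return ("quarantine" if reasons else "allow"), reasons


def make_zip(entries):
    """Build an archive in memory from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes):
    """Set the 'encrypted' flag bit in every central-directory entry.

    The zipfile module cannot write password-protected archives, so the
    constructed sample is patched to carry the flag a real one would have."""
    data = bytearray(zip_bytes)
    pos = data.find(b"PK\x01\x02")               # central-directory header signature
    while pos != -1:
        (flags,) = struct.unpack_from("<H", data, pos + 8)
        struct.pack_into("<H", data, pos + 8, flags | 0x1)
        pos = data.find(b"PK\x01\x02", pos + 4)
    return bytes(data)


# Constructed samples: a harmless PDF, an exe hidden one level down, a locked archive.
BENIGN = make_zip([("report.pdf", b"%PDF-1.4 constructed placeholder")])
NESTED = make_zip([("invoice.zip", make_zip([("invoice.exe", b"MZ" + b"\x00" * 62)]))])
LOCKED = mark_encrypted(make_zip([("invoice.doc", b"constructed placeholder")]))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("nested", NESTED), ("locked", LOCKED)):
        print(label, verdict(inspect_zip(sample)))
```

The point the quiz makes shows up directly in the output: for the locked archive the script can say nothing about what is inside, which is exactly why a scanner treats password protection itself as a reason to hold the message rather than as a neutral property.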

Checkpoint 3.7.5. Check Your Understanding.

Answer the following questions about your analysis:
  1. What malware did you explore? What is its name and what does it seem to do?
  2. What does this malware do to ensure it stays running in the background?
  3. What IP addresses (if any) does the malware try to contact?
  4. Does this malware resolve any DNS names? How can you tell?
  5. How could you uniquely identify this file as malware? (e.g., hash, behavior, strings)
  6. What are Indicators of Compromise (IoCs), and what are the IoCs for this malware?
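Questions 3 through 6 are answered from the same data the Any Run panels show (DNS Requests, Connections, HTTP Requests, registry changes) plus the file's hash. The script below is an added example for this lab, not Any Run's code or its report format: it works on a constructed report dictionary that imitates those panels, using documentation-range IP addresses, a reserved `.example` domain and made-up file and value names, and it shows how a hash identifies the exact file while behavioural IoCs (contacted IPs, resolved names, an autostart registry entry) identify the activity. The allowlist of background Windows domains and the non-routable address list are assumptions for the example; the MD5 is the one the lab searches for.

```python
"""Extract Indicators of Compromise from a sandbox report and fingerprint the
sample by hash. Added example for this lab, not Any Run's code or report
format: the report below is constructed to resemble the DNS Requests,
Connections, HTTP Requests and registry panels."""
import hashlib
import ipaddress
import re

# The MD5 the lab searches for, taken from the page; the mapped text is a label
# for this lab, not a vendor detection name.
KNOWN_BAD_MD5 = {"0e106000b2ef3603477cb460f2fc1751": "Emotet (lab sample)"}

# Address ranges that are noise in a sandbox: the VM's own network, loopback,
# link-local and multicast. Documentation ranges (203.0.113.0/24 etc.) stay in.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8")]
# Background Windows connectivity-check traffic (assumed allowlist).
BENIGN_DOMAINS = {"dns.msftncsi.com", "www.msftconnecttest.com"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Constructed report: what a submission might show, not a real Emotet run.
REPORT = {
    "dns": [
        {"domain": "dns.msftncsi.com", "ips": ["131.107.255.255"]},
        {"domain": "update-service.example", "ips": ["203.0.113.5"]},
    ],
    "connections": [
        {"ip": "10.0.2.2", "port": 53, "proto": "udp"},        # sandbox-internal gateway
        {"ip": "203.0.113.5", "port": 8080, "proto": "tcp"},
        {"ip": "198.51.100.77", "port": 443, "proto": "tcp"},
    ],
    "http": [{"method": "POST", "url": "http://203.0.113.5:8080/wlupd/", "status": 200}],
    "registry": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "name": "wlupd",
                  "data": "C:\\Users\\admin\\AppData\\Local\\wlupd\\wlupd.exe"}],
}
SAMPLE_BYTES = b"constructed placeholder bytes, not the real sample"


def hash_digests(data):
    """MD5, SHA-1 and SHA-256 of the file: the simplest unique identifier."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def match_known_hashes(data, known_md5=KNOWN_BAD_MD5):
    """Return the label for a known-bad MD5, or None. A single changed byte
    defeats a hash match, which is why behavioural IoCs matter as well."""
    return known_md5.get(hash_digests(data)["md5"])


def is_routable(ip):
    """True for addresses worth reporting as IoCs (not sandbox-internal)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def extract_iocs(report):
    """Pull network and persistence IoCs out of the report structure."""
    domains, ips, urls, persistence = set(), set(), set(), []
    for entry in report.get("dns", []):
        if entry["domain"].lower() in BENIGN_DOMAINS:
            continue
        domains.add(entry["domain"].lower())
        ips.update(ip for ip in entry.get("ips", []) if is_routable(ip))
    for conn in report.get("connections", []):
        if is_routable(conn["ip"]):
            ips.add(conn["ip"])
    for req in report.get("http", []):
        urls.add(req["url"])
    for reg in report.get("registry", []):
        if RUN_KEY.search(reg["key"]):           # autostart entry: survives a reboot
            persistence.append(f'{reg["key"]}\\{reg["name"]} -> {reg["data"]}')
    return {"domains": sorted(domains), "ips": sorted(ips),
            "urls": sorted(urls), "persistence": persistence}


if __name__ == "__main__":
    print("hashes:", hash_digests(SAMPLE_BYTES))
    print("known-bad match:", match_known_hashes(SAMPLE_BYTES))
    for kind, values in extract_iocs(REPORT).items():
        print(f"{kind}: {values}")
```

When you answer question 5, note the asymmetry the two halves of the script illustrate: the hash identifies one exact file and nothing else, while the extracted domains, addresses and Run-key entry describe behaviour that stays useful even after the binary is repacked.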