Tools for Conducting Malware Traffic Analysis in a Sandbox

A malware sandbox is a versatile solution that offers a variety of tools for studying malicious behavior, including threats’ network traffic.

A quick sandbox analysis can reveal tons of useful information, such as the malware’s communication with its command-and-control server and external sources where its payloads are stored. Let’s find out what else a sandbox can help us learn as part of traffic investigations.

EHA

1. HTTP Requests Analysis 

HTTP request analysis is a method of examining the details of connection requests made by the malware.

In a sandbox like ANY.RUN, users can get a comprehensive view of these details, including the response of the URL connection and its content. The ability to filter by URL is also available, making it easier to focus on specific connections.

Example: Exposing Malware’s Evasion Attempt

Let’s upload a sample of the Agent Tesla malware to the sandbox to demonstrate how network traffic analysis can be performed.

The HTTP Requests tab reveals connections which are related to specific processes launched during the malware execution.

HTTP connection and the PID 6444 process it corresponds to

In our case, the PID 6444 process corresponds to the Agent Tesla payload. Further examination of the HTTP protocol connection associated with the process shows that the malware attempted to connect to ip-api.com, a legitimate internet diagnostics service.

Are you from SOC/DFIR Teams? - Sign up for a free ANY.RUN account! to Analyse Advanced Malware files

Threat actors use it to gather additional client information, including to detect a sandbox environment by checking if the machine is using a hosting provider IP address. The malware may cease operation to evade detection based on this information.

Residential proxy lets you select any preferred country’s residential IP  

The ANY.RUN sandbox makes it easy to counter this evasion technique by enabling the Residential Proxy feature that routes network traffic through a residential proxy during analysis. This prevents ip-api.com from revealing the sandbox’s actual IP address and ensures that the malware executes without interruptions.

ANY.RUN provides HTTP request details

When clicking on the ip-api.com connection in the HTTP Requests tab of the network block, we see HTTP connection data such as the URL for the GET request (…ip[-]api[.]com/line/?fields=hosting) and the server’s response – false.

2. Suricata Rule Detection

Suricata is an open-source network security tool that can be used within a sandbox for real-time traffic analysis. ANY.RUN’s database contains over 1,800 rules, created by the service’s in-house team of analysts, to detect suspicious traffic, including malware-related activities. It also integrates Emerging Threats Pro and Emerging Threats Open rulesets.

Example: Viewing Agent Tesla’s C2 Communication 

Let’s continue with the analysis of the Agent Tesla sample and explore the list of triggered Suricata rules. The service shows that all the threats detected by Suricata IDS stem from the same PID 6444 process.

The Threats tab in ANY.RUN contains all Suricata rules used during analysis 

Selecting the IDS alert at 19 sec. 381 ms after the analysis launch by clicking on the message “ET MALWARE AgentTesla Exfil via FTP” indicates that the malware uses a C2 FTP channel for data exfiltration.

ANY.RUN helps you see the captured packets

In the opened window, there are three tabs: Main, Stream Data, and Suricata rule.

The Main tab provides details about the threat, including metadata, a description of the triggered rule, a copyable filter for easy searching of the connection in Wireshark, transport layer and application layer protocols, addresses and ports of the connection. 

ANY.RUN helps you see the captured packets

The Stream Data tab lets you view the in-depth connection data in a convenient, compact format. It makes it easy to expand network messages and scroll through them.

Suricata rule contents in ANY.RUN 

The Suricata rule tab allows you to explore the details of the Suricata rule used for detection.

3. Network Stream Analysis

Network stream analysis is another powerful functionality of sandboxes that facilitates the understanding of malware behavior. In ANY.RUN, you can examine packet content and streams, or download data in the PCAP format for further analysis. 

The analysis provides insights into malware configuration (proxies, C2 addresses, data packing/retrieval), stolen data (passwords, logins, cookies), and downloads (including PE files).

Example: Viewing Malware’s Connections

ANY.RUN presents a list of connections, recorded during the analysis. The first one is an IP address request, the second is an FTP control connection, and the third contains the stolen data. 

Clicking on the Agent Tesla client’s connection with ftp.jeepcommerce[.]rs on port 60365 displays a Network Stream window, where we can study the communication between the two hosts.

Here, you can also get a Wireshark filter or select and copy HEX/Text substrings for further use, e.g., in CyberChef.

Analyze Malware and Phishing Attacks in ANY.RUN

ANY.RUN’s sandbox streamlines phishing and malware analysis, delivering actionable insights into threats in less than 40 seconds. 

You can explore ANY.RUN’s advanced features, including a private team workspace, Windows 10 and 11 VMs, and flexible analysis environment configurations for free.

Integrate ANY.RUN Malware Sandbox solutions into your company: Request a 14-day free trial of the service!

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.