VMRay Analyzer 2.2 – An Improved User Experience for Malware Analysts and Incident Responders

At VMRay, our underlying malware detection and analysis technology clearly sets us apart from the competition. With the release of VMRay Analyzer 2.2, we’ve focused on:

  • improving the user experience
  • enhancing our detection efficacy
  • and providing more valuable threat intelligence to malware analysts and incident responders.

The latest release has a slew of new features including:

  • a brand-new user interface
  • redesigned analysis reports with new tabs and sections
  • enhanced URL reputation including WHOis information
  • enhanced file reputation including behavior-based classification
  • automatic extraction and analysis of URLs embedded in PDF documents
  • entry-point fuzzing for DLL analysis
  • fuzzy hashing
  • Windows 10 support for Office documents and PDF files to complement the existing support for other file types.

In the blog post and video below we will take a look at these new features in more detail.

New User Interface

New Sample Overview Page - VMRay Analyzer 2.2 (1)
Figure 1: New Sample Overview page associated with a malicious file

Our new user interface is designed to be more intuitive for a Malware Analyst or Incident Responder to use. Take, for example, the Sample Overview page. In addition to the severity classification, the new Sample Overview Page provides users with details about the submitted file or URL, associated analysis results and reports, associated VirusTotal and Metadefender scan results (if enabled), detected malicious behavior patterns (Threat Indicators) and a list of exportable IOCs, all in one view. For a submitted file or URL, users can choose to view all analysis reports associated with a specific analysis environment or a specific Threat Indicator or a specific IOC. Users can also resubmit the sample and regenerate reports directly from the Sample Overview page.

New Analysis Report Overview - VMRay Analyzer 2.2
Figure 2: Sample Overview page showing all reports associated with a specific analysis environment

Redesigned Analysis Reports

Redesigned Analysis Report - VMRay Analyzer 2.2
Figure 3: Redesigned Analysis Reports for a malicious file

In addition to redesigning our analysis reports, we have made many additions to them such as the ‘IOC’ tab which provides a complete list of the Indicators of Compromise. We have also improved navigation across the report by providing users with the ability to directly dive into the specific areas of the log files by simply clicking on high-level detected threats.

As an example (Figure 4), if one of the detected threats in the analysis report is related to code injection, a user can simply click to jump to the exact process where this occurs and also see the exact function call associated with this detected threat. The ability to quickly perform such deep dives helps malware analysts and incident responders save valuable time.

VTI Score to Behavior Section - VMRay Analyzer 2.2
Figure 4: Quickly dive into the Behavior Section from high-level threat information

Enhanced Threat Intelligence

By integrating the Sophos and Google URL threat intelligence services, VMRay Analyzer provides enhanced security against millions of malicious URLs and infected websites. In v2.2, analysis reports now provide additional threat intelligence information on URLs uncovered during analysis (such as command and control (C2) servers malware attempts to communicate with, and URLs embedded in PDFs).

For example, if a file attempts to connect to a known malicious URL, not only will VMRay Analyzer flag the URL as ‘Blacklisted’ and add it to the list of IOCs, it will also provide users with additional information associated with the URL such as category information as well as WHOIS data about the associated domain. Unknown domains created only a few days before the file analysis can be treated as ‘suspicious’.

This is also the case for threat intelligence associated with files. In addition to flagging known malicious files as ‘Blacklisted’, VMRay Analyzer will provide information such as the malware family that the file belongs to and its first-seen date.

Connection to Malicious URL - VMRay Analyzer 2.2
Figure 5: VMRay Analysis Report showing a file’s connection to known malicious URL

Continuing to bolster threat intelligence in v2.2, we’ve added Behavior-based classification to our Analysis reports. Malicious files will now be classified into categories based on their exhibited behavior. These categories include ransomware, Information stealer, keylogger, downloader and dropper.

Sample Classification - VMRay Analyzer 2.2
Figure 6: VMRay Analysis Report showing file classification based on behavior

Higher Detection Efficacy

VMRay Analyzer 2.2 also has added several features that improve its overall detection efficacy. One of these features is the extraction (and subsequent lookup) of URLs within a PDF document. URLs are extracted from a PDF document (even if they are not triggered during an analysis) to determine if they are malicious.

Known Malicious URLs PDF - VMRay Analyzer 2.2
Figure 7: VMRay Analysis Report showing known malicious URLs found in a PDF document

Another useful feature in v2.2 is the ability to configure several new options when submitting a sample. For example, users can now run an analysis with the system time set to a specific date. Very often this can be the difference between malware exhibiting its true behavior and malware showing no malicious behavior patterns at all.

Users can also disable the ‘Automatic User Interaction’ feature and manually interact with malware via the VNC interface within VMRay Analyzer.

Analysis Customization - VMRay Analyzer 2.2
Figure 8: Configuration options when a sample is submitted
Manual Interaction (Submitting File) - VMRay Analyzer 2.2
Figure 9: Submitting a sample with using customized configuration settings
Manual Interaction (Job in Queue) - VMRay Analyzer 2.2
Figure 10: Click into a job in queue to access the VNC
Manual Interaction (VNC) - VMRay Analyzer 2.2
Figure 11: Manual interaction with a sample through the VNC

Very often, a DLL sample submitted for analysis may not reveal its behavior unless the appropriate export function is called with the correct parameters. As a result, when users submit a DLL file for analysis, they need to provide a self-crafted custom loader that loads the module and calls the relevant export functions.

In v2.2, we have introduced the VMRay Fuzzer, a tool that automatically loads DLLs using a heuristic that aims at revealing as much activity as possible. Alternatively, users can manually select the different exported functions during submission via drag and drop with certain arguments. VMRay Analyzer will then call the exported functions in the right order with the provided arguments.

VMRay Analyzer Fuzzer - VMRay Analyzer 2.2
Figure 12: Entry-point fuzzing accessible from the sample submission page.

Additional Features

In addition to everything listed above, we’ve also rounded out the release by including the following features in VMRay Analyzer 2.2:

  • Windows 10 support for analysis of Office documents and PDF files to complement the existing Windows 10 support for other file types,
  • New VTI rules for malware detection

VMRay Analyzer Customers can access a full list of changes and fixes by referencing the changelog in the online documentation.