VMRay Analyzer v2.1 Enhances Detection Efficacy & Fileless Malware Analysis

VMRay Analyzer 2.1 will be officially announced at Black Hat 2017 this week. Over the last three years, VMRay has set itself apart from the competition in the Automated Malware Analysis (AMA) industry with its unique agentless hypervisor-based approach to malware detection. This approach enables DFIR Specialists and CERTs using VMRay Analyzer to detect new and evasive malware by generating complete, accurate results during sandbox analysis.

With the release of v2.1, we have bolstered the detection efficacy of our analysis engine, added support for new file types, integrated a new URL reputation engine into the product and reinforced support for pattern based matching using YARA rules. In addition, we have significantly improved the quality of our machine-readable reports by making them available in more detailed, more easily-ingestible formats. Here’s an overview of the new features.

Enhanced Fileless Malware Analysis

Fileless malware is defined by malware analysis expert Lenny Zeltser as “..malware that operates without placing malicious executables on the file system.” An important nuance here is there *may* be files associated with fileless malware and they *may* modify existing file structures on the target machine.

One common method used by malware authors is to implement registry changes. In v2.1 of VMRay Analyzer, we have enhanced the tracking and scoring of malicious registry modifications.

Built-in Global YARA Rulesets to Identify Exploits and Classify Malware

YARA rules help malware researchers identify and classify malware by family based on known binary patterns and strings. Users of VMRay Analyzer have been able to create and add their own YARA rules since v1.11. In v2.1, users will have access to several hundred built-in YARA rules to bolster detection efficacy and get enhanced metadata on the analysis results.

Amongst the YARA rulesets included are ones for CVEs and Exploit Kits. The rulesets identify malware behavior that corresponds to a known exploit using a known vulnerability. A match on the CVE ruleset, for example, will identify the specific vulnerability in the targeted application (for example, a vulnerability in a particular application like Word within a specific version of MS Office). This is helpful to quickly identify which of your enterprise’s desktop and server environments are at greater risk from the analyzed malware.

Built-In Yara Rules - VMRay Analyzer V2.1
Figure 1: Built-in YARA Rulesets in VMRay Analyzer V 2.1

YARA rule matches are also listed under ‘Detected threats’ along with other Indicators of Compromise (IOC) in the analysis report. These rule matches directly affect the overall severity score of the sample under analysis. For detailed information about the built-in YARA rulesets in our v2.1 release read our related blog post.

Yara Rule Match - VMRay Analyzer V2.1
Figure 2: YARA rule match affects the overall severity score of the sample

Support for Analysis of Malicious Code in Password Protected Documents

A prominent tactic used by malware authors to evade automated sandboxing technologies is embedding malicious code in password protected documents. With VMRay Analyzer, it has always been possible to manually interact with malware using browser based VNC access. By disabling automatic interaction, users can manually enter the password during the process of interacting with malware.

In v2.1, VMRay Analyzer will completely automate the process by allowing users to provide a password at the time of submission and this password will be entered by the sandbox during the behavioral analysis.

Password Protected Document Support - VMRay Analyzer v2.1
Figure 3: Automated analysis of password protected documents

Analysis Summary Reports in JSON Format to Facilitate Threat Intelligence Sharing

Threat intelligence sharing is centered around the ability to describe cyber threat information in a consistent format. VMRay Analyzer provides analysis reports in XML format (STIX/CybOX) so that it can be consumed, analyzed and shared in an automated manner.

In v2.1, analysis summary reports will also be available in JSON format. These JSON reports will provide more detailed information about Indicators of Compromise (IOC’s), processes and associated memory regions, YARA rule matches, dropped and modified files, and threat scores. They will facilitate the extraction of threat intelligence and enable users to share threat indicators for faster detection of malware across networks.

JSON Format - VMRay Analyzer V2.1
Figure 4: Analysis Summary Report in JSON format

Customization of Analysis Environment

VMRay Analyzer v2.1 will allow users to customize the analysis environment for every submission in the web interface. Analysis environment settings that can be customized include analysis timeout, enable/disable automatic user interaction, prescript timeouts, run sample as administrator etc. It is also possible to choose which analysis environment settings can be customized on the submission page.

Analysis Environment - VMRay Analyzer v2.1
Figure 5: Customization of the Analysis Environment when a sample is submitted

Integrated Domain/URL Reputation Engine for Greater Detection Efficacy

In v2.0, we introduced the VMRay File reputation engine which contains a database of known malicious file hashes and known benign file hashes that can be looked up before starting an analysis. v2.1 also includes an integrated Domain/URL reputation engine.

Sometimes during a behavioral analysis the URL of a Command and Control (C&C) server may not be reachable because it has already been taken down. Consequently, no instructions or malicious files are downloaded from the C&C and as a result  the sample may not be classified as particularly malicious.  Having a reputation engine that looks up not only the file reputation but also the reputation of the URL associated with the C&C ensures that no known malicious files go under the radar for reasons such as an unreachable C&C. If a sample attempts to connect to a known malicious URL during the analysis, this will be flagged by the analyzer. Attempts to connect to a known malicious/ suspicious URL will also affect the VMRay Threat Indicator (VTI) score of the sample.

Built-In URL Reputation Engine - VMRay Analyzer V2.1
Figure 6: Attempts by the sample to connect to a known malicious URL affect the VTI score

More New Features in VMRay Analyzer V2.1

In addition to the features listed above, VMRay Analyzer v2.1 also includes:

  • Support for analysis of Shell-Link file format (.lnk for pwrsh, bat, hta, and dll)
  • A new ‘Auto reboot’ feature after MBR infection, modification of autostart registry keys and/or executables in autostart folders
  • Several new anti-evasion features to counter evasive malware

For the full list of changes and fixes, please refer to the changelog in the online documentation.