VMRay Analyzer version 4.5 adds the capability to extract malware configurations. In this blog post we take a deep dive into malware configurations: what they are, how they can be used, and how VMRay Analyzer extracts and presents them.
Figure 1. The malware configuration of an Agent Tesla sample, extracted by VMRay Analyzer 4.5
The configuration of a malware sample defines how the malware behaves. Automatically extracting the configuration brings many benefits to defenders.
Figure 2. Years of Ursnif samples clustered based on data extracted from their configuration in a VMRay-SANS webcast last year
To understand malware configurations, we should first look into how malware is typically generated with malware builders.
Countless different malware samples are used in the wild every day, but they are not as different as they might first seem. Malware development is a long, resource-intensive process, and it’s almost never worth it for a malware developer to create malware for a single attack. Instead, malware developers create so-called malware builders. People using the builder can conveniently configure and generate new malware that fits their needs. The collection of malware samples generated by the same builder is referred to as a malware family.
A malware builder allows its user to configure options that make the malware sample unique: which C2 URLs to connect to, which malicious behaviors are enabled, how persistence is achieved, how data is exfiltrated, which evasion methods are enabled, and anything else the malware developer implemented. The builder also adds its own automatically generated data, such as encryption keys. All of this valuable configuration data is stored somewhere within the malware, typically obfuscated. VMRay Analyzer now automatically extracts and parses these configurations for supported malware families.
Figure 3. NanoCore malware builder graphical interface
VMRay Analyzer extracts configuration from supported families, and presents them in three ways:
Figure 4. Extracted configuration for the malware NanoCore as seen on the analysis overview
As an example, the configuration above shows the data that was extracted from a NanoCore sample. It first includes common data, such as the version of the malware, its mutex and the socket used to connect home, and timings such as how much time to wait between C2 connections. The table also shows family-specific data, such as which of the malicious features are enabled. In the table we can see that the malware is configured to execute on startup, attempts to bypass UAC, clears the Zone identifier, prevents the system from going to sleep, and uses 22.214.171.124 as a DNS server instead of the one configured in Windows.
VMRay Analyzer distinguishes between artifacts and IOCs. In VMRay’s terminology:
This allows filtering out useless sandbox artifacts, and having only a list of IOCs that matter.
The configuration extractors also add new artifacts and IOCs based on the information they found within the malware. For example, in the extraction above we found two IOCs: a URL and a mutex. The extractor has added both of them as malicious IOCs.
This means that when a family is supported by configuration extractors, we will have all IOCs such as URLs that were part of the configuration, even if during the sandbox execution there was not enough time to reach them. The differentiation between IOCs and artifacts also becomes much more accurate, since the extractors allow us to distinguish benign network connections from callbacks to C2 URLs found in the configuration.
Figure 5. URL IOC added by the configuration extractor
When analyzing a huge number of malware samples, we want to receive malware configurations in a well-defined, predictable, industry-standard format that can be easily integrated into a security system. After researching all available options we could find, we settled on using the output format defined by the US Defense Cyber Crime Center’s MWCP project.
The format has many advantages that we think make it the best choice:
Figure 6. MWCP-style configuration JSON
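As an added illustration (not VMRay's code, and not the exact schema of its output), the snippet below consumes a constructed MWCP-style JSON report, turns the configured C2 URLs and mutex into IOCs, and then labels observed sandbox connections as C2 callbacks or mere artifacts, which is the differentiation described above. The flat `c2_url`/`mutex`/`url` keys, the report contents and the log lines are all assumptions built for this example.

```python
import json
from urllib.parse import urlparse

# Constructed MWCP-style report (assumed flat-key schema, not VMRay's actual
# output). "url" holds a non-C2 URL the malware also contacts, so it should
# not be promoted to an IOC.
SAMPLE_REPORT = json.dumps({
    "c2_url": ["http://c2.example.test/gate.php",
               "http://backup.example.test/gate.php"],
    "mutex": ["ExampleMutex-1234"],
    "url": ["http://www.msftncsi.com/ncsi.txt"],
})

# Constructed network log lines from a hypothetical sandbox run:
# "<method> <url> <status>". The C2 callback failed (404) and the backup
# C2 was never reached within the analysis time.
SAMPLE_LOG = [
    "GET http://www.msftncsi.com/ncsi.txt 200",
    "POST http://c2.example.test/gate.php 404",
    "GET http://example.test/update 200",
]

def extract_iocs(report_json):
    """Return a set of (type, value) IOCs taken from the configuration only."""
    report = json.loads(report_json)
    iocs = set()
    for url in report.get("c2_url", []):
        iocs.add(("c2_url", url))
    for mutex in report.get("mutex", []):
        iocs.add(("mutex", mutex))
    return iocs

def classify_connections(log_lines, iocs):
    """Label each observed URL 'c2' when its host is a configured C2 host,
    otherwise 'artifact' (benign or incidental sandbox traffic)."""
    c2_hosts = {urlparse(v).hostname for t, v in iocs if t == "c2_url"}
    labelled = []
    for line in log_lines:
        url = line.split()[1]
        label = "c2" if urlparse(url).hostname in c2_hosts else "artifact"
        labelled.append((url, label))
    return labelled

def unreached_c2(log_lines, iocs):
    """C2 URLs from the configuration that never appeared in the traffic;
    they are still IOCs because they come from the sample itself."""
    seen = {line.split()[1] for line in log_lines}
    return sorted(v for t, v in iocs if t == "c2_url" and v not in seen)
```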
The secret sauce that makes VMRay’s malware configuration extraction work well is the very high quality of the underlying data, produced by an elaborate monitoring system. Malware developers are aware that the configuration data is valuable, and often try to hide it behind layers of obfuscation and evasion. To extract the configuration, some de-obfuscation and parsing steps are done by the sandbox’s monitor, and the final parsing steps must be implemented manually by the VMRay Labs team, family by family. Since the data produced by the sandbox’s monitor is of very high quality, fewer steps are left to implement manually, and extraction becomes more robust and resistant to changes. VMRay’s monitoring technology helps extractors in three core ways:
Based on its unique monitoring technology, VMRay Analyzer extracts malware configurations that provide data that is actionable, reliable, and easy to integrate into existing systems and security automation.
We continuously add new extractors, maintain existing ones and release changes regularly with Signature & Detection updates to both VMRay Cloud and On-premise. With the 4.5 release, we provide configuration extraction for the following malware families: