VMRay Analyzer 3.0: Raising the Bar for Automated Malware Analysis & Detection

With today’s release of VMRay Analyzer 3.0, we’ve set a new standard of performance and accuracy with our flagship solution for automated malware analysis and detection. With version 3.0, security teams can quickly analyze and detect advanced, zero-day and targeted malware—and initiate incident response—stopping attacks and threats that other technologies miss.

The new release:

  • Expands coverage to include the analysis of files in macOS environments
  • Bolsters VMRay analysis engines to deliver comprehensive, in-depth analysis of URLs
  • Introduces relationships between malware samples
  • Provides new, high-level reports for managers
  • Adds several other features critical to effective enterprise security and incident response.

In this blog post, we briefly describe and illustrate these significant new capabilities, which reinforce VMRay’s position as a market leader in automated malware analysis. Built on an agentless hypervisor-based approach, VMRay Analyzer delivers unparalleled detection efficacy with full visibility into malware behavior, evasion resistance and noise-free analysis results. The platform’s Now, Near, Deep architecture combines our dynamic analysis engine with the strengths of a built-in rapid reputation service and our own static analysis engine. The result: VMRay Analyzer empowers security teams to handle larger analysis volumes, speed up detection and improve the productivity and efficiency of security personnel and infrastructure.

macOS Malware Analysis

VMRay Analyzer now supports comprehensive analysis of macOS executables and app bundles, enabling security teams to better secure heterogeneous IT operating environments. Analysis results include the following capabilities.

Detailed function logs with full visibility into the behavior of macOS malware

Figure 1: Detailed function log generated by the macOS analysis engine, showing malware behavior from high-level API calls (Objective-C) down to direct system calls

Detection of sandbox evasion techniques and persistence mechanisms

Figure 2: macOS ransomware sample displaying anti-analysis and persistence techniques

Network analysis

Figure 3: macOS Network tab showing contacted URLs and HTTP requests

Created, modified and embedded files

Figure 4: macOS analysis: created, modified and embedded files

YARA matches

Figure 5: YARA tab displaying all matches with rule type and classification

In-Depth URL Analysis

URLs embedded in emails or documents are a major infection vector. To fully understand the scope of a new threat or conduct a post-mortem forensic analysis, security teams must be able to quickly assess what is triggered when a user visits a suspicious website. In 3.0, we have bolstered our URL analysis engine in the following areas.

  • Detection and analysis of browser exploits.
  • Recursive analysis: If a website analysis leads to a direct file download, the file behind the URL is automatically analyzed.
  • Full SSL visibility and URL redirection: VMRay Analyzer can track all URL redirections and determine the reputation information associated with each. In addition, we have added tree views to visualize these redirections for further context.

Figure 6: Tree view representation of URL redirections

  • Configurable User Agent: Users can now choose from a list of predefined user agent strings or add their own customized string before analyzing a website.

Figure 7: Customization of user agent strings for URL analysis

Sample Relations

The relationships that exist between malicious files and URLs provide security teams with a great deal of insight into malware attacks. Sample relations expose the relationship between a URL and the associated direct download, a dropper and the associated dropped file, an infostealer and the associated C2 server, and so on. These relationships provide contextual information to digital forensic and incident response (DFIR) teams, which is critical to responding to an attack as well as preventing future ones.

VMRay Analyzer 3.0 automatically displays relationships between samples in relevant scenarios. The severity rating of a file or a URL is adjusted based on the nature of its relationship with another malicious sample. There are many sample relation categories, one of which is illustrated below.

Figure 8: Sample Relations – A downloaded file and its parent URL

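To make the severity-adjustment idea concrete, here is an added example (not VMRay's data model or code) of a small sample-relation graph. It uses the three relation kinds named above (URL to direct download, dropper to dropped file, infostealer to C2 server) and applies one constructed rule: a verdict may be raised by a related sample's verdict but never lowered, repeated until nothing changes. The sample IDs, the initial verdicts and the verdict strings are all constructed.

```python
"""Sample relation graph with severity adjustment.

Added illustration, not VMRay's data model. The relation kinds follow the three
cases named in the post; the propagation rule, the sample IDs, the verdict
strings and the initial verdicts are all constructed.
"""

SEVERITY_RANK = {"not_suspicious": 0, "suspicious": 1, "malicious": 2}

# Each relation is (evidence, subject, kind): the verdict of `evidence` may raise
# the verdict of `subject`, never lower it.
#   - a malicious download raises the URL that served it
#   - a malicious dropped file raises the dropper
#   - a malicious infostealer raises the server it reports to
RELATIONS = [
    ("file-1", "url-1", "downloaded from"),
    ("file-2", "file-1", "dropped by"),
    ("file-2", "url-2", "reports to C2"),
]

# Constructed per-sample verdicts from stand-alone analysis of each sample.
SAMPLES = {
    "url-1":  {"type": "url",  "severity": "suspicious"},      # landing page
    "file-1": {"type": "file", "severity": "not_suspicious"},  # dropper that stayed quiet
    "file-2": {"type": "file", "severity": "malicious"},       # infostealer payload
    "url-2":  {"type": "url",  "severity": "not_suspicious"},  # host with no prior verdict
    "file-9": {"type": "file", "severity": "not_suspicious"},  # unrelated sample
}


def adjust_severities(samples, relations):
    """Propagate verdicts along relations until a fixed point is reached.

    Returns (severities, trace); trace lists every raise as
    (subject, old, new, evidence, kind) in the order it happened, which is the
    justification an analyst wants to see next to an adjusted score."""
    severity = {sid: s["severity"] for sid, s in samples.items()}
    trace = []
    changed = True
    while changed:
        changed = False
        for evidence, subject, kind in relations:
            if SEVERITY_RANK[severity[evidence]] > SEVERITY_RANK[severity[subject]]:
                trace.append((subject, severity[subject], severity[evidence], evidence, kind))
                severity[subject] = severity[evidence]
                changed = True
    return severity, trace


def related(sample_id, relations):
    """Context lines for one sample: every relation it takes part in."""
    lines = []
    for evidence, subject, kind in relations:
        if subject == sample_id:
            lines.append(f"{evidence} {kind} {sample_id}")
        elif evidence == sample_id:
            lines.append(f"{sample_id} {kind} {subject}")
    return lines


if __name__ == "__main__":
    final, trace = adjust_severities(SAMPLES, RELATIONS)
    for subject, old, new, evidence, kind in trace:
        print(f"{subject}: {old} -> {new} because {evidence} {kind} {subject}")
    print(final)
```

The fixed-point loop matters for chains: the dropper `file-1` is only raised because of its payload, and the landing URL `url-1` is only raised because of the dropper, so a single pass over the relation list in the wrong order would miss the second step.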
Manager Reports

In order to facilitate sharing analysis reports with team managers, we have introduced ‘Manager Reports’ which summarize analysis results into a crisp one-page PDF document. These reports can be downloaded from the user interface and shared across the team. Manager Reports include basic information about the file or URL, a severity score, analysis results in each target environment and a list of associated threat indicators.

Figure 9: Manager Report downloadable in PDF format

Improved Network Traffic Parsing and Memory Dumping

We have also significantly improved network traffic parsing in VMRay Analyzer 3.0 using an open source network traffic analyzer. This helps us present a comprehensive record of every connection, including application-layer sessions such as all HTTP sessions with their requested URIs, key headers, MIME types, server responses and all files transmitted via HTTP. Analysis reports also include DNS queries and responses.

Figure 10: Improved network traffic parsing and interactive Network tab

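The record an application-layer view produces for one HTTP session (requested URI, key headers, MIME type, server response and any transmitted file with its hash) can be illustrated with a small parser. The example below is added for this post; it is not VMRay's parser nor the open source analyzer mentioned above. The captured request and response bytes are constructed, the "file" body is 64 bytes of filler rather than a real executable, and the `http://` scheme is assumed for the reconstructed URL.

```python
"""Application-layer view of captured HTTP exchanges.

Added illustration, not VMRay's parser. The request/response bytes are
constructed (the "file" body is filler, not real malware); the record fields
mirror what the post says the Network tab shows.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

FILE_BODY = b"MZ" + b"\x00" * 62   # constructed placeholder payload, 64 bytes

# Constructed captures: (request_bytes, response_bytes) pairs, already
# reassembled from the TCP stream.
CAPTURED = [
    (b"GET /update/invoice.exe HTTP/1.1\r\n"
     b"Host: dl.example\r\n"
     b"User-Agent: Mozilla/5.0 (constructed)\r\n"
     b"\r\n",
     b"HTTP/1.1 200 OK\r\n"
     b"Content-Type: application/octet-stream\r\n"
     b'Content-Disposition: attachment; filename="invoice.exe"\r\n'
     b"Content-Length: 64\r\n"
     b"\r\n" + FILE_BODY),
    (b"GET /start HTTP/1.1\r\n"
     b"Host: landing.example\r\n"
     b"\r\n",
     b"HTTP/1.1 302 Found\r\n"
     b"Location: https://dl.example/update/invoice.exe\r\n"
     b"Content-Length: 0\r\n"
     b"\r\n"),
]


@dataclass
class HttpSession:
    method: str
    url: str
    user_agent: Optional[str]
    status: int
    mime: Optional[str]
    location: Optional[str]
    filename: Optional[str]
    size: int
    sha256: Optional[str]


def split_message(raw):
    """Split one HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_session(request, response):
    req_line, req_h, _ = split_message(request)
    resp_line, resp_h, body = split_message(response)
    method, path, _ = req_line.split(" ", 2)
    status = int(resp_line.split(" ", 2)[1])
    body = body[: int(resp_h.get("content-length", len(body)))]
    mime = resp_h.get("content-type")
    if mime:
        mime = mime.split(";")[0].strip().lower()
    filename = None
    disp = resp_h.get("content-disposition", "")
    if "filename=" in disp:
        filename = disp.split("filename=", 1)[1].strip().strip('"')
    return HttpSession(
        method=method,
        url=f"http://{req_h.get('host', '')}{path}",   # scheme assumed
        user_agent=req_h.get("user-agent"),
        status=status,
        mime=mime,
        location=resp_h.get("location"),
        filename=filename,
        size=len(body),
        sha256=sha256_hex(body) if body else None,
    )


def transmitted_files(sessions):
    """Indicators for every file carried over HTTP: (filename, size, sha256)."""
    return [(s.filename or s.url.rsplit("/", 1)[-1], s.size, s.sha256)
            for s in sessions if s.sha256]


def parse_all(captured=CAPTURED):
    return [parse_session(req, resp) for req, resp in captured]


if __name__ == "__main__":
    for s in parse_all():
        print(s)
    print(transmitted_files(parse_all()))
```

Hashing the body of every response that carries one is what turns a network record into a file indicator that can be matched against the files the sandbox saw being created on disk.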
We have also significantly improved our memory dumps by selecting smarter triggers for this process. Smart memory dumping provides smaller, more relevant memory dumps that can help, for example, in the analysis of a packed malware executable that unpacks itself at run time.

Customized Data Retention Policies

In our latest release, users and accounts can also define their own data retention policies on our Cloud service using a simple drop-down menu.

User Experience Improvements

We have also introduced several user experience improvements. These include a redesigned menu layout, new interactive network options to investigate network analysis results and tree view graphs to visualize URL redirections in reports.

Additional New Features

  • New REST APIs to enhance detection results with external file and URL reputation sources
  • New REST APIs to monitor server and worker health for on-prem deployments
  • Support for analysis on Windows 10 RS3 (1709)
  • Support for detection of UEFI-based rootkits
  • New VTI rules to detect advanced, evasive malware – this includes the detection of information stealing from over 100 applications