VMRay Analyzer V 1.11: YARA, CarbonBlack and more

Jul 28th 2016

VMRay Analyzer V 1.11 is now out, and once again we’re happy with the result and the functionality we’ve baked in. Here’s an overview of some of the new features:

CarbonBlack Connector

CarbonBlack (CB) is the industry’s leading EDR vendor, so they were a logical choice for our first out-of-the-box integration. With this connector, joint customers can have CB automatically submit files to VMRay for analysis and ingest the IOCs resulting from that analysis. We’ll provide more details in an upcoming blog post. You can download the connector on GitHub.

Redesigned Dashboards

We’ve improved the user experience across the board, for both administrators and users. Convenient filtering and searching have been added.
We redesigned the:

  • Sample view page
  • Analysis overview page
  • Analysis file page
  • HTML documentation, added Search

We also improved user administration in the admin dashboard.
You can now search for comments in the extended search.

[Screenshots: Sample Overview Page, Analysis File Page]


YARA rules support

YARA rules are a popular way to share IOCs within communities and to flag particular malware attributes and activity. V 1.11 adds support for YARA. Rulesets can be created in the user profile, and analysis reports can be regenerated when new YARA/VTI rules are applied.

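As an added illustration of the kind of rule such a ruleset can carry (this is an example written for this post, not a rule shipped by VMRay), the following flags the two script formats added in this release: standalone JScript.Encode/VBScript.Encode output (.jse) and a Windows Script File (.wsf) that wraps encoded script. The rule names and the size limit are assumptions chosen for the example.

```yara
// Constructed example rules; not part of the VMRay product.
rule Standalone_Encoded_Script
{
    meta:
        description = "Screen-encoded script (.jse/.vbe) starting with the encoder marker"
        author = "example rule, not from VMRay"
    strings:
        // Microsoft's Script Encoder emits this prefix and suffix around the payload
        $enc_start = "#@~^" ascii
        $enc_end   = "^#~@" ascii
    condition:
        $enc_start at 0 and $enc_end
}

rule WSF_Wrapping_Encoded_Script
{
    meta:
        description = "Windows Script File whose <script> block is JScript.Encode or carries encoded content"
        author = "example rule, not from VMRay"
    strings:
        $job_open  = "<job" ascii nocase
        $script    = "<script" ascii nocase
        // The language attribute used for encoded JScript inside a .wsf
        $enc_lang  = "JScript.Encode" ascii nocase
        $enc_start = "#@~^" ascii
    condition:
        filesize < 2MB and          // assumed size bound to keep scans cheap
        $job_open and $script and
        ($enc_lang or $enc_start)
}
```

Both rules match on structure rather than on any one sample, so they produce a tag that a regenerated report can surface alongside the VTI results.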
Browser-based VNC access

VMRay Analyzer has supported manual interaction with samples under analysis through VNC for quite some time. However, this was only an option for on-premises customers and required allowing a VNC connection from the user’s desktop to VMRay. Now, remote interaction with malware under analysis is possible through the browser: we’ve integrated VNC directly into the web interface, and users can view and interact with the VM on the job view page.

Auto-detonation of links in Office docs

Accurately replicating user interaction inside an automated analysis environment is a big challenge. Malware authors rely ever more heavily on social engineering: successful installs depend on coaxing unwitting users into allowing malware to install and run on their machines, as we discussed in our post on Word macro malware. With this release, we’ve gone further than automating button and prompt clicking. VMRay Analyzer now performs automated clicks in MS Office and PDF documents to detonate any links, even when they are obfuscated in images rather than buttons.

Additional features in V 1.11

  • Physical memory dumps can now be stored at the end of analysis
  • Configuration option added for maximum PCAP file size
  • Added date filters to REST API queries
  • REST API now supports UID queries
  • Added pause button to halt all workers temporarily (in admin dashboard)
  • Signature strings can be specified instead of IDs for the “jobrule_entries” parameter when submitting samples via the REST API
  • Every sample type now has its own analysis type in the configuration. This simplifies jobrule creation.
  • Samples and analyses can now be tagged (see sample and analysis overview page)
  • Added support for .wsf and .jse samples
  • Dumped data in HTML report can now be downloaded directly

For the full list of changes and fixes, customers can consult the changelog in the online documentation.
Follow us on Twitter @VMRay to get updates on future blog posts like this.