Supporting malware analysis at scale

Discover how VMRay combines industry-standard malware data formats with cutting-edge speed and scalability for effective cybersecurity operations.

When it comes to analyzing a vast number of malware samples, security teams require a standardized, industry-recognized format for handling configuration data. This ensures that the critical information extracted from these samples can be efficiently utilized and shared across security systems. 

In this chapter, we explore an industry-standard output format defined by the MWCP (Malware Configuration Parser) project.

The MWCP output format: A foundation for scalability

In the pursuit of a scalable solution for managing malware configurations, we conducted extensive research into available options. Ultimately, we chose the output format defined by the US Defense Cyber Crime Center’s MWCP project. This decision rests on several key advantages that make MWCP the optimal choice:

Vendor Neutrality:

The MWCP file format is vendor-agnostic, designed to be portable across various security products. Compared with a proprietary format, this universality streamlines the integration of VMRay into existing security systems.


MWCP is an open-source project with robust community support. Unlike other formats that may be proprietary or abandoned, MWCP benefits from ongoing development and maintenance.

Flexibility for Diverse Threats:

The creators of this format have a pragmatic understanding of malware configurations. They recognize that certain types of configuration elements, such as C2 URLs and encryption keys, appear across different malware families, but they also leave room for data that is specific to one malware family through the type “other”.

Verified and Comprehensive:

The format definition is comprehensive and verifiable through an open-source JSON schema, enhancing its reliability and ensuring consistent use.

With this standardized format in place, security teams can efficiently manage and share malware configuration data, contributing significantly to their efforts to combat evolving threats effectively.
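To make the split between shared element types and family-specific “other” data concrete, here is an added example (not VMRay's or the MWCP project's code) of a consumer that triages MWCP-style reports from two families and correlates their C2 URLs. The sample reports are constructed, and the field names (`parser`, `metadata`, `tags`, `key`, `value`) and the `c2` tag are assumptions modelled on MWCP's report layout; the project's JSON schema is the authority on the real structure.

```python
import json
from collections import defaultdict

# Constructed sample reports (not real malware data). Field names are modelled
# on MWCP's report layout and are assumptions; the project's JSON schema is
# the authority on the real structure.
REPORTS = json.loads("""[
  {"parser": "FamilyA", "metadata": [
    {"type": "url", "tags": ["c2"], "url": "http://c2.example.invalid/gate"},
    {"type": "encryption_key", "tags": [], "key": "c2VjcmV0", "algorithm": "rc4"},
    {"type": "other", "tags": [], "key": "campaign_id", "value": "constructed-01"}
  ]},
  {"parser": "FamilyB", "metadata": [
    {"type": "url", "tags": ["c2"], "url": "http://c2.example.invalid/gate"},
    {"type": "url", "tags": [], "url": "http://cdn.example.invalid/asset"},
    {"type": "mutex", "tags": [], "value": "constructed-mutex"},
    "not-an-object"
  ]}
]""")

HANDLED = {"url", "encryption_key"}  # element types this consumer knows how to use

def triage(report):
    """Sort one report's metadata into shared types, 'other' data and unhandled items."""
    out = {"common": defaultdict(list), "other": {}, "unhandled": []}
    for item in report.get("metadata", []):
        kind = item.get("type") if isinstance(item, dict) else None
        if isinstance(kind, str) and kind in HANDLED:
            out["common"][kind].append(item)
        elif kind == "other" and "key" in item:
            out["other"][item["key"]] = item.get("value")
        else:
            out["unhandled"].append(item)  # keep for review, never drop silently
    return out

def c2_by_family(reports):
    """Map each C2-tagged URL to the parsers (families) that reported it."""
    seen = defaultdict(set)
    for report in reports:
        for item in triage(report)["common"]["url"]:
            if "c2" in item.get("tags", []) and isinstance(item.get("url"), str):
                seen[item["url"]].add(report.get("parser", "unknown"))
    return {url: sorted(families) for url, families in seen.items()}

if __name__ == "__main__":
    print(c2_by_family(REPORTS))
    print([len(triage(r)["unhandled"]) for r in REPORTS])
```

Entries of a type the consumer does not handle, and entries that are not objects at all, end up in `unhandled` so that a schema change or a new element type shows up in review instead of disappearing from the pipeline.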

MWCP-style configuration JSON

The Need for Speed and Scalability

In the realm of cybersecurity, speed and scalability are non-negotiable. VMRay’s platform is built on cutting-edge malware sandboxing technology, offering the dual advantages of speed and reliability. This is pivotal when security teams confront the formidable task of analyzing an extensive array of malware and phishing samples.

Furthermore, VMRay’s exceptional versatility shines in its ability to seamlessly integrate with major EDR (Endpoint Detection and Response), XDR (Extended Detection and Response), SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation, and Response) vendors. This integration empowers organizations to automate the analysis of large volumes of alerts and samples. The result is a significant reduction in manual analysis time, a critical aspect of scalability in modern cybersecurity operations.

In the final chapter, we’ll uncover the secret sauce that underpins VMRay’s reliable malware configuration extraction, solidifying its position as an invaluable asset in modern cybersecurity operations.
