At VMRay, our underlying malware detection and analysis technology clearly sets us apart from the competition. With the release of VMRay Analyzer 2.2, we’ve focused on:
- improving the user experience
- enhancing our detection efficacy
- and providing more valuable threat intelligence to malware analysts and incident responders.
The latest release has a slew of new features including:
- a brand-new user interface
- redesigned analysis reports with new tabs and sections
- enhanced URL reputation including WHOis information
- enhanced file reputation including behavior-based classification
- automatic extraction and analysis of URLs embedded in PDF documents
- entry-point fuzzing for DLL analysis
- fuzzy hashing
- Windows 10 support for Office documents and PDF files to complement the existing support for other file types.
In the blog post and video below we will take a look at these new features in more detail.
New User Interface
Figure 1: New Sample Overview page associated with a malicious file
Our new user interface is designed to be more intuitive for a Malware Analyst or Incident Responder to use. Take, for example, the Sample Overview page. In addition to the severity classification, the new Sample Overview Page provides users with details about the submitted file or URL, associated analysis results and reports, associated VirusTotal and Metadefender scan results (if enabled), detected malicious behavior patterns (Threat Indicators) and a list of exportable IOCs, all in one view. For a submitted file or URL, users can choose to view all analysis reports associated with a specific analysis environment or a specific Threat Indicator or a specific IOC. Users can also resubmit the sample and regenerate reports directly from the Sample Overview page.
Figure 2: Sample Overview page showing all reports associated with a specific analysis environment
Redesigned Analysis Reports
Figure 3: Redesigned Analysis Reports for a malicious file
In addition to redesigning our analysis reports, we have made many additions to them such as the ‘IOC’ tab which provides a complete list of the Indicators of Compromise. We have also improved navigation across the report by providing users with the ability to directly dive into the specific areas of the log files by simply clicking on high-level detected threats.
As an example (Figure 4), if one of the detected threats in the analysis report is related to code injection, a user can simply click to jump to the exact process where this occurs and also see the exact function call associated with this detected threat. The ability to quickly perform such deep dives helps malware analysts and incident responders save valuable time.
Figure 4: Quickly dive into the Behavior Section from high-level threat information
Enhanced Threat Intelligence
By integrating the Sophos and Google URL threat intelligence services, VMRay Analyzer provides enhanced security against millions of malicious URLs and infected websites. In v2.2, analysis reports now provide additional threat intelligence information on URLs uncovered during analysis (such as command and control (C2) servers malware attempts to communicate with, and URLs embedded in PDFs).
For example, if a file attempts to connect to a known malicious URL, not only will VMRay Analyzer flag the URL as ‘Blacklisted’ and add it to the list of IOCs, it will also provide users with additional information associated with the URL such as category information as well as WHOIS data about the associated domain. Unknown domains created only a few days before the file analysis can be treated as ‘suspicious’.
This is also the case for threat intelligence associated with files. In addition to flagging known malicious files as ‘Blacklisted’, VMRay Analyzer will provide information such as the malware family that the file belongs to and its first-seen date.
Figure 5: VMRay Analysis Report showing a file’s connection to known malicious URL’
Continuing to bolster threat intelligence in v2.2, we’ve added Behavior-based classification to our Analysis reports. Malicious files will now be classified into categories based on their exhibited behavior. These categories include ransomware, Information stealer, keylogger, downloader and dropper.
Figure 6: VMRay Analysis Report showing file classification based on behavior
Higher Detection Efficacy
VMRay Analyzer 2.2 also has added several features that improve its overall detection efficacy. One of these features is the extraction (and subsequent lookup) of URLs within a PDF document. URLs are extracted from a PDF document (even if they are not triggered during an analysis) to determine if they are malicious.
Figure 7: VMRay Analysis Report showing known malicious URLs found in a PDF document
Another useful feature in v2.2 is the ability to configure several new options when submitting a sample. For example, users can now run an analysis with the system time set to a specific date. Very often this can be the difference between malware exhibiting its true behavior and malware showing no malicious behavior patterns at all.
Users can also disable the ‘Automatic User Interaction’ feature and manually interact with malware via the VNC interface within VMRay Analyzer.
Figure 8: Configuration options when a sample is submitted
Figure 9: Submitting a sample with using customized configuration settings
Figure 10: Click into a job in queue to access the VNC
Figure 11: Manual interaction with a sample through the VNC
Very often, a DLL sample submitted for analysis may not reveal its behavior unless the appropriate export function is called with the correct parameters. As a result, when users submit a DLL file for analysis, they need to provide a self-crafted custom loader that loads the module and calls the relevant export functions.
In v2.2, we have introduced the VMRay Fuzzer, a tool that automatically loads DLLs using a heuristic that aims at revealing as much activity as possible. Alternatively, users can manually select the different exported functions during submission via drag and drop with certain arguments. VMRay Analyzer will then call the exported functions in the right order with the provided arguments.
Figure 12: Entry-point fuzzing accessible from the sample submission page.
Additional Features
In addition to everything listed above, we’ve also rounded out the release by including the following features in VMRay Analyzer 2.2:
- Windows 10 support for analysis of Office documents and PDF files to complement the existing Windows 10 support for other file types,
- New VTI rules for malware detection
VMRay Analyzer Customers can access a full list of changes and fixes by referencing the changelog in the online documentation.
