Page 205 - Cyber Defense eMagazine August 2024
P. 205
AsynRAT’s process graph displayed by the ANY.RUN sandbox
● Processes: As malware often creates, injects, and terminates processes to carry out its
malicious activities, tracking these changes and relaying them to the user in a digestible format
is essential.
● Registry: Malware makes changes to the registry to achieve persistence, modify system
settings, or disable security features. Detecting such activity proves useful in threat
investigations.
● File system: Malware manipulates files and directories to store its components, steal data,
or disrupt system functionality. A proper sandbox exposes all of these activities and reveals
additional Indicators of Compromise (IOCs) that are not present in the code itself.
Additionally, advanced malware sandboxes should map the observed behaviors to the MITRE ATT&CK
framework, a universal knowledge base of adversary tactics and techniques based on real-world
observations.
This way, users can not only get a complete understanding of the threat’s scale, but also receive
actionable information for predicting the impact of the malware, creating effective countermeasures, and
improving the overall security posture of the organization.
2. Network Analysis
Network analysis is another critical component of effective malware sandboxing, providing insights into
the network-based activities. This process involves several key techniques:
Cyber Defense eMagazine – August 2024 Edition 205
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
