TI Lookup: Real-World Use Cases from a Malware Researcher
Editor’s note: The current article is authored by Anna Pham (also known as RussianPanda), a threat intelligence researcher. You can find her latest research and insights on X, LinkedIn, and her blog.
ANY.RUN introduced Threat Intelligence Lookup in February 2024, followed by the YARA Search in April 2024. This article will explore both services and their use cases.
How Threat Intelligence Lookup Works
Threat Intelligence Lookup allows users to search through the database of sandbox tasks by examining specific details such as:
- Processes
- Modules
- Files
- Network and registry activity
All of these are logged by the ANY.RUN sandbox.
The service helps users find critical information like IOCs (Indicators of compromise), events, sandbox reports, and other data corresponding to the search query.
The main page of the Threat Intelligence service provides a summary of the most common MITRE techniques used, malware threat statistics, and popular Suricata rules derived from submitted samples, offering valuable insight into current cyber threat trends.
After navigating to the Lookup section you’ll be able to submit your search query using over 40 different search parameters.
Explore all search parameters available in TI Lookup in the following article. ANY.RUN also offers a comprehensive query guide for the TI Lookup once you’re on the platform.
Let’s now look into a few use cases with some of TI Lookup’s key search parameters.
Searching for Stealers Reaching out to Telegram
We can create a query to identify stealers reaching out to Telegram IPs, potentially exfiltrating sensitive data, using the “destinationIpAsn” and “threatName” parameters, as shown below, over the past three months or the past 180 days. You can also search within 60, 30, 14, 7, 3, or 1-day intervals and bookmark the search query for later use.
Here is the query:
destinationIpAsn:"Telegram Messenger Inc" AND threatName:"stealer" AND threatName:"exfiltration"
The search results show the associated IPs, Events, Files, Tasks, Synchronization (events and mutexes created), and Network threats.
From the Files tab, users can extract indicators and save them in JSON format.
Note: You can export data from any category, such as IPs, Events, Tasks, etc., in JSON. Additionally, users can view binary characteristics with static analysis or download the binary itself.
We can confirm the exfiltration activity via Telegram within the Network threats tab.
Looking for LummaC2 samples and C2s
To identify LummaC2 samples and C2 domains, we can use the fact that Lumma’s C2 URLs are known to end with “.shop/api” via the following query:
url:".shop/api$"
The dollar sign ($) in a search represents the end of a string. When used in a search pattern, it ensures that the search string must match the end of the text being evaluated. So, using $ in the pattern “.shop/api$” ensures that the URL ends exactly with .shop/api and no other characters follow.
From the search results, we identified 26 URLs and domains related to LummaC2, which can be exported and operationalized for further monitoring, blocking, or threat hunting within the security infrastructure.
Searching for URLs Used to Retrieve DLL Dependencies and Pivoting on the ASN
We know that some stealers, such as Vidar Stealer, RecordBreaker (Raccoon Stealer v2), and StealC, use additional DLL dependencies like “softokn3.dll” and “mozglue.dll” to facilitate data exfiltration from browsers, so we can create a query to look for URLs delivering the DLLs:
url:"softokn3.dll$" and url:"mozglue.dll$"
From the results below, we can see the processes that initiated the connections to the URLs to retrieve the DLLs, along with the associated URLs, IP addresses, and the countries of origin for those IPs.
Additionally, we identified another pivot point with the ASN “1337team Limited”:
destinationIpAsn:"1337team Limited"
Pivoting on the ASN mentioned above revealed more events and IPs, some of which are associated with StealC, Redline, and Amadey activities.
Searching for Interesting Samples Using MITRE
Users can search for relevant samples using MITRE techniques or IDs. ANY.RUN provides predefined IDs and their definitions, eliminating the need to search for them elsewhere.
We can look for phishing samples containing malicious QR codes via the following query, where T1566 is Phishing:
MITRE:"T1566" and ruleName:"qr code contains url with email"
Now, we can spice up the query and look for phishing links containing the Cloudflare challenge that is commonly used by Tycoon 2FA and other phishing kits:
domainName:"challenges.cloudflare.com" AND MITRE:"T1566"
The query can also be adjusted to show only phishing samples submitted as URLs rather than as file attachments, with threatLevel “malicious” added to avoid false positives:
MITRE:"T1566" and taskType:"url" and threatLevel:"malicious"
Searching for samples using CommandLine
We can search for Latrodectus downloader samples, which is known to drop a copy of itself under the “%AppData%\Custom_update\” path. We can leverage that knowledge to create a query that looks for command lines containing that path:
commandLine:"C:\\Users\\admin\\AppData\\Roaming\\Custom_update"
From the Synchronization tab, we notice the mutex “runnung” being used, so we can also leverage that to look for Latrodectus samples.
We can also leverage CommandLine to look for malicious PowerShell commands, for example, when looking for RobotDropper (aka LegionLoader) samples.
So, for the query, we are going to grab a snippet of the base64-encoded command, which partially decodes to “$w=new-object”:
commandLine:"powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA"
We have 13 samples that match our query, all of which are true positives.
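As an added example (not part of the original article), the snippet used in the query above can be verified and reproduced: PowerShell’s -EncodedCommand argument is base64 over the UTF-16LE bytes of the script, so a known plaintext fragment maps to a stable base64 prefix, and a truncated snippet can be decoded back once padding and the odd trailing byte are repaired. The sample command line and the helper names are constructed for this illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample command line, in the shape the article's query targets.
SAMPLE_CMDLINE = "powershell -windowstyle hidden -e JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdA"

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENCODED_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the base64 blob passed to -e/-enc/-EncodedCommand, or None."""
    m = _ENCODED_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Decode a (possibly truncated) -EncodedCommand argument.

    A search snippet cut mid-string lacks base64 padding and may stop on an odd
    byte. Padding is restored, and a lone trailing byte is assumed to be the low
    byte of an ASCII character (so a zero high byte is appended).
    """
    padded = b64 + "=" * (-len(b64) % 4)
    raw = base64.b64decode(padded)
    if len(raw) % 2:
        raw += b"\x00"
    return raw.decode("utf-16-le")


def encoded_prefix_for(plaintext: str) -> str:
    """Base64 of the UTF-16LE plaintext with padding dropped, usable as a
    substring search term for command lines (the approach the article's query takes)."""
    return base64.b64encode(plaintext.encode("utf-16-le")).decode().rstrip("=")


if __name__ == "__main__":
    blob = extract_encoded_argument(SAMPLE_CMDLINE)
    print(decode_encoded_command(blob))         # $w=new-object
    print(encoded_prefix_for("$w=new-object"))  # JAB3AD0AbgBlAHcALQBvAGIAagBlAGMAdAA
```

The article's snippet is a prefix of the full encoding of “$w=new-object”, which is why a substring match on the command line catches every sample that starts its script the same way.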
Searching for Gh0stRAT Samples and C2s from a Specific Country
We can also create a query that searches for Gh0stRAT samples and C2s using “destinationIPgeo” as one of the search parameters; this query looks for Gh0stRAT samples that connect to servers located in China:
destinationIPgeo:"cn" and threatLevel:"malicious" and threatName:"gh0st"
YARA Search
In addition to the Threat Intelligence Lookup service, ANY.RUN offers YARA Search, enabling users to scan its database of collected and analyzed threat data using YARA rules, whether imported from the local machine or created on the fly.
We can create a YARA rule to look for LummaC2 Stealer samples, and in under 10 seconds, we get the results, which is impressively fast. Users can also run multiple YARA scans in separate tabs.
You can view the binary’s PE characteristics from the results, download it, and export the results in JSON format.
Conclusion
ANY.RUN’s Threat Intelligence Lookup and YARA Search services allow for precise threat hunting and the extraction of valuable insights into current cyber threat trends. What’s impressive is how fast these scans are—they significantly speed up the analysis process, allowing for quick detection of threats and malware.
ANY.RUN is making it easier for organizations to take a proactive and informed stance on cybersecurity, which is essential in our constantly evolving threat landscape.
The post TI Lookup: Real-World Use Cases from a Malware Researcher appeared first on ANY.RUN's Cybersecurity Blog.