A Detailed Guide To Analyze Malware Packers With ANY.RUN Sandbox – SOC/DFIR

Nowadays, anyone who tries to sneak a plain .exe file onto a system without getting past the anti-virus is unlikely to succeed, and they may not even realize why. The attempt is just like trying to carry a server rack past a security guard: far too conspicuous. Want to understand how this problem is dealt with? If so, this blog post can prove useful to you.

In such circumstances, attackers prefer to use packers. These are utilities that compress files. In the special case of run-time packers, the packer also obfuscates the code. Honestly speaking, the main aim of doing so is to make the original code impractical to identify and analyze.

Do you want to know how attackers use the fundamental packers? If so, you are in the right place. In this blog post, you will learn what to look out for in a cloud sandbox. Furthermore, you will see how to use that information in static analysis.

Let’s explore the blog.

An Overview Of Packer

Generally speaking, a packer is a program that compresses a file using an algorithm. Undoubtedly, packers are similar to common compression tools such as ZIP and RAR. Some of the most prominent packers are ZIP, SFX, and UPX.

If you want to become familiar with the malicious purposes behind using these packers, this section is for you. In it, we provide the relevant information about each one. So, let's have a look at the key details.

Types Of The Packer

Let's look at each of the three packer types in turn: ZIP, SFX, and UPX.

  • ZIP 

It is similar to a true packer, but it does not encrypt the code. This archive format is used to distribute malware. The main purpose of using it is to conceal the payload files inside password-protected archives attached to emails. To be honest, this is the easiest way to get malicious code past email security measures.

  • SFX 

SFX stands for self-extracting archive. It comprises a compressed program as well as an unpacking module. Besides, an installer inside it extracts the contents and begins the installation. Certainly, it decompresses the content without the need for any external decompression utility.

Practically, it means that if you click on a ZIP archive, you extract the content into a folder. On the contrary, when you click on an SFX file, the installation of its content begins automatically. In the simplest terms, it may be a fake installer or a hidden installation.

  • UPX 

Simply put, UPX stands for the Ultimate Packer for eXecutables. It is an open-source packer distributed under the GNU GPL license. You might not know that it has been in existence since 1998. Compared to ZIP and SFX, it is quite different.

UPX compresses an executable file and can also encrypt its content. When execution begins, the file automatically decompresses itself into memory. This way, it runs in the normal way.
| Type    | ZIP                                                 | SFX                                                                            | UPX                                           |
|---------|-----------------------------------------------------|--------------------------------------------------------------------------------|-----------------------------------------------|
| Used to | Compress one or more files into an archive          | Pack a compressed payload and an executable unpacking module into one archive  | Obfuscate the code and prevent unpacking      |
| Used by | A multitude of phishing campaigns                   | Phishing campaigns such as Lu0bot                                              | Gh0stRAT, PlanetStealer, AgentTesla, RedLine  |


What Is ANY.RUN?

ANY.RUN is famous as an interactive malware sandbox. It enables security teams to analyze malware more efficiently online. This way, you can deliver a detailed and immediate analysis of cybersecurity threats.

In addition to this, it also allows users to interact with potentially malicious samples and observe the virtual machine environment in real time. What is the best part of ANY.RUN? Well, it helps you solve the usual problems of malware analysis. Specifically, it:

  1. Simplifies SOC/DFIR operations
  2. Offers valuable data for threat detection and elimination 
  3. Safeguards clients’ resources
  4. Provides a more cost-effective alternative to on-premises VMs 
  5. Has an intuitive interface to make cybersecurity more accessible

How To Analyze Malicious Archives?

In this section, we'll show you a few techniques to identify the type of archive you are dealing with. There is a range of tools available that can help you identify an archive: the file command on Unix, TrID, hex editors, and ANY.RUN. Let's see how helpful ANY.RUN is in analyzing the three archive types: ZIP, SFX, and UPX.

Identifying ZIP Archives in ANY.RUN

To be honest, it's self-explanatory. For its analysis, you need not take much stress. The one thing you have to do is look at the file extension. Then right-click and use the context menu to decompress.

Analysis Of SFX Archives

SFX archives are a little more complicated. The sandbox has already flagged the SFX as a malicious file, indicating it with a red banner and threat tags. For a proper analysis, you need to verify the file headers.

To do this, you have to follow a few key steps. These steps are as follows -

  1. Click on the file itself.
  2. Open the Static Discovering window.

     Note: The file description "Win32 Cabinet Self-Extractor" indicates that it is compressed using SFX.

  3. Download and decompress this self-extracting archive.
  4. Explore the SFX's contents in a file browser.
  5. You'll find a collection of files.
  6. The file with the .bat extension is the malicious payload; it is executed by the instructions within the self-extracting routine.

UPX File Identification In ANY.RUN

The sample here is a stealer packed with UPX. To analyze it, follow these steps -

  1. Click on the file itself.
  2. Open the Static Discovering window.
  3. Next, open the Hex Editor tab.
  4. Now, scroll down to look for an entry that reveals the compression method.
  5. ANY.RUN converts the hex values to plain text for you.

This way, you can examine the sequence of bytes at the beginning of the file, which tells you which compression method was used. As you scroll, you'll find the ASCII characters UPX.
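The header checks in the SFX and UPX steps above can be scripted so that the same markers a hex editor shows are picked up automatically. The following Python is an added example written for this guide; it is not ANY.RUN's code and was not part of the original post. It classifies a blob by the PK local-file-header of a ZIP, the MZ stub of a PE, and the UPX0/UPX1 section names and UPX! signature that UPX leaves in a packed executable; as a heuristic assumed here, an MSCF cabinet header embedded in a PE is taken as the sign of a cabinet self-extractor, and the script goes beyond the text by also flagging a ZIP archive appended to a PE stub. The sample byte strings are constructed for the example and are not real malware.

```python
import re

# Constructed sample inputs for this example (not real malware): minimal byte
# strings that carry only the signatures the classifier looks for.
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a ZIP archive
PE_MAGIC = b"MZ"            # DOS stub that opens every Windows PE executable
CAB_MAGIC = b"MSCF"         # Microsoft Cabinet header; a CAB embedded in a PE is
                            # treated here (heuristic) as a cabinet self-extractor
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")  # section names and signature UPX writes

PE_STUB = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00"   # fake DOS header + PE signature

SAMPLES = {
    "plain_zip.zip": ZIP_MAGIC + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 32,
    "packed.exe": PE_STUB + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 4
                  + b"UPX!" + b"\x00" * 16,
    "sfx_cab.exe": PE_STUB + b".text" + b"\x00" * 103 + CAB_MAGIC + b"\x00" * 20,
    "sfx_zip.exe": PE_STUB + b".text" + b"\x00" * 103 + ZIP_MAGIC + b"\x14\x00"
                   + b"\x00" * 20,
    "unknown.bin": b"\x7fELF" + b"\x00" * 20,
}


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Extract runs of printable ASCII, like the text column of a hex editor."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def classify(data: bytes) -> str:
    """Classify a blob by its leading magic bytes plus a few in-body markers.

    Returns one of: 'zip', 'pe-upx', 'pe-sfx-cab', 'pe-sfx-zip', 'pe', 'unknown'.
    """
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PE_MAGIC):
        # UPX markers sit in the section table near the start, so limit the scan.
        head = data[:4096]
        if any(marker in head for marker in UPX_MARKERS):
            return "pe-upx"
        # Self-extractors carry their payload archive somewhere in the body.
        if CAB_MAGIC in data:
            return "pe-sfx-cab"
        if ZIP_MAGIC in data:
            return "pe-sfx-zip"
        return "pe"
    return "unknown"


def classify_file(path: str, limit: int = 1 << 20) -> str:
    """Classify a file on disk, reading at most `limit` bytes."""
    with open(path, "rb") as fh:
        return classify(fh.read(limit))


def triage(samples: dict) -> dict:
    """Run classify() over every sample and keep the strings that back the verdict."""
    report = {}
    for name, blob in samples.items():
        verdict = classify(blob)
        evidence = [s for s in printable_strings(blob)
                    if s.startswith("UPX") or s == "MSCF"]
        report[name] = (verdict, evidence)
    return report


if __name__ == "__main__":
    for name, (verdict, evidence) in triage(SAMPLES).items():
        print(f"{name:15} -> {verdict:12} evidence={evidence}")
```

Run it as a script to see the verdict and supporting strings for each constructed sample, or call classify_file() on a downloaded sample. The verdict is only a triage hint: a missing UPX! string does not prove the file is unpacked, since the marker can be stripped, and the sandbox's dynamic run remains the authoritative check.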

Bottom-line

Ultimately, after reading this blog post, you will be familiar with ZIP, SFX, and UPX. The information above shows that these tools are legitimate. The matter of concern is that attackers use them to compress their largest payloads and deliver them onto a system without alerting security systems.

As the key details above show, ANY.RUN is a noteworthy tool. For static and dynamic analysis, no other tool is as helpful as ANY.RUN. To be precise, with the help of this tool, you can investigate all sorts of threats in a short span of time. So, be ready to run tasks, explore reports and malware samples, and gather valuable information about malicious links.

Did you find this guide interesting? Join our TTB Community on LinkedIn for more exclusive blogs & the latest updates.