Behavior patterns and analysis

For a forensic network investigator, it is important to establish the behavior and network patterns of a malware sample. Consider that you have received a few binaries (executables) and their hashes from the incident response team, and that the binaries are suspected of carrying malware. Analysis of PE/COFF executables is generally done by malware analysts and reverse engineers, so what can you, as a network investigator, do with a PE executable? You don't have to learn reverse engineering and malware analysis overnight to get useful information out of the sample.

Consider that you have received the file hash ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa (a SHA-256 digest). You can use websites such as https://www.virustotal.com/gui/home/upload and https://www.hybrid-analysis.com/ to look up or analyze the sample without executing it on your own system. The following screenshot shows the VirusTotal website:

Let's search for the hash on VirusTotal. If the file has been analyzed previously, the results will show up without us having to upload anything:

Oops! 62 out of 70 antivirus engines detect the file as malicious, and several of them identify it as a WannaCry ransomware sample. Let's look at the DETAILS tab:

Plenty of detail can be seen on the DETAILS tab, especially the common names under which the file has been seen. We can also see that the file has been analyzed previously under a different name. Additionally, we have the following details:

We can see that five IP addresses are contacted by the WannaCry executable. We can filter our network traffic (firewall, proxy, NetFlow, or IDS logs) for connections to these addresses to check for infections in the network and pinpoint the infected host. Let's also search for the sample on the Hybrid-Analysis website (https://www.hybrid-analysis.com/):

On searching for the sample on Hybrid-Analysis, we get the list of contacted IP addresses and the list of ports used. Combined with the addresses, the ports let us narrow down the outbound connections from the infected system much more precisely than addresses alone. We can also see that Hybrid-Analysis has executed the sample associated with the hash we provided in a sandboxed environment:

Clearly, we can see the state of the system before and after the execution of the malware, and we can see that the system got infected with WannaCry ransomware.
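The workflow just described (hash the sample, check the verdict, take the contacted IPs and ports from the sandbox report, and filter the network for them) as a script. This is an added example and not code from the page or from either service: it never talks to the VirusTotal or Hybrid-Analysis APIs. The VirusTotal-style response is constructed to mirror the v3 file object as an assumption, the sandbox IoC list and the connection log are constructed, and the addresses are RFC 5737 documentation addresses.

```python
"""Added example, not from the page: hash a sample the way VirusTotal keys it
(SHA-256), summarize a VirusTotal-style verdict, take the contacted IPs and
ports a sandbox reported, and hunt for those IoCs in a connection log to find
the infected hosts. Every input is constructed so the script runs offline; the
response and log layouts are assumptions, not the real API schemas."""
import hashlib
import ipaddress
import json
from collections import defaultdict


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest: the identifier to search for before uploading anything."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a PE sample (real binaries start with the same "MZ" header).
SAMPLE_BYTES = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 200

# Constructed response modelled on a VirusTotal v3 file object (assumed shape).
# Engine names and verdict strings are placeholders, not real results.
VT_RESPONSE = json.dumps({"data": {"attributes": {
    "names": ["sample.bin", "ransomware.exe"],
    "last_analysis_stats": {"malicious": 62, "undetected": 8, "harmless": 0,
                            "suspicious": 0, "timeout": 0},
    "last_analysis_results": {
        "Kaspersky": {"category": "malicious", "result": "Constructed.Ransom.Verdict"},
        "VendorB": {"category": "undetected", "result": None},
    },
}}})

# Constructed IoC list as a sandbox report would give it (not the Hybrid-Analysis schema).
SANDBOX_IOCS = {"contacted_ips": ["198.51.100.23", "203.0.113.77"], "ports": [443, 9001]}

# Constructed connection log: ts, src, sport, dst, dport, proto (tab-separated).
CONN_LOG = """\
1557000001.10\t10.0.0.12\t49213\t198.51.100.23\t443\ttcp
1557000002.40\t10.0.0.15\t52001\t192.0.2.10\t80\ttcp
1557000003.05\t10.0.0.12\t49214\t203.0.113.77\t9001\ttcp
1557000004.70\t10.0.0.31\t50100\t198.51.100.23\t443\ttcp
1557000005.00\t10.0.0.15\t52002\t203.0.113.77\t80\ttcp
"""


def vt_verdict(raw_json: str) -> dict:
    """Reduce a VirusTotal-style file object to what the investigator needs:
    detection ratio, names the file has been seen under, engines that flagged it."""
    attrs = json.loads(raw_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())
    flagged = sorted(engine for engine, res in attrs["last_analysis_results"].items()
                     if res["category"] == "malicious")
    return {"ratio": f"{stats['malicious']}/{total}",
            "names": attrs.get("names", []), "flagged_by": flagged}


def hunt(conn_log: str, ioc_ips, ioc_ports) -> dict:
    """Map each internal host to the (ip, port) pairs from the IoC list it contacted.
    A hit requires both address and port to match: an IoC address can be a shared
    host (CDN, Tor relay), so matching on the address alone over-alerts."""
    ips, ports = set(ioc_ips), set(ioc_ports)
    hits = defaultdict(set)
    for line in conn_log.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, _proto = line.split("\t")
        if dst in ips and int(dport) in ports and ipaddress.ip_address(src).is_private:
            hits[src].add((dst, int(dport)))
    return {host: sorted(pairs) for host, pairs in hits.items()}


if __name__ == "__main__":
    print("sha256:", sha256_of(SAMPLE_BYTES))
    verdict = vt_verdict(VT_RESPONSE)
    print(f"detection {verdict['ratio']}, flagged by {verdict['flagged_by']}, "
          f"seen as {verdict['names']}")
    for host, pairs in hunt(CONN_LOG, SANDBOX_IOCS["contacted_ips"], SANDBOX_IOCS["ports"]).items():
        print(f"{host} contacted IoCs: {pairs}")
```

Note that 10.0.0.15 is not reported even though it reached one of the IoC addresses, because it did so on port 80 rather than on a port the sandbox saw the malware use; that is the extra precision the port list from Hybrid-Analysis buys you.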

Additionally, we can have VirusTotal (https://www.virustotal.com/gui/home/upload) analyze the network patterns in a PCAP file. Let's look at the following example:

We can see that the traffic in the PCAP was tested against Suricata and Snort, two popular intrusion detection systems. Let's look at the generated alerts in detail:

We can see the DNS requests from the PCAP listed. Let's see what we have in the HTTP section in the following screenshot:

Right below the HTTP requests, we have the Snort and Suricata sections listing the matched rules:

We now have plenty of detail from this section. Looking at the third section, we can see that Snort detected an executable being transferred over the network. Additionally, a network Trojan, command and control communication, and exploit kit activity were also detected. Let's look at the Suricata-matched rules as well:

We can see that, based on the PCAP data, Suricata not only matched the Trojan activity but also identified Internet Explorer version 6 running on a system, which is worth noting next to the exploit kit alert, since outdated browsers are exactly what exploit kits target. So, without using any additional analysis tools, we are able to discover plenty of information about the malware. Additionally, we can use VirusTotal Graph to view the sample's relationships in a graphical format, as shown in the following screen:

The nodes with red icons are the ones found to be malicious. Let's analyze a node by selecting it, as shown in the following screenshot:

Kaspersky has detected this node as malware. Websites like VirusTotal and Hybrid-Analysis quickly provide an analysis of a PCAP or an executable, which speeds up investigations that are working under time constraints. So, inputs should always be taken from these websites before starting manual analysis. One caveat: anything uploaded to these services becomes visible to other users of the service, so search by hash first and only upload a sample or a PCAP when the investigation can tolerate that exposure; a sample that may be targeted at your organization, or a capture that contains internal hostnames or credentials, should not be uploaded.
