Performing Malware Analysis

The following topics explain how to perform malware analysis using the CLI:

Submitting Malware to the Virtual Machine for Analysis

Use the commands in this topic to:

  • Download the malware from the specified URL.
  • Analyze the malware on the virtual machine of the appliance.
  • Show the results of the analysis.

After you submit a malware sample to the Malware Analysis appliance, it is assigned a system-generated Malware ID. You can use this identifier to check the status of the submission.

Prerequisites

Before submitting malware to the virtual machine for analysis, verify that you have completed the following requirements, in this order:

  • Configure the settings for the correct type of analysis.
  • Obtain the malicious URLs and save them as a .txt file on your local machine, with exactly one URL per line, as in the following example:

    http://172.16.146.53/AllObjects/doc_1370846
    http://172.16.146.53/AllObjects/doc_3429086
    http://172.16.146.53/AllObjects/doc_3523707

  • Copy this .txt file to the /data/analysis directory. You must have the correct credentials to access this directory.
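The appliance reads the list file literally, one URL per line, so a malformed line costs a failed submission and a duplicate line is submitted twice (and, without the force option, may simply match the earlier submission). The following script is an added example, not part of the FireEye documentation or product, that checks a list file on the local machine before it is copied to /data/analysis: it rejects blank lines, embedded whitespace and non-HTTP(S) schemes and drops duplicates. The sample file contents are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a URL list file, with the kinds of mistakes that
# creep in when the file is assembled by hand: a blank line, a leading
# indent, a duplicate, an ftp:// URL and a URL containing spaces.
SAMPLE_URL_LIST = """\
http://172.16.146.53/AllObjects/doc_1370846
http://172.16.146.53/AllObjects/doc_3429086

  http://172.16.146.53/AllObjects/doc_3523707
http://172.16.146.53/AllObjects/doc_1370846
ftp://172.16.146.53/AllObjects/doc_9999999
http://172.16.146.53/AllObjects/doc with space
"""

ALLOWED_SCHEMES = {"http", "https"}

def validate_url_list(text):
    """Return (urls, problems).

    urls     - ordered list of unique, well-formed http(s) URLs
    problems - list of (line_number, reason) for lines that would not be
               submitted cleanly
    """
    urls, seen, problems = [], set(), []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()                # a leading indent is harmless
        if not line:
            problems.append((lineno, "blank line"))
            continue
        if re.search(r"\s", line):        # the appliance takes the whole line as the URL
            problems.append((lineno, "whitespace inside URL"))
            continue
        parts = urlsplit(line)
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            problems.append((lineno, "not an http(s) URL"))
            continue
        if line in seen:
            problems.append((lineno, "duplicate of an earlier line"))
            continue
        seen.add(line)
        urls.append(line)
    return urls, problems

def clean_list_text(text):
    """The validated list in the one-URL-per-line form the appliance expects."""
    urls, _ = validate_url_list(text)
    return "\n".join(urls) + "\n"
```

Write the result of clean_list_text() to the .txt file you copy to /data/analysis, and review the problems list before submitting: a line the script rejects is a line the appliance would have reported as failed or analyzed as the wrong object.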

To submit a single URL or file for analysis:

  1. Enter CLI configuration mode.

    hostname > enable
    hostname # configure terminal

  2. Choose the type of analysis. The remaining steps show the sandbox form of the command.

    For sandbox:

    hostname (config) # malware analyze sandbox

    For live:

    hostname (config) # malware analyze live

  3. Specify the URL or file to analyze.

    hostname (config) # malware analyze sandbox url malicious-URL

    where malicious-URL is the URL or file that is associated with the malware, for example file:malware.exe or http://1.2.3.4/1.exe.

  4. (Optional) Specify the password needed to open an encrypted file submission.

    hostname (config) # malware analyze sandbox file filename password password

  5. (Optional) Specify the interval after which the analysis times out if it has not completed.

    hostname (config) # malware analyze sandbox url malicious-URL timeout timeout

    where timeout is a value in seconds. The range is 30–3600 seconds; the default is 500 seconds.

  6. (Optional) Specify the priority for this analysis. The default is normal.

    • To set normal priority, enter:
      malware analyze sandbox url malicious-URL priority normal
    • To set urgent priority, enter:
      malware analyze sandbox url malicious-URL priority urgent

  7. (Optional) Enable interactivity with the VM through VNC access.

    • To enable VNC access for the current submission only, enter enable-vnc after the object to analyze. For example:
      malware analyze sandbox url file:mal75.zip enable-vnc force

    When VNC access is enabled, automatic mouse simulation is disabled in the VM. The force option in this example makes the appliance analyze the object even if it matches a previous submission.

  8. (Optional) Specify the guest operating system against which the malware is analyzed.

    hostname (config) # malware analyze sandbox url malicious-URL guestos guestos-name

    where guestos-name is an available guest image profile. The default is the winxp-sp3 guest image.

The following example shows how to submit the file malware.exe for sandbox analysis with a 200-second timeout and normal priority against the winxp-sp2m guest image. The appliance responds with the Malware ID assigned to the submission:

hostname (config) # malware analyze sandbox url file:malware.exe timeout 200 priority normal guestos winxp-sp2m 
Malware Id = 802

To submit a list of malicious URLs from a text file for analysis:

  1. Enter CLI configuration mode.

    hostname > enable
    hostname # configure terminal

  2. Choose the type of analysis. The remaining steps show the sandbox form of the command.

    For sandbox:

    hostname (config) # malware analyze sandbox

    For live:

    hostname (config) # malware analyze live

  3. Specify the URL list file to analyze.

    hostname (config) # malware analyze sandbox list URL-list-file

    where URL-list-file is the .txt file that contains the malicious URLs, one per line, for example file:urls.txt.

  4. (Optional) Specify the interval after which the analysis times out.

    hostname (config) # malware analyze sandbox list URL-list-file timeout timeout

    where timeout is a value in seconds. The range is 30–3600 seconds; the default is 500 seconds.

  5. (Optional) Specify the priority for this analysis. The default is normal.

    • To set normal priority, enter:
      malware analyze sandbox list URL-list-file priority normal
    • To set urgent priority, enter:
      malware analyze sandbox list URL-list-file priority urgent

  6. (Optional) Enable interactivity with the VM through VNC access.

    • To enable VNC access for the current submission only, enter enable-vnc after the object to analyze. For example:
      malware analyze sandbox url file:mal75.zip enable-vnc force
    • To enable VNC access for all submissions, enter:
      _debug vmmd external-vnc enable
    • To disable VNC access for all submissions, enter:
      _debug no vmmd external-vnc enable
    • To view the status of VNC access, enter:
      _debug show vmmd external-vnc

    When VNC access is enabled, automatic mouse simulation is disabled in the VM. Because the _debug setting applies to every later submission, disable it again when the interactive session is finished.

  7. (Optional) Specify the guest operating system against which the malware is analyzed.

    hostname (config) # malware analyze sandbox list URL-list-file guestos guestos-name

    where guestos-name is an available guest image profile. The default is the winxp-sp3 guest image.

  8. (Optional) Make the Malware Analysis appliance perform the submitted analysis even if it matches a previous submission.

    hostname (config) # malware analyze sandbox list URL-list-file force

The following example shows how to submit a list of malicious URLs named urls.txt for sandbox analysis against the winxp-sp3m guest image, forcing analysis even if the objects match previous submissions. The appliance prints one line with the assigned Malware ID per URL, followed by a summary of how many URLs were submitted and how many failed:

hostname (config) # malware analyze sandbox list file:urls.txt guestos winxp-sp3m force 
Analyzing URL 'http://172.16.146.53/AllObjects/doc_1370846' [ID: 1019]
Analyzing URL 'http://172.16.146.53/AllObjects/doc_3429086' [ID: 1020]
Analyzing URL 'http://172.16.146.53/AllObjects/doc_3523707' [ID: 1021]
Processed 3 URLs (3 submitted, 0 failed)
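Both forms of submission return Malware IDs on the console: the single-object form prints Malware Id = N, and the list form prints one Analyzing URL '...' [ID: N] line per accepted URL plus a Processed summary. The following parser is an added example, not FireEye code, that captures those IDs for later show malware checks and reconciles a list submission against the URLs that were sent, so a URL that received no ID is reported rather than silently dropped. The console text is constructed in the format shown on this page; the two-of-three counts are constructed for the example.

```python
import re

# Constructed console output. The line formats are those shown on this page;
# the list run is constructed so that only two of three URLs were accepted.
SAMPLE_SINGLE_OUTPUT = "Malware Id = 802\n"

SAMPLE_LIST_OUTPUT = """\
Analyzing URL 'http://172.16.146.53/AllObjects/doc_1370846' [ID: 1019]
Analyzing URL 'http://172.16.146.53/AllObjects/doc_3429086' [ID: 1020]
Processed 3 URLs (2 submitted, 1 failed)
"""

# The list that was submitted (contents of urls.txt).
SUBMITTED_LIST = [
    "http://172.16.146.53/AllObjects/doc_1370846",
    "http://172.16.146.53/AllObjects/doc_3429086",
    "http://172.16.146.53/AllObjects/doc_3523707",
]

SINGLE_RE = re.compile(r"^Malware Id = (?P<id>\d+)$")
ANALYZING_RE = re.compile(r"^Analyzing URL '(?P<url>[^']*)' \[ID: (?P<id>\d+)\]$")
SUMMARY_RE = re.compile(
    r"^Processed (?P<total>\d+) URLs \((?P<submitted>\d+) submitted, (?P<failed>\d+) failed\)$")

def parse_malware_ids(output):
    """Return (ids, summary).

    ids maps each accepted URL to its Malware ID; a single-object submission
    has no URL on the console, so its ID is stored under the key None.
    summary is the parsed 'Processed ...' line, or None when none was printed.
    """
    ids, summary = {}, None
    for raw in output.splitlines():
        line = raw.strip()
        m = SINGLE_RE.match(line)
        if m:
            ids[None] = int(m["id"])
            continue
        m = ANALYZING_RE.match(line)
        if m:
            ids[m["url"]] = int(m["id"])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
    return ids, summary

def reconcile_list_submission(url_list, output):
    """Cross-check a list submission against the URLs that were sent: which
    URLs got no Malware ID, and whether the summary counts agree with what
    was actually printed."""
    ids, summary = parse_malware_ids(output)
    missing = [u for u in url_list if u not in ids]
    consistent = (summary is not None
                  and summary["total"] == len(url_list)
                  and summary["submitted"] == len(ids)
                  and summary["failed"] == len(missing))
    return {"ids": ids, "missing": missing, "summary": summary, "consistent": consistent}
```

The IDs returned are the values to pass to the show malware commands in the sections below; the missing list is the set of URLs to inspect and resubmit.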

Canceling Pending Malware Analysis Jobs

You can cancel jobs that are pending analysis. Jobs that are already running in the MVX engine will continue to be processed and cannot be canceled.

Use the malware abort queued command to cancel all the pending malware analysis jobs that you have submitted. Include the all option to cancel all pending jobs submitted by other users. You must have administrator privileges to cancel queued jobs that are submitted by other users. You cannot selectively cancel jobs by a particular user.

To cancel pending malware analysis jobs:

  1. Enter CLI enable mode.

    hostname > enable

  2. Cancel all the pending malware analysis jobs that you submitted.

    hostname # malware abort queued

  3. (Optional) Cancel all queued malware analysis jobs, including those submitted by other users. This requires administrator privileges.

    hostname # malware abort queued all

  4. Verify the result with the show malware command. The Objects Queued line shows the jobs still waiting for analysis; jobs that were already running are unaffected.

    hostname # show malware
    Total Objects Submitted                     :    1337
      Objects Queued                           :      10
      Objects Running                          :       2
      Objects Analyzed                         :    1325
      Objects identified as Malicious          :    1084
       - VM verified                         :    1084
       - Duplicate to VM verified            :       0
       - Known checksum match                :       1
    Total events                                :    5237
      vm-signature-match events                :     585
      os-change-anomaly  events                :    1280
      checksum-match     events                :    2978
      vm-outbound-comm   events                :     394
    Objects break down by system status, Total  :    1337
      Submitted for VM analysis                :    1268
      Submit Disabled                          :       3
      Invalid                                  :      55
      Static Analysis Only                     :      11

Viewing the Results for the Malware Analysis

Use the show malware mode sandbox command to verify the results of the sandbox malware analysis job. Use the show malware mode live command to verify the results of the live malware analysis job.

To verify the results of the sandbox malware analysis job:

  1. Enter CLI configuration mode.

    hostname > enable
    hostname # configure terminal

  2. Enter the show malware mode sandbox command.

    hostname (config) # show malware mode sandbox
    Malware ID 800
    Submission ID 800
      Analysis Type:         sandbox
      URL:                   http://172.16.146.53/AllObjects/pdf_7602255
      Analysis Timeout:      500
      Analysis Priority:     normal
      Application:           Multiple Adobe Reader X
      Force:                 true
      Profile Name:          win7x64-sp1
      Profile ID:            66
      Md5Sum:                69e9125cbee713b96c09db95188fd138
      State:                 done
      Status:                success
      Submitted Time:        2015-08-27 20:54:21 UTC
      Download Start Time:   2015-08-27 20:54:21 UTC
      Download End Time:     2015-08-27 20:54:22 UTC
      Run Start Time:        2015-08-27 23:06:02 UTC
      Run End Time:          2015-08-27 23:15:00 UTC
      IM:                    YES
      Number of Events:      (null)
      Children Malware ID(s) -
      Parent Malware ID      -

To verify the results of the live malware analysis job:

  1. Enter CLI configuration mode.

    hostname > enable
    hostname # configure terminal

  2. Enter the show malware mode live command.

    hostname (config) # show malware mode live
    Malware ID 563
    Submission ID 563
        Analysis Type:         live
        URL:                   file:ftest4.bat
        Analysis Timeout:      900
        Analysis Priority:     normal
        Application:           Windows Explorer
        Force:                 true
        Profile Name:          win7-sp1m
        Profile ID:            65
        Md5Sum:                ce42db4701504dcddc533e3afa85cdd2
        State:                 done
        Status:                success
        Submitted Time:        2015-08-27 11:42:17 UTC
        Run Start Time:        2015-08-27 11:42:18 UTC
        Run End Time:          2015-08-27 11:57:29 UTC
        IM:                    YES
        Number of Events:      (null)
        Children Malware ID(s) -
        Parent Malware ID      -
    Event 638:
     Occurrence Time        : 2015-08-27 11:57:29 UTC
     Event Type             : os-change-anomaly
     Analysis Type          : Malware
     Trace ID               : 563
     Malware ID             : 563
     OS Change Analysis:
       EDP URL              :
    https://mil.fireeye.com/edp.php?sname=Malware.Binary.bat
       PCAP URL            :
    https://10.2.252.201/event_stream/send_pcap_file?ev_id=638
       PCAP (text)         :
    https://10.2.252.201/event_stream/send_pcap_ascii?ev_id=638
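The show malware mode output above is what a script polls after a submission: each Malware ID record carries a State and Status, and a finished live job is followed by its events, whose EDP and PCAP URLs are the artifacts worth pulling for further analysis. The following parser is an added example, not part of the FireEye documentation or product, that turns that output into per-Malware-ID records, lists the IDs still worth polling, and collects the artifact URLs from each event. The sample output is constructed from the example above; the second record (ID 564) and its State value "running" are assumed for illustration, since the page only shows the State value "done".

```python
import re

# Constructed sample modelled on the `show malware mode live` output above.
# The second record (ID 564) and its State value "running" are assumed.
SAMPLE_SHOW_MALWARE = """\
Malware ID 563
Submission ID 563
    Analysis Type:         live
    URL:                   file:ftest4.bat
    Analysis Timeout:      900
    Profile Name:          win7-sp1m
    Md5Sum:                ce42db4701504dcddc533e3afa85cdd2
    State:                 done
    Status:                success
    Children Malware ID(s) -
    Parent Malware ID      -
Event 638:
 Occurrence Time        : 2015-08-27 11:57:29 UTC
 Event Type             : os-change-anomaly
 Malware ID             : 563
 OS Change Analysis:
   EDP URL              :
https://mil.fireeye.com/edp.php?sname=Malware.Binary.bat
   PCAP URL            :
https://10.2.252.201/event_stream/send_pcap_file?ev_id=638
Malware ID 564
Submission ID 564
    Analysis Type:         live
    URL:                   file:ftest5.bat
    State:                 running
    Status:                -
"""

RECORD_RE = re.compile(r"^Malware ID (\d+)$")
EVENT_RE = re.compile(r"^Event (\d+):$")
# Fields the appliance prints without a colon.
NOCOLON_RE = re.compile(
    r"^(?P<key>Submission ID|Children Malware ID\(s\)|Parent Malware ID)\s+(?P<val>.*)$")
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")
URL_LINE_RE = re.compile(r"^[a-z]+://")

def parse_show_malware(output):
    """Return {malware_id: {"fields": {...}, "events": [{...}, ...]}}.

    A key printed with an empty value (EDP URL, PCAP URL) takes the URL
    that the appliance prints on the following line."""
    records, current, target, pending = {}, None, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:                                   # start of a Malware ID record
            current = records.setdefault(int(m.group(1)), {"fields": {}, "events": []})
            target, pending = current["fields"], None
            continue
        if current is None:
            continue
        m = EVENT_RE.match(line)
        if m:                                   # start of an event under the record
            target = {"Event ID": int(m.group(1))}
            current["events"].append(target)
            pending = None
            continue
        if pending is not None and URL_LINE_RE.match(line):
            target[pending] = line              # continuation line holding the URL
            pending = None
            continue
        m = NOCOLON_RE.match(line) or KV_RE.match(line)
        if m:
            target[m["key"]] = m["val"]
            pending = m["key"] if m["val"] == "" else None
    return records

def unfinished(records):
    """Malware IDs whose State is not yet done (still worth polling)."""
    return sorted(mid for mid, rec in records.items()
                  if rec["fields"].get("State") != "done")

def artifact_urls(records, malware_id):
    """(event id, field, URL) for every URL-valued event field of one job."""
    found = []
    for ev in records[malware_id]["events"]:
        for key, val in ev.items():
            if isinstance(val, str) and val.startswith(("http://", "https://")):
                found.append((ev["Event ID"], key, val))
    return found
```

Fetching the EDP and PCAP URLs requires authenticating to the appliance Web UI; the parser only extracts them.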

Viewing Malware Submissions

Use the show submission command to view detailed statistics about the number of malware submissions that were analyzed and the number submitted per minute during the past 24 hours.

Use the show submission malicious command to view detailed statistics about the malware submissions that are marked as malicious.

The results of both types of analysis are displayed on the Malware Analysis page in the Web UI. For details about each show submission command, refer to the FireEye CLI Reference.

To view statistics of malware submissions:

  1. Enter CLI enable mode.

    hostname > enable

  2. View the summary of malware submission jobs.

    hostname # show submission
    Runtime Submission Stats:
      Total queued submission                           : 0
      Total running submissions                         : 12
      Total DA running submissions                      : 2
    Cumulative Stats in timespan 2015-08-20 21:16:53 to 2015-08-21 21:16:53
                                                        : Total      : Rate/minute
      Submissions                                       : 1019       : 0.708
      Completed submissions                             : 1007       : 0.699
      Malicious submission count                        : 932        : 0.647

To view statistics of the malware submissions that are marked as malicious:

  1. Enter CLI enable mode.

    hostname > enable

  2. View the summary of the malware submissions that are marked as malicious.

    hostname # show submission malicious
    Submission ID: 9351
       Malware ID            : 9381
       md5sum                : fa428563f4162ac3865b27e8a19ba95c
       File type             : exe
       Status                : success
       Malicious             : YES
          Analysis Object ID      : 8890
          Analysis Object Name    : fa428563f4162ac3865b27e8a19ba95c.bin
          Analysis File Type      : exe
          md5sum                  : fa428563f4162ac3865b27e8a19ba95c
          Static Analysis weight  : 100
          Dynamic Analysis jobs   : 1
          Static Analysis jobs    : 4
               SA engine weight       : 100
               SA job ID              : 34401
                    SA sub-engine name         : malware_intrinsic_analysis
                    SA sub-engine signature    : Dropper.DTI.DroppedFiles
                    SA sub-engine weight       : 100
               SA engine weight       : 100
               SA job ID              : 34399
                    SA sub-engine name         : pe_sign
                    SA sub-engine signature    : Wuhan Weijun Keji Co.,Ltd.
                    SA sub-engine weight       : 0
               Job ID                 : 8539
               OS name                : win7-sp1m
               Application name       : Windows Explorer
               OS Changes weight      : 0
               CNC Match weight       : 0
               Assigned time          : 2015-09-05 17:45:47.548646
               Complete time          : 2015-09-05 17:46:50.32269
               Job runtime            : 00:01:02.774044
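In the show submission malicious output above, the verdict is explained by the static-analysis sub-engine entries: the malware_intrinsic_analysis signature Dropper.DTI.DroppedFiles carries weight 100, while the pe_sign entry records the code-signing certificate subject with weight 0, so it is context rather than a detection. The following parser is an added example, not FireEye code, that turns one such listing into records, separates the signatures that drove the verdict from the informational ones, and flattens each submission into the fields a ticket or IOC feed would carry. The sample output is constructed from the example above with the timing lines omitted.

```python
import re

# Constructed sample modelled on the `show submission malicious` output above
# (same field layout; timing lines omitted).
SAMPLE_SHOW_SUBMISSION_MALICIOUS = """\
Submission ID: 9351
   Malware ID            : 9381
   md5sum                : fa428563f4162ac3865b27e8a19ba95c
   File type             : exe
   Status                : success
   Malicious             : YES
      Analysis Object ID      : 8890
      Analysis Object Name    : fa428563f4162ac3865b27e8a19ba95c.bin
      Static Analysis weight  : 100
      Dynamic Analysis jobs   : 1
      Static Analysis jobs    : 4
           SA engine weight       : 100
           SA job ID              : 34401
                SA sub-engine name         : malware_intrinsic_analysis
                SA sub-engine signature    : Dropper.DTI.DroppedFiles
                SA sub-engine weight       : 100
           SA engine weight       : 100
           SA job ID              : 34399
                SA sub-engine name         : pe_sign
                SA sub-engine signature    : Wuhan Weijun Keji Co.,Ltd.
                SA sub-engine weight       : 0
           Job ID                 : 8539
           OS name                : win7-sp1m
           Application name       : Windows Explorer
           OS Changes weight      : 0
           CNC Match weight       : 0
"""

KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")

def _value(key, val):
    # Weights, IDs and job counts are integers; everything else stays a string.
    return int(val) if key.endswith(("weight", "ID", "jobs")) and val.isdigit() else val

def parse_show_submission_malicious(output):
    """Return one dict per submission: its top-level fields, the static-analysis
    sub-engine hits ('sa_hits') and the dynamic-analysis jobs ('da_jobs')."""
    subs, sub, hit, job = [], None, None, None
    for raw in output.splitlines():
        m = KV_RE.match(raw.strip())
        if not m:
            continue
        key, val = m["key"], _value(m["key"], m["val"])
        if key == "Submission ID":                       # new record
            sub = {"Submission ID": val, "sa_hits": [], "da_jobs": []}
            subs.append(sub)
            hit = job = None
        elif sub is None:
            continue                                     # text before the first record
        elif key == "SA sub-engine name":                # new static-analysis hit
            hit = {"name": val}
            sub["sa_hits"].append(hit)
        elif key.startswith("SA sub-engine ") and hit is not None:
            hit[key[len("SA sub-engine "):]] = val       # signature, weight
        elif key == "Job ID":                            # new dynamic-analysis job
            job = {"Job ID": val}
            sub["da_jobs"].append(job)
        elif job is not None:
            job[key] = val                               # OS name, weights, times
        else:
            sub[key] = val
    return subs

def verdict_drivers(sub):
    """SA signatures that contributed weight, highest first. Weight-0 entries
    (here the pe_sign signer name) are informational, not detections."""
    return sorted((h for h in sub["sa_hits"] if h.get("weight", 0) > 0),
                  key=lambda h: -h["weight"])

def summarize(subs):
    """Flatten each submission to what a ticket or IOC feed needs."""
    return [{
        "submission": s["Submission ID"],
        "md5": s["md5sum"],
        "malicious": s.get("Malicious") == "YES",
        "drivers": [(h["name"], h["signature"]) for h in verdict_drivers(s)],
        "signer": next((h["signature"] for h in s["sa_hits"] if h["name"] == "pe_sign"), None),
        "dynamic_weight": sum(j.get("OS Changes weight", 0) + j.get("CNC Match weight", 0)
                              for j in s["da_jobs"]),
    } for s in subs]
```

A dynamic_weight of 0 alongside a static-analysis weight of 100, as in this record, tells the analyst that the verdict rests on static analysis alone and that the VM run produced no OS-change or callback evidence for this sample.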