What is a malware detonation platform?

This malware analysis tool involves opening suspicious files and links in a virtual machine in order to monitor for malicious activity and to perform additional actions in a safe environment. The malware detonation platform helps to understand the nature of the malware and what it does once it has been successfully executed.

Difference between malware detonation platform and malware sandbox

When facing sophisticated targeted attacks that use complex malware, traditional malware sandboxes are not enough, because this class of malware analysis tools performs only single-object analysis. During an attack, malware communicates with the attackers' servers over common network protocols. Malware sandboxes cannot detect such communications.

A malware detonation platform is the next generation of malware analysis tools. It is more complex than a traditional malware sandbox and requires more resources for high-quality detection. Enriched with functions and tools for in-depth malware analysis, a malware detonation platform comes closer to digital forensic processes and raises awareness of modern malware capabilities.

Malware detonation platform capabilities

Malware behavior analysis

A high-quality malware detonation platform is capable of predicting the scenario of a targeted attack and adjusting the operating system of the virtual environment to the expected conditions. This function makes it possible to analyze malware by screening the attack through behavioral markers and signature analysis in far less time.

Tailored malware sandbox

This class of malware analysis tools is designed to execute malicious code and extract essential indicators of compromise. Analysis of potential malware is conducted in a virtual infrastructure that replicates the victim's original infrastructure.

Malware detonation

This capability is considered a major advantage of a malware detonation platform. In addition to malware analysis and detection, the malware detonation platform includes all the functionality necessary for prompt incident response and malicious file detonation. This component, unusual for a malware analysis tool, enables cybersecurity specialists to build effective defense tactics and prevent damage from a potential attack.

Extended malware analysis reporting

Detailed and comprehensible reporting is crucial for malware analysis. A malware detonation platform should include full change logs for random-access memory (RAM), the file system, the registry, and network communications. All malware analysis and detonation logs are backed up with valuable artifacts: samples of the files that were changed, available for download; records of network sessions in PCAP format; and so on.

How to extend the malware analysis and detonation capabilities of a platform?

The malware analysis and threat attribution capabilities a malware detonation platform provides can be extended through integration with threat intelligence platforms. This class of solutions enriches malware detonation platforms with insights into threat actors' tactics, techniques, and tools.

To expand the malware detonation and incident response functionality, the malware detonation platform can be integrated with an extended detection and response platform. Integration with business email compromise (BEC) protection and prevention solutions allows suspicious attachments and links received by email to be sent straight to the malware detonation platform, decreasing the probability of a successful BEC attack.

Group-IB malware detonation platform

The Group-IB malware detonation platform is integrated with the Managed Extended Detection and Response (MXDR) solution. Objects for malware analysis are received from the other components of Group-IB MXDR or via manual upload.

Thanks to this integration, the Group-IB malware detonation platform provides extended malware analysis and detonation capabilities. Out of the box, the solution is enriched with Threat Intelligence data, which makes malware detection more effective. In-depth reports from TI allow administrators to take further action.

The Managed XDR console allows a virtual machine to be customized to mimic the customer's infrastructure and gives access to the malware analysis process. Objects for analysis are extracted by Network Traffic Analysis appliances or endpoint detection and response agents, or are uploaded via the API or manually.