Artificial Intelligence (AI) proves invaluable in a myriad of contexts, including cybersecurity. Its ability to process large amounts of data, learn from patterns, and adapt to new situations makes it ideal for analyzing viruses and other malware. Here are key areas where AI plays a significant role in malware analysis.

Process Tree Analysis

Inspecting processes as part of malware analysis involves an examination of system or individual process behavior. It helps: 

• Identify process injection techniques employed by malware to execute malicious code within legitimate processes
• Analyze process interactions to reveal suspicious relationships 
• Monitor resource usage to detect resource-intensive malware activities
• Examine process loading and unloading events to uncover advanced malware tactics
• Investigate process origins to assess potential risks associated with individual processes. 

How Artificial Intelligence Can Assist in Examining Malware Processes

One of the possible ways to use AI to study malicious processes is via the ANY.RUN sandbox. 

This cloud service not only provides advanced tools for investigating suspicious files and URLs, but also integrates several Artificial intelligence modules that make it easier for security analysts to understand the behavior of different threats.

Check out this sandbox analysis of an .xz archive containing Agent Tesla, one of the most widespread malware families

Analysis of Agent Tesla in ANY.RUN

Apart from providing a complete overview of the threat’s network, registry, file system activities, the service also offers ChatGPT-generated reports for each process recorded during the malware’s execution.

AI report on the malicious process in ANY.RUN

Above, you can see an AI report for the process related to the main file. The report summarizes the sandbox analysis, providing the following insights into the malicious activities associated with the process: 

• Reading sensitive information from the registry
• Stealing personal data and credentials
• Checking for external IP
• Connecting to SMTP port
• Attempting to transmit email messages via SMTP

The AI also explains these activities, helping the user understand how the malware operates on the system.

Command Line

Malware might use command line arguments to execute embedded scripts, launch additional malicious processes, or modify system configurations. By reviewing command history, analysts can identify patterns of malicious activity, such as repeated attempts to access restricted resources or execute unauthorized commands, which could signify a compromised account or an ongoing attack. 

How AI Helps Investigate Command Lines

In this sandbox session, we observe the execution of Latrodectus, a relatively new malware family with extensive data stealing capabilities. 

The process tree lets us see that during the analysis, “wscript.exe” was launched via the command line.

AI reveals malicious script execution by Latrodectus

By clicking on the corresponding AI report, we discover that this process was likely initiated by the malware to deploy a malicious JavaScript script.

Suricata Rule Detection 

Suricata is an open-source tool used for network security monitoring, intrusion detection, and prevention. When a Suricata rule is triggered, it signifies a potential security threat based on predefined rules and signatures. Understanding these triggers involves investigating the rule that was triggered, the corresponding event data, and the context in which it occurred. This detailed analysis provides insight into the threat, its potential impact, and the appropriate response strategy.

How AI Helps Understand Suricata Detection

Thanks to the Chat-GPT integration, ANY.RUN offers detailed AI-generated explanations of each Suricata detection instance.

Let’s continue with our analysis of Latrodectus.

Suricata rule used for detecting MSI file downloads

By navigating to the triggered Suricata rule and clicking on the ChatGPT icon, we can access the AI report.

AI overview of the triggered Suricata rule 

The AI message informs us about a “Potential Corporate Privacy Violation” caused by traffic from the source IP to the destination IP over port 80. The report also indicates that it is a request for downloading and installing MSI files.

HTTP Connections 

Analyzing HTTP connection data is crucial in detecting network-based threats. Malware often communicates with its Command and Control (C&C) servers via HTTP connections to receive instructions or exfiltrate data. By reviewing HTTP connection data, cybersecurity professionals can identify suspicious network activity, such as unusual data transfer patterns, unauthorized connections, or connections to known malicious IP addresses.

AI Analysis of HTTP Connections

Let’s take a look at this sandbox session, which once again involves Agent Tesla.

When reviewing the detected HTTP requests, we come across a suspicious ip-api[.]com[/]line/?fields[=]hosting connection.

AI report on the suspicious HTTP connection

When we click on the ChatGPT icon, we receive an explanation that it is the malware’s potential attempt to determine if it is operating within a virtual environment. 

It does this by requesting information about the device’s IP address to establish whether it is residential or hosting-based.

Conclusion

AI’s role in malware analysis is multifaceted and critical. It automates complex tasks, providing insightful analysis and enabling real-time threat detection. 

Use the free ANY.RUN sandbox to conduct advanced malware and phishing analysis with AI assistance!