We covered an introduction to logging, where we discussed the logic of creating logs, and we analyzed the Konni RAT malware, which was developed by the advanced persistent threat group APT37 according to MITRE ATT&CK. We performed dynamic malware analysis using the Any.Run cloud malware analysis sandbox. Konni malware masquerades as a Word document file which, when opened, downloads a spyware executable designed to exfiltrate machine OS and credential data and send it to the main C2 server. The malware uses PowerShell to execute system commands to achieve the aforementioned objectives.

Any.Run Free Profile

Setting up the Analysis in Any.Run

The first step was to upload the malware sample to Any.Run. It was important that the uploaded sample had an extension, like .zip, .exe, or .pdf.

For users with a Pro plan (which I was simulating), there’s more flexibility in configuring the analysis environment. This included:

  • Duration: I extended the analysis duration to the maximum (660 seconds) to ensure ample time for observation.
  • Network: Enabling network connections was crucial to monitor the malware’s communication.
  • Operating System: I opted for Windows 11 64-bit, as it’s a common enterprise OS, although other options like Windows 7 and Linux were also available.
  • Pre-installed Software: I chose a “complete set” of pre-installed programs on the Windows OS to create a more realistic environment, though I could have also chosen specific tools or a clean installation.
  • Tools Collection: Any.Run also allows uploading custom tools for the analysis, if needed.

Once configured, I initiated the analysis as a “public task.”

Analyzing the Malware Behavior

The uploaded sample was a zipped file. I extracted it to the desktop using the password "infected". The extracted folder contained both a PDF file and a Word document.

PDF File Analysis:

I opened the PDF file, which was written in North Korean. I carefully monitored network connections; initially, connections to Adobe for themes and configurations appeared normal. Even after enabling editing, I observed no significant changes in network requests or spawned processes for the PDF. This indicated the PDF itself wasn’t the primary malicious component in this specific case.

Word Document Analysis (Malicious Activity Detected):

Next, I opened the Word document. Notably, it lacked the typical “Enable Editing” option often seen in malicious documents with macros, making it appear stealthier. Immediately, I observed a significant spike in HTTP requests (33 requests).

  • Suspicious Network Activity:
    • I saw POST requests being made to a specific domain ending in ".stocks". These requests were initiated by PowerShell, which is highly unusual for a Word document. This strongly suggested communication with a Command and Control (C2) server, likely uploading stolen data.
    • I also noticed GET requests to the same domain but to different URLs, possibly to download further malware components. The URL paths of these requests appeared to be Base64 encoded.
    • The IP address associated with the C2 domain was identified as Russian.
  • Threat Detection by Any.Run: Any.Run’s automated detection flagged the activity as “Spyware.” Specific alerts included “successful credential theft detected” and “network trojan was detected.” The malware was definitively identified as Konni APT, known for targeting South Korean users and often delivered via HWP and LNK files in zipped archives. The platform even showed the IDS (Intrusion Detection System) rule that triggered the alert.
  • Process Analysis: The main culprit process was identified as cmd.exe (command line), which then spawned PowerShell. I was able to view the full PowerShell command responsible for stealing OS information and credentials. Another malicious process, expand.exe, was dropped by the Word document and retrieved via PowerShell from the C2 server.
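The two observations above (a Word process leading to cmd.exe and then PowerShell, and PowerShell itself issuing POSTs and Base64-looking GETs to one domain) can be turned into detection logic. The script below is an added example written for this article; it is not code from Any.Run or from the original walkthrough. It runs over constructed Sysmon-like process and HTTP events: the pids, the `example-c2.stocks` host, the URL paths and the benign Adobe stand-in are all placeholders, not values from the real sample.

```python
"""Added example: detect an Office -> cmd.exe -> PowerShell chain and
shell-originated HTTP traffic (POST uploads, Base64-looking GET paths).
All events below are constructed for this example in a Sysmon-like shape."""
import base64
import binascii
import re

# Constructed process-creation events (hypothetical pids and parents).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"pid": 500, "ppid": 100, "image": "acrord32.exe"},
]

# Constructed HTTP events keyed by the pid that opened the connection.
# "adobe-cdn.example" stands in for the benign Adobe traffic the PDF reader made.
NETWORK_EVENTS = [
    {"pid": 500, "method": "GET", "host": "adobe-cdn.example",
     "path": "/updates/manifest.msi"},
    {"pid": 400, "method": "POST", "host": "example-c2.stocks", "path": "/upload.php"},
    {"pid": 400, "method": "GET", "host": "example-c2.stocks",
     "path": "/" + base64.b64encode(b"stage2.cab").decode()},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# A path that is one long run of Base64 alphabet characters with optional padding.
B64_PATH = re.compile(r"^/[A-Za-z0-9+/]{12,}={0,2}$")


def ancestry(pid, by_pid):
    """Image names from the given process up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def office_spawned_shells(process_events):
    """Return 'child <- parent <- ...' chains for shells with an Office ancestor."""
    by_pid = {e["pid"]: e for e in process_events}
    hits = []
    for e in process_events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(e["pid"], by_pid)
        if any(img.lower() in OFFICE_APPS for img in chain[1:]):
            hits.append(" <- ".join(chain))
    return hits


def looks_base64(path):
    """True when the URL path decodes cleanly as Base64 (an encoded stage name)."""
    if not B64_PATH.match(path):
        return False
    try:
        base64.b64decode(path[1:], validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def shell_http_findings(process_events, network_events):
    """Flag HTTP requests made by a shell: POSTs (upload) and Base64 paths."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for n in network_events:
        proc = by_pid.get(n["pid"])
        if proc is None or proc["image"].lower() not in SHELLS:
            continue
        reasons = []
        if n["method"] == "POST":
            reasons.append("POST from shell: possible exfiltration")
        if looks_base64(n["path"]):
            reasons.append("Base64-looking path: possible encoded download")
        if reasons:
            findings.append({"image": proc["image"], "host": n["host"],
                             "method": n["method"], "reasons": reasons})
    return findings


def suspicious_hosts(findings):
    """Hosts that a shell both POSTed to and fetched encoded content from."""
    posted = {f["host"] for f in findings if f["method"] == "POST"}
    fetched = {f["host"] for f in findings if f["method"] == "GET"}
    return sorted(posted & fetched)


if __name__ == "__main__":
    for chain in office_spawned_shells(PROCESS_EVENTS):
        print("process chain:", chain)
    hits = shell_http_findings(PROCESS_EVENTS, NETWORK_EVENTS)
    for h in hits:
        print(h["image"], h["method"], h["host"], "|", "; ".join(h["reasons"]))
    print("hosts with upload + encoded download:", suspicious_hosts(hits))
```

The Adobe reader's GET is ignored because acrord32.exe is not a shell, which mirrors the author's observation that the PDF traffic was benign; the same domain appearing as both a shell POST target and a source of Base64-named downloads is the C2 pattern the sandbox flagged.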

Extracting Indicators of Compromise (IOCs) and Reporting

Any.Run provided a dedicated section for Indicators of Compromise (IOCs), including hashes, domain names, and IP addresses. These are invaluable for security defenses, though some filtering was necessary to isolate the truly malicious entries.
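The filtering step mentioned above (separating the truly malicious entries from the noise a sandbox IOC export contains) is shown in the added example below; it is my own illustration, not Any.Run's export format or code. The IOC list is constructed: the hashes, `example-c2.stocks` and `1.2.3.4` are placeholders, not the real Konni indicators, and the vendor allowlist is an assumption an analyst would tune to their environment.

```python
"""Added example: normalise a sandbox IOC export, drop malformed hashes,
non-routable addresses, allowlisted vendor domains and duplicates, and
defang what remains for reporting. The input list is constructed."""
import ipaddress
import re

# Constructed IOC export in (type, value) shape; all values are placeholders.
RAW_IOCS = [
    ("sha256", "A" * 64),
    ("md5", "d41d8cd98f00b204e9800998ecf8427e"),
    ("sha1", "not-a-hash"),
    ("domain", "www.adobe.com"),          # benign reader telemetry seen in the run
    ("domain", "Example-C2.stocks"),
    ("domain", "example-c2.stocks"),      # duplicate differing only in case
    ("ip", "192.168.1.10"),               # sandbox-internal address
    ("ip", "1.2.3.4"),                    # placeholder routable address
    ("ip", "999.1.1.1"),                  # malformed
]

# Assumed allowlist of vendor domains whose traffic the analysis showed was benign.
BENIGN_DOMAINS = {"adobe.com", "microsoft.com", "windowsupdate.com", "office.com"}
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
HEX = re.compile(r"^[0-9a-f]+$")


def is_benign_domain(domain):
    """True if the domain or any parent domain is on the allowlist."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in BENIGN_DOMAINS for i in range(len(labels)))


def normalise(raw):
    """Return (kept, dropped); dropped carries a reason for each rejection."""
    kept, dropped, seen = [], [], set()
    for kind, value in raw:
        v = value.strip().lower()
        reason = None
        if kind in HASH_LEN:
            if len(v) != HASH_LEN[kind] or not HEX.match(v):
                reason = "malformed hash"
        elif kind == "domain":
            if is_benign_domain(v):
                reason = "allowlisted vendor domain"
        elif kind == "ip":
            try:
                addr = ipaddress.ip_address(v)
            except ValueError:
                reason = "invalid ip"
            else:
                if not addr.is_global:
                    reason = "non-routable address"
        else:
            reason = "unknown type"
        if reason is None and (kind, v) in seen:
            reason = "duplicate"
        if reason:
            dropped.append((kind, value, reason))
        else:
            seen.add((kind, v))
            kept.append((kind, v))
    return kept, dropped


def defang(kind, value):
    """Render network indicators so they cannot be clicked in a report."""
    if kind in ("domain", "ip"):
        return value.replace(".", "[.]")
    return value


if __name__ == "__main__":
    kept, dropped = normalise(RAW_IOCS)
    for kind, v in kept:
        print("keep", kind, defang(kind, v))
    for kind, v, why in dropped:
        print("drop", kind, v, "->", why)
```

Running it keeps four actionable indicators and explains why each of the other five was discarded, which is the audit trail you want when the filtered list goes into a blocklist or a detection rule.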

The platform also displayed a MITRE ATT&CK report, highlighting tactics and techniques used by the malware, such as:

  • Persistence: The malware added registry entries to ensure it started with the system.
  • Privilege Escalation & Defense Evasion: It used obfuscation techniques to achieve these goals.

Finally, a comprehensive text report could be generated, summarizing all findings, including processes, modified registry keys, and screenshots. This report is even available on the free plan. It’s highly recommended to perform the analysis first and then export the report for thorough documentation.

Video Walkthrough | Full Analysis with Any.Run

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
