Hello and welcome to the Tuesday, February 27th, 2024 edition of the Sandcent Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

In today's diary, we do have a guest diary by Kegan Hamlin, one of our interns, and Kegan is writing about

how to automate some of the malware analysis with our honeypot.

We are using the Cowry Honeypot, and it does collect any attempts to upload binaries or any file, really, to the Honeypot and it does collect any attempts to upload binaries or any file really to the Honeypot.

And of course, there is malware among those binaries.

The tricky part is to serve a quick triage on what's interesting, what's new.

Virus Totals API comes in really handy here. You may just use it to

submit a hash of the file and then you'll get back some basic properties that VirusTotal

knows about the file. As a rule of them, well, if VirusTotal has a record of the particular

hash, it's probably

not that terribly interesting, even less interesting if there are a lot of hits in existing

anti-malreras engines. Now, once you make it past this step, there's some interesting

additional step that is being explained here, and that's the

behavioral or dynamic analysis of the files, and here using any run. Any run is a service that you can

use to then quickly, basically run a file and get a quick report as to what it does. Works pretty well,

and then in addition to that, you have tools that you can sort of deploy yourself, like

a Mockenbird or Kuku3, which are also allowing you to get a quick behavioral snapshot of some unknown matter.

Some of these sort of on-premise systems, of course, take a little bit work to get set up

and configure.

They often require a set of different virtual machines and the necessary automation

to then periodically reset everything. Again, this is

...