
Introduction to Falcon MalQuery (Malware Search Engine)

April 5, 2019

CrowdStrike Tech Center

Broader Picture

Gathering and using threat intelligence is a core capability in cyber security that most organizations are still learning. As these capabilities mature in organizations, having access to broader data sets becomes more critical. This is where Falcon MalQuery (CrowdStrike’s Malware Search Engine) comes into play.

Introduction

Falcon MalQuery is a search engine for malware that allows you to search and attribute samples from your investigations. Having access to such a vast collection of samples is critical to making better determinations regarding the source, code reuse, and familial attributes of the malware you are researching. Access to a vast data set will also aid in the threat hunting, prevention, and YARA rule creation & monitoring process.

Key Capabilities:

  • Over 1 Billion Samples going back 5 years
  • Indexed for fast searching
  • Flexible search capabilities for strings, hex, or even YARA rules

The figure below illustrates the typical malware research process that many organizations adopt; MalQuery exists to simplify each step of that process.

Video

In this video we’ll go over the purpose behind MalQuery and how you can use it to aid in your malware research process.

A Day in the Life

As a malware researcher, you encounter an unmanaged asset, one not protected by CrowdStrike, that has been infected with ransomware. Where do you start? With MalQuery we can start the investigation from a unique string related to the sample. In our example we take the Bitcoin wallet ID from the ransom note and look for other samples that use the same wallet, to determine whether it has been seen elsewhere in our environment.


With the Bitcoin wallet ID copied, we’ll search MalQuery’s database for related samples:

In the search results we can get a timeline of when samples containing this wallet ID were first seen. We can also get an idea of the malware families related to the wallet ID.

Taking things even further, we can download the sample to investigate for other characteristics.

After downloading the sample we’ll use the “strings” utility to extract the runs of printable characters and look for any unique messages inside the binary. A quick visual scan of the output turns up a string of interest: the ransom message. We can use MalQuery to identify any other samples carrying the same message.

Searching for the ransom message yields results as well; the matching samples go back as far as 2016 and give us an idea of their delivery method and likely malware family.


Hex Based Search

Another important part of malware research is being able to search on hex byte sequences across the malware library. This lets you quickly find other samples that share the same byte pattern even when they share no strings, for example a distinctive code sequence or constant that survives after the strings have been changed.

Actor Attribution and Intelligence Reports

Beyond identifying other samples with the same characteristics, you will be able to identify possible adversaries and review reports on their tactics, techniques, and procedures (TTPs). CrowdStrike offers a variety of intelligence reports, released weekly or in response to an emerging threat. The reports are also tailored to specific verticals (government, financial, technology, etc.), threat actors, and motivations.

YARA Rule Validation

Another thing that sets MalQuery apart is the ability to validate YARA rules against CrowdStrike’s extensive malware library. Validating your rules this way is crucial: it exposes false positives (unrelated files that the rule also matches) and shows the rule’s scope (which families and variants it actually catches). Rule validation in MalQuery takes seconds or minutes rather than the days you might spend with a self-maintained, incomplete body of samples.
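As an added example covering both the hex-based search above and rule validation (it is not MalQuery’s own code or API, and the matcher is a teaching stand-in for the YARA engine, not YARA itself), the Python script below shows what the two operations do mechanically: it compiles a YARA-style hex string with ?? wildcards and [n-m] jumps into a byte regex, reports the offsets at which it occurs in a sample, runs a small rule with an all-of/any-of condition over a labelled corpus, and reports true positives, false positives and misses. The corpus, the sample names and the VirtualAlloc call stub are constructed for illustration; the point is that a hex pattern alone fires on a benign packer, and adding the ransom-note string keeps the same coverage with no benign hits.

```python
import re
from typing import Dict, List, Tuple


def hex_pattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Compile a YARA-style hex string ("6A 40 68 ?? ?? 00 [2-4] FF 15") into a bytes regex.
    '??' matches any one byte; '[n-m]' matches a jump of n to m arbitrary bytes."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("[") and tok.endswith("]"):
            lo, hi = tok[1:-1].split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(parts), re.DOTALL)


def find_hex_offsets(data: bytes, pattern: str) -> List[int]:
    """Offsets at which the hex pattern occurs in data (what a hex search reports per sample)."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]


# A rule here is a dict mimicking YARA's shape: named strings plus a condition.
# Values wrapped in { } are hex patterns; anything else is a literal text string.
Rule = Dict[str, object]


def rule_matches(rule: Rule, data: bytes) -> bool:
    hits = {}
    for name, value in rule["strings"].items():
        v = value.strip()
        rx = hex_pattern_to_regex(v[1:-1]) if v.startswith("{") else re.compile(re.escape(v.encode()))
        hits[name] = rx.search(data) is not None
    cond = rule["condition"]
    if cond == "all of them":
        return all(hits.values())
    if cond == "any of them":
        return any(hits.values())
    raise ValueError("unsupported condition: %s" % cond)


def validate_rule(rule: Rule, corpus: Dict[str, Tuple[bytes, bool]]) -> Dict[str, List[str]]:
    """Scan a labelled corpus (name -> (bytes, is_malicious)) and report what a validation pass
    needs: malicious samples the rule catches, benign ones it wrongly hits, and ones it misses."""
    report = {"true_positives": [], "false_positives": [], "missed": []}
    for name, (data, is_malicious) in corpus.items():
        hit = rule_matches(rule, data)
        if hit and is_malicious:
            report["true_positives"].append(name)
        elif hit:
            report["false_positives"].append(name)
        elif is_malicious:
            report["missed"].append(name)
    return report


# ---- Constructed corpus (not real samples) ----------------------------------------
def _alloc_stub(size: int) -> bytes:
    # x86 bytes for: push 40h; push 3000h; push <size>; push 0; call [VirtualAlloc]
    # (PAGE_EXECUTE_READWRITE, MEM_COMMIT|MEM_RESERVE). Common in unpackers, not only malware.
    return (bytes.fromhex("6A 40 68 00 30 00 00 68") + size.to_bytes(4, "little")
            + bytes.fromhex("6A 00 FF 15") + b"\x00\x20\x40\x00")


NOTE = b"Your files have been encrypted!"
CORPUS: Dict[str, Tuple[bytes, bool]] = {
    "ransom_v1": (b"MZ\x90\x00" + b"\x00" * 16 + _alloc_stub(0x00100000) + b"\x90" * 8 + NOTE + b"\x00", True),
    "ransom_v2": (b"MZ\x90\x00" + b"\xcc" * 32 + _alloc_stub(0x00040000) + NOTE + b" Pay 0.5 BTC.\x00", True),
    "packer_tool": (b"MZ\x90\x00" + b"\x00" * 8 + _alloc_stub(0x00008000) + b"UPX!\x00", False),
    "clean_notepad": (b"MZ\x90\x00" + b"Untitled - Notepad\x00" * 4, False),
}

ALLOC_PATTERN = "6A 40 68 00 30 00 00 68 ?? ?? ?? ?? 6A 00 FF 15"

# First cut: the hex pattern alone. Too broad: it also fires on the benign packer.
LOOSE_RULE: Rule = {"strings": {"$alloc": "{ " + ALLOC_PATTERN + " }"}, "condition": "any of them"}
# Tightened: also require the ransom note. Same family coverage, no benign hits.
TIGHT_RULE: Rule = {"strings": {"$alloc": "{ " + ALLOC_PATTERN + " }", "$note": NOTE.decode()},
                    "condition": "all of them"}

if __name__ == "__main__":
    print("offsets in ransom_v1:", find_hex_offsets(CORPUS["ransom_v1"][0], ALLOC_PATTERN))
    print("loose:", validate_rule(LOOSE_RULE, CORPUS))
    print("tight:", validate_rule(TIGHT_RULE, CORPUS))
```

The same loose-versus-tight comparison is what a validation run against MalQuery gives you at scale: a rule that matches only the intended family across a billion samples is ready to monitor, while one that also lights up unrelated families or common tooling needs another string or a tighter condition before it is worth a notification.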

YARA Rule Monitoring

YARA Monitoring automatically runs your saved YARA rules as new files are loaded into MalQuery. Each monitored rule can notify you whenever a newly added file matches it; notifications are delivered by email or through the MalQuery API.

Conclusion

Falcon MalQuery is a malware search engine that gives you quick access to a continually updated malware library (over 1 billion samples) together with capabilities unique to it, such as YARA rule validation and monitoring. Falcon MalQuery is included in CrowdStrike Falcon® Intelligence Premium and is also offered as a standalone capability.
