Malware sandboxes offer a safe and controlled environment to analyze potentially harmful software and URLs. However, not all sandboxes incorporate features that are essential for proper analysis. Let’s look at five components that make a malware sandbox effective.
- Behavioral Analysis
Behavioral analysis is a critical aspect of malware sandboxing. It provides insights into the actions and potential threats posed by suspicious files. This involves monitoring several key areas:
AsynRAT’s process graph displayed by the ANY.RUN sandbox
- Processes: As malware often creates, injects, and terminates processes to carry out its malicious activities, tracking these changes and relaying them to the user in a digestible format is essential.
- Registry: Malware makes changes to the registry to achieve persistence, modify system settings, or disable security features. Detecting such activity proves useful in threat investigations.
- File system: Malware manipulates files and directories to store its components, steal data, or disrupt system functionality. A proper sandbox exposes all of these activities and reveals additional Indicators of Compromise (IOCs) that are not present in the code itself.
Additionally, advanced malware sandboxes should map the observed behaviors to the MITRE ATT&CK framework, a universal knowledge base of adversary tactics and techniques based on real-world observations.
This way, users can not only get a complete understanding of the threat’s scale, but also receive actionable information for predicting the impact of the malware, creating effective countermeasures, and improving the overall security posture of the organization.
- Network Analysis
Network analysis is another critical component of effective malware sandboxing, providing insights into the network-based activities. This process involves several key techniques:
- Packet Capture and Inspection: Logging network traffic and allowing the user to view its contents offers an in-depth view of the interactions between the malware and other systems. This includes information such as the source and destination IP addresses, the ports used, the protocols involved, and the timestamps of the communications. This can reveal if the malware is attempting to communicate with a command and control (C&C) server, scan for vulnerable systems, or perform other malicious activities.
- Encrypted Traffic Analysis: As more and more network traffic becomes encrypted, the ability to analyze it has become increasingly important. Sandboxes using built-in tools like MITM proxy make it possible to decrypt HTTPS traffic and thus identify malicious activity.
Suricata detection of AgentTesla’s exfiltration activity in ANY.RUN
- Network Threat Detection: For sandboxes, it is also important to not only give access to the network traffic, but also automatically detect potential threats based on predefined signatures or anomalies. Solutions like Suricata IDS can be used to enhance the network analysis capabilities of a malware sandbox and flag suspicious network activities.
- Static Analysis
Although sandboxes are usually used for dynamic analysis, they can be equally helpful in static analysis:
- Analyzing Files: Sandboxes can offer a static overview of various file types, such as PDFs, LNK files, and Microsoft Office documents. For instance, malicious PDFs can be analyzed to detect suspicious URLs, while LNK files can be inspected for embedded commands and scripts. Microsoft Office documents can be examined for malicious macros, images, QR codes, etc.
Static analysis of a phishing email in ANY.RUN using the Rspamd spam-filtering module
- Investigating Spam and Phishing Emails: Sandboxes offer email previews, display metadata, and list Indicators of Compromise (IOCs), enabling you to examine email content and origin details without opening the email itself. Moreover, sandboxes can effectively handle malicious archive attachments, such as ZIP, tar.gz, .bz2, and RAR files, which are often used to evade basic detection.
While static analysis is a powerful technique, it is important to note that it is not always sufficient on its own. This is why sandboxes should also offer interactivity to manually engage with files and links when needed.
- Interactivity and Flexibility
Interactivity is a key feature of advanced malware sandboxes that enables security teams to gain a more complete understanding of the behavior and capabilities of suspicious software.
Interactivity can help in cases like CAPTCHA-protected phishing pages
With interactivity, security teams can manually perform various user interactions, such as clicking on links, entering data, or opening files within the sandbox. These actions can trigger additional behaviors or reveal hidden capabilities of the malware that might not be exposed through automated analysis alone. For instance, a piece of malware designed to steal credentials may only exhibit its true nature when a user attempts to log in to a specific website or application.
In addition to manual user interactions, advanced malware sandboxes must enable security teams to customize and emulate different system and network conditions. This can involve various operating systems, software configurations, or network environments. By emulating these conditions, security teams can analyze how the malware behaves in diverse scenarios.
- Reporting
Since sandboxes are often the first tool for security analysts when addressing an incident or investigating a threat, they must offer detailed and easy-to-understand reports. Each report should provide a comprehensive summary of the malware’s behavior, including any actions taken, changes made to the system or network, and any IOCs identified.
Report on a Remcos sample in ANY.RUN
By giving clear, detailed, and actionable reports on its findings, an effective malware sandbox can enable security teams to make informed decisions about how to respond to threats, improving the organization’s overall security posture.
ANY.RUN Sandbox
ANY.RUN provides an interactive cloud sandbox that incorporates all the features necessary for conducting advanced malware and phishing analysis with ease and speed. The free version offers unlimited submissions and analysis in Windows 7 (x32), 10 (x64) and Linux VMs, while the premium plans let you analyze your files and URLs privately and work with your entire team in your private space.
Create your free ANY.RUN account to analyze cyber threats without limits.
Conclusion
A malware sandbox is a powerful tool in the arsenal of cybersecurity professionals, providing a safe space to analyze and understand potential threats. By incorporating behavioral analysis, network analysis, IOC extraction, interactivity, and comprehensive reporting, organizations can ensure their sandbox is not just a tool, but a robust and effective line of defense against cyber threats.
About the Author
Vlad Ananin is a Technical Writer at ANY.RUN. With 5 years of experience in covering cybersecurity and technology, he has a passion for making complex concepts accessible to a wider audience and enjoys exploring the latest trends and developments. Vlad can be reached online at the company website https://any.run/