Malware analysis sandboxing

In this article we discuss sandboxing: how it works, a list of free sandboxing environments, and how to prepare your own. Hybrid analysis, malware analysis and threat analysis services all rely on the same underlying technology, sandboxing.

What is sandboxing?

Sandboxing is a technique that provides an isolated (usually virtual) environment in which untested code, third-party software from an unverified source, or any program that looks suspicious can be run and observed without putting the host system at risk.

How sandboxing works?

We run the suspicious program inside the sandbox environment and observe its behaviour, i.e., what the program does when it executes. The sandbox gives us a contained environment in which the program can be run and analysed with little risk to our own systems. One caveat: malware that detects it is running in a sandbox or virtual machine may behave differently (or not at all), so a quiet run does not prove a file is harmless.

After the run, the sandbox produces a report containing the activities of every process that the tested program executed in the sandbox.

Within seconds or minutes [depending on the file], the sandbox environment provides a detailed output listing all the activities of the file/program.
Ex:- what the file did and what it tried to do, which commands it ran, which processes it spawned and which calls failed, which domains and IPs it tried to communicate with, a memory dump, etc.

In the end, it gives an overall score based on all the observed activities and indicators of compromise. If the file is found to be malicious, the report also tells us the nature of the file, i.e., which threat category it falls into.
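As an added example (not part of the original article, and not the code of any of the services mentioned on this page), the script below shows the kind of post-processing a sandbox does once the run is over: it takes a behaviour report, matches it against a set of weighted indicators, derives a score, a verdict and a threat category, and pulls out the indicators of compromise. The report layout, the indicator names, the weights and the thresholds are all assumptions chosen for illustration; the two reports are constructed, and the `.invalid` domain and TEST-NET addresses are reserved values that never resolve on the real Internet.

```python
import re
from collections import Counter, defaultdict

# Constructed sample report. The layout (processes, files_written, registry_written,
# dns, connections) is an assumption made for this example and is NOT the real
# report schema of Cuckoo, Hybrid Analysis, VirusTotal or any other product.
SAMPLE_REPORT = {
    "sample": "invoice.exe",
    "processes": [
        {"pid": 1234, "ppid": 600, "path": r"C:\Users\victim\Downloads\invoice.exe",
         "cmdline": "invoice.exe"},
        {"pid": 1300, "ppid": 1234, "path": r"C:\Windows\System32\cmd.exe",
         "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & "
                    "bcdedit /set {default} recoveryenabled no"},
        {"pid": 1400, "ppid": 1234, "path": r"C:\Users\victim\AppData\Local\Temp\svc_host.exe",
         "cmdline": "svc_host.exe -i"},
    ],
    "files_written": [r"C:\Users\victim\AppData\Local\Temp\svc_host.exe"]
                     + [rf"C:\Users\victim\Documents\doc{i}.docx.locked" for i in range(25)],
    "registry_written": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc_host"],
    "dns": [{"domain": "check-flag.invalid", "resolved": []}],  # constructed, reserved TLD
    "connections": [{"ip": "198.51.100.23", "port": 443}],     # TEST-NET-2 address
}

# Constructed report of a harmless run, for comparison.
BENIGN_REPORT = {
    "sample": "notes.txt",
    "processes": [{"pid": 900, "ppid": 600, "path": r"C:\Windows\System32\notepad.exe",
                   "cmdline": "notepad.exe notes.txt"}],
    "files_written": [r"C:\Users\victim\notes.txt"],
    "registry_written": [],
    "dns": [{"domain": "update.example.com", "resolved": ["203.0.113.5"]}],
    "connections": [{"ip": "203.0.113.5", "port": 443}],
}


def _cmdlines(report):
    return [p["cmdline"].lower() for p in report["processes"]]


def _basenames(report):
    return [p["path"].lower().rsplit("\\", 1)[-1] for p in report["processes"]]


def deletes_shadow_copies(report):
    pat = re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete")
    return any(pat.search(c) for c in _cmdlines(report))


def disables_boot_recovery(report):
    return any("bcdedit" in c and "recoveryenabled no" in c for c in _cmdlines(report))


def mass_file_rename(report, threshold=20):
    # Many files written with one new extension is the classic encryption signature.
    exts = Counter(p.rsplit(".", 1)[-1].lower() for p in report["files_written"] if "." in p)
    return any(n >= threshold for n in exts.values())


def drops_and_executes(report):
    # A file the sample wrote that later shows up as a running process.
    written = {p.lower() for p in report["files_written"]}
    return any(p["path"].lower() in written for p in report["processes"])


def run_key_persistence(report):
    return any("\\currentversion\\run\\" in k.lower() for k in report["registry_written"])


def contacts_unresolved_ip(report):
    # Connections to IPs that DNS never returned suggest a hard-coded C2 address.
    resolved = {ip for d in report["dns"] for ip in d["resolved"]}
    return any(c["ip"] not in resolved for c in report["connections"])


def spawns_shell(report):
    return any(b in ("cmd.exe", "powershell.exe") for b in _basenames(report))


# (name, weight, threat category, check). Weights are illustrative assumptions.
INDICATORS = [
    ("deletes_shadow_copies", 40, "ransomware", deletes_shadow_copies),
    ("disables_boot_recovery", 20, "ransomware", disables_boot_recovery),
    ("mass_file_rename", 30, "ransomware", mass_file_rename),
    ("drops_and_executes", 25, "dropper", drops_and_executes),
    ("run_key_persistence", 20, "persistence", run_key_persistence),
    ("contacts_unresolved_ip", 15, "c2", contacts_unresolved_ip),
    ("spawns_shell", 10, "generic", spawns_shell),
]


def triage(report):
    """Score a behaviour report, pick a verdict and category, and list the IOCs."""
    matched = [(name, w, cat) for name, w, cat, check in INDICATORS if check(report)]
    score = min(100, sum(w for _, w, _ in matched))
    verdict = ("malicious" if score >= 70 else
               "suspicious" if score >= 30 else "no significant indicators")
    by_cat = defaultdict(int)
    for _, w, cat in matched:
        by_cat[cat] += w
    category = max(by_cat, key=by_cat.get) if verdict == "malicious" else None
    return {
        "sample": report["sample"],
        "score": score,
        "verdict": verdict,
        "category": category,
        "indicators": [name for name, _, _ in matched],
        "iocs": {
            "domains": [d["domain"] for d in report["dns"]],
            "ips": sorted({c["ip"] for c in report["connections"]}),
            "dropped_files": [p for p in report["files_written"] if p.lower().endswith(".exe")],
            "registry_keys": list(report["registry_written"]),
        },
    }


if __name__ == "__main__":
    import json
    for rep in (SAMPLE_REPORT, BENIGN_REPORT):
        print(json.dumps(triage(rep), indent=2))
```

The verdict deliberately never says "clean": the lowest outcome is "no significant indicators", because a sample that evaded the sandbox or slept through the run leaves an empty report too. Real products use far more indicators and tune the weights against known samples; the structure (indicator matches, a capped score, a category chosen by weight) is what carries over.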

List of free sandboxing environments:

  1. Reverse.it: a free malware analysis service running VxStream Sandbox v6.50 on the backend.
  2. Valkyrie: runs several analyses based on run-time behaviour and can warn users about malware that classic antivirus does not detect.
  3. VirusTotal: a free malware analysis service that can detect malware in submitted files or URLs.
  4. Viacheck.ca: you can upload any kind of file, including executables, for malware analysis; the complete report is emailed to you.
  5. Cuckoo Sandbox: an open-source automated malware analysis system.

Preparing a sandbox: 

Instead of using an online sandbox environment, we can also prepare our own as per our requirements. But before installing and configuring a sandbox environment, a few things should be decided:

  1. What do we want to achieve, and how?
  2. Which type of file do we have to analyze?
  3. Which operating system do we need to install to run the analysis?
  4. Which type of information do we want from the file analysis?

Virtual machine preparation is the most important and critical part of sandboxing, and it needs step-by-step planning. Take a clean snapshot of the prepared VM so that it can be reverted after every run, and keep the VM on an isolated network so that a sample cannot reach your production hosts.

For example:

  1. Which operating system and patch level we should use.
  2. Which software, and which version of it, we must install [the security software needed to analyze the threats, and the application versions the sample targets, since the software version matters when analyzing exploits].




How to submit a file for analysis

The sandbox provides an option to upload a file. After submission, a virtual machine starts executing the file and analyzing its behaviour. Not only files: we can also submit a URL or an email to identify the nature of that URL or email. If you doubt an email, save it as a mail file (for example in .eml or .msg format) and submit it to the analysis environment.

For example: below is a screenshot of an email that we received from Gartner.

[Screenshot: the Gartner email]

Now we are going to test this email, to find out whether it is a phishing email or just spam.

Below are the step-by-step screenshots for the analysis of this email:

  1. Browse to the saved mail or file you need to check and click on Submit. [Screenshot]
  2. The installed virtual machine starts execution automatically. [Screenshot]
  3. The email we submitted is opened automatically inside the installed virtual machine. [Screenshot]
  4. Any URL in the mail is opened in the browser, and the sandbox follows it to the exact destination the sender wants you to reach: a URL redirection, a phishing site, or a site from which a suspicious file gets downloaded automatically. [Screenshot]
  5. If a file gets downloaded, the virtual machine executes that file and monitors its behaviour.
  6. In a paid sandbox environment you can watch all these activities live. In free services such as Hybrid Analysis or VirusTotal, you get a report of the submitted file instead.

Below is the link to the report generated for the above analysis of the Gartner email.

Report on Gartner_email 

The screenshots attached below were taken from the report on the recent ransomware "WannaCry". The report was generated by one of the paid sandboxes, Threat Grid, provided by Cisco.

[Screenshot: WannaCry report, part 1]

[Screenshot: WannaCry report, part 2]

[Screenshot: WannaCry kill switch]
