
Malware Sandboxes

links: MAI TOC - Dynamic Analysis - Index


Intro

Malware sandboxes are automated tools designed to analyze the behavior of suspicious files (binaries, documents, URLs) in a controlled and isolated environment. They allow for quick determination of whether a file is malicious, identification of the malware family, and extraction of indicators of compromise (IOCs).

Overview of Malware Sandboxes

How Sandboxes Work

  1. Sample Submission: Suspicious files are submitted to the sandbox.
  2. Execution Environment: The sandbox executes the files in an instrumented environment, typically within an isolated virtual machine (VM).
  3. Behavioral Analysis: The sandbox records system activities, API or system calls, file and registry operations, network communications, and other interactions during execution.
  4. Report Generation: After execution, the sandbox analyzes the recordings and generates a report detailing the observed behavior.
  5. Reset Environment: The VM is reset to a clean state to ensure that subsequent analyses are not affected by remnants of previous samples.

Figure: malware_analysis_overview.png

Benefits of Malware Sandboxes

  • Quick Analysis: Rapidly determines whether a file is malicious.
  • Behavioral Insights: Provides detailed insights into the malware's behavior, such as process injection, file modifications, and network activity.
  • IOC Extraction: Identifies potential IOCs that can be used for further detection and response efforts.

Instrumentation Techniques

Malware sandboxes use various techniques to record malware behavior and API calls:

  • DLL Injection and Hooking: Injecting DLLs into the malware process to intercept and log API calls.
  • System Call Interception: Intercepting system calls at the kernel level.
  • Hypervisor-based Breakpointing: Using hypervisors to set breakpoints and monitor execution.
  • CPU Emulation and Instruction Tracing: Emulating the CPU to trace instruction execution (e.g., using QEMU).
  • Dynamic Binary Instrumentation: Modifying the binary code at runtime to insert monitoring code.

Figure: malware_analysis_instrumentation.png

Recorded Activities and Artifacts

During execution, sandboxes typically record the following:

  • Process and Thread Start/Exit: Monitoring the creation and termination of processes and threads.
  • Registry Operations: Tracking changes to the Windows registry.
  • File and Directory Operations: Observing file creation, modification, deletion, and access.
  • Network Activity: Capturing network traffic to identify communication with C2 servers.
  • Mutexes and Other System Activities: Monitoring mutex creation and other system-level activities.
  • Screenshots: Capturing screenshots to analyze GUI interactions.
  • Memory Dumps: Capturing memory dumps for further analysis of unpacked or decrypted code.
  • API and System Calls: Recording API calls, including arguments and return values.
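The DLL injection and hooking technique listed above, and the "API and System Calls" record it produces (name, arguments, return value), can be shown in miniature without a Windows process. The following is an added example, not code from the original page or from any sandbox project: instead of injecting a DLL and redirecting import-table entries, it swaps Python module attributes for logging trampolines, so every call the "sample" makes passes through the monitor. The sample behaviour and the hooked functions are constructed for the demonstration. Because the hooks live inside the monitored process, a sample could in principle notice or bypass them; that is the reason the kernel-, hypervisor- and emulation-based approaches in the list exist.

```python
"""User-mode API hooking in miniature.

Added example, not code from the original page or from any sandbox project.
A Windows sandbox injects a DLL and redirects API entries to logging
trampolines; here the same idea is applied to Python module attributes so
that every call to the "API" is recorded with its arguments and return
value. The sample behaviour is constructed.
"""
import functools
import os
import shutil
import tempfile

# One record per intercepted call, in call order.
TRACE = []


def hook(module, name):
    """Replace module.name with a wrapper that logs the call (like an IAT hook).

    Returns the original function so it can be restored afterwards.
    """
    original = getattr(module, name)

    @functools.wraps(original)
    def trampoline(*args, **kwargs):
        result = original(*args, **kwargs)      # call through to the real API
        TRACE.append({"api": name,
                      "args": [repr(a) for a in args],
                      "ret": repr(result)})
        return result

    setattr(module, name, trampoline)
    return original


def sample_behaviour(workdir):
    """Stand-in for the sample under analysis: drop a file, check it, delete it."""
    path = os.path.join(workdir, "dropped.bin")
    with open(path, "wb") as fh:
        fh.write(b"MZ\x90\x00")                  # constructed bytes, not a real payload
    present = os.path.exists(path)
    os.remove(path)
    return present


def trace_sample():
    """Run the sample with hooks installed; return the recorded call trace."""
    TRACE.clear()
    workdir = tempfile.mkdtemp()                 # created before hooking so setup is not traced
    targets = [(os.path, "exists"), (os, "remove")]
    originals = {t: hook(*t) for t in targets}
    try:
        sample_behaviour(workdir)
    finally:
        # Unhook so the rest of the interpreter sees the real functions again,
        # then reset the "environment" like a sandbox reverting its VM.
        for (module, name), original in originals.items():
            setattr(module, name, original)
        shutil.rmtree(workdir, ignore_errors=True)
    return list(TRACE)


if __name__ == "__main__":
    for call in trace_sample():
        print(f"{call['api']}({', '.join(call['args'])}) -> {call['ret']}")
```

Running the block prints one line per intercepted call, which is the same shape as the API-call table in a sandbox report. Only the two hooked functions appear; anything the sample does through an unhooked path is invisible, which is the general limitation of hook-based monitoring.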

Detection & Identification

Sandbox reports typically include a detection verdict indicating whether the file is considered malicious. Unlike traditional antivirus software, which often provides a binary “malicious/non-malicious” verdict, sandbox verdicts can be more nuanced, often presented on a scale (e.g., 1-10 or 1-100) to reflect varying degrees of suspicion.

  • Detection Verdict: An assessment of whether the file is malicious based on its behavior during execution.
  • Identification: Information about the malware family, which helps in understanding the type and characteristics of the malware.

Indicators of Compromise (IOCs)

Sandboxes are useful for extracting IOCs that can be used to detect and respond to malware across an organization’s network. IOCs include:

  • File Paths: Locations of files created, modified, or accessed by the malware.
  • Registry Keys: Registry keys and values modified by the malware.
  • Network Indicators: IP addresses, domain names, and URLs contacted by the malware.
  • Process Information: Details about processes and services created or manipulated by the malware.

Malware Configuration Extraction

Modern malware often includes configurable parameters embedded within the binary. Sandboxes can extract this configuration data, providing valuable information such as:

  • C2 Servers: Command and control servers the malware contacts after infection.
  • Exfiltration Endpoints: Servers where stolen data is sent.
  • Botnet Information: Details about the malware's version and botnet affiliations.

Maldoc Analysis

Malicious documents (maldocs) are a common vector for cyberattacks. Sandboxes can dynamically analyze these documents to uncover multi-stage payloads and embedded scripts.

  • Dynamic Analysis: Identifies the different stages downloaded by a maldoc and any scripts or payloads executed.
  • Example: Analyzing a malicious Excel file that spawns child processes or downloads additional malware components.
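The Excel example above, where a document spawns child processes, is usually spotted in the sandbox's process-start records rather than in the document itself. The following is an added example, not code from the original page or from any sandbox: it rebuilds the process tree from constructed process-start events and reports every chain in which an Office application, directly or through an intermediate, ends up running a shell or scripting host. The event list and the process-name sets are constructed for the demonstration.

```python
"""Spot a maldoc's multi-stage behaviour in a sandbox process log.

Added example, not from the original page. The events below are
constructed in the shape of a sandbox's process-start records; a real
report carries more fields (command line, timestamps, integrity level).
"""
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Interpreters and system utilities an Office process has little reason to launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed sample: Excel -> cmd.exe -> powershell.exe chain plus unrelated processes.
EVENTS = [
    {"pid": 4,    "ppid": 0,    "image": "System"},
    {"pid": 620,  "ppid": 4,    "image": "explorer.exe"},
    {"pid": 1420, "ppid": 620,  "image": "EXCEL.EXE"},
    {"pid": 1900, "ppid": 1420, "image": "cmd.exe"},
    {"pid": 2088, "ppid": 1900, "image": "powershell.exe"},
    {"pid": 2300, "ppid": 620,  "image": "notepad.exe"},
]


def build_tree(events):
    """Return (children map, image-name map), both keyed by pid."""
    children = defaultdict(list)
    image = {}
    for ev in events:
        image[ev["pid"]] = ev["image"]
        children[ev["ppid"]].append(ev["pid"])
    return children, image


def descend(pid, children, image, path):
    """Yield every chain from pid down to a leaf as a list of image names."""
    path = path + [image[pid]]
    if not children.get(pid):
        yield path
        return
    for child in children[pid]:
        yield from descend(child, children, image, path)


def suspicious_chains(events):
    """Chains where an Office app (directly or transitively) runs a scripting host."""
    children, image = build_tree(events)
    findings = []
    for pid, name in image.items():
        if name.lower() not in OFFICE_APPS:
            continue
        for chain in descend(pid, children, image, []):
            if any(p.lower() in SUSPICIOUS_CHILDREN for p in chain[1:]):
                findings.append(" -> ".join(chain))
    return findings


if __name__ == "__main__":
    for chain in suspicious_chains(EVENTS):
        print("suspicious:", chain)
```

The chain string is what an analyst would paste into a report; on a real dataset the same rule needs an allowlist for legitimate add-ins that do launch helper processes, otherwise it produces noise.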

Memory Dumping

Memory dumping is an essential feature in sandboxes, as many malware samples unpack or decrypt their code in memory during execution.

  • Memory Capture: Sandboxes capture memory dumps of running processes, allowing analysts to extract and examine the in-memory code.
  • Unpacked Code: Analyzing memory dumps helps in identifying transient or unpacked malware code that is not visible in static analysis.
  • Example: Using a sandbox to dump memory during malware execution and then using tools like Yara or AV scanners to analyze the captured data.
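The memory-dump example above (dump, then scan with Yara or an AV engine) and the configuration extraction described under "Malware Configuration Extraction" come together in the following added example, which is not code from the original page or from any sandbox or Yara project. It builds two constructed buffers for the same imaginary sample: the on-disk image, where the configuration is XOR-obfuscated, and a memory dump taken after the sample has decrypted it. A minimal Yara-style matcher (regular expressions over bytes, standing in for real Yara rules) finds nothing in the disk image and both a family marker and C2 URLs in the dump, and a small parser then pulls the C2, exfiltration endpoint, version and botnet fields out of the dump. The XOR key, the "CFG|" layout and the .invalid hostnames are all constructed.

```python
"""Why sandboxes dump memory: scan the on-disk sample and an in-memory
image of the same code with a tiny Yara-style matcher, then pull the
decrypted configuration out of the dump.

Added example, not code from the original page, from Yara or from any
sandbox project. All buffers, patterns and the XOR "packer" are
constructed; the .invalid hostnames are reserved placeholder names.
"""
import re

XOR_KEY = 0x5A  # constructed packer "encryption"

# Configuration as the malware holds it after decrypting it in memory.
CONFIG_PLAINTEXT = (b"CFG|c2=http://c2.example.invalid/gate.php"
                    b"|exfil=https://drop.example.invalid/upload"
                    b"|ver=3.1|botnet=demo-campaign")
CODE_STUB = b"\x55\x8b\xec\x83\xec\x40"  # filler bytes standing in for code


def xor(data, key):
    """Single-byte XOR, used here as the constructed packer's obfuscation."""
    return bytes(b ^ key for b in data)


# On disk the config is obfuscated; in the process memory dump it is plaintext.
DISK_IMAGE = CODE_STUB + b"\x00" * 32 + xor(CONFIG_PLAINTEXT, XOR_KEY) + b"\x00" * 32
MEMORY_DUMP = CODE_STUB + b"\x00" * 32 + CONFIG_PLAINTEXT + b"\x00" * 32

# Minimal Yara-style rules: name -> byte regex. Real Yara rules add conditions,
# hex patterns with wildcards and metadata; the idea is the same.
RULES = {
    "generic_http_url": re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._/\-]*)?"),
    "demo_family_config_marker": re.compile(rb"CFG\|c2="),
}


def scan(buffer):
    """Return {rule_name: [offsets]} for every rule that matches the buffer."""
    hits = {}
    for name, pattern in RULES.items():
        offsets = [m.start() for m in pattern.finditer(buffer)]
        if offsets:
            hits[name] = offsets
    return hits


def extract_config(buffer):
    """Parse the 'CFG|k=v|k=v' block into a dict, or None if it is not present."""
    m = re.search(rb"CFG\|([ -~]+)", buffer)   # printable-ASCII run after the marker
    if not m:
        return None
    config = {}
    for field in m.group(1).split(b"|"):
        key, _, value = field.partition(b"=")
        config[key.decode()] = value.decode()
    return config


if __name__ == "__main__":
    print("disk image hits:  ", scan(DISK_IMAGE))
    print("memory dump hits: ", scan(MEMORY_DUMP))
    print("extracted config: ", extract_config(MEMORY_DUMP))
```

The offsets returned by scan() are what an analyst would carve from the dump, and the values returned by extract_config() are exactly the C2, exfiltration and botnet items listed under "Malware Configuration Extraction". In practice the dump is taken at several points (for instance on process exit and on each new executable memory mapping), because the decrypted configuration may exist only for a short window.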

Sandbox Tools

There are various commercial and open-source sandbox solutions available:

  • CAPE Sandbox: An open-source sandbox available at CAPE Sandbox.
  • VMRay: A commercial sandbox available at VMRay.
  • Triage: A commercial sandbox with a freemium version available at Triage.
  • Joe Sandbox: Developed by a former BFH master student, available at Joe Sandbox.
  • AnyRun: A commercial sandbox with a freemium version available at AnyRun.

Using Sandbox Reports

Sandbox reports typically include key elements such as:

  • Detection Verdict: An assessment of whether the file is malicious.
  • Identification: Information about the malware family.
  • Process and Activity Logs: Details of processes, file and registry activities, and network communications.
  • Memory Dumps: Captured memory for deeper analysis.
  • Screenshots: Visual evidence of GUI interactions.
  • Configuration Extraction: Data extracted from malware configurations, such as C2 servers and exfiltration endpoints.
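The graded detection verdict described under "Detection & Identification", the IOC categories listed under "Indicators of Compromise", and the report elements listed just above all come from one structured document. The following is an added example, not code from the original page or from any sandbox vendor: it takes a constructed JSON report in the general shape of a sandbox's behavioural output (matched signatures with severities, processes, file and registry operations, network hosts), derives a 1-10 score and verdict from the signature severities, and produces a deduplicated IOC set with sandbox-internal addresses (loopback, RFC 1918 and link-local) filtered out. The report contents, the severity values and the scoring scheme are constructed illustrations, not any vendor's data or algorithm.

```python
"""Turn a sandbox report into a graded verdict and a deduplicated IOC list.

Added example; the report below is a constructed JSON document in the
general shape of a sandbox's behavioural report. It is not the output of
any real sandbox, and the 1-10 scoring is an illustration of a graded
verdict rather than a vendor's algorithm.
"""
import ipaddress
import json

REPORT_JSON = r'''
{
  "target": {"sha256": "<placeholder-sha256>", "filename": "invoice.xlsm"},
  "signatures": [
    {"name": "office_spawns_shell",   "severity": 3},
    {"name": "persistence_run_key",   "severity": 3},
    {"name": "network_http_post",     "severity": 2},
    {"name": "reads_system_locale",   "severity": 1}
  ],
  "behavior": {
    "processes": [
      {"pid": 1420, "image": "EXCEL.EXE"},
      {"pid": 2088, "image": "powershell.exe"}
    ],
    "files_written": [
      "C:\\Users\\user\\AppData\\Roaming\\svchosts.exe",
      "C:\\Users\\user\\AppData\\Roaming\\svchosts.exe"
    ],
    "registry_set": [
      "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    ],
    "network": {
      "hosts":   ["127.0.0.1", "10.0.2.3", "198.51.100.23"],
      "domains": ["c2.example.invalid"],
      "urls":    ["http://c2.example.invalid/gate.php"]
    }
  }
}
'''

# Addresses that belong to the sandbox VM or its virtual network, not to the malware.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]


def is_external(ip):
    """True if the address is outside the sandbox's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def extract_iocs(report):
    """Deduplicated IOCs in the categories a sandbox report usually offers."""
    beh = report["behavior"]
    return {
        "file_paths":    sorted(set(beh["files_written"])),
        "registry_keys": sorted(set(beh["registry_set"])),
        "ips":           sorted(ip for ip in set(beh["network"]["hosts"]) if is_external(ip)),
        "domains":       sorted(set(beh["network"]["domains"])),
        "urls":          sorted(set(beh["network"]["urls"])),
        "processes":     sorted({p["image"] for p in beh["processes"]}),
    }


def score(report):
    """Graded 1-10 score: sum of signature severities, floored at 1, capped at 10."""
    total = sum(sig["severity"] for sig in report["signatures"])
    return max(1, min(10, total))


def verdict(s):
    """Map the graded score onto the labels an analyst reads first."""
    if s >= 7:
        return "malicious"
    if s >= 4:
        return "suspicious"
    return "likely benign"


def summarize(report_text):
    """Parse the report and return score, verdict and IOCs in one dict."""
    report = json.loads(report_text)
    s = score(report)
    return {"score": s, "verdict": verdict(s), "iocs": extract_iocs(report)}


if __name__ == "__main__":
    print(json.dumps(summarize(REPORT_JSON), indent=2))
```

Filtering the sandbox's own addresses before exporting IOCs matters in practice: 10.0.2.x style VM addresses and loopback show up in nearly every report and would poison a blocklist. The severity sum is deliberately simple; real sandboxes weight signatures and combine them with static and machine-learning verdicts, which is why their scales are graded rather than binary.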
