Corporate computer networks face cybersecurity threats on a daily basis. Some of these threats consist of malware that is not yet recognized and, as a consequence, is not stopped by security solutions. This malware eventually ends up on a victim’s workstation or on a corporate server, where it can cause havoc. Malware analysis sandboxes can be used to extract useful information from this type of malware to improve your protection level.

When a security incident is caused by malware, it is important to contain the incident, assess the damage it has caused and extract information on its behavior. Collecting this information allows you to find other similar infections on your network and develop updated protection rules for your existing security infrastructure.

Indicator of Compromise

This collected information can serve as an indicator of compromise (IOC). These are artifacts on a computer that indicate a high likelihood of an infection. It is intelligence that you can use and share — for example, via STIX or CybOX — to update your security devices.

What type of information will you be looking for? Ask yourself the following questions:

  • What are the file hashes (MD5, SHA1, etc.)?
  • How exactly does it affect the system?
  • What files does it create or change?
  • Are there recognizable pointers (mutexes)?
  • How does it spread or propagate?
  • Does it use specific IP addresses, network ports or domains?
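The checklist above maps almost one-to-one onto the sections of a sandbox behaviour report. The following added example (not from the original article or any of the sandboxes it covers) pulls those IOC classes out of a constructed Cuckoo-style report, drops the sandbox's own network noise, and renders the rest as STIX 2.1 indicator patterns; the report layout follows Cuckoo's JSON naming, every value in it is invented.

```python
import ipaddress
# Constructed Cuckoo-style behaviour report (Malwr is built on Cuckoo). The
# field names follow Cuckoo's JSON layout; every value here is invented.
SAMPLE_REPORT = {
    "target": {"file": {"md5": "0123456789abcdef0123456789abcdef",
                        "sha256": "ab" * 32}},
    "behavior": {"summary": {
        "mutexes": [r"Global\ExampleMutex_7f2"],
        "files": [r"C:\Users\victim\AppData\Roaming\svc.exe"],
        "keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
    }},
    "network": {
        "domains": [{"domain": "update.example-c2.test", "ip": "203.0.113.10"}],
        # 192.168.56.1 is the sandbox's own host-only gateway: noise, not an IOC
        "hosts": ["203.0.113.10", "192.168.56.1"],
    },
}

# Sandbox-internal ranges that appear in almost every report and must not
# end up on a blocklist.
_NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
def _is_noise(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _NOISE_NETS)
def extract_iocs(report):
    """Collect the IOC classes from the checklist above out of one report."""
    summary = report.get("behavior", {}).get("summary", {})
    net = report.get("network", {})
    return {
        "hashes": dict(report["target"]["file"]),
        "mutexes": sorted(set(summary.get("mutexes", []))),
        "files": sorted(set(summary.get("files", []))),
        "registry": sorted(set(summary.get("keys", []))),
        "domains": sorted({d["domain"] for d in net.get("domains", [])}),
        "ips": sorted(h for h in set(net.get("hosts", [])) if not _is_noise(h)),
    }
def _q(value):
    # STIX pattern string literals escape backslash and single quote
    return value.replace("\\", "\\\\").replace("'", "\\'")
def to_stix_patterns(iocs):
    """Render each IOC as a STIX 2.1 indicator pattern ready for sharing."""
    pats = [f"[file:hashes.'SHA-256' = '{iocs['hashes']['sha256']}']"]
    pats += [f"[mutex:name = '{_q(m)}']" for m in iocs["mutexes"]]
    pats += [f"[windows-registry-key:key = '{_q(k)}']" for k in iocs["registry"]]
    pats += [f"[domain-name:value = '{d}']" for d in iocs["domains"]]
    pats += [f"[ipv4-addr:value = '{ip}']" for ip in iocs["ips"]]
    return pats
```

Real reports also list the sandbox's DNS resolver, Windows Update hosts and similar benign traffic; the noise filter here is deliberately minimal and should be extended with your own allowlist before the patterns feed a SIEM or firewall.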


How Do You Get the Information?

How do you find the answers to these questions? If you have an infected machine, you can analyze it. Often, however, there is not enough time to conduct a thorough investigation, and it might even be difficult to pinpoint the exact malware that caused the issue.

If you have a sample of the malware, you can apply static analysis and extract the information that is useful to you. But this will not give you the same insight as observing how the malware behaves in a controlled environment such as a sandbox.

There are three basic types of sandboxes:

  • A custom-built lab with your own toolset;
  • A purchased solution (preferably on-premises);
  • A publicly available sandbox.

A custom-built lab or a purchased solution is not an option for everyone, either because it is too complex, too time-consuming or too expensive. That is where the free malware analysis sandboxes can help. Their reports are meant to give you a basic initial view of what the malware does and to make extracting some basic IOCs easy.

What Do You Share?

Public sandboxes are, obviously, publicly available. You should understand that everything you share or upload to these sandboxes is accessible to everyone — including the bad guys.

There are a number of circumstances where you do not want to upload your samples to a public service. If you upload a malware sample that was specifically targeted for your environment, then you’re essentially giving away to your adversaries that you have detected their operations. Similarly, it’s not a good idea to upload samples that contain specific information about your environment, such as hard-coded passwords or configuration settings. You should also refrain from sharing samples that contain confidential user or customer data or material that is copyright-protected. Don’t forget, you’re sharing these files with the whole world.

If you run into a situation where you cannot use a public sandbox, then you should run an on-premises sandbox. Note that some antivirus solutions might automatically submit your samples to their networks without clearly notifying you. This is important to consider when you do the pre-analysis.
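The pre-analysis step mentioned above can be partly automated. This added example (not from the original article) hashes a sample and scans its printable strings for environment-specific markers before anything leaves the organisation; the sample bytes, the internal domain suffix and the credential string are all constructed, and a real deployment would load its own marker list.

```python
import hashlib
import re

# Constructed bytes standing in for a suspicious binary; a real sample would be
# read with open(path, "rb").read(). The URL, hostname and credential are invented.
SAMPLE_BYTES = (b"MZ\x90\x00" + b"\x00" * 60
                + b"https://update.example-c2.test/gate.php\x00"
                + b"srv-fileshare01.corp.example\x00"
                + b"password=Summer2019!\x00")

# Markers that show a sample was tailored to this environment or embeds its
# secrets. Assumption: each organisation maintains its own list.
INTERNAL_MARKERS = [
    re.compile(rb"[\w.-]+\.corp\.example\b", re.I),  # internal domain suffix
    re.compile(rb"password\s*=", re.I),              # hard-coded credential
]

def strings(data, min_len=6):
    """Printable ASCII runs, the way the classic `strings` tool finds them."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def triage(data):
    """Hash the sample and decide whether it may leave the organisation."""
    hits = sorted({s.decode("ascii") for s in strings(data)
                   for rx in INTERNAL_MARKERS if rx.search(s)})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # safe to share on its own
        "md5": hashlib.md5(data).hexdigest(),
        "markers": hits,
        # anything environment-specific goes to the on-premises sandbox only
        "public_upload_ok": not hits,
    }
```

The hashes are worth keeping even when the verdict is "do not upload": a hash lookup discloses nothing about the sample's content, whereas the sample itself does.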

VirusTotal

VirusTotal is a subsidiary of Google that analyzes files and URLs. Apart from the free interface, VirusTotal also has both a private and a public API.

The results from VirusTotal include the detection results of the malware by the supported antivirus engines. Although these engines are not exactly the same as the ones used by end users, they give information that tells you if the uploaded malware is already detected. This allows you to better evaluate if you are at risk.

You can upload different types of files, such as Windows executables, Android APKs, PDFs, images and JavaScript code.

The online reports are not individually downloadable, but they are very detailed: they tell you which files the malware accessed, what it changed in the registry and how it behaved. It is not possible to download the analyzed samples or to get a network capture of what happened, but the online report does give you an overview of the individual network requests.

Anubis

Anubis is developed by the International Secure Systems Lab and analyzes both files and URLs. It supports Windows executable files and Android APKs.

Although the interface isn’t as slick as some of its counterparts, it gives you access to everything that you need to know. The reports can be downloaded as HTML, XML, PDF or text. You can download the network captures in pcap format, but you cannot download the samples. Anubis reports also tell you if the malware communicated with specific device paths.

VxStream

The VxStream sandbox is powered by Payload Security. It only analyzes files and does not do URLs. It supports Windows executable files, Office files, PDF files and executable JAR files.

You can download the reports, the network captures and the samples. The reports indicate YARA signature matches and give you information on possible anti-VM checks — a technique often used by malware to prevent analysts from running the sample in a virtualized environment. The reports and analysis interface are very appealing, with intuitive access to the necessary details.

Malwr

The sandbox from Malwr is a free malware analysis service and is community-operated by volunteer security professionals. It only analyzes files and does not do URLs.

It is built on top of the Cuckoo sandbox and supports Windows executables.

You can download the samples if they are shared by the uploader. A downloadable network capture is not available, but you do get, for example, the full HTTP request in the online report. If you cannot set up your own Cuckoo sandbox, this is an excellent replacement solution.

A useful addition to Malwr is a visualization provided by MalwareViz. You first have to analyze the file with Malwr and then use the returned reference URL to feed the visualizer.

Compare Them

Below is a table comparing the features of the different online sandboxes. They all run different Windows flavors. The configurations are basic, but of course, these will always be different from your real production environment. This is something you’ll have to live with when using a free public sandbox.

All of the malware sandboxes provide the upload service over a secured SSL connection and give you screenshots of what happened on screen during the analysis.

  Feature                        VirusTotal  Anubis  VxStream  Malwr
  Windows executable             X           X       X         X
  Office files                   X                   X         X
  PDF files                      X                   X         X
  Java files                     X                   X         X
  Android APK                    X           X
  URLs                           X           X
  File details                   X           X       X         X
  Display hashes                 X           X       X         X
  DLL usage                      X           X       X         X
  Mutexes/Mutants                X           X       X         X
  Registry changes               X           X       X         X
  File interaction               X           X       X         X
  Started processes or services  X           X       X         X
  Network activity               X           X       X         X
  Device monitoring                          X
  YARA support                                       X
  Download sample                                    X         X
  Download PCAP                              X       X

Conclusion

Free online sandboxes are a good replacement if you do not have your own in-house solution. They provide useful information for a basic analysis and for getting early indicators ready so you can scan your infrastructure for existing infections. They also offer a quick way to further protect your infrastructure.

There are some limitations, however. Integrating the information from the online reports with your own environment still requires some manual work; having access to an API greatly improves this process. They are also not suited to analyzing targeted malware or to evaluating how malware behaves in a specific environment.

Despite these limitations, these online tools give you good initial insight into malware behavior and are an excellent addition to your toolset for protecting your infrastructure.
