The evolution of cloud services has driven advancements in malware analysis, with cloud sandboxes emerging as a notable example. These platforms address numerous challenges, such as the need for scalable analysis environments, efficient deep threat analysis, and seamless collaboration. While not fully replacing traditional tools, cloud sandboxes prove to be an effective solution for modern malware analysis, providing robust capabilities in a streamlined approach to meet real-world demands. Here is how.
The Purpose of a Malware Analysis Sandbox
A malware sandbox provides a controlled environment for analyzing the behavior, functionality, and impact of malicious software. It lets users isolate a sample, whether a file or a link, inside a virtual machine and execute it without risking damage to their own infrastructure. The sandbox records what the sample does, including its network traffic, file system changes, registry modifications, spawned processes, and other details.
Where a Sandbox Fits in the Broader Security Architecture
A sandbox is used in the threat detection and response phases of the cybersecurity lifecycle. Once a security team gets notified about a potential threat, they can analyze it in the sandbox to understand its behavior and potential impact.
The analysis results can then inform the organization’s response, helping to contain and mitigate the threat or improve the organization’s preventive measures.
Benefits of Using a Cloud-based Solution
- Scalability and Cost-Effectiveness: A cloud sandbox is flexible, allowing users to scale capacity up or down as their needs change. Even with large volumes of samples, such solutions avoid a significant upfront investment in hardware. Online sandboxes also typically operate on a subscription model, giving more predictable control over spending and resource allocation.
- Accessibility: These platforms can be accessed from anywhere with an internet connection, allowing for remote analysis, collaboration, and threat response.
- Maintenance: Cloud-based solutions are maintained by the service provider, eliminating the need for in-house maintenance and updates, saving time and resources.
- Security and Privacy: Such sandboxes keep detonation isolated from the organization's own network, and typically let users mark submissions as private so that samples and analysis results are not visible to other users of the service.
- Integration: These services can easily integrate with other security tools and systems, improving the overall efficiency of the security operations.
How a Cloud-based Sandbox Streamlines Advanced Malware Analysis
To demonstrate the capabilities of modern online sandboxes, we can use ANY.RUN. It is a service that has been in operation for eight years and has a community of over 300,000 security professionals around the world.
Interactive Approach
The VNC window is fully interactive in ANY.RUN
ANY.RUN’s interactive approach to malware analysis is one of its standout features. At the heart of this approach is the VNC (Virtual Network Computing) window, which gives the user remote control of the analysis machine. This allows users not only to observe the execution of malware in real time, but also to act inside the system as they would on any standard computer: downloading and opening phishing email attachments, launching programs, and browsing the internet. You can try the service by signing up for free.
Such a hands-on approach lets users observe the malware’s actions in real time and even influence its behavior through their interactions, for example by clicking through an installer or supplying input that a sample waits for before it proceeds. ANY.RUN also supports system reboots, which is crucial when analyzing malware that sets up persistence and only runs after a fresh boot.
Full View of Malware Behavior
A malicious process analysis in ANY.RUN
The service leverages the MITRE ATT&CK matrix to map the malware’s tactics, techniques, and procedures (TTPs). ANY.RUN also presents a clear visual representation of all processes occurring during the malware analysis session in the form of a tree or graph. It facilitates investigations into particular details of individual processes, including modified files, registry changes, synchronization, HTTP requests, connections, network threats, modules, and debug information. This comprehensive approach provides a full view of the malware’s actions.
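The value of the process tree view described above is lineage: a script host is unremarkable on its own, but becomes suspicious when an Office application sits anywhere above it, even with an intermediate cmd.exe hop. The following added example (not ANY.RUN code; the event fields pid, ppid, image and cmd are assumptions for the illustration, not ANY.RUN's report schema) rebuilds such a tree from constructed process events and flags script hosts with an Office ancestor:

```python
"""Rebuild a sandbox process tree from per-process events and flag suspicious
lineage. Added example for illustration; it is not ANY.RUN code and the event
field names (pid, ppid, image, cmd) are assumptions, not ANY.RUN's schema."""
from collections import defaultdict

# Constructed events resembling what a sandbox run of a malicious .docm might record.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 0,    "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": "WINWORD.EXE",    "cmd": 'WINWORD.EXE "invoice.docm"'},
    {"pid": 2180, "ppid": 2100, "image": "cmd.exe",        "cmd": "cmd.exe /c start /min powershell"},
    {"pid": 2200, "ppid": 2180, "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"pid": 2300, "ppid": 1000, "image": "chrome.exe",     "cmd": "chrome.exe"},
    {"pid": 2310, "ppid": 2300, "image": "chrome.exe",     "cmd": "chrome.exe --type=renderer"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


def index_events(events):
    """Return (by_pid, children) lookup tables for the tree."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Image names from the root down to pid, e.g. ['explorer.exe', 'WINWORD.EXE', 'cmd.exe']."""
    chain = []
    seen = set()  # guards against malformed events that form a ppid cycle
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def find_suspicious(events):
    """Return pids of script hosts that have an Office application anywhere in their ancestry.
    Walking the full chain (not just the direct parent) is what catches the cmd.exe hop."""
    by_pid, _ = index_events(events)
    flagged = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS:
            continue
        parents = [img.lower() for img in ancestry(by_pid, e["pid"])[:-1]]
        if any(p in OFFICE_APPS for p in parents):
            flagged.append(e["pid"])
    return flagged


def render_tree(events, root_ppid=0):
    """Text rendering of the tree, one line per process, indented by depth."""
    by_pid, children = index_events(events)
    lines = []

    def walk(ppid, depth):
        for pid in children.get(ppid, []):
            lines.append("  " * depth + f"{by_pid[pid]['image']} (pid {pid})")
            walk(pid, depth + 1)

    walk(root_ppid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_EVENTS))
    by_pid, _ = index_events(SAMPLE_EVENTS)
    for pid in find_suspicious(SAMPLE_EVENTS):
        print("suspicious lineage:", " -> ".join(ancestry(by_pid, pid)))
```

Both cmd.exe (pid 2180) and powershell.exe (pid 2200) are flagged, while the chrome.exe renderer is not, which is the same judgment an analyst makes by eye from a rendered tree.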
In-depth Static Analysis
A preview of a file from a .zip archive shown in ANY.RUN
ANY.RUN’s static malware analysis uses specialized modules for different file types, including PDF, LNK, MSG/Email, OneNote, ZIP, and Office files. These modules extract components such as headers, scripts, images, and embedded payloads, aiding in the analysis of potential threats. The platform auto-detects the file type and activates the relevant modules; several modules can run at once. The listed modules are only some of the capabilities of ANY.RUN’s Static Discovering feature.
Complete View of Network Traffic
Suricata rule used for detecting Gh0st RAT malware displayed in ANY.RUN
ANY.RUN’s network monitoring capabilities let users observe malware’s network actions in real-time. The tool offers in-depth data on HTTP requests, such as the content and response of URL connections, along with connections made through other protocols. The section also presents DNS requests, revealing the link between domain names and IP addresses. Furthermore, ANY.RUN employs Suricata rules to identify intrusions and potential threats within the network traffic.
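To make concrete what a Suricata rule for Gh0st RAT keys on, here is an added example (not ANY.RUN's code or ruleset). The framing layout it checks, a 5-byte "Gh0st" magic followed by two little-endian 32-bit lengths and a zlib-compressed body, follows public analyses of the original Gh0st source; the Suricata rule text and the sample payloads are constructed for the illustration, and many Gh0st forks change the magic string, so a magic-only match is a starting point rather than a final verdict:

```python
"""Recognise Gh0st RAT-style traffic by its framing header. Added example, not
ANY.RUN's code or ruleset. The header layout (5-byte magic 'Gh0st', two
little-endian uint32 lengths, zlib body) follows public analyses of the
original Gh0st source; forks often change the magic string."""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER_LEN = 13  # 5-byte magic + uint32 total length + uint32 uncompressed length

# Illustrative Suricata signature for the same first check (an assumption for this
# example, not ANY.RUN's rule): the magic must sit at the very start of the payload.
SURICATA_RULE = (
    'alert tcp any any -> any any (msg:"Gh0st RAT framing header"; '
    'flow:established; content:"Gh0st"; depth:5; sid:1000001; rev:1;)'
)


def build_packet(plaintext: bytes, magic: bytes = MAGIC) -> bytes:
    """Construct a Gh0st-style frame around a plaintext command (test data only)."""
    body = zlib.compress(plaintext)
    return magic + struct.pack("<II", HEADER_LEN + len(body), len(plaintext)) + body


def inspect_payload(payload: bytes) -> dict:
    """Classify one TCP payload. 'full' means magic, lengths and zlib body all agree;
    'header-only' means the magic matched but the frame is inconsistent (a possible
    false positive, a truncated capture or a variant); 'none' means no match."""
    if len(payload) < HEADER_LEN or payload[:len(MAGIC)] != MAGIC:
        return {"verdict": "none"}
    total, orig = struct.unpack_from("<II", payload, len(MAGIC))
    if total != len(payload):
        return {"verdict": "header-only", "reason": "total length mismatch"}
    try:
        plain = zlib.decompress(payload[HEADER_LEN:])
    except zlib.error:
        return {"verdict": "header-only", "reason": "body is not zlib"}
    if len(plain) != orig:
        return {"verdict": "header-only", "reason": "uncompressed length mismatch"}
    return {"verdict": "full", "plaintext": plain}


def scan_stream(payloads):
    """Run the check over a sequence of payloads and return one verdict per payload."""
    return [inspect_payload(p)["verdict"] for p in payloads]


# Constructed traffic: a benign HTTP request, a payload that merely starts with the
# magic string, and a well-formed Gh0st-style frame carrying a fake command.
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"Gh0st is the name of a band\r\n",
    build_packet(b"\x01" + b"C:\\Users\\victim\\Desktop\\secrets.txt"),
]

if __name__ == "__main__":
    for payload, verdict in zip(SAMPLE_PAYLOADS, scan_stream(SAMPLE_PAYLOADS)):
        print(verdict, payload[:20])
```

The content match alone (what the rule's `content:"Gh0st"; depth:5;` expresses) fires on the second payload too; the length and zlib checks are what separate a coincidental string from real framing, which is why sandbox analysts read the flagged packet rather than trusting the alert name.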
Access to IOCs and Malware Configuration
ZLoader malware configuration shown in ANY.RUN
The service automatically extracts relevant indicators of compromise (IOCs) and malware configurations, such as command-and-control addresses and campaign identifiers, saving analysts the time that manual unpacking would otherwise take. Users can collect all the information on the analyzed threat in a convenient report, available in HTML, JSON, and MISP formats. Process memory dumps can also be downloaded for further investigation.
Vast VM Settings
VM environment settings available to ANY.RUN users
ANY.RUN users can customize the analysis environment to suit their needs. This includes configurable network settings, such as a MITM proxy for inspecting TLS traffic, FakeNet for answering a sample’s network requests locally, or a residential proxy, which is useful for bypassing geo-restrictions and evasion techniques that key on datacenter IP ranges. The platform also provides a range of software and operating systems, from Windows 7 to 11 and Linux, enabling users to analyze different types of malware in environments that match those used in their organizations.
Integrate ANY.RUN in Your Organization
Your security team can get first-hand experience of using the cloud-based ANY.RUN sandbox by signing up for the service.