Sandbox files corruption rating, Part 1. Online services
In the practice of researching executable files with possible malicious functionality, there is a rich arsenal of tools - from static analysis with disassembly to dynamic analysis with debuggers. In this review I will not try to give information on all possible techniques, since they require some specific knowledge, but I would like to arm an inexperienced user with a set of techniques that allow you to quickly analyze an unknown file.
So, the situation: we have a strange file with suspicion of harmfulness, while the existing multi-scanners like VirusTotal do not give any information. What to do?
ONLINE SANDWICHES
There are a number of information security projects in the network that implement their solutions as separately working virtualized systems for executing code and then analyzing the changes made. As a rule, these projects have online versions of such systems with free use. You can safely download a suspicious file and after some time get full information about what it does when it is running on the system.
')
Threatexpert
The ThreatExpert system compares system snapshots before and after launch, as well as intercepts certain APIs during code execution. As a result, you receive a report with the following information:
• What new processes, files, registry keys and mutexes were created during the execution of the code.
• With which hosts and IP connections were made, hexadecimal and ASCII dumps of the exchange data are also listed.
• Is there a detection of popular antiviruses on the file sent and the files created during the execution?
• What is the possible country of origin of the code based on language resources and other traces found in the code?
• Possible threat category (keylogger, backdoor, etc.) and its level.
• Screenshots of new windows, if any, were displayed during execution.
Registration on the site is possible, in which case the history of all your analyzes will be saved, and you can call it at any time. It is possible to install the Submission Applet program and automatically send files for analysis from the Explorer context menu.
CWSandbox is a development of University of Mannheim that sell this system. However, the analysis can be done online for free.
A feature of this sandbox is that the analysis is performed as a result of injecting the sandbox library into the executable code and intercepting all API calls. It is clear that if a native API call is made, or work in kernel mode, the sandbox does not work. However, due to the fact that an analysis of a real-life file is performed, CWSandbox sometimes gives more information than all the others.
The free online version has several limitations compared to the commercial one:
• Only RE-files can be analyzed. The paid version allows you to analyze BHO, zip-archives, documents Microsoft Office.
• The free version can only download via the web interface. In paid, it is possible to add files for analysis by mail, through a honeypot, etc.
• In the paid version, it is possible to choose to conduct analysis in a virtual environment or on a real system.
• The commercial version includes the analysis of files downloaded during code execution, created in system folders or injected into other processes.
Anubis
Anubis is one of the most common options for the sandbox, which has become popular due to the comprehensive content of the reports and the speed of response. Some features of this system:
• Ability to specify the URL instead of the malicious file itself. In this case, the system will load the specified URL into Internet Explorer and analyze the behavior of the system.
• Additional libraries can be loaded with the file under investigation (in a zip-archive without a password or with the password “infected”). This technique is very convenient for analyzing malicious dynamic libraries (if it is just as interesting - write in the comments, you can devote a separate article).
• The report is provided in various formats - HTML, XML, plain text, PDF, it is also possible to download the full network dump obtained during the analysis.
• It is possible to upload files to Anubis via SSL (conveniently if antivirus on the proxy blocks you).
Joebox
And finally - he. Joebox, Great and Awful. As a result of the work of Stefan Bulman, in my opinion Joebox is the most powerful system for analysis. The peculiarity of this system is that it is the only one that performs SSDT and EAT kernel interceptions during the file analysis. On the one hand, this leads to the loss of a small amount of information from top-level calls (for example, creating new processes using ShellExecute or WinExec), but on the other hand, it allows you to study malicious files that work with native APIs or in kernel mode. In addition, Joebox provides the following analysis capabilities:
• Joebox supports downloading and studying the behavior of executable files, DLL, kernel drivers, Microsoft Word documents, PDF files, etc.
• You can select the code execution environment: Windows XP, Windows Vista, or Windows 7.
• You can choose to execute code in a virtual environment or on a real system (in the latter case, a solution based on FOG is implemented)
• It is possible to receive a full dump of network traffic accumulated during the analysis.
• There is support for the popular amun and nepenthes sandbox modules to automatically download new samples from sandboxes to Joebox.
• There is support for AutoIT19 scripts to organize a controlled runtime of malicious files in Joebox.
In my opinion, support for the scripting language is of particular importance. On the project site there is a description of the possible functions and their interpretation, I will point out only the most popular ones.
1. Suppose that the malicious code checks the path where the file is located, and runs only if it is “where it should be”. Solved by a simple script:
2. If it is necessary to carry out the simplest analysis of a malicious library, you can use the following script (in this case, the new process of Internet Explorer is injected):
Similarly, you can analyze BHO - just register the necessary keys in the registry. However, a problem often arises: AppInit_DLLs is only valid for newly created processes, what if an injection is needed in explorer.exe? To do this, the following script will do:
3. If you want the network to come from a specific country, you can configure the proxy in the Joebox runtime environment:
Of course, the presence of such flexibility and wealth of opportunities makes Joebox one of the most popular sandboxes - and this is its worst side. Sometimes I had to wait for several days until the result of the analysis came. Well, the authors propose to buy their own copy of this wonderful sandbox, but quite expensive. How to build your own system for analyzing files without much cost - this will be in the next article, if, of course, the community about this opus approves and my karma finally melts;)
PS Examples of other online sandboxes:
* BitBlaze
* Comodo Instant Malware Analysis
* Eureka
* Norman Sandbox
Thank you ahtox74 for the reminder.
UPD: Joebox entered a mandatory registration: if you want to use the services of this online sandbox for free, send an email to info@joebox.org with the following information in English:
1. Your name
2. The purpose of registration and a brief description of what you will explore on Joebox
3. E-mail for sending research reports (it will henceforth be indicated in the first field of your request).
After filing the application they promise that they will open access for the specified mailbox.
UPD-UPD: The second part of the article here .
So, the situation: we have a strange file with suspicion of harmfulness, while the existing multi-scanners like VirusTotal do not give any information. What to do?
ONLINE SANDWICHES
There are a number of information security projects in the network that implement their solutions as separately working virtualized systems for executing code and then analyzing the changes made. As a rule, these projects have online versions of such systems with free use. You can safely download a suspicious file and after some time get full information about what it does when it is running on the system.
')
Threatexpert
The ThreatExpert system compares system snapshots before and after launch, as well as intercepts certain APIs during code execution. As a result, you receive a report with the following information:
• What new processes, files, registry keys and mutexes were created during the execution of the code.
• With which hosts and IP connections were made, hexadecimal and ASCII dumps of the exchange data are also listed.
• Is there a detection of popular antiviruses on the file sent and the files created during the execution?
• What is the possible country of origin of the code based on language resources and other traces found in the code?
• Possible threat category (keylogger, backdoor, etc.) and its level.
• Screenshots of new windows, if any, were displayed during execution.
Registration on the site is possible, in which case the history of all your analyzes will be saved, and you can call it at any time. It is possible to install the Submission Applet program and automatically send files for analysis from the Explorer context menu.
CWSandbox is a development of University of Mannheim that sell this system. However, the analysis can be done online for free.
A feature of this sandbox is that the analysis is performed as a result of injecting the sandbox library into the executable code and intercepting all API calls. It is clear that if a native API call is made, or work in kernel mode, the sandbox does not work. However, due to the fact that an analysis of a real-life file is performed, CWSandbox sometimes gives more information than all the others.
The free online version has several limitations compared to the commercial one:
• Only RE-files can be analyzed. The paid version allows you to analyze BHO, zip-archives, documents Microsoft Office.
• The free version can only download via the web interface. In paid, it is possible to add files for analysis by mail, through a honeypot, etc.
• In the paid version, it is possible to choose to conduct analysis in a virtual environment or on a real system.
• The commercial version includes the analysis of files downloaded during code execution, created in system folders or injected into other processes.
Anubis
Anubis is one of the most common options for the sandbox, which has become popular due to the comprehensive content of the reports and the speed of response. Some features of this system:
• Ability to specify the URL instead of the malicious file itself. In this case, the system will load the specified URL into Internet Explorer and analyze the behavior of the system.
• Additional libraries can be loaded with the file under investigation (in a zip-archive without a password or with the password “infected”). This technique is very convenient for analyzing malicious dynamic libraries (if it is just as interesting - write in the comments, you can devote a separate article).
• The report is provided in various formats - HTML, XML, plain text, PDF, it is also possible to download the full network dump obtained during the analysis.
• It is possible to upload files to Anubis via SSL (conveniently if antivirus on the proxy blocks you).
Joebox
And finally - he. Joebox, Great and Awful. As a result of the work of Stefan Bulman, in my opinion Joebox is the most powerful system for analysis. The peculiarity of this system is that it is the only one that performs SSDT and EAT kernel interceptions during the file analysis. On the one hand, this leads to the loss of a small amount of information from top-level calls (for example, creating new processes using ShellExecute or WinExec), but on the other hand, it allows you to study malicious files that work with native APIs or in kernel mode. In addition, Joebox provides the following analysis capabilities:
• Joebox supports downloading and studying the behavior of executable files, DLL, kernel drivers, Microsoft Word documents, PDF files, etc.
• You can select the code execution environment: Windows XP, Windows Vista, or Windows 7.
• You can choose to execute code in a virtual environment or on a real system (in the latter case, a solution based on FOG is implemented)
• It is possible to receive a full dump of network traffic accumulated during the analysis.
• There is support for the popular amun and nepenthes sandbox modules to automatically download new samples from sandboxes to Joebox.
• There is support for AutoIT19 scripts to organize a controlled runtime of malicious files in Joebox.
In my opinion, support for the scripting language is of particular importance. On the project site there is a description of the possible functions and their interpretation, I will point out only the most popular ones.
1. Suppose that the malicious code checks the path where the file is located, and runs only if it is “where it should be”. Solved by a simple script:
Script
_JBSetSystem(“xp”)
; Windows XP
_JBStartAnalysis()
;
_JBStartSniffer()
;
$NewFile = @SystemDir & “/” & “malware.exe”
FileCopy(“c:\malware.exe”, $NewFile, 1)
;
FileDelete(“c:\malware.exe”)
;
Run($NewFile, @TempDir, @SW_HIDE)
;
Sleep(120)
; 120
_JBStopSniffer()
;
_JBStopAnalysis()
;
EndScript2. If it is necessary to carry out the simplest analysis of a malicious library, you can use the following script (in this case, the new process of Internet Explorer is injected):
Script
#include <IE.au3>
; IE
_JBSetSystem(“xp”)
_JBStartAnalysis()
_JBStartSniffer()
$NewFile = @SystemDir & “/” & “malware.dll”
FileCopy(“c:\malware.dll”, $NewFile, 1)
RegWrite(
“HKLM\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows”,
“AppInit_DLLs”, “REG_SZ”, “malware.dll”)
; AppInit_DLLs
$oIE = _IECreate(“http://www.sbrf.ru”)
;
Sleep(120)
; done with IE now
_IEQuit ($oIE)
_JBStopSniffer()
_JBStopAnalysis()
EndScriptSimilarly, you can analyze BHO - just register the necessary keys in the registry. However, a problem often arises: AppInit_DLLs is only valid for newly created processes, what if an injection is needed in explorer.exe? To do this, the following script will do:
Script
Func KillProcess($process)
Local $hproc
Local $pid = ProcessExists($process)
If $pid = 0 Then
Return
EndIf
$hproc = DllCall(
“kernel32.dll”, “hwnd”, “OpenProcess”,
“dword”, BitOR(0x0400,0x0004,0x0001),
“int”, 0, “dword”, $pid)
If UBound($hproc) > 0 Then
If $hproc[0] = 0 Then Return
Else
Return
EndIf
$hproc = $hproc[0]
Local $code = DllStructCreate(“dword”)
$ret = DllCall(
“kernel32.dll”, “int”, “TerminateProcess”,
“hwnd”, $hproc, “uint”, DllStructGetData($code,1))
Return
EndFunc
_JBSetSystem(“xp”)
_JBStartAnalysis()
_JBStartSniffer()
$NewFile = @SystemDir & “/” & “malware.dll”
FileCopy(“c:\malware.dll”, $NewFile, 1)
RegWrite(
“HKLM\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows”,
“AppInit_DLLs”, “REG_SZ”, “malware.dll”)
KillProcess(“explorer.exe”)
; , winlogon.exe
Sleep(10000)
_JBStopSniffer()
_JBStopAnalysis()
EndScript3. If you want the network to come from a specific country, you can configure the proxy in the Joebox runtime environment:
Script
_JBSetSystem(“xp”)
_JBStartAnalysis()
_JBStartSniffer()
$ProxyServer = “1.2.3.4:8080”
;
RegWrite(
“HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”,
“ProxyServer”, “REG_SZ”, $ProxyServer)
RegWrite(
“HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”,
“ProxyEnable”, “REG_DWORD”, 1)
;
_JBLoadProvidedBin()
Sleep(10000)
_JBStopSniffer()
_JBStopAnalysis()Of course, the presence of such flexibility and wealth of opportunities makes Joebox one of the most popular sandboxes - and this is its worst side. Sometimes I had to wait for several days until the result of the analysis came. Well, the authors propose to buy their own copy of this wonderful sandbox, but quite expensive. How to build your own system for analyzing files without much cost - this will be in the next article, if, of course, the community about this opus approves and my karma finally melts;)
PS Examples of other online sandboxes:
* BitBlaze
* Comodo Instant Malware Analysis
* Eureka
* Norman Sandbox
Thank you ahtox74 for the reminder.
UPD: Joebox entered a mandatory registration: if you want to use the services of this online sandbox for free, send an email to info@joebox.org with the following information in English:
1. Your name
2. The purpose of registration and a brief description of what you will explore on Joebox
3. E-mail for sending research reports (it will henceforth be indicated in the first field of your request).
After filing the application they promise that they will open access for the specified mailbox.
UPD-UPD: The second part of the article here .
Source: https://habr.com/ru/post/113985/
All Articles