What is a sandbox, and why do you need one for malware analysis?
A sandbox is an isolated computer and network environment built for analyzing the behavior of software. This type of environment is generally used to run risky files and determine whether they represent a malware threat. Some sandboxes are also designed to check URLs to see if they are suspicious and lead to a malware infection. Modern sandboxes allow companies or individuals to check any kind of file, including Microsoft Office files, PDF files and any executable file.
Every file received by a corporation should really be checked in a sandbox before it is delivered to the user, to avoid malware infections. Sandbox solutions can be plugged in almost anywhere in the corporate IT environment: checking email attachments, file downloads, etc.
What are the limits of sandboxes?
Sandboxes have limitations due to various reasons.
Most sandboxes run as virtual machines that try to mimic real, legitimate machines. Efficient sandboxes have dozens of ways to hide the fact that they are virtual machines, but cybercriminals always look for new ways to detect them. In most cases, when malware detects that it is running in a testing environment, it stops executing in an attempt to avoid detection.
Sandboxes might also not be helpful with malware targeting particular environments. A sandbox that only runs files on Windows 8.1 might not see the same file behavior as one running files on Windows 10, for example. Some malware also checks the language of the operating system and runs only on specific languages. That is why some sandboxes offer to launch files in several different operating systems with different configurations.
Let’s look at two sandboxes with excellent reputations: ANY.RUN and Joe Sandbox.
What is the ANY.RUN sandbox?
The ANY.RUN sandbox allows searching of public submissions. This way, an analyst can first hunt for any known indicator of compromise (IOC) or malware in the database, to see if it has already been publicly analyzed, and get the results. It comprises millions of public submissions, and this vast malware database is updated daily.
ANY.RUN allows those using the free version to send files or URLs to a Windows 7 32-bit virtual machine, while the paid version allows them to send files to Windows Vista, Windows 8 and Windows 10.
The greatest strength of ANY.RUN is the ability to interact in real time with the virtual environment that runs the suspicious file or URL. Once a file is submitted, the user can interact with the whole environment for 60 seconds (or more on paid plans). This is an incredible feature when analyzing malware that waits for specific user actions before running any payload. Imagine malware that quietly waits for the user to start a specific application (e.g., a browser) or to click on a dialog box. That is where this sandbox becomes really handy and powerful.
What is Joe Sandbox?
Joe Sandbox also allows the user to search millions of public results from the sandbox.
The free version of Joe Sandbox enables users to send files, browse a URL, download and execute a file, or submit a command line. It works for Windows operating systems, macOS, Android, Linux and iOS, making it a complete solution for customers with a large variety of operating systems in their IT infrastructure.
The only Windows systems accessible in the free version are a Windows 7 64-bit virtual machine and a Windows 10 64-bit physical machine. Other systems are available in the Cloud Pro service. Not many sandboxes offer the possibility of running files in a real physical system, which is one of the greatest features of Joe Sandbox.
ANY.RUN vs. Joe Sandbox: Common functionalities
Both sandboxes allow a submission to be made private, and therefore unavailable to any other user, only in their paid versions. In addition, both sandboxes do a great job of showing all the behaviors of the launched files. All activity that follows the execution of the suspicious file is logged and exposed: file accesses, Windows registry accesses and network communications.
In addition, both sandboxes have signatures and rules, which allow easier and faster triage of files.
The MITRE ATT&CK matrix is included in both sandboxes as well, making it easier to compare different malware samples based on their tactics and to gain a faster understanding of the threat.
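To make the previous three paragraphs concrete, here is an added example (not code from ANY.RUN or Joe Sandbox) of what such signature-based triage looks like: a constructed behavior report with file, registry, process and network events is scanned by a handful of rules, each rule contributing to a score and tagging a MITRE ATT&CK technique. The report shape, the rule set, the scores and the thresholds are all assumptions made for this illustration; the ATT&CK technique identifiers are real, but the choice of which rule maps to which technique is mine.

```python
"""Rule-based triage of a sandbox behaviour report (illustrative, not vendor code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str        # human-readable signature name
    technique: str   # MITRE ATT&CK technique id, or "" when the signature has no mapping
    category: str    # which event list of the report the rule scans
    pattern: str     # regex applied to the rendered event text
    score: int       # contribution to the overall score


# Hypothetical rule set: real sandboxes ship thousands of signatures; these are constructed.
RULES = (
    Rule("Encoded PowerShell command line", "T1059.001", "process",
         r"powershell.*\s-(enc|encodedcommand)\b", 30),
    Rule("Run-key persistence", "T1547.001", "registry",
         r"\\CurrentVersion\\Run\\", 30),
    Rule("Queries BIOS version (VM/sandbox check)", "T1497.001", "registry",
         r"(System|Video)BiosVersion", 10),
    Rule("Drops executable into user profile", "", "file",
         r"\\AppData\\.*\.exe$", 15),
    Rule("HTTP request to bare IP address", "T1071.001", "network",
         r"^https?\s+\d{1,3}(\.\d{1,3}){3}\s", 20),
)

# Assumed thresholds for the verdict; real products tune these very differently.
MALICIOUS_THRESHOLD = 60
SUSPICIOUS_THRESHOLD = 25

# Constructed behaviour report in a generic shape; this is neither vendor's real format.
SAMPLE_REPORT = {
    "process": [
        r"C:\Users\victim\Downloads\invoice.exe",
        r"powershell.exe -nop -w hidden -enc <base64 payload>",
    ],
    "file": [
        {"op": "write", "path": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    ],
    "registry": [
        {"op": "query", "key": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
        {"op": "set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
         "value": r"C:\Users\victim\AppData\Roaming\svc.exe"},
    ],
    "network": [
        {"proto": "http", "host": "203.0.113.7", "port": 80, "uri": "/gate.php"},
    ],
}


def render(event) -> str:
    """Flatten one logged event into a single line of text for regex matching."""
    if isinstance(event, str):
        return event
    return " ".join(str(value) for value in event.values())


def triage(report: dict, rules=RULES) -> dict:
    """Apply every rule to the report; each rule counts at most once."""
    matches, techniques, score = [], set(), 0
    for rule in rules:
        for event in report.get(rule.category, []):
            text = render(event)
            if re.search(rule.pattern, text, re.IGNORECASE):
                matches.append((rule.name, text))
                if rule.technique:
                    techniques.add(rule.technique)
                score += rule.score
                break  # one hit per rule is enough for the score
    if score >= MALICIOUS_THRESHOLD:
        verdict = "malicious"
    elif score >= SUSPICIOUS_THRESHOLD:
        verdict = "suspicious"
    else:
        verdict = "no threats detected"
    return {
        "score": min(score, 100),
        "verdict": verdict,
        "matches": matches,
        "techniques": sorted(techniques),  # the ATT&CK view of the sample
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(f"verdict: {result['verdict']} (score {result['score']})")
    for name, evidence in result["matches"]:
        print(f"  [{name}] {evidence}")
    print("ATT&CK techniques:", ", ".join(result["techniques"]))
```

The technique list is what lets an analyst compare two samples at the tactic level even when their hashes, file names and network indicators differ, which is the point of having the ATT&CK matrix in the report. Note the "drops executable" rule carries no technique: in practice many signatures describe behavior that is useful for the verdict but does not map cleanly onto a single ATT&CK entry.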
ANY.RUN vs. Joe Sandbox: Which malware analysis sandbox should you choose?
Of the two solutions, Joe Sandbox is the one to go to if you need to check files on multiple different operating systems and devices, while ANY.RUN covers only Windows systems. Joe Sandbox also lets you use real physical machines in addition to virtual machines, which is an awesome feature when it comes to evasive malware that tests its environment to make sure it is not running in a sandbox.
ANY.RUN, on the other hand, is a good choice if you need real-time interaction with the environment in which the suspicious files are run. This is an invaluable feature for analyzing threats that need some clicking or user interaction before launching their payload.
While both sandboxes offer a REST API on paid plans, Joe Sandbox also comes with on-premises plans and an appliance, which may be appreciated by companies that want maximum privacy.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.