Malware attacks are commonplace today, executing within minutes and causing damage for weeks or months. Rapid detection and swift, effective incident response are essential in this situation.
Today we will discuss five use cases of how a malware sandbox can help, so you can avoid any threats and find out the truth behind insidious files.
What is a malware sandbox?
Any company’s security system involves several layers of protection. A sandbox is one of the stages, and the modern security system would be incomplete without it. The tool helps solve digital forensics and incident response tasks.
A malware sandbox is a tool that executes suspicious programs in a virtual environment isolated from your computer. An interactive sandbox additionally lets you manipulate the analyzed sample and the OS inside the virtual machine: you work with the suspicious sample directly, as if you had opened it on your own computer, and can click, open files, and reboot.
There are situations where a malicious file or link stays inactive or does not reveal its true nature, and other security tools are insufficient or too time-consuming.
For example, some malware samples will only execute if certain conditions are met.
- Banking trojans may activate only if the user visits a particular online banking website. Thanks to interactivity, analysts can trigger this and gather more indicators of compromise.
- Some malware relies on files with particular names or on specific registry keys. Cybersecurity specialists can add them in the sandbox to obtain more IOCs: check the maldoc’s language, change the system locale, and restart tasks.
- Working with a sample directly allows analysts to test multiple execution variants and so obtain data quickly.
Let’s see how the tool handles malicious files and links, using the ANY.RUN online malware sandbox.
Use case 1. Follow a malicious link and files in real time
The first step when you receive an email with a link or attachment is to stop and do nothing. Then give it a close look: spelling mistakes, the sender’s name, the greeting, the file name. Once you decide it might be a scam, go straight to a sandbox.
There you can open files and follow links in a completely isolated environment, and safely check where a link leads and what files are downloaded, in real time.
If you enter your login and password on the phishing page, the task redirects you to the original site with the questionable content, but by then your data has already been stolen. The sandbox shows where the traffic went and which URL was opened: ANY.RUN intercepts the packets carrying the data that the malware stole and transmitted, including credentials.
Use case 2. Network stream analysis of malicious files and links
Imagine you receive a PDF file with an image or text decoy. You click a link inside it and are invited to download a file with a long name or extra underscores.
Once that file is opened, you have installed malware that can steal sensitive information or serve as one stage of a larger attack, for example ransomware.
The network stream example shows how Mass Logger sends the authorization information in plain text. From it you can copy the domain name, login and password, and collect information about the infected systems.
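The kind of check an analyst performs on such a network stream, as an added example that is not ANY.RUN’s code: it recovers host names and credentials from a constructed SMTP AUTH LOGIN and FTP session (every host and credential in it is invented), showing why base64 in SMTP authentication offers no protection.

```python
"""Added example (not ANY.RUN code): recover plaintext credentials from a
captured network stream. Constructed sample; hosts and credentials invented."""
import base64
import re

# Constructed SMTP AUTH LOGIN session, then an FTP login (base64 computed to match).
_U = base64.b64encode(b"exfil@example.invalid").decode()
_P = base64.b64encode(b"SecretPass123").decode()
SAMPLE_STREAM = f"""220 mail.example.invalid ESMTP ready
AUTH LOGIN
334 VXNlcm5hbWU6
{_U}
334 UGFzc3dvcmQ6
{_P}
220 ftp.example.invalid FTP server ready
USER ftpdrop
PASS Hunter2!
"""


def _b64(token):
    try:  # returns None when the token is not valid base64 text
        return base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_plaintext_credentials(stream):
    """One {'host','protocol','user','password'} dict per login seen.
    SMTP AUTH LOGIN only base64-encodes the answers to the server's
    '334 Username:' / '334 Password:' prompts; FTP USER/PASS are bare text."""
    findings, lines, host, user = [], stream.splitlines(), None, None
    for i, line in enumerate(lines):
        banner = re.match(r"^220[ -](\S+)", line)  # greeting names the server
        if banner:
            host = banner.group(1)
        if line.startswith("334 ") and i + 1 < len(lines):
            prompt, answer = _b64(line[4:]), _b64(lines[i + 1])
            if prompt == "Username:":
                user = answer
            elif prompt == "Password:" and user is not None:
                findings.append({"host": host, "protocol": "SMTP", "user": user, "password": answer})
                user = None
        ftp = re.match(r"^(USER|PASS) (\S+)$", line)
        if ftp and ftp.group(1) == "USER":
            user = ftp.group(2)
        elif ftp and user is not None:
            findings.append({"host": host, "protocol": "FTP", "user": user, "password": ftp.group(2)})
            user = None
    return findings
```

Feed it the text of a captured stream and each recovered login comes back with the server it was sent to, which is exactly what you need to block the exfiltration host and reset the exposed accounts.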
Use case 3. Locale change analysis
Several malware families stop working if the system lacks a certain language, time, or currency setting.
For example, in the Raccoon Stealer sample, all processes terminated when the Belarus locale (be-BY) was selected.
We reboot the task and change the locale to United States (en-US). Immediately after detection, activity increases: the Raccoon malware exchanges information over the network and alters certificate settings.
A simple change of locale produced a clear result: in one case the malware does not run, and in the other it shows its malicious behavior.
Use case 4. Reboot support
Several malware families enter their active phase only after a system reboot, to avoid detection. By restarting the OS in ANY.RUN, analysts can identify the threat, observe the malware’s behavior, and collect additional indicators of compromise.
The downloaded executable in the Nanocore sample adds itself to the startup folder and then stops executing until the OS is restarted. This simple trick is widely used to bypass antivirus detection.
After the y6s2gl.exe process was added to startup, all process activity stopped. But if we reboot the system, the malicious file executes successfully and is detected as Nanocore.
Use case 5. Instant access to the analysis and fast results
IT security specialists must react as fast as possible when an incident occurs. Time is of the essence, and the first step to improved security is getting malware analysis results quickly.
The file in the Agent Tesla sample contains a malicious program. ANY.RUN provides instant access to the analysis: the virtual machine starts running immediately, and you can change the analysis vector within the current session.
The specialist monitors the processes being created and collects all the information in real time.
And the analysis is quick: 10 seconds is enough to identify Agent Tesla and extract its configuration data from the memory dump.
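What pulling configuration data out of a memory dump involves, as an added example that is not ANY.RUN’s code: it carves both ASCII and UTF-16LE strings (the encoding .NET-based stealers use for their settings) from a constructed dump and keeps only URL, e-mail and host:port indicators; every value in the sample dump is invented.

```python
"""Added example (not ANY.RUN code): carve ASCII and UTF-16LE strings out of a
memory dump and keep the ones that look like configuration indicators. The dump
below is constructed; every host, e-mail address and URL in it is invented."""
import re

# .NET stealers keep their settings as UTF-16LE strings, so an ASCII-only
# 'strings' pass misses them. Both encodings are matched here.
_ASCII = re.compile(rb"[\x20-\x7e]{6,}")
_UTF16 = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
_INDICATOR = re.compile(
    r"https?://\S+|[\w.+-]+@[\w-]+(?:\.[\w-]+)+|\b[\w-]+(?:\.[\w-]+)+:\d{2,5}\b"
)


def carve_strings(blob):
    """Return printable strings (6+ chars) from a byte blob, ASCII runs first,
    then UTF-16LE runs decoded to text."""
    found = [m.group().decode("ascii") for m in _ASCII.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16.finditer(blob)]
    return found


def extract_config_indicators(blob):
    """Filter carved strings down to URLs, e-mail addresses and host:port pairs,
    in the order they appear, without duplicates."""
    hits = []
    for s in carve_strings(blob):
        for m in _INDICATOR.finditer(s):
            if m.group() not in hits:
                hits.append(m.group())
    return hits


# Constructed dump: non-printable padding around an ASCII URL and two
# UTF-16LE settings of the kind a .NET stealer holds in memory.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90\x00" + b"\xcc" * 16
    + b"http://updates.example.invalid/gate.php" + b"\x00" * 8
    + "smtp.example.invalid:587".encode("utf-16-le") + b"\xff\xfe\x00\x00"
    + "dropbox_user@example.invalid".encode("utf-16-le") + b"\x00" * 4
    + b"\x07\x08\x09"
)
```

Run `extract_config_indicators` over a real process dump and the result is a short list of hosts and accounts to block and rotate; the UTF-16LE pass is what makes the difference for .NET samples.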
These use cases help reveal even advanced malware and keep your data safe. Use the promo code and run all your files and links in the ANY.RUN online malware sandbox.
Send the “HELPNET” promo code to firstname.lastname@example.org from your business email address and get 14 days of ANY.RUN premium subscription for free!
Hackers employ various strategies and brand names in their attacks. To identify fraud quickly, you need to check suspicious content. Don’t fall for malware tricks, and don’t trust any file or link by default. Use a sandbox and stay safe.