Choosing the best Sandbox for malware analysis

If you’re an IT Security researcher and you’d like to know how a particular malware works and what it does on an infected machine, or maybe you just have a sample which you suspect to be malicious – you probably need a Sandbox.

There are dozens of articles about what a Sandbox is and how it works – if you don’t know already, you can check a very good article here or a short description here.

In this article I’d like to cover the less technical aspects, which are nonetheless very important for a person who has to choose the best solution for themselves or for the company they work for.

Let’s divide Sandboxes into 2 types:

  • Online,
  • Standalone.

Online Sandboxes are hosted outside of your environment by an external organization. You cannot modify their settings to suit your needs – you get an interface to submit the file (most often a Web interface) and a final report from the malware execution. You don’t have to bother yourself with Sandbox maintenance – it works instantly when you need it. At least in theory.

Standalone Sandboxes are entirely maintained by you. You need a dedicated machine or a virtual appliance (with the ability to run another virtual machine on it), you have to install, configure and update your installation and – most important – you can customize it however you want: for example, you can create testing environments based on different Windows versions, or you can use your default company build to see how well it is protected from a particular threat. Keep in mind, however, that during one of those updates something can break.

If you are a private researcher, most likely you don’t have thousands of dollars to purchase a commercial product. Don’t worry – there are plenty of free-to-use and/or open-source solutions out there. Let’s have a quick review.

Tested Sandbox solutions

Commonly used Online solutions are:

Commonly used Standalone solutions are:

When you are looking for the best solution which will suit most of your needs, a few questions have to be asked: Will the solution be available when I need it? Is the solution still being developed? Will I get proper support? And finally: Which information returned by the Sandbox after analysis is most important to me?

Our choices are related to many factors – not only our personal preferences count, but also the target environment, available resources, already implemented solutions, etc. A freelancer will choose differently from the security staff of a company, especially a large one with very restrictive policies. The questions mentioned above are very basic; many other things should be considered. After spending a couple of hours trying to find out what exactly I need, I’ve written down some criteria which helped me make the choice. Let me shortly introduce what I found to be best for me and what led to this choice.

I’ve chosen Cuckoo. But not only. Cuckoo is still a very young solution; sometimes problems occur, especially when it comes to generating a report containing some foreign-language characters – it drops a number of errors and fails, at least in my environment. When Cuckoo doesn’t behave as expected, it’s good to have something else – like Anubis or ThreatExpert.

Let me explain why.

First of all – it’s open-source software and it runs on Linux. It can be configured to satisfy almost all needs and it can even work as an Online solution (check Malwr, which is based on Cuckoo). It’s actively developed and has good support from the developers and the community. You can create as many testing environments as you want and test any file or URL which can be opened within the tested environment. Besides that, Cuckoo offers:

  • Generating a variety of hashes (not available in Sandboxie directly; provided by Buster, which is based on it),
  • After some extra configuration (modifying the agent), preventing malware from detecting the sandboxed environment (try achieving this with Zero Wine Tryouts…),
  • Checking the detection score in VirusTotal (not available in Anubis, Comodo, ThreatExpert, Sandboxie, Buster or Zero Wine Tryouts),
  • Listing accessed/modified files,
  • Listing accessed/modified registry keys,
  • Listing the full execution trace (like you’d get from a debugger) for executable files launched by the malware,
  • Analyzing network traffic (a simple DNS and IP listing plus a pcap file for analysis in an external tool, e.g. Wireshark),
  • Creating a memory dump, which can be further analyzed using e.g. the Volatility Framework (obviously not possible with Online tools),
  • Full control during the malware execution process (obviously not possible with Online tools),
  • Extracting files created by the malware,
  • Generating a detailed and clear report in HTML (only Anubis created one I liked more),
  • Easy automation.
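As an added example (not code from this article or from the Cuckoo project), a small triage script that pulls the items named in the list above out of a Cuckoo report.json and applies a simple automation rule. The field names follow the Cuckoo 1.x report layout as I know it and are an assumption; the sample report is constructed.

```python
import json

# Constructed sample report. Its shape follows the report.json layout of
# Cuckoo 1.x as I understand it (target / virustotal / behavior.summary /
# network / dropped); the field names are an assumption, not from the article.
SAMPLE_REPORT = json.dumps({
    "target": {"file": {"md5": "d" * 32, "sha256": "a" * 64}},
    "virustotal": {"positives": 41, "total": 57},
    "behavior": {"summary": {
        "files": ["C:\\Users\\bob\\AppData\\Roaming\\svchost.exe", "C:\\Windows\\Temp\\a.tmp"],
        "keys": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"],
    }},
    "network": {"dns": [{"request": "updates.example.invalid"}], "hosts": ["192.0.2.10"]},
    "dropped": [{"name": "a.tmp", "sha256": "b" * 64}],
})


def summarize_report(report_json):
    """Pull hashes, VT score, file/registry activity, DNS/IPs and dropped files out of one report."""
    r = json.loads(report_json)
    summary = r.get("behavior", {}).get("summary", {})
    keys = summary.get("keys", [])
    vt = r.get("virustotal") or {}
    positives, total = vt.get("positives"), vt.get("total")
    # The VirusTotal block is missing when no API key is set or the lookup failed;
    # report that as None rather than as a 0 % detection rate.
    vt_ratio = positives / total if positives is not None and total else None
    hosts = r.get("network", {}).get("hosts", [])
    return {
        "sha256": r.get("target", {}).get("file", {}).get("sha256"),
        "vt_ratio": vt_ratio,
        "files": sorted(summary.get("files", [])),
        "keys": sorted(keys),
        "dns": sorted(d["request"] for d in r.get("network", {}).get("dns", []) if "request" in d),
        # Cuckoo 2.x lists hosts as dicts with an "ip" field, 1.x as plain strings.
        "hosts": sorted(h if isinstance(h, str) else h.get("ip", "") for h in hosts),
        "dropped": [d.get("sha256") for d in r.get("dropped", [])],
        # Persistence hint: any touched key under a ...\CurrentVersion\Run autostart key.
        "autostart": any("\\currentversion\\run" in k.lower() for k in keys),
    }


def verdict(summary, vt_threshold=0.3):
    """Own triage rule for automation: escalate on a high VT ratio, or on
    persistence combined with network activity when VT data is unavailable."""
    if summary["vt_ratio"] is not None and summary["vt_ratio"] >= vt_threshold:
        return "escalate"
    if summary["autostart"] and (summary["dns"] or summary["hosts"]):
        return "escalate"
    return "review"
```

Run it over the report.json of each finished analysis to decide which samples a human should look at first.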

“And how does it score when it comes to detection?” – you may ask. Take a look at the Open-Source Security Tools Blog, where a sandbox based on Cuckoo is compared with Anubis, MWAnalysis (CWSandbox) and ThreatExpert. It shines among them.

That’s it. I’m using Cuckoo on a daily basis, always keeping it updated to the latest version from the Git repository, and it does the job nicely. In a few upcoming articles I’ll cover the installation process on Gentoo Linux and hardening, and I’ll show you how malware analysis using Cuckoo looks.

If you have any questions or comments, feel free to leave them below; I’ll answer as best I can.
