Sandbox Integration for Dynamic File Analysis

Use Case Description

Information about the capabilities and communication paths used by a malware sample is invaluable for removing an infection and developing usable indicators of compromise for network detection. Malware authors commonly attempt to conceal this information, making static analysis of a sample to extract indicators extremely time consuming and resource intensive.

Through execution of malware on a target system, these indicators can be easily collected through observation of the effects of the malware on the system and host network. Multiple vendors have developed sandbox systems to allow dynamic analysis of files and objects in a contained environment.

Our Solution

To provide InQuest users with the best possible information about suspicious samples, InQuest has provided built-in integrations for several of the best and most popular sandbox solutions, including Cuckoo, FireEye, Joe, and VxStream sandboxes.

Cuckoo Sandbox

Cuckoo Sandbox is an open-source dynamic malware analysis engine. It performs API call tracing and can be used in conjunction with Volatility for analysis of the memory space of malicious processes. It includes support for Windows, Linux, Mac, and Android.

InQuest interfaces with Cuckoo Sandbox via the Cuckoo Sandbox API. Once an instance of Cuckoo Sandbox is set up and running, the administrator sets the hostname or IP address and port of the Cuckoo Sandbox API and whether or not to use the global proxy settings. Administrators can also configure InQuest to submit files to Cuckoo Sandbox automatically and to generate an alert when Cuckoo returns results; those results are returned to InQuest for Threat Score consumption.
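The flow just described (submit a file over the API, fetch the finished report, reduce it to indicators, and derive a score that decides whether to alert) is illustrated below as an added example; it is not InQuest's or Cuckoo's own code. The endpoint paths `/tasks/create/file` and `/tasks/report/<id>` follow the Cuckoo REST API but should be confirmed against the deployed version, the lab address ranges and the scoring weights are assumptions, and the report fragment is constructed to resemble the shape of a Cuckoo JSON report.

```python
import ipaddress
import json
import urllib.request
import uuid
from typing import Any, Dict, Optional, Tuple

# Endpoint paths are an assumption based on the Cuckoo REST API (api.py);
# confirm them against the Cuckoo version actually deployed.
CREATE_PATH = "/tasks/create/file"
REPORT_PATH = "/tasks/report/{task_id}"

# Addresses belonging to the sandbox lab itself (result server, gateway, VM
# subnet) rather than to the sample's infrastructure. Assumed ranges; adjust
# them to the lab's real addressing so they are not reported as IoCs.
LAB_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_opener(proxy_url: Optional[str]) -> urllib.request.OpenerDirector:
    """Honour the configured global proxy, or force a direct connection."""
    proxies = {"http": proxy_url, "https": proxy_url} if proxy_url else {}
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies))

def encode_multipart(field: str, filename: str, data: bytes) -> Tuple[bytes, str]:
    """Minimal multipart/form-data body carrying a single file part."""
    boundary = uuid.uuid4().hex
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"

def submit_file(api_base: str, filename: str, data: bytes,
                proxy_url: Optional[str] = None) -> int:
    """POST a sample to Cuckoo and return the task id it assigns."""
    body, content_type = encode_multipart("file", filename, data)
    req = urllib.request.Request(api_base + CREATE_PATH, data=body,
                                 headers={"Content-Type": content_type}, method="POST")
    with build_opener(proxy_url).open(req, timeout=30) as resp:
        return int(json.load(resp)["task_id"])

def fetch_report(api_base: str, task_id: int,
                 proxy_url: Optional[str] = None) -> Dict[str, Any]:
    """GET the JSON report of a finished task (the caller polls until it exists)."""
    req = urllib.request.Request(api_base + REPORT_PATH.format(task_id=task_id))
    with build_opener(proxy_url).open(req, timeout=30) as resp:
        return json.load(resp)

def is_lab_address(host: str) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in LAB_RANGES)

def extract_indicators(report: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a Cuckoo-style report to de-duplicated IoCs with lab noise removed."""
    network = report.get("network", {})
    domain_entries = network.get("domains", [])
    domains = sorted({d["domain"] for d in domain_entries if d.get("domain")})
    hosts = set(network.get("hosts", [])) | {d["ip"] for d in domain_entries if d.get("ip")}
    hosts = sorted(h for h in hosts if not is_lab_address(h))
    urls = sorted({h["uri"] for h in network.get("http", []) if h.get("uri")})
    dropped = sorted({d["name"] for d in report.get("dropped", []) if d.get("name")})
    signatures = [(s["name"], int(s.get("severity", 1))) for s in report.get("signatures", [])]
    return {"domains": domains, "hosts": hosts, "urls": urls,
            "dropped": dropped, "signatures": signatures}

def threat_score(indicators: Dict[str, Any]) -> int:
    """Assumed weighting, capped at 100: matched signatures dominate, network activity adds a little."""
    score = sum(10 * severity for _, severity in indicators["signatures"])
    score += 3 * (len(indicators["domains"]) + len(indicators["hosts"]))
    return min(score, 100)

# Constructed report fragment in the shape Cuckoo's JSON report uses
# (network/domains, network/hosts, network/http, dropped, signatures).
SAMPLE_REPORT: Dict[str, Any] = {
    "network": {
        "domains": [{"domain": "update.example.invalid", "ip": "198.51.100.7"},
                    {"domain": "cdn.example.invalid", "ip": "203.0.113.9"}],
        "hosts": ["198.51.100.7", "192.168.56.1", "192.0.2.55"],
        "http": [{"uri": "http://update.example.invalid/gate.php"},
                 {"uri": "http://update.example.invalid/gate.php"}],
    },
    "dropped": [{"name": "svchost32.exe", "sha256": "<constructed>"}],
    "signatures": [{"name": "persistence_autorun", "severity": 3},
                   {"name": "network_http", "severity": 2}],
}

if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_REPORT)
    print(json.dumps(iocs, indent=2))
    print("threat score:", threat_score(iocs), "alert:", threat_score(iocs) >= 50)
```

Two details matter in practice: the report's host list includes the sandbox's own result server and gateway, so filter the lab ranges before the addresses become network indicators, and the automatic-submission path should key the alert on a score threshold rather than on the mere arrival of a report, otherwise every benign file produces an alert.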

FireEye

FireEye provides a hardware appliance that acts as a sandbox for dynamic analysis of suspicious files. The FireEye sandbox monitors system-level changes to file systems, memory, and registries made by the operating system or installed applications. Using the FireEye Multi-Vector Virtual Execution (MVX) engine, FireEye executes code through the entire attack chain to provide a more comprehensive view of its capabilities. Network traffic generated by the sample is captured to allow analysis of URLs and embedded code. The FireEye appliance supports Windows and Mac.

Integration of a FireEye appliance requires an administrator to specify the API URL and proxy settings, and it uses username/password authentication. Users can specify the operating system to be emulated (defaults to Windows XP SP3), whether files should be submitted automatically to the appliance for analysis, and whether an alert should be generated when a report is received from the appliance.

Joe Sandbox

Joe Sandbox is a malware analysis tool that provides capabilities for static, dynamic, hybrid, and graph analysis of suspicious files. It employs instrumentation, hooking, hardware virtualization, and emulation and supports Windows, Mac, iOS, and Android.

Integration of Joe Sandbox requires a Joe Sandbox API key and appropriate proxy settings. Administrators can also specify whether files should be submitted automatically and whether an alert should be generated when a report is received.

VxStream Sandbox

The VxStream Sandbox is an automated malware analysis system developed by Payload Security (which was acquired by CrowdStrike). It analyzes runtime behavior and the memory space of malicious processes. VxStream Sandbox also extracts strings and API calls from analyzed malware. Support for defeating common anti-VM techniques and for kernel-mode monitoring (which conceals the monitoring from user-mode malware) is also included.

The VxStream Sandbox integration communicates over the tool's API and requires the host URL and proxy settings as well as an authentication key and authentication secret for the API. The environment variables for running samples in VxStream can also be configured. VxStream can also be set to run automatically for each file and to generate an alert when results are received.