Sandbox Integration for Dynamic File Analysis

Use Case Description

Information about the capabilities and communication paths used by a malware sample is invaluable for removing an infection and developing usable indicators of compromise for network detection. Malware authors commonly attempt to conceal this information, making static analysis of a sample to extract indicators extremely time consuming and resource intensive.

By executing the malware on a target system, these indicators can be collected far more easily, by observing the effects the sample has on the host and on the network. Multiple vendors have developed sandbox systems that allow dynamic analysis of files and objects in a contained environment.

Our Solution

To provide InQuest users with the best possible information about suspicious samples, InQuest has provided built-in integrations for several of the best and most popular sandbox solutions, including VMRay, CrowdStrike, and Hatching sandboxes.

Hatching

Hatching offers Triage, a revolutionary malware sandboxing solution, which allows organizations to conduct automated, high-volume malware analysis. Purposefully developed for performance and built to grow alongside its clients' analysis needs, Triage enables unprecedented scale for a sandboxing service.

VMRay

The VMRay Platform involves a ground-breaking sandbox, and 30+ best-of-breed technologies that bring additional capabilities to detect the threats that others miss. To provide true business benefit, a sandbox must go beyond mere malware analysis and add value to the extended environment. VMRay Analyzer helps you to design a security approach that leverages integration, automation, and shared threat intelligence.

Cuckoo Sandbox

Cuckoo Sandbox is an open-source dynamic malware analysis engine. It performs API call tracing and can be used in conjunction with Volatility for analysis of the memory space of malicious processes. It includes support for Windows, Linux, Mac, and Android.

InQuest interfaces with Cuckoo Sandbox via the Cuckoo Sandbox API. Once an instance of Cuckoo Sandbox is set up and running, the administrator can set the hostname or IP address and port of the Cuckoo Sandbox API and whether or not to use the global proxy settings. Administrators can also configure InQuest so that files are submitted automatically to Cuckoo Sandbox and specify whether an alert should be generated from Cuckoo's results; those results are returned to InQuest for Threat Score consumption.
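The submit, poll, fetch-report, score loop described above, as an added example that is not InQuest's or Cuckoo's own code. It assumes the Cuckoo 2.x REST API (`POST /tasks/create/file`, `GET /tasks/view/<id>`, `GET /tasks/report/<id>`, optional `Authorization: Bearer` token), an explicit proxy dictionary rather than environment defaults, and an alert threshold on Cuckoo's signature severity scale; the host name, token, report contents and IP/domain values are constructed placeholders. The `fake_transport` stands in for a live Cuckoo instance so the flow runs offline.

```python
"""Sketch of a Cuckoo Sandbox integration: submit a file, poll, consume the report."""
import json
import urllib.request
from typing import Callable, Optional

# Cuckoo 2.x REST API paths (assumed from the public Cuckoo docs, not from this page).
SUBMIT_PATH = "/tasks/create/file"
VIEW_PATH = "/tasks/view/{}"
REPORT_PATH = "/tasks/report/{}"
ALERT_SEVERITY = 3  # assumed threshold on Cuckoo's per-signature severity scale

Transport = Callable[[str, str, Optional[bytes], dict], bytes]


def urllib_transport(proxies: Optional[dict] = None) -> Transport:
    """Real HTTP transport. An explicit proxy map (or {} for none) overrides env defaults."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies or {}))

    def send(method: str, url: str, body: Optional[bytes], headers: dict) -> bytes:
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with opener.open(req, timeout=30) as resp:
            return resp.read()
    return send


def _multipart(filename: str, content: bytes):
    """Build the multipart/form-data body Cuckoo expects, with the sample in field 'file'."""
    boundary = "integration-example-boundary"
    head = (f"--{boundary}\r\nContent-Disposition: form-data; name=\"file\"; "
            f"filename=\"{filename}\"\r\nContent-Type: application/octet-stream\r\n\r\n")
    return head.encode() + content + f"\r\n--{boundary}--\r\n".encode(), \
        f"multipart/form-data; boundary={boundary}"


class CuckooClient:
    def __init__(self, host: str, port: int, api_token: Optional[str] = None,
                 transport: Optional[Transport] = None, proxies: Optional[dict] = None):
        self.base = f"http://{host}:{port}"
        self.headers = {"Authorization": f"Bearer {api_token}"} if api_token else {}
        self.send = transport or urllib_transport(proxies)

    def _get(self, path: str) -> dict:
        return json.loads(self.send("GET", self.base + path, None, dict(self.headers)))

    def submit_file(self, filename: str, content: bytes) -> int:
        body, ctype = _multipart(filename, content)
        reply = self.send("POST", self.base + SUBMIT_PATH, body,
                          {**self.headers, "Content-Type": ctype})
        return int(json.loads(reply)["task_id"])

    def task_status(self, task_id: int) -> str:  # pending / running / completed / reported
        return self._get(VIEW_PATH.format(task_id))["task"]["status"]

    def fetch_report(self, task_id: int) -> dict:
        return self._get(REPORT_PATH.format(task_id))


def summarize(report: dict) -> dict:
    """Reduce a Cuckoo report to the pieces a scoring/alerting layer consumes."""
    sigs = report.get("signatures", [])
    net = report.get("network", {})
    score = max((int(s.get("severity", 0)) for s in sigs), default=0)
    hosts = {h["ip"] if isinstance(h, dict) else h for h in net.get("hosts", [])}  # 2.x dicts or 1.x strings
    return {"score": score, "alert": score >= ALERT_SEVERITY,
            "signatures": sorted(s["name"] for s in sigs), "hosts": sorted(hosts),
            "domains": sorted({d["domain"] for d in net.get("domains", []) if "domain" in d})}


def analyze(client: CuckooClient, filename: str, content: bytes,
            poll_limit: int = 10, wait: Callable[[], None] = lambda: None) -> dict:
    """Submit, poll until the task reaches 'reported', then summarize the report."""
    task_id = client.submit_file(filename, content)
    for _ in range(poll_limit):
        if client.task_status(task_id) == "reported":
            return summarize(client.fetch_report(task_id))
        wait()
    raise TimeoutError(f"task {task_id} not reported after {poll_limit} polls")


# Constructed report standing in for Cuckoo output; IP/domain are documentation values.
SAMPLE_REPORT = {
    "signatures": [{"name": "persistence_autorun", "severity": 3},
                   {"name": "network_http", "severity": 2}],
    "network": {"hosts": [{"ip": "203.0.113.10"}],
                "domains": [{"domain": "c2.example.net", "ip": "203.0.113.10"}]},
}


def fake_transport() -> Transport:
    """Offline stand-in for a Cuckoo API: task 42, 'running' on the first poll, then 'reported'."""
    polls = {"n": 0}

    def send(method: str, url: str, body: Optional[bytes], headers: dict) -> bytes:
        if method == "POST" and url.endswith(SUBMIT_PATH):
            assert body and b'name="file"' in body
            return json.dumps({"task_id": 42}).encode()
        if "/tasks/view/" in url:
            polls["n"] += 1
            return json.dumps({"task": {"id": 42, "status": "running" if polls["n"] < 2 else "reported"}}).encode()
        if "/tasks/report/" in url:
            return json.dumps(SAMPLE_REPORT).encode()
        raise ValueError("unexpected request: " + url)
    return send


def demo() -> dict:
    client = CuckooClient("cuckoo.example.internal", 8090,  # hypothetical host; 8090 is Cuckoo's default API port
                          api_token="API-TOKEN-PLACEHOLDER", transport=fake_transport())
    return analyze(client, "sample.exe", b"MZ constructed sample bytes")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Swapping `fake_transport()` for `urllib_transport(proxies)` points the same loop at a real instance; keeping the transport injectable is what lets the submit/poll/score logic be tested without a sandbox, and the explicit proxy map mirrors the "use global proxy settings or not" switch.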

Joe Security

Joe Security is a malware analysis tool that provides capabilities for static, dynamic, hybrid, and graph analysis of suspicious files. It employs instrumentation, hooking, hardware virtualization, and emulation and supports Windows, Mac, iOS, and Android.

Integration of Joe Security requires a Joe Security API key and appropriate proxy settings. Administrators can also specify whether files should be submitted automatically and whether an alert should be generated when a report is received.

CrowdStrike Falcon Sandbox

The CrowdStrike Falcon Sandbox is an automated malware analysis system developed by Payload Security (acquired by CrowdStrike). It analyzes runtime behavior and the memory space of malicious processes. CrowdStrike Falcon Sandbox also extracts strings and API calls from analyzed malware. Support for defeating common anti-VM techniques and kernel-mode monitoring (to conceal the monitoring from user-mode malware) is also included.

CrowdStrike Falcon Sandbox communicates over the tool's API and requires setting the host URL and proxy settings, as well as an authentication key and authentication secret for the API.