Using OSINT Sandboxes To Fill The Gaps

Authors: Anaïs Sidhu and Samuel Cameron
In this article we will discuss what an OSINT Sandbox is, how it is used practically, and how it can help to accelerate your learning and fill the gaps in your security expertise.
*The authors do not encourage the download of malware onto any device that holds valuable data assets.*
*The views and opinions in this blog are the authors' alone.*
Background
We recently surveyed our network on LinkedIn to determine what they thought to be the most valuable skill when working in a Security Operations Center (SOC). Given the options of Malware Analysis Experience, Threat Intelligence Experience, Scripting Experience, and Red Team Experience, 45 percent of respondents felt that Threat Intelligence Experience is most valuable. Malware Analysis followed at 32 percent, while Scripting Experience and Red Team Experience received 13 percent and 11 percent of the votes, respectively. With responses spread across all four options, no single option stands out decisively. So, where should someone aspiring to work in cybersecurity start?
With all of the things that modern day security analysts and researchers are supposed to know, it can be quite confusing and a bit overwhelming when it comes time to determine what to really dig into. Here are just a few things you should know when doing security work: Indicators of Compromise (IOC), Indicators of Attack (IOA), net.exe, Sysinternals suite of tools, event log analysis, encoding schemes employed by malware, and anti-sandboxing mechanisms. Needless to say, that list could extend over several more pages. A lack of knowledge in any of these areas can be seen as a ‘barrier to entry’ and can really stop people from being confident in their abilities and from applying to security jobs.
What if we could integrate years of security research and expertise at the click of a button? What if we didn't have to know the ins and outs of the above topics to be effective and efficient in the realm of security operations? What if we had tools which given a sample to study could apply the aforementioned skills, and all we had to focus on was interpreting the outputted results?
It turns out that there is a mechanism to help us achieve just that. A sandbox, as it relates to cybersecurity, is a safe environment where files and URLs (referred to henceforward as ‘samples’) are detonated/executed in order to see what they do. It’s like playing with a live sample of the malware or malicious file, poking it, and seeing everything that it would try to do on a real system. A crucial aspect of this would be that you are able to detonate the malicious thing, without risking it affecting other systems.
Now that you have an idea of the benefits and fun possible within the scope of a sandbox, where do you get one? The good news is that they need not be expensive. You can get some pretty decent sandbox software, such as Cuckoo, which is free to download and use. If you have a dedicated system and a lot of free time, this is a pretty good option. However, setting up a lab can be not only tedious but also downright difficult, especially if you are just starting out and trying to break into the industry.
Fortunately, Open-Source Intelligence (OSINT) Sandboxes provide a solution. "OSINT" is used very loosely here: we mean publicly accessible, community-shared sandboxes whose automated malware analysis reports are open for anyone to read and search. These sandboxes have both free and premium paid features. Let's discuss some free options.
There are more than a few publicly available sandboxes that security analysts can leverage free of charge, of note: AnyRun and Hybrid Analysis. Honorable mentions go to JoeSandbox and Malwr. A large portion of what remains of this blog will focus on AnyRun with a little bit of Hybrid Analysis for contrast.
Warning before we get started: The following tools are meant to detonate potentially unsafe files in a safe environment. Any file or URL that you upload to these sites should be treated as if you are making the sample and its detonation report publicly available for all to see (the entire world); on the free tiers, submissions are public by default. With that in mind, it is strongly encouraged that whatever file or URL you intend to upload does NOT contain sensitive, personal, company-affiliated, or in any way proprietary information which would be considered a breach of data if leaked on the internet.
One more thing: There are ways to actually download samples from these sites. You would have to intentionally and purposefully click the ‘Download’ or ‘Get Sample’ button in the tools in order to do so. BE CAREFUL as this is actual malware and will infect your system should you choose to download the sample and run it. Simply viewing the reports and such will NOT download the malware in any way.
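A practical check before you upload anything, as an added example that is not part of the original post or of any sandbox vendor's tooling: hash the file locally and look at its real type first. If the SHA-256 already appears in a sandbox's public submissions you get the report without ever sharing the file, and the magic bytes tell you whether that "Invoice.pdf" is really a PDF or a Windows executable. The sample bytes and file name below are constructed for the demo; they are not real malware.

```python
import hashlib
import io
import tempfile
from pathlib import Path

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks so a large sample never sits fully in RAM

# Leading bytes ("magic") of the file types most often submitted to a sandbox.
MAGIC = [
    (b"MZ", "PE executable (EXE/DLL)"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR/APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy DOC/XLS/MSI)"),
    (b"{\\rtf", "RTF document"),
]


def hash_stream(stream) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in a single pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        md5.update(chunk)
        sha1.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def hashes_of_bytes(data: bytes) -> dict:
    return hash_stream(io.BytesIO(data))


def file_hashes(path) -> dict:
    with open(path, "rb") as f:
        return hash_stream(f)


def sniff_type(data: bytes) -> str:
    """Identify the real file type from its leading bytes, ignoring the extension."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def triage(path) -> dict:
    """Everything worth knowing before deciding whether a sample may be uploaded."""
    p = Path(path)
    with open(p, "rb") as f:
        head = f.read(16)
    info = {"name": p.name, "size": p.stat().st_size, "type": sniff_type(head)}
    info.update(file_hashes(p))
    return info


def triage_bytes(name: str, data: bytes) -> dict:
    """Write constructed bytes to a scratch file and triage it (handy for demos)."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / name
        p.write_bytes(data)
        return triage(p)


if __name__ == "__main__":
    # Constructed sample: a fake "invoice" whose bytes are a PE stub, not real malware.
    fake_invoice = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."
    for k, v in triage_bytes("Invoice_00456.pdf", fake_invoice).items():
        print(f"{k:>7}: {v}")
```

Paste the SHA-256 into the sandbox's search or Public Submissions before creating a new task; a hit means someone already detonated the same bytes and you can read their report instead of uploading your copy.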
If you want to follow along with the same sample that we used, please visit this link:
https://app.any.run/tasks/3cc5750e-958e-4868-8dc9-5b38fb75cab9
Detonating Files
Now we get into the fun stuff. Pretend you have a piece of malware, or at the very least, a piece of software that you would like to test. Perhaps that is a suspicious file that you received from a random email address with a subject field Invoice #00456. Alternatively, you can submit a URL if you so choose as opposed to a file, for example: hxxp://www.helloworld[.]com/en_us/portal/12345. Either way, you want to play around with the file or URL safely to ensure it doesn’t do anything fishy, pun intended.
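The "hxxp" and "[.]" in the URL above are defanging: a convention for writing an IOC so that chat clients and mail readers will not turn it into a clickable link and nobody lands on the page by accident. You refang it (turn it back into a real URL) only at the moment you paste it into the sandbox. The helper below is an added example, not code from the original post or from AnyRun; it follows the common convention of replacing every dot in the host, whereas the post's example defangs only the last one, and its refang handles both. The URLs are constructed, not real infrastructure.

```python
import re

# Constructed IOCs (not real infrastructure) for the examples below.
LIVE_URL = "http://www.helloworld.com/en_us/portal/12345"
LIVE_HOST_PORT = "192.0.2.10:8080"

_URL_RE = re.compile(
    r"^(?P<scheme>[a-z][a-z0-9+.-]*://)?(?P<host>[^/\s?#]+)(?P<rest>.*)$",
    re.I | re.S,
)


def refang(ioc: str) -> str:
    """Undo the common defanging conventions so the value can be searched or submitted.

    Handles hxxp/hxxps schemes and the [.] (.) {.} and " . " dot replacements,
    plus the [:] [@] [://] variants seen in some reports.
    """
    ioc = ioc.strip()
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.I)
    ioc = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\s+\.\s+", ".", ioc)
    return ioc.replace("[://]", "://").replace("[:]", ":").replace("[@]", "@")


def defang(ioc: str) -> str:
    """Defang a URL, domain or host:port so it is neither clickable nor auto-linked.

    Only the scheme (http -> hxxp) and the host ('.' -> '[.]') are altered;
    the path and query are left untouched so that refang(defang(x)) == x.
    The input is refanged first, which makes defang() idempotent.
    """
    ioc = refang(ioc)
    m = _URL_RE.match(ioc)
    if not m:
        return ioc
    scheme = re.sub(r"^http", "hxxp", m.group("scheme") or "", flags=re.I)
    host = m.group("host").replace(".", "[.]")
    return scheme + host + m.group("rest")


if __name__ == "__main__":
    for ioc in (LIVE_URL, LIVE_HOST_PORT, "https://evil.example/x.php?a=1.2"):
        safe = defang(ioc)
        print(f"{ioc}\n  -> {safe}\n  -> {refang(safe)}")
```

Keep IOCs defanged everywhere they are written down (tickets, chat, this blog) and refang them only in the sandbox submission box; the round trip is lossless, so nothing is lost by doing so.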
At this point, you might be thinking, "I'm a newbie, I don't even know half of what to look for to call a file suspicious." Or maybe you're thinking, "Well, I do have years of experience in security as an auditor, but I don't have any malware analysis experience and little threat intelligence experience." Still others may think, "I am the furthest thing from a scripter or developer as one can be; I wouldn't even know what a malicious piece of code looks like!" To those of you thinking along those lines: don't panic. These tools DO THAT WORK FOR YOU. The only ask of you, as an opportunity to grow, is that you learn how to READ and INTERPRET sandbox findings. It sounds like a daunting task, but really, it's not bad. So, let's dive in.
Submitting your sample
Start with your piece of software or URL and visit the sandbox of your choosing. For this example, we'll pick AnyRun. When you visit app.any.run, you're brought to the following screen:

Figure 1: AnyRun Upload Page

Figure 2: Hybrid Analysis Upload Page for Contrast
Clicking around the different buttons will give you a feel for the various features. There are far too many options to discuss in complete detail here, so we'll cover the most important ones. Outlined above in red [Figure 1], you should see a button labelled 'New Task'; this is the button we'll use to submit our sample. We will not cover 'Public Submissions' in this blog, but stay tuned, as this topic may appear in a future post. In short, Public Submissions is where you can find past detonations that anyone on AnyRun has submitted up to 'X' number of days ago.
Next, you’ll click on ‘New Task’ and get ready to upload your file or submit your URL.