Sandboxes and dynamic analysis

Use Case

Dynamic analysis is the process of running a piece of malware and observing what it does. The easiest way of doing dynamic analysis is by running a piece of software in a sandbox. A sandbox is a safe, isolated environment which opens a potentially malicious file, URL, or program and generates a huge amount of data on it. This subtopic looks at sandbox analysis, what it can and cannot do, and how to do it.

Objectives

After completing this subtopic, practitioners should be able to do the following:

• Understand the use case for and limitations of dynamic analysis
• Understand the advantages and limitations of sandboxes
• Open a suspicious file, URL, or program in a sandbox
• Be able to perform some basic dynamic analysis on either Windows or Android binaries using off-the-shelf tools

Main Section

Dynamic analysis

When you conduct dynamic analysis on a potentially suspicious file, you will open and execute the file in a specialized tool and observe what this file does, whether it tries to access other files, if it makes network connections, and the like. Static analysis, outlined in subtopic 4, on the other hand, disassembles the file rather than opening or executing it.

Depending on the situation, dynamic analysis can be easier or harder than static analysis, and it can also be more or less accurate. In practice, a combination of static and dynamic analysis will likely produce the best results. Most dynamic analysis will also involve some static analysis, so the line between the two techniques is often blurred.

The general setup for dynamic analysis includes a sandbox in which the malware is run, a debugger to control and monitor program execution, system monitoring to watch for changes to the sandbox system’s state, and something to mediate internet access to block, observe, and/or modify network traffic. These might all exist on one system, or they might be separate virtual or physical devices. For example, you may use a jailbroken iPhone as your sandbox, one tool for remote debugging and system monitoring, and another tool for internet mediation. Not all systems may be used in every situation, for example you might just capture network traffic and monitor system changes without using a debugger.

There are many different methods in which we could conduct dynamic analysis, including by opening up the executable in a sandbox and checking the network connections it makes. For a great resource on detecting malware through the network traffic it generates, check out this guide.

In theory, dynamic analysis could tip off a threat actor that you are analyzing their malware. In practice, adversaries often expect their malware to be analyzed and it is very rare to encounter completely novel malware in your career. With the exception of some very sensitive cases, we would not worry about this risk.

Sandboxes

A (malware) sandbox is a safe environment in which you can open and run a file or an URL. It is essentially a custom-designed virtual machine that is launched before the file or URL is opened, and is then shut down after a certain amount of time.

All the activities in the sandbox, such as files that are opened or created as well as network connections made, are recorded and accessible through an activity report. The activity report can help you understand whether the file or URL was malicious. It can also help you link malware to previously seen activities, for example based on specific network connections or files that are created.

Running known malware inside a sandbox can also be very helpful as you are learning more about malware. It helps you understand what malware does and what changes it makes on the system. For example, a lot of malware when initially run tries to ensure persistence so that it will still run following a reboot. These persistence methods are something you can look for when you perform manual forensics on a possible infected device.

A lot of malware has anti-sandbox features built in: when the malware detects it is running inside a sandbox environment, it will terminate or sometimes do something harmless to confuse the analysis. Moreover, some malware is designed to only run if specific conditions are met, for example a specific version of the operating system, or an IP address located in a specific country. Sandboxes are often updated to respond to anti-sandbox methods and many sandboxes let you choose the certain properties.

This is important to keep in mind when reading a sandbox report: a lack of malicious activity doesn’t automatically mean the file or URL isn’t malicious. On the other hand, if malicious activity was shown, you can be certain that the file or URL was malicious.

Check out Chapter 10 of the Field Guide to incident response for civil society and media for a more in-depth introduction to sandboxes.

It is possible to run a sandbox locally. Cuckoo is an open source sandbox that has been around for many years. A new version is being developed but is not yet recommended for production use at the time of writing (July 2024).

While running a sandbox locally gives you full control of the environment and means you can keep your files and URLs fully private, it can be quite a lot of work to set up and maintain. Thankfully, there are many online sandboxes available, such as ANY.RUN, Hybrid Analysis, Joe Sandbox, Triage and even an online version of Cuckoo. All of them have free versions that allow you to upload malware and URLs, though some do require registration. Do keep in mind that if you use a free version, anything you run inside a sandbox will be publicly available. This can be a concern if you don’t want to tip off an adversary or are dealing with very private data, such as potentially infected confidential documents.

Dynamic analysis of Windows binaries

We recommend starting out with an overview class, this time from OpenSecurityTraining. Their Malware Dynamic Analysis class includes slides, lab materials, and videos, and it covers setup, analysis, and creating IoCs.

Dynamic analysis of Android binaries

Many tools can be used to dynamically analyze Android binaries. Those include some of the sandboxes outlined above and Frida (check out this tool for a GUI frontend to Frida).

PiRogue Tool Suite (outlined in the detecting malware learning path) can also do excellent dynamic analysis of Android binaries, though some of those analysis methods require you to first root your device.

Skill Check

General

1. Go to the ‘Sandbox’ section in Chapter 10 of the Field Guide to incident response for civil society and media and do exercises 10.2 to 10.4. In the last exercise, make sure you run at least one macOS and Android malware sample each.
2. In the same chapter, skip to the ‘Analyzing links’ subsection and do exercise 10.12.

Windows-specific

Perform dynamic analysis on a piece of non-malicious Windows software. It probably includes an installer, which will perform similar actions to malware. What files does it create? What registry keys does it create? What network traffic does it send?

Learning Resources