Module 3
Sandboxes and dynamic analysis
Last updated on: 5 September 2024
Edit this page on GitHubModule 3
Last updated on: 5 September 2024
Edit this page on GitHubDynamic analysis is the process of running a piece of malware and observing what it does. The easiest way of doing dynamic analysis is by running a piece of software in a sandbox. A sandbox is a safe, isolated environment which opens a potentially malicious file, URL, or program and generates a huge amount of data on it. This subtopic looks at sandbox analysis, what it can and cannot do, and how to do it.
After completing this subtopic, practitioners should be able to do the following:
When you conduct dynamic analysis on a potentially suspicious file, you will open and execute the file in a specialized tool and observe what this file does, whether it tries to access other files, if it makes network connections, and the like. Static analysis, outlined in subtopic 4, on the other hand, disassembles the file rather than opening or executing it.
Depending on the situation, dynamic analysis can be easier or harder than static analysis, and it can also be more or less accurate. In practice, a combination of static and dynamic analysis will likely produce the best results. Most dynamic analysis will also involve some static analysis, so the line between the two techniques is often blurred.
The general setup for dynamic analysis includes a sandbox in which the malware is run, a debugger to control and monitor program execution, system monitoring to watch for changes to the sandbox system’s state, and something to mediate internet access to block, observe, and/or modify network traffic. These might all exist on one system, or they might be separate virtual or physical devices. For example, you may use a jailbroken iPhone as your sandbox, one tool for remote debugging and system monitoring, and another tool for internet mediation. Not all systems may be used in every situation, for example you might just capture network traffic and monitor system changes without using a debugger.
There are many different methods in which we could conduct dynamic analysis, including by opening up the executable in a sandbox and checking the network connections it makes. For a great resource on detecting malware through the network traffic it generates, check out this guide.
In theory, dynamic analysis could tip off a threat actor that you are analyzing their malware. In practice, adversaries often expect their malware to be analyzed and it is very rare to encounter completely novel malware in your career. With the exception of some very sensitive cases, we would not worry about this risk.
A (malware) sandbox is a safe environment in which you can open and run a file or an URL. It is essentially a custom-designed virtual machine that is launched before the file or URL is opened, and is then shut down after a certain amount of time.
All the activities in the sandbox, such as files that are opened or created as well as network connections made, are recorded and accessible through an activity report. The activity report can help you understand whether the file or URL was malicious. It can also help you link malware to previously seen activities, for example based on specific network connections or files that are created.
Running known malware inside a sandbox can also be very helpful as you are learning more about malware. It helps you understand what malware does and what changes it makes on the system. For example, a lot of malware when initially run tries to ensure persistence so that it will still run following a reboot. These persistence methods are something you can look for when you perform manual forensics on a possible infected device.
A lot of malware has anti-sandbox features built in: when the malware detects it is running inside a sandbox environment, it will terminate or sometimes do something harmless to confuse the analysis. Moreover, some malware is designed to only run if specific conditions are met, for example a specific version of the operating system, or an IP address located in a specific country. Sandboxes are often updated to respond to anti-sandbox methods and many sandboxes let you choose the certain properties.
This is important to keep in mind when reading a sandbox report: a lack of malicious activity doesn’t automatically mean the file or URL isn’t malicious. On the other hand, if malicious activity was shown, you can be certain that the file or URL was malicious.
Check out Chapter 10 of the Field Guide to incident response for civil society and media for a more in-depth introduction to sandboxes.
It is possible to run a sandbox locally. Cuckoo is an open source sandbox that has been around for many years. A new version is being developed but is not yet recommended for production use at the time of writing (July 2024).
While running a sandbox locally gives you full control of the environment and means you can keep your files and URLs fully private, it can be quite a lot of work to set up and maintain. Thankfully, there are many online sandboxes available, such as ANY.RUN, Hybrid Analysis, Joe Sandbox, Triage and even an online version of Cuckoo. All of them have free versions that allow you to upload malware and URLs, though some do require registration. Do keep in mind that if you use a free version, anything you run inside a sandbox will be publicly available. This can be a concern if you don’t want to tip off an adversary or are dealing with very private data, such as potentially infected confidential documents.
We recommend starting out with an overview class, this time from OpenSecurityTraining. Their Malware Dynamic Analysis class includes slides, lab materials, and videos, and it covers setup, analysis, and creating IoCs.
Many tools can be used to dynamically analyze Android binaries. Those include some of the sandboxes outlined above and Frida (check out this tool for a GUI frontend to Frida).
PiRogue Tool Suite (outlined in the detecting malware learning path) can also do excellent dynamic analysis of Android binaries, though some of those analysis methods require you to first root your device.
Perform dynamic analysis on a piece of non-malicious Windows software. It probably includes an installer, which will perform similar actions to malware. What files does it create? What registry keys does it create? What network traffic does it send?
Chapter 10, Field Guide to incident response for civil society and media
FreeIn-depth look at using sandboxes to analyze email payloads.
Any.run
Free only for non-commercial useCommercial sandbox for analyzing malware.
Joe Sandbox
Free for public accounts (results published on website)Commercial sandbox service for malware analysis.
Cuckoo Sandbox
FreeSandbox service by Estonian CERT for malware analysis.
Hybrid Analysis
FreeSandbox service by CrowdStrike mixing static and dynamic analysis.
Triage sandbox
Registration requiredCommunity-driven sandbox for analyzing malware.
Online class on malware dynamic analysis
FreeThree-day class on dynamic malware analysis.
Case study 1: Dynamic Analysis of a Windows Malicious Self-Propagating Binary
FreeBlogpost demonstrating dynamic analysis of a Windows binary.
Case study 2: Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool
FreeCase study on dynamic analysis of obfuscated malware in a Windows domain.
Case study 3: Starting dynamic analysis on a Windows x64 rootkit
FreeIn-depth look at dynamic analysis of Windows rootkits.
Malware traffic analysis
FreeGuide on using captured network packets to analyze malware.
Hack The Box course on mobile penetration testing
FreeIntroduction to mobile malware dynamic analysis.
Hack The Box: Intro to Android Exploitation
FreeExercises on mobile application penetration testing.
Frida and House for Android
FreeTools for dynamic monitoring and debugging of Android apps.
Advanced guide - How to use PiRogue to intercept the TLS traffic of a mobile app
FreeInstructions on using PiRogue Tool Suite for dynamic analysis of Android binaries.
Congratulations on finishing Module 3!
Mark the checkbox to confirm your completion and continue to the next module.
Marks the current module as completed and saves the progress for the user.
You've completed all modules in this learning path.