Performing malware analysis on suspicious files is a bread and butter activity of any security operations or incident response team. Whether submitted to an abuse inbox, caught by an email gateway, detected by anti-virus, or found during a breach investigation, the malware analysis process is time-consuming, repetitive and manual – which is why many teams are examining malware analysis automation.
There are dozens of approaches to analyzing potentially malicious files and binaries, including using static and dynamic analysis . For now at least, nothing will perform better than a sophisticated malware reverse engineer interacting with and analyzing a file manually in a secure environment. However until humans can work at the scale and speed of malware analysis engines, relying on some form of automation is necessary.
One of the most popular methods of Malware Analysis Automation to determine the maliciousness of suspicious files is using public and private sandboxes. Popular sandboxes include Any.Run, Hybrid Analysis, Joe Sandbox, Valkyrie Sandbox, Cuckoo Sandbox. In this blog we examine some private and public sandboxes that analyze suspicious files. We’ll also learn how the results of the analysis can help proactively protect our environments.
Firstly, a word of caution: at Tines we don’t want you to think that you can completely automate the process of securing your environment by analyzing suspicious files. There are dangers and pitfalls to completely automating the analysis of malware. Modern malware often requires multiple applications to be running on a box for the malware to be triggered. Other malware can detect that it’s running in a sandbox. Furthermore, in many cases different contamination levels will require different triggers. Automated sandboxes struggle to accurately simulate the activities of a real, infected end-user. However, several sandboxes like app.any.run allow interactive analysis with malware and may help in this regard.
When should I automate the analysis of malware?
Using a Sandbox is the right approach for frequent, repetitive malware analysis tasks. A good example of a process like this is analyzing files which AV software detects as suspicious. Attachments which users submit to an abuse mailbox are another source of files which frequently require non-sophisticated malware analysis.
There are several free, public sandboxes available online, however if you suspect that a suspicious file may be targeted at your organization directly you should consider using a private sandbox. This will help prevent a targeted attacker knowing you have detected their activity.
You can setup your own free private sandbox like Cuckoo Sandbox, or you can make a private submission to sandboxes like app.any.run, hybrid analysis or other commerical sandboxes like the Crowdstrike Falcon or Palo Alto Wildfire.
How can I upload files programatically?
Uploading files to app.any.run, cuckoo, or hybrid analysis from Tines is simple once the contents of the file are in Tines. Tines can read the contents of email attachments, or, in some cases, extract the contents of files in a shared drive or the contents of a quarantined file. Once the contents are base64 encoded it’s possible to upload them using any api with a file upload capability.
In the below templates can see how to upload a file to three popular online sandboxes – Cuckoo, App.Any.Run and Hybrid Analysis. In the examples we simply replace the base64 encoded contents with the contents from a previous agent and you can upload to any sandbox. Below you’ll see examples of how to upload to any.run, hybrid analysis and cuckoo sandbox. There are also templates available for uploading to VirusTotal and several other sandboxes in your own Tines tenant.
Before uploading to any sandbox, we recommend checking to see if the file has been seen before in tools like VirusTotal or Hybrid Analysis or your own threat intel platform. If VirusTotal or your threat intelligence platform has seen the file before we can avoid duplicating work and take response actions immediately. You can read more about VirusTotal automation here.
We can easily check if a file exists in VirusTotal using the below agent template
This template requires the MD5 of the file to check in VirusTotal. If you do not have the MD5 of the file, you can use the agent template below to extract the md5 of a file in Tines.
Note, you can also upload files programmatically from a desktop using curl and a command similar to:
curl -X POST -H 'Authorization: Basic ZW1haWw6cGFzc3dvcmQ=' -F 'email@example.com' -i '<a href="https://api.any.run/v1/analysis">https://api.any.run/v1/analysis</a>'<br>
curl -H "Authorization: Bearer S4MPL3" -F file=@/path/to/file http://cuckoo.tines.dev:4443/tasks/create/file
Analysis of Manually Uploaded Files
At Tines we recognize that many processes involve analyzing files found manually – for example suspicious files found during a breach investigation. This does not mean that the results of the analysis can not be extracted and automated however. Using Tines we can extract indicators from every file analyzed in your private sandbox, regardless of how it is submitted.
Analyzing the results of all files uploaded to a Malware Sandbox
The most obvious aim in analyzing malware using a sandbox is to determine its maliciousness. A secondary aim is to extract potential indicators which can be searched for across our environment.
The best way to automate this in Tines is to create a HTTP Request Agent. The HTTP Request agent periodically polls your Sandbox for any new files that have been uploaded. Tines can then extract all the relevant indicators for those reports.
In this story, we’ve used several liquid filters to extract out the relevant elements of the malware analysis report:
The end result is an event that looks like the below – replete with registry modifications, file modifications, network connections etc. The extracted data is in a format that can then be easily used by other agents.
Post Analysis Automation Actions
You can use these results of this file analysis to take other automated actions in your environment. For example, for every domain that the malware connected to you can you can search for associated traffic to the network indicators. If the file was found to be malicious, you can ban malicious hash from endpoints in your enterprise. You can also search for unique file modifications or registry modifications in an EDR tool, for example. In addition, the Tines Security Automation, Orchestration and Response platform can use these results to
- Isolate or quarantine infected endpoints
- Block domains or IP addresses in Firewalls or in DNS tools
- Document details about the file to ticketing systems like JIRA, including PCAPs for analysis etc.
- Collate all the analysis of multiple to help build better detections on known threats for your environment
- Use the detailed results to help prioritize detections using the Mitre Attack Framework
- Upload artifacts like malware PCAPs into ServiceNow or Jira or The Hive
- Perform memory dumps on infected endpoints
- Block email addresses or domains on your email gateway
In short, automating the malware analysis process can help security operations teams react more quickly to potential threats. This allows them to focus on more impactful, risk-reduction efforts
Note – this should not be taken as a complete method for analyzing malware. The correct approach will depend on your environment and risk tolerance. However this is illustrative of some of the analysis that you can automate using Tines and malware sandboxes.
Malware Analysis Automation can have several benefits in allowing teams to move quickly and automatically extract the most relevant data from malware reports.
To learn more about the automating malware analysis, or what this might look like in your environment you can book a demo, start a free trial, or contact us firstname.lastname@example.org. You can also directly download the Cuckoo Sandbox Story or App.Any.Run Story directly for your own Tines tenant.