Today at Blackhat Europe, a new malware analysis service was unveiled called SNDBOX that utilizes artificial intelligence and a hardened virtual environment to perform static and dynamic analysis of malware samples.
Prior to its release, BleepingComputer was given a demo account so that we could play around with the system and from our tests it definitely looks like a worthwhile tool to add to your kit.
SNDBOX is currently a free service located at www.sndbox.com that allows you to submit a malware sample to be analyzed. When submitting a sample, you can configure various options and whether the sample would be public or private to all of the users on the site.
For this article, we uploaded a ransomware sample to see what SNDBOX would tell us about it.
Once you submit the file, SNDBOX will execute it and perform static and dynamic analysis of the file while it runs. When finished, it will provide a report with three different sections that you can use to learn more about the malware and what actions it performs. These sections are Static Analysis, Dynamic Analysis, and Network, which are described below.
The Static analysis section allows you to view the submitted file’s information such as file metadata, section table, import table, and export table. This information is already readily available using many different tools and sites and SNDBOX provides the same info that you would expect.
The dynamic analysis section is where the true power of SNDBOX comes into play. When performing the analysis SNDBOX will keep track of all files and processes that were created as well as any system API calls, registry queries and changes, and WMI requests.
The AI comes into play when it analyzes the sample’s execution patterns and code to classify it as a particular malware or behavior. For example, based on the fact that it tried to clear Shadow Volume Copies it added it to the Ransomware bucket and because it drops a file it is also added to the Dropper bucket. For other malware, such as the information stealer Loki, you can see that it adds it to a Stealer bucket.
This section will also list any files that are created, searches for interesting strings in them, and if possible decode them. For example, if it detects a base64 encoded string, it will automatically decode it in the output.
Finally, you can double-click on any node in the process execution tree to get more information about command lines, API calls, and child and parent processes.
The Network section allows you to see all of the network traffic conducted while running the sample. Using this information, the AI will look for any unusual information and list it under network indicators. This allows you to quickly spot network traffic that is rare or uncommon and not be bogged down looking through traffic that is common among many executables.
The network activity will also be broken down into different network services, so that you can focus on only DNS traffic or HTTP traffic instead of seeing it all at once. SNDBOX also utilizes the Suricata IDS to detect known malicious traffic signatures and patterns.
You can see examples of the service grouping and Suricata detections in the image below.
Full JSON report
Not all information that was gathered by SNDBOX is displayed on the site. For example, POST data for HTTP requests are not displayed in the dashboard.
Instead you will need to download a full JSON report that contains all of the information gathered by SNDBOX.
In addition to downloading a JSON report, you can also download a PCAP capture of the network traffic or the sample itself.
Overall, SNDBOX is another excellent tool for those who routinely perform malware analysis or for those who discover a suspicious file on their computer abd want to see what it does.
If you give it a try, let us know your thoughts.