This document describes a malware analysis sandbox that executes suspicious files in a monitored and controlled virtual environment. It monitors the file system, registry, processes, and network activity of the sample to determine its purpose and behavior. The sandbox automates analysis using open source tools and outputs comprehensive reports, packet captures, artifacts, and screenshots for further examination. It takes samples as input, runs static and dynamic analysis, executes the sample in a clean virtual machine snapshot while monitoring for changes, analyzes memory dumps, and stores the results for later review.
Automating Malware Analysis
2. Execute malware in a controlled/monitored environment
Monitors file system, registry, process and network activity
Outputs the results in multiple formats
Examples of Sandboxes
◦ Cuckoo Sandbox
◦ ThreatExpert
◦ Anubis
◦ CWSandbox
3. To determine:
The nature and purpose of the malware
Interaction with the file system
Interaction with the registry
Interaction with the network
To determine identifiable patterns
5. Automates static, dynamic and memory analysis using open source tools
Written in python
Can be run in sandbox mode or internet mode
In sandbox mode it can simulate internet services (this is the default mode)
Allows you to set the timeout for the malware to run (default is 60 seconds)
Stores final reports, pcaps, desktop screenshots and malicious artifacts for later analysis
6. Takes sample as input
Performs static analysis
Reverts VM to clean snapshot
Starts the VM
Transfers the malware to VM
Runs the monitoring tools (process, registry, file system and network activity)
Executes the malware for the specified time
7. Stops the monitoring tools
Suspends the VM
Acquires the memory image
Performs memory analysis using Volatility framework
Stores the results (final reports, desktop screenshot, pcaps and malicious artifacts) for later analysis
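The run modes and timeout from slide 5 and the step sequence of slides 6 and 7, as one runnable orchestration sketch. This is an added example, not the tool's own code. It assumes VirtualBox driven through VBoxManage for the hypervisor-side steps (snapshot restore, headless start, pause, core dump), the Volatility 3 command-line name `vol` with plugin names such as `windows.pslist`, and a hypothetical guest agent for pushing the sample, toggling fake internet services and running the monitors; the `DryRunController` only records each step, and `SAMPLE` is a constructed MZ/PE stub, not a real binary.

```python
import hashlib
import struct
import subprocess
import time
from pathlib import Path

# Volatility 3 entry point and plugin names are assumptions; Volatility 2
# would be `vol.py -f <dump> --profile=<...> pslist` instead.
VOL = ["vol"]
PLUGINS = ("windows.pslist", "windows.netscan", "windows.malfind")

# Constructed input: an MZ stub whose e_lfanew (offset 0x3C) points at a PE
# signature with an i386 machine field; not a real executable.
SAMPLE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + struct.pack("<H", 0x14C)

def static_analysis(data: bytes) -> dict:
    """Hashes plus a minimal PE check: 'MZ' at 0, e_lfanew at 0x3C -> 'PE\\0\\0'."""
    info = {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(), "is_pe": False, "machine": None}
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            info["is_pe"] = True
            info["machine"] = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return info

class DryRunController:
    """Records every host/guest step instead of executing it. Host commands are
    the VBoxManage calls a VirtualBox setup would use; guest steps go through a
    hypothetical agent and are only named here."""
    def __init__(self, vm="sandbox", snapshot="clean"):
        self.vm, self.snapshot, self.log = vm, snapshot, []

    def host(self, *argv: str) -> bytes:
        self.log.append(" ".join(argv))
        return b""

    def guest(self, action: str, *args) -> bytes:
        self.log.append(" ".join([f"guest:{action}", *map(str, args)]))
        return b""

    # hypervisor side
    def revert(self): self.host("VBoxManage", "snapshot", self.vm, "restore", self.snapshot)
    def start(self): self.host("VBoxManage", "startvm", self.vm, "--type", "headless")
    def suspend(self): self.host("VBoxManage", "controlvm", self.vm, "pause")
    def poweroff(self): self.host("VBoxManage", "controlvm", self.vm, "poweroff")

    def dump_memory(self, out: Path) -> Path:
        self.host("VBoxManage", "debugvm", self.vm, "dumpvmcore", f"--filename={out}")
        return out

    # guest side (agent transport not specified; replace with your own)
    def set_network(self, simulate: bool): self.guest("network", "fake-services" if simulate else "internet")
    def push_sample(self, name: str, data: bytes): self.guest("push", name, len(data))
    def start_monitors(self): self.guest("monitors", "start")
    def execute_sample(self, name: str): self.guest("exec", name)
    def screenshot(self) -> bytes: return self.guest("screenshot")

    def stop_monitors(self) -> dict:
        self.guest("monitors", "stop")
        return {}  # a real agent returns the process/registry/file logs and the pcap

class VBoxController(DryRunController):
    """Same sequence, but host commands really run; guest steps still only log."""
    def host(self, *argv: str) -> bytes:
        self.log.append(" ".join(argv))
        return subprocess.run(argv, check=True, capture_output=True).stdout

def memory_analysis(ctl, dump: Path) -> dict:
    """Run the chosen Volatility plugins against the acquired image."""
    return {p: ctl.host(*VOL, "-f", str(dump), p).decode(errors="replace") for p in PLUGINS}

def run_pipeline(name, data, ctl, timeout=60, internet=False, sleep=time.sleep) -> dict:
    """Slides 6 and 7 in order; `timeout` is the run time from slide 5 (default 60 s)."""
    report = {"sample": name, "mode": "internet" if internet else "sandbox",
              "timeout": timeout, "static": static_analysis(data)}
    ctl.revert()                         # always start from the clean snapshot
    ctl.start()
    ctl.set_network(simulate=not internet)
    ctl.push_sample(name, data)
    ctl.start_monitors()                 # process, registry, file system, pcap
    ctl.execute_sample(name)
    sleep(timeout)
    report["screenshot_bytes"] = len(ctl.screenshot())
    report["artifacts"] = ctl.stop_monitors()
    ctl.suspend()                        # freeze the guest so the image is consistent
    dump = ctl.dump_memory(Path(f"{name}.vmem"))
    report["memory"] = memory_analysis(ctl, dump)
    ctl.poweroff()
    report["steps"] = list(ctl.log)      # the ordered command log is the dry-run output
    return report

if __name__ == "__main__":
    for step in run_pipeline("sample.exe", SAMPLE, DryRunController(), timeout=1)["steps"]:
        print(step)
```

Two ordering properties are worth checking in the dry run before touching a real VM: the monitors must be started before the sample is executed and stopped only after the timeout, and the guest must be paused before the memory image is taken, otherwise the dump captures a moving target. Swap in `VBoxController` only after the logged sequence looks right, and confirm that the Volatility version you use understands the core-dump format VBoxManage writes; if it does not, convert the dump or acquire raw memory another way before the analysis step.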