Sandbox kiev

Apr. 25, 2015

  1. Malware Analysis with Sandbox
     email: alex.adamoff@gmail.com
     LinkedIn: https://ua.linkedin.com/in/alexanderadamov
  2. About Author
     Alexander Adamov is a malware researcher and a security trainer with over nine years' experience in the antivirus industry, working for Kaspersky Lab and Lavasoft. Alexander is a university lecturer who develops new courses for EU universities and at the same time gives lectures and trainings in network security, reverse engineering, and malware analysis. At present he is running a Cloud Sandbox startup.
  3. Outline
     1) Use Cases
     2) Sandbox Intro
     3) Sandbox Report
     4) Features
     5) Web Interface
     6) Incident Response and Data Flow
     7) Technical Requirements
     8) Demo
     9) Conclusions
  4. USE CASES
  5. Case 1: APT “CosmicDuke” Analysis
     APT* “CosmicDuke/MiniDuke” – July 2014
     The malware can steal a variety of information, including files selected by extension and by file name keyword:
     *.exe;*.ndb;*.mp3;*.avi;*.rar;*.docx;*.url;*.xlsx;*.pptx;*.ppsx;*.pst;*.ost;*psw*;*pass*;*login*;*admin*;*sifr*;*sifer*;*vpn;*.jpg;*.txt;*.lnk;*.dll;*.tmp;*.obj;*.ocx;*.js
     The backdoor also has many other capabilities, including:
     – Keylogger
     – Skype password stealer
     – General network information harvester
     – Screen grabber (grabs images every 5 minutes)
     – Clipboard grabber (grabs clipboard contents every 30 seconds)
     – Microsoft Outlook, Windows Address Book stealer
     – Google Chrome password stealer
     – Google Talk password stealer
     – Opera password stealer
     – TheBat! password stealer
     – Firefox, Thunderbird password stealer
     – Drives/location/locale/installed software harvester
     – WiFi network/adapter information harvester
     – LSA secrets harvester
     – Protected Storage secrets harvester
     – Certificate/private keys exporter
     – URL History harvester
     – InteliForms secrets harvester
     – IE Autocomplete, Outlook Express secrets harvester
     – and more...
  6. Example: “CosmicDuke” Builds
     • 7 builds per day on average
     • Spoofs legitimate apps
     • Uses polymorphic encryption by UPolyXv05_v6 to hinder AV detection.
  7. Example: “CosmicDuke” Victims
     The victims of “CosmicDuke” fall into these categories:
     • government
     • diplomatic
     • energy
     • telecom operators
     • military, including military contractors
     • individuals involved in the trafficking and sale of illegal and controlled substances
  8. Analysis in Sandbox
     Old CosmicDuke 2013 Report: https://www.dropbox.com/s/avxyrtcdkqtaqfq/report_edf7a81dab0bf0520bfb8204a010b730.htm?dl=0
     New CosmicDuke 2014:
     • NVIDIA WLMerger App Report: https://www.dropbox.com/s/41t111saz3jy5yl/report_1276d0aa5ad16fb57426be3050a9bb0b.htm?dl=0
     • Adobe Acrobat Updater Report: https://www.dropbox.com/s/kvmp6rrc8f43s5t/report_d92faef56fa25120cb092f1b69838731.htm?dl=0
     12 minutes
  9. Case 2: APT “Epic Turla” Attack
     “Epic Turla” is a massive cyber-espionage operation. The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including:
     • government institutions,
     • embassies,
     • military,
     • education,
     • research and pharmaceutical companies.
  10. Types of “Epic Turla” Attacks
     The attacks in this campaign fall into several different categories depending on the vector used in the initial compromise:
     • Spearphishing e-mails with Adobe PDF exploits (CVE-2013-3346 + CVE-2013-5065)
     • Social engineering to trick the user into running malware installers with a ".SCR" extension, sometimes packed with RAR
     • Watering hole attacks using Java exploits (CVE-2012-1723), Flash exploits (unknown) or Internet Explorer 6, 7, 8 exploits (unknown)
     • Watering hole attacks that rely on social engineering to trick the user into running fake "Flash Player" malware installers.
     Watering hole example: infected Palestinian Authority Ministry of Foreign Affairs
  11. Analysis in Sandbox
     • Adobe PDF exploits (Note_№107-41D.pdf, CVE-2013-5065) Report: https://www.dropbox.com/s/6l25orn9nlgl6ea/report_6776bda19a3a8ed4c2870c34279dbaa9.htm
       – Dropped file (Epic/Tavdig/Wipbot backdoor) Report: https://www.dropbox.com/s/lqw3vvzeudyt4kq/report_111ed2f02d8af54d0b982d8c9dd4932e.htm
     • Spearphishing files:
       – NATO position on Syria.scr https://www.dropbox.com/s/6powxf2vo4y3fjp/4d667af648047f2bd24511ef8f36c9cc_report.htm
     • Dropped Epic/Tavdig/Wipbot backdoor: https://www.dropbox.com/s/citfclr08eul04x/report_ab686acde338c67bec8ab42519714273.htm
     • Turla Carbon package Report: https://www.dropbox.com/s/rivavmk8w2d56io/report_cb1b68d9971c2353c2d6a8119c49b51f.htm
     20 minutes
  12. Similar Solutions on the Market
     • Norman G2 Analyzer
     • ThreatAnalyzer (former GFI Sandbox, CWSandbox)
     • Cuckoo Sandbox
     • VirusTotal online service
     • FireEye MAS
     • AlienVault Reputation Monitor
     • Kaspersky Application Advisor (Beta)
  13. SANDBOX REPORT
  14. A Comparison of Sandbox Reports - 1

     | Data Type | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
     |---|---|---|---|---|---|
     | Summary/File Details | YES | YES | YES | YES | YES |
     | **Static Analysis** | | | | | |
     | Dropped from | no | no | no | no | YES |
     | Downloaded by | no | no | no | no | YES |
     | Polymorphic | no | no | no | no | YES |
     | PE Sections | no | no | no | YES | YES |
     | VersionInfo | no | no | no | YES | YES |

  15. A Comparison of Sandbox Reports - 2

     | Dynamic Analysis | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
     |---|---|---|---|---|---|
     | Payload = Behavior class | no | no | no | no | YES |
     | Process activities | YES | YES | YES | YES | YES |
     | File activities | YES | YES | YES | no | YES |
     | Registry activity | YES | YES | YES | no | YES |
     | Rootkit activity | no | no | no | no | YES |
     | Dropped PE files | YES | no | no | no | YES |
     | HOSTS file anomalies | no | no | no | no | YES |
     | Propagation | no | no | no | no | YES |
     | Named objects (mutexes, events) | YES | YES | YES | YES | YES |

  16. A Comparison of Sandbox Reports - 3

     | Network Activities | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
     |---|---|---|---|---|---|
     | URLs/DNS | YES | YES | YES | YES | YES |
     | IDS verdicts | no | no | no | YES | YES |
     | Traffic | no | YES | YES | YES | YES |
     | **Detections** | | | | | |
     | VirusTotal | no | YES | YES | YES | YES |
     | Internal verdicts | - | YES | YES | YES | YES |
     | Yara | YES | no | no | YES | YES |
     | Threat type | no | no | YES | no | YES |
     | Behavior class | no | no | YES | no | YES |
     | Danger level | no | YES | YES | no | no |

  17. A Comparison of Sandbox Reports - 4

     | Others | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
     |---|---|---|---|---|---|
     | Screenshot | YES | YES | YES | no | YES |
     | Map | no | no | no | no | YES |
     | Strings from dumps | no | no | no | no | YES |
     | Removal instructions | no | no | no | no | YES |
     | **Architecture** | | | | | |
     | Sandbox hypervisor type | Ubuntu/VirtualBox | IntelliVM | - | - | VMWare ESX/Workstation |
     | Scalability | no | YES | YES | YES | YES |
     | Custom sandbox instances | YES | YES | YES | - | YES |

  18. A Comparison of Sandbox Reports - 5

     | User Interface | Cuckoo Sandbox | Norman G2 MalwareAnalyzer | GFI/ThreatTrack Sandbox | VirusTotal | SitC |
     |---|---|---|---|---|---|
     | UI type | Console (Python scripts) | Web | Web | Web | Web |
     | Dashboard | No | YES | YES | No | No |
     | Queue manager | No | YES | YES | No | YES |
     | Report type | HTML | PDF | PDF | Web report | HTML/PDF/Blog |
     | Sales | Freeware | Direct | Direct | Direct | - |
     | Total number of “YES” | 10 | 15 | 17 | 12 | 30 |
  19. More Report Examples
     https://www.dropbox.com/s/kh7dm8rngokd2f6/7a500c46d62f6f39e4bb2716a323bc34_report.htm
     https://www.dropbox.com/s/rz7vzueqyxy53hy/e046da1b39202825155947371254a4e6_report.htm
     https://www.dropbox.com/s/cl5h1fi91dkbt0d/e76d42578057862b5823ac926304cc22_report.htm
  20. VMRay Analyzer
     Source: http://www.vmray.com/vmray-analyzer-features/
     Covers all kinds of behavior
     • All kinds of low-level control flow (API function calls, system calls, interrupts, APCs, DPCs, ...)
     • All kinds of high-level semantics (filesystem, registry, network, user/group administration, ...)
     • Monitors user- and kernel-mode code
     • All process creation, code injection, and driver installation methods are tracked and detected
     • Layer 7 protocols (HTTP, FTP, IRC, SMTP, DNS, ...) are identified and parsed
     Comprehensive data collection
     • Output enriched with function prototype information, GeoIP lookup information, and process dependency graphs
     • Takes screenshots during execution
     • Monitors network traffic and stores PCAP files
     • Detects and stores all files that are generated or modified by the malware
  21. VMRay Analyzer
     Process dependency graphs
  22. LastLine
     Source: http://advancedmalware.lastline.com/discovery-report-for-2/21/2015-to-2/27/2015
     Lastline Malware Risk Assessment
  23. Sandbox Intro
     • Sandbox in-the-cloud (SitC) is a new cloud-based malware analysis system for IS professionals and advanced users.
     • It delivers a comprehensive analysis report in 4-5 minutes.
  24. Integration to ISP Infrastructure
  25. SANDBOX FEATURES
  26. Sandbox Features
     • Get an analysis report/verdict by hash or by file.
     • Search for and track analyzed malware samples.
     • Custom Yara rules are supported.
     • Analysis time ~4 min.
     • Scalable architecture (no limit on the number of samples processed) under VMWare ESX.
     • Web interface.
     • >5000 analyzed samples daily on 8 CPU cores (Core i7).
  27. Yara Rules are Supported
     • Add your own signature to detect files/memory dumps/traffic.
  28. SANDBOX INTERFACE
  29. Web Interface
     • Search by MD5
     • Manual sample upload via the web form (high priority)
     • Stream analysis (low priority)
     • Advanced search in the Sandbox database by time frame, verdict, Yara rule, etc.
     • Report (HTML, PDF) can be sent by email.
  30. INCIDENT RESPONSE AND DATA FLOW
  31. Incident Response with SitC
     Phases: Detection, Investigation, Analysis, Remediation, Prevention
     • Unknown threats can be sent to SitC for analysis as files or metadata when they enter a trust perimeter.
     • SitC can assign a severity level to a submitted threat, so the most critical ones go to the IRT immediately.
     • Malware analysis takes ~4 minutes.
     • All malicious activities are presented in the SitC report, together with removal recommendations.
     • The removal script or tool can be generated in advance.
     • The SitC report contains information about propagation, which helps in understanding the attack vector.
  32. Operational Modes
     1. On-Demand Analysis (High Priority)
        – The user submits an object (file/traffic) via the web page; it is analyzed and kept in storage.
        – The report is generated and sent to the user's email.
        – When submitting an object, the user can choose the (pre-defined) type of virtual machine to be used for the analysis.
     2. Stream Analysis (Low Priority)
        – The input object (file/traffic) can also be copied to the sandbox incoming folder, where it is processed automatically with low priority.
        – The user can access the analysis data saved in storage to do further analysis.
        – The user can search for an already analyzed object by MD5 hash via the web page to get the HTML report.
     3. Sandbox Configuration
        – The user can add new Yara rules via the web page to detect files/dumps/traffic.
  33. Technical Requirements for SitC Deployment
     • VMWare ESXi Server 5.1 (free use up to 32 GB RAM):
       • 8 CPU cores
       • 16 GB RAM
       • 4 TB low-speed HDD and 2 x 120 GB SSD
     • Internet access (so malware can connect to remote servers and download updates)
     • Incoming traffic (PE files, PCAP dumps) to the Sandbox
     • Remote access via vSphere to set up and control the Sandbox
     • The Sandbox server should be well isolated inside the local network to prevent unsolicited malware spreading.
  34. DEMO
     • Cloud Sandbox Video – 2:38
  35. Conclusions
     1) SitC can potentially be used for:
        • Analysis and detection of malicious or suspicious files.
        • Analysis and detection of network traffic (PCAP).
        • Triggering on custom Indicators of Compromise (IoCs) using Yara.
        • Finding 0-day cyber attacks and APTs (via traffic analysis).
        • Discovering infected hosts by their malicious traffic (connections to C&C servers).
     2) The SitC prototype has the most comprehensive malware analysis report in the industry, and we want to test it in a real-life environment.
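
As an added illustration of the custom Yara rules the deck says SitC accepts for files, memory dumps and traffic (slides 27 and 35), here is a rule set written for this page; it is not from the deck or from SitC, and the hostnames and beacon path it matches are constructed placeholders:

```yara
// Added example (not from the deck): one set of constructed IoC strings,
// reused with a tighter condition for PE files and a looser one for memory
// dumps and PCAP traffic, which have no PE header to anchor on.

private rule sitc_example_c2_indicators
{
    strings:
        // constructed placeholder C2 hostnames and a beacon path
        $host1 = "c2.example.invalid" ascii wide nocase
        $host2 = "update.example.invalid" ascii wide nocase
        $path  = "/check?id=" ascii wide
    condition:
        1 of ($host*) and $path
}

rule sitc_example_c2_in_pe_file
{
    meta:
        description = "PE file carrying the placeholder C2 indicators"
        severity    = "high"
    condition:
        // MZ header: the object submitted is an executable file
        uint16(0) == 0x5A4D and sitc_example_c2_indicators
}

rule sitc_example_c2_in_dump_or_traffic
{
    meta:
        description = "Memory dump or PCAP containing the placeholder C2 indicators"
        severity    = "medium"
    condition:
        not (uint16(0) == 0x5A4D) and sitc_example_c2_indicators
}
```

The severity meta values are a convention chosen for this example to show how a rule could feed the severity level the deck says SitC assigns before a report reaches the IRT.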

Editor's Notes

  1. *APT – Advanced Persistent Threat Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  2. Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  3. Source: http://securelist.com/blog/incidents/64107/miniduke-is-back-nemesis-gemina-and-the-botgen-studio/
  4. Source: http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
  5. Source: http://securelist.com/analysis/publications/65545/the-epic-turla-operation/
  6. SitC ver 1.0 UI: Dashboard, report format, scheduler, queue manager, etc. UI Type: Standalone App, Web UI. How they sell products.
  7. SitC ver 1.0 UI: Dashboard, report format, scheduler, queue manager, etc. UI Type: Standalone App, Web UI. How they sell products.
  8. https://www.brighttalk.com/webcast/8303/81677 Old comment: Example with SitC on board: AV detection (Quarantine)->Analyze and find all downloaded/dropped files not detected-> !!!!Use case: Classic vs. SitC.