Recorded Future Sandbox - Submitting Zip Files

Introduction

Malware can be deployed in a huge variety of ways, and not all of them make analysis as simple as running a single file. Whether it is a DLL, a configuration file, or a data resource, many samples need certain content to be present on the system in order to function properly. This is especially true for samples recovered during Incident Response, where the initial dropper may no longer be available while the second-stage malware itself is spread across multiple files.

This short blog post will cover how to submit multiple files to the Recorded Future Sandbox for analysis at the same time, as well as a couple of examples of using this to gain more control over the way in which a sample is executed.

Submitting Multiple Files via Web UI

In order to submit the files in one go, create a zip file containing everything you want to end up on the Virtual Machine for analysis.

From the sandbox portal dashboard, click Submit and you will be presented with a page like this:

sandbox_uploaded-zip.png

Each executable file will have a checkbox next to it in the table on the left - selecting the box for a file will create a new analysis where the chosen file is executed by the agent on the VM.

Note: .eml files are handled as archives, so the files extracted from the .eml appear in the table and must be selected in the same way before submitting.

For each analysis spawned, every file in the archive is extracted onto the machine alongside the chosen file, so in most cases the sample will be able to find anything it needs during execution. The files are placed in the Local AppData folder at C:\Users\Admin\AppData\Local\Temp:

SZF_2.png

Submitting with custom options

Sometimes a sample looks for a file at a particular path, or requires certain command-line parameters to run properly. There are several ways to handle this, but because of the behaviour outlined above it is relatively easy to customize the execution process: write a PowerShell script that performs the actions you need, submit it in the zip together with the sample, and select only the .ps1 file as above. For example:

# Resolve names against the folder the archive was extracted into, not the current directory
$dir = $PSScriptRoot
Move-Item -Path (Join-Path $dir "example-dll-1.dll") -Destination "C:\Windows\System32\sample-dll.dll"
Start-Process -FilePath (Join-Path $dir "example-sample.exe") -ArgumentList "-t","-x"

The above .ps1 script moves the DLL into the System32 folder under the name the sample expects, and then executes the sample with specific options.

SZF_3.png
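A more complete launcher along the same lines, as an added example rather than the article's own script: it stages several supporting files at the paths a sample expects, checks that each one actually arrived in the archive, starts the sample with its switches from a known working directory, and waits a bounded time so a resident sample does not block the script. The file names, destination paths, the ExampleVendor folder, the -t -x switches and the rundll32 export name are all assumptions, not details from the page.

```powershell
# Added example launcher, not code from the original article. The file names, destination
# paths and switches are hypothetical; substitute what your sample actually expects.
$ErrorActionPreference = "Stop"

# The archive is extracted alongside this script, so resolve names relative to the script
# rather than to whatever working directory the agent started PowerShell in.
$here = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }

# Stage each supporting file at the path the sample will look for it (copy, so the
# originals remain in the extraction folder for the analysis to collect).
$staging = @{
    "example-dll-1.dll" = "C:\Windows\System32\sample-dll.dll"              # assumed location
    "sample-config.dat" = Join-Path $env:APPDATA "ExampleVendor\config.dat"  # assumed location
}
foreach ($name in $staging.Keys) {
    $src = Join-Path $here $name
    if (-not (Test-Path -LiteralPath $src)) { throw "Missing from archive: $name" }
    $dst = $staging[$name]
    New-Item -ItemType Directory -Path (Split-Path -Parent $dst) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $dst -Force
}

# Launch with the required switches and a working directory inside the extraction folder.
$proc = Start-Process -FilePath (Join-Path $here "example-sample.exe") `
    -ArgumentList "-t", "-x" -WorkingDirectory $here -PassThru

# Wait a bounded time: a sample that stays resident would otherwise block the script
# until the analysis timeout. The exit code is written to the script's output.
Wait-Process -Id $proc.Id -Timeout 60 -ErrorAction SilentlyContinue
if ($proc.HasExited) { Write-Host "example-sample.exe exited with code $($proc.ExitCode)" }
else                 { Write-Host "example-sample.exe still running after 60 s" }

# To exercise a DLL export instead of an executable, hand it to rundll32 (export name assumed):
# Start-Process rundll32.exe -ArgumentList "C:\Windows\System32\sample-dll.dll,Start"
```

Copying into System32 requires the VM user to have administrative rights, as the article's own example also assumes. If the sample is a DLL with no executable alongside it, replace the Start-Process call with the commented rundll32 line and the export your static analysis identified.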

Submitting Multiple Files via Console API

It is also possible to choose which file is executed when submitting via the API. The submission options let you customize the launch, including naming the particular file within an archive that the Virtual Machine should run.

The following command allows you to submit an archive and choose an analysis target:

curl -H 'Authorization: Bearer <API-KEY>' \
  -X POST \
  -F 'file=@<LOCAL PATH TO ARCHIVE>' \
  -F '_json={"profiles":[{"pick":"<TARGET FILEPATH IN ARCHIVE>","profile":"<PROFILE ID>"}],"kind":"file","interactive":false}' \
  'https://api.tria.ge/v0/samples'

Note that we choose the file to be run using the pick field of an entry in the profiles array. The path entered here should be relative to the root of the archive itself. If we do not specify this when submitting an archive, the Sandbox creates a separate analysis for each file it supports.

You can get a list of your available profile IDs for the above command via the /profiles API endpoint:

curl -H 'Authorization: Bearer <API-KEY>' https://api.tria.ge/v0/profiles

If we then check the status of the sample, we can see that a single task has been created for the specified file:

curl -s -H 'Authorization: Bearer <API-KEY>' 'https://api.tria.ge/v0/samples/<SAMPLE-ID>'
{
  "id": "<SAMPLE-ID>",
  "status": "reported",
  "kind": "file",
  "filename": "example-2.zip",
  "private": true,
  "tasks": [
    {
      "id": "task1",
      "status": "reported",
      "target": "example-ps1.ps1"
    }
  ],
  "submitted": "2020-01-14T16:18:55.746135Z",
  "completed": "2020-01-14T16:20:09Z"
}
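Putting the three API calls together, as an added example that is not part of the original article or of the Sandbox API documentation: the script below checks that the requested pick actually exists in the archive (a mismatched path would silently fall back to one analysis per supported file), builds the same _json body as the curl example, uploads the archive, and polls the sample until it reaches the reported status shown above. All parameter values are placeholders you supply; the use of HttpClient is a choice made so the script runs on Windows PowerShell 5.1, which has no Invoke-RestMethod -Form.

```powershell
# Added example, not code from the original article or the Sandbox API docs.
# Submits an archive, runs only the file named in -Pick, then polls for the result.
# All parameter values are placeholders you supply; the endpoints and the _json shape
# are the ones shown in the curl examples above.
param(
    [Parameter(Mandatory)][string]$ApiKey,
    [Parameter(Mandatory)][string]$ArchivePath,
    [Parameter(Mandatory)][string]$Pick,        # path relative to the archive root
    [Parameter(Mandatory)][string]$ProfileId,   # one of the IDs returned by /profiles
    [string]$BaseUrl = "https://api.tria.ge/v0",
    [int]$TimeoutMinutes = 15
)
$ErrorActionPreference = "Stop"
$archive = (Resolve-Path $ArchivePath).Path

# 1. Confirm the pick really exists in the archive before spending an analysis on it.
#    Zip entry names use forward slashes, so normalise the requested path the same way.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [System.IO.Compression.ZipFile]::OpenRead($archive)
try     { $entries = @($zip.Entries | ForEach-Object { $_.FullName }) }
finally { $zip.Dispose() }
$pick = $Pick -replace '\\', '/'
if ($entries -notcontains $pick) {
    throw "'$Pick' is not in the archive. Entries: $($entries -join ', ')"
}

# 2. Build the _json field exactly as in the curl example.
$json = @{
    profiles    = @(@{ pick = $pick; profile = $ProfileId })
    kind        = "file"
    interactive = $false
} | ConvertTo-Json -Compress -Depth 5

# 3. Multipart POST with HttpClient (Windows PowerShell 5.1 has no Invoke-RestMethod -Form).
Add-Type -AssemblyName System.Net.Http
$client = [System.Net.Http.HttpClient]::new()
$client.DefaultRequestHeaders.Authorization =
    [System.Net.Http.Headers.AuthenticationHeaderValue]::new("Bearer", $ApiKey)
$form   = [System.Net.Http.MultipartFormDataContent]::new()
$stream = [System.IO.File]::OpenRead($archive)
try {
    $form.Add([System.Net.Http.StreamContent]::new($stream), "file", (Split-Path -Leaf $archive))
    $form.Add([System.Net.Http.StringContent]::new($json), "_json")
    $response = $client.PostAsync("$BaseUrl/samples", $form).Result
    $raw = $response.Content.ReadAsStringAsync().Result
} finally {
    $form.Dispose()    # also closes the file stream
    $client.Dispose()
}
if (-not $response.IsSuccessStatusCode) { throw "Submission failed: $($response.StatusCode) $raw" }
$sample = $raw | ConvertFrom-Json
Write-Host "Submitted sample $($sample.id) (pick=$pick)"

# 4. Poll until the sample reaches 'reported' (the finished state shown above) or we give up.
$headers  = @{ Authorization = "Bearer $ApiKey" }
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 15
    $status = Invoke-RestMethod -Headers $headers -Uri "$BaseUrl/samples/$($sample.id)"
    Write-Host "  status: $($status.status)"
} while ($status.status -ne "reported" -and (Get-Date) -lt $deadline)

# One task per pick is expected; several tasks mean the pick was not honoured.
$status.tasks | ForEach-Object { "{0}: {1} ({2})" -f $_.id, $_.target, $_.status }
```

Run it as, for instance, .\Submit-Archive.ps1 -ApiKey $key -ArchivePath .\example-2.zip -Pick example-ps1.ps1 -ProfileId $profile; the final listing should show a single task whose target is the picked file, matching the JSON above.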

Conclusion

We hope this guide will help you to get the most out of Recorded Future Sandbox. Further information on the API, including command examples, can be found in our Sandbox API documentation.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.