Recorded Future Sandbox - Submitting a sample with cmdline arguments


When submitting files or URLs to the Recorded Future Sandbox there is a wide range of configuration options which can be leveraged to get the most out of the analysis process. For files specifically, one of the more important examples is the ability to configure the command which is used to execute the file. This feature is available after the initial submission of the file, when the platform displays the Static Report, File Tree and configuration options for the virtual machine analysis - just click the command-line icon next to the relevant entry in the File Tree to open the text field.

If no custom arguments are added here then the sandbox will select a default command based on the file type of the target. For example, a DLL can be run either with regsvr32.exe [filename.dll] or rundll32.exe [filename.dll],#1 depending on the type of content the sandbox detects in the file.

However, there are some cases, especially for DLLs, where using a default entry point like this will not be able to run the file. If a file is intended as a second-stage payload deployed by a dropper it may have custom options which the sandbox cannot predict automatically, so it is important to provide the flexibility to modify these command-lines to your own needs.

There are two main ways to use this feature within the sandbox:

1. Add parameters to default options

If plain text strings are added to the command-line arguments field they will be appended to the end of the default command used by the sandbox. This can be useful when an executable file requires a specific parameter to make it run properly - for example, the Royal ransomware that popped up in 2022 will only carry out encryption if it is provided with the parameter -id followed by a 32-digit value. The image below shows the difference in the behavioral signatures triggered with (on the left) and without (on the right) these arguments.

2. Override default options

There will sometimes be a need to completely override the default options rather than just adding additional arguments to the end of the existing command. For example with a DLL if a different entry point needs to be used then just adding a string as shown above will not work.

In order to support this the sandbox has a variable, %PAYLOAD%, which represents the file path within the VM of the sample that has been submitted. When used in combination with a valid Windows DLL handler it overrides the default settings completely and the new command-line is used when launching the file, i.e.:

rundll32.exe %PAYLOAD%,entryPoint

As an example, a DLL highlighted by Google’s Threat Analysis Group in 2021 as part of a North Korean campaign targeting security researchers has some specific requirements which combine both of the approaches we’ve covered in this article. When running it in the sandbox without any arguments at all the file sees no behavior and receives a 1/10 score (link to report):

However if we look into the file a bit and work out the actual entry point we end up with a command-line argument that looks like this at submission, with an entry point of “CMS_dataFinal” and an additional argument which needs to be provided as well:

This results in a lot more activity and takes the result up to an 8/10 instead of 1/10 - you can see in the screenshot below how the %PAYLOAD% variable expands to be the full path to the target sample file as stored on the virtual machine (link to report).
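To make the two modes concrete, here is an added example (not Recorded Future's code) that models how the arguments field turns into the command the VM runs: plain text is appended to the file-type default, while a command containing %PAYLOAD% replaces the default and has the variable expanded to the sample's VM path. The default-command table, the handler list, the VM path and the PLACEHOLDER_ARG value are assumptions for the example.

```python
"""Constructed model of how a sandbox assembles the VM launch command from the
command-line arguments field. Not Recorded Future code."""

PAYLOAD_VAR = "%PAYLOAD%"

# Default commands per detected file type, with {path} standing for the sample
# path inside the VM (the DLL entries mirror the regsvr32/rundll32 forms above).
DEFAULT_COMMANDS = {
    "exe": "{path}",
    "dll-regsvr32": "regsvr32.exe {path}",
    "dll-rundll32": "rundll32.exe {path},#1",
}

# Handlers accepted at the start of an override command (assumed list).
KNOWN_HANDLERS = ("rundll32.exe", "regsvr32.exe")


def launch_mode(user_args: str) -> str:
    """Classify the arguments field: 'default', 'append' or 'override'."""
    text = user_args.strip()
    if not text:
        return "default"
    return "override" if PAYLOAD_VAR in text else "append"


def build_launch_command(file_type: str, vm_path: str, user_args: str = "") -> str:
    """Return the command the VM would run for the sample.

    append:   plain text is added after the default command for the file type.
    override: a command containing %PAYLOAD% replaces the default entirely,
              with %PAYLOAD% expanded to the sample's path inside the VM.
    """
    text = user_args.strip()
    mode = launch_mode(text)
    if mode == "override":
        handler = text.split()[0].lower()
        if handler not in KNOWN_HANDLERS:
            raise ValueError(f"override must start with a Windows handler, got {handler!r}")
        return text.replace(PAYLOAD_VAR, vm_path)
    default = DEFAULT_COMMANDS[file_type].format(path=vm_path)
    return f"{default} {text}" if mode == "append" else default


if __name__ == "__main__":
    dll = r"C:\Users\user\Desktop\sample.dll"  # constructed VM path
    # The DLL case from the article: custom entry point plus an extra argument.
    print(build_launch_command("dll-rundll32", dll,
                               "rundll32.exe %PAYLOAD%,CMS_dataFinal PLACEHOLDER_ARG"))
```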
