Recorded Future's malware analysis sandbox has high-volume capability and allows you to quickly analyze malware in a safe, customizable environment. It supports malware configuration extraction, automatically enriching analysis with threat intelligence so you can quickly detect and take action against threats.
Overview
- 3x faster than previous malware analysis capabilities
- File, URL, and code analysis for Windows, Linux, Android, and macOS
- Support for large file and archives analysis
- Network simulation options
- API access to automate submissions at scale
Technical Features
- Family classification for more than 350 common families
- Custom x86 static emulation
- TLS/SSL decryption
- Access to PCAPs, dropped files, and memory dumps
- Support for user-submitted YARA rules
- Live VM interaction
Usage Limits
There is a limit of 1,000 malware sandbox submissions per day. This daily quota is enforced on a monthly basis, with a grace of 10% overage on the month. Service is not suspended unless your usage extends beyond the 10% allowed monthly overage, and you are not automatically billed for overages.
Recorded Future Sandbox Portal
You can access the Recorded Future Sandbox in the top menu of the Recorded Future portal.
Submit a file for analysis
Click on the submit option from the Sandbox dashboard:
Click Browse and select a file via the system file browser or drag and drop a file into the dedicated section:
Once the file has been selected you are presented with the option of providing a password, which will be used by the analysis engine to access the file content if it is password protected.
Click “Submit” to finalize the submission process or “Clear” to cancel the process.
Once the operation is complete and the file is uploaded, you can configure the analysis:
There are several options available at this step:
File tree - listing of all the files uploaded in the previous step, including the contents of archives. Select all the files you want to include in the analysis. A maximum of 32 files can be selected for one analysis job. More information about all supported file types can be found here.
Add command line arguments - Lets you run each of the files selected for analysis with command line arguments. To enable this option, click the “Add command line” button. (Note: command line arguments may differ depending on the Operating System used for the dynamic analysis.)
Profiles - listing of all profiles available for analysis, including the "Automatic" profile, which lets the platform decide which settings to use for the malware analysis.
Static - Lets you pivot toward the screen that presents the static analysis results for the submitted file:
Select the "Customize" tab from the upper right corner of the screen to enable full configuration of the environment in which the dynamic analysis will be performed.
This settings screen provides the following options:
- Platforms - provides a listing of all Operating Systems that can be selected for running the dynamic analysis. By default the “Automatic” option is selected, which enables the system to automatically identify the best suited Operating System for performing the analysis. Note: in some cases the sandbox might run the dynamic analysis on multiple Operating Systems when the “Automatic” option is selected.
- Languages - Enables the selection of the default language and keyboard that will be used for the Operating System on which the dynamic analysis will be performed.
- Timeout - Sets the duration of the analysis. By default the Timeout is set to 2.5 minutes.
- Browser - Provides a listing of all the browsers that can be selected for the dynamic analysis: Google Chrome, Mozilla Firefox, Internet Explorer 11, Microsoft Edge. There is also the option (pre-selected by default) of running the analysis with the default browser of the Operating System that was chosen in the previous section.
- Internet Access - sets the type of internet connection/access of the Operating System on which the dynamic analysis will be performed. The following options are available:
- ON - Full Internet Access is provided during the dynamic analysis
- OFF - No Internet Access is provided during the dynamic analysis
- Tor - The Internet Access, during the dynamic analysis, will be routed through the Tor Network
- 200 - Any connection to the internet during the dynamic analysis will be answered with a 200 (OK) status code, indicating that the request has succeeded
- 404 - Any connection to the internet during the dynamic analysis will be answered with a 404 (Not Found) status code, indicating that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists
- DNS Disabled - Internet Access is provided during the dynamic analysis but the DNS is disabled. This disables the resolution of domain names and enables access over the internet only based on IP addressing.
- VPN - Select this to enable geolocation selection using the map below this option. Allows routing all traffic from the analysis VM out of a different region than where the sandbox is hosted. EU and US endpoints are currently supported.
Once you have configured the environment (or left the default settings unchanged), click the “Analyze” button to start the dynamic analysis.
Immediately after pressing the “Analyze” button you will be redirected to the Live Monitor session in which you can watch live and interact with the analysis running in the Operating Systems that were selected (manually or automatically).
If multiple sessions were started (for example by the automated option that ran the analysis in multiple Operating Systems), you have the ability to cycle in between the active sessions by clicking any of the active sessions listed on the left side of the screen or on the tabs corresponding to each active session from the right upper corner.
For each session the portal presents information about the session length, the Operating System provided for the session, and the type of task (e.g., behavioral refers to a session performing dynamic analysis of the sample's behavior).
While the sessions are active (time depends on the selection made during the configuration of the analysis task) you can perform the following actions:
- Extend analysis - extends the time allocated to the analysis by adding increments of 1 minute
- Terminate - terminates the behavioral/dynamic analysis task
- Simulate Mouse - Simulates mouse interactions inside the Operating System during the dynamic/behavioral analysis task
Once the analysis task is completed you are presented with the option of accessing the analysis reports.
Submit a URL for analysis
From the sandbox portal dashboard click on the submit option:
Input/Paste the URL in the dedicated section:
Once you add the URL you can choose the following options:
- URL: Directly analyze a URL that will be opened in the browser (shown in this example)
- Fetch: Fetch a file and execute the file in the sandbox.
- Note: Fetch only works if it can directly download the file from the address; it will not work if there are any redirects, etc.
- Import From Public: Perform an analysis based on a sample ID or tria.ge link.
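Because the Fetch option only works when the file can be downloaded directly from the address, it is worth checking a URL before spending one of the daily submissions on it. The following helper is an added example, not code from the Recorded Future documentation or product: it performs a HEAD request with redirects disabled and classifies the response as usable by Fetch ("direct"), a redirect that Fetch will not follow ("redirect"), or something else that should be submitted as a URL analysis instead ("error"). The verdict names and the HTML heuristic are this example's own assumptions, not product behaviour.

```python
"""Pre-check a URL before submitting it with the sandbox's Fetch option.

Added example, not part of the Recorded Future documentation or product.
Fetch needs a direct download, so this flags redirects (3xx) and non-file
responses before an analyst spends a daily-quota submission on the URL.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class FetchCheck:
    verdict: str   # "direct", "redirect" or "error" (names assumed for this example)
    status: int    # HTTP status code, 0 if no response was received
    detail: str    # human-readable reason for the verdict


def classify_response(status: int, headers: dict) -> FetchCheck:
    """Decide from a status code and response headers whether Fetch can use the URL."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        target = hdrs.get("location", "?")
        return FetchCheck("redirect", status,
                          f"redirects to {target}; Fetch needs a direct download")
    if status != 200:
        return FetchCheck("error", status, "server did not return the file")
    ctype = hdrs.get("content-type", "")
    if ctype.startswith("text/html"):
        # Heuristic assumed for this example: an HTML body is a landing page,
        # not a payload, so a URL analysis (browser) is the better submission.
        return FetchCheck("error", status,
                          "HTML page, not a file download; submit as URL instead")
    return FetchCheck("direct", status, f"direct download ({ctype or 'unknown type'})")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 3xx surfaces as an HTTPError we can classify."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_fetch_url(url: str, timeout: float = 10.0) -> FetchCheck:
    """Issue a HEAD request (no redirects) and classify the answer for Fetch.

    Caveat: some servers reject HEAD; a non-200 here may still be a valid GET.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as e:
        return classify_response(e.code, dict(e.headers.items()))
    except urllib.error.URLError as e:
        return FetchCheck("error", 0, f"connection failed: {e.reason}")


if __name__ == "__main__":
    # Constructed responses so the demonstration runs offline; for a live URL
    # call check_fetch_url("https://example.invalid/sample.bin") instead.
    samples = [
        (302, {"Location": "https://cdn.example.invalid/sample.bin"}),
        (200, {"Content-Type": "application/octet-stream"}),
        (200, {"Content-Type": "text/html; charset=utf-8"}),
        (404, {}),
    ]
    for status, headers in samples:
        print(status, classify_response(status, headers))
```

Run it with the constructed responses to see the four verdicts, or point `check_fetch_url` at a real address before choosing Fetch; a "redirect" verdict means the file should be submitted by its final direct URL, and an "error" verdict with an HTML content type means the URL analysis option (opening the page in the browser) is the appropriate choice.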
Before starting the full analysis, you'll see a preview of the static analysis results (including score and tags) and the options to start or delete the analysis using the buttons shown in the screenshot below.
In the same window, you can customize the virtual machine in which the analysis will be performed:
The following customization options are available:
- Platforms - A list of all Operating Systems you can select to run the dynamic analysis. The default selection is “Automatic,” which enables the system to automatically identify the best suited Operating System for performing the analysis. In some cases, the sandbox might run the dynamic analysis on multiple Operating Systems when the “Automatic” option is selected.
- Languages - Select the default language and keyboard to use for the Operating System on which the dynamic analysis will be performed.
- Internet Access - Type of internet connection/access of the Operating System on which the dynamic analysis will be performed. The following options are available:
- ON - Full Internet Access is provided during the dynamic analysis
- OFF - No Internet Access is provided during the dynamic analysis
- Tor - The Internet Access, during the dynamic analysis, will be routed through the Tor Network
- 200 - Any connection to the internet during the dynamic analysis will be answered with a 200 (OK) status code, indicating that the request has succeeded
- 404 - Any connection to the internet during the dynamic analysis will be answered with a 404 (Not Found) status code, indicating that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists
- DNS Disabled - Internet Access is provided during the dynamic analysis but the DNS is disabled. This disables the resolution of domain names and enables access over the internet only based on IP addressing.
- Timeout - Sets the duration of the analysis. The default Timeout is 2.5 minutes.
- Browser - A listing of all the browsers you can select for the dynamic analysis: Google Chrome, Mozilla Firefox, Internet Explorer 11, Microsoft Edge. There is also the option (pre-selected by default) to run the analysis with the default browser of the Operating System that was chosen in the previous section.
Once you have completed the configuration (or left the default settings unchanged), click the "Analyze" button to start the dynamic analysis.
Immediately after pressing the “Analyze” button you will be redirected to the Live Monitor session, where you can watch and interact with the analysis running in the selected Operating System(s).
If you start multiple sessions (e.g., by the automated option that ran the analysis in multiple Operating Systems), you can cycle between the active sessions by clicking on 1) any of the active sessions listed on the left side of the screen or 2) the tabs corresponding to each active session in the right upper corner.
For each session the portal presents information about the session length, Operating System for the session, and the type of task (e.g., behavioral refers to the session performing a dynamic analysis or the sample behavior).
You can perform the following actions while the sessions are active:
- Extend analysis - Extends the time allocated to the analysis in 1 minute increments
- Terminate - Terminate the behavioral/dynamic analysis task
- Simulate Mouse - Simulate mouse interactions inside the Operating System during the task
Once the analysis task is complete you can access the analysis reports. Find details on how to read the reports in this article.