Recorded Future Sandbox - Sample Submission

Secops_threat.pngRecorded Future's malware analysis sandbox has high-volume capability and supports malware configuration extraction, automatically enriching analysis with threat intelligence so you can quickly detect and take action against threats.

  • Quickly analyze malware in a safe, customizable environment
  • Bigger, faster, more customizable
  • Enhances collection, IOCs, and context, enriching functionality of the modules and curated intelligence made by the Intelligence Graph

Overview

  • 3x faster than previous malware analysis capabilities
  • File, URL, and code analysis for Windows, Linux, Android, and macOS
  • Support for large file and archives analysis
  • Network simulation options
  • API access to automate submissions at scale

Technical Features

  • Family classification for over 350 common families
  • Custom x86 static emulation
  • TLS/SSL decryption
  • Access to PCAPs, dropped files, and memory dumps
  • Support for user-submitted YARA rules
  • Live VM interaction

Usage Limits

There is a limit of 1,000 malware sandbox submissions per day. This daily quota is enforced on a monthly basis, with a grace of 10% overage on the month. Service is not suspended unless your usage extends beyond the 10% allowed monthly overage, and customers are not automatically billed for overages.

Recorded Future Sandbox Portal

Accessing the Recorded Future Sandbox portal is a very easy process, enabled via the dedicated link available in the Recorded Future portal menu

Capture.PNG

or the dedicated banner

mceclip0.png

Submitting a file for analysis

From the sandbox portal dashboard click on the submit option:

mceclip0.png

Click on Browse and select a file via the system file browser or drag and drop a file into the dedicated section:

mceclip1.png

Once the file has been selected you are presented with the option of providing a password, which will be used by the analysis engine to access the file content in case it is password protected.

mceclip2.png

Click “Submit” in order to finalize the submission process or “Clear” to cancel the process.

Once the operation is completed and the file uploaded you will be presented with the analysis configuration screen:

mceclip3.png

There are several options available at this step:

File tree - provides a listing of all the files uploaded in the previous step, including the contents of archives. Select all the files you want to include in the analysis. There is a limit of maximum 32 files that can be selected for one analysis job. More information about all supported file types can be found here.

Add command line arguments - enables the possibility of executing/running each one of the files available for analysis, together with command line arguments. To enable this option click on the “Add command line” button. (Note: command line arguments may differ based on the Operating System that is used for the dynamic analysis).

Recorded_Future_Sandbox_-_Sample_Submission_-_5.png

Profiles - provides a listing of all profiles available for analysis including the "Automatic" profile which let's the platform decide what settings to be used for the malware analysis.

Static - enables the pivoting towards the screen that presents the static analysis results for the submitted file:

mceclip5.png

Users can select the "Customize" tab from the upper right corner of the screen to enable the view that allows them to perform a full configuration of the environment in which the dynamic analysis will be performed.

mceclip4.png

This news settings screen provides the following options:

Platforms - provides a listing of all Operating Systems that can be selected for running the dynamic analysis. By default the “Automatic” option is selected, which enables the system to automatically identify the best suited Operating System for performing the analysis. Obs. in some cases the sandbox might run the dynamic analysis on multiple Operating Systems when the “Automatic” option is selected.

Languages - Enables the selection of the default language and keyboard that will be used for the Operating System on which the dynamic analysis will be performed.

Internet Access - sets the type of internet connection/access of the Operating System on which the dynamic analysis will be performed. The following options are available:

  • ON - Full Internet Access is provided during the dynamic analysis
  • OFF - No Internet Access is provided during the dynamic analysis
  • Tor - The Internet Access, during the dynamic analysis, will be routed through the Tor Network
  • 200 - Any connection to the internet during the dynamic analysis will be replied with a 200 (OK) status code indicating that the request has succeeded 
  • 404 - Any connection to the internet during the dynamic analysis will be replied with a 404 (Not Found) status code indicating that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists
  • DNS Disabled - Internet Access is provided during the dynamic analysis but the DNS is disabled. This disables the resolution of domain names and enables access over the internet only based on IP addressing.

Timeout - Sets the duration of the analysis. By default the Timeout is set to 2.5 minutes.

Browser - Provides a listing of all the browsers that can be selected for the dynamic analysis: Google Chrome, Mozilla Firefox, Internet Explorer 11, Microsoft Edge. There is also the option (pre-selected by default) of running the analysis with the default browser of the Operating System that was chosen in the previous section.

 

Once the configuration has been performed, including leaving the default settings unchanged, the dynamic analysis can be started by clicking on the “Analyze” button.

Immediately after pressing the “Analyze” button you will be redirected to the Live Monitor session in which you can watch live and interact with the analysis running in the Operating Systems that were selected (manually or automatically).

mceclip6.png

If multiple sessions were started (for example by the automated option that ran the analysis in multiple Operating Systems), you have the ability to cycle in between the active sessions by clicking any of the active sessions listed on the left side of the screen or on the tabs corresponding to each active session from the right upper corner.

For each session the portal presents information about the session length, Operating System that was provided for the session and the type of task (Ex: behavioral refers to the session performing a dynamic analysis or the sample behavior)

 

While the sessions are active (time depends on the selection made during the configuration of the analysis task) you can perform the following actions:

  • Extend analysis - extends the time allocated to the analysis by adding increments of 1 minute

Recorded_Future_Sandbox_-_Sample_Submission_-_7.png

  • Terminate - terminates the behavioral/dynamic analysis task

Recorded_Future_Sandbox_-_Sample_Submission_-_8.png

  • Simulate Mouse - Simulates mouse interactions inside the Operating System during the dynamic/behavioral analysis task

Recorded_Future_Sandbox_-_Sample_Submission_-_9.png

Once the analysis task is completed you are presented with the option of accessing the analysis reports.

mceclip7.png

Submitting an URL for analysis

From the sandbox portal dashboard click on the submit option:

mceclip0.png

Input/Paste the URL in the dedicated section:

Recorded_Future_Sandbox_-_Sample_Submission_-_11.png

Once the URL has been inserted you have the possibility of clicking on the following options:

  • URL: This is to directly analyse a URL that will be opened in the browser.
  • Fetch: This fetches a file and executes the file in the sandbox.
  • Import From Public: With this you can do an analysis based on a sample ID or tria.ge link.

Considering that we are looking to analyse the previously inserted URL, click on the URL button.

Before starting the full analysis, a preview of the static analysis results (including score and tags) is presented together with the option of starting the analysis (by pressing the “Analyze” button) or deleting the analysis (by pressing the “Delete analysis” button).

Recorded_Future_Sandbox_-_Sample_Submission_-_12.png

In the same windows the user is presented with the option for customizing the virtual machine in which the analysis will be performed:

Recorded_Future_Sandbox_-_Sample_Submission_-_13.png

There are several options available at this step:

Platforms - provides a listing of all Operating Systems that can be selected for running the dynamic analysis. By default the “Automatic” option is selected, which enables the system to automatically identify the best suited Operating System for performing the analysis. Obs. in some cases the sandbox might run the dynamic analysis on multiple Operating Systems when the “Automatic” option is selected.

Languages - Enables the selection of the default language and keyboard that will be used for the Operating System on which the dynamic analysis will be performed.

Internet Access - sets the type of internet connection/access of the Operating System on which the dynamic analysis will be performed. The following options are available:

  • ON - Full Internet Access is provided during the dynamic analysis
  • OFF - No Internet Access is provided during the dynamic analysis
  • Tor - The Internet Access, during the dynamic analysis, will be routed through the Tor Network
  • 200 - Any connection to the internet during the dynamic analysis will be replied with a 200 (OK) status code indicating that the request has succeeded 
  • 404 - Any connection to the internet during the dynamic analysis will be replied with a 404 (Not Found) status code indicating that the origin server did not find a current representation for the target resource or is not willing to disclose that one exists
  • DNS Disabled - Internet Access is provided during the dynamic analysis but the DNS is disabled. This disables the resolution of domain names and enables access over the internet only based on IP addressing.

Timeout - Sets the duration of the analysis. By default the Timeout is set to 2.5 minutes.

Browser - Provides a listing of all the browsers that can be selected for the dynamic analysis: Google Chrome, Mozilla Firefox, Internet Explorer 11, Microsoft Edge. There is also the option (pre-selected by default) of running the analysis with the default browser of the Operating System that was chosen in the previous section.

 

Once the configuration has been performed, including leaving the default settings unchanged, the dynamic analysis can be started by clicking on the “Analyze” button.

Immediately after pressing the “Analyze” button you will be redirected to the Live Monitor session in which you can watch live and interact with the analysis running in the Operating Systems that were selected (manually or automatically).

Recorded_Future_Sandbox_-_Sample_Submission_-_14.png

If multiple sessions were started (for example by the automated option that ran the analysis in multiple Operating Systems), you have the ability to cycle in between the active sessions by clicking any of the active sessions listed on the left side of the screen or on the tabs corresponding to each active session from the right upper corner.

For each session the portal presents information about the session length, Operating System that was provided for the session and the type of task (Ex: behavioral refers to the session performing a dynamic analysis or the sample behavior)

 

While the sessions are active (time depends on the selection made during the configuration of the analysis task) you can perform the following actions:

  • Extend analysis - extends the time allocated to the analysis by adding increments of 1 minute

Recorded_Future_Sandbox_-_Sample_Submission_-_7.png

  • Terminate - terminates the behavioral/dynamic analysis task

Recorded_Future_Sandbox_-_Sample_Submission_-_8.png

  • Simulate Mouse - Simulates mouse interactions inside the Operating System during the dynamic/behavioral analysis task

Recorded_Future_Sandbox_-_Sample_Submission_-_9.png

Once the analysis task is completed you are presented with the option of accessing the analysis reports. Details on how to read the reports can be found in this article.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.
Was this article helpful?
4 out of 4 found this helpful

Articles in this section

See more