Recorded Future Sandbox is a malware analysis sandbox with high-volume capability and malware configuration extraction that automatically enriches analysis with threat intelligence so you can quickly detect and take action against threats.
Technical Features
- Family classification for over 350 common families
- Custom x86 static emulation
- TLS/SSL decryption
- Access to PCAPs, dropped files, and memory dumps
- Support for user-submitted YARA rules
- Live VM interaction
Recorded Future Sandbox Portal
You can access the Recorded Future Sandbox from the top menu, shown below.
Analysis reports
All the reports associated with previous analysis tasks are listed by accessing the “Reports” section:
Once in the Reports section, you can reach:
- My Samples - a listing of all samples submitted by the current user
- Organization Samples - a listing of all samples submitted by any user of the organization
- Search - enables searching by hashes, malware families, tags, URLs, wallets and emails, combined with the operators AND, OR and NOT. More details are provided in the dedicated Search section
Selecting any report takes you to the “Overview” page of that report, which also presents tabs for accessing each of the static or dynamic/behavioral reports included in the analysis.
Overview Report
Every analysis report will contain an Overview tab that includes General Information, Malware Config, Targets, MITRE ATT&CK Matrix, and Tasks. Descriptions of each section are included below.
General
The general section presents the score associated with the sample and various tags according to the results and verdicts from the analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.
It also includes the target URL and sample ID (that can be used for identifying the sample report and searching in the platform) of the submitted file.
Malware Config
For 150 families of malware, Recorded Future Sandbox is capable of extracting full configurations that are presented in this section of the report.
This section presents the elements found in the extracted malware configuration, including when several families are identified in one submission. Examples of these elements are:
- Attributes such as the ransomware note and the file extension used for encryption
- Command-and-control servers
- Botnet IDs
- Versions of the malware
- Public keys
- Other IDs
Targets
In this section, the Overview Report presents, for each of the samples (identified via its various hashes and size), the verdicts and signatures that matched the sample behavior and contributed to the verdict and scoring. Each signature presents the associated tag related to the detection (e.g., trojan, redline) or the type of activity performed (e.g., collection, discovery).
MITRE ATT&CK Matrix
This section presents all techniques together with their associated tactics based on the MITRE ATT&CK framework. Each technique can be clicked to pivot to its description on the MITRE website.
Tasks
This section presents all tasks that were run against the sample. These can be static or behavioral analysis tasks. Each task is presented together with the scores and verdicts, shown as tags, that were identified in it. Clicking on an entry pivots to the corresponding report.
Side menu
The side menu of the Overview Report allows you to:
- Resubmit the sample for another analysis
- Download the sample (only available inside the same organization)
- Provide feedback
- Print to PDF
- Pivot to Malware Intelligence (requires a Threat Intelligence license)
- Delete the analysis
Static analysis report
Every submitted sample will have a static analysis performed on it and the Static analysis report will be made available. Click the “Static” tab in the top navigation to open the report.
In the Static analysis report you will find the following sections:
General
Presents the sample SHA256 hash, the file size and the static analysis score.
Malware Config
Presents the malware configuration details if they are available directly from static analysis, which is rare.
Signatures
Presents all signatures that matched during the static analysis of the sample.
File Explorer
Lists all files that were part of the static analysis with their associated file type, operating system and architecture.
Side menu
The side menu of the Static Report allows you to:
- Resubmit the sample for another analysis
- Download the sample (only available inside the same organization)
- Provide feedback
- Delete the analysis
Dynamic/behavioral analysis report
If the sample was submitted for dynamic/behavioral analysis, the associated report is generated and made available for the sample. If you selected, or the automated submission process identified, multiple operating systems in which the sample needs to be analyzed, multiple reports will be available.
The Report tab of the dynamic report presents the following sections.
General
Contains a listing of file size, sample ID (that can be used for identifying the sample report and searching in the platform) and various types of hashes (MD5, SHA1, SHA256 and SHA512) of the submitted file.
The general section also presents the score associated with the sample and various tags according to the results and verdicts from the dynamic analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.
Malware Config
If the dynamic analysis enabled the identification and extraction of a config, that will be presented in this section.
Signatures
This section includes the verdicts and signatures that matched the sample behavior together with the associated score, which contributes to the final verdict and scoring. Each signature presents the associated tag related to the detection (e.g., trojan, redline) or the type of activity performed (e.g., collection, discovery).
Processes
Presents a listing of the processes that were identified as presenting some level of risk, together with a local score that is aggregated into the overall score of the analysis. Hover over the Process ID to copy and share a link to the process or to view the Analysis Logs.
Network
The section presents all domain requests and all TCP and UDP connections that were made during the dynamic analysis. It also plots the distribution of associated countries on the world map.
MITRE ATT&CK Enterprise
This section presents all techniques together with their associated tactics based on the MITRE ATT&CK framework. Each technique can be clicked to pivot to its description on the MITRE website.
Replay Monitor
This presents a replay of the dynamic analysis as seen via the display of the virtual machine, together with some interaction buttons: Frame Backwards, Play/Pause, Frame Forward and Full Screen.
Downloads
Download or submit for additional analysis any files that were generated during the dynamic analysis.
You can also download memory dumps generated by the Sandbox associated with the system on which the dynamic analysis was performed.
Side menu
The side menu of the Dynamic Analysis Report allows you to:
- Resubmit the sample for another analysis
- Provide feedback
- Print to PDF
- Download the PCAPNG associated with the dynamic analysis
- Delete the analysis
The side menu also presents details about the dynamic analysis such as the duration of the analysis, the platform, the image name and the submission times.
URLScan
Every submitted URL has a URLScan analysis and an associated report. Click the URLScan tab in the analysis report to open it.
URLScan
The section includes the overall verdicts, scores and tags from various perspectives.
You can also click on the included link to view the original report.
Screenshots
Any screenshots taken during the process of accessing the URL in the browser are included here.
Side menu
The side menu of the URLScan report allows you to:
- Resubmit the URL for another analysis
- See the submission on urlscan.io
- Provide feedback
- Print to PDF
- Delete the analysis