Recorded Future Sandbox - Analysis Report Dissemination

A malware analysis sandbox with high-volume capability and malware configuration extraction, automatically enriching analysis with threat intelligence so you quickly detect and take action against threats.

  • Quickly Analyze Malware in a Safe, Customizable Environment
  • Bigger, Faster, more customizable
  • Enhances collection, IOCs, and context, enriching the functionality of the modules and the curated intelligence produced by the Intelligence Graph

Overview

  • 3x faster than existing malware analysis 
  • File, URL, and code analysis for Windows, Linux, Android, and macOS
  • Support for large file and archives analysis
  • Network simulation options
  • API access to automate submissions at scale

Technical Features

  • Family classification for over 350 common families
  • Custom x86 static emulation
  • TLS/SSL decryption
  • Access to PCAPs, dropped files, and memory dumps
  • Support for user-submitted YARA rules
  • Live VM interaction

Recorded Future Sandbox Portal

Accessing the Recorded Future Sandbox portal is straightforward: use the dedicated link available in the Recorded Future portal.


Analysis reports

All the reports associated with previous analysis tasks are listed in the “Reports” section:


Once the Reports section is open, you can reach:

  • My Samples - a listing of all samples submitted by the current user
  • Organization Samples - a listing of all samples submitted by any user of the organization
  • Search - enables searching by hashes, malware families, tags, URLs, wallets and emails, combined with the operators AND, OR and NOT. More details are provided in the dedicated Search section

Selecting any report takes you to the “Overview” page of that report, which also presents the tabs for accessing each of the static or dynamic/behavioral reports included in the analysis.


Report overview

Every analysis report will contain an overview section, accessible from the “Overview” tab entry:


In the Overview section of the analysis report you will find the following sections:

General


Contains the file size, the sample ID (which can be used to identify the sample report and to search the platform) and several hashes (MD5, SHA1, SHA256 and SHA512) of the submitted file.

The general section also presents the score associated with the sample and various tags according to the results and verdicts from the analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.
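The General section lists four digests of the submitted file, and the Search section accepts hashes as search terms. The following is an added example (not code from Recorded Future or the Sandbox API) that computes the same four digests locally in a single pass, so an analyst can confirm that a file on disk is the one a report describes, or paste a digest into Search. The function names, the constructed sample bytes and the `matches_report` helper are assumptions of this example.

```python
"""Compute the four digests a report's General section lists (MD5, SHA1,
SHA256, SHA512) for a local file in one pass.
Added example; not code from Recorded Future or the Sandbox API."""
import hashlib
import os
import tempfile

# The algorithms the report's General section shows.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digest_sample(data: bytes) -> dict:
    """Return {algorithm: lowercase hex digest} for an in-memory sample."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digest_sample but streams the file, so large samples and
    archives are hashed without loading them fully into memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(local: dict, report: dict) -> bool:
    """Compare local digests against hashes copied from a report's General
    section (hypothetical helper). Comparison is case-insensitive; every
    algorithm present in both dicts must agree, and at least one must be
    present, otherwise the check is inconclusive and returns False."""
    report_lc = {k.lower(): v.lower() for k, v in report.items()}
    common = set(local) & set(report_lc)
    if not common:
        return False
    return all(local[name] == report_lc[name] for name in common)


if __name__ == "__main__":
    # Constructed sample bytes; in practice this is the file you submitted.
    sample = b"abc"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(sample)
        path = tmp.name
    try:
        digests = digest_file(path)
    finally:
        os.unlink(path)
    for name in ALGORITHMS:
        # Any of these values can be used as a search term in Reports > Search.
        print(f"{name.upper():7s} {digests[name]}")
```

Streaming the file in chunks matters because the Sandbox accepts large files and archives; hashing those with a single `read()` would hold the whole sample in memory.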

Malware Config

For 150 families of malware, Recorded Future Sandbox is capable of extracting full configurations that are presented in this section of the report.


Based on this capability, the section presents the elements found in the malware configuration, including when several families are identified in the submission. Examples of these elements are:

  • Attributes such as the ransom note and the file extension used for encryption
  • Command and control servers
  • Botnet IDs
  • Malware versions
  • Public keys
  • Other IDs

Targets

In this section, the Overview report presents, for each sample (identified via its various hashes and size), the verdicts and signatures that matched the sample behavior and contributed to the verdict and scoring. Each signature presents the associated tag related to the detection (e.g. trojan, redline) or to the type of activity performed (e.g. collection, discovery).


MITRE ATT&CK Matrix

This section presents all techniques together with their associated tactics from the MITRE ATT&CK framework. Each technique can be clicked to pivot to its description on the MITRE website.


Tasks

This section presents all tasks that were run against the sample. These can be static or behavioral analysis tasks. Each task is presented together with the scores and verdicts identified in it, shown as tags. Clicking on an entry pivots to the corresponding report.


Side menu

The side menu of the Overview report enables users to:

  • Resubmit the sample for another analysis
  • Download the sample (only available inside the same organization)
  • Provide feedback
  • Delete the analysis


Static analysis report

Every submitted sample has a static analysis performed on it, and the Static analysis report is made available. To access the Static analysis report, click the dedicated “Static” tab of the analysis report.


In the Static analysis report you will find the following sections:

General

Presents the sample's SHA256 hash, the size of the file and the static analysis score.


Malware Config

Presents the malware configuration details in case they are available directly from static analysis, which is very rare.


Signatures

Presents all signatures that matched during the static analysis of the sample.

Files

Lists all files that were part of the static analysis with their associated type, operating system and architecture.


Side menu

The side menu of the report enables users to:

  • Resubmit the sample for another analysis
  • Download the sample (only available inside the same organization)
  • Provide feedback
  • Delete the analysis


Dynamic/behavioral analysis report

If the sample was submitted for dynamic/behavioral analysis, the associated report is generated and made available for the sample. If the submitter selected, or the automated submission process identified, multiple operating systems in which the sample needs to be analyzed, multiple reports are made available.


In the report tab of the dynamic report, multiple sections are presented.


General

Contains the file size, the sample ID (which can be used to identify the sample report and to search the platform) and several hashes (MD5, SHA1, SHA256 and SHA512) of the submitted file.

The general section also presents the score associated with the sample and various tags according to the results and verdicts from the dynamic analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.


Malware Config

If the dynamic analysis enabled the identification and extraction of a configuration, it is presented in this section.


Signatures

In this section, the Dynamic analysis report presents the verdicts and signatures that matched the sample behavior, together with the associated score that contributes to the final verdict and scoring. Each signature presents the associated tag related to the detection (e.g. trojan, redline) or to the type of activity performed (e.g. collection, discovery).


Processes

Presents the processes that were identified as presenting some level of risk, together with a local score that is aggregated into the overall score of the analysis.


Network

This section presents all domain requests and all TCP and UDP connections made during the dynamic analysis, and plots the distribution of the associated countries on a world map.


MITRE ATT&CK Matrix

This section presents all techniques together with their associated tactics from the MITRE ATT&CK framework. Each technique can be clicked to pivot to its description on the MITRE website.


Replay Monitor

This section presents a replay of the dynamic analysis as seen on the display of the virtual machine, together with the interaction buttons Frame Backwards, Play/Pause, Frame Forward and Full Screen.


Downloads

This section enables the user to download, or submit for additional analysis, all files that were generated during the dynamic analysis.

An additional, very important feature is that users can download the memory dumps generated by the Sandbox for the system on which the dynamic analysis was performed.


Side menu

The side menu of the report enables users to:

  • Resubmit the sample for another analysis
  • Download the sample (only available inside the same organization)
  • Download PCAP and PCAPNG associated with the dynamic analysis
  • Provide feedback
  • Delete the analysis

The side menu also presents some details about the dynamic analysis, such as the duration of the analysis, the platform, the image name and the submission times.


The dynamic report also contains additional tabs that enable users to access additional information from the behavioural analysis.


These tabs are:

  • Files - Lists all files and the corresponding actions performed on them during the analysis
  • Registry - Lists all registry entries and the corresponding actions performed on them during the analysis
  • Network - Lists all network activities, details about the processes that performed them and the related flow information
  • Processes - Lists all actions related to processes (e.g. process creation, process termination) and additional details of each process
  • Mutex - Lists all mutex-related activities and associated metadata
  • Misc - Lists all other activities recorded during the analysis that do not fit the other categories

URLScan

Every submitted URL has a URLScan analysis performed on it, and the associated report is made available. To access the URLScan analysis report, click the dedicated “URLScan” tab of the analysis report.


In the URLScan analysis report you will find the following sections:

URLScan

The section presents the overall verdicts, scores and tags from various perspectives.


A link to the full report on URLScan is presented as well.

Screenshot

This section presents the screenshot taken while the URL was accessed in the browser.


Side menu

The side menu of the URLScan report enables users to:

  • Resubmit the URL for another analysis
  • See the submission on the URLScan portal
  • Provide feedback
  • Delete the analysis


This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.