A malware analysis sandbox with high-volume capability and malware configuration extraction, automatically enriching analysis with threat intelligence so you can quickly detect and take action against threats.
- Quickly analyze malware in a safe, customizable environment
- Bigger, faster, more customizable
- Enhances collection, IOCs, and context, enriching the functionality of the modules and the curated intelligence produced by the Intelligence Graph
Overview
- 3x faster than existing malware analysis
- File, URL, and code analysis for Windows, Linux, Android, and macOS
- Support for large file and archives analysis
- Network simulation options
- API access to automate submissions at scale
Technical Features
- Family classification for over 350 common families
- Custom x86 static emulation
- TLS/SSL decryption
- Access to PCAPs, dropped files, and memory dumps
- Support for user-submitted YARA rules
- Live VM interaction
Recorded Future Sandbox Portal
Accessing the Recorded Future Sandbox portal is a very easy process, enabled via the dedicated link available in the Recorded Future portal.
Analysis reports
All the reports associated with previous analysis tasks are listed by accessing the “Reports” section:
Once the Reports section is accessed, you can reach:
- My Samples - a listing of all samples submitted by the current user
- Organization Samples - a listing of all samples submitted by any user of the organization
- Search - enables searching based on hashes, malware families, tags, URLs, wallets and emails, combined using the operators AND, OR and NOT. More details are provided in the dedicated Search section
Selecting any report will redirect you towards the “Overview” page of the report together with presenting the tabs for accessing any of the static or dynamic/behavioral reports that were included in the analysis.
Report overview
Every analysis report will contain an overview section, accessible from the “Overview” tab entry:
In the Overview section of the analysis report you will find the following sections:
General
Contains a listing of file size, sample ID (that can be used for identifying the sample report and searching in the platform) and various types of hashes (MD5, SHA1, SHA256 and SHA512) of the submitted file.
The general section also presents the score associated with the sample and various tags according to the results and verdicts from the analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.
Malware Config
For 150 families of malware, Recorded Future Sandbox is capable of extracting full configurations that are presented in this section of the report.
Based on this capability the section presents several elements found in the malware configuration, including when several families are identified in the submissions. Examples of these elements are:
- Attributes like ransomware note, file extension for encryption,
- Command and controls
- Botnet IDs
- Versions of the malware
- Public keys
- Other IDs
Targets
In this section, the Overview Report presents, for each of the samples (identified via its hashes and size), the verdicts and signatures that matched the sample behavior and contributed to the verdict and scoring. Each signature presents the associated tag related to the detection (e.g. trojan, redline) or the type of activity performed (e.g. collection, discovery).
MITRE ATT&CK Matrix
This section presents all techniques together with their associated tactics based on the MITRE ATT&CK framework. Each technique can be clicked in order to pivot to its description on the MITRE website.
Tasks
This section presents all tasks that were run against the sample; these can be static or behavioral analysis tasks. Each task is shown together with the scores and verdicts (as tags) identified in it. Clicking one of the entries lets the user pivot to the corresponding report.
Side menu
The side menu of the Overview Report enables users to:
- Resubmit the sample for another analysis
- Download the sample (only available inside the same organization)
- Provide feedback
- Delete the analysis
Static analysis report
Every submitted sample will have a static analysis performed on it and the Static analysis report will be made available. To access the Static Analysis Report you need to click on the dedicated “Static” tab from the analysis report.
In the Static analysis report you will find the following sections:
General
Presents the sample SHA256 hash, the size of the file and the static analysis score.
Malware Config
Presents the malware configuration details when they can be obtained directly from static analysis, which is very rare.
Signatures
Presents all signatures that matched during the static analysis of the sample.
Files
Lists all files that were part of the static analysis, with their associated type, operating system and architecture.
Side menu
The side menu of the Static analysis report enables users to:
- Resubmit the sample for another analysis
- Download the sample (only available inside the same organization)
- Provide feedback
- Delete the analysis
Dynamic/behavioral analysis report
If the sample was submitted for dynamic/behavioral analysis, the associated report will be generated and made available for the sample. If the submitter selected, or the automated submission process identified, multiple operating systems in which the sample needs to be analyzed, multiple reports will be made available.
The report tab of the dynamic report presents multiple sections.
General
Contains a listing of file size, sample ID (that can be used for identifying the sample report and searching in the platform) and various types of hashes (MD5, SHA1, SHA256 and SHA512) of the submitted file.
The general section also presents the score associated with the sample and various tags according to the results and verdicts from the dynamic analysis. Recorded Future Sandbox recognizes around 350 families of malware for which tags are assigned when identified.
Malware Config
If the dynamic analysis enabled the identification and extraction of a configuration, it is presented in this section.
Signatures
In this section, the Dynamic Analysis Report presents the verdicts and signatures that matched the sample behavior, together with the associated score, which contributes to the final verdict and scoring. Each signature presents the associated tag related to the detection (e.g. trojan, redline) or the type of activity performed (e.g. collection, discovery).
Processes
Presents a listing of the processes that were identified as presenting some level of risk, together with a local score that is aggregated into the overall score of the analysis.
Network
This section presents all domain requests and all TCP and UDP connections made during the dynamic analysis, and plots the distribution of the associated countries on a world map.
MITRE ATT&CK Matrix
This section presents all techniques together with their associated tactics based on the MITRE ATT&CK framework. Each technique can be clicked in order to pivot to its description on the MITRE website.
Replay Monitor
This section presents a replay of the dynamic analysis as seen on the virtual machine's display, together with interaction buttons: Frame Backwards, Play/Pause, Frame Forward and Full Screen.
Downloads
This section enables the user to download, or submit for additional analysis, all files that were generated during the dynamic analysis.
An additional very important feature is that users can download the memory dumps generated by the Sandbox, associated with the system on which the dynamic analysis was performed.
Side menu
The side menu of the Dynamic analysis report enables users to:
- Resubmit the sample for another analysis
- Download the sample (only available inside the same organization)
- Download PCAP and PCAPNG associated with the dynamic analysis
- Provide feedback
- Delete the analysis
The section also presents details about the dynamic analysis, such as the duration of the analysis, platform, image name and submission times.
The dynamic report also contains additional tabs that enable users to access additional information from the behavioural analysis.
These tabs are:
- Files - Lists all files and corresponding actions that were performed against them during the analysis
- Registry - Lists all registry entries and corresponding actions that were performed against them during the analysis
- Network - Lists all network activities and related details about processes that performed them together with the related flow information
- Processes - Lists all actions related to processes (e.g. process creation, process termination) and additional details of the process
- Mutex - Lists all mutex-related activities and associated metadata
- Misc - Lists all other activities that were recorded during the analysis but not fitting the other categories
URLScan
Every submitted URL will have a URLScan analysis performed on it and the associated report will be made available. To access the URLScan Analysis Report you need to click on the dedicated “URLScan” tab from the analysis report.
In the URLScan analysis report you will find the following sections:
URLScan
The section presents the overall verdicts, scores and tags from various perspectives.
A link to the full report on URLScan is presented as well.
Screenshot
This section presents the screenshot taken while accessing the URL in the browser.
Side menu
The side menu of the URLScan report enables users to:
- Resubmit the URL for another analysis
- See the submission on URLScan portal
- Provide feedback
- Delete the analysis