Wednesday, July 17, 2019


VirusTotal MultiSandbox += SNDBOX

Today, VirusTotal is happy to welcome SNDBOX to the Multi-sandbox project. SNDBOX is a cloud-based automated malware analysis platform. SNDBOX's advanced dynamic analysis capabilities give additional insights and visibility into a variety of file types.

In their own words:
  • SNDBOX malware research platform is developed by researchers for researchers and provides static, dynamic and network analysis.
  • SNDBOX is the first malware research solution to leverage multiple AI detection vectors and undetectable kernel driver analysis. 
  • SNDBOX kernel agent is located between the user mode and kernel mode. The agent has the ability to detect all malicious activities going from the running application to its execution in the operating system.
  • SNDBOX technology delivers in-depth results quickly, while providing AI and big data insights necessary for comprehensive malware research and false positive rate reduction.

Highlighting some examples

Detecting a ZBOT variant, with high visibility into the “Process Hollowing” and “Process Injection” techniques used by the malware.

On the SNDBOX site you can see malicious network domains, and dropped files found during analysis can be sent for next-stage file analysis.

VirusTotal Enterprise users may click on the mutex to search for other samples with the same mutex.

This links to a search of behavior:"7EF531C0" which will lead you to other behaviour reports with the same mutex name.

Revealing malicious network domains, as well as enabling next stage file analysis of dropped files found in analysis.


On VirusTotal, take note of the DNS resolutions and dropped files. Dropped files are defined as the interesting files that are written to disk by the sample under analysis.

Pykspa variant, network activity detected with Suricata and dropped files being sent for second stage analysis & detection:

Within the “Registry Keys Set” section we find that the sample is set to RunOnce on next startup, possibly a method to achieve persistence. 

VT Enterprise customers can click on the registry value, which uses the “behavior_registry” search modifier, to search for other files that also use the same registry value: behavior_registry:"nrsyjl"

Bancteian variant data stealer caught and detected by SNDBOX's signatures:

Within the SNDBOX report check out the detections: