ANY.RUN vs. Joe Sandbox: Malware analysis tools comparison

Image: iStockphoto/ukushusha

What is a sandbox, and why do you need it for malware analysis?

A sandbox is a separate computer and network environment designed to analyze the behavior of software. This type of environment is typically designed to run risky files and determine whether those files represent a malware threat. Some sandboxes are even designed to check URLs to see if they are suspicious and lead to malware infections. Modern sandboxes allow companies or individuals to examine any type of file, including Microsoft Office files, PDF files, and any executable file.

To avoid malware infections, every file a corporation receives should be detonated in a sandbox before it reaches the user. Sandbox solutions can be plugged in almost anywhere in a corporate IT environment: inspecting email attachments, file downloads and more.


What are the limitations of sandboxes?

Sandboxes have limitations for various reasons.

Most sandboxes run as virtual machines that try to mimic real, legitimate machines. An effective sandbox uses dozens of techniques to hide the fact that it is a virtual machine, but cybercriminals keep finding new ways to detect it. In most cases, when malware detects that it is running in an analysis environment, it stops executing in an effort to go undetected.

Sandboxes may also be of little help against malware that targets particular environments. A sandbox that only detonates files on Windows 8.1 may not observe the same behavior the file shows on Windows 10, for example. Some malware also checks the language of the operating system and runs only under specific locales. This is why some sandboxes offer to launch files on many different operating systems with different configurations.

Let's look at two sandboxes with excellent reputations: Any.RUN and Joe Sandbox.

What is Any.RUN Sandbox?

Image: Any.RUN

Any.RUN lets users search its public submissions. An analyst can first look up known indicators of compromise (IoCs) or a sample in the database to see whether it has already been analyzed publicly and read the results. The database contains millions of public submissions and is updated daily.

Any.RUN public submissions search page. Image: Any.RUN

Any.RUN lets free users submit files or URLs to a Windows 7 32-bit virtual machine, while the paid version adds Windows Vista, Windows 8 and Windows 10.

The greatest strength of Any.RUN is the ability to interact in real time with the virtual environment in which the suspicious file or URL is detonated. Once a file is submitted, the user can interact with the entire environment for 60 seconds (longer on paid plans). This is an invaluable feature when analyzing malware that waits for specific user actions before running its payload: imagine a sample that silently waits for the user to start a particular application (a browser, for example) or to click a button in a dialog box. That is where this sandbox becomes really simple and powerful.

Public sample: Any.RUN result page. Image: Any.RUN
Sample text report summary. Image: Any.RUN

What is Joe Sandbox?

Image: Joe Sandbox

Joe Sandbox also lets users browse millions of public analysis results from the sandbox.

Joe Sandbox public results search page. Image: Joe Sandbox

The free version of Joe Sandbox lets users submit files, browse URLs, download and execute files, or submit commands from a command line. It supports Windows, macOS, Android, Linux and iOS, making it a complete solution for organizations running a wide variety of operating systems in their IT infrastructure.

Public sample: Joe Sandbox summary results page. Image: Joe Sandbox

The only Windows systems available in the free version are Windows 7 64-bit virtual machines and Windows 10 64-bit physical machines. Other systems are available in the Cloud Pro service. Few sandboxes offer detonation on real physical hardware, and it is one of Joe Sandbox's biggest features: a physical machine does not expose the virtual machine artifacts that evasive malware looks for.

Any.RUN vs Joe Sandbox: General Functionality

Both sandboxes allow submissions to be made private, and therefore hidden from other users, only in their paid versions. Other than that, both do a great job of exposing the full behavior of detonated files. All activity that occurs after the suspicious file's execution is logged and displayed: file access, Windows registry access and network communication.

In addition, both sandboxes contain signatures and rules, which allow easy and fast triage of files.

The MITRE ATT&CK matrix is also included in both sandboxes, which makes it easy to compare different malware samples by their tactics and techniques and to understand a threat faster.
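To show the shape of the signature-and-rule triage described above, here is an added example (not code from Any.RUN, Joe Sandbox or this article) that runs a handful of behavioral rules over a constructed, vendor-neutral behavior report and maps each hit to a MITRE ATT&CK technique. The JSON layout, the rule weights and the verdict thresholds are assumptions for illustration; neither vendor's real export format is reproduced here.

```python
"""Rule-based triage of a sandbox behavior report.

Added example; not code from ANY.RUN or Joe Sandbox.  Both products log the
process, file, registry and network activity a sample generates and tag it with
signatures and MITRE ATT&CK techniques.  This reproduces that logic over a
constructed report whose JSON layout is an assumption, not a vendor format.
"""
import json
import re

# Constructed behavior report: a macro document spawns encoded PowerShell, which
# drops a fake svchost.exe, persists via a Run key and beacons to a bare IP.
SAMPLE_REPORT = json.loads(r'''
{
  "processes": [
    {"pid": 800, "parent": 4, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "parent": 800,
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n C:\\Users\\victim\\Downloads\\invoice.docm"},
    {"pid": 1300, "parent": 1200,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"}
  ],
  "registry": [
    {"pid": 1300, "op": "write",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "data": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
  ],
  "files": [
    {"pid": 1300, "op": "create", "path": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
  ],
  "network": [
    {"pid": 1300, "proto": "http", "method": "POST", "host": "203.0.113.10", "port": 80, "uri": "/gate.php"}
  ]
}
''')

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
ENCODED_PS = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_office_spawns_script_host(r):
    by_pid = {p["pid"]: p for p in r["processes"]}
    return [f'{basename(by_pid[p["parent"]]["image"])} -> {basename(p["image"])}'
            for p in r["processes"]
            if p["parent"] in by_pid and basename(by_pid[p["parent"]]["image"]) in OFFICE_APPS
            and basename(p["image"]) in SCRIPT_HOSTS]


def rule_encoded_powershell(r):
    return [p["cmdline"] for p in r["processes"]
            if basename(p["image"]) == "powershell.exe" and ENCODED_PS.search(p["cmdline"])]


def rule_run_key_persistence(r):
    return [e["key"] for e in r["registry"] if e["op"] == "write" and RUN_KEY.search(e["key"])]


def rule_masquerading_drop(r):
    return [f["path"] for f in r["files"]
            if f["op"] == "create" and basename(f["path"]) in SYSTEM_NAMES
            and "\\windows\\" not in f["path"].lower()]


def rule_http_post_to_ip(r):
    return [f'{n["method"]} http://{n["host"]}:{n["port"]}{n["uri"]}' for n in r["network"]
            if n["proto"] == "http" and n.get("method") == "POST" and IPV4.match(n["host"])]


# (rule, ATT&CK technique ID, signature name, weight); weights are assumptions.
RULES = [
    (rule_office_spawns_script_host, "T1059", "Office application spawned a script host", 4),
    (rule_encoded_powershell, "T1027", "Base64-encoded PowerShell command line", 3),
    (rule_run_key_persistence, "T1547.001", "Run key persistence", 3),
    (rule_masquerading_drop, "T1036.005", "System binary name dropped outside the Windows directory", 2),
    (rule_http_post_to_ip, "T1071.001", "HTTP POST to a bare IP address", 2),
]


def triage(report: dict) -> dict:
    """Run every rule and return matched signatures, ATT&CK IDs and a verdict."""
    hits = []
    for rule, technique, name, weight in RULES:
        evidence = rule(report)
        if evidence:
            hits.append({"technique": technique, "name": name, "weight": weight, "evidence": evidence})
    total = sum(h["weight"] for h in hits)
    verdict = "malicious" if total >= 6 else "suspicious" if total >= 3 else "no detections"
    return {"score": total, "verdict": verdict, "hits": hits,
            "techniques": sorted({h["technique"] for h in hits})}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

The point of the technique column is exactly what the article describes: two samples with different hashes and different dropped file names still line up when their reports are reduced to the same T1059, T1547.001 and T1071.001 cells, so an analyst can compare families by behavior rather than by indicator.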

Any.RUN vs Joe Sandbox: Which Malware Analysis Sandbox Should You Choose?

Of the two solutions, Joe Sandbox is the one to choose if you need to detonate files across many different operating systems and devices, while Any.RUN covers only Windows. Joe Sandbox also lets you use real physical machines in addition to virtual ones, a terrific feature against samples that first check whether they are running in a sandbox.

On the other hand, Any.RUN is a good choice if you need real-time interaction with the environment in which suspicious files are running. This is an invaluable feature for analyzing threats that require a few clicks or other user interaction before launching their payloads.

While both sandboxes offer a REST API on their paid plans, Joe Sandbox also comes with on-premises plans, which companies concerned about the privacy of their samples will appreciate.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
