Interactive Malware Sandbox in Your Security System

Written by

The number of sophisticated cyber-attacks increased by 32% in the second quarter of 2022 compared to the same period in 2021, according to Check Point Research.

Cyber-criminals carry out complex attacks by using different techniques and entry points to penetrate the victim's system. Traditional antiviruses are usually unable to cope with such threats.

We will discuss how companies can solve this problem by using an interactive service as an example of the ANY.RUN online malware sandbox.

The role of a malware sandbox in security

To identify an infected program, it must be downloaded and activated. This can be performed in a virtual machine on a working PC, but you need the experience to set it up. If you do it incorrectly, the threat may extend beyond the test environment. For example, polymorphic trojans spread to other machines via the internal network.

Sandboxes solve this problem. It is a virtual environment where you can upload suspicious files to safely activate malware, analyze its behavior and collect artifacts and indicators of compromise (IOCs). This data can be used to build defenses.

Malware sandboxes can be two types: automatic and interactive. Automated sandboxes perform analysis autonomously. After uploading samples and starting the analysis, we have no control over the emulation process. The sandbox tries to activate the malware itself and reports back to us after some time.

The problem with this approach is that some samples detonate upon certain user actions or system settings. This is where interactive type comes in, allowing specialists to work with the system directly and simulate user actions.

Benefits of an interactive malware sandbox

Automatic and interactive sandboxes are not interchangeable tools. In a complete security system, they each have their own role. For example, an analyst inspects and identifies many files in an automated sandbox, and analyze them in an interactive service to quickly find hidden IOCs.

Interactive malware sandboxes are a better solution when you need to detect malware without waiting for a report or while working with complex samples.

The advantages include:

  • The ability to influence the analysis process. Specialists can interact with the virtual environment as they do with a PC: reset the system, click on files, open them in Word and do all the things as a victim of an actual cyber attack would.

  • Flexible customization. Change the system language, currency or region easily. Certain locale settings activate some malware types, and you must go through several settings combinations to find them. It helps to detonate complex patterns that slip past the automatic sandboxes.

  • Instant access to IOCs. The VM launches immediately, and analysts see the processes generated by the malware after the research has started. This allows conclusions to be drawn before the analysis is complete. Automatic sandboxes only show results after emulation, and usually, this process takes a few minutes.

Use cases with an interactive malware sandbox

Let's examine a few examples of real-world tasks from the ANY.RUN online malware sandbox.

  • Incident response

If there is an attack, every second counts. In the task, we analyze an infected file with Agent Tesla. It is a trojan that steals credentials.

In this scenario, we understand that an infection has occurred, but we don't know what malicious software has infiltrated the system. Because the VM runs instantly, malware analysts could identify Agent Tesla in just 10 seconds using ANY.RUN. With this, the cybersecurity specialist protected the system before sensitive data was leaked.

  • System Restart

Some malware only starts executing malicious code after the system reboot. This is how they hide from automatic sandboxes. In ANY.RUN, an expert can download a file with such a program, restart the OS, and then collect IOCs. This entire process takes only a few minutes.

  • Locale setup

There are malicious programs that target specific regions. They may check what OS language is set or what keyboard layout is used on the computer before executing. To identify such complex malware, it is essential to be able to change these settings easily. 

We encountered a suspicious file in the task, but the initial analysis revealed no malicious activity. Using an automated sandbox, this file would have passed inspection. However, after changing the locale, the malware activated, and the analyst identified it as Raccoon Stealer, a program that steals confidential information.

Cyber-attacks are common but they are not inevitable. These threats could have been prevented with the proper measures and technologies. Using advanced tools like interactive malware sandboxes can help analyze, detect and prevent even the most evasive and dangerous attacks.


Use the promo code to run all files and links in ANY.RUN online malware sandbox and uncover advanced threats: 
Write the “Infosec” promo code to support@any.run using your business email address and get 14 days of ANY.RUN premium subscription for free. 

Brought to you by

What’s hot on Infosecurity Magazine?