Custom Malware Analysis Sandbox (Building)

Before searching for malware, every researcher needs to find a way to analyze it. There are so many ways to do it: one which is building your own environment or using third-party solutions. Today we will take you through all the steps of creating a custom malware Analysis sandbox where you can perform a proper analysis without corrupting your computer. And then compare it with a ready-made service.

photo credits: Hacker News;

Why you need a Custom Malware Analysis Sandbox

A sandbox allows the detection of cyber threats and analyzing them safely. All information remains secure, and an unsafe file cannot have access to the system. You can safely monitor malware processes, identify their patterns and investigate their behavior.

Before setting up a sandbox, you should have a clear goal of what you want to achieve through the lab.

There are two main ways to organize your working space for analysis:

  • Custom Malware Analysis Sandbox. Made from scratch by an analyst on their own, specifically for their needs.
  • A turnkey solution. A versatile service with a range of configurations to meet your demands.

How to make your own malware sandbox

Let\’s take you through all steps that you need to set up the simple environment for malware research:1 — Install a virtual machine

  1. Install a Virtual Machine

Running malware should happen in an isolated environment to avoid infection of a host operating system. It\’s better to have an isolated computer to install the Malware Analysis Sandbox. There are a bunch of VMs presented in the market: VMWare, VirtualBox, KVM, Oracle VM VirtualBox, Microsoft Hyper-V, Parallels, or Xen.2 — Check artifact

2. Check artifacts

Modern malware is sensitive– it knows whether it\’s run on the virtual machine or not. That is why it\’s essential to get rid of artifacts. Check code, remove detection, and others.

3 — Use a different network

Another precaution to prevent Malware is to use a different network system. Preventing the corruption of other computers on your network is important. Get a VPN service and set it up correctly. This is a very important precaution in building a Custom Malware Analysis Sandbox

4 — Assign a realistic amount of resources

In order to make your system look as authentic as possible to trick any Malware into executing. Make sure that you assign a realistic amount of resources: more than 4 Gb of RAM, a minimum of 4 cores, and disk space of 100 Gb and more. That is a basic requirement to pretend as a legit system.

5 — Install popular software

If you install Windows and leave it as is, a malicious object will get that it is analyzed.

Install a few applications, like Word, browsers, and other programs that all users usually have. This is a Basic method for building your Custom Malware Analysis Sandbox

6 — Open several files

We need to be sure that it is a real computer that belongs to someone. Open a few documents to accumulate logs and a few temp files. Several types of viruses check this. When building a Custom Malware Analysis Sandbox, this is a smart move. Note that these programs can be detected by malware when it is running.

7 — Imitate a network connection

Some mischievous types of malware check if they can connect to websites like Google. How do you trick a malicious program into thinking that it\’s online? Utilities like INetSim and the FakeNet tool imitate a real Internet connection and allow us to intercept the requests that malware is making. Try to check network protocols between a malicious object and its host server. But beforehand, find out what the analyzed sample is connecting with using WireShark. And it takes some effort not to give up this tool to the malware, be careful, especially during your Custom Malware Analysis

8 — Install analysis tools

Prepare the tools you\’ll use for analysis and ensure that you know how to use them. You can go with Flare VM tools or make use of these programs:

  • Debuggers: x64dbg investigates malicious code by executing it.
  • Disassemblers: Ghidra makes reverse engineering easier, with access to the decompiler\’s output. It also can be used as a debugger.
  • Traffic analyzers: Wireshark checks network communication that malware requests.
  • File analyzers: Process Monitor, ProcDOT aim to monitor and understand how processes deal with files.
  • Process monitors: Process Explorer, Process Hacker help to watch malware behavior.

9 — Update your system to the latest version

Your system should be up-to-date as well as all software. Filter out the regular Windows changes that are happening quite often. However, your experiment may require a different version, such as how malware exploits some OS errors. In this scenario, choose and get the necessary version set up.10 — Turn off Windows Defender and Windows firewall.

Is there a more efficient option to analyze malware?

All these steps take a lot of time and preparation. And still, there is a chance that your sandbox will not be secure enough, invisible for malware, and provide the necessary information. So, what is a better solution? Here comes the second option – use a ready-made solution. Let\’s take a look at ANY.RUN.

ANY.RUN is an online malware sandbox that you can use for detection, monitoring, and analyzing threats. The best part of it is time and convenience:

  1. It takes only a few minutes to complete an analysis of a malicious sample.
  2. Most of the tools are ready for you, just choose what you need and start the task.
  3. Your files, system, and network are completely safe.
  4. The interface is simple enough even for junior analysts.

It\’s still can be customizable – select an operating system, software set, localization, and other details for your purposes. But the perk is that you don\’t need to install anything! Take your computer, and you are all set.

Leave a Comment

Your email address will not be published. Required fields are marked *