Post on 03-Aug-2020

Sandboxing

The Sandbox Report shows the results of the file analysis in the Talos virtual sandboxing environment. Cumulative analysis and information about the files collected from the greater community are also shared through the report.

• Overview
• Startup
• Dropped
• Domains/IPs
• Static
• Network
• Behavior

Overview

The General Information section contains information about the sandbox instance that executed the analyzed file.

The Signature Overview section contains behaviors that were observed in the analyzed binary. The behaviors are stack-ranked and color-coded. Each section also displays a color-coded rating scale to represent the maliciousness. At the left end of the rating scale, green indicates benign. On the right end, red indicates malicious. These ratings can be used at a glance to determine if the analyzed file is relatively benign, suspicious, or malicious. Use this high-level information to assign degrees of urgency which help you decide the order in which incidents are investigated.

Startup

The Startup section contains a list of files that execute during startup, while the cleanup section contains a list of files that execute during shutdown.

Dropped

The Created/Dropped Files section contains a list of files that were created by the sample under analysis and dropped in the sandbox while the file was being analyzed.


Domains/IPs

The Contacted Domains and Contacted IPs sections list the domains and IP addresses that were involved during analysis.

Static

The Static File Information section contains information about the file that was uploaded, prior to execution in the virtual sandboxing environment. This information is collected by parsing the file on disk and can be used to search other threat intelligence sources for additional details.

The Static PE information section describes the portable executable file and can be used to get a quick understanding of the properties of the application. For example:

• The Entrypoint field in the General section can be used to determine if the file is packed.

• The Resources, Imports, and Exports can sometimes give you a general understanding of what the executable does. However, note that this information can be obfuscated if the file is packed, leaving only the Resources, Imports, and Exports of the packer exposed until the file is unpacked or executed.

• The Version Info and Possible Origin can sometimes be used to tell when the file was compiled and on which language version of the operating system it was compiled. This can give you hints about the origin of the attack. However, note that this information can be obfuscated or spoofed.
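The entry-point and section checks in the list above are easy to automate for triage. The script below is an added example, not code from the Cisco documentation or from the Talos sandbox: it parses the PE header and section table with the Python standard library, finds the section the entry point lands in, and flags the file as likely packed when that section is not executable, has very high entropy, or carries a packer's section name (which also explains why only the packer's imports are visible in such files). The two PE images it builds are constructed fixtures that never run; the 7.0 bits-per-byte threshold, the packer-name list and all function names are assumptions of this example.

```python
"""Entry-point and section-entropy packing heuristic for PE files (added example, standard library only).
The two PE images at the bottom are constructed in-code as fixtures; they are not real samples and do not run."""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_PACKED_THRESHOLD = 7.0                            # bits/byte; assumed cut-off, tune to your corpus
PACKER_SECTION_PREFIXES = ("UPX", ".ASPACK", ".PETITE")   # a few section names that well-known packers leave behind


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 is the maximum."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe_sections(data: bytes):
    """Return (AddressOfEntryPoint, sections); each section carries name, RVA, size, raw bytes and flags."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                                 # IMAGE_FILE_HEADER
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                                     # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]             # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                                   # IMAGE_SECTION_HEADER i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        flags = struct.unpack_from("<I", data, off + 36)[0]             # Characteristics
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "size": max(vsize, raw_size), "raw": data[raw_ptr:raw_ptr + raw_size], "flags": flags})
    return entry_rva, sections


def assess_packing(data: bytes) -> dict:
    """Flag the image as likely packed from where the entry point lands and what that section looks like."""
    entry_rva, sections = parse_pe_sections(data)
    ep = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["size"]), None)
    reasons, entropy = [], 0.0
    if ep is None:
        reasons.append("entry point lies outside every section")
    else:
        entropy = shannon_entropy(ep["raw"])
        if not ep["flags"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(f"entry section {ep['name']} is not executable")
        if entropy > ENTROPY_PACKED_THRESHOLD:
            reasons.append(f"entry section entropy {entropy:.2f} exceeds {ENTROPY_PACKED_THRESHOLD}")
        if ep["name"].upper().startswith(PACKER_SECTION_PREFIXES):
            reasons.append(f"entry section {ep['name']} is named after a known packer")
    return {"entry_section": ep["name"] if ep else None, "entry_entropy": round(entropy, 2),
            "reasons": reasons, "likely_packed": bool(reasons)}


def build_minimal_pe(entry_rva: int, sections) -> bytes:
    """Construct a tiny PE32 image (DOS stub, headers, section table, section data) as a test fixture."""
    hdr_len = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF   # round up to 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                    # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)  # i386, SizeOfOptionalHeader=224
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                                 # AddressOfEntryPoint
    table, body, raw_ptr = bytearray(), bytearray(), hdr_len
    for name, va, raw, flags in sections:
        raw_size = (len(raw) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, max(len(raw), 0x1000), va, raw_size,
                             raw_ptr if raw else 0, 0, 0, 0, 0, flags)
        body += raw.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes((dos + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + body)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for a compressed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


CODE_RX = 0x60000020                                   # CNT_CODE | MEM_EXECUTE | MEM_READ
# Constructed fixture 1: ordinary layout, entry point inside a low-entropy .text section.
NORMAL_PE = build_minimal_pe(0x1010, [(b".text", 0x1000, b"\x55\x8b\xec\x90" * 256, CODE_RX)])
# Constructed fixture 2: UPX-style layout, empty UPX0 plus a high-entropy UPX1 that holds the entry point.
PACKED_PE = build_minimal_pe(0x2100, [(b"UPX0", 0x1000, b"", 0xE0000080),   # RWX, CNT_UNINITIALIZED_DATA
                                      (b"UPX1", 0x2000, pseudo_random_bytes(4096), CODE_RX)])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        print(label, assess_packing(image))
```

Run it as-is to see both fixtures assessed, or pass the bytes of a real file to `assess_packing`. The verdict is a triage hint in the same spirit as the report's Entrypoint field, not proof: legitimate installers and .NET binaries also carry high-entropy sections, so treat a hit as a reason to look at the unpacked or executed behavior rather than as a final classification.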

Network

The Network Behavior section contains a summary of all of the interesting network traffic that was generated while analyzing the file.

TCP Packets and UDP Packets list all of the TCP/UDP traffic observed while analyzing the file. The IP address and port information can be used to create rudimentary rules on a firewall to restrict ingress/egress activity to certain IP addresses and ports that are known to be associated with malicious code.

DNS Queries lists all of the DNS transactions that were observed while analyzing the file. The query information can be used to detect hosts that are infected on your network, or as a guideline on what domain names need to be blocked in order to control an infection on your network.

HTTP subsections contain HTTP traffic that was observed while analyzing the file. The HTTP information can be used to write network IDS signatures or to block communication with these hosts at the network perimeter.

Behavior

The System Behavior section lists the activities observed while analyzing the file. You can also show or hide the windows behavior details.
