Aug 03, 2020
dariahiddleston
Sandboxing

The Sandbox Report shows the results of the file analysis in the Talos virtual sandboxing environment. Cumulative analysis and information about the files collected from the greater community are also shared through the report.

• Overview, on page 1
• Startup, on page 1
• Dropped, on page 1
• Domains/IPs, on page 2
• Static, on page 2
• Network, on page 2
• Behavior, on page 2

Overview

The General Information section contains information about the sandbox instance that executed the analyzed file.

The Signature Overview section lists the behaviors that were observed in the analyzed binary. The behaviors are stack-ranked and color-coded. Each section also displays a color-coded rating scale to represent the maliciousness: green at the left end of the scale indicates benign, red at the right end indicates malicious. These ratings can be used at a glance to determine whether the analyzed file is relatively benign, suspicious, or malicious, and to assign degrees of urgency that help you decide the order in which incidents are investigated. Treat a green rating as "no malicious behavior was observed in this run" rather than as proof that the file is safe: a sample that checks for a virtual machine, waits for a trigger, or needs a specific argument can run clean inside the sandbox.

Startup

The Startup section contains a list of files that execute during startup, while the Cleanup section contains a list of files that execute during shutdown.

Dropped

The Created/Dropped Files section contains a list of files that were created by the sample under analysis and dropped in the sandbox while the file was being analyzed.

Sandboxing 1


Domains/IPs

The Contacted Domains and Contacted IPs sections list the domains and IP addresses that were involved during analysis.

Static

The Static File Information section contains information about the file that was uploaded, prior to execution in the virtual sandboxing environment. This information is collected by parsing the file on disk and can be used to search other threat intelligence sources for additional details.

The Static PE Information section describes the portable executable file and can be used to get a quick understanding of the properties of the application. For example:

• The Entrypoint field in the General section can be used to determine if the file is packed. An entry point that does not fall inside the first code section, that lands in the last section, or that lands in a section marked writable usually means a packer stub runs before the original program does.

• The Resources, Imports, and Exports can sometimes give you a general understanding of what the executable does. However, note that this information can be obfuscated if the file is packed, leaving only the Resources, Imports, and Exports of the packer exposed until the file is unpacked or executed.

• The Version Info and Possible Origin can sometimes be used to tell when the file was compiled and on what language version of operating system the file was compiled. This can give you hints about the origin of the attack. However, note that this information can be obfuscated or spoofed: the compile timestamp and the resource language are plain header fields that anyone building the file can set to whatever they like.
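The packing checks described above, as an added example that is not part of the Talos documentation or of the sandbox itself: a small PE section-table parser plus the heuristics a triager applies to the Static PE fields (entry point outside a code section, in the last section, in a writable section, in a high-entropy section, and a section with no raw data to unpack into). The PE images it runs on are constructed in the code with a hypothetical `build_pe` helper, so the section names and addresses are made up for the demo, and the 7.0 bits-per-byte entropy threshold is an assumed rule of thumb.

```python
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
HIGH_ENTROPY = 7.0            # assumed threshold; compressed or encrypted data sits near 8.0 bits/byte

def shannon_entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_sections(data):
    """DOS header -> PE signature -> COFF -> optional header -> section table; ValueError if malformed."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "rsize": rsize, "chars": chars,
                         "entropy": shannon_entropy(data[rptr:rptr + rsize])})
    return entry_rva, sections

def packing_indicators(data):
    """Heuristics a triager applies to the Static PE fields; an empty list means nothing stood out."""
    entry_rva, sections = parse_sections(data)
    home = next((s for s in sections
                 if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if home is None:
        return ["entry point 0x%x lies outside every section" % entry_rva]
    hits = []
    if not home["chars"] & IMAGE_SCN_CNT_CODE:
        hits.append("entry section %s is not flagged as code" % home["name"])
    if home["chars"] & IMAGE_SCN_MEM_WRITE:
        hits.append("entry section %s is writable (self-modifying stub)" % home["name"])
    if len(sections) > 1 and home is sections[-1]:
        hits.append("entry point is in the last section %s" % home["name"])
    if home["entropy"] > HIGH_ENTROPY:
        hits.append("entry section %s has entropy %.2f" % (home["name"], home["entropy"]))
    for s in sections:
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append("section %s has no raw data but 0x%x virtual bytes (unpack target)"
                        % (s["name"], s["vsize"]))
    return hits

def build_pe(sections, entry_rva):
    """Hypothetical helper: a constructed minimal PE32 image (headers + raw sections), not a runnable program."""
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)     # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table, body, rptr = b"", b"", 0x200
    for name, vaddr, vsize, raw, chars in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             rptr if raw else 0, 0, 0, 0, 0, chars)
        body += raw
        rptr += len(raw)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x200, b"\0") + body

def pseudo_random(n, seed=b"constructed sample"):
    """Deterministic high-entropy filler standing in for a packer's compressed payload."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RDATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
STUB = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed "normal" image: entry in a low-entropy .text, read-only .rdata behind it.
PLAIN = build_pe([(b".text", 0x1000, 0x1000, b"\x55\x8b\xec\x90" * 1024, CODE),
                  (b".rdata", 0x2000, 0x1000, b"\x00" * 0x200, RDATA)], 0x1000)
# Constructed "packed" image: empty UPX0 to unpack into, entry inside a high-entropy writable UPX1.
PACKED = build_pe([(b"UPX0", 0x1000, 0x8000, b"", STUB),
                   (b"UPX1", 0x9000, 0x1000, pseudo_random(0x1000), STUB)], 0x9100)
```

`packing_indicators(PLAIN)` returns an empty list, while `packing_indicators(PACKED)` returns five findings (entry section not code, writable, last, high entropy, plus the empty UPX0 unpack target). On a real sample run the same function over the file bytes; the `build_pe` images exist only so the example runs offline.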

Network

The Network Behavior section contains a summary of all of the interesting network traffic that was generated while analyzing the file.

TCP Packets and UDP Packets list all of the TCP/UDP traffic observed while analyzing the file. The IP address and port information can be used to create rudimentary rules on a firewall to restrict ingress/egress activity to certain IP addresses and ports that are known to be associated with malicious code. Before turning the list into rules, remove traffic the sandbox itself generates (its DNS resolver, operating-system update checks) so that you block only the addresses the sample contacted.

DNS Queries lists all of the DNS transactions that were observed while analyzing the file. The query information can be used to detect hosts on your network that are infected, or as a guideline for which domain names need to be blocked in order to contain an infection on your network.

The HTTP subsections contain the HTTP traffic that was observed while analyzing the file. The HTTP information can be used to write network IDS signatures or to block communication with these hosts at the network perimeter.
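The three uses just described (firewall rules from TCP/UDP packets, infected-host detection from DNS queries, IDS signatures from HTTP requests), as one added example that is not part of the Talos documentation or of the sandbox product. The `REPORT` dictionary is a constructed stand-in for the report's network subsections, the `EVE_LOG` lines are constructed Suricata EVE JSON from a monitored network, and the generated rules assume Suricata 5 or later (the `dns.query`, `http.method`, `http.host` and `http.uri` sticky buffers). Addresses and domain names are made up for the example.

```python
import json

# Constructed indicator set in the shape of the TCP Packets, UDP Packets, DNS Queries and HTTP subsections.
REPORT = {
    "tcp": [{"dst": "203.0.113.10", "dport": 8080}, {"dst": "203.0.113.10", "dport": 8080},
            {"dst": "203.0.113.10", "dport": 443}],
    "udp": [{"dst": "192.0.2.53", "dport": 53}],
    "dns": ["update.example-cdn.test", "cdn7.example-cdn.test"],
    "http": [{"method": "POST", "host": "update.example-cdn.test", "uri": "/gate.php"}],
}

# Constructed Suricata EVE JSON lines (one JSON object per line) from the monitored network.
EVE_LOG = """
{"timestamp":"2020-08-03T10:15:02.1+0000","event_type":"dns","src_ip":"10.0.0.15","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"update.example-cdn.test","rrtype":"A"}}
{"timestamp":"2020-08-03T10:15:03.4+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2020-08-03T10:15:05.9+0000","event_type":"flow","src_ip":"10.0.0.15","dest_ip":"203.0.113.10","dest_port":8080}
{"timestamp":"2020-08-03T10:16:11.0+0000","event_type":"dns","src_ip":"10.0.0.31","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"a.cdn7.example-cdn.test","rrtype":"A"}}
{"timestamp":"2020-08-03T10:16:12.0+0000","event_type":"dns","src_ip":"10.0.0.22","dest_ip":"10.0.0.2","dns":{"type":"query","rrname":"example-cdn.test.evil.example","rrtype":"A"}}
"""

def _content(s):
    """Escape the characters Suricata treats specially inside content:"..."."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")

def suricata_rules(report, sid=9000000):
    """Report indicators -> Suricata rules: drop the C2 IP:port pairs, alert on the DNS names and HTTP requests."""
    rules, seen = [], set()
    for proto in ("tcp", "udp"):
        for p in report[proto]:
            key = (proto, p["dst"], p["dport"])
            # 53/udp to the sandbox's resolver is analysis infrastructure, not the sample's C2: skip it.
            if key in seen or (proto == "udp" and p["dport"] == 53):
                continue
            seen.add(key)
            rules.append('drop %s $HOME_NET any -> %s %d (msg:"Sandbox report C2 %s:%d"; sid:%d; rev:1;)'
                         % (proto, p["dst"], p["dport"], p["dst"], p["dport"], sid))
            sid += 1
    for name in report["dns"]:
        rules.append('alert dns $HOME_NET any -> any any (msg:"Sandbox report DNS %s"; dns.query; '
                     'content:"%s"; nocase; sid:%d; rev:1;)' % (name, _content(name), sid))
        sid += 1
    for h in report["http"]:
        rules.append('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Sandbox report HTTP %s %s"; '
                     'flow:established,to_server; http.method; content:"%s"; http.host; content:"%s"; '
                     'http.uri; content:"%s"; sid:%d; rev:1;)'
                     % (h["method"], h["uri"], _content(h["method"]), _content(h["host"]),
                        _content(h["uri"]), sid))
        sid += 1
    return rules

def matching_domain(domains, rrname):
    """Exact or subdomain match only; a plain substring match would also flag look-alike names."""
    rr = rrname.lower().rstrip(".")
    for d in domains:
        d = d.lower()
        if rr == d or rr.endswith("." + d):
            return d
    return None

def find_infected_hosts(report, eve_text):
    """Map each source host to the report domains it looked up, from EVE dns query events."""
    hits = {}
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue
        d = matching_domain(report["dns"], ev["dns"]["rrname"])
        if d:
            hits.setdefault(ev["src_ip"], set()).add(d)
    return hits
```

`find_infected_hosts(REPORT, EVE_LOG)` flags 10.0.0.15 and 10.0.0.31 and leaves 10.0.0.22 alone, because `example-cdn.test.evil.example` is a look-alike rather than a subdomain of a reported name. `suricata_rules(REPORT)` emits five rules: the duplicate 8080 entry is collapsed, the resolver traffic is skipped, and the sids are allocated sequentially so the output can be pasted into a rules file.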

Behavior

The System Behavior section lists the activities observed while analyzing the file. You can also show or hide the Windows behavior details.
