Malware Sandbox Services and Software

Whether you are performing digital forensics, or just have an interest in malware, a sandbox environment is an essential part of your analysis program. Sandboxing services can save time and provide a quick and easy glimpse into a suspicious files behavior.  I received an email this morning from Jose' Nazario of Arbor Networks where he provided a link to a list made by Buster (author of Buster Sandbox Analyzer) of various sandboxing tools and services."  I decided to take that list, check out and update each of the links and provide a brief description of the various services. I also added a few other services that I'm aware of.

For this blog post, I'm not providing any opinions or reviews. I'm just listing the service, URL, and a basic description as quoted by the provider.

These are the malware analysis services and software that I am currently aware of from the Buster Sandbox link, or via other sources. If you know of any other good malware analysis services, please feel free to drop me an email and I will add it to the list.

Web Services

• ViCheck.ca

"We can accept any type of file including executables, documents, spreadsheets, presentations, compiled help files, database packages, PDF, images, emails, or archives. You can also submit a file from a remote web address."

• Malware Tracker

"View PDF objects as hex/text, PDF dissector and inspector, scan for known exploits"

• Joe Sandbox (formerly JoeBox)

"Joe Sandbox is a fully automated analysis system for trojans, viruses and rootkits (malware). It requests malicious executables such as PE, PDF (Acrobat Reader) or DOC (Microsoft Word) files as input and returns highly detailed reports describing the behavior of executables being executed"

Note:  Joe Sandbox has an online service with three account types. It is described more fully here: http://www.joesecurity.org/service.php

• Anubis

"Anubis is a service for analyzing malware. Submit your Windows executable and receive an analysis report telling you what it does. Alternatively, submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL"

• Wepawet

"Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files."

• Norman Sandbox

"Submit a Suspicious File for a FREE Malware Analysis"

• GFI SandBox (formerly Sunbelt CWSandbox)

"Due to heavy load, the public site does not support: URL or BHO analysis, zipped files or analysis of infected documents."

• ThreatExpert

"ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode."

• Comodo Instant Malware Analysis

• Panda Security Autovin Automated Tools for Virus Incidents

Accepts:
- Windows executable (exe,dll)
– Adobe PDF (Beta Testing)
– Zip file (with password “panda”)
– RAR compressed file (without password)
– 7zip Compressed file (without password)
– Autovin File Extractor compressed file

• BitBlaze Malware Analysis Service - Currently Offline

• Eureka Malware Analysis Internet Service

"Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic. "

• Xandora Online Binary Analyzer

"xandora.net is a tool for analyzing the behavior of Windows PE-executables with special focus on the analysis of malware. Execution of xandora.net results in the generation of a report file that contains enough information to give a human user a very good impression about the purpose and the actions of the analyzed binary.
The generated report includes detailed data about modifications made to the Windows registry or the file system or other processes and of course it logs all generated network traffic. The analysis is based on running the binary in an emulated environment and watching."

• MalBox Program Behavior Analysis System

"Submit your Windows executable(*.exe) and receive an analysis report telling you what it does,
or submit a suspicious URL and receive a report that shows you all the activities of the Internet Explorer process when visiting this URL."

• jsunpack 

A Generic JavaScript Unpacker. Enter a single URL (or paste JavaScript to decode). Upload a PDF, pcap, HTML, or JavaScript file.

Standalone Malware Sandboxing Software

• Cuckoo Sandbox

"An Open Source dynamic malware analysis system which allows you to get informations on suspicious files in a completely automated fashion.
Such results include:
    * Relevant Windows API calls tracing of all recursively spawned processes.
    * Network traffic dump generated during malware execution.
    * Files being downloaded and deleted during execution.
    * Screenshots taken during malware the whole analysis process."

• Minibis from CERT.at

"Software and tips to easily build up an automated malware analysis station based on a concept introduced in the paper Mass Malware Analysis: A Do-It-Yourself Kit."

• Zero Wine Malware Behavior Analysis

"Zero wine is an open source (GPL v2) research project to dynamically analyze the behavior of malware. Zero wine just runs the malware using WINE in a safe virtual sandbox (in an isolated environment) collecting information about the APIs called by the program. "

• Buster Sandbox Analyzer

"Buster Sandbox Analyzer is a tool that has been designed to analyze the behaviour of processes and the changes made to system and then evaluate if they are malware suspicious.
The changes made to system can be of several types: file system changes, registry changes and port changes."https://vicheck.ca/

• PDF Stream Dumper

"This is a free tool for the analysis of malicious PDF documents. Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode."

• jsunpack -n

jsunpack-n emulates browser functionality when visiting a URL. It's purpose is to detect exploits that target browser and browser plug-in vulnerabilities. It accepts many different types of input:
PDF files - samples/sample-pdf.file
Packet Captures - samples/sample-http-exploit.pcap
HTML files
JavaScript files
SWF files
This project contains the source code which runs at the website http://jsunpack.jeek.org/.