Sandbox
Sandbox and File Analysis is an isolated, in-platform environment for safely inspecting suspicious files and URLs. It is available as an add-on to the CTI module.

When you submit a file or URL, it is analyzed inside a private virtual machine. Flare generates an analysis report covering execution behavior, process activity, file system changes, network activity, evasion techniques, extracted IOCs, and a MITRE ATT&CK mapping. The sandbox is powered by VMRay and uses hypervisor-based analysis.

Key features

In-platform virtual machine
Files and URLs are analyzed inside an isolated VM within Flare: no risk to corporate machines, and no need to export files to an external service. The VM is spun up per submission and discarded after analysis.

Automated analysis report
Each submission produces a structured report covering:
- Execution behavior
- Process activity
- File system changes
- Network activity (DNS requests, HTTP calls, C2 connections)
- Evasion techniques attempted
- MITRE ATT&CK mapping of observed behaviors

IOC extraction
The analysis report automatically extracts network artifacts from the detonation: C2 domains, DNS requests, contacted URLs, and file hashes. These can be pushed into feeds for distribution to your SIEM, EDR, or firewall — from sandbox submission to active blocking, without manual steps.

Evasion-resistant analysis
VMRay's hypervisor sits beneath the operating system. The malware runs in an environment with:
- No monitoring hooks to detect
- No agents inside the OS
- No virtual machine fingerprints to identify
The malware cannot tell it is being analyzed, so it behaves naturally. This is why the sandbox catches samples that hook-based alternatives miss.

URL analysis
Complete behavioral analysis of URL submissions, covering phishing pages and credential harvesters with the same depth as file-based malware.

Private by design
Submissions are not shared with the broader community, VMRay's research team, other Flare customers, or any external partner. Results are visible only to the submitting tenant.

Access to this feature requires an add-on. Please reach out to your CSM for more information.

Using the sandbox

1. Submit a file or URL. Navigate to the Sandbox in Flare and submit the file or URL you want to analyze. Select the target operating system if relevant to your investigation.
2. Monitor the analysis. The file or URL is investigated in an isolated virtual machine. You can monitor progress in real time.
3. Review the analysis report. Once complete, the report presents findings organized by type: execution behavior, network activity, IOCs, and MITRE ATT&CK mappings. Use the severity ratings to prioritize what to act on first.
4. Operationalize extracted IOCs. Extracted IOCs from the report (C2 domains, hashes, network artifacts) can be operationalized through feeds into your detection stack. This closes the loop from submission to active blocking.
5. Pivot to the Intelligence Browser. If the analysis identifies an actor, malware family, or domain you want to research further, pivot to the Intelligence Browser to pull the full entity profile, attribution, and relationship context.

Analyzing a file or URL

The sandbox offers two analysis modes:

Interactive analysis: This boots up a virtual machine where you can interact with the file sample, which is useful for evaluating the specific actions a file takes when executed. Flare automatically selects the operating system that best fits the file type and boots the matching virtual machine. The virtual machine is permanently deleted after the session, so you can safely execute the file and let it perform malicious operations.

Static analysis: This runs in the background and does not let you interact with the file.

There are three ways to submit something for analysis:

Upload a file: In the Sandbox, select Analyze File or URL in the top right corner, then drag and drop a file or use the upload button to add one from your computer.

Analyze a file already in Flare: When viewing a stealer log, select the download button, then choose the option to analyze in the sandbox. Flare sends the files to the sandbox automatically and analysis begins.

Analyze a URL: In the Sandbox, select Analyze File or URL in the top right corner, then enter a URL. Static and interactive analysis are both available for URLs, so you can also browse the website.

Note: The sandbox does not currently support browsing onion links. By default, they are labeled as suspicious.

Analysis results

For an interactive analysis, close the virtual machine after completing the investigation. The analysis then processes in the background to generate a report, which can take up to 10 minutes. When it completes, the verdict for the file appears in the list next to the file/URL name. Select the filename to open the report in Flare. There you can review the verdict, any matched YARA rules, MITRE TTPs, and more.

To download the reports, use the three-dot menu. The sandbox provides two reports:
- Sample report: a streamlined report showing the verdict and selected IOCs.
- Analysis report: a detailed report covering the processes, registry keys, websites, and other activity associated with the sample.

Types of indicators of compromise

Flare's sandbox can return the following types of indicators of compromise (IOCs):
- Files
- Filenames
- Domains
- Email addresses
- Emails
- URLs
- IPs
- Processes
- Mutexes
- Registry entries (including registry key types, if available)

To download the associated IOC file, expand the menu on the right of each entry and select Download IOCs as CSV. The exported IOCs are returned in SHA256.

FAQs

What file types does the sandbox support?

The sandbox supports the following file types:

| Sample type | Generic category | Target environment | Typical extensions | Supported version |
|---|---|---|---|---|
| Apple Script | macOS scripts | macOS | applescript, command, osascript, scpt | |
| Archive | | Static analysis with recursive dynamic detonations | zip, 7z, tar, cab, rar, wim | |
| CFB File | Windows CFB custom | Windows | various | |
| Email (EML) | Email | Static analysis with recursive dynamic detonations | eml | |
| Email (MSG) | Email | Static analysis with recursive dynamic detonations | msg | |
| Excel Document | Microsoft Office Document | Windows | xls, xlsx, xlsm, xlt, xltx, xltm, xlb, xlsb, iqy, slk, xml | MS Office >= 2007 |
| HTML Application | HTML Application | Windows | hta | |
| HTML Application (Shell Link) | HTML Application | Windows | lnk | |
| HTML Document | HTML Document | Windows | htm, html | |
| ISO | Disk images | Windows | iso | |
| JScript | Windows JavaScript File | Windows | js, jse | |
| JScript (Shell Link) | Shell Link | Windows | js, jse | |
| Java Archive | Java File | Windows, macOS | jar | |
| Java Class | Java File | Windows, macOS | class | |
| Linux ELF Executable (x86-64) | ELF Files | Linux | elf, axf, bin, o, prx, puff, ko, mod, so | |
| macOS App | macOS Mach-O | macOS | app (must be submitted in a zip) | |
| macOS DMG | Disk images | macOS | dmg | |
| macOS Executable | macOS Mach-O | macOS | none | |
| macOS PKG | | macOS | pkg | |
| MHTML Document | HTML Documents | Windows | mht, mhtml | |
| Microsoft Access Database | Microsoft Office Documents | Windows | accdb, adn, accdr, accdt, accda, mdw, accde, ade, mdb, mda | MS Office >= 2007 |
| Microsoft OneNote Document | Microsoft Office Documents | Static analysis with recursive dynamic detonations | one | MS Office >= 2010 |
| Microsoft Project Document | Microsoft Office Documents | Windows | mpp | MS Office >= 2007 |
| Microsoft Publisher Document | Microsoft Office Documents | Windows | pub, puz | MS Office >= 2007 |
| Microsoft Visio Document | Microsoft Office Documents | Windows | vsd, vtx, vsdx, vsdm, vssx, vssm, vstx, vstm, vss, vsw | MS Office >= 2007 |
| MSI Setup | | Windows | msi | |
| PDF Document | | Windows | pdf | Adobe Reader >= 6, up to and including DC |
| PowerShell Script | PowerShell Scripts | Windows | ps1 | |
| PowerShell Script (Shell Link) | PowerShell Scripts | Windows | lnk | |
| PowerPoint Document | Microsoft Office Documents | Windows | ppt, pptx, pptm, pot, potx, potm, ppa, ppam, pps, ppsm, ppsx | MS Office >= 2007 |
| Python Script | macOS Scripts | macOS | py, command | |
| RTF Document | Microsoft Office Documents | Windows | rtf | MS Office >= 2007 |
| Shell Script | macOS Scripts | macOS | sh, bash, zsh, command, csh, ksh, tclsh, tcsh | |
| SVG | SVG Image | Windows | svg | |
| UDF | Disk images | Windows | udf | |
| Unknown | | Static analysis | various | |
| URL | | Windows | url | |
| VBScript | Windows Script Files | Windows | vbs, vbe | |
| VBScript (Shell Link) | Shell Link | Windows | vbs, vbe | |
| Windows Batch File | Windows Batch File | Windows | bat, cmd | |
| Windows Batch File (Shell Link) | Windows Batch File | Windows | lnk | |
| Windows DLL (x86-32) | Windows PE (x86-32) | Windows | dll | |
| Windows DLL (x86-64) | Windows PE (x86-64) | Windows | dll | |
| Windows Driver (x86-32) | Windows PE (x86-32) | Windows | sys | |
| Windows Driver (x86-64) | Windows PE (x86-64) | Windows | sys | |
| Windows EXE (Shell Link) | Windows PE (x86) | Windows | lnk | |
| Windows EXE (x86-32) | Windows PE (x86-32) | Windows | lnk | |
| Windows EXE (x86-64) | Windows PE (x86-64) | Windows | exe, scr | |
| Windows Help File | | Windows | chm | |
| Windows Installer Patch | | Windows | msp | |
| Windows Script File | Windows Script Files | Windows | wsf, wsc, ws, sct | |
| Windows Script File (Shell Link) | Shell Link | Windows | wsf, wsc, ws, sct | |
| Word Document | Microsoft Office Documents | Windows | doc, docx, docm, dot, dotx, dotm, xml | MS Office >= 2007 |

Is the sandbox included by default in the CTI module?

No, the sandbox is available as an add-on to the CTI module. Contact your Customer Success Manager for more details.
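The IOC export described under Types of indicators of compromise is what feeds your SIEM, EDR or firewall, so each row should be sanity-checked before it becomes a blocking rule. The following script is an added example, not Flare's code; it assumes a two-column "type,value" CSV layout (the real export format may differ) and uses a constructed sample, validating each indicator type, normalising hashes and domains for deduplication, and defanging network indicators for safe sharing:

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample of a sandbox IOC export. The two-column "type,value" layout
# is an assumption for this example, not Flare's actual CSV format.
SAMPLE_CSV = """type,value
file,9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
file,notahash
domain,Evil-Updates.example
domain,bad domain
ip,203.0.113.7
ip,999.1.1.1
url,http://evil-updates.example/payload.bin
mutex,Global\\SampleMutex
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def is_valid(ioc_type, value):
    """Type-specific sanity check so a malformed row never reaches a blocklist."""
    if ioc_type == "ip":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    checks = {"file": SHA256_RE.match, "domain": DOMAIN_RE.match,
              "url": lambda v: v.startswith(("http://", "https://"))}
    # Host artifacts (mutex, process, registry) only need to be non-empty.
    return bool(checks.get(ioc_type, lambda v: v)(value.lower()))

def load_iocs(csv_text):
    """Group IOCs by type; returns (accepted values per type, rejected rows)."""
    accepted, rejected = defaultdict(set), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ioc_type, value = row["type"].strip().lower(), row["value"].strip()
        if is_valid(ioc_type, value):
            # Hashes and domains are case-insensitive: lowercase them so feeds deduplicate.
            accepted[ioc_type].add(value.lower() if ioc_type in ("file", "domain") else value)
        else:
            rejected.append((ioc_type, value))
    return {k: sorted(v) for k, v in accepted.items()}, rejected

def defang(indicator):
    """Render a network IOC non-clickable for sharing in reports or tickets."""
    return indicator.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")
```

Rejected rows are returned rather than silently dropped so an analyst can see what the export contained that did not pass validation.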