GFI Sandbox™ (formerly CWSandbox) The Malware Analysis Tool v3.2 released

What is GFI Sandbox?

(Note: The academic CWSandbox website has been moved to: http://www.mwanalysis.org.)

Powerful Automated Malware and Threat Analysis
In a nutshell, it’s a flexible, scalable, fully automated malware analysis system for monitoring and reporting on the behavior of suspect samples. GFI Sandbox is a great malware analysis tool, especially for “first glance” analysis. You can automate bulk sample analysis, saving manpower and getting faster results. You will be able to better identify threats and react accordingly.

Hacked websites, fake media players, malicious Office documents and social engineering are all part of the Internet threat landscape today. Only GFI’s Sandbox gives you a total view of every aspect and element of a threat, from infection vector to payload execution. And only the GFI Sandbox can intelligently, automatically identify malicious behavior through user interaction automation and our groundbreaking DBT™ (Digital Behavior Traits) technology.

“Sandbox is part of a larger research environment for HolisticInfoSec.org and is extremely useful during run-time and behavioral analysis for information security-related articles on malware, visualization, and forensic analysis.”

“When I’m conducting research for articles and blog posts I make regular use of Sandbox. It’s indispensable for thorough, detailed behavioral analysis and reporting. I also make use of database storage via the Sandbox web interface, allowing safe keeping and export as needed. Be it a need for details regarding network connections and related packet captures, file and registry changes, or elapsed activity event logging, no matter the attribute Sandbox will serve you well.”

Russ McRee,
holisticinfosec.org

GFI Sandbox is the industry’s leading dynamic malware analysis tool. Dynamic analysis shows how the applications are executed, what system changes are made, what network traffic is generated and the severity level of the threat, all in a secure, controlled environment. GFI Sandbox also allows researchers to analyze the behavior of suspected viruses, trojans, and other malware by executing the code inside a controlled environment and recording all system changes, Windows API calls and network traffic.

By creating the appropriate sandboxed Windows environment, anything from infected Office documents to malicious URLs or scripts in Flash ads can be analyzed.

GFI Sandbox gives researchers the ability to compare multiple analyses for differences and similarities, and allows them to send malware samples to multiple sandbox configurations using different desktop images and centrally manage the process. Unlike other malware analysis tools on the market today, GFI Sandbox provides true automation that gives those on the front lines of cyber-defense and digital forensics the ability to analyze potential threats quickly, efficiently and in bulk; saving organizations valuable time and resources in the process.

Key Features

  • DBT™ (Digital Behavior Traits) intelligent behavior technology makes interpreting malware actions easy
  • Central management of multiple Sandbox configurations
  • Direct samples to one or many sandboxes for simultaneous analysis:
    • Produce more than 1 analysis for a single sample
    • Compare behavior of a sample across different versions of Windows and application combinations
    • Easy grouping of samples
    • Query by unique characteristics, hashes or behavior
  • Dynamic configuration parameters for each malware sample analyzed
  • Supports bulk sample submission via password-protected zip files
  • Samples and related data accessible through the web interface, XML data fully parsed in database for faster, more granular reporting
  • Bulk import analysis reports from our ThreatTrack data feeds.

A fraction of the time of conventional research
With the GFI Sandbox, the automatic malware analysis and classification of malware samples is conducted in a fraction of the time of conventional research. This research automation enables technology providers to build malware signatures more quickly and bring them to market faster. Additionally it gives enterprise service and security providers the ability to proactively protect against current and evolving malware threats that may present risks to their customers and end users.

Emulate, automate user interaction
By simulating how a user would interact when presented with a fake or rogue application, GFI Sandbox automates what up until now has been a manual process. Traditionally, a researcher needed to manually analyze each threat on a case-by-case basis. The automation functions of the GFI Sandbox engage with the application, infected file or compromised website exactly as the malware expects a user to do and log and analyze all the resulting activity without any manual intervention by the researcher.

A fraction of the time of conventional research
This end-to-end process automation enables security companies and enterprises concerned with targeted and/or socially engineered attacks to filter through potential threats in a consistent, automated manner, alleviating unnecessary demands on valuable resources.

How the GFI Sandbox Works
The GFI Sandbox leverages unique technology for the automatic behavior analysis of malware and other potential threats. GFI Sandbox provides fast, automated analysis of large volumes of malware samples in a short period of time. It facilitates the automatic collection of malware from different inputs including email, Nepenthes (a honeypot tool for automated collection of autonomously-spreading malware), a web server/interface, or a directory. Once a malware sample is dropped into the database, the sandbox starts its analysis. When enough information about the malware is collected, the GFI Sandbox terminates the malware application and analyzes the collected data.

Monitoring
In Windows, nearly all accesses to system resources are done via the Windows API. The API offers functions to access the file system and the registry, to execute other applications, or to install, start or stop Windows services. It also offers the WinSock functions, which are normally used to communicate over TCP/IP networks such as the Internet. The API is implemented by different DLLs located in the Windows system directory. GFI Sandbox has been hardened to minimize detection so that malware doesn’t recognize it is being monitored. GFI Sandbox monitors the Windows system resources including the file system, registry and other applications, with special attention to communication resources. GFI Sandbox logs and reports in extensive detail any network activity including HTTP, FTP, SMTP and IRC connections. In addition, packet-level detail of network traffic is available through the PCAP option. GFI Sandbox also creates memory dumps and logs screenshots of any user interaction screens generated (such as fake EULA acceptance screens).

Analysis and Reporting
After monitoring is complete, the GFI Sandbox performs a granular analysis to provide better readability of the data collected. The analysis captures resource events which include API calls, WinSock calls, packets, and more. Reports on the results of the analysis are written to XML files, with XSL templates provided to generate HTML or text reports. Creating customized XSL templates to parse the data provides additional flexibility. The reports list the newly created files and registry entries, as well as any processes that were launched by the malware application. Reports can be emailed automatically to the submitter or administrator, stored in the database, or presented in the Web console.

GFI Sandbox not only analyzes the given malware, but also all other processes that are started or infected by the malware. For example, a lot of malware creates a thread in the context of Windows Explorer and then performs its malicious functions from within Windows Explorer, or uses Word and other Office applications, or an Office document, as the infection vector. These functions are provided for additional analysis in these scenarios:

  • GFI Sandbox can optionally store all the files that are created by the malware, such as regular files, temporary files, or those downloaded from the Internet.
  • GFI Sandbox can additionally create a “dump” file for each analyzed process for further investigation.
  • External debuggers can be linked in for memory dumps and the results integrated in the reports. In the same way, command line antivirus scanners, third party packet capture tools and more can be linked and integrated.

ThreatTrack™ Data Feeds from GFI Advanced Technology Group
As a complement to our GFI Sandbox automated malware analysis suite, SunbeltLabs provides technology and business partners with a comprehensive array of data feeds from our Labs. These ThreatTrack data feeds can be a valuable enhancement to your own resources for analyzing, blocking and remediating malware threats. See the Resources Tab for the ThreatTrack datasheet.

See GFI Sandbox in Action
First, you can see a SANS ‘Lunch and Learn’ presentation on the Sandbox by GFI’s (formerly Sunbelt Software) Lead Security Analyst Brian Jack, here at Vimeo.

To see how the GFI Sandbox works, simply visit http://www.sunbeltsecurity.com to upload malware samples and receive the analysis results in minutes.

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"