These services will execute malware in a monitored environment so that you don’t risk your own system while performing behavior analysis. It will verify all changes in the file system, registry keys, and all network traffic during the execution. Next it will provide users a report with different information regarding the malicious file.
Threat expert is a public sandbox that will execute the malicious file in a virtual environment and provides users the change made in file system, registry keys, and all network traffic, it will take a snapshot before the execution and compare it to another one after malware execution. Briefly ThreatExpert report the following:
- File ,processes, registry keys created by executing the malware
- IP addresses that are contacted by executing the malware
- Possible country originated for this malware
- Screenshots if there are pop-ups or new window in browser opened.
- Provides information about the category of this malware.
What we can add to all previous malware analyzing tools is WinMHR by Team Cymru (pronounced kum-ree).MHR is a free online service that will give you a result by comparing the suspicious file to search for malware based on MD5 or SHA1 hashes. You can install it on your computer or use the Firefox plugin that will help in checking any downloaded file before the execution. MHR helps identify known problems so you can take action at an early stage.
CWSandbox is another public sandbox but it works by DLL code injection, the injected DLL will hook Windows API functions to record malware behavior during the analyses. This provides good results but if a malware bypass the hook and directly call kernel code this can make the malware not monitored. But if we will look at most malwares we will have no issue in using CWSandbox.
The online free interface in CWSandbox allows submitting Windows PE files while if you are looking for more flexibility to submit files, URLs, BHOs, zipped files you need to use the commercial version. The commercial version lets you submit files via e-mail, nepenthes honeypots, or server folder.
No comments:
Post a Comment