In this blog post we outline a new and exciting technology we built some time ago and have extended since. It enables analysts to interact directly with the analyzer and, in addition, to get live data on detection rules, verdicts, IOCs, etc.
Joe Sandbox features various technologies to automate user behavior. Here is a good example:
Full Analysis Report: https://www.joesandbox.com/analysis/288399/0/html#overview
This is a multi-stage phisher. The sample URL points to a downloadable PDF. The PDF itself contains another link which points to the final phishing page. Joe Sandbox is able to automate all the user behavior actions such as downloading the PDF file, clicking on the link, browsing the page, etc. However, user behavior automation has its limits. Please check out the following analysis:
Full Analysis Report: https://www.joesandbox.com/analysis/617931/0/html#overview
The phishing page starts with a real, legitimate CAPTCHA. A CAPTCHA's purpose is to "tell Humans and Computers Apart Automatically". Joe Sandbox (the computer) cannot solve CAPTCHAs. This is where Live Interaction and Results comes into play: the analyst can solve the CAPTCHA manually:
Full Analysis Report: https://www.joesandbox.com/analysis/618889/0/html
And successfully reaches the final phishing page!
Besides manual phishing analysis, analysts have full freedom to perform any other manual task, including:
Live Interaction and Results provides analysts with a wide range of dynamic data and the option to write and upload custom detection rules for that data. Most important are Yara, Sigma and Snort rules. Analysts can upload their rules in the corresponding editors:
The uploaded rules are directly applied to live Results during Live Interaction:
Yara rules are applied to all dropped files, memory dumps, the DOM tree, unpacked PE files, etc.
Snort rules are applied to the entire network traffic, including the decrypted traffic. Sigma rules are applied to various behavior indicators such as created processes, files, etc.
Thanks to custom detection rules, analysts can easily develop new rules and enhance the overall detection.
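As an added example (not from this post and not a Joe Sandbox rule), here is a Yara rule of the kind an analyst could paste into the Yara editor for the DOM tree scan: it flags a rendered page that gates a password form behind a CAPTCHA widget, the pattern seen in the analysis above. The regexes and lure strings are constructed assumptions about what such a page contains and should be tuned against real DOM dumps.

```yara
// Added example, not from the Joe Sandbox post. Intended for the DOM tree
// scan during Live Interaction, i.e. the scanned object is the rendered
// HTML of the page the analyst reached after solving the CAPTCHA.
// All patterns below are constructed assumptions, not observed artifacts.
rule dom_captcha_gated_credential_form
{
    meta:
        description = "Password form and CAPTCHA widget on the same rendered page"
        author      = "constructed example"

    strings:
        // a password field inside the DOM
        $pw_input   = /<input[^>]{0,200}type\s*=\s*["']?password/ nocase
        // a CAPTCHA widget script loaded from a well-known provider
        $captcha_js = /(hcaptcha|recaptcha)\.(com|net)\/[^"']{0,100}\.js/ nocase
        // a form that submits its fields via POST
        $form_post  = /<form[^>]{0,300}method\s*=\s*["']?post/ nocase
        // typical lure phrases used to pressure the victim
        $lure1      = "verify your account" nocase
        $lure2      = "session has expired" nocase
        $lure3      = "unusual sign-in activity" nocase

    condition:
        $pw_input and $captcha_js and $form_post and 1 of ($lure*)
}
```

A legitimate login page can also match all four parts, so treat a hit as a triage signal to review alongside the live network and process data rather than as a verdict on its own.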
With Live Interaction and Results, analysts get forensic malware analysis results in near real time. Traditional sandboxes first detonate samples for a default time of one or two minutes. In the next step, analytics are run on the gathered dynamic data, producing the final reports displayed to the analysts.
So the analyst has to wait a couple of minutes before receiving the verdict as well as the IOCs. As you know, during an active investigation every minute counts!