In this lesson, we will take a look at how most companies do malware analysis these days, that is, automated dynamic malware analysis. In this method, we submit the malware sample to an automated malware analysis sandbox.

Now, who builds the sandbox? There are quite a few commercial sandboxes, like McAfee Advanced Threat Defense, FireEye (the model number AX 5550), Palo Alto's WildFire, etc. We also have an open source sandbox that one can deploy in their own environment, called Cuckoo.

The working principle of the sandbox is the same: they spin up one or more virtual machines with different operating systems. Usually a company would spin up all the different operating systems, and the different versions of those operating systems, that they use in their real network. For example, Windows 10, Windows 10 at a different patch level or service pack level, Windows 2016, Windows 2019, etc. They install most of the usual applications like Acrobat Reader, MS Office, browsers like Chrome and Firefox, and media players like VLC or QuickTime, etc. This is to ensure we create a near-real replica of what our users use in everyday work, so that if the malware is taking advantage of a vulnerability in VLC media player, it will run and be able to do its job.
After building the required virtual machines within the sandbox environment, an administrator or a malware analyst can submit the samples to these operating systems, and the sandbox gets into action analysing the behaviour.

Typically, these sandboxes will look for behaviours like the following. When a Word file is opened, it should only spin up one process, that is, word.exe, but if it spins up additional processes, then a score is assigned to this sample. Similarly, an MS Word file should not initiate any network activity automatically. But if network activity is seen after opening the file, the score goes up. Another behaviour may be that opening a legitimate MS Word file does not create new files in the operating system. If it does, the score goes up again.

Finally, all the scores due to the various activities are added up and given as a final score; some vendors prefer to do it from 0 to 10, and some vendors do it from 0 to 100. Usually the admin will have the option to configure what to do with the file based on the score. For example, if the score is less than three, mark it as a clean file; if the score is between three and six, mark it as a suspicious file; and if the score is more than six, consider it to be a malicious file.

Now, isn't that something sweet? The machines are doing all the hard work for us.
Even though an automated sandbox can make the process of malware analysis easy, building a sandbox itself is very expensive when we choose the commercial sandbox options, or a very tedious process when opting for an open source sandbox like Cuckoo.

So in recent days, piggybacking on the cloud trend, several vendors have taken their sandbox to the cloud. A few of the popular cloud-based sandboxes include Any.Run, hybrid-analysis.com, Joesandbox.com, and Palo Alto WildFire. In the case of a cloud-based sandbox, all you need is to subscribe to the service, and right away you can start submitting the samples without having to deal with building your own sandbox.

In the next lesson, we will take a look at a demonstration of the Any.Run sandbox.