Page 206 - Cyber Defense eMagazine August 2024
P. 206
● Packet Capture and Inspection: Logging network traffic and allowing the user to view its
contents offers an in-depth view of the interactions between the malware and other systems.
This includes information such as the source and destination IP addresses, the ports used,
the protocols involved, and the timestamps of the communications. This can reveal if the
malware is attempting to communicate with a command and control (C&C) server, scan for
vulnerable systems, or perform other malicious activities.
● Encrypted Traffic Analysis: As more and more network traffic becomes encrypted, the ability
to analyze it has become increasingly important. Sandboxes using built-in tools like MITM
proxy make it possible to decrypt HTTPS traffic and thus identify malicious activity.
Suricata detection of AgentTesla’s exfiltration activity in ANY.RUN
● Network Threat Detection: For sandboxes, it is also important to not only give access to the
network traffic, but also automatically detect potential threats based on predefined signatures
or anomalies. Solutions like Suricata IDS can be used to enhance the network analysis
capabilities of a malware sandbox and flag suspicious network activities.
3. Static Analysis
Although sandboxes are usually used for dynamic analysis, they can be equally helpful in static analysis:
● Analyzing Files: Sandboxes can offer a static overview of various file types, such as PDFs,
LNK files, and Microsoft Office documents. For instance, malicious PDFs can be analyzed to
detect suspicious URLs, while LNK files can be inspected for embedded commands and
scripts. Microsoft Office documents can be examined for malicious macros, images, QR
codes, etc.
Cyber Defense eMagazine – August 2024 Edition 206
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.
