Sandbox Online Analyzer

Product description

Overview

The Norman SandBox Online Analyzer is a web-based alternative for those who do not need the full Norman SandBox Analyzer tool. SandBox Online Analyzer also covers the needs of:

  • Customers who do not require the unlimited analysis capacity of the SandBox Analyzer.
  • Analysts who are frequently away from their designated malware analysis lab.
  • Customers who do not have a dedicated virus analysis lab and wish to let Norman supply the processing power.

Like SandBox Analyzer, SandBox Online Analyzer lets users analyze a file's behavior and the actual actions it performs, and even extracts the files that the analyzed file creates on the "SandBox HD", much faster and more effectively than before. The manpower and time needed to analyze suspicious files are thereby reduced considerably.

When purchasing SandBox Online Analyzer you receive a quota of files that can be analysed, corresponding to your purchase.
You may also purchase access to various types of statistics and historical trends for the malicious techniques used in the malware analysed by Norman SandBox.

Norman SandBox Online Analyzer is available as a web-based interface with easy access to your account. You may upload files to be analysed and view your previous analyses and statistics from anywhere in the world.

How does it work?

The service allows the customer to upload suspicious executable files to Norman's dedicated servers, which then supply a comprehensive analysis of the files' actions. After a file has been processed, a report with an in-depth description of the file's actions (the API log view) and a summary report are available in the web interface.

The summary report includes the following information blocks:

  • File/malware category, e.g. W32/Backdoor, W32/Worm, W32/Downloader.
  • Changes to the computer's file system.
  • Changes to the registry and system settings.
  • Network services details.
  • Process and window information.

Norman SandBox Online Analyzer in more detail

Operation

Norman SandBox Online Analyzer is very easy to use and is managed through a web-based interface. After purchasing you receive your own user name and password, which give you access to your own account in Norman SandBox Online Analyzer.

After logging in you may, if you have purchased the online analysis module, upload files for analysis as well as study your previous analyses. You can also download the analyses to examine them in more depth yourself.

The statistics module gives you access to lots of statistical material, including trends in the techniques used by the authors of malicious software.

The report

The Norman SandBox Online Analyzer summary describes the file's behavior: the actions performed on the target victim's system and the elements set up to enable external communication.

This report is a subset of the API log, which gives a detailed overview of the file's actions command by command.

Example of an NSA summary

D:\VIRUS\MYTEST.EX_ : W32/Backdoor
====> Sandbox output:
[ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* Display message box (sample) : sample, te amo!.
* Display message box (KERN32) : KERN32, te amo!.
* File length: 58368 bytes.
* MD5 hash: 60a8d2e41147f48364e1eb3729ac53fb.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.

[ Changes to registry ]
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".

[ Changes to system settings ]
* Creates WindowsHook monitoring keyboard activity.

[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname CurrentUser[FRK][19].
* IRC: Uses username SErVERINO.
* IRC: Joins channel #Sl4cK_r0oT.

[ Process/window information ]
* Creates a mutex ZZM9H9YY.
* Creates a mutex SrVFrK.
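The summary above has a fixed layout ([ Section ] headers with one `* ` bullet per finding), which makes it straightforward to turn into structured data for triage. The following Python parser is an added example, not part of the original page or of Norman's tooling; `SAMPLE_SUMMARY` is constructed from the bullets shown above, and the persistence check (any value written under a Run/RunOnce key counts as an autostart indicator) is an assumed heuristic.

```python
import re
# Constructed sample in the layout of the Norman SandBox summary shown above.
SAMPLE_SUMMARY = r"""[ General information ]
* File length: 58368 bytes.
[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\kern32.exe.
* Creates file C:\WINDOWS\SYSTEM32\kern32.exe.
[ Changes to registry ]
* Sets value "kernel32"="C:\WINDOWS\SYSTEM32\kern32.exe -sys" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce".
[ Network services ]
* Connects to "200.223.3.130" on port 6667 (TCP).
[ Process/window information ]
* Creates a mutex SrVFrK.
"""

SECTION_RE = re.compile(r"^\[ (.+?) \]$")
BULLET_RE = re.compile(r"^\* (.+?)\.?$")  # lazy match drops the trailing full stop
# Bullet shapes used by the summary; each yields a (kind, *captured values) tuple.
FINDING_PATTERNS = [
    ("file_created", re.compile(r"^Creates file (.+)$")),
    ("file_deleted", re.compile(r"^Deletes file (.+)$")),
    ("reg_value_set", re.compile(r'^Sets value "([^"]+)"="([^"]*)" in key "([^"]+)"$')),
    ("connect", re.compile(r'^Connects to "([\d.]+)" on port (\d+) \((TCP|UDP)\)$')),
    ("mutex", re.compile(r"^Creates a mutex (\S+)$")),
]

def parse_summary(text):
    """Return ({section: [bullets]}, [typed findings]) for one summary report."""
    sections, findings, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        m = BULLET_RE.match(line)
        if m and current is not None:
            sections[current].append(m.group(1))
            for kind, pat in FINDING_PATTERNS:
                fm = pat.match(m.group(1))
                if fm:
                    findings.append((kind,) + fm.groups())
                    break
    return sections, findings

# Assumed triage heuristic: a value written under Run/RunOnce is autostart persistence.
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
def persistence_indicators(findings):
    return [f for f in findings if f[0] == "reg_value_set" and f[3].endswith(AUTORUN_KEYS)]
```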

This is a short example of an API log

If you look closely you will see that the API log is from the same file as the SandBox summary above.

KERNEL32!CopyFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",
   "C:\WINDOWS\SYSTEM32\kern32.exe",0x00000000)
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!GetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe")
KERNEL32!CreateFileA ("C:\WINDOWS\SYSTEM32\KERN32.EXE",0x80000000,
   0x00000000,0x00000000,0x00000003,0x00000000,0x00000000)
KERNEL32!SetFileAttributesA ("C:\WINDOWS\SYSTEM32\kern32.exe",0x00000006)
ADVAPI32!RegCreateKeyExA (0x80000002,"Software\Microsoft\Windows\
   CurrentVersion\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\WINDOWS\SYSTEM32\kern32.exe -sys",0x00000023)
ADVAPI32!RegCloseKey (0x7200214B)
KERNEL32!CreateMutexA (0x00000000,0x00000000,"SrVFrK")
KERNEL32!GetLastError ()
KERNEL32!CreateThread (0x00000000,0x00000000,0x004027B9,0x74116F00,
   0x00000004,0x74116F00)
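To show how the summary is derived from the API log, here is an added Python example (not the page's or Norman's code) that joins the indented continuation lines, tokenises each `MODULE!Function (args)` call and reduces the calls to summary-style statements. `SAMPLE_API_LOG` is a constructed excerpt in the log layout above, and the predefined-key table and the mapping from API call to summary wording are assumptions.

```python
import re
# Constructed excerpt in the layout of the API log above (key string split across a continuation line).
SAMPLE_API_LOG = """\
KERNEL32!CopyFileA ("C:\\WINDOWS\\SYSTEM32\\KERN32.EXE",
   "C:\\WINDOWS\\SYSTEM32\\kern32.exe",0x00000000)
ADVAPI32!RegCreateKeyExA (0x80000002,"Software\\Microsoft\\Windows\\
   CurrentVersion\\RunOnce",0x00000000,NULL,0x00000000,0x000F003F,0x00000000,
   0x4FD01154,0x00000000)
ADVAPI32!RegSetValueExA (0x7200214B,"kernel32",0x00000000,0x00000001,
   "C:\\WINDOWS\\SYSTEM32\\kern32.exe -sys",0x00000023)
KERNEL32!CreateMutexA (0x00000000,0x00000000,"SrVFrK")
KERNEL32!GetLastError ()
"""

CALL_RE = re.compile(r"^(\w+)!(\w+) \((.*)\)$")
ARG_RE = re.compile(r'"([^"]*)"|(0x[0-9A-Fa-f]+)|(NULL)')
ROOT_KEYS = {0x80000001: "HKCU", 0x80000002: "HKLM"}  # predefined hKey values (assumed table)

def join_continuations(text):
    """Three-space-indented lines continue the previous call; a break may sit inside a string."""
    calls = []
    for line in text.splitlines():
        if line.startswith("   ") and calls:
            calls[-1] += line.strip()   # no separator: the original call had none
        elif line.strip():
            calls.append(line.rstrip())
    return calls
def parse_call(line):
    """Split 'MODULE!Function (args)' into (module, function, [args])."""
    m = CALL_RE.match(line)
    if not m:
        return None
    args = []
    for s, h, n in ARG_RE.findall(m.group(3)):
        args.append(int(h, 16) if h else None if n else s)
    return m.group(1), m.group(2), args
def summarize(text):
    """Reduce the trace to summary-style statements (assumed wording mapping)."""
    lines = []
    for _, func, args in filter(None, map(parse_call, join_continuations(text))):
        if func == "CopyFileA":
            lines.append(f"Creates file {args[1]}")
        elif func == "RegCreateKeyExA" and args[0] in ROOT_KEYS:
            lines.append(f'Creates key "{ROOT_KEYS[args[0]]}\\{args[1]}"')
        elif func == "RegSetValueExA":
            lines.append(f'Sets value "{args[1]}"="{args[4]}"')
        elif func == "CreateMutexA":
            lines.append(f"Creates a mutex {args[2]}")
    return lines
```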

More information - testing or purchasing the product

Click here and fill in the form to purchase or test the product, or to request more information.