Tuesday, June 8, 2021

Public Service Announcement: Retiring Falcon Sandbox Public API V1 Starting August 3, 2021

We are announcing the sunset of Falcon Sandbox Public API v1, which will reach end of life on August 3, 2021, at 12:00 PM EST. After this date, the Falcon Sandbox Public API v1 will stop responding altogether.

Here at Hybrid Analysis, we are dedicated to enabling our community to leverage a unified platform for automated malware forensics by concentrating our efforts on improving our systems to deliver the best experience, performance, features, and tools to enrich malware analysis.


Anyone visiting the Hybrid Analysis homepage has probably already seen the banner about retiring the Falcon Sandbox Public API v1, and we have already started notifying API connector authors about the version's removal.

Falcon Sandbox Public API v2 has been in use for more than a year, and we’ve made great efforts to integrate existing API v1 features into API v2, while also expanding on them.


Who is Impacted?

This change impacts everyone who has been using the Falcon Sandbox Public API v1. Starting today, June 8, 2021, the Falcon Sandbox Public API v1 has entered the sunset period, leading to deprecation beginning August 3, 2021, 12:00 PM EST.

Anyone using the VxWebService Python API Connector v2 with the Falcon Sandbox Public API v2 will not be impacted; the code that resides in the master branch of that repository supports API v2.

As a reminder, the legacy VxWebService app utilising API v1 is not supported anymore, but still available in the v1 branch.

Why the Change to Falcon Sandbox Public API v2?

As some of you have already noticed when using the API v2, one of the major benefits involves using OpenAPI and Swagger Docs, which have become the world standard for defining RESTful interfaces.


Data security and privacy are also something we take seriously, so the fact that the Falcon Sandbox Public API v2 is SOC 2 compliant is all the more critical. This means the API v2 is built around the five “trust service principles”: security, availability, processing integrity, confidentiality and privacy.


But most importantly, with Falcon Sandbox Public API v2 we can readily and constantly roll out new features that can help you, the research community, expand on analysis capabilities while offering a reliable API standard that’s easy to use.

For a complete list of features and functionalities we have added over time to the Falcon Sandbox Public API v2, check out our API v2 changelog section (here).

How to Successfully Migrate to Falcon Sandbox Public API v2?

Throughout the sunsetting phase, those who still use the API v1 are encouraged to switch to the API v2 by following the instructions we have put together (here).


If you have any automation dependencies running on Falcon Sandbox Public API v1, please make the necessary changes and switch to Falcon Sandbox Public API v2 using the available documentation.


We hope this graceful transition will not bring too much disruption to your activities. If you experience any issues with the migration process or if you have suggestions on new features that you would like to have available, please let us know.

Happy Hunting!

Wednesday, April 7, 2021

Upcoming Maintenance - April 7th, 2021 2AM EST - 3AM EST

Hello again HA Community! The CrowdStrike Falcon Sandbox team hopes you are doing well, and staying safe during these unprecedented times. As always, thank you for being a part of the biggest community-focused sandbox service! Our goal is to continually enhance your experience by not only delivering new and useful features to assist in malware analysis, but also by maintaining a stable and efficient platform.

As such, we have scheduled a brief downtime window from 2AM - 3AM EST on April 7th, 2021 to perform critical maintenance. During this downtime the site will be unavailable. We appreciate your patience during this brief interruption and look forward to seeing you back!

Happy Hunting!

Thursday, December 3, 2020

Network Simulation now live on Hybrid-Analysis!

We are proud to announce the availability of Network Simulation for file and URL detonations on Hybrid-Analysis.com! 

Network Simulation blocks internet-bound traffic from reaching its destination, instead routing all traffic to an internal endpoint that responds to those outbound requests (DNS, HTTP(S), etc.). This allows the submitter to collect crucial indicators and detonation details without ever directly contacting attacker-controlled infrastructure.

To utilize this new feature, submit a new file or URL for analysis and expand "Runtime Options" found within the environment selector section:

Then select "Simulate Network Traffic" when customizing your detonation parameters:

That's it! When your sample is submitted, all traffic destined for the internet will be safely routed internally to feign internet availability. 
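
The internal responder described above, as an added example that is not code from the Hybrid Analysis platform: a minimal DNS sinkhole that answers any A query with an internal address (10.0.0.1, an assumed value), replies with an empty NOERROR answer for other record types so the sample still sees a working resolver, and records every queried name as an indicator. The query builder and the domain names used to exercise it are constructed.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumed internal responder address, not a value from the post
observed_domains = []     # indicators collected from the detonation's DNS lookups

def build_query(txn_id, name, qtype=1):
    """Build a single-question DNS query (constructed input for exercising the responder)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question in a DNS packet."""
    offset, labels = 12, []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return ".".join(labels), qtype, offset + 4

def sinkhole_response(query, sinkhole_ip=SINKHOLE_IP):
    """Answer so the sample believes the internet is reachable, and log the lookup.

    A queries get the sinkhole address; any other type gets an empty NOERROR reply.
    The queried name is recorded either way, since the lookup itself is the indicator."""
    txn_id = struct.unpack("!H", query[:2])[0]
    qname, qtype, qend = parse_question(query)
    observed_domains.append(qname)
    question = query[12:qend]
    if qtype != 1:
        # flags 0x8180: QR=1, RD=1, RA=1, RCODE=0; ANCOUNT=0
        return struct.pack("!HHHHHH", txn_id, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, 1, 0, 0)
    # answer: pointer to the question name (0xC00C), type A, class IN, TTL 60, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(sinkhole_ip)
    return header + question + answer

def answered_address(response):
    """Read back the A record address from a response built above."""
    return socket.inet_ntoa(response[-4:])
```

Bound to a UDP socket inside the detonation network, the same responder handles live queries; the list of observed domains is the indicator set the post refers to.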

Happy Hunting!

Wednesday, August 12, 2020

New and Improved Threat Score!

Greetings from Sandboxland! From all of us at Hybrid Analysis, we hope this message finds you healthy and well. It’s been quite a long time since our last blog post… we’ve been busy working on platform enhancements and introducing new features to further improve your sandbox experience. One of the most exciting new features is the integration of a machine-learning powered threat score!

With this new feature, the sample and pertinent sandbox data will be scrutinized by a machine-learning model developed with CrowdStrike’s proven machine-learning technology, returning a threat score and associated verdict. The objective of this undertaking was to achieve greater sensitivity and specificity while computing threat scores. Initial analysis from a data set consisting of ~40K samples shows the new methodology to be quite effective, with a significant decrease in the False Positive Rate (FPR), while simultaneously increasing the True Positive Rate (TPR). This feature is initially limited to non-URL submissions detonated in our Windows detonation environments with plans for further expansion as the model develops and matures.

Thursday, June 6, 2019

New Feature: Upload your Collections of Files

As security researchers, we often need to share sets of samples with our peers. Frequently the files are part of the same campaign or come from the same threat actor, often we need files from the same malware family, and in other cases it’s just a matter of sharing samples in a broader context. To facilitate this type of sharing, we now support File Collections on Hybrid Analysis — give it a shot!

The new Files Collection tab on the upload screen allows for drag and drop functionality for multiple files, or you can use batch file selection by clicking the upload area.

The new bulk upload dialog lets you name the collection, provide comments, and even add hashtags to associate your file collection with a specific topic.

Lastly, the new collections overview page shows you details for all files in the collection, including current detection status. As an example, here’s a collection of samples that are part of the Ryuk family. From here, you can also select individual files to see their details or to run them through the sandbox for further analysis.

We hope you will find this new feature useful!

Tuesday, August 21, 2018

CrowdStrike donates Falcon MalQuery for rapid YARA hunts to the HA Community

We all know that YARA rules are the pattern-matching Swiss Army knife in many ways and have become the de facto standard when it comes to detecting and attributing new malware variants to previously known threats. One great example of this is WannaCry. Within days of that outbreak last year, Google’s Neel Mehta [1] was able to find code similarities between WannaCry and previously attributed North Korean malware.

Over the past year, the HA community platform has not only been growing at an incredible rate, but has also accumulated an amazing collective knowledge (on a side note: thank you, everyone!), thanks to Falcon Sandbox and many integrations extracting more IOCs than any other community service. Furthermore, to make it easier to help grow the collective community database, we published a new APIv2 with a modern tooling page that acknowledges privacy concerns and is state of the art.

With a growing set of data, having a technology to quickly and accurately search through it is what brings that Swiss Army knife to life. Imagine being able to take any YARA rule or string/binary pattern and scan through petabytes of data within minutes, instead of having to wait multiple hours for a batch job to complete. Imagine the search results could be downloaded, shared and used to easily determine efficacy and attribution, all within an open and transparent environment that benefits the whole community. Wait, what? This seems too good to be true.

Sometimes dreams come true. ;) Today, we are announcing a revolutionary new search capability for our Hybrid Analysis community platform, implemented as a powerful new YARA hunt and binary pattern search, including custom search filters (e.g. date ranges) and efficacy evaluation over petabytes of data. In order to facilitate this type of research by the security community, CrowdStrike has donated Falcon MalQuery, its rapid malware search engine technology, to the community.

Real World YARA Hunting

Let's take a look at how we can utilize the new feature, starting with the new front page of HA, which contains two new tabs, "YARA Search" and "String Search" (for string/binary patterns):

At this point, you can either navigate directly to the "Advanced Search" form (using the button), drag & drop a YARA rule (from a text file) or paste (CTRL-V) clipboard text containing a YARA rule.

Providing a valid YARA rule takes the user to the following search form/page:

On this page, it is possible to "refine" the search through a variety of criteria, e.g. the file type(s) to require (in the search result set), as well as date and file size ranges.

After performing the hunt (in this case for a RAT of the Lazarus Group), a list of matched HA Community Files is presented, including links to the respective reports and a collective IOC download (via CSV):
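
A scaled-down version of the hunt walked through above, added here as an example and not Hybrid Analysis or Falcon MalQuery code: a YARA-style hex pattern with "??" wildcards is scanned over an in-memory corpus, the file-type, date and size refinements from the search form are applied, and the matches are written out as the CSV indicator list. The corpus entries, their dates and the pattern are all constructed; dates are kept as ISO strings so they compare lexicographically.

```python
import csv
import hashlib
import io
import re

def compile_hex_pattern(hex_pattern):
    """Turn a YARA-style hex string such as '{ 4D 5A ?? ?? 50 45 }' into a bytes regex.

    '??' is a wildcard for any single byte, as in YARA hex strings."""
    tokens = hex_pattern.strip().strip("{}").split()
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in tokens]
    return re.compile(b"".join(parts), re.DOTALL)

def hunt(corpus, hex_pattern, file_types=None, date_range=None, size_range=None):
    """Scan every corpus entry for the pattern, honouring the refine filters the post describes.

    date_range and size_range are inclusive (start, end) tuples; first_seen values are
    ISO date strings, so string comparison orders them correctly."""
    regex = compile_hex_pattern(hex_pattern)
    hits = []
    for entry in corpus:
        if file_types and entry["type"] not in file_types:
            continue
        if date_range and not (date_range[0] <= entry["first_seen"] <= date_range[1]):
            continue
        if size_range and not (size_range[0] <= len(entry["data"]) <= size_range[1]):
            continue
        if regex.search(entry["data"]):
            hits.append(entry)
    return hits

def iocs_as_csv(hits):
    """Serialise the matched files as a CSV indicator list (sha256, type, first seen)."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["sha256", "file_type", "first_seen"])
    for h in hits:
        writer.writerow([hashlib.sha256(h["data"]).hexdigest(), h["type"], h["first_seen"]])
    return out.getvalue()

# Constructed in-memory corpus standing in for the community file store; no real samples.
CORPUS = [
    {"type": "PE", "first_seen": "2018-03-01", "data": b"MZ\x90\x00PE\x00\x00" + b"A" * 40},
    {"type": "PE", "first_seen": "2017-05-01", "data": b"MZ\x00\x00PE\x00\x00" + b"B" * 10},
    {"type": "DOC", "first_seen": "2018-06-01", "data": b"\xd0\xcf\x11\xe0MZ\x90\x00PE\x00\x00"},
]
```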

Happy hunting!

Source: https://www.hybrid-analysis.com/string-search/results/3530edadd82a867e3a35f4b26d8f85b5e82eb67d4b759cc1f77d2f499571cf59

[1] https://twitter.com/neelmehta/status/864164081116225536?s=21

Tuesday, December 20, 2016

Introducing A Unique Script Logging Engine

One advantage of being an exposed software vendor (we operate a popular free public malware analysis service) is that we constantly get challenged with the latest malware samples and have a lively feedback loop. IT security professionals and researchers from all around the world upload what they encounter on a daily basis. As we are quite dedicated to what we do here at Payload Security, we monitor the web service closely and enjoy doing so.

We have been observing during the past months that the use of script languages as an entry-point stage has been growing quite popular among cybercriminals. Often, it is not a single-layer approach; instead, the actual malicious script is downloaded by a "pre-stage" VBA script or other intermediate stages. That is, we have been seeing multi-layered dropper scripts. In general, one could say that mixing all kinds of script formats, including JavaScript, PowerShell, VBS, wrappers (WSF/HTA), encoded formats (JSE, VBE) and other variants, has become a standard part of the delivery toolset. Taking a look at the statistics page of the web service underlines the growing popularity of scripts (and that is not even counting AutoIt compiled to PEs, etc.):

A brief look around quickly revealed that other AV vendors have also noticed scripts being a popular vehicle for delivering trojans, ransomware, RATs, etc. As most of these scripts are not sandbox-environment aware, it is our personal speculation that the current increase in the complexity of malware delivery has mostly been implemented to bypass endpoint protection solutions, which often also rely on parsing the input file and the command line pre-execution. Nevertheless, there are sandbox-evasive mechanisms built into scripts that are interesting to investigate as well.

In order to better understand malicious script activity, we have implemented a generic script logging engine (hint: we are still thinking of a fancy/fluffy marketing name) that is quite powerful and intercepts various external script calls (JS/VBS/VBA). It is a technology that we are still building upon, which has been turned on at the public webservice for a few weeks now. As we are quite excited about it already, we decided to push forward the news with this blogpost.

Multi-Layered Cerber Delivery

The new Cerber variant we will be looking at uses a typical social engineering technique to try to lure recipients into enabling macros and executing the payload:

In general, reports from VxStream Sandbox always contain a variety of indicators that allow a quick assessment of macro code and whether or not it is most likely malicious (e.g. detecting obfuscation, suspicious keywords, auto-execute functionality, etc.):

In general, the macro indicators are not useful beyond establishing general malicious intent. This is where the new script logging engine comes into play: it adds some forensic flavor and allows extracting more artifacts. In order to access the script engine output, go to the 'Hybrid Analysis' process details section and click on a process that has the "Logged Script Calls" cog icon next to it:

In this specific case, clicking on the process will take you directly to the "Script calls" tab:

As we can see, the obfuscated VBA code is actually unwrapping a piece of JavaScript, which in turn downloads (and verifies) the next stage, which ends up being a PE file that encrypts the machine:

As this is happening within the VBA engine, neither classic API call monitoring nor instruction-based tracing (as implemented by some "next generation" solutions) will easily yield this depth and clarity.

Link to the report: https://www.vxstream-sandbox.com/sample/3004c162dc360c97aefc7828ca175e65583b972c9a7444d4f0e05d7bc4dc71f9?environmentId=100

Another beautiful example of the new script engine is the following Nemucod trojan delivering malicious JavaScript as a Windows Script File (WSF). It is deeply layered, involving multiple stages, including WScript.Shell and PHP code, as can be seen quite nicely in the process tree and the "Script calls" tab:

Link to the report: https://www.vxstream-sandbox.com/sample/b9618fd0f7dcfc47ea725c817abee20fde0298ee64783565766b38b53d5a0869?environmentId=100


As discussed, we believe there is a trend towards mainstream malware using more complex delivery methods that involve multi-layered scripts. For us at Payload Security, one answer to the ever-changing IT security threat landscape is to try out novel ideas, not to be "scared" of field tests with in-the-wild malware, and to be transparent about technology (we do not believe in security through obscurity), while keeping a focus on implementing solid solutions that bring business value to the end user.

Did we get your interest? Try out the new script logging engine at https://www.hybrid-analysis.com/ or follow us on Twitter at https://twitter.com/payloadsecurity