Today is a big release day with two new major features that we have worked on over the past 9-10 months. Both are also available on our online web service at http://www.hybrid-analysis.com right now.
Kernelmode Monitor
You can now choose a 'Stealthy Mode' environment, which is a completely new monitoring technology that leaves the malware sample untampered. Many sandbox systems and even AV products (see this blog post: http://rce.co/why-usermode-hooking-sucks-bypassing-comodo-internet-security/) rely on injecting into and tampering with processes in userland. With the new 'Stealthy Mode' of VxStream Sandbox the sample is executed untampered and observed from the operating system level, which is far less detectable. Our new technology is a milestone and takes VxStream to a level that is matched by only very few competitors on the market.
Note: choose the W7 32 bit 'Stealthy Mode' environment upon submission to try it out.
Of course, we still take memory dumps of the analyzed processes so that the reports benefit from Hybrid Analysis technology. Essentially, you will not notice much difference between the usermode and kernelmode monitor, except that certain malware samples that detect tampering with their memory image will run a lot better under 'Stealthy Mode'. The new kernelmode monitor also comes with some basic anti-VM-detection technology, just like the usermode monitor.
The above picture is taken from a sample report running the known 'Pafish' benchmark (v0.4) with the new kernelmode monitor: https://www.hybrid-analysis.com/sample/bf0bbd28deed92fbd9f974e63336c2a4185a07ed19c578a37885d351134c0182/?environmentId=4
Single-File HTML Reports
It is now possible to 'persist' and download single-file HTML reports for any analysis report generated from now on. This is another feature we have been working on: the HTML reports are generated from the XML reports and are completely separate from the online reports (which are just a view on JSON documents stored in a MongoDB). The HTML reports are handy if you want to share or keep a report. They are not as complete as the online reports yet, but they also contain a few details the online reports lack (such as the exact VT results).
Sample HTML report hosted at our company site: here
Corresponding Hybrid-Analysis.com report: here
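As an added illustration (not Payload Security's own code; the XML schema, element names and sample values below are constructed for this demo and are not VxStream's real report format), here is a Python script that turns an XML analysis report into one self-contained HTML file. Screenshots are inlined as data URIs so the file has no external dependencies, and every value that originates from the sample (filename, extracted strings) is HTML-escaped before it is written out, because a report opened in an analyst's browser must never execute content that the malware author controls.

```python
"""Render a self-contained HTML report from an XML analysis report.

Example code: the XML schema, element names and all sample data here are
assumptions constructed for this demo, not VxStream's actual report format.
"""
import base64
import html
import xml.etree.ElementTree as ET

# Constructed sample XML report. The filename and one extracted string
# deliberately carry HTML/JS so the demo shows why every sample-derived
# value must be escaped before it lands in a browser-rendered report.
# The screenshot payload is only the PNG magic bytes, base64-encoded.
SAMPLE_XML = """<?xml version="1.0"?>
<analysis sha256="PLACEHOLDER_SHA256" environment="Windows 7 32 bit (Stealthy Mode)">
  <sample filename="invoice&lt;script&gt;alert(1)&lt;/script&gt;.exe" size="40960"/>
  <vtresult positives="37" total="57"/>
  <signatures>
    <signature severity="malicious" id="1">Writes to the Run key for persistence</signature>
    <signature severity="suspicious" id="2">Reads the cryptographic machine GUID</signature>
  </signatures>
  <strings>
    <string>http://example.invalid/gate.php</string>
    <string>&quot; onmouseover=&quot;alert(document.cookie)</string>
  </strings>
  <screenshots>
    <screenshot name="desktop.png">iVBORw0KGgo=</screenshot>
  </screenshots>
</analysis>
"""

# Inline stylesheet: a single-file report cannot reference external CSS.
STYLE = "body{font-family:sans-serif;margin:2em}.malicious{color:#b00}.suspicious{color:#c80}"


def esc(value):
    """HTML-escape a report value for use in text and attribute context."""
    return html.escape("" if value is None else str(value), quote=True)


def render_signatures(root):
    """Render behaviour signatures; the CSS class is whitelisted, not copied."""
    rows = []
    for sig in root.iterfind("./signatures/signature"):
        sev = sig.get("severity", "informative")
        cls = sev if sev in ("malicious", "suspicious") else "informative"
        rows.append('<li class="%s">[%s] %s</li>' % (cls, esc(sev), esc(sig.text)))
    return "<ul>%s</ul>" % "".join(rows)


def render_screenshots(root):
    """Inline each screenshot as a data URI; reject anything that is not valid base64."""
    figures = []
    for shot in root.iterfind("./screenshots/screenshot"):
        raw = base64.b64decode(shot.text or "", validate=True)
        data_uri = "data:image/png;base64," + base64.b64encode(raw).decode("ascii")
        name = esc(shot.get("name"))
        figures.append('<figure><img alt="%s" src="%s"><figcaption>%s</figcaption></figure>'
                       % (name, data_uri, name))
    return "".join(figures)


def render_report(xml_text):
    """Return the complete single-file HTML report as a string."""
    # ET.fromstring does not fetch external entities, so the XML layer itself
    # cannot be used to pull in content from outside the report.
    root = ET.fromstring(xml_text)
    sample = root.find("sample")
    vt = root.find("vtresult")
    parts = [
        "<!DOCTYPE html><html><head><meta charset='utf-8'>",
        "<title>Report %s</title><style>%s</style></head><body>" % (esc(root.get("sha256")), STYLE),
        "<h1>Analysis report</h1>",
        "<table>",
        "<tr><th>SHA256</th><td>%s</td></tr>" % esc(root.get("sha256")),
        "<tr><th>Filename</th><td>%s</td></tr>" % esc(sample.get("filename")),
        "<tr><th>Environment</th><td>%s</td></tr>" % esc(root.get("environment")),
        "<tr><th>VirusTotal</th><td>%s / %s</td></tr>" % (esc(vt.get("positives")), esc(vt.get("total"))),
        "</table>",
        "<h2>Signatures</h2>", render_signatures(root),
        "<h2>Strings</h2>",
        "<ul>%s</ul>" % "".join("<li>%s</li>" % esc(s.text) for s in root.iterfind("./strings/string")),
        "<h2>Screenshots</h2>", render_screenshots(root),
        "</body></html>",
    ]
    return "\n".join(parts)


if __name__ == "__main__":
    with open("report.html", "w", encoding="utf-8") as fh:
        fh.write(render_report(SAMPLE_XML))
```

Running the script writes report.html next to it. Opening that file shows the hostile filename and string as literal text rather than as markup, and the page renders with no network access at all, which is the property that makes a single-file report safe to mail around or archive.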
Of course, we will keep extending and working on both of these two new code 'projects' over the coming months, so stay tuned.
// EOF
It is possible to license VxStream Sandbox and run it on-premises.
If you are interested in licensing the full version of VxStream Sandbox (which includes the web application to run your own service, an API, the runtime monitor, the load balancing controller, Hybrid Analysis technology, the report generator, all behavior signatures, scripts, etc.) or have any questions, please use our contact form and get in touch. We have a very simple licensing structure and additional options. If you are interested in a demo, try out our free malware analysis service at hybrid-analysis.com.