Hello,
I have collected a list of online malware analysis services and have decided to share this collection with you. These services can assist you if you need results to a sample (static/dynamic or both) and do not have the time to manually analyse the sample, or if you become stuck whilst analysing a sample and want to check the results of an online service to explore something in the sample.
If you are not aware about how these services work, these services allow you to upload the file of your choice and this file is then submitted to their server. On their side the file (e.g. Portable Executable) is executed in an isolated environment where all its behaviour is monitored. Eventually the analysis will end and this could be due to the submitted executable crashing, terminating itself (finished executing) or if the service has a time-out to end the analysis session after a certain period of time to prevent the analysis going on forever and never ending. Once the analysis of the submission has successfully completed you will be presented the logged results of the analysis which will tell you how the sample behaved whilst within the isolated environment (the different activities it attempted to carry out). Most of the time these services include results for static analysis also, such as imported functions and which libraries they are from, if the sample has been found to be packed, and so on.
Before I list a bunch of services, I should put a few warnings in place for those who are not already aware:
Services which support PE files (Portable Executables):
Malwr - Malware Analysis by Cuckoo Sandbox
Free Automated Malware Analysis Service - powered by VxStream Sandbox
Deepviz - Analyze
Automated Malware Analysis - Joe Sandbox Cloud
Cuckoo Sandbox supports executables, document exploits, Java applets, etc. Therefore, they should work for submissions with any service which uses Cuckoo as its method of isolation (since not all services may necessarily have their own sandbox but may use a third-party sandbox which is open source… Like Cuckoo).
Services which support APK files (Android applications):
SandDroid
Free Automated Malware Analysis - APK Analyzer
If you wish to analyse documents only (e.g. MS Office documents or Adobe documents) then you can try to use this service: Free Automated Malware Analysis - Document Analyzer (also by Joe Sandbox Cloud which was referenced above a few times for the PE/APK analysis).
For online automated analysis of Linux binaries you can try to use this service: detux - The Linux Sandbox
If you are getting a large amount of sample submissions on a regular basis, then it may not be practical to go through and analyse every single one of those samples manually. Therefore, in this scenario you can attempt to use online malware analysis automated services to help you! This is not a bad thing to do and in no way does it make you “silly”, even security vendors like Avira use automated analysis to help them! If you do not believe me then feel free to check this post on their blog which was published back in 2014: Cuckoo Sandbox vs. Reality - Avira Blog
Thank you for reading and hopefully this can be helpful for you.
Wave.
I have collected a list of online malware analysis services and have decided to share this collection with you. These services can assist you if you need results to a sample (static/dynamic or both) and do not have the time to manually analyse the sample, or if you become stuck whilst analysing a sample and want to check the results of an online service to explore something in the sample.
If you are not aware about how these services work, these services allow you to upload the file of your choice and this file is then submitted to their server. On their side the file (e.g. Portable Executable) is executed in an isolated environment where all its behaviour is monitored. Eventually the analysis will end and this could be due to the submitted executable crashing, terminating itself (finished executing) or if the service has a time-out to end the analysis session after a certain period of time to prevent the analysis going on forever and never ending. Once the analysis of the submission has successfully completed you will be presented the logged results of the analysis which will tell you how the sample behaved whilst within the isolated environment (the different activities it attempted to carry out). Most of the time these services include results for static analysis also, such as imported functions and which libraries they are from, if the sample has been found to be packed, and so on.
Usually (at least on services like malwr) it will pin-point suspicious activity which it finds key to malicious activity. To explain this better, malwr service works via sandboxing the submission with the Cuckoo sandbox. Therefore, if the sample checks if it’s being isolated within Cuckoo and attempts to escape the sandbox power then malwr will note this activity occurred clearly on the analysis results, which is definitely an example of something which an honest and clean application shouldn’t be doing.
Before I list a bunch of services, I should put a few warnings in place for those who are not already aware:
- Some malware analysis services (such as malwr.com) will allow you to download samples uploaded by other people. I highly recommend that you do not do this unless you know what you are doing since you can end up infecting yourself if you accidentally execute the sample on your host system (assuming the sample is malicious and not just a safe submission someone wanted analysis on).
- A lot of malware is capable of detecting when they are being executed within an isolated environment (e.g. being executed within a sandbox where the actions are being controlled to restrict it). A lot of online virtualisation services will be able to identify when a sample is checking for virtualisation/sandbox presence and will log for the final results however new methods for anti-vm/anti-sandbox are being created all the time by malware authors and it is technically possible for an online service to fail to detect the behaviour in some situations. Therefore, keep an open eye out!
- If you do decide to download a sample someone else had submitted if the service you are using allows you to do this for analysis purposes, make sure that you are protected when you perform analysis on the sample (I am referring to dynamic analysis). By the use of “protected” I am referring to using a proper set-up analysis environment so your host OS doesn’t become compromised, and also making sure other protection is setup. For example, to prevent your real IP being leaked in the case of the sample opening connections to a host, use VPN (Virtual Private Network) – the last thing you want is a malware author obtaining your real IP address!
Services which support PE files (Portable Executables):
Malwr - Malware Analysis by Cuckoo Sandbox
Free Automated Malware Analysis Service - powered by VxStream Sandbox
Deepviz - Analyze
Automated Malware Analysis - Joe Sandbox Cloud
Cuckoo Sandbox supports executables, document exploits, Java applets, etc. Therefore, they should work for submissions with any service which uses Cuckoo as its method of isolation (since not all services may necessarily have their own sandbox but may use a third-party sandbox which is open source… Like Cuckoo).
Services which support APK files (Android applications):
SandDroid
Free Automated Malware Analysis - APK Analyzer
If you wish to analyse documents only (e.g. MS Office documents or Adobe documents) then you can try to use this service: Free Automated Malware Analysis - Document Analyzer (also by Joe Sandbox Cloud which was referenced above a few times for the PE/APK analysis).
For online automated analysis of Linux binaries you can try to use this service: detux - The Linux Sandbox
If you are getting a large amount of sample submissions on a regular basis, then it may not be practical to go through and analyse every single one of those samples manually. Therefore, in this scenario you can attempt to use online malware analysis automated services to help you! This is not a bad thing to do and in no way does it make you “silly”, even security vendors like Avira use automated analysis to help them! If you do not believe me then feel free to check this post on their blog which was published back in 2014: Cuckoo Sandbox vs. Reality - Avira Blog
Thank you for reading and hopefully this can be helpful for you.
Wave.
Last edited by a moderator:
