Cuckoo sandbox

The Cuckoo Sandbox is an open source malware analysis system that automates many of the tasks associated with dynamic malware analysis. It can analyze a variety of suspected malicious files, such as Windows executables, documents, and Java applets, inside a virtualized environment, and the analysis includes network traffic capture and memory analysis using Volatility.

Installing the Cuckoo Sandbox can take some time and effort. An excellent resource on installing a local sandbox can be found at https://bdavis-cybersecurity.blogspot.com/2016/11/cuckoo-sandbox-installation-part-1-of-4.html

In addition to a local installation of Cuckoo Sandbox, analysts can make use of a web-based version. The site https://malwr.com/ is a free service that allows an analyst to upload a copy of the malware and have the site conduct a dynamic analysis, after which it produces a report that can be reviewed. In the following example, malwr.com is used to review the Loki Bot malspam sample that was previously analyzed with Pestudio.

  1. Navigate to the site https://malwr.com and click Submit in the upper left-hand corner. This will open the following window:
  2. Click Select File and then navigate to the malware file to be analyzed. Malwr.com lets the analyst choose whether to share the sample with the community. In this case, as the malware being tested is already known, sharing is not selected. Finally, solve the CAPTCHA equation and click Analyze. The following window will appear:
  3. Depending on the type of malware and its size, it may take a few minutes for Malwr to complete the analysis. During that time, the following window will appear:
  4. Once the analysis is complete, a window will open with the analysis results. The results include both static and dynamic analysis elements, such as behavioral and network details, for review.
  5. Click on Static Analysis. From here, the analyst can view specific elements, including strings and the functions the executable imports, grouped by DLL. In this case the imports come from MSVBVM60.dll, the Visual Basic 6 runtime, which indicates a Visual Basic 6 executable.
  6. While in the Static Analysis section, click on Antivirus. This provides the analyst with a breakdown of VirusTotal results for the uploaded sample.
  7. Next, click Behavioral Analysis. From here, specific file behaviors are outlined. Charts break down the sequence of events that transpired after the malware was executed, allowing the analyst to examine specific elements in greater detail.
  8. Malware often drops other files as part of the infection. Malwr allows the analyst to see these files as well. Click on Dropped Files. Malwr indicates that two files were dropped by this malware.
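The same workflow (submit a sample, wait for the analysis, then read the imports, antivirus results, dropped files, and network hosts out of the report) can be scripted against a local Cuckoo installation instead of the malwr.com web form. The following is an added example written for this page; it is not code from the book, from malwr.com, or from the Cuckoo project. It assumes a Cuckoo 2.x REST API server (`cuckoo api`) listening on http://127.0.0.1:8090 with the `/tasks/create/file`, `/tasks/view/<id>` and `/tasks/report/<id>` endpoints, and it assumes the Cuckoo 2.x JSON report layout (`static.pe_imports`, `virustotal.scans`, `dropped`, `network.hosts`). The embedded `SAMPLE_REPORT` is a constructed stand-in shaped like the walkthrough's VB6 sample so the report parsing can be run offline.

```python
"""Submit a sample to a local Cuckoo Sandbox API and summarize its report.

Added example, not code from the book or the Cuckoo project. Assumes a
Cuckoo 2.x API server at API (below) and the Cuckoo 2.x report layout.
"""
import hashlib
import json
import time
import urllib.request
import uuid

API = "http://127.0.0.1:8090"  # assumed local `cuckoo api` endpoint


def sha256_of(path):
    """Hash the sample locally before it leaves the analyst's machine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def submit_file(path, api=API):
    """POST the sample as multipart/form-data to /tasks/create/file; return the task id."""
    with open(path, "rb") as fh:
        data = fh.read()
    boundary = uuid.uuid4().hex
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{name}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    req = urllib.request.Request(
        f"{api}/tasks/create/file",
        data=body,
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["task_id"]


def wait_for_report(task_id, api=API, poll=10, timeout=900):
    """Poll /tasks/view until the task is 'reported', then fetch the JSON report."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with urllib.request.urlopen(f"{api}/tasks/view/{task_id}") as resp:
            status = json.load(resp)["task"]["status"]
        if status == "reported":
            with urllib.request.urlopen(f"{api}/tasks/report/{task_id}") as resp:
                return json.load(resp)
        if status.startswith("failed"):
            raise RuntimeError(f"task {task_id} ended in status {status}")
        time.sleep(poll)
    raise TimeoutError(f"task {task_id} not reported within {timeout}s")


def summarize(report):
    """Extract the elements the manual walkthrough reviews tab by tab."""
    # Static Analysis tab: imported functions grouped by DLL (assumed key names).
    imports = {
        entry["dll"].lower(): [i["name"] for i in entry.get("imports", [])]
        for entry in report.get("static", {}).get("pe_imports", [])
    }
    # Antivirus tab: count engines that flagged the sample.
    scans = report.get("virustotal", {}).get("scans", {})
    detections = sum(1 for s in scans.values() if s.get("detected"))
    # Dropped Files tab.
    dropped = [(d.get("name"), d.get("sha256")) for d in report.get("dropped", [])]
    # Network tab: Cuckoo 2.x stores host dicts, 1.x stored bare IP strings.
    hosts = [h["ip"] if isinstance(h, dict) else h
             for h in report.get("network", {}).get("hosts", [])]
    return {
        "imports": imports,
        "av_detections": detections,
        "av_engines": len(scans),
        "dropped": dropped,
        "hosts": hosts,
    }


# Constructed report fragment in the assumed Cuckoo 2.x layout; not real data.
SAMPLE_REPORT = {
    "static": {"pe_imports": [
        {"dll": "MSVBVM60.DLL",
         "imports": [{"name": "ThunRTMain"}, {"name": "__vbaStrCopy"}]},
    ]},
    "virustotal": {"scans": {
        "EngineA": {"detected": True, "result": "Trojan.Generic"},
        "EngineB": {"detected": False, "result": None},
        "EngineC": {"detected": True, "result": "Trojan/Downloader"},
    }},
    "dropped": [
        {"name": "tmp1.exe", "sha256": "a" * 64},
        {"name": "config.dat", "sha256": "b" * 64},
    ],
    "network": {"hosts": [{"ip": "203.0.113.10", "hostname": "c2.example"}]},
}


if __name__ == "__main__":
    import sys
    print("sha256:", sha256_of(sys.argv[1]))
    report = wait_for_report(submit_file(sys.argv[1]))
    print(json.dumps(summarize(report), indent=2))
```

Run it as `python cuckoo_submit.py sample.exe` against a local API server; without a server, `summarize(SAMPLE_REPORT)` still demonstrates the report fields. Hashing the sample first gives the team a record of what was submitted, which matters when deciding whether a sample may be sent to a public service at all.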

A good deal more information can be obtained via Malwr, including network activity and comments provided by the Malwr community. One key consideration must be weighed when comparing this platform against a local solution: malware authors do watch community boards and VirusTotal to see whether a hash or the actual file has been uploaded. If the malware is specific to a single organization, such as a government entity or a large retailer, an upload tells them that incident response analysts have discovered their creation. Incident response teams need to balance the speed and ease of this technique against the possibility that their efforts are disclosed, and should prefer a local sandbox for samples that appear to be targeted.
