Analysis

  • timeout: Timeout (sec)
      This is the analysis duration
      default: 40
      range: [10, 600]
    • More details

      The Timeout option allows you to specify the duration of analysis for files within the sandbox environment. This option determines how long the sandbox will spend analyzing each file for potential threats.

      Setting the Timeout

      To set the timeout value, modify the configuration of your sandbox environment and adjust the timeout option according to your analysis requirements. The timeout value determines how long the sandbox will dedicate to analyzing each file's behavior and characteristics.

      Considerations and Recommendations

    • Analysis Depth: Longer analysis durations might provide more in-depth insight into a file's behavior, potentially improving the accuracy of threat detection. However, this could also lead to slower processing times for large numbers of files.
    • Performance Impact: Keep in mind that longer timeouts can affect the overall performance of the sandbox, as it will allocate more resources to the analysis process. Shorter timeouts might be preferred for rapid analysis of a large volume of files.
    • Customization: Tailor the timeout value to match the specific needs of your use case. Files with more complex behavior or larger sizes might require longer timeouts for thorough analysis.
    • Ensure that you balance the need for comprehensive analysis with the resources available and the desired speed of processing.

  • vm: VM template to use
      The virtual machine operating system to use
      Should be one of the following:
    • Windows7SP1x64 : Win7 x64
    • Windows10x64 : Win10 x64
    • default: Windows7SP1x64 (Win7 x64)
    • More details

      Setting the VM Template

      To set the VM template, modify the configuration of your sandbox environment and adjust the vm option according to your desired operating system template. The chosen template will determine the environment's underlying OS.

      Considerations and Recommendations

    • Compatibility: Ensure that the chosen VM template aligns with the software and applications you plan to run within the sandbox. Different operating systems have varying compatibility levels.
    • Use Case: Select the VM template that best suits your testing or analysis requirements. The choice between Windows 7 x64 and Windows 10 x64 may depend on the specific needs of your use case.
    • Choose the VM template that aligns with your project's objectives and software requirements.

  • custom_password: ZIP password (if archive file)
      The password to use to decrypt the submitted archive.
      default: infected
    • More details

      The Custom Password option allows you to specify a password to use for decrypting submitted archive files within the sandbox environment. This option is used to unlock encrypted archive files that are submitted for analysis.

      Setting the Custom Password

      To set the custom password, modify the configuration of your sandbox environment and adjust the custom_password option according to the password you want to use for decrypting submitted archive files.

      Note: for now, p2a supports only the archive file formats listed on the 7-Zip home page. The compression method used when writing the archive must be one supported by the p7zip-full package.

      Considerations and Recommendations

    • Security: Ensure that you choose a strong and secure password for decrypting archive files. Avoid using easily guessable or common passwords.
    • Encryption Standards: If possible, use encryption standards that provide a high level of security for your archive files.
    • Choose a password that balances security and usability for decrypting archive files within the sandbox environment.

  • use_vnc: Direct interaction with VM
      Enables the user to interact with the virtual machine during the analysis
      default: True
    • More details

      The Use VNC option allows you to enable or disable direct interaction with the virtual machine (VM) during analysis within the sandbox environment. When this option is enabled, you can interact with the VM using VNC (Virtual Network Computing) technology, providing a graphical interface for control.

      Enabling or Disabling Use VNC

      To enable or disable the use of VNC, modify the configuration of your sandbox environment and adjust the use_vnc option according to your requirements. Enabling VNC allows you to interact with the VM's graphical interface.

      Considerations and Recommendations

      Direct Interaction: Enabling VNC can be useful for troubleshooting, interacting with the environment, and observing the behavior of files within the sandbox in real-time.

      Security: Consider the security implications of allowing direct interaction with the VM. Ensure that proper security measures are in place to prevent unauthorized access.

  • free_mode: Free mode
      Enables the user to set up their environment in the virtual machine before the analysis starts
      default: False
    • More details

      The Free Mode option allows you to enable or disable the ability for users to set up their own environment in the virtual machine (VM) before the analysis starts within the sandbox environment. When this option is enabled, users can customize the VM's environment to their needs.

      Enabling or Disabling Free Mode

      To enable or disable Free Mode, modify the configuration of your sandbox environment and adjust the free_mode option according to your requirements. Enabling Free Mode allows users to customize the VM's environment before analysis.

      Considerations and Recommendations

      Customization: Enabling Free Mode can be useful for tailoring the analysis environment to specific needs or configurations that are relevant to the analysis being performed.

      Security: Consider the security implications of allowing users to set up their own environment. Ensure that proper security measures are in place to prevent unauthorized actions.

      Example Use Case

      Consider a scenario where a user needs to test a piece of software in a specific configuration that is not covered by the default sandbox environment. By enabling Free Mode, the user can install and configure the required software components, libraries, and settings in the VM before starting the analysis. This allows for more accurate testing and analysis in a controlled environment tailored to the user's needs.

  • light: Light mode
      Deactivates hooks to make the analysis lighter and faster
      default: False
    • More details

      The Light Mode option allows you to enable or disable a streamlined analysis mode to make the analysis faster and lighter. When this option is enabled, certain hooks are deactivated, resulting in a quicker analysis process. Additionally, dumps are not retrieved as part of the analysis.

      Enabling or Disabling Light Mode

      To enable or disable Light Mode, modify the configuration of your sandbox environment and adjust the light option according to your requirements. Enabling Light Mode deactivates certain hooks and skips retrieving dumps for a quicker analysis.

      Considerations and Recommendations

      Speed: Enabling Light Mode can significantly reduce the analysis time, which is beneficial for quick assessments or when large numbers of files need to be processed.

      Detailed Analysis: Keep in mind that Light Mode sacrifices some depth of analysis for speed. Use this mode when a high-level overview is sufficient.

      Example Use Case

      Imagine a situation where you have a large number of files to analyze, and you're primarily interested in identifying obvious threats without the need for an exhaustive analysis. By enabling Light Mode, you can quickly process the files, getting a general understanding of their behavior without the overhead of detailed analysis.

  • auto_start: Auto start upload
      Starts the analysis automatically after the sample is uploaded
      default: True
    • More details

      The Auto Start Upload option allows you to enable or disable the automatic initiation of analysis as soon as a sample is uploaded to the sandbox environment. When this option is enabled, the analysis will start without requiring manual intervention after the sample upload is complete.

      Enabling or Disabling Auto Start Upload

      To enable or disable Auto Start Upload, modify the configuration of your sandbox environment and adjust the auto_start option according to your requirements. Enabling this option streamlines the analysis process, starting it immediately upon sample upload.

      Considerations and Recommendations

      Efficiency: Enabling Auto Start Upload can simplify the analysis workflow, especially when multiple samples need to be processed quickly.

      Control: Be cautious when enabling this option, as it reduces the opportunity to review and adjust analysis settings before starting the process.

      Example Use Case

      Consider a situation where you are dealing with a high volume of incoming samples that require rapid analysis. By enabling Auto Start Upload, you can ensure that analysis begins immediately upon uploading a sample, allowing for a more streamlined and efficient workflow.

  • use_banker_environment: Browser to use
      Forces the specified browser to be launched for the analysis.
      Should be one of the following:
    • (empty) : Default
    • iexplorer : Internet Explorer
    • firefox : Firefox
    • chrome : Google Chrome
    • fakebrowser : Fake Browser
    • default: (Default)
    • More details

      The Use Banker Environment option allows you to specify the browser to be launched for analyzing various types of content, including URLs and other supported formats that can be opened with a browser. When this option is set, the specified browser will be used to open and analyze content for analysis.

      Setting the Browser for Content Analysis

      To set the browser for analyzing various types of content, including URLs and other supported formats, modify the configuration of your sandbox environment and adjust the use_banker_environment option according to the desired browser. The specified browser will be used to open and analyze supported content.

      Considerations and Recommendations

      Browser Relevance: Use this option to consistently analyze various types of content, such as URLs and supported formats, with the same browser to ensure accurate behavior simulation.

      Content Compatibility: Ensure that the chosen browser is capable of opening and accurately simulating the behavior of the content types you intend to analyze.

      Example Use Case

      Imagine you need to evaluate the behavior of URLs, PDFs, and other supported content types using a specific browser for consistent analysis. By setting the use_banker_environment option to chrome, you can ensure that Google Chrome is consistently used to open and analyze various types of content, providing unified behavior simulation for accurate testing and assessment.

  • public: Share with others
      If set, makes the analysis public, hence visible to everyone
      default: True
    • More details

      Enabling or Disabling Public Analysis

      To enable or disable the Public option, modify the configuration of your sandbox environment and adjust the public option according to your requirements. Enabling this option makes the analysis results accessible to all users.

      Considerations and Recommendations

      Sharing: Use this option when you want to share analysis results with a broader audience for collaboration or transparency purposes.

      Privacy: Be cautious when enabling this option, as it makes the analysis results available to all users, potentially including sensitive information.

      Example Use Case

      Consider a scenario where a security researcher wants to collaborate with others to analyze a complex threat. By enabling the public option, the researcher can share the analysis results with the broader security community, fostering collaboration and knowledge sharing.

  • shared: Shared analysis
      If set, a shared link will be provided so that the user can share the analysis
      default: False
    • More details

      Enabling or Disabling Shared Analysis

      To enable or disable the Shared option, modify the configuration of your sandbox environment and adjust the shared option according to your requirements. Enabling this option provides a shared link that users can use to share the analysis results.

      Considerations and Recommendations

      Collaboration: Use this option when you want to allow users to easily share analysis results with others, facilitating collaboration and communication.

      Control: Ensure that sensitive information is not inadvertently shared when enabling this option, as the shared link may be accessible to unauthorized individuals.

      Example Use Case

      Imagine a situation where a security team needs to collaborate with external stakeholders on analyzing a suspicious file. By enabling the shared option, the team can generate a shared link and provide it to the stakeholders, allowing them to access the analysis results and contribute insights.

  • confined_mode: Simulated Internet without external connection
      This option is useful for simulating an internet connection when the client is offline.
      default: False
    • More details

      Enabling or Disabling Confined Mode

      To enable or disable Confined Mode, modify the configuration of your sandbox environment and adjust the confined_mode option according to your requirements. Enabling this option allows for simulating an internet connection within a confined environment, even when the client is offline.

      Considerations and Recommendations

      Offline Testing: Use this option when you need to test internet-related functionality within the sandbox environment, even if the client machine is offline.

      Isolation: Ensure that the sandbox environment is adequately isolated to prevent unintended access to external resources while simulating an internet connection.

      Example Use Case

      Consider a scenario where a software application needs to be tested for its behavior in an environment with a simulated internet connection. By enabling the confined_mode option, you can accurately simulate internet-related interactions even when the client machine is not connected to the internet.

  • tor_mode: Route traffic through tor
      If set, all internet connections will be redirected through the Tor network. The Tor exit node will be in the country specified by the 'targetted_country' option
      default: False
    • More details

      Enabling or Disabling Tor Mode

      The Tor Mode option enables you to route all internet connections through the Tor network, enhancing privacy and anonymity during analysis. To enable or disable Tor Mode, modify the configuration of your sandbox environment and adjust the tor_mode option according to your requirements.

      How Tor Mode Works

      When tor_mode is enabled, all internet traffic from the sandboxed environment is redirected through the Tor network, a distributed network of volunteer-operated relays that helps protect users' privacy and anonymity. The Tor exit node, the last hop before traffic leaves the Tor network, will be located in the country specified by the 'targetted_country' option.

      The Importance of Targeted Country

      The 'targetted_country' option is crucial when using Tor Mode. By specifying the desired country, you control the geographic location of the Tor exit node. This matters for assessing geolocation-based behaviors and interactions within your analysis. For example, if you're evaluating the response of a web service that behaves differently based on the user's location, setting 'targetted_country' ensures that your analysis closely mimics the real-world scenario.

      Considerations and Recommendations

      Anonymity and Privacy: Use Tor Mode when you need to conduct analyses while maintaining a higher level of privacy and anonymity for both incoming and outgoing internet traffic.

      Geolocation Testing: Ensure that the 'targetted_country' option is configured accurately to align with your testing needs. This allows you to simulate internet connections originating from the desired country and analyze the behavior under different geolocation scenarios.

      Example Use Case

      Suppose you are assessing the behavior of a software application that interacts with servers in specific geographic regions. Enabling tor_mode and configuring the 'targetted_country' option to the relevant country allows you to simulate connections from that country, enabling comprehensive testing of geolocation-based behavior and interactions with privacy-enhanced routing through the Tor network.

  • targetted_country: Country to target (see https://www.science.co.il/language/Locale-codes.php)
      If the 'tor_mode' option is set, this will be the country of the Tor exit node. It also sets the keyboard language.
      Should be one of the following:
    • 1036 : France
    • 1031 : Germany
    • 2057 : England
    • 3081 : Australia
    • 1046 : Brazil
    • 2052 : China
    • 1034 : Spain
    • 1033 : United States
    • 1040 : Italy
    • 1041 : Japan
    • 1029 : Czech Republic
    • 1049 : Russia
    • 1049 : Belgium
    • 1049 : Bulgaria
    • 1049 : Slovakia
    • default: 1036 (France)
    • More details

      The Targeted Country option allows you to specify the country for the Tor exit node when the 'tor_mode' option is enabled. This option not only affects the geographic location of the Tor exit node but also sets the language keyboard for the analysis environment.

      Setting the Targeted Country

      To set the targeted country for the Tor exit node, adjust the targetted_country option according to your analysis requirements. This will ensure that the Tor exit node is located in the specified country, influencing geolocation-based behavior.

      Language and Geolocation

      The 'targetted_country' option not only affects the geographical location of the Tor exit node but also configures the analysis environment's language keyboard to match the selected country.

      Example Use Case

      Consider a situation where you need to assess a web service's behavior in Germany. By enabling 'tor_mode' and setting targetted_country to 1031 (Germany), you can simulate an internet connection routed through the German Tor exit node, ensuring accurate geolocation-based testing with the appropriate language keyboard setting.

Time

  • time_system_new_date: Force system time to
      Forces the time in the virtual machine to the specified one, given as an integer UNIX timestamp in seconds (see https://www.timestamp.fr/? or https://www.epochconverter.com/)
      default: 0
    • More details

      The Force System Time option allows you to specify a new date and time for the system clock within the virtual machine environment. This can be useful for simulating specific time-based scenarios during analysis.

      Setting the New System Time

      To set a new system date and time, modify the configuration of your sandbox environment and adjust the time_system_new_date option according to the desired integer timestamp. This will force the system time within the virtual machine to the specified date and time (see https://www.timestamp.fr/? or https://www.epochconverter.com/).

      Usage Scenarios

      Time-Based Testing: Use this option when you need to analyze how a system or application behaves under specific date and time conditions, such as different moments in time or time zones.

      Scenario Simulation: Simulate scenarios where time-sensitive events, scheduled tasks, or behaviors are dependent on specific timestamps, allowing you to evaluate the application's response.

      Example Use Case

      Imagine you are testing a financial software application that generates time-stamped transaction records. By setting time_system_new_date to a specific integer timestamp, such as 1678915200 (representing January 14, 2023), you can force the system time to that moment and analyze how the application handles transaction processing and reporting based on the simulated time.

  • time_autotrigger_scheduled_tasks: Trigger scheduled tasks immediately
      If set, whenever a system event that triggers a task is encountered, the task will be run immediately.
      default: True
    • More details

      The Auto-Trigger Scheduled Tasks option allows you to control the behavior of scheduled tasks within the virtual machine environment. When enabled, this option triggers scheduled tasks immediately upon encountering a system event that would normally activate the task.

      Configuring Auto-Trigger Behavior

      To configure the auto-trigger behavior for scheduled tasks, modify the configuration of your sandbox environment and adjust the time_autotrigger_scheduled_tasks option. By default, tasks will be run immediately upon system events that activate them when this option is enabled.

      Enhancing Malware Analysis

      Malware Detection: This option can be valuable for analyzing malware behavior. If malware schedules tasks to run at specific times, enabling auto-triggering helps in identifying and monitoring these potentially malicious activities as they occur.

      Dynamic Analysis: Use this feature to study the real-time impact of scheduled tasks initiated by malware, allowing you to gather insights into how the malware interacts with the system and what activities it performs.

      Example Use Case

      Imagine you are analyzing a piece of malware that is known to schedule tasks to execute certain actions at specific intervals. By enabling time_autotrigger_scheduled_tasks, you can proactively track and observe the scheduled tasks triggered by the malware in a controlled environment. This enables you to monitor its behavior, interactions, and potential effects on the system as part of your malware analysis process.

  • time_acceleration_factor: Time flow factor (1=no acceleration)
      Some malware sleeps for a certain amount of time before executing its actual malicious code (an anti-sandbox technique). This option accelerates the clock tick to force such malware to execute sooner than it otherwise would.
      default: 7
      range: [1, 16]
    • More details

      To use the time acceleration factor, modify the configuration of your sandbox environment and adjust the time_acceleration_factor option based on the acceleration level you desire. Larger values accelerate time more aggressively, while smaller values provide a milder acceleration effect.

      Counteracting Malware Techniques

      Mitigating Anti-Sandbox Measures: Increase the time acceleration factor to disrupt time-based delays employed by malware, forcing them to execute their malicious code more rapidly.

      Dynamic Analysis: Use this feature to study malware with time-based anti-analysis tactics under accelerated time conditions, allowing you to observe its behavior and interactions in a shorter time frame.

      Example Use Case

      For malware that introduces time-based delays before launching malicious activities, adjusting time_acceleration_factor can hasten the execution of the malware's code, enabling you to observe its behavior and effects without prolonged waits during analysis.

Detection

  • rulesets: Rulesets to use
      The set of rules to use for static analysis. For now, only the provided OCD rules can be used.
    • OCD : OCD
      default: True
    • More details

      To configure rulesets, modify the configuration of your sandbox environment and adjust the rulesets option based on your analysis requirements. By selecting appropriate rulesets, you enhance the effectiveness of both static and dynamic analysis processes.

      Rule-Based Analysis

      Choose suitable rulesets to improve the detection of security threats, vulnerabilities, and suspicious behaviors within applications or files undergoing analysis.

      The provided OCD rules, developed by OrangeCyberDefense, combine static and dynamic rules that identify coding patterns, behaviors, and runtime activities indicative of malware presence or code anomalies.

      Example Use Case

      Consider the analysis of a potentially malicious executable. By enabling the rulesets option and selecting the OCD rules, you can apply a comprehensive set of rules for both static and dynamic analysis. This enables you to identify suspicious code patterns, runtime behaviors, and potential malware activities to ensure a thorough analysis process.
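The options documented above have ranges, enumerations and a few cross-option dependencies (tor_mode relies on targetted_country, public and shared widen who can read a report, confined_mode has no external connection). The validator below is an added example, not p2a's own code or submission API: it assumes options are passed as a flat dict keyed by the option names on this page, with rulesets given as a list of ruleset names, and it reports documented-range violations as errors and risky-but-valid combinations as warnings before a sample is submitted.

```python
"""Pre-submission check for a p2a analysis option set (added example).

Assumption: options arrive as a flat dict keyed by the option names documented
on this page; the real submission format and server-side checks are not shown here.
"""
from __future__ import annotations

# Defaults, ranges and enumerations exactly as documented on the page.
DEFAULTS = {
    "timeout": 40, "vm": "Windows7SP1x64", "custom_password": "infected",
    "use_vnc": True, "free_mode": False, "light": False, "auto_start": True,
    "use_banker_environment": "", "public": True, "shared": False,
    "confined_mode": False, "tor_mode": False, "targetted_country": 1036,
    "time_system_new_date": 0, "time_autotrigger_scheduled_tasks": True,
    "time_acceleration_factor": 7, "rulesets": ["OCD"],
}
RANGES = {"timeout": (10, 600), "time_acceleration_factor": (1, 16)}
CHOICES = {
    "vm": {"Windows7SP1x64", "Windows10x64"},
    "use_banker_environment": {"", "iexplorer", "firefox", "chrome", "fakebrowser"},
    # LCIDs listed on the page; 1049 is listed under several entries, so it is one value here.
    "targetted_country": {1036, 1031, 2057, 3081, 1046, 2052, 1034, 1033,
                          1040, 1041, 1029, 1049},
}
BOOLS = {"use_vnc", "free_mode", "light", "auto_start", "public", "shared",
         "confined_mode", "tor_mode", "time_autotrigger_scheduled_tasks"}


def validate(options: dict) -> tuple[dict, list[str], list[str]]:
    """Return (effective_options, errors, warnings).

    errors   : values the documented ranges or enumerations reject.
    warnings : valid combinations worth a second look for a sensitive sample.
    """
    eff = {**DEFAULTS, **options}
    errors: list[str] = []
    warnings: list[str] = []
    for key in options:
        if key not in DEFAULTS:
            errors.append(f"unknown option {key!r}")
    for key, (lo, hi) in RANGES.items():
        v = eff[key]
        if not isinstance(v, int) or isinstance(v, bool) or not lo <= v <= hi:
            errors.append(f"{key}={v!r} outside [{lo}, {hi}]")
    for key, allowed in CHOICES.items():
        if eff[key] not in allowed:
            errors.append(f"{key}={eff[key]!r} not one of {sorted(allowed, key=str)}")
    for key in BOOLS:
        if not isinstance(eff[key], bool):
            errors.append(f"{key} must be a boolean")
    ts = eff["time_system_new_date"]
    if not isinstance(ts, int) or isinstance(ts, bool) or ts < 0:
        errors.append("time_system_new_date must be a UNIX timestamp in seconds (0 = unchanged)")
    if eff["rulesets"] != ["OCD"]:
        errors.append("only the provided OCD ruleset can be used for now")
    # Exposure checks: the documented defaults make every report public.
    if eff["public"]:
        warnings.append("public=True: the report is visible to every user")
    if eff["shared"]:
        warnings.append("shared=True: anyone holding the link can read the report")
    if eff["tor_mode"] and "targetted_country" not in options:
        warnings.append("tor_mode without an explicit targetted_country: exit node defaults to 1036 (France)")
    if eff["tor_mode"] and eff["confined_mode"]:
        warnings.append("tor_mode with confined_mode: confined mode has no external connection to route")
    if eff["light"]:
        warnings.append("light=True: hooks deactivated and no dumps retrieved")
    return eff, errors, warnings
```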