It’s Triage Thursday again, which means we have fresh updates from the Triage Sandbox over the past week. If you’re new here and want to learn about the latest malware families we’re working on and get the most out of our sandbox, you’ve come to the right place. In this series, we’ll update you on new malware families we’ve supported, updates for existing ones, and any exciting features that are expected to roll out soon.
Besides the usual detection improvements this week we’ve also got a couple of new features in the finished reports which should make your life with the sandbox a little easier! Let’s take a look.
Replay Monitor Updates
If you’re familiar with our reports you’ll be used to seeing this Replay section at the bottom of each task - it’s basically a video capture of the VM while it was running the analysis.
You might have noticed though that a few days ago some new things appeared along the bottom here. So what do these do?
Analyst Tip
The video replay is not a continuous recording: the format only captures a frame when the image changes. As a result you will often see the timestamp jump, or find that you cannot select a specific time in the playback. This is not a bug; nothing was happening on screen at that time. Just scroll back to the last point before the jump, since the content during the gap is exactly the same as that frame.
Malware Event Timeline
First up you’ll notice a number of boxes hovering above the time bar. These are malware events recorded during the analysis, mapped to the view based on when they occurred.
Each box is coloured based on the signatures associated with that event, with grey being low severity/informational and red being high priority. You can click on any of the events to be immediately taken to the relevant entry in either the network or process lists to see a breakdown of the detections triggered.
Note that currently only process and network events are included here.
We hope this feature will help you build a coherent timeline of events during the analysis, removing some of the manual work comparing the different report sections. This is something that we’re going to be looking into more throughout the year so watch this space!
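To make the two behaviours above concrete, here is an added illustration (written for this post, not Triage's replay format or report code) of a change-only frame store with the seek semantics the Analyst Tip describes, plus an event timeline that places process and network events on the time bar and colours each by its worst signature. The timestamps, the sample frames and events, and the score cut-offs behind the grey/orange/red colouring are constructed assumptions; the post only says grey is informational and red is high priority.

```python
"""Sparse (change-only) replay store plus an event timeline mapped onto its time bar.

Illustrative code written for this post; it is not Triage's replay format or report
code. Timestamps, severity thresholds and the sample frames/events are constructed.
"""
import bisect
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Frame:
    t_ms: int      # time into the analysis, milliseconds
    image: bytes   # stand-in for screen content (a hash would do in practice)


class SparseReplay:
    """Keeps a frame only when the screen changed, so playback has gaps.

    Seeking into a gap returns the last frame recorded before it: the screen was
    unchanged at that moment, which is why scrolling back to the last point
    before a timestamp jump shows exactly what was visible during the jump.
    """

    def __init__(self) -> None:
        self._frames: list[Frame] = []
        self._times: list[int] = []   # parallel list of timestamps for bisect

    def record(self, t_ms: int, image: bytes) -> bool:
        """Store the frame if it differs from the previous one; return True if stored."""
        if self._times and t_ms < self._times[-1]:
            raise ValueError("frames must be recorded in time order")
        if self._frames and self._frames[-1].image == image:
            return False  # nothing changed: no frame written, hence the gap
        self._frames.append(Frame(t_ms, image))
        self._times.append(t_ms)
        return True

    def seek_points(self) -> list[int]:
        """Timestamps a player can actually jump to (the 'jumping' timestamps)."""
        return list(self._times)

    def frame_at(self, t_ms: int) -> Optional[Frame]:
        """Frame shown at an arbitrary time: the last one recorded at or before t_ms."""
        i = bisect.bisect_right(self._times, t_ms) - 1
        return self._frames[i] if i >= 0 else None


@dataclass
class Event:
    t_ms: int
    kind: str                   # "process" or "network", the two kinds the post covers
    ref: str                    # identifier of the entry in the process or network list
    signatures: list = field(default_factory=list)   # (signature name, score) pairs


def colour_for(score: int) -> str:
    """Assumed severity scale for the illustration; the cut-offs are not Triage's."""
    if score >= 8:
        return "red"
    if score >= 5:
        return "orange"
    return "grey"


def timeline(events: list, duration_ms: int, width_px: int) -> list:
    """Place each event on a time bar width_px wide, coloured by its highest-scoring
    signature, with the report entry a click on the box should jump to."""
    boxes = []
    for ev in sorted(events, key=lambda e: e.t_ms):
        worst = max((score for _, score in ev.signatures), default=0)
        boxes.append({
            "x": round(ev.t_ms * width_px / duration_ms),
            "colour": colour_for(worst),
            "target": f"{ev.kind}:{ev.ref}",
            "signatures": [name for name, _ in ev.signatures],
        })
    return boxes


def demo() -> dict:
    """Constructed sample: a screen that changes twice in ten seconds, and three events."""
    replay = SparseReplay()
    stored = [replay.record(t, img) for t, img in [
        (0, b"desktop"), (1000, b"desktop"), (2000, b"desktop"),
        (3000, b"word-document"), (4000, b"word-document"), (9000, b"ransom-note"),
    ]]
    events = [
        Event(3100, "process", "pid-4212", [("office_spawns_shell", 6)]),
        Event(4500, "network", "flow-7", [("dns_lookup", 1)]),
        Event(8800, "process", "pid-4300",
              [("ransom_note_written", 10), ("mass_file_rename", 9)]),
    ]
    return {
        "stored": stored,                                  # only 3 of 6 frames kept
        "seek_points": replay.seek_points(),               # [0, 3000, 9000]
        "frame_at_6000": replay.frame_at(6000).image,      # inside a gap -> 3000 frame
        "boxes": timeline(events, duration_ms=10_000, width_px=1000),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running the block shows the two effects side by side: of six captured screens only three are stored, so the player can only land on 0, 3000 and 9000 ms, and a seek to 6000 ms resolves to the frame recorded at 3000 ms. The timeline sorts the events, positions them proportionally along the bar, and carries the process or network identifier the click should open.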
Take Screenshot from Video
The next feature has been widely requested in feedback forms: you can now capture screenshots from the video replay. Just pause where you want and hit the Camera icon in the bottom right. A Save As dialog will pop up to let you choose where to save the image.
Now, onto the detection updates and additions for the week!
New Families This Week
- Added detection and extraction support for Qakbot version 5
- Added detection and extraction for FantasyMW Android banking trojan
- Added detection and extraction for Ghostlocker family
- Added detection for cross-platform MrAgent loader on Windows and Linux
Updates for Existing Families
- Updated GCleaner detection for undetected samples
- Updated detection for BunnyLoader latest versions
Updates for Existing Behavioral Signatures
- Added more MITRE ATT&CK TTPs for suspicious Android behaviors
As always, if you have any feedback, questions, or issues about Triage, feel free to reach out to us any time. We do our best to respond to all feedback, and even if we can't get back to you straight away, your files will go into our list of things to review and help us prioritize tasks.
You can find us any time directly through the website, or using the Feedback option on an analysis report page.
Not signed up yet? Head over to tria.ge to register for a free account.