Sandboxes

any.run & Joe's Sandbox

Author: Stefan Waldvogel

Overview about professional sandboxes

What do you do if you have a piece of code and want to know what it is doing? You can spin up a lab, or you can use pre-built systems.
This small article will introduce you to two popular sandboxes (any.run and Joe's Sandbox).

any.run
You find the website here:
app.any.run/
You do not need an account for this website, and you get a Win 7 VM for free. This approach is not very realistic, but it is free.
You can create a new task or use an older job to see what happened.

Here, I loaded a random malicious file, and you see the connections and the behavior. On the right side, you can create reports.

Things to know:
If you use any.run, everything is public. You upload your resume... everyone can see it. Do not use the free version for business needs.

Joe's Sandbox
Joe's Sandbox is less known but more powerful. The disadvantage is, you need a business email. Your Gmail address does not work, but this works if you have a *.edu email. You find Joe's here:
www.joesandbox.com/
If you upload a file, it could look like this (www.joesandbox.com/analysis/391256/0/html):

The report is massive, and you get all the data, including dropped files and what the program is doing. If you upload a PowerShell, you get all processes and much more.

If you are new to Cybersecurity, you might know the MIRE Attack framework. With Joe's Sandbox, you can see all matched activities:

This example is ursnif, a banking Trojan, and this Trojan does a lot of activities, including process injection and software discovery.
This part is interactive, and you can learn more about it if you click one example.
I like this because you can learn a lot about a specific program and see it in pieces.

Next: Joe's Sandbox