ANY.RUN vs Joe Sandbox | Comparison of malware analysis tools
Malware analysis sandboxes allow users to determine whether a file or URL is malicious, suspicious, or legitimate. For daily use, two good solutions are ANY.RUN and Joe Sandbox. Let’s compare their characteristics.
What is a sandbox and why do you need it for malware analysis?
A sandbox is an isolated computer and network environment designed to analyze the behavior of software. This type of environment is typically designed to run risky files and determine if those files pose a malware threat. Some sandboxes are also designed to check URLs to see if they are suspicious and lead to malware infection. Modern sandboxes allow businesses or individuals to verify any type of file, including Microsoft Office files, PDF files, and any executable file.
Every file a company receives should be checked in a sandbox before it is delivered to the user, to avoid malware infections. Sandbox solutions can be connected at many points in the corporate IT environment: checking email attachments, file downloads, etc.
What are the limits of sandboxes?
Sandboxes have limitations for a variety of reasons.
Most sandboxes work like virtual machines trying to imitate real, legitimate machines. Effective sandboxes have dozens of ways to pretend not to be virtual machines, but cybercriminals are always trying to find new ways to detect them. In most cases, when malware detects that it is running in a test environment, it stops running in an attempt to avoid detection.
Sandboxes may not be useful with malware targeting particular environments. A sandbox that only runs files on a Windows 8.1 operating system may not see the same file behavior as a file running on Windows 10, for example. Also, some malware can check the language of the operating system and run only in specified languages. This is why some sandboxes offer to launch files in several different operating systems with different configurations.
Let’s look at two sandboxes with excellent reputations: ANY.RUN and Joe Sandbox.
What is the ANY.RUN sandbox?
ANY.RUN sandbox allows analysis of public submissions. This way, an analyst can search the database for any known Indicators of Compromise (IOC) and malware first, to see if it has ever been publicly analyzed and get the results. It includes millions of public submissions and this huge malware database is updated daily.
ANY.RUN allows those using the free version to send files or URLs to a 32-bit Windows 7 virtual machine, while the paid version allows them to send files to Windows Vista, Windows 8, and Windows 10.
The greatest strength of ANY.RUN is the ability to interact in real time with the virtual environment that is running the suspicious file or URL. Once a file is submitted, the user can interact with the entire environment for 60 seconds (or longer on paid plans). This is an amazing feature when scanning malware that waits for specific actions to be performed by the user before executing a payload. Imagine malware that silently waits for the user to start a specific application (e.g., a browser) or waits for the user to click on a dialog box. This is where this sandbox gets really handy and powerful.
What is Joe Sandbox?
Joe Sandbox also allows the user to analyze millions of public results from the sandbox.
The free version of Joe Sandbox allows users to upload files, browse a URL, download and run a file, or submit a command line. It works for Windows, macOS, Android, Linux and iOS operating systems, making it a complete solution for customers with a wide variety of operating systems in their IT infrastructure.
The only Windows systems accessible in the free version are a Windows 7 64-bit virtual machine and a Windows 10 64-bit physical machine. Other systems are available in the Cloud Pro service. Few sandboxes offer the ability to run files in an actual physical system, which is one of Joe Sandbox’s greatest features.
ANY.RUN vs. Joe Sandbox: Common Features
Both sandboxes only allow the submission to become private, and therefore unavailable to any other user, in their paid versions. Also, both sandboxes do a great job of showing all the behaviors of launched files. All activities following the execution of the suspicious file are logged and exposed: file access, Windows registry access, network communications.
Additionally, both sandboxes have signatures and rules, which allow for easier and faster file sorting.
The MITRE ATT&CK matrix is also included in both sandboxes, which makes it easier to compare different malware samples based on their tactics and get quicker knowledge of the threat.
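To make the "signatures and rules" idea concrete, here is an added example (not code from ANY.RUN, Joe Sandbox, or the article) of how a sandbox turns a raw behaviour log into signature hits, MITRE ATT&CK technique tags and a malicious/suspicious/legitimate verdict. The event format, the rule set, the severity weights and the sample log are all constructed for illustration; only the ATT&CK technique IDs (T1547.001 and T1071.001) are real.

```python
"""Added example: a minimal behaviour-rule matcher of the kind a sandbox uses to
tag a report with signatures and MITRE ATT&CK techniques. The report format,
the rules, the scores and the sample events are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample of the behaviour log a sandbox records for one submission:
# file access, Windows registry access and network communications, one dict each.
SAMPLE_EVENTS = [
    {"type": "file", "op": "write",
     "path": r"C:\Users\analyst\AppData\Local\Temp\update.exe"},
    {"type": "process", "op": "create",
     "image": r"C:\Users\analyst\AppData\Local\Temp\update.exe"},
    {"type": "registry", "op": "set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"type": "network", "op": "connect", "dst": "203.0.113.7", "port": 80, "proto": "tcp"},
    {"type": "file", "op": "read", "path": r"C:\Windows\System32\kernel32.dll"},
]

# Constructed log of a harmless program: it only reads a system DLL.
BENIGN_EVENTS = [
    {"type": "file", "op": "read", "path": r"C:\Windows\System32\kernel32.dll"},
]


@dataclass
class Rule:
    name: str
    attack_id: Optional[str]            # MITRE ATT&CK technique, if the rule maps to one
    severity: int                       # weight added to the score when the rule fires
    matches: Callable[[List[dict]], bool]


@dataclass
class Verdict:
    label: str                          # "malicious", "suspicious" or "legitimate"
    score: int
    hits: List[Rule] = field(default_factory=list)

    def techniques(self) -> List[str]:
        """Distinct ATT&CK technique IDs behind the hits, for the matrix view."""
        return sorted({r.attack_id for r in self.hits if r.attack_id})


def rule_run_key_persistence(events: List[dict]) -> bool:
    """Registry write to a Run/RunOnce key: autostart persistence (T1547.001)."""
    return any(e["type"] == "registry" and e["op"] == "set"
               and re.search(r"\\CurrentVersion\\Run(Once)?\b", e["key"], re.I)
               for e in events)


def rule_drop_and_execute(events: List[dict]) -> bool:
    """A file written under a Temp directory is later started as a process."""
    written = {e["path"].lower() for e in events
               if e["type"] == "file" and e["op"] == "write"}
    return any(e["type"] == "process" and e["op"] == "create"
               and e["image"].lower() in written
               and "\\temp\\" in e["image"].lower()
               for e in events)


def rule_web_to_raw_ip(events: List[dict]) -> bool:
    """Web-port traffic to a bare IP address instead of a hostname (T1071.001)."""
    ip = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
    return any(e["type"] == "network" and e["port"] in (80, 443) and ip.match(e["dst"])
               for e in events)


# Constructed rule set; real sandboxes ship hundreds of such signatures.
RULES = [
    Rule("Autostart via Run key", "T1547.001", 40, rule_run_key_persistence),
    Rule("Drops and runs executable from Temp", None, 30, rule_drop_and_execute),
    Rule("HTTP(S) to raw IP address", "T1071.001", 20, rule_web_to_raw_ip),
]


def classify(events: List[dict], rules: List[Rule] = RULES) -> Verdict:
    """Run every rule over the log, sum the weights and sort the sample."""
    hits = [r for r in rules if r.matches(events)]
    score = sum(r.severity for r in hits)
    if score >= 60:
        label = "malicious"
    elif score >= 20:
        label = "suspicious"
    else:
        label = "legitimate"
    return Verdict(label, score, hits)


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        v = classify(log)
        print(f"{name}: {v.label} (score {v.score}), techniques {v.techniques()}")
        for r in v.hits:
            print(f"  - {r.name}")
```

The rules above are deliberately simple so that the matching is obvious; a production rule set keeps the same shape (a predicate over the event log, a weight, an optional ATT&CK ID) but matches far more behaviours and is tuned on known-good software so that legitimate installers, which also write Run keys and drop files into Temp, do not score as malicious on their own.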
ANY.RUN vs. Joe Sandbox: Which Malware Scanning Sandbox Should You Choose?
Of the two solutions, Joe Sandbox is the one to go to if you need to verify files for multiple different operating systems and devices, while ANY.RUN only covers Windows systems. Joe Sandbox also lets you use real physical machines in addition to virtual machines, which is an awesome feature when dealing with evasive malware that tests its environment to make sure it isn't running in a sandbox.
Still, ANY.RUN sandbox is a good choice if you need real-time interactions with the environment where suspicious files are running. This is an invaluable feature for analyzing threats that require a click or user interaction before launching their payload.
While both sandboxes have REST API capabilities on paid plans, Joe Sandbox also comes with on-premises and appliance plans, which can be appreciated by businesses that want extreme privacy.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.