Submitting Malware to the Virtual Machine for Analysis
After you have configured the sandbox or live malware analysis settings, you are ready to submit malware to the virtual machine for analysis on the Analysis page. After you submit a malware sample to the Malware Analysis appliance, it is assigned a system-generated Malware ID. You can use this identifier to check the status of the submission.
The fields for a malware analysis submission are described in the following table.
| Field | Description |
|---|---|
| Live | Run a live malware analysis job. |
| Sandbox | Run a sandbox malware analysis job. |
| Timeout | (Optional) Timeout value, in seconds, after which the malware analysis times out if the analysis is not complete. The range is 30 to 3600 seconds. The default value is 500 seconds. Analysts might want to define a longer timeout value to track delayed malware executions. Some malware analyzes local information for days or weeks before contacting the command and control (CnC) server. Set the timeout value to at least 30 seconds to allow malware to run completely. |
| Priority | (Optional) Priority setting for the current analysis if you add multiple analysis jobs at the same time to the MVX engine queue. The default priority is normal. |
| Profile | (Optional) Guest image profile that the MVX engine uses for the current malware analysis job. |
| applications | (Optional) Application that is used to test submitted content. Choose an application or use the default application configured for the guest image. The available applications are specific to the guest image selected from the Profile drop-down list. |
| Force | (Optional) Force the Malware Analysis appliance to perform the submitted analysis even if it matches a previous submission for which forensic results have already been generated. Usually, it is not necessary to reanalyze confirmed malware. |
| Enable VNC | (Optional) Select this checkbox to enable VNC to the VM during this analysis. See Using the Malware Analysis Web UI as a VNC Client. |
| Enable prefetch | Available only if live malware analysis is selected. Select this checkbox to enable the prefetch option in live malware analysis. |
| URL | Single URL of the malware sample. For example, `http://www.badtv.net/badscript.php?download=badfile.exe`. |
| File | Single file of the malware sample to be analyzed, uploaded from your local machine. For example, `file:malware.exe`. If this file is encrypted, use the Password field to supply the password so that AX can decrypt the file. |
| List | Text file (such as `file:urls.txt`) that contains a list of malicious URLs, one URL per line. For example, a three-line file containing `http://1.2.3.4/1.exe`, `http://1.2.3.4/2.exe`, and `http://1.2.3.4/3.exe`. This file is uploaded from your local machine. |
| Password | (Optional) Password for decrypting an encrypted file being submitted for analysis. |
| Params | (Optional) File type of the malware that is analyzed by the appliance. The Malware Analysis appliance analyzes DLLs or other file types that might be a malware dropper. DLL file types are the default. Prefetch must be enabled when submitting DLLs or other files with parameters for analysis. You can specify a function name (such as an entry point) and the file to be opened as part of the DLL parameter definition. For example, you can enter `mshtml.dll, OpenAs_RunDLL htmlfile.html`. |
| Note | (Optional) Text description of the malware analysis submission. Notes are shared with the Dynamic Threat Intelligence (DTI) Cloud. |
Prerequisites
Before you can submit malware to the virtual machine for analysis, ensure that the following prerequisites are met:
- Configure the settings for the correct type of analysis.
- Obtain the malicious URLs and save them in a .txt file on your local machine, with a single malicious URL per line, as shown in the following example:
http://172.16.146.53/AllObjects/doc_1370846
http://172.16.146.53/AllObjects/doc_3429086
http://172.16.146.53/AllObjects/doc_3523707
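The List field requires one URL per line, the Timeout field accepts 30 to 3600 seconds, and the Params field takes a DLL parameter definition such as `mshtml.dll, OpenAs_RunDLL htmlfile.html`. The following Python script is an added example (not part of this documentation or of the appliance) that checks these inputs locally before a submission, so that a malformed list file or an out-of-range timeout is caught before the job enters the MVX engine queue. The sample list contents are constructed for the example; the `dll, entry_point file` layout of the Params value is an assumption inferred from the single example on this page, and the restriction to http/https URLs is this script's own choice.

```python
"""Pre-submission checks for Malware Analysis inputs (added example, not
appliance code): URL list file format, Timeout range, and Params layout."""
from urllib.parse import urlparse

# Documented Timeout range, in seconds.
TIMEOUT_MIN, TIMEOUT_MAX = 30, 3600

# Constructed contents of a urls.txt file. Lines 4, 5 and 6 are deliberately
# malformed: two URLs on one line, a non-http scheme, and a bare word.
SAMPLE_LIST = """http://172.16.146.53/AllObjects/doc_1370846
http://172.16.146.53/AllObjects/doc_3429086

http://172.16.146.53/AllObjects/doc_3523707 http://172.16.146.53/AllObjects/doc_0000000
ftp://172.16.146.53/AllObjects/doc_1111111
not-a-url
"""


def check_timeout(seconds):
    """Return True when the value lies inside the documented Timeout range."""
    return TIMEOUT_MIN <= seconds <= TIMEOUT_MAX


def parse_url_list(text):
    """Split a List file into (accepted_urls, problems).

    Blank lines are skipped. A line is rejected when it holds more than one
    whitespace-separated token (the page requires one URL per line) or when
    it is not an http/https URL with a host (assumption: the page only shows
    http URLs). Problems are reported as (line_number, reason) tuples.
    """
    accepted, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if len(line.split()) != 1:
            problems.append((lineno, "more than one URL on a line"))
            continue
        parsed = urlparse(line)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append((lineno, "not an http(s) URL"))
            continue
        accepted.append(line)
    return accepted, problems


def parse_params(params):
    """Split a Params value into (dll, entry_point, target_file).

    Assumed layout, taken from the page's one example: '<name>.dll, <entry> <file>'.
    Raises ValueError for anything that does not match that shape.
    """
    dll, _, rest = params.partition(",")
    dll = dll.strip()
    parts = rest.split()
    if not dll.lower().endswith(".dll") or len(parts) != 2:
        raise ValueError("expected '<name>.dll, <entry_point> <file>'")
    return dll, parts[0], parts[1]


if __name__ == "__main__":
    urls, issues = parse_url_list(SAMPLE_LIST)
    print(f"{len(urls)} URL(s) ready for submission")
    for lineno, reason in issues:
        print(f"line {lineno}: {reason}")
    print("timeout 500 ok:", check_timeout(500))
    print("params:", parse_params("mshtml.dll, OpenAs_RunDLL htmlfile.html"))
```

Run the script against the real list file by replacing `SAMPLE_LIST` with the file's contents; any reported line should be fixed before the file is chosen in the List field.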
To submit a single URL, file, or a list of malicious URLs in a text file for analysis:
- In the Web UI, click the Analysis tab.
- Select the type of malware analysis job:
  - Live
  - Sandbox
- (Optional) Enter the value in seconds in the Timeout box.
- (Optional) Select the priority for this analysis using the Priority drop-down list:
  - Normal
  - Urgent
- (Optional) Select the guest image profile using the Profile drop-down list.
- (Optional) Select the application to test submitted content using the applications drop-down list.
- (Optional) Select the Force checkbox to make the Malware Analysis appliance perform the submitted analysis even if it matches a previous submission.
- (Optional) Select the Enable VNC checkbox to allow you to interact with the VM during analysis.
- Assign a single URL, a single file, or a list of URLs for analysis using the drop-down list:
  - URL
  - File
  - List
- (Optional) Enter a description of the malware analysis submission in the Note box.
- (Optional) Enter the file type to analyze in the Params box.
- Click Submit Analysis.
Note: To VNC to the VM, you need the IP address of your Malware Analysis appliance as well as the VNC port number. The VNC port number can be obtained while the submitted content is still running, or from the CLI. The VNC access and port number are valid only for the duration of this analysis.
To upload the relevant file, click Choose File.