
Lab 7: MA with CWSandbox, Anubis

Because teaching teaches teachers to teach
MA with CWSandbox, Anubis

- CWSandbox
- Anubis

CWSandbox

- While VirusTotal can assess whether a file is known malware, it does nothing for unknown ones; running software in a sandboxed environment is the best way to get details on the actions a program performs.
- CWSandbox allows submitting files (up to 16 MB) and ZIP archives (with up to 50 files) through a simple browser upload.

CWSandbox

- Analysis runs for two minutes, and during that time all file, registry and network activity that comes from the app is logged.
- Strong features:
  - much safer than running your own sandbox
  - thorough analysis
  - reports in multiple formats

CWSandbox

- Download a sample malware from https://wildfire.paloaltonetworks.com/publicapi/test/pe
- Upload it at http://www.cwsandbox.org/

Anubis

- Anubis is developed by the International Secure Systems Lab and analyzes both files and URLs. It supports Windows executable files and Android APKs.
- It gives you access to everything that you need to know. The reports can be downloaded as HTML, XML, PDF or text.
- You can download the network captures in pcap format, but you cannot download the samples. Anubis reports also tell you if the malware communicated with specific device paths.

Anubis

- Download a sample malware from https://wildfire.paloaltonetworks.com/publicapi/test/pe
- Upload it to Anubis

Anubis

- Unfortunately, we do not have the resources to maintain these tools and improve them to match an ever-changing malware landscape.
- If you have any questions, please send an email to wepawet@cs.ucsb.edu or anubis@cs.ucsb.edu.

Q&A