I had posted about the CWSandbox service, which analyses the behavior of files uploaded to it. ThreatExpert is essentially the same type of service – feed it a file, get what the file tries to do when launched.
It turned out to offer some different and unique features compared to the other sandboxes I have tried so far.
What it does
The site accepts files up to 5MB in size, uploaded through a generic web form or using the provided app. It urges you to register an account, but that is optional, and providing an email address is enough to run a scan.
There is no progress status on the site, either for global server load or for your request. When it’s done you get an email with an archived copy of the report and a link to the online version. When I tried it, it took a bit over six minutes to process the file.
Strong features
Aside from generic file and memory information, ThreatExpert provides two features I hadn’t seen in online sandboxes so far:
- a screenshot of the submitted app’s interface;
- the probable country of origin.
Downsides
While the report is neat and easy to understand, I feel like there is not much info in it. Network activity (or the lack of it) is not mentioned at all, and memory information amounts to the fact that a process was created.
Aside from the two above-mentioned unique features, there is not much to see in the results.
Overall
The report by ThreatExpert is not too extensive, but it does cover core activity and offers some unique features on top. It won’t become the single sandbox you need, but it does nicely complement other similar services.
Link http://www.threatexpert.com/