Sandboxes are a powerful tool for automated (or semi-automated) analysis of malware or suspected malware. Sandboxes are used for several purposes: Automated analysis of unknown files to determine if a file is malicious or not; Behavioral analysis of known malware, for example to get a detailed description of its behavior; Malware classification to cluster similar malware together for the purpose of creating generic/heuristic detection rules; and automated generation of detection rules that can be used by antivirus (AV) programs to detect the analyzed malware.
One of the limitations of sandboxes is that they can be evaded. It is becoming more and more common for malicious programs to detect if they are being run in a sandbox, and then alter their behavior accordingly. This alteration might include disabling some or all of the malicious activity, modifying it so that in-sandbox behavior is significantly different from real-world behavior, or initiating multi-stage attacks that take a long time to execute and are thus not observed within the timeframe of the analysis.
Running suspected malware in a second sandbox is a possible option; however, such an approach is very resource intensive and cumbersome, and it is complicated by various factors: sandboxes are different and may not all detect the same set of actions, even if every effort is made to configure the sandbox environments identically; one sandbox may miss something another sandbox detects; the analysis syntax of each sandbox is different; and some sandboxes create complex reports based on the observed malware while others only provide raw output files.
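As an added illustration of the report-heterogeneity problem described above (not code from the original text), the following Python snippet normalizes two constructed sandbox outputs, one structured JSON report and one raw line-oriented API log, into a common (kind, target) schema and shows which behaviors only one of the two sandboxes observed. The sandbox names, report formats, API mapping and sample events are all hypothetical and constructed for the example.

```python
import json
from typing import Dict, Set, Tuple

Behavior = Tuple[str, str]  # (normalized event kind, target)

# Constructed report from hypothetical sandbox "A" (structured JSON).
SANDBOX_A_REPORT = json.dumps({
    "sample": "<PLACEHOLDER_SHA256>",
    "behaviors": [
        {"category": "file", "action": "write", "target": "C:\\Users\\Public\\run.exe"},
        {"category": "network", "action": "connect", "target": "203.0.113.10:443"},
        {"category": "registry", "action": "set",
         "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    ],
})

# Constructed raw API log from hypothetical sandbox "B" (line-oriented text).
SANDBOX_B_LOG = """\
CreateFileW path=C:\\Users\\Public\\run.exe access=WRITE
RegSetValueExW key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
Sleep ms=600000
"""

def normalize_a(report_json: str) -> Set[Behavior]:
    """Map sandbox A's JSON report onto the common (kind, target) schema."""
    data = json.loads(report_json)
    return {(f"{b['category']}:{b['action']}", b["target"]) for b in data["behaviors"]}

def normalize_b(log: str) -> Set[Behavior]:
    """Map sandbox B's raw API log onto the same schema (hypothetical API names)."""
    out: Set[Behavior] = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        api, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        if api == "CreateFileW" and fields.get("access") == "WRITE":
            out.add(("file:write", fields["path"]))
        elif api == "RegSetValueExW":
            out.add(("registry:set", fields["key"]))
        elif api == "Sleep":
            out.add(("evasion:delay", fields["ms"]))  # long sleeps can outlast the analysis window
    return out

def merge_reports(a_json: str, b_log: str) -> Dict[str, Set[Behavior]]:
    """Combine both sandboxes' views; the disagreement is what a single run would have missed."""
    a, b = normalize_a(a_json), normalize_b(b_log)
    return {"both": a & b, "only_a": a - b, "only_b": b - a}

if __name__ == "__main__":
    for bucket, events in merge_reports(SANDBOX_A_REPORT, SANDBOX_B_LOG).items():
        print(bucket, sorted(events))
```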
In addition to a sandbox, other analysis tools can provide further analysis of the threat or further information about data observed by the sandbox. However, this data must be manually transferred to these analysis tools, and there is no way to holistically assess the original threat taking into account both the sandbox output and the output of these other tools.
It would therefore be advantageous to have a threat analysis system that was completely automated, with the ability to circumvent evasion techniques and provide a holistic analysis of the threat based on different analysis systems while at the same time making efficient use of computing resources.