What is the difference between Threatray and a sandbox?

Last updated: July 2, 2024
FAQ

What sets Threatray apart from traditional sandboxes is its unique position at the intersection of sandboxing, malware intelligence, and code analysis, creating a new category in the field of malware analysis automation. Frequently dubbed a ‘next-generation sandbox’ by some customers, our platform offers a distinctive set of features that go beyond traditional sandbox capabilities.

While Threatray does include basic sandboxing features, such as dynamic process information and artifacts (IPs, domains, mutexes, etc.), our differentiators lie in the realms of malware tracking, identification, and detection, coupled with intelligence analysis and data-driven malware reverse engineering. These capabilities are powered by our innovative code attribution and search technology. While traditional sandboxes provide malware identification and detection, Threatray surpasses them in both breadth (covering numerous malware families and components) and depth (resilience to various malware versions, transparent non-black-box verdicts, and user-enabled tracking of new malware families). Our malware intelligence and reverse engineering capabilities are exclusive to Threatray, setting us apart from traditional sandboxes and other products.

There are also features commonly found in sandboxes, such as behavior detection scores and detailed behavior insights, that are not present in Threatray.

Technologically, Threatray is built on innovative code analysis capabilities, leveraging static AI models for binary code in conjunction with code detection and search technology. Unlike sandboxes that specialize in dynamic analysis, Threatray focuses on code analysis, using basic sandboxing and dynamic analysis as a means to an end—unpacking and detonating code to recover malware stages. Notably, sandboxing and dynamic analysis are optional in Threatray, allowing for the analysis of code dumped from process memory or shellcode that may not run and thus cannot be assessed in traditional sandboxes.

Threatray features deep dive

Malware tracking and detection. We offer advanced capabilities for tracking and detecting malware families. Threatray reliably identifies thousands of malware families, ranging from cybercrime to APTs, surpassing the capabilities of other technologies. Notably, our identification is resilient against code mutations and versions that bypass traditional methods. Unlike black-box solutions, our attribution verdicts are open for verification by users, ensuring trust and accountability. Additionally, users have the autonomy to independently add tracking for new malware families.

Threat reports. Uncovering threat reports from OSINT (Open Source Intelligence) sources related to a malware sample is pivotal for many investigations. Conventional search methods often fall short in retrieving relevant threat reports. Our approach involves indexing the actual binary code of malware referenced in threat reports, enabling us to conduct searches based on code similarities. This method proves especially effective in locating pertinent threat reports linked to previously unknown samples—information that may elude current technologies.

Instantaneous malware variant discovery / retro-hunting. Uncovering different versions of malware is crucial for pivoting from a malware sample to related samples, facilitating case correlation, and more. With our point-and-click retro-hunt, Threatray enables users to swiftly discover malware versions at scale within seconds. Our point-and-click capabilities eliminate the need for laborious tasks like YARA rule creation or pattern extraction.

Intelligence enabled malware reverse engineering. We transform in-depth malware analysis into an intelligence-driven discipline, providing analysts with unique insights not attainable through conventional means. Our capabilities are at the granularity familiar to reverse engineers, operating at a per-function level. We provide function-level hunting and function-level attribution to malware families. By dissecting malware at the function level, our platform unveils a detailed understanding that goes beyond traditional approaches. Furthermore, our clustering capabilities swiftly identify commonalities and novel functions within sets of malware.
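As an added illustration of the function-level similarity idea behind the two passages above (code-similarity search across versions, and spotting novel functions in a set of samples), here is a toy index written for this page. It is not Threatray's code and says nothing about how Threatray actually implements attribution; the normalisation rules, the n-gram fingerprint, the `FunctionIndex` class, the family names and the disassembly listings are all constructed for the example.

```python
"""Toy function-level code-similarity index (added illustration, not Threatray code).

Each instruction is normalised so registers, immediates and memory operands become
placeholders; a function's fingerprint is the set of n-grams over that normalised
stream; fingerprints are compared with Jaccard similarity.  Register renaming and
changed constants, typical differences between versions of one malware family, then
no longer break the match.  Family names and listings below are constructed.
"""
from typing import Dict, List, Sequence, Tuple

Instruction = Tuple[str, List[str]]  # (mnemonic, operands)


def asm(listing: str) -> List[Instruction]:
    """Parse a ';'-separated pseudo-listing such as 'mov eax,[ebp+8]; ret'."""
    code = []
    for line in filter(None, (s.strip() for s in listing.split(";"))):
        mnemonic, _, rest = line.partition(" ")
        code.append((mnemonic, [o.strip() for o in rest.split(",")] if rest else []))
    return code


def normalise_operand(op: str) -> str:
    """Coarse operand classes (assumption: anything not memory or a number is a register)."""
    if "[" in op:
        return "MEM"
    if op.startswith("0x") or op.isdigit():
        return "IMM"
    return "REG"


def normalise_instruction(ins: Instruction) -> str:
    mnemonic, operands = ins
    return mnemonic if not operands else f"{mnemonic} {','.join(map(normalise_operand, operands))}"


def fingerprint(code: Sequence[Instruction], n: int = 3) -> frozenset:
    """Set of n-grams over the normalised instruction stream."""
    tokens = [normalise_instruction(i) for i in code]
    if len(tokens) <= n:
        return frozenset([tuple(tokens)])
    return frozenset(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))


def jaccard(a: frozenset, b: frozenset) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)


class FunctionIndex:
    """(family, function name) -> fingerprint for functions already attributed to a family."""

    def __init__(self, n: int = 3):
        self.n = n
        self.entries: Dict[Tuple[str, str], frozenset] = {}

    def add(self, family: str, name: str, code: Sequence[Instruction]) -> None:
        self.entries[(family, name)] = fingerprint(code, self.n)

    def query(self, code: Sequence[Instruction]) -> List[Tuple[str, str, float]]:
        """All indexed functions ranked by similarity to the queried one."""
        fp = fingerprint(code, self.n)
        hits = [(fam, name, jaccard(fp, known)) for (fam, name), known in self.entries.items()]
        return sorted(hits, key=lambda h: h[2], reverse=True)

    def attribute(self, code: Sequence[Instruction], threshold: float = 0.5):
        """Best (family, function, score) if it clears the threshold, else None.
        Returning the matched function and score keeps the verdict checkable by an analyst."""
        hits = self.query(code)
        return hits[0] if hits and hits[0][2] >= threshold else None

    def novel_functions(self, sample: Dict[str, Sequence[Instruction]], threshold: float = 0.5) -> List[str]:
        """Functions of a sample that resemble nothing in the index: candidates for new tracking."""
        return [name for name, code in sample.items() if self.attribute(code, threshold) is None]


# Constructed listings. DECODE_V2 is DECODE_V1 with a prologue, renamed registers and a new key.
DECODE_V1 = asm("mov eax,[ebp+8]; mov ecx,[ebp+12]; xor edx,edx; mov bl,[eax+edx]; xor bl,0x5a; "
                "mov [eax+edx],bl; inc edx; cmp edx,ecx; jl 0x401010; ret")
DECODE_V2 = asm("push ebp; mov ebp,esp; mov eax,[ebp+8]; mov ecx,[ebp+12]; xor esi,esi; "
                "mov bl,[eax+esi]; xor bl,0x7f; mov [eax+esi],bl; inc esi; cmp esi,ecx; jl 0x40208c; ret")
STRLEN = asm("mov edi,[esp+4]; xor eax,eax; cmp [edi+eax],0; je 0x402020; inc eax; jmp 0x402008; ret")
BEACON = asm("push 0x3e8; call [0x405000]; test eax,eax; jnz 0x403000; ret")


def build_index() -> FunctionIndex:
    index = FunctionIndex()
    index.add("FamilyA", "decode_loop", DECODE_V1)
    index.add("FamilyB", "strlen_loop", STRLEN)
    return index


if __name__ == "__main__":
    idx = build_index()
    print("decode_v2 ->", idx.attribute(DECODE_V2))  # ('FamilyA', 'decode_loop', 0.8)
    print("novel:", idx.novel_functions({"decode": DECODE_V2, "beacon": BEACON}))  # ['beacon']
```

The renamed-register, changed-key variant still scores 0.8 against the indexed original, which is the resilience-to-versions property the passages describe, while the beacon stub matches nothing and is reported as novel. A production system would work on real disassembly, index far more functions, and use a fingerprint less sensitive to instruction reordering, but the verdict shape (matched function plus score, open to inspection) is what makes an attribution verifiable rather than a black box.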