Sandbox
On the Sandbox page in the PolySwarm UI, we support Sandboxing Files directly, and managing current submissions.
To use Sandboxing functionality, you must have this paid feature enabled on your Plan, you can check your Usage page to see if you have this.
Submit to Sandbox
The Submit to Sandbox button offers the ability to submit new Artifacts or Artifacts already in PolySwarm to be detonated on the Sandboxes by a chosen Sandbox provider. Sandbox Analysis will take around 2-5 minutes before the results can be accessed.
This is a direct Sandbox submission, meaning the artifact will go directly to the sandbox and not for Scanning by the AV Engines, if you want to Scan a file then you need to upload the file via the Scanning upload. Alternatively, once the file has been Sandboxed you will have the ability to "Rescan" the artifact by the AV Engines.
If you are using the Public Community, the default is that Sandboxed Artifacts will be detonated on the Sandbox with Internet Outreach. If you are using the Private Community, the default is that Sandboxed Artifacts will be detonated on the Sandbox without Internet Outreach.
The Submit to Sandbox
button presents a popup with the following options:
- File, Select a local artifact to be uploaded to PolySwarm for Sandboxing
- Hash, Search for a artifact already in PolySwarm by hash value
-
URL, Paste in the URL that you wish to Sandbox
- Choose which Sandbox Provider and detonation VM image to use, currently PolySwarm offers
Cape
andTriage
providers with different detonation images for each.
- Choose which Sandbox Provider and detonation VM image to use, currently PolySwarm offers
- QR Code, Select a local qr code image to be uploaded to PolySwarm for Sandboxing
Provide the artifact or hash, select the Sandbox provider, and select the detonation VM, then click the Submit
button to schedule the Sandboxing detonation task. Once submitted, you will return to the My Sandbox
page where you can monitor the status of the task.
Sandboxes have multiple returned statuses, these are listed below.
Status | What is it for? |
---|---|
Success |
Finished processing correctly |
Started |
Sandbox session has started. |
Collecting Data |
Sandbox session has been successful and data is being collected. |
Failed |
Sandbox session has failed, this can be due to many reasons. |
Pending |
Sandbox session is queued up and ready to start. |
Delayed |
Sandbox session has been delayed and will start soon. |
Failed with Quota Reimbursement |
Finished processing but failed, quota will be reimbursed. |
Timed out with Quota Reimbursement |
Delayed in the queue for too long, got timed out and then reimbursement. |
Supported File Types
The PolySwarm Sandboxes support many file types, these are listed below.
Type | Extensions | Sandbox Provider |
---|---|---|
Executable | .dll |
Triage, Cape |
Executable | .upx |
Cape |
Executable | .exe |
Triage, Cape |
Executable | .msi |
Triage |
Document | .chm |
Triage, Cape |
Document | .hta |
Triage, Cape |
Document | .iqy |
Triage |
Document | .doc |
Cape |
Document | .docx |
Cape |
Document | .xls |
Cape |
Document | .xlsx |
Cape |
Document | .ppt |
Cape |
Document | .pptx |
Cape |
Document | .pub |
Cape |
Document | .pub2016 |
Cape |
Document | .one |
Cape |
Document | .mht |
Cape |
Document | .hwp |
Cape |
Document | .ich |
Cape |
Document | .inp |
Cape |
Document | .pdf |
Triage |
Document | .rtf |
Triage |
Document | .slk |
Triage |
Document | .swf |
Triage |
Document | .html |
Triage, Cape |
Scripting | .bat |
Triage, Cape |
Scripting | .ps1 |
Triage, Cape |
Scripting | .js |
Triage, Cape |
Scripting | .jse |
Triage, Cape |
Scripting | .vbe |
Triage, Cape |
Scripting | .pl |
Triage |
Scripting | .py |
Cape |
Scripting | .vbs |
Triage, Cape |
Scripting | .wsf |
Triage, Cape |
Android | .apk |
Triage |
Android | .dex |
Triage |
Other | .jar |
Triage |
Other | .lnk |
Triage, Cape |
Other | .url |
Triage |
Other | .jnlp |
Triage |
Other | .reg |
Cape |
Other | .xslt |
Cape |
Other | .xps |
Cape |
32MB is the default "max" file submission size, this is a per-account setting, so it is possible for some users/teams to have a higher limit, if you wish to increase this limit please contact [email protected]
.zip
file formats are currently not supported by either Sandboxes.
My Sandboxing
The My Sandbox tab shows you Artifacts that you and everyone in your team has Sandboxed, and the status of these submissions.
The table of submissions displays the following information:
Column | What is it for? |
---|---|
Sandboxed On | Date and Time that the Artifact was Sandboxed on. |
Sandboxed ID | Each Sandboxed Artifact has a Unique Sandboxed ID. |
SHA-256 | The sha256 of the Artifact that has been Sandboxed. |
Sandbox Provider | Name of the sandbox provider and the detonation VM used. |
Status | The status of the Sandbox submission is color coded. The statuses can be: Success , Pending , Collecting Data , Started , Delayed , Failed Reimbursed , Timeout Reimbursed or Failed |
Triggered By | Name of the PolySwarm User account that triggered the Sandboxing. |
Actions | Single Action button will open the Sandbox Results Summary page for that Artifact once the Status has changed to Success . |
Filtering
The Filter
button at the top right of My Sandbox page provides the ability to Filter the results being seen. The following filter options are available:
- Status - Status of the Sandbox submission and can be:
Success
,Pending
,Collecting Data
,Started
,Delayed
,Failed Reimbursed
,Timeout Reimbursed
orFailed
- Sandbox Provider - Name of the Sandbox provider.
- SHA256 - Specific sha256 value of the Sandboxing submission.
- Date Range - Start and End Date for the Sandboxing submission.
At the bottom of the My Sandbox page you can navigate to the next page if further results exist.
All Sandboxing
The All Sandboxing tab allows you to search by sha256 hash to get a list of every time that artifact was Sandboxed, by any user.
Once you have searched for a Hash value, the table of submissions provides the following information:
Column | What is it for? |
---|---|
Sandboxed On | Date and Time that the Artifact was Sandboxed on. |
Sandboxed ID | Each Sandboxed Artifact has a Unique Sandboxed ID. |
Sandbox Provider | Name of the sandbox provider and the detonation VM used. |
Status | The status of the Sandbox submission is color coded. The statuses can be: Success , Pending , Collecting Data , Started , Delayed , Failed Reimbursed , Timeout Reimbursed or Failed |
Actions | Single Action button will open the Sandbox Results Summary page for that Artifact once the Status has changed to Success . |
Filtering
The Filter
button at the top right of All Sandboxing page provides the ability to Filter the results being seen. The following filter options are available:
- Status - Status of the Sandbox submission and can be:
Success
,Pending
,Collecting Data
,Started
,Delayed
,Failed Reimbursed
,Timeout Reimbursed
orFailed
- Sandbox Provider - Name of the Sandbox provider.
- Date Range - Start and End Date for the Sandboxing submission.
At the bottom of the My Sandbox page you can navigate to the next page if further results exist.
Sandbox Results Summary
This Sandbox Results Summary page provides the view of the latest Sandboxing Results for the Artifact for Cape and Triage.
The page can be accessed from the Action button on the My Sandbox and All Sandboxing pages as well as the Latest Sandbox Results
button on the Scan Summary Page for the Artifact.
To view the latest Scan results page for this Artifact you can use the Latest Scan Results
button in the top right, then use the Latest Sandbox Results
button to navigate back to the Sandboxing detonation results.
Summary Pane
The left Summary pane provides access to either the latest Cape or Triage Sandbox detonation, clicking on either will change the data in the main page body. This section lists the Sandbox ID, sha256, file or url, sandbox score and verdict and the Malware Family.
Below the Summary Pane is the Action Pane with Several buttons:
Button | What is it for? |
---|---|
Re-Sandbox | Re-Submit the Artifact to be Sandboxed. |
Share | Share a link to these sandbox results page on social media. |
Pivot | Enable/Disable the pivoting feature. |
History | See all Sandboxing history, brings you to the All Sandboxing page. |
Generate Report | Generates either a PDF or HTML report on demand, you will be able to choose sections to include. |
Sandbox Tabs
The Sandbox Results Summary page has tabs that contain the information from the Sandboxing. This is only a small sample of the data available, to see the fill content download the Full (RAW) JSON for the Sandbox Detonation.
Each Tab has shortcut boxes present, these will be greyed out if the metadata does not exist, click on these to quickly jump to the subsection in the relevant tab.
Extracted Config
This tab contains fields relating to Malware config
, Processes
and Encryption Keys
. Items like Campaign information, Install paths, Access Types and Encryption Key values may be present if the Sandbox has this information. This section can include details from parsers on the sandbox like the CobaltStrike parser.
Dropped Files
This tab contains information related to the Dropped Files from the Malware detonation. This tab will display information like File Name, Size, Type and multiple hash values of each dropped file.
Note if you want the dropped file to be detonated in the Sandboxes, perform a Hash Search to lookup that file. On the Hash Search listing, view the Scan results for that file. On that page, you can select the "Sandbox" icon in the Actions Pane to submit it for Sandboxing.
Network Tab
This tab contains information on IPs, SMTP, Domains and JARM details relating to the Sandboxed Artifact. If no data is present then there is no network information available from the Sandbox for this detonation.
HTTP Transaction Tab
This tab contains information HTTP Transactions, this view is only available for Triage Sandboxing sessions.
Analysis Tab
This tab contains information on MITRE TTPs used, OS Autorun, Signatures that have been triggered on the Sandbox and Processes. If no data is present then there is no information available for Analysis from the Sandbox for this detonation.
JSON Tab
This tab provides access to the JSON object in relation to the Sandbox detonation, the search field can be used to find specific values and keys. The JSON can be downloaded from this page to be stored locally.
This JSON is the Summary JSON file for the Sandboxing, to download the Full JSON see the
raw
report in the download tab.
Download Results Tab
This tab allows you to download the Sandbox artifacts. These files can be the JARM file, PCAP Files, full JSON Reports and all dropped artifacts. The dropped files will always be downloaded as an encrypted zip file to prevent trigger your local AV engine.
Each of these files can be downloaded as a single zip by using the zip
tick box at the bottom of the page.
The
raw
json is the full report created by the Sandbox, while the regular report is the summarized version used to populate the JSON tab.