10.2 Sandbox lookup

Request

Value

Method

GET

URL

https://api.metadefender.com/v4/sandbox/:sandboxId

Summary

Retrieves the sandbox entry for the given :sandboxId. The endpoint can be polled to obtain the result of the sandbox scan: once the response contains sandbox_response, the scan has finished.

Request

URL Parameters

 

Description

Example

:sandboxId

The "_id" value received in the response when a file is scanned with the sandbox

5c6be85931fa55001e5e194d

Header Parameters

 

Description

Allowed Values

Required

apikey

Identifies and authorizes the user (API Authentication Mechanisms)

apikey

YES

Response

HTTP Status Codes

Please refer to Status Codes for more information.

Body

Example response body for a successful request:

{
"sandbox_version": "2",
"sandbox_id": "5f1eaba199b7af3a34940c0b",
"rescan_available": true,
"md5": "327E6A67F7A09A084910B857447CFE22",
"sha1": "C84BA172A2EC25C8CAB6301E0C17FA2259268BD9",
"sha256": "C995CEA2F55CEC1243344560BC896B4845A2EEB6463CBA0DA224FC56B2C30CD3",
"data_id": "bzIwMDcyNF93LVpqLWRtX0V5VE1DWnNBTmQ",
"request_time": "2020-07-27T10:25:37.733Z",
"details": {
"data": {
"mutex": [
{
"d": {
"status": 3221225524,
"op": "EventOpen",
"event": "HookSwitchHookEnabledEvent",
"proc": 66
},
"n": "windows.event"
},
{
"d": {
"status": 1073741824,
"op": "MutantCreate",
"mutant": "Local\\SessionImmersiveColorMutex",
"proc": 66
},
"n": "windows.mutant"
}
],
"processes": [
{
"name": "smss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 348,
"cmd": "\\SystemRoot\\System32\\smss.exe",
"image": "C:\\Windows\\System32\\smss.exe",
"kind": "Existing",
"time": 78,
"proc": 1
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 428,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 78,
"proc": 2
},
"n": "windows.proc.create"
}
],
"network": [
{
"d": {
"remote_port": "53",
"remote_addr": "8.8.8.8",
"local_port": "49319",
"local_addr": "10.0.0.65",
"proto": "udp",
"time": 8301,
"flow": 1
},
"n": "net.flow.start"
},
{
"d": {
"query": [
{
"type": "A",
"domain": "ctldl.windowsupdate.com"
}
],
"time": 0,
"flow": 1
},
"n": "net.dns.req"
}
],
"registry": [
{
"d": {
"path": "HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\ZoomInstaller.exe",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
},
{
"d": {
"path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32\\ZoomInstaller",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
}
],
"files": [
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Windows",
"proc": 66
},
"n": "windows.file.read"
},
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Users\\Local\\Temp\\",
"proc": 66
},
"n": "windows.file.read"
}
]
}
},
"summary": {
"ttp": [
"T1012",
"T1112",
"T1130"
],
"dumped": [
{
"kind": "martian",
"name": "files/0x000400000001490c-0.dat",
"path": "C:\\Users\\Local\\Temp\\7zS09C1F770\\Installer.exe",
"procid": 67,
"pid": 3628,
"at": 469
},
{
"kind": "martian",
"name": "files/0x0004000000014928-1.dat",
"path": "C:\\Users\\Local\\Temp\\7zS09C1F770\\Zoom.msi",
"procid": 67,
"pid": 3628,
"at": 1656
}
],
"network": {
"requests": [
{
"dns_request": {
"domains": [
"ctldl.windowsupdate.com"
]
},
"flow": 1
},
{
"dns_request": {
"domains": [
"ctldl.windowsupdate.com"
]
},
"flow": 1
}
],
"flows": [
{
"tx_packets": 5,
"tx_bytes": 415,
"last_seen": 16332,
"first_seen": 8301,
"pid": 1536,
"proto": "udp",
"dst": "8.8.8.8:53",
"src": "10.0.0.65:49319",
"id": 1
},
{
"tx_packets": 5,
"tx_bytes": 380,
"last_seen": 28363,
"first_seen": 20335,
"procid": 30,
"pid": 1536,
"proto": "udp",
"dst": "8.8.8.8:53",
"src": "10.0.0.65:62567",
"id": 2
}
]
},
"signatures": [
{
"indicators": [
{
"procid": 67,
"description": "Set value (int)",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\Policy = \"3\""
}
],
"tags": [
"adware",
"spyware"
],
"ttp": [
"T1112"
],
"name": "Modifies Internet Explorer settings"
},
{
"indicators": [
{
"procid": 67,
"description": "Key created",
"ioc": "\\REGISTRY\\USER\\ZoomRecording\\shell"
}
],
"name": "Modifies registry class",
"label": "reg_software_classes"
},
{
"indicators": [
{
"procid": 69,
"description": "Set value (data)",
"ioc": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
}
],
"tags": [
"evasion",
"spyware",
"trojan"
],
"ttp": [
"T1130",
"T1112"
],
"score": 6,
"name": "Modifies system certificate store"
},
{
"indicators": [
{
"procid": 67,
"pid": 3628
}
],
"score": 8,
"name": "Executes dropped EXE"
},
{
"indicators": [
{
"procid": 69,
"pid": 3592
},
{
"procid": 69,
"pid": 3592
}
],
"name": "Suspicious use of FindShellTrayWindow"
},
{
"indicators": [
{
"procid": 69,
"pid": 3592
},
{
"procid": 69,
"pid": 3592
}
],
"name": "Suspicious use of SendNotifyMessage"
},
{
"indicators": [
{
"procid": 67,
"description": "Set value (str)",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\ZoomUMX\\DisplayName = \"Zoom\""
},
{
"procid": 67,
"description": "Key opened",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
}
],
"tags": [
"discovery"
],
"ttp": [
"T1012"
],
"score": 6,
"name": "Checks for installed software on the system"
},
{
"indicators": [
{
"procid_target": 67,
"procid": 66,
"pid": 3216,
"description": "PID 3216 wrote to memory of 3628"
},
{
"procid_target": 67,
"procid": 66,
"pid": 3216,
"description": "PID 3216 wrote to memory of 3628"
}
],
"name": "Suspicious use of WriteProcessMemory"
},
{
"indicators": [
{
"procid": 67,
"pid": 3628
}
],
"name": "Suspicious behavior: EnumeratesProcesses"
},
{
"indicators": [
{
"procid": 67,
"pid": 3628
},
{
"procid": 67,
"pid": 3628
}
],
"score": 7,
"name": "Loads dropped DLL"
},
{
"indicators": [
{
"procid": 69,
"pid": 3592
},
{
"procid": 73,
"pid": 3832
}
],
"name": "Suspicious use of SetWindowsHookEx"
}
],
"processes": [
{
"terminated": 3328,
"started": 3078,
"orig": false,
"image": "C:\\Users\\Local\\Temp\\7zS09C1F770\\Installer.exe",
"cmd": "\"C:\\Users\\Local\\Temp\\7zS09C1F770\\Installer.exe\" /addfwexception --bin_home=\"C:\\Users\\Roaming\\Zoom\\bin\"",
"ppid": 3628,
"pid": 3856,
"procid_parent": 67,
"procid": 68
},
{
"started": 4078,
"orig": false,
"image": "C:\\Users\\Roaming\\Zoom\\bin\\Zoom.exe",
"cmd": "\"C:\\Users\\Roaming\\Zoom\\bin\\Zoom.exe\" C:\\Users\\Roaming\\Zoom\\bin\\Zoom.exe",
"ppid": 3628,
"pid": 3592,
"procid_parent": 67,
"procid": 69
},
{
"started": 34609,
"orig": false,
"image": "C:\\Users\\Roaming\\Zoom\\bin\\Zoom.exe",
"cmd": "C:\\Users\\Roaming\\Zoom\\bin\\Zoom.exe --action=preload --runaszvideo=TRUE ",
"ppid": 3592,
"pid": 3832,
"procid_parent": 69,
"procid": 73
}
]
},
"scan_results": {
"scan_all_result_a": "Infected",
"scan_all_result_i": 1,
"infection_score": 8
}
}

Example response body for a failed request:

{
"error": {
"code": 404001,
"messages": [
"Entity was not found"
]
}
}

Response description:

See 10.3 Hash lookup with sandbox

Errors

Please refer to Errors for more information.

Sample code (Node.js)

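// Sample: look up a sandbox entry by its id (GET /v4/sandbox/:sandboxId).
// The API key is read from the environment so the sample never carries a committed secret.
var https = require("https");

// The sandbox id is the "_id" value received when the file was submitted to the sandbox.
var sandboxId = "5c6be85931fa55001e5e194d";

// Fail early with a clear message instead of sending an "apikey: undefined" header.
if (!process.env.APIKEY) {
  console.error("APIKEY environment variable is not set");
  process.exit(1);
}

var options = {
  method: "GET",
  // hostname and path must be plain strings: https.request does not accept
  // the array form (it either throws on the argument type or fails to resolve the host).
  hostname: "api.metadefender.com",
  // Encode the id so a value taken from user input cannot alter the request path.
  path: "/v4/sandbox/" + encodeURIComponent(sandboxId),
  headers: {
    "apikey": process.env.APIKEY
  }
};

var req = https.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks).toString();
    // Non-2xx responses carry an "error" object (see the failed-request example above);
    // report them on stderr so a polling script can tell a lookup failure from a result.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error("HTTP " + res.statusCode + ": " + body);
      return;
    }
    console.log(body);
  });
});

// Without an 'error' listener a connection or TLS failure is raised as an
// unhandled event and crashes the process.
req.on("error", function (err) {
  console.error("Request failed: " + err.message);
});

req.end();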

Sample code (cURL)

# Look up a sandbox entry by id; the API key is supplied through the APIKEY environment variable.
curl --request GET \
  --header "apikey: ${APIKEY}" \
  https://api.metadefender.com/v4/sandbox/5c6be85931fa55001e5e194d