10.3 Hash lookup with sandbox
|
Request |
Value |
|
Method |
GET |
|
URL |
https://api.metadefender.com/v4/hash/:hash/sandbox |
Summary
This endpoint retrieves the last dynamic analysis for the file identified by the parameter hash.
Request
URL Parameters
|
|
Description |
Example |
|
:hash |
MD5, SHA1, or SHA256 of a file |
AAA1C1CF2E78F64C0894EBC568B145039BB06DC3 |
Header Parameters
|
|
Description |
Allowed Values |
Required |
|
apikey |
Identifies and authorizes the user (API Authentication Mechanisms) |
apikey |
YES |
Response
HTTP Status Codes
Please refer to Status Codes for more information.
Body
Example of a successful request:
{ "sandbox_version": "2", "sandbox_id": "5f1eaba199b7af3a34940c0b", "rescan_available": true, "md5": "327E6A67F7A09A084910B857447CFE22", "sha1": "C84BA172A2EC25C8CAB6301E0C17FA2259268BD9", "sha256": "C995CEA2F55CEC1243344560BC896B4845A2EEB6463CBA0DA224FC56B2C30CD3", "data_id": "bzIwMDcyNF93LVpqLWRtX0V5VE1DWnNBTmQ", "request_time": "2020-07-27T10:25:37.733Z", "details": { "data": { "mutex": [ { "d": { "status": 3221225524, "op": "EventOpen", "event": "HookSwitchHookEnabledEvent", "proc": 66 }, "n": "windows.event" }, { "d": { "status": 1073741824, "op": "MutantCreate", "mutant": "Local\\SessionImmersiveColorMutex", "proc": 66 }, "n": "windows.mutant" } ], "processes": [ { "name": "smss.exe", "d": { "status": 0, "orig": true, "pid": 348, "cmd": "\\SystemRoot\\System32\\smss.exe", "image": "C:\\Windows\\System32\\smss.exe", "kind": "Existing", "time": 78, "proc": 1 }, "n": "windows.proc.create" }, { "name": "csrss.exe", "d": { "status": 0, "orig": true, "pid": 428, "cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024", "image": "C:\\Windows\\system32\\csrss.exe", "kind": "Existing", "time": 78, "proc": 2 }, "n": "windows.proc.create" } ], "network": [ { "d": { "remote_port": "53", "remote_addr": "8.8.8.8", "local_port": "49319", "local_addr": "10.0.0.65", "proto": "udp", "time": 8301, "flow": 1 }, "n": "net.flow.start" }, { "d": { "query": [ { "type": "A", "domain": "ctldl.windowsupdate.com" } ], "time": 0, "flow": 1 }, "n": "net.dns.req" } ], "registry": [ { "d": { "path": "HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\ZoomInstaller.exe", "status": 3221225524, "op": "QueryValueKey", "proc": 66 }, "n": "windows.reg.read" }, { "d": { "path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\ZoomInstaller", "status": 3221225524, "op": "QueryValueKey", "proc": 66 }, "n": "windows.reg.read" } ], "files": [ { "d": { "status": 0, "op": "Unknown", "path": "C:\\Windows", "proc": 66 }, "n": "windows.file.read" }, { "d": { "status": 0, "op": "Unknown", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp", "proc": 66 }, "n": "windows.file.read" } ] } }, "summary": { "ttp": [ "T1012", "T1112", "T1130" ], "dumped": [ { "kind": "martian", "name": "files/0x000400000001490c-0.dat", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe", "procid": 67, "pid": 3628, "at": 469 }, { "kind": "martian", "name": "files/0x0004000000014928-1.dat", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Zoom.msi", "procid": 67, "pid": 3628, "at": 1656 } ], "network": { "requests": [ { "dns_request": { "domains": [ "ctldl.windowsupdate.com" ] }, "flow": 1 }, { "dns_request": { "domains": [ "ctldl.windowsupdate.com" ] }, "flow": 1 } ], "flows": [ { "tx_packets": 5, "tx_bytes": 415, "last_seen": 16332, "first_seen": 8301, "pid": 1536, "proto": "udp", "dst": "8.8.8.8:53", "src": "10.0.0.65:49319", "id": 1 }, { "tx_packets": 5, "tx_bytes": 380, "last_seen": 28363, "first_seen": 20335, "procid": 30, "pid": 1536, "proto": "udp", "dst": "8.8.8.8:53", "src": "10.0.0.65:62567", "id": 2 } ] }, "signatures": [ { "indicators": [ { "procid": 67, "description": "Set value (int)", "ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\Policy = 3" } ], "tags": [ "adware", "spyware" ], "ttp": [ "T1112" ], "name": "Modifies Internet Explorer settings" }, { "indicators": [ { "procid": 67, "description": "Key created", "ioc": "\\REGISTRY\\USER\\S-1-5-21-269145824-1088426278-2636963486-1000_Classes\\ZoomRecording\\shell" } ], "name": "Modifies registry class", "label": "reg_software_classes" }, { "indicators": [ { "procid": 69, "description": "Set value (data)", "ioc": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates" } ], "tags": [ "evasion", "spyware", "trojan" ], "ttp": [ "T1130", "T1112" ], "score": 6, "name": "Modifies system certificate store" }, { "indicators": [ { "procid": 67, "pid": 3628 } ], "score": 8, "name": "Executes dropped EXE" }, { "indicators": [ { "procid": 69, "pid": 3592 }, { "procid": 69, "pid": 3592 } ], "name": "Suspicious use of FindShellTrayWindow" }, { "indicators": [ { "procid": 69, "pid": 3592 }, { "procid": 69, "pid": 3592 } ], "name": "Suspicious use of SendNotifyMessage" }, { "indicators": [ { "procid": 67, "description": "Set value (str)", "ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\Uninstall\\ZoomUMX\\DisplayName = Zoom" }, { "procid": 67, "description": "Key opened", "ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall" } ], "tags": [ "discovery" ], "ttp": [ "T1012" ], "score": 6, "name": "Checks for installed software on the system" }, { "indicators": [ { "procid_target": 67, "procid": 66, "pid": 3216, "description": "PID 3216 wrote to memory of 3628" }, { "procid_target": 67, "procid": 66, "pid": 3216, "description": "PID 3216 wrote to memory of 3628" } ], "name": "Suspicious use of WriteProcessMemory" } ], "processes": [ { "terminated": 3328, "started": 3078, "orig": false, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe", "cmd": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe /addfwexception --bin_home=C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin", "ppid": 3628, "pid": 3856, "procid_parent": 67, "procid": 68 }, { "started": 4078, "orig": false, "image": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe", "cmd": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe", "ppid": 3628, "pid": 3592, "procid_parent": 67, "procid": 69 }, { "started": 34609, "orig": false, "image": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe", "cmd": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe --action=preload --runaszvideo=TRUE", "ppid": 3592, "pid": 3832, "procid_parent": 69, "procid": 73 } ] }, "scan_results": { "scan_all_result_a": "Infected", "scan_all_result_i": 1, "infection_score": 8 }}Example of a failed request:
{ "error": { "code": 400064, "messages": [ "The hash value is not valid" ] }}Response description:
|
sandbox_id |
The unique sandbox scan that can be used to retrieve this exact scan version |
|
rescan_available |
Whether a rescan request can be submitted |
|
md5 |
The hash of the file |
|
sha1 |
The hash of the file |
|
sha256 |
The hash of the file |
|
request_time |
Timestamp when the dynamic analysis was initiated |
|
scan_results.infection_score |
A number from 1 to 10:
|
|
summary.ttp |
MITRE tactic, technique or procedure. See this reference. |
|
summary.network |
A summary of the network activity recorded by the sandbox |
|
summary.signatures |
A summary of the signatures detected based on the behavior |
|
summary.processes |
A summary of the process activity recorded by the sandbox |
Sample code (Node.js)
var http = require("https");var options = { "method": "GET", "hostname": [ "api", "metadefender", "com" ], "path": [ "v4", "hash", "AAA1C1CF2E78F64C0894EBC568B145039BB06DC3", "sandbox" ], "headers": { "apikey": process.env.APIKEY }};var req = http.request(options, function (res) { var chunks = []; res.on("data", function (chunk) { chunks.push(chunk); }); res.on("end", function () { var body = Buffer.concat(chunks); console.log(body.toString()); });});req.end();Sample code (cURL)
curl -X GET \ https://api.metadefender.com/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox \ -H "apikey: ${APIKEY}"