10.3 Hash lookup with sandbox

Request

Value

Method

GET

URL

https://api.metadefender.com/v4/hash/:hash/sandbox

Summary

This endpoint retrieves the most recent dynamic (sandbox) analysis already on record for the file identified by the :hash URL parameter. It is a read-only lookup: it does not start a new analysis (see rescan_available in the response).

Request

URL Parameters

 

Description

Example

:hash

MD5, SHA1 or SHA256 hash of the file, hex-encoded (32, 40 or 64 characters respectively). Clients should validate the value against this format before placing it in the URL path; the API rejects malformed values with error 400064 (see the failed-request example below).

AAA1C1CF2E78F64C0894EBC568B145039BB06DC3

Header Parameters

 

Description

Allowed Values

Required

apikey

Identifies and authorizes the caller (see API Authentication Mechanisms). Treat the key as a secret: read it from the environment or a secret store, as the samples below do, and never commit it to source control or embed it in client-side code.

apikey

YES

Response

HTTP Status Codes

Please refer to Status Codes for more information.

Body

Example response body for a successful request:

{
"sandbox_version": "2",
"sandbox_id": "5f1eaba199b7af3a34940c0b",
"rescan_available": true,
"md5": "327E6A67F7A09A084910B857447CFE22",
"sha1": "C84BA172A2EC25C8CAB6301E0C17FA2259268BD9",
"sha256": "C995CEA2F55CEC1243344560BC896B4845A2EEB6463CBA0DA224FC56B2C30CD3",
"data_id": "bzIwMDcyNF93LVpqLWRtX0V5VE1DWnNBTmQ",
"request_time": "2020-07-27T10:25:37.733Z",
"details": {
"data": {
"mutex": [
{
"d": {
"status": 3221225524,
"op": "EventOpen",
"event": "HookSwitchHookEnabledEvent",
"proc": 66
},
"n": "windows.event"
},
{
"d": {
"status": 1073741824,
"op": "MutantCreate",
"mutant": "Local\\SessionImmersiveColorMutex",
"proc": 66
},
"n": "windows.mutant"
}
],
"processes": [
{
"name": "smss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 348,
"cmd": "\\SystemRoot\\System32\\smss.exe",
"image": "C:\\Windows\\System32\\smss.exe",
"kind": "Existing",
"time": 78,
"proc": 1
},
"n": "windows.proc.create"
},
{
"name": "csrss.exe",
"d": {
"status": 0,
"orig": true,
"pid": 428,
"cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024",
"image": "C:\\Windows\\system32\\csrss.exe",
"kind": "Existing",
"time": 78,
"proc": 2
},
"n": "windows.proc.create"
}
],
"network": [
{
"d": {
"remote_port": "53",
"remote_addr": "8.8.8.8",
"local_port": "49319",
"local_addr": "10.0.0.65",
"proto": "udp",
"time": 8301,
"flow": 1
},
"n": "net.flow.start"
},
{
"d": {
"query": [
{
"type": "A",
"domain": "ctldl.windowsupdate.com"
}
],
"time": 0,
"flow": 1
},
"n": "net.dns.req"
}
],
"registry": [
{
"d": {
"path": "HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\ZoomInstaller.exe",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
},
{
"d": {
"path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\ZoomInstaller",
"status": 3221225524,
"op": "QueryValueKey",
"proc": 66
},
"n": "windows.reg.read"
}
],
"files": [
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Windows",
"proc": 66
},
"n": "windows.file.read"
},
{
"d": {
"status": 0,
"op": "Unknown",
"path": "C:\\Users\\Admin\\AppData\\Local\\Temp",
"proc": 66
},
"n": "windows.file.read"
}
]
}
},
"summary": {
"ttp": [
"T1012",
"T1112",
"T1130"
],
"dumped": [
{
"kind": "martian",
"name": "files/0x000400000001490c-0.dat",
"path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe",
"procid": 67,
"pid": 3628,
"at": 469
},
{
"kind": "martian",
"name": "files/0x0004000000014928-1.dat",
"path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Zoom.msi",
"procid": 67,
"pid": 3628,
"at": 1656
}
],
"network": {
"requests": [
{
"dns_request": {
"domains": [
"ctldl.windowsupdate.com"
]
},
"flow": 1
},
{
"dns_request": {
"domains": [
"ctldl.windowsupdate.com"
]
},
"flow": 1
}
],
"flows": [
{
"tx_packets": 5,
"tx_bytes": 415,
"last_seen": 16332,
"first_seen": 8301,
"pid": 1536,
"proto": "udp",
"dst": "8.8.8.8:53",
"src": "10.0.0.65:49319",
"id": 1
},
{
"tx_packets": 5,
"tx_bytes": 380,
"last_seen": 28363,
"first_seen": 20335,
"procid": 30,
"pid": 1536,
"proto": "udp",
"dst": "8.8.8.8:53",
"src": "10.0.0.65:62567",
"id": 2
}
]
},
"signatures": [
{
"indicators": [
{
"procid": 67,
"description": "Set value (int)",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\Policy = 3"
}
],
"tags": [
"adware",
"spyware"
],
"ttp": [
"T1112"
],
"name": "Modifies Internet Explorer settings"
},
{
"indicators": [
{
"procid": 67,
"description": "Key created",
"ioc": "\\REGISTRY\\USER\\S-1-5-21-269145824-1088426278-2636963486-1000_Classes\\ZoomRecording\\shell"
}
],
"name": "Modifies registry class",
"label": "reg_software_classes"
},
{
"indicators": [
{
"procid": 69,
"description": "Set value (data)",
"ioc": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
}
],
"tags": [
"evasion",
"spyware",
"trojan"
],
"ttp": [
"T1130",
"T1112"
],
"score": 6,
"name": "Modifies system certificate store"
},
{
"indicators": [
{
"procid": 67,
"pid": 3628
}
],
"score": 8,
"name": "Executes dropped EXE"
},
{
"indicators": [
{
"procid": 69,
"pid": 3592
},
{
"procid": 69,
"pid": 3592
}
],
"name": "Suspicious use of FindShellTrayWindow"
},
{
"indicators": [
{
"procid": 69,
"pid": 3592
},
{
"procid": 69,
"pid": 3592
}
],
"name": "Suspicious use of SendNotifyMessage"
},
{
"indicators": [
{
"procid": 67,
"description": "Set value (str)",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\Uninstall\\ZoomUMX\\DisplayName = Zoom"
},
{
"procid": 67,
"description": "Key opened",
"ioc": "\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
}
],
"tags": [
"discovery"
],
"ttp": [
"T1012"
],
"score": 6,
"name": "Checks for installed software on the system"
},
{
"indicators": [
{
"procid_target": 67,
"procid": 66,
"pid": 3216,
"description": "PID 3216 wrote to memory of 3628"
},
{
"procid_target": 67,
"procid": 66,
"pid": 3216,
"description": "PID 3216 wrote to memory of 3628"
}
],
"name": "Suspicious use of WriteProcessMemory"
}
],
"processes": [
{
"terminated": 3328,
"started": 3078,
"orig": false,
"image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe",
"cmd": "C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe /addfwexception --bin_home=C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin",
"ppid": 3628,
"pid": 3856,
"procid_parent": 67,
"procid": 68
},
{
"started": 4078,
"orig": false,
"image": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
"cmd": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
"ppid": 3628,
"pid": 3592,
"procid_parent": 67,
"procid": 69
},
{
"started": 34609,
"orig": false,
"image": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe",
"cmd": "C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe --action=preload --runaszvideo=TRUE",
"ppid": 3592,
"pid": 3832,
"procid_parent": 69,
"procid": 73
}
]
},
"scan_results": {
"scan_all_result_a": "Infected",
"scan_all_result_i": 1,
"infection_score": 8
}
}

Example response body for a failed request (here, a malformed :hash value):

{
"error": {
"code": 400064,
"messages": [
"The hash value is not valid"
]
}
}

Response description:

sandbox_id

Unique identifier of this particular sandbox analysis; use it to retrieve this exact analysis version rather than whatever analysis is most recent at the time of a later query.

rescan_available

Whether a new sandbox analysis (rescan) can be requested for this file. This endpoint only retrieves existing results; requesting a rescan is a separate call.

md5

MD5 hash of the analyzed file. As a consistency check, compare the returned md5/sha1/sha256 value of the type you queried with the hash you supplied in :hash before acting on the result.

sha1

SHA1 hash of the analyzed file.

sha256

SHA256 hash of the analyzed file.

request_time

Timestamp (ISO 8601, UTC, e.g. 2020-07-27T10:25:37.733Z) when the dynamic analysis was initiated. Because the endpoint returns the most recent analysis on record, check this value: an old analysis may not reflect current sandbox signatures or detections.

scan_results.infection_score

A number from 1 to 10:

  • 1: low probability of infection

  • 10: high probability of infection

This is a heuristic score derived from the observed behavior, not a definitive verdict; behaviors such as modifying the registry or the system certificate store raise it even when performed by a legitimate installer. Correlate it with scan_all_result_a and the individual signatures before acting on it.

summary.ttp

MITRE ATT&amp;CK technique IDs (e.g. T1112, Modify Registry) matched during the analysis; see the MITRE ATT&amp;CK reference. Note that MITRE retires and renumbers techniques over time (T1130 shown above has since been merged into T1553.004), so map the IDs against the ATT&amp;CK version your tooling uses.

summary.network

A summary of the network activity recorded by the sandbox: DNS requests and per-flow statistics (source/destination address and port, protocol, packet and byte counts, originating pid).

summary.signatures

Behavioral signatures matched during the analysis. Each entry carries the indicators (IOCs) that triggered it and, where present, a human-readable name, tags, MITRE ATT&amp;CK technique IDs and a score.

summary.processes

A summary of the processes created during the analysis (image path, command line, pid/ppid, parent procid and start/termination times).

Errors

Please refer to Errors for more information.

Sample code (Node.js)

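var https = require("https");

// MD5 (32), SHA1 (40) or SHA256 (64) hex digest of the file to look up.
// Taken from the environment when set, otherwise the documented example value.
var hash = process.env.HASH || "AAA1C1CF2E78F64C0894EBC568B145039BB06DC3";
var apikey = process.env.APIKEY;

// Fail early on a missing key rather than sending an unauthenticated request.
if (!apikey) {
  console.error("APIKEY environment variable is not set");
  process.exit(1);
}

// The hash is interpolated into the URL path, so only accept a well-formed hex
// digest: anything else (e.g. "../" or "?") would change the requested route.
if (!/^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$/.test(hash)) {
  console.error("hash must be a 32, 40 or 64 character hex digest");
  process.exit(1);
}

// https.request expects a string hostname and a "/"-prefixed string path; the
// array form found in generated snippets is not a valid request option.
var options = {
  method: "GET",
  hostname: "api.metadefender.com",
  path: "/v4/hash/" + encodeURIComponent(hash) + "/sandbox",
  headers: {
    apikey: apikey
  }
};

var req = https.request(options, function (res) {
  var chunks = [];

  res.on("data", function (chunk) {
    chunks.push(chunk);
  });

  res.on("end", function () {
    var body = Buffer.concat(chunks).toString();
    // Non-2xx responses carry an {"error": ...} body (see the failed example);
    // surface them as errors instead of printing them as if they were a verdict.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error("HTTP " + res.statusCode + ": " + body);
      process.exit(1);
    }
    console.log(body);
  });
});

// Without this handler a DNS or TLS failure crashes the process with an
// uncaught exception instead of a readable message.
req.on("error", function (err) {
  console.error("request failed: " + err.message);
  process.exit(1);
});

req.end();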

Sample code (cURL)

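# APIKEY must be set in the environment; ${APIKEY:?...} aborts with a message
# instead of sending an unauthenticated request when it is missing.
# Note: the expanded key is still visible in the process argument list (ps);
# on shared hosts prefer a header file ("-H @headers.txt", curl >= 7.55) or a
# curl --config file. -X GET is dropped because GET is already the default;
# -sS hides the progress meter but still reports errors.
curl -sS \
  "https://api.metadefender.com/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox" \
  -H "apikey: ${APIKEY:?APIKEY environment variable is not set}"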