10.3 Hash lookup with sandbox
Request |
Value |
Method |
GET |
URL |
https://api.metadefender.com/v4/hash/:hash/sandbox |
Summary
This endpoint retrieves the most recent dynamic (sandbox) analysis of the file identified by the `:hash` URL parameter.
Request
URL Parameters
|
Description |
Example |
:hash |
The MD5, SHA-1, or SHA-256 hash of the file |
AAA1C1CF2E78F64C0894EBC568B145039BB06DC3 |
Header Parameters
|
Description |
Allowed Values |
Required |
apikey |
Identifies and authorizes the caller (see API Authentication Mechanisms) |
apikey |
YES |
Response
HTTP Status Codes
Please refer to Status Codes for more information.
Body
Example response body for a successful request:
{
"sandbox_version"
:
"2"
,
"sandbox_id"
:
"5f1eaba199b7af3a34940c0b"
,
"rescan_available"
:
true
,
"md5"
:
"327E6A67F7A09A084910B857447CFE22"
,
"sha1"
:
"C84BA172A2EC25C8CAB6301E0C17FA2259268BD9"
,
"sha256"
:
"C995CEA2F55CEC1243344560BC896B4845A2EEB6463CBA0DA224FC56B2C30CD3"
,
"data_id"
:
"bzIwMDcyNF93LVpqLWRtX0V5VE1DWnNBTmQ"
,
"request_time"
:
"2020-07-27T10:25:37.733Z"
,
"details"
: {
"data"
: {
"mutex"
: [
{
"d"
: {
"status"
: 3221225524,
"op"
:
"EventOpen"
,
"event"
:
"HookSwitchHookEnabledEvent"
,
"proc"
: 66
},
"n"
:
"windows.event"
},
{
"d"
: {
"status"
: 1073741824,
"op"
:
"MutantCreate"
,
"mutant"
:
"Local\\SessionImmersiveColorMutex"
,
"proc"
: 66
},
"n"
:
"windows.mutant"
}
],
"processes"
: [
{
"name"
:
"smss.exe"
,
"d"
: {
"status"
: 0,
"orig"
:
true
,
"pid"
: 348,
"cmd"
:
"\\SystemRoot\\System32\\smss.exe"
,
"image"
:
"C:\\Windows\\System32\\smss.exe"
,
"kind"
:
"Existing"
,
"time"
: 78,
"proc"
: 1
},
"n"
:
"windows.proc.create"
},
{
"name"
:
"csrss.exe"
,
"d"
: {
"status"
: 0,
"orig"
:
true
,
"pid"
: 428,
"cmd"
:
"%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024"
,
"image"
:
"C:\\Windows\\system32\\csrss.exe"
,
"kind"
:
"Existing"
,
"time"
: 78,
"proc"
: 2
},
"n"
:
"windows.proc.create"
}
],
"network"
: [
{
"d"
: {
"remote_port"
:
"53"
,
"remote_addr"
:
"8.8.8.8"
,
"local_port"
:
"49319"
,
"local_addr"
:
"10.0.0.65"
,
"proto"
:
"udp"
,
"time"
: 8301,
"flow"
: 1
},
"n"
:
"net.flow.start"
},
{
"d"
: {
"query"
: [
{
"type"
:
"A"
,
"domain"
:
"ctldl.windowsupdate.com"
}
],
"time"
: 0,
"flow"
: 1
},
"n"
:
"net.dns.req"
}
],
"registry"
: [
{
"d"
: {
"path"
:
"HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\ZoomInstaller.exe"
,
"status"
: 3221225524,
"op"
:
"QueryValueKey"
,
"proc"
: 66
},
"n"
:
"windows.reg.read"
},
{
"d"
: {
"path"
:
"HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\ZoomInstaller"
,
"status"
: 3221225524,
"op"
:
"QueryValueKey"
,
"proc"
: 66
},
"n"
:
"windows.reg.read"
}
],
"files"
: [
{
"d"
: {
"status"
: 0,
"op"
:
"Unknown"
,
"path"
:
"C:\\Windows"
,
"proc"
: 66
},
"n"
:
"windows.file.read"
},
{
"d"
: {
"status"
: 0,
"op"
:
"Unknown"
,
"path"
:
"C:\\Users\\Admin\\AppData\\Local\\Temp"
,
"proc"
: 66
},
"n"
:
"windows.file.read"
}
]
}
},
"summary"
: {
"ttp"
: [
"T1012"
,
"T1112"
,
"T1130"
],
"dumped"
: [
{
"kind"
:
"martian"
,
"name"
:
"files/0x000400000001490c-0.dat"
,
"path"
:
"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe"
,
"procid"
: 67,
"pid"
: 3628,
"at"
: 469
},
{
"kind"
:
"martian"
,
"name"
:
"files/0x0004000000014928-1.dat"
,
"path"
:
"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Zoom.msi"
,
"procid"
: 67,
"pid"
: 3628,
"at"
: 1656
}
],
"network"
: {
"requests"
: [
{
"dns_request"
: {
"domains"
: [
"ctldl.windowsupdate.com"
]
},
"flow"
: 1
},
{
"dns_request"
: {
"domains"
: [
"ctldl.windowsupdate.com"
]
},
"flow"
: 1
}
],
"flows"
: [
{
"tx_packets"
: 5,
"tx_bytes"
: 415,
"last_seen"
: 16332,
"first_seen"
: 8301,
"pid"
: 1536,
"proto"
:
"udp"
,
"dst"
:
"8.8.8.8:53"
,
"src"
:
"10.0.0.65:49319"
,
"id"
: 1
},
{
"tx_packets"
: 5,
"tx_bytes"
: 380,
"last_seen"
: 28363,
"first_seen"
: 20335,
"procid"
: 30,
"pid"
: 1536,
"proto"
:
"udp"
,
"dst"
:
"8.8.8.8:53"
,
"src"
:
"10.0.0.65:62567"
,
"id"
: 2
}
]
},
"signatures"
: [
{
"indicators"
: [
{
"procid"
: 67,
"description"
:
"Set value (int)"
,
"ioc"
:
"\\REGISTRY\\USER\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\Policy = 3"
}
],
"tags"
: [
"adware"
,
"spyware"
],
"ttp"
: [
"T1112"
],
"name"
:
"Modifies Internet Explorer settings"
},
{
"indicators"
: [
{
"procid"
: 67,
"description"
:
"Key created"
,
"ioc"
:
"\\REGISTRY\\USER\\S-1-5-21-269145824-1088426278-2636963486-1000_Classes\\ZoomRecording\\shell"
}
],
"name"
:
"Modifies registry class"
,
"label"
:
"reg_software_classes"
},
{
"indicators"
: [
{
"procid"
: 69,
"description"
:
"Set value (data)"
,
"ioc"
:
"\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates"
}
],
"tags"
: [
"evasion"
,
"spyware"
,
"trojan"
],
"ttp"
: [
"T1130"
,
"T1112"
],
"score"
: 6,
"name"
:
"Modifies system certificate store"
},
{
"indicators"
: [
{
"procid"
: 67,
"pid"
: 3628
}
],
"score"
: 8,
"name"
:
"Executes dropped EXE"
},
{
"indicators"
: [
{
"procid"
: 69,
"pid"
: 3592
},
{
"procid"
: 69,
"pid"
: 3592
}
],
"name"
:
"Suspicious use of FindShellTrayWindow"
},
{
"indicators"
: [
{
"procid"
: 69,
"pid"
: 3592
},
{
"procid"
: 69,
"pid"
: 3592
}
],
"name"
:
"Suspicious use of SendNotifyMessage"
},
{
"indicators"
: [
{
"procid"
: 67,
"description"
:
"Set value (str)"
,
"ioc"
:
"\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\Uninstall\\ZoomUMX\\DisplayName = Zoom"
},
{
"procid"
: 67,
"description"
:
"Key opened"
,
"ioc"
:
"\\REGISTRY\\USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
}
],
"tags"
: [
"discovery"
],
"ttp"
: [
"T1012"
],
"score"
: 6,
"name"
:
"Checks for installed software on the system"
},
{
"indicators"
: [
{
"procid_target"
: 67,
"procid"
: 66,
"pid"
: 3216,
"description"
:
"PID 3216 wrote to memory of 3628"
},
{
"procid_target"
: 67,
"procid"
: 66,
"pid"
: 3216,
"description"
:
"PID 3216 wrote to memory of 3628"
}
],
"name"
:
"Suspicious use of WriteProcessMemory"
}
],
"processes"
: [
{
"terminated"
: 3328,
"started"
: 3078,
"orig"
:
false
,
"image"
:
"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe"
,
"cmd"
:
"C:\\Users\\Admin\\AppData\\Local\\Temp\\7zS09C1F770\\Installer.exe /addfwexception --bin_home=C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin"
,
"ppid"
: 3628,
"pid"
: 3856,
"procid_parent"
: 67,
"procid"
: 68
},
{
"started"
: 4078,
"orig"
:
false
,
"image"
:
"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"
,
"cmd"
:
"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"
,
"ppid"
: 3628,
"pid"
: 3592,
"procid_parent"
: 67,
"procid"
: 69
},
{
"started"
: 34609,
"orig"
:
false
,
"image"
:
"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe"
,
"cmd"
:
"C:\\Users\\Admin\\AppData\\Roaming\\Zoom\\bin\\Zoom.exe --action=preload --runaszvideo=TRUE"
,
"ppid"
: 3592,
"pid"
: 3832,
"procid_parent"
: 69,
"procid"
: 73
}
]
},
"scan_results"
: {
"scan_all_result_a"
:
"Infected"
,
"scan_all_result_i"
: 1,
"infection_score"
: 8
}
}
Example response body for a failed request:
{
"error"
: {
"code"
:
400064
,
"messages"
: [
"The hash value is not valid"
]
}
}
Response description:
sandbox_id |
Unique identifier of the sandbox scan; it can be used to retrieve this exact scan version |
rescan_available |
Whether a rescan request can be submitted |
md5 |
The MD5 hash of the file |
sha1 |
The SHA-1 hash of the file |
sha256 |
The SHA-256 hash of the file |
request_time |
Timestamp when the dynamic analysis was initiated |
scan_results.infection_score |
A number from 1 to 10:
|
summary.ttp |
MITRE ATT&CK tactic, technique or procedure identifiers (e.g. T1112). See this reference. |
summary.network |
A summary of the network activity recorded by the sandbox |
summary.signatures |
A summary of the signatures detected based on the behavior |
summary.processes |
A summary of the process activity recorded by the sandbox |
Sample code (Node.js)
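// Sample client for "GET /v4/hash/:hash/sandbox".
// The API key is read from the APIKEY environment variable so it is never
// hard-coded in the sample; the hash below is the documented example value.
var https = require("https");

var hash = "AAA1C1CF2E78F64C0894EBC568B145039BB06DC3";

// https.request() expects `hostname` and `path` as plain strings. Passing
// them as arrays of host/path segments (as the generated snippet did) is
// rejected by Node or yields a mangled request path, so they are joined here
// and the path is given its leading slash.
var options = {
  "method": "GET",
  "hostname": "api.metadefender.com",
  "path": "/v4/hash/" + hash + "/sandbox",
  "headers": {
    "apikey": process.env.APIKEY
  }
};

var req = https.request(options, function (res) {
  var chunks = [];
  res.on("data", function (chunk) {
    chunks.push(chunk);
  });
  res.on("end", function () {
    var body = Buffer.concat(chunks);
    // A non-2xx status carries the `error` object shown in the failed-request
    // example; surface it on stderr so callers do not mistake it for a report.
    if (res.statusCode < 200 || res.statusCode >= 300) {
      console.error("HTTP " + res.statusCode);
    }
    console.log(body.toString());
  });
});

// Without an 'error' listener a DNS, TLS or connection failure is thrown as an
// unhandled event and crashes the process instead of being reported.
req.on("error", function (err) {
  console.error("Request failed: " + err.message);
});

req.end();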
Sample code (cURL)
# Fetch the latest sandbox report for the example hash. The API key is taken
# from the APIKEY environment variable rather than being embedded in the command.
curl --request GET \
  --header "apikey: ${APIKEY}" \
  "https://api.metadefender.com/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox"