10.3 Hash lookup with sandbox
|
Request |
Value |
|
Method |
GET |
|
URL |
https://api.metadefender.com/v4/hash/:hash/sandbox |
Summary
This endpoint retrieves the last dynamic analysis for the file identified by the hash parameter.
Request
URL Parameters
|
|
Description |
Example |
|
:hash |
MD5, SHA1, or SHA256 of a file |
511884530114A95F24461FBAD1014271FFE95A3DD7F39D4085E86AF7515A926D |
Header Parameters
|
|
Description |
Allowed Values |
Required |
|
apikey |
Identifies and authorizes the user (API Authentication Mechanisms) |
apikey |
YES |
Response
HTTP Status Codes
Please refer to Status Codes for more information.
Body
Example of a successful request:
{ "md5": "1E5CF9095D05553E7860020736538639", "sha1": "1F20AE619063EC0647571BC7CBCFB2D07E3A4DA2", "sha256": "511884530114A95F24461FBAD1014271FFE95A3DD7F39D4085E86AF7515A926D", "data_id": "bzIxMDExMW5PNTdWY09xQXNSb085WkNLVA", "request_time": "2021-04-07T08:12:17.123Z", "browser": "os_default", "timeout": "short", "scan_results": { "scan_all_result_a": "Infected", "scan_all_result_i": 1, "progress_percentage": 100, "infection_score": 8 }, "system": "windows10", "details": { "procLabels": [ { "name": "smss.exe", "d": { "status": 0, "orig": true, "pid": 336, "cmd": "\\SystemRoot\\System32\\smss.exe", "image": "C:\\Windows\\System32\\smss.exe", "kind": "Existing", "time": 94, "proc": 1 }, "n": "windows.proc.create" }, { "name": "csrss.exe", "d": { "status": 0, "orig": true, "pid": 420, "cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "image": "C:\\Windows\\system32\\csrss.exe", "kind": "Existing", "time": 94, "proc": 2 }, "n": "windows.proc.create" }, { "name": "csrss.exe", "d": { "status": 0, "orig": true, "pid": 492, "cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "image": "C:\\Windows\\system32\\csrss.exe", "kind": "Existing", "time": 94, "proc": 3 }, "n": "windows.proc.create" } ], "flowLabels": [ { "d": { "remote_port": "138", "remote_addr": "10.0.0.255", "local_port": "138", "local_addr": "10.0.0.71", "proto": "udp", "time": 0, "flow": 1 }, "n": "net.flow.start" }, { "d": { "remote_port": "53", "remote_addr": "8.8.8.8", "local_port": "54089", "local_addr": "10.0.0.71", "proto": "udp", "time": 3286, "flow": 2 }, "n": "net.flow.start" }, { "d": { "remote_port": "1900", "remote_addr": "239.255.255.250", "local_port": "54092", "local_addr": "10.0.0.71", "proto": "udp", "time": 3991, "flow": 3 }, "n": "net.flow.start" } ], "data": { "search": [], "mutex": [ { "d": { "status": 3221225524, "op": "EventOpen", "event": "HookSwitchHookEnabledEvent", "proc": 66 }, "n": "windows.event" }, { "d": { "status": 3221225524, "op": "EventOpen", "event": "HookSwitchHookEnabledEvent", "proc": 70 }, "n": "windows.event" }, { "d": { "status": 1073741824, "op": "MutantCreate", "mutant": "Local\\SessionImmersiveColorMutex", "proc": 70 }, "n": "windows.mutant" } ], "processes": [ { "name": "smss.exe", "d": { "status": 0, "orig": true, "pid": 336, "cmd": "\\SystemRoot\\System32\\smss.exe", "image": "C:\\Windows\\System32\\smss.exe", "kind": "Existing", "time": 94, "proc": 1 }, "n": "windows.proc.create" }, { "name": "csrss.exe", "d": { "status": 0, "orig": true, "pid": 420, "cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "image": "C:\\Windows\\system32\\csrss.exe", "kind": "Existing", "time": 94, "proc": 2 }, "n": "windows.proc.create" }, { "name": "csrss.exe", "d": { "status": 0, "orig": true, "pid": 492, "cmd": "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16", "image": "C:\\Windows\\system32\\csrss.exe", "kind": "Existing", "time": 94, "proc": 3 }, "n": "windows.proc.create" } ], "misc": [ { "d": { "platform": "windows10_x64", "resource": "win10x64_2", "backend": "sandbox-production", "task": "210407-jjjlm1rz7x-behavioral1", "sample": "210407-jjjlm1rz7x", "version": "0.2" }, "n": "analog.header" } ], "network": [ { "d": { "flow": 2, "time": 828, "proc": 33 }, "n": "net.flow.proc" }, { "d": { "flow": 3, "time": 1531, "proc": 71 }, "n": "net.flow.proc" }, { "d": { "flow": 5, "time": 1531, "proc": 71 }, "n": "net.flow.proc" } ], "registry": [ { "d": { "path": "HKLM\\SOFTWARE\\Microsoft\\Wow64\\x86\\youtube_downloader_hd.exe", "status": 3221225524, "op": "QueryValueKey", "proc": 66 }, "n": "windows.reg.read" }, { "d": { "path": "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Compatibility32\\youtube_downloader_hd", "status": 3221225524, "op": "QueryValueKey", "proc": 66 }, "n": "windows.reg.read" }, { "d": { "path": "HKLM", "status": 0, "op": "QueryKey", "proc": 66 }, "n": "windows.reg.read" } ], "files": [ { "d": { "status": 0, "op": "Unknown", "path": "C:\\Windows", "proc": 66 }, "n": "windows.file.read" }, { "d": { "status": 0, "op": "OpenRead", "path": "C:\\Windows", "proc": 66 }, "n": "windows.file.read" }, { "d": { "status": 0, "op": "Unknown", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\", "proc": 66 }, "n": "windows.file.read" } ] } }, "summary": { "dumped": [ { "kind": "3", "name": "memory/196-0-0x0000000000000000-mapping.dmp", "procid": 70, "pid": 196, "at": 875 }, { "kind": "martian", "name": "files/0x0005000000014927-1.dat", "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp", "procid": 70, "pid": 196, "at": 906 } ], "network": {}, "signatures": [ { "indicators": [ { "procid": 70, "pid": 196 } ], "score": 8, "name": "Executes dropped EXE" }, { "indicators": [ { "procid_target": 70, "procid": 66, "pid": 1776, "description": "PID 1776 wrote to memory of 196" } ], "name": "Suspicious use of WriteProcessMemory" } ], "processes": [ { "started": 235, "orig": false, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe", "cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe\"", "ppid": 2996, "pid": 1776, "procid_parent": 55, "procid": 66 }, { "started": 750, "orig": false, "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp", "cmd": "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-LG89R.tmp\\youtube_downloader_hd.tmp\" /SL5=\"$201F2,18793909,423424,C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube_downloader_hd.exe\" ", "ppid": 1776, "pid": 196, "procid_parent": 66, "procid": 70 } ] }, "sandbox_version": "2", "sandbox_id": "606d69618104a46c24cc44e6", "rescan_available": true}Example of a failed request:
{ "error": { "code": 400064, "messages": [ "The hash value is not valid" ] }}Response description:
|
md5 |
The hash of the file |
|
sha1 |
The hash of the file |
|
sha256 |
The hash of the file |
|
data_id |
The generated id of the file |
|
request_time |
Timestamp when the dynamic analysis was initiated |
|
browser |
Browser used in the scanning process |
|
timeout |
Analysis timeout profile |
|
system |
The sandbox type used for analysis |
|
scan_results.scan_all_result_a |
A string status code of the analysis. Possible values: "No threat detected", "Infected", "Suspicious" |
|
scan_results.scan_all_result_i |
A status code for the analysis (the numeric version of "scan_results.scan_all_result_a". Possible values: 0,1,2 |
|
scan_results.progress_percentage |
Shows the progress on the analysis (1-100). |
|
scan_results.infection_score |
A number from 1 to 10:
|
|
details |
Detailed analysis information |
|
details.procLabels |
Recorded processes detailed data |
|
details.flowLabels |
Recorded network flow detailed data |
|
details.data |
Detailed analysis information data |
|
details.data.search |
Detailed search activity |
|
details.data.mutex |
Detailed mutex activity |
|
details.data.processes |
Detailed processes activity |
|
details.data.misc |
Detailed miscellaneous activity |
|
details.data.network |
Detailed network activity |
|
details.data.registry |
Detailed registry key activity |
|
details.data.files |
Detailed filesystem activity |
|
summary |
A short reference of the analysis highlights |
|
summary.dumped |
A summary of the dumped data activity recorded by the sandbox |
|
summary.network |
A summary of the network activity recorded by the sandbox |
|
summary.signatures |
A summary of the signatures detected based on the behavior |
|
summary.processes |
A summary of the process activity recorded by the sandbox |
|
summary.ttp |
MITRE tactic, technique or procedure. See this reference. |
|
sandbox_version |
Version of the sandbox used |
|
sandbox_id |
The unique sandbox scan ID that can be used to retrieve this exact scan version |
|
rescan_available |
Whether a rescan request can be submitted |
Errors
Please refer to Errors for more information.
Sample code (Node.js)
var http = require("https");var options = { "method": "GET", "hostname": [ "api", "metadefender", "com" ], "path": [ "v4", "hash", "AAA1C1CF2E78F64C0894EBC568B145039BB06DC3", "sandbox" ], "headers": { "apikey": process.env.APIKEY }};var req = http.request(options, function (res) { var chunks = []; res.on("data", function (chunk) { chunks.push(chunk); }); res.on("end", function () { var body = Buffer.concat(chunks); console.log(body.toString()); });});req.end();Sample code (cURL)
curl -X GET \ https://api.metadefender.com/v4/hash/AAA1C1CF2E78F64C0894EBC568B145039BB06DC3/sandbox \ -H "apikey: ${APIKEY}"