SNDBOX

Use the SNDBOX integration to detect and analyze potentially malicious files.

SNDBOX Playbook

  • Detonate File - SNDBOX

Use Cases

  • Submit a file for analysis.
  • Retrieve the results of a previous analysis by its analysis ID.

Supported File Types

SNDBOX supports the following file types:

  • Microsoft (2003 and earlier): doc, dot, xls, csv, xlt, xlm, ppt, pot, pps
  • Microsoft (2007 and later): docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xla, xlam, iqy, pptx, pptm, potx, ppsx, xml
  • Other: pe32, rtf, pdf, vbs, vbe, ps1, js, lnk, html, bat

Configure SNDBOX on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for SNDBOX.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • Use Public API Key (by using the SNDBOX public API you accept the SNDBOX terms of service at https://app.sndbox.com/tos). Submissions made with the public key are shared with the SNDBOX community, so do not submit files that contain sensitive or proprietary data with it; use a private API key for those.
    • Private API Key
    • Use system proxy settings
    • Trust any certificate (not secure). Leave this unchecked unless you are deliberately accepting an unverified TLS certificate; with it enabled, the API key and the submitted samples can be intercepted by anyone who can man-in-the-middle the connection.
    • Max. Polling Time (in seconds)
    • Verbose (show log in case of error)
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check SNDBOX status: sndbox-is-online
  2. Get information for an analysis: sndbox-analysis-info
  3. Submit a sample for analysis: sndbox-analysis-submit-sample
  4. Download a report resource: sndbox-download-report
  5. (Deprecated) Detonate a file: sndbox-detonate-file
  6. Download a file sample of an analysis: sndbox-download-sample

1. Check SNDBOX status


Checks if SNDBOX is online or in maintenance mode.

Base Command

sndbox-is-online

Input

There is no input for this command.

Context Output

There is no context output for this command.

2. Get information for an analysis


Show information about an analysis.

Base Command

sndbox-analysis-info

Input
Argument Name Description Required
analysis_id Analysis ID. Accepts a comma-separated list to query several analyses in one call. Required
Context Output
Path Type Description
SNDBOX.Analysis.ID string Analysis ID
SNDBOX.Analysis.SampleName string Name of the submitted sample
SNDBOX.Analysis.Status string Analysis status
SNDBOX.Analysis.Time date Submitted time
SNDBOX.Analysis.Score float Analysis score
SNDBOX.Analysis.Result string Analysis results
SNDBOX.Analysis.Errors unknown Raised errors during sampling
SNDBOX.Analysis.Link string Analysis link
SNDBOX.Analysis.MD5 string MD5 of analysis sample
SNDBOX.Analysis.SHA1 string SHA-1 of analysis sample
SNDBOX.Analysis.SHA256 string SHA-256 of analysis sample
DBotScore.Vendor string Vendor name: SNDBOX
DBotScore.Indicator unknown The name of the sample file
DBotScore.Type string File type
DBotScore.Score number The actual score
DBotScore.Malicious.Vendor string Vendor name: SNDBOX
DBotScore.Malicious.Detections string The sub-analysis detection statuses
DBotScore.Malicious.SHA1 string SHA-1 of the file
Command Example
!sndbox-analysis-info analysis_id="65577395-48d8-4d51-bc97-bc2486f49ca0"
Context Example and Human Readable Output: shown as screenshots in the original page, not reproduced here.

3. Submit a sample for analysis


Submit a sample for analysis.

Base Command

sndbox-analysis-submit-sample

Input
Argument Name Description Required
file_id War Room entry of a file, e.g., 3245@4 Optional
should_wait Should the command poll for the result of the analysis Optional
Context Output
Path Type Description
SNDBOX.Analysis.ID string Analysis ID
SNDBOX.Analysis.SampleName string Sample data, (file name or URL)
SNDBOX.Analysis.Status string Analysis status
SNDBOX.Analysis.Time date Submitted time
SNDBOX.Analysis.Result string Analysis results
SNDBOX.Analysis.Errors unknown Raised errors during sampling
SNDBOX.Analysis.Link string Analysis Link
SNDBOX.Analysis.MD5 string MD5 of analysis sample
SNDBOX.Analysis.SHA1 string SHA-1 of analysis sample
SNDBOX.Analysis.SHA256 string SHA-256 of analysis sample
DBotScore.Vendor string Vendor name: SNDBOX
DBotScore.Indicator unknown The name of the sample file or URL
DBotScore.Type string 'url' for url samples, otherwise 'file'
DBotScore.Score number The actual score
DBotScore.Malicious.Vendor string Vendor name: SNDBOX
DBotScore.Malicious.SHA1 string SHA-1 of the file
Command Example
!sndbox-analysis-submit-sample file_id="288@670"
Context Example and Human Readable Output: shown as screenshots in the original page, not reproduced here.
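The two commands above are normally chained: submit a War Room file, then poll sndbox-analysis-info with the returned IDs until the analysis settles or the polling budget runs out. The following is an added example written for this README, not code from the SNDBOX integration. It models each command round-trip as a call to an injected `execute` callable with the same shape as demisto.executeCommand (a list of entries with Type, Contents and EntryContext; Type 4 is an error entry), so it runs offline against the constructed FakeSndbox below and can be pointed at demisto.executeCommand inside an automation. The status names in TERMINAL_STATUSES, the FakeSndbox responses and the sample IDs are assumptions made for the example and are not values taken from this page.

```python
"""Submit a file to SNDBOX and poll until the analysis settles (added example)."""
import time

ENTRY_TYPE_ERROR = 4                        # XSOAR entry type for error entries
CONTEXT_PREFIX = "SNDBOX.Analysis"          # context key written by both commands
TERMINAL_STATUSES = {"finished", "failed"}  # assumed terminal statuses (not on the page)


class DetonationError(RuntimeError):
    """Raised when a command returns an error entry or no SNDBOX context."""


def _analyses_from(entries):
    """Collect SNDBOX.Analysis objects from a list of command result entries."""
    found = []
    for entry in entries:
        if entry.get("Type") == ENTRY_TYPE_ERROR:
            raise DetonationError(str(entry.get("Contents")))
        for key, value in (entry.get("EntryContext") or {}).items():
            # Context keys carry a DT selector, e.g. "SNDBOX.Analysis(val.ID == obj.ID)".
            if key.split("(")[0] == CONTEXT_PREFIX:
                found.extend(value if isinstance(value, list) else [value])
    return found


def submit_sample(execute, file_entry_id):
    """Submit a War Room file entry; return the analysis IDs SNDBOX assigned."""
    entries = execute("sndbox-analysis-submit-sample",
                      {"file_id": file_entry_id, "should_wait": "false"})
    ids = [a["ID"] for a in _analyses_from(entries) if a.get("ID")]
    if not ids:
        raise DetonationError("submit returned no SNDBOX.Analysis context")
    return ids


def wait_for_analyses(execute, analysis_ids, max_polling_seconds=600, interval=30,
                      sleep=time.sleep, clock=time.monotonic):
    """Poll sndbox-analysis-info until every ID settles or the time budget is spent.

    Returns (done, pending): done maps ID -> final analysis object; pending lists
    IDs still running when max_polling_seconds elapsed, so a playbook can branch
    on the timeout instead of treating "no verdict yet" as "clean".
    """
    deadline = clock() + max_polling_seconds
    pending = list(analysis_ids)
    done = {}
    while pending:
        # analysis_id accepts a comma-separated list, so one call covers all IDs.
        entries = execute("sndbox-analysis-info", {"analysis_id": ",".join(pending)})
        for analysis in _analyses_from(entries):
            if analysis.get("Status") in TERMINAL_STATUSES or analysis.get("Errors"):
                done[analysis["ID"]] = analysis
        pending = [i for i in pending if i not in done]
        if pending:
            remaining = deadline - clock()
            if remaining <= 0:
                break
            sleep(min(interval, remaining))
    return done, pending


def detonate(execute, file_entry_id, **poll_kwargs):
    """Submit, then wait: the shape of a 'Detonate File' playbook task."""
    return wait_for_analyses(execute, submit_sample(execute, file_entry_id), **poll_kwargs)


class FakeSndbox:
    """Constructed stand-in for the integration: every analysis reports
    'pending' until it has been polled polls_until_done times, then 'finished'."""

    def __init__(self, polls_until_done=2):
        self.polls_until_done = polls_until_done
        self.polls = {}
        self.calls = []

    def __call__(self, command, args):
        self.calls.append((command, dict(args)))
        key = f"{CONTEXT_PREFIX}(val.ID == obj.ID)"
        if command == "sndbox-analysis-submit-sample":
            ctx = [{"ID": i, "Status": "pending", "SampleName": "invoice.doc"}
                   for i in ("a1", "a2")]  # constructed IDs
            return [{"Type": 1, "Contents": "submitted", "EntryContext": {key: ctx}}]
        if command == "sndbox-analysis-info":
            ctx = []
            for i in args["analysis_id"].split(","):
                self.polls[i] = self.polls.get(i, 0) + 1
                finished = self.polls[i] >= self.polls_until_done
                ctx.append({"ID": i, "Status": "finished" if finished else "pending",
                            "Score": 8.5 if finished else None, "Errors": []})
            return [{"Type": 1, "Contents": ctx, "EntryContext": {key: ctx}}]
        return [{"Type": ENTRY_TYPE_ERROR, "Contents": f"unknown command {command}"}]


if __name__ == "__main__":
    fake = FakeSndbox()
    finished, still_pending = detonate(fake, "288@670", interval=0, sleep=lambda s: None)
    print(finished, still_pending)
```

The timeout path matters operationally: when `max_polling_seconds` is exhausted the function returns the unfinished IDs rather than raising or returning an empty verdict, so the playbook can park the incident and re-run sndbox-analysis-info later with the same IDs. Passing `sleep` and `clock` explicitly is what makes the polling loop testable without real waits.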

4. Download a report resource


Download a resource belonging to a report. This can be the full report, dropped binaries, etc.

Base Command

sndbox-download-report

Input
Argument Name Description Required
analysis_id Analysis ID Required
type The resource type to download. Default is JSON. Optional
Context Output
Path Type Description
InfoFile.Name string File name
InfoFile.EntryID string The EntryID of the report
InfoFile.Size number File size
InfoFile.Type string File type, e.g., "PE"
InfoFile.Info string Basic information of the file
InfoFile.Extension string File extension
Command Example
!sndbox-download-report analysis_id=65577395-48d8-4d51-bc97-bc2486f49ca0 type=json
Context Example and Human Readable Output: shown as screenshots in the original page, not reproduced here.

5. (Deprecated) Detonate a file


Submit a sample for detonation. This command is deprecated; use sndbox-analysis-submit-sample instead, which returns the same context.

Base Command

sndbox-detonate-file

Input
Argument Name Description Required
file_id War Room entry of a file, e.g., 3245@4 Optional
Context Output
Path Type Description
SNDBOX.Analysis.ID string Analysis ID
SNDBOX.Analysis.SampleName string Sample data (file name or URL)
SNDBOX.Analysis.Status string Analysis status
SNDBOX.Analysis.Time date Submitted time
SNDBOX.Analysis.Result string Analysis results
SNDBOX.Analysis.Errors unknown Raised errors during sampling
SNDBOX.Analysis.Link string Analysis link
SNDBOX.Analysis.MD5 string MD5 of analysis sample
SNDBOX.Analysis.SHA1 string SHA-1 of analysis sample
SNDBOX.Analysis.SHA256 string SHA-256 of analysis sample
DBotScore.Vendor string Vendor name: SNDBOX
DBotScore.Indicator unknown The name of the sample file or URL
DBotScore.Type string File
DBotScore.Score number The actual score
DBotScore.Malicious.Vendor string Vendor name: SNDBOX
DBotScore.Malicious.Detections string The sub-analysis detection statuses
DBotScore.Malicious.SHA1 string SHA-1 of the file

6. Download the sample file of an analysis


Download the sample file of an analysis. For security reasons the file is saved with the extension .dontrun, so it is not opened or executed by an accidental double-click; handle the downloaded sample only in an isolated analysis environment.

Base Command

sndbox-download-sample

Input
Argument Name Description Required
analysis_id Analysis ID Required
Context Output
Path Type Description
File.Size number File size
File.SHA1 string SHA-1 hash of the file
File.SHA256 string SHA-256 hash of the file
File.Name string The sample name
File.SSDeep string SSDeep hash of the file
File.EntryID string War Room entry ID of the file
File.Info string Basic information of the file
File.Type string File type, e.g., "PE"
File.MD5 string MD5 hash of the file
File.Extension string File extension
Command Example
!sndbox-download-sample analysis_id=65577395-48d8-4d51-bc97-bc2486f49ca0
Context Example: shown as a screenshot in the original page, not reproduced here.