Once the attachment(s) have been fully processed you are shown a brief scan result with the option to View Results, i.e. the Sandbox Analysis Report. This report shows what occurred while the attachment ran in the sandbox and the signatures that led to its scan result. Each part of the analysis is broken down into the sections described below:
Basic information to help you understand each part of your Sandbox Analysis Report.
At the top of every report is an Overview with file details and basic information about the sandbox used during the analysis. File details include size, type, MD5, SHA1, SHA256, and CRC32; together these are the attachment's identity. When correlating the sample with other sources, use the SHA256: MD5, SHA1 and CRC32 are convenient lookup keys, but they are not collision resistant, so a match on one of them alone does not prove two files are identical.
The Process Tree logs, in order of occurrence, every process that ran during the Sandbox Analysis, nested under the process that spawned it, so a document that starts PowerShell, which in turn starts a dropped executable, shows up as one chain.
Screenshots of the sandbox environment taken during the analysis, i.e. a visual of how the sandbox was affected (ransom notes, fake error dialogs, and installer prompts show up here).
Signatures are the significant behaviours that led to the scan result, e.g. network connections, downloads, creating files, modifying system files, etc. Each signature has a brief description, is colour coded, and is placed in order of severity. The three levels, from least to most severe, are:
Common procedures or connections that are expected, such as process crashes and system lookups, e.g. checking the amount of memory in the system. Low severity does not mean irrelevant: a memory check is one way malware identifies a virtual machine before deciding whether to run, so it is worth noting alongside the other results.
Processes, connections, and other behaviours that are suspicious and possibly dangerous, e.g. a URL downloaded by a PowerShell script, or PowerShell sending data to a remote host.
Malicious processes, connections, and behaviours generally seen when executing malware/viruses, e.g. checking for anti-virus software, or dropping a binary file and executing it.
A basic breakdown of any files created after the attachment was executed; these can be simple log files or ransomware at work. Created-file details include filename, path, size, type, MD5, SHA1, SHA256, and CRC32. The hashes of a dropped file are worth looking up separately, because the dropped payload is often the real malware and the attachment only the delivery vehicle.
Details of any HTTP and HTTPS requests that were attempted or made during the analysis, including the requested URL, what was requested, and the response. These connections can be used to download a payload or to send data out. For HTTPS, how much of the request is visible depends on whether the sandbox intercepts TLS; without interception only the destination is seen, not the URL path or the response.
Details of any DNS records requested during the analysis, such as A records. The requested names are a direct indicator of the infrastructure the sample tried to reach, even when the connection itself never succeeded.
Internet Control Message Protocol (ICMP) traffic details, including Source IP and Dest IP. ICMP has no port numbers; an ICMP message is identified by its type and code (for example, type 8 is an echo request), so there is no port to record for this traffic.
Transmission Control Protocol (TCP) traffic details, including Source IP, Source Port, Dest IP, & Dest Port.
User Datagram Protocol (UDP) traffic details, including Source IP, Source Port, Dest IP, & Dest Port.
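As an added example (not the page's or the product's own code): a small Python triage helper that works through the sections above over a constructed report in a Cuckoo-like JSON shape. It recomputes the Overview hashes to confirm the bytes you hold match the report, flattens the Process Tree, ranks Signatures by severity to derive the scan result, and pulls indicators from the DNS, HTTP, TCP, UDP and ICMP sections. The report layout, the severity labels, the sample bytes, and the addresses (documentation IP ranges and the reserved .invalid domain) are all assumptions constructed for the example.

```python
import hashlib
import zlib

# Severity labels are an assumption for illustration: the page says signatures
# are colour coded and ordered by severity but does not name the levels.
SEVERITY_RANK = {"informational": 1, "suspicious": 2, "malicious": 3}

# Constructed sample attachment bytes (harmless placeholder content).
SAMPLE_BYTES = b"{\\rtf1 constructed sample attachment for the report example}"


def file_identity(data: bytes) -> dict:
    """Compute the Overview identity fields: size, MD5, SHA1, SHA256, CRC32."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "crc32": format(zlib.crc32(data) & 0xFFFFFFFF, "08x"),
    }


# Constructed sample report in a Cuckoo-like JSON shape. The shape is an
# assumption for illustration, not the schema of the product on this page.
SAMPLE_REPORT = {
    "overview": {"filename": "invoice.doc", **file_identity(SAMPLE_BYTES)},
    "process_tree": [
        {"name": "WINWORD.EXE", "pid": 1204, "children": [
            {"name": "powershell.exe", "pid": 1388, "children": [
                {"name": "update.exe", "pid": 1500, "children": []}]}]},
    ],
    "signatures": [
        {"name": "Checks amount of memory in system", "severity": "informational"},
        {"name": "Drops a binary file and executes it", "severity": "malicious"},
        {"name": "PowerShell sends data to a remote host", "severity": "suspicious"},
    ],
    "dropped_files": [{"name": "update.exe", "type": "PE32", "path": "C:\\Temp\\update.exe"}],
    "network": {
        "dns": [{"request": "cdn.example.invalid", "type": "A"}],
        "http": [{"method": "GET", "url": "http://cdn.example.invalid/update.exe", "status": 200}],
        "tcp": [{"src": "10.0.2.15", "sport": 49152, "dst": "203.0.113.10", "dport": 80}],
        "udp": [{"src": "10.0.2.15", "sport": 51234, "dst": "10.0.2.3", "dport": 53}],
        "icmp": [{"src": "10.0.2.15", "dst": "203.0.113.10", "type": 8, "code": 0}],
    },
}


def verify_identity(report: dict, data: bytes) -> bool:
    """Check that the bytes you hold are the ones the report describes. SHA256 is
    the field to trust; MD5, SHA1 and CRC32 are lookup keys, not proof of identity."""
    return file_identity(data)["sha256"] == report["overview"]["sha256"]


def process_chain(report: dict) -> list:
    """Flatten the Process Tree into 'parent > child' chains in order of occurrence."""
    chains = []

    def walk(node: dict, prefix: str) -> None:
        label = f"{node['name']} ({node['pid']})"
        chain = f"{prefix} > {label}" if prefix else label
        chains.append(chain)
        for child in node["children"]:
            walk(child, chain)

    for root in report["process_tree"]:
        walk(root, "")
    return chains


def rank_signatures(report: dict) -> list:
    """Order signatures most severe first; ties keep the report's own order."""
    return sorted(report["signatures"], key=lambda s: SEVERITY_RANK[s["severity"]], reverse=True)


def verdict(report: dict) -> str:
    """The scan result follows the most severe signature that fired."""
    ranked = rank_signatures(report)
    return ranked[0]["severity"] if ranked else "clean"


def network_iocs(report: dict, sandbox_net: str = "10.0.2.") -> dict:
    """Collect indicators from the DNS, HTTP, TCP, UDP and ICMP sections.
    Destinations inside the sandbox's own network (its DNS resolver, for one)
    are dropped so they are not mistaken for attacker infrastructure."""
    net = report["network"]
    endpoints = set()
    for proto in ("tcp", "udp"):
        for flow in net[proto]:
            if not flow["dst"].startswith(sandbox_net):
                endpoints.add(f"{flow['dst']}:{flow['dport']}/{proto}")
    # ICMP has no ports, so only the destination address is an indicator.
    for pkt in net["icmp"]:
        if not pkt["dst"].startswith(sandbox_net):
            endpoints.add(f"{pkt['dst']}/icmp")
    return {
        "domains": sorted({d["request"] for d in net["dns"]}),
        "urls": sorted({h["url"] for h in net["http"]}),
        "endpoints": sorted(endpoints),
        "dropped": sorted(f["name"] for f in report["dropped_files"]),
    }


if __name__ == "__main__":
    print(verdict(SAMPLE_REPORT), process_chain(SAMPLE_REPORT)[-1])
    print(network_iocs(SAMPLE_REPORT))
```

The `sandbox_net` prefix is the one detail you must adapt to your own environment: the sandbox VM's gateway and resolver appear in every TCP and UDP section, and feeding them to a blocklist would be a self-inflicted outage.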