In-house Sandboxes - behavioural analysis products

VirusTotal detonates files in virtual controlled environments to trace their activities and communications, producing detailed reports including opened, created and written files, created mutexes, registry keys set, contacted domains, URL lookups, etc. This execution activity is indexed in a faceted fashion in order to allow for instantaneous lookups.

Dynamic analysis capabilities do not only focus on execution traces but also on running static+dynamic analysis plugins to decode RAT malware configs and extract network infrastructure that may have not been observed during real time execution.

VirusTotal integrates external behavioural engines sandboxes. The list of external partners can be found here.

Find below a description about our in-house sandboxes:

Box Of Apples

MacOS sandbox hooking system calls.

Operating SystemType of filePcapHTML ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
MacOSMachO, DMG, PKG,Β  ISO, shell scripts, apple script, Zipped APPYesYesYesNoNoNo

OS X Sandbox

MacOS 11.6 Sandbox.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
MacOS 11.6MachO, DMG, PKG, ISOYesYesYesNoYesNo

VirusTotal Droidy

VirusTotal Android Sandbox. The API logging is inspired by droidmon.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Android 4.4Android application (APK)NoYesYesNoNoNo

VirusTotal Jujubox

Windows dynamic analysis sandbox. Frida is used for hooking and tracking Windows API calls.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows 7EXE, DLL, MSI, CHM, BAT,Β  CRX, PDF,Β  VBS, MS Office Documents, PowershellYesYesYesNoNoYes

VirusTotal Observer

Windows sysmon based sandbox.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows 7EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office Documents, PowershellNoNoNoNoNoNo

VirusTotal R2DBox

R2DBox is an Android 8 sandbox which uses Frida to make the hooks. ItΒ  runs on GCE machines.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Android 8Android application (APK)YesYesYesNoNoNo

Zenbox

Windows 10 Sandbox. It provides MITRE matrix, signature detection and memory dumps. Runs on GC VmwareEngine.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows 10EXE, DLL, MSI, CHM, BAT,Β  CRX, PDF,Β  VBS, MS Office Documents, PowershellYesYesYesYesYesYes

ZIP files without password will be processed executing the first binary found within the ZIP.

ZIP files with password will be processed only ifΒ  the password is "infected".

Zenbox Android

Supports APKs up to Android 12 (SDK 30).

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Android 12Android applicationΒ (APK)YesYesYesNoYesNo

Zenbox Linux

Supports X86,Β  X86_64, ARM, MIPS.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Ubuntu 20.04ELF, Scripts, DEBYesYesYesNoYesNo

ZIP files without password will be processed executing the first binary found within the ZIP.

ZIP files with password will be processed only ifΒ  the password is "infected".

Zenbox macOS

MacOS ARM Sandbox.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
MacOS 13MachO, DMG, PKGYesYesYesNoYesNo

CAPA

Extraction of behaviour capabilities with Mandiant CAPA

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows/LinuxEXE, ELF, DLLSNoYesNoNoYesNo

CAPE Sandbox

Windows Sandbox using CAPEv2

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows 10EXE, DLL, MSI, CHM, BAT,Β  CRX, PDF,Β  VBS, MS Office Documents, PowershellYes (with TLSdump)YesYesYesYesYes

CAPE Linux

Linux Sandbox using CAPEv2

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesSysmon Logs
Ubuntu 22.04ELF, ScriptsYesYesYesYesYesYes

Cuckoofork

Windows XP Sandbox.

Operating SystemType of filePcapHTMLΒ ReportScreenshotsMemory DumpsMITRE SignaturesEvent Logs (EVTX)
Windows XPEXE, DLL, MSI, CHM, BAT,Β  CRX, PDF,Β  VBS, MS Office Documents, PowershellYesNoNoNoNoNo