In-house Sandboxes - behavioural analysis products

Google Threat Intelligence detonates files in controlled virtual environments to trace their activities and communications, producing detailed reports that include files opened, created and written, mutexes created, registry keys set, domains contacted, URL lookups, etc. This execution activity is indexed with facets so that lookups are near-instantaneous.

Dynamic analysis is not limited to execution traces: static and dynamic analysis plugins also decode RAT malware configurations and extract network infrastructure (C2 hosts, URLs) that may not have been contacted during the live run, for instance because the sample never reached that stage or the sandbox had no Internet access.

Google Threat Intelligence also integrates sandboxes from external behavioural-analysis partners. The list of external partners is published on a separate page.

The in-house sandboxes are described below. For each one, the table lists the operating system, the file types it accepts, the artifacts it produces (pcap, HTML report, screenshots, memory dumps, MITRE ATT&CK signatures, Windows event logs) and the network modes it can run with.

Box Of Apples

MacOS x86 sandbox that hooks system calls.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MacOS | MachO, DMG, PKG, ISO, shell scripts, AppleScript, zipped APP | Yes | Yes | Yes | No | No | No | Direct, No Internet |

OS X Sandbox

MacOS 11.6 x86 sandbox.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MacOS 11.6 | MachO, DMG, PKG, ISO | Yes | Yes | Yes | No | Yes | No | Direct, No Internet |

VirusTotal Droidy

Google Threat Intelligence Android Sandbox. The API logging is inspired by droidmon.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Android 4.4 | Android application (APK) | No | Yes | Yes | No | No | No | Direct, No Internet |

VirusTotal Jujubox

Windows dynamic analysis sandbox. Frida is used to hook and trace Windows API calls.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows 7 | EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office documents, PowerShell | Yes | Yes | Yes | No | No | Yes | Direct, No Internet |

VirusTotal Observer

Windows sandbox based on Sysmon.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows 7 | EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office documents, PowerShell | No | No | No | No | No | No | Direct, No Internet |

VirusTotal R2DBox

R2DBox is an Android 8 sandbox that uses Frida for hooking. It runs on Google Compute Engine (GCE) machines.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Android 8 | Android application (APK) | Yes | Yes | Yes | No | No | No | Direct, No Internet |

Zenbox

Windows 11 sandbox. It provides a MITRE ATT&CK matrix, signature detection and memory dumps. Runs on Google Cloud VMware Engine.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows 11 | EXE, DLL, MSI, CHM, BAT, CRX, PDF, LNK, SVG, VBS, MS Office documents, PowerShell, VHDX | Yes | Yes | Yes | Yes | Yes | Yes | Direct, No Internet |

Unencrypted ZIP files are processed by executing the first binary found inside the archive, so a multi-file archive should be arranged with the intended sample first.

Password-protected ZIP files are processed only if the password is "infected".

Zenbox Android

Supports APKs up to Android 13 (SDK 33).

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Android 13 | Android application (APK) | Yes | Yes | Yes | No | Yes | No | Direct, No Internet |

Zenbox Linux

Supports x86, x86_64, ARM and MIPS.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Ubuntu 20.04 | ELF, scripts, DEB, JAR, ZIP (if it contains an executable) | Yes | Yes | Yes | No | Yes | No | Direct, No Internet |

Unencrypted ZIP files are processed by executing the first binary found inside the archive.

Password-protected ZIP files are processed only if the password is "infected".

Zenbox macOS

MacOS sandbox. Supports x86, x86_64 and ARM.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| MacOS 13 | MachO, AppleScript, DMG, PKG, scripts, ZIP | Yes | Yes | Yes | No | Yes | No | Direct, No Internet |

CAPA

Extraction of behavioural capabilities with Mandiant CAPA. CAPA is a static capability detector rather than a sandbox: the file is not executed, so there is no pcap, screenshot or network configuration, and the MITRE signatures come from rule matches on the code, not from observed behaviour.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows/Linux | EXE, ELF, DLL | No | Yes | No | No | Yes | No | N/A |

CAPE Sandbox

Windows sandbox based on CAPEv2.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows 10 | EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office documents, LibreOffice documents, PowerShell | Yes (with TLSdump) | Yes | Yes | Yes | Yes | Yes | Direct, No Internet, Simulated, VPN, Country change |

CAPE Linux

Linux sandbox based on CAPEv2.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Sysmon Logs | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Ubuntu 22.04 | ELF, scripts, JAR, DEB, Python wheels (PYTHON_WHL) | Yes | Yes | Yes | Yes | Yes | Yes | Direct, No Internet, Simulated, VPN, Country change |

Cuckoofork

Windows XP sandbox. This sandbox is deprecated: no new behaviour reports are generated, but existing reports remain available.

| Operating System | Type of file | Pcap | HTML Report | Screenshots | Memory Dumps | MITRE Signatures | Event Logs (EVTX) | Network Capabilities |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Windows XP | EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office documents, PowerShell | Yes | No | No | No | No | No | N/A |
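Because a single file is typically detonated by several of the sandboxes above, and only some of them produce memory dumps or event logs, it helps to summarise the per-sandbox behaviour reports before deciding which one to pull for deeper analysis. The following is an added example, not code from the Google Threat Intelligence documentation or product. It assumes the VirusTotal API v3 `GET /files/{id}/behaviours` endpoint with the `x-apikey` header, and the `file_behaviour` attribute names `sandbox_name`, `has_pcap`, `has_html_report`, `has_memdump`, `has_evtx` and `mitre_attack_techniques`; verify those names against the current API reference. The sample response embedded in the block is constructed, not data for a real file.

```python
"""Summarise behaviour reports per sandbox and pick the one worth pulling.

Added example; not part of the Google Threat Intelligence documentation.
"""
from __future__ import annotations

import json
import os
import urllib.request
from dataclasses import dataclass

# Artifact column names from the sandbox tables, keyed by the boolean
# attribute of the API v3 file_behaviour object. ASSUMPTION: these attribute
# names follow the public API reference; check them before relying on this.
ARTIFACT_FLAGS = {
    "has_pcap": "Pcap",
    "has_html_report": "HTML Report",
    "has_memdump": "Memory Dumps",
    "has_evtx": "Event Logs (EVTX)",
}


@dataclass(frozen=True)
class SandboxReport:
    sandbox: str
    artifacts: tuple[str, ...]         # artifact columns present, table order
    mitre_techniques: tuple[str, ...]  # sorted ATT&CK IDs, e.g. "T1055"


def summarise(response: dict) -> list[SandboxReport]:
    """Turn a /files/{id}/behaviours collection into one row per sandbox."""
    rows = []
    for obj in response.get("data", []):
        attrs = obj.get("attributes", {})
        artifacts = tuple(label for flag, label in ARTIFACT_FLAGS.items() if attrs.get(flag))
        techniques = tuple(sorted({t["id"] for t in attrs.get("mitre_attack_techniques", [])}))
        rows.append(SandboxReport(attrs.get("sandbox_name", "?"), artifacts, techniques))
    return sorted(rows, key=lambda r: r.sandbox)


def pick_report(reports, want=("Memory Dumps", "Event Logs (EVTX)")):
    """First report carrying every artifact in `want`, or None if no sandbox does.

    Per the tables above only Zenbox and CAPE produce both memory dumps and
    EVTX, which is what forensic follow-up (unpacked payloads, process tree
    from event logs) usually needs.
    """
    for r in reports:
        if all(a in r.artifacts for a in want):
            return r
    return None


def corroborated_techniques(reports, min_sandboxes: int = 2) -> dict[str, list[str]]:
    """ATT&CK IDs reported by at least `min_sandboxes` distinct sandboxes.

    Agreement between independent engines down-weights a single sandbox's
    noisy signature.
    """
    seen: dict[str, set[str]] = {}
    for r in reports:
        for tid in r.mitre_techniques:
            seen.setdefault(tid, set()).add(r.sandbox)
    return {tid: sorted(boxes) for tid, boxes in sorted(seen.items()) if len(boxes) >= min_sandboxes}


def fetch_behaviours(sha256: str, api_key: str | None = None) -> dict:
    """Live lookup (needs network and a key in VT_API_KEY); not run offline."""
    key = api_key or os.environ["VT_API_KEY"]
    req = urllib.request.Request(
        f"https://www.virustotal.com/api/v3/files/{sha256}/behaviours",
        headers={"x-apikey": key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# CONSTRUCTED sample response shaped like the API collection; not real data.
SAMPLE_RESPONSE = {
    "data": [
        {"type": "file_behaviour", "attributes": {
            "sandbox_name": "Zenbox", "has_pcap": True, "has_html_report": True,
            "has_memdump": True, "has_evtx": True,
            "mitre_attack_techniques": [
                {"id": "T1055", "signature_description": "Injects code into another process"},
                {"id": "T1082", "signature_description": "Queries system information"}]}},
        {"type": "file_behaviour", "attributes": {
            "sandbox_name": "VirusTotal Jujubox", "has_pcap": True, "has_html_report": True,
            "has_memdump": False, "has_evtx": True, "mitre_attack_techniques": []}},
        {"type": "file_behaviour", "attributes": {
            "sandbox_name": "CAPE Sandbox", "has_pcap": True, "has_html_report": True,
            "has_memdump": True, "has_evtx": True,
            "mitre_attack_techniques": [{"id": "T1055", "signature_description": "Process injection"}]}},
    ]
}

if __name__ == "__main__":
    rows = summarise(SAMPLE_RESPONSE)
    for r in rows:
        print(f"{r.sandbox:20} {', '.join(r.artifacts) or '-':50} {', '.join(r.mitre_techniques) or '-'}")
    print("forensic pick:", pick_report(rows).sandbox)
    print("corroborated :", corroborated_techniques(rows))
```

Run it as-is to see the summary for the constructed sample; replace `SAMPLE_RESPONSE` with `fetch_behaviours("<sha256>")` once a key is available. Note that CAPA rows, if present, will show MITRE signatures without any pcap or screenshots, consistent with it being a static detector rather than a sandbox.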