Google Threat Intelligence detonates files in virtual controlled environments to trace their activities and communications, producing detailed reports including opened, created and written files, created mutexes, registry keys set, contacted domains, URL lookups, etc. This execution activity is indexed in a faceted fashion in order to allow for instantaneous lookups.

Dynamic analysis capabilities do not only focus on execution traces but also on running static+dynamic analysis plugins to decode RAT malware configs and extract network infrastructure that may have not been observed during real time execution.

Google Threat Intelligence integrates external behavioural engines sandboxes. The list of external partners can be found here.

Find below a description about our in-house sandboxes:

Box Of Apples

MacOS x86 sandbox hooking system calls.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
MacOS	MachO, DMG, PKG, ISO, shell scripts, apple script, Zipped APP	Yes	Yes	Yes	No	No	No	Direct, No Internet

OS X Sandbox

MacOS x86 11.6 Sandbox.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
MacOS 11.6	MachO, DMG, PKG, ISO	Yes	Yes	Yes	No	Yes	No	Direct, No Internet

VirusTotal Droidy

Google Threat Intelligence Android Sandbox. The API logging is inspired by droidmon.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Android 4.4	Android application (APK)	No	Yes	Yes	No	No	No	Direct, No Internet

VirusTotal Jujubox

Windows dynamic analysis sandbox. Frida is used for hooking and tracking Windows API calls.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows 7	EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office Documents, Powershell	Yes	Yes	Yes	No	No	Yes	Direct, No Internet

VirusTotal Observer

Windows sysmon based sandbox.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows 7	EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office Documents, Powershell	No	No	No	No	No	No	Direct, No Internet

VirusTotal R2DBox

R2DBox is an Android 8 sandbox which uses Frida to make the hooks. It runs on GCE machines.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Android 8	Android application (APK)	Yes	Yes	Yes	No	No	No	Direct, No Internet

Zenbox

Windows 11 Sandbox. It provides MITRE matrix, signature detection and memory dumps. Runs on GC VmwareEngine.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows 11	EXE, DLL, MSI, CHM, BAT, CRX, PDF, LNK, SVG, VBS, MS Office Documents, Powershell, VHDX	Yes	Yes	Yes	Yes	Yes	Yes	Direct, No Internet

ZIP files without password will be processed executing the first binary found within the ZIP.

ZIP files with password will be processed only if the password is "infected".

Zenbox Android

Supports APKs up to Android 13 (SDK 33).

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Android 13	Android application (APK)	Yes	Yes	Yes	No	Yes	No	Direct, No Internet

Zenbox Linux

Supports X86, X86_64, ARM, MIPS.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Ubuntu 20.04	ELF, Scripts, DEB, JAR, ZIP (if inside executable)	Yes	Yes	Yes	No	Yes	No	Direct, No Internet

ZIP files without password will be processed executing the first binary found within the ZIP.

ZIP files with password will be processed only if the password is "infected".

Zenbox macOS

MacOS Sandbox. Supports X86, X86_64, ARM.

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
MacOS 13	MachO, APPLESCRIPT, DMG, PKG, Scripts, ZIP	Yes	Yes	Yes	No	Yes	No	Direct, No Internet

CAPA

Extraction of behaviour capabilities with Mandiant CAPA

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows/Linux	EXE, ELF, DLLS	No	Yes	No	No	Yes	No	N/A

CAPE Sandbox

Windows Sandbox using CAPEv2

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows 10	EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office Documents, LibreOffice Documents, Powershell	Yes (with TLSdump)	Yes	Yes	Yes	Yes	Yes	Direct, No Internet, Simulated, VPN, Country change

CAPE Linux

Linux Sandbox using CAPEv2

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Sysmon Logs	Network Capabilities
Ubuntu 22.04	ELF, Scripts, JAR, DEB, PYTHON_WHL	Yes	Yes	Yes	Yes	Yes	Yes	Direct, No Internet, Simulated, VPN, Country change

Cuckoofork

Windows XP Sandbox. (This feature is deprecated. No new behavior reports will be generated. Existing reports will remain available.)

Operating System	Type of file	Pcap	HTML Report	Screenshots	Memory Dumps	MITRE Signatures	Event Logs (EVTX)	Network Capabilities
Windows XP	EXE, DLL, MSI, CHM, BAT, CRX, PDF, VBS, MS Office Documents, Powershell	Yes	No	No	No	No	No	N/A