Cyware Threat Intelligence eXchange

Sandbox

Use Sandbox to analyze suspicious files and URLs in isolated virtual environments. This enables the detection of malicious behavior, extraction of indicators, and generation of actionable threat intelligence without exposing live systems.

Before you Start

Ensure that your user group has the following permissions:

  • View Sandbox Records

  • Create Sandbox Records

Steps

To perform a sandbox analysis, follow these steps:

  1. Go to the Main Menu and select Sandbox under Analysis.

  2. In the Sandbox tab, choose one of the following submission types: 

    • Upload File: Click the Drag & Drop or Browse area to select a file from your system. For more information on supported file formats and size limits, see Supported File Types and Size.

    • Enter URL: Paste the URL into the input field. 

  3. Provide the following details: 

    • Community: The destination for your submission. Only private communities are currently supported, meaning access is limited to specific organizations or user groups.

    • Sandbox Provider: Select one of the following: 

      • CAPE: Executes the file or URL in a Windows 10 virtual environment (win-10-build-19041).

      • Triage: Offers multiple environments, including Windows, Linux, and Android.

        Note

        The environments available during analysis depend on the type of file or URL submitted.

    • Internet Access: Choose whether the sandbox environment has internet connectivity. When enabled (default), the sample can connect to external servers, fetch payloads, and trigger behaviors that require internet access. Disable it to run the analysis in a fully isolated environment. Keep in mind that with internet access enabled, the sample's traffic reaches real external servers, including any attacker infrastructure it contacts; with it disabled, a stager that downloads its payload cannot reach it, so the observed activity, and therefore the verdict, may be limited to the first stage.

  4. Click Submit.

After submission, the file or URL appears in the Sandbox listing table with the corresponding analysis status.

Supported Actions

After the analysis is complete, you can take the following actions:

  • View Reports: Review the results and behavioral analysis.

  • Download Report: Save the full report in HTML format for offline use.

  • Create Intel: Generate threat intelligence from the analyzed data. For more information, see Create Intel from Sandbox.

These actions help you quickly pivot from sandbox analysis to threat investigation and intelligence creation.

View Sandbox Submissions

The Sandbox table displays all your submissions with key information for quick reference. Each row includes the following details:

  • Title: Name of the submitted file or the full URL.

  • Sandbox Provider: Sandbox engine and the virtual machine environment selected for analysis. For example, CAPE – win-10-build-19041.

  • Status: Current analysis status: In Progress, Completed, or Failed.

  • Malicious Score: Numerical score representing the threat level of the submitted file or URL.

  • Verdict: Outcome of the analysis, such as Malicious, Suspicious, or Benign. See Verdict Types for the full list.

  • Type: Type of submission: FILE or URL.

  • Submitted By: Email ID of the user who submitted the artifact.

  • Submitted On: Date and time when the artifact was submitted for analysis.

You can also search and sort records using filters and column headers to efficiently locate specific sandboxed records.

View Sandbox Report

Open any record with a Completed status to view the sandbox report. It includes the following sections:

IOCs

This tab lists threat data identified during the analysis. Each entry has the following fields:

  • Type: Type of threat indicator or STIX object. For example, Attack Pattern or SHA256.

  • Value: Extracted IOC value. For example, the technique ID T1057 for an Attack Pattern, or the hash itself for SHA256.

  • Risk Score: Threat score associated with the IOC, if available.

You can view the full details of an IOC by opening the corresponding threat data object in the Threat Data module.

Analysis Report

This tab provides technical insights from the sandbox provider. The information is organized into the following sections:

  • Environment: Displays the provider name and the virtual machine used for analysis. For example, CAPE: Microsoft Windows 10 Pro.

  • Network: Lists any network activity observed during execution, such as contacted domains, IP addresses, or DNS queries.

  • Dropped Files: Shows files created or downloaded by the submitted sample during analysis.

  • Analysis: Includes detailed behavioral observations and technical logs captured during the execution.

Verdict Types

After a file or URL is sandboxed, a verdict is generated to indicate the outcome of the analysis. The possible verdicts are:

  • Malicious: Confirms the presence of harmful behavior or known malicious indicators.

  • Suspicious: Indicates behavior that may be harmful but lacks definitive evidence.

  • Benign: Confirms the content is safe and does not exhibit malicious behavior.

  • Unknown: A conclusive determination could not be made due to insufficient evidence or limited observed activity.

  • Not Applicable: The analysis could not be completed or was skipped based on the configuration.

A Benign verdict reflects what was observed in the selected environment with the selected Internet Access setting. A sample that checks for a specific environment, or that needs a network connection to fetch its payload, can appear benign in a run where those conditions were not met, so consider re-running it with a different provider environment or connectivity setting before treating it as clean.

Supported File Types and Size

  • Files: .dll, .upx, .exe, .msi, .chm, .hta, .iqy, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pub, .pub2016, .zip, .one, .mht, .hwp, .ich, .inp, .pdf, .rtf, .slk, .swf, .html, .bat, .ps1, .js, .jse, .vbe, .pl, .py, .vbs, .wsf, .apk, .dex, .jar, .lnk, .url, .jnlp, .reg, .xslt, .xps. Maximum size: 32 MB.

  • URLs: Must begin with http://, https://, or www. Size limit: not applicable.
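The following script is an added example, not Cyware's code or part of the CTIX product. It applies the rules from the table above (supported extensions, the 32 MB limit, the URL prefix requirement) so a batch of artifacts can be screened locally before they are submitted, and computes each file's SHA256, the same hash type the IOCs tab reports, so already-sandboxed samples can be deduplicated. The table does not say whether "32 MB" means 32,000,000 or 33,554,432 bytes; the script assumes the latter. The sample file names and contents in demo() are constructed, not real samples, and the sandbox still makes the final decision on what it accepts.

```python
"""Pre-submission screening for CTIX Sandbox artifacts (added example,
not Cyware's code). Applies the constraints from the Supported File Types
and Size table; the sandbox still makes the final decision."""
import hashlib
import os
import tempfile

# Formats copied from the "Supported File Types and Size" table on this page.
SUPPORTED_EXTENSIONS = frozenset({
    ".dll", ".upx", ".exe", ".msi", ".chm", ".hta", ".iqy", ".doc", ".docx",
    ".xls", ".xlsx", ".ppt", ".pptx", ".pub", ".pub2016", ".zip", ".one",
    ".mht", ".hwp", ".ich", ".inp", ".pdf", ".rtf", ".slk", ".swf", ".html",
    ".bat", ".ps1", ".js", ".jse", ".vbe", ".pl", ".py", ".vbs", ".wsf",
    ".apk", ".dex", ".jar", ".lnk", ".url", ".jnlp", ".reg", ".xslt", ".xps",
})
# The page says "32 MB" without specifying the unit; 32 MiB is assumed here.
MAX_FILE_SIZE = 32 * 1024 * 1024
URL_PREFIXES = ("http://", "https://", "www.")


def looks_like_url(item: str) -> bool:
    """Route to the URL checker if the item carries a scheme or starts with www."""
    lowered = item.strip().lower()
    return "://" in lowered or lowered.startswith("www.")


def check_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL submission."""
    candidate = url.strip()
    if not candidate or any(ch.isspace() for ch in candidate):
        return False, "URL is empty or contains whitespace"
    if not candidate.lower().startswith(URL_PREFIXES):
        return False, "URL must begin with http://, https://, or www."
    return True, "ok"


def check_file(path: str) -> tuple[bool, str]:
    """Return (ok, reason) for a file submission."""
    if not os.path.isfile(path):
        return False, "not a regular file"
    # Compare extensions case-insensitively: Windows runs payload.EXE as
    # readily as payload.exe, and attackers use that to dodge naive filters.
    ext = os.path.splitext(path)[1].lower()
    if ext not in SUPPORTED_EXTENSIONS:
        return False, f"unsupported extension {ext or '(none)'}"
    size = os.path.getsize(path)
    if size == 0:
        return False, "file is empty"
    if size > MAX_FILE_SIZE:
        return False, f"{size} bytes exceeds the 32 MB limit"
    return True, "ok"


def sha256_of(path: str) -> str:
    """SHA-256 of a file, the hash type the IOCs tab reports; useful for
    deduplicating against samples already in the Sandbox listing."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def screen(artifacts: list[str]) -> dict[str, tuple[bool, str]]:
    """Classify each artifact as a URL or FILE submission and check it."""
    return {
        item: check_url(item) if looks_like_url(item) else check_file(item)
        for item in artifacts
    }


def demo() -> tuple[dict[str, tuple[bool, str]], str]:
    """Run the checks on constructed inputs (not real samples). Returns the
    screening results keyed by file name or URL, plus the SHA-256 of note.rtf."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "invoice.DOCX": b"PK\x03\x04" + b"\x00" * 64,  # accepted; case-insensitive
            "archive.7z": b"7z\xbc\xaf\x27\x1c",            # not in the table
            "empty.pdf": b"",                                # zero bytes
            "note.rtf": b"abc",                              # hashed below
        }
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(tmp, name)
            with open(paths[name], "wb") as fh:
                fh.write(data)
        urls = ["https://example.test/payload", "ftp://example.test/x"]
        raw = screen(list(paths.values()) + urls)
        # Re-key files by basename so the temp directory does not leak into output.
        results = {os.path.basename(k) if k in paths.values() else k: v
                   for k, v in raw.items()}
        return results, sha256_of(paths["note.rtf"])


if __name__ == "__main__":
    results, digest = demo()
    for artifact, (ok, reason) in results.items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {artifact}: {reason}")
    print("sha256(note.rtf) =", digest)
```

Run it before a bulk upload to catch artifacts the UI would reject (wrong extension, oversized or empty files, URLs with an unsupported scheme), and use the SHA256 output to search the Sandbox listing or Threat Data module for an existing record before resubmitting the same sample.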