Advanced scan
Info
For this option, you need to specify at least one sandbox in the config.
Quick start
# "-t" is the time of behavioral analysissandbox-cli scanner scan-new -t 120 malware
[INFO] Using key: name=escdev max_workers=8
[DONE] [win10-22H2-x64] • malware • https://sandbox.example.com/tasks/eafc5f87-ffac-11ef-96ad-72ab1bd29c47
[INFO] Using key: name=escdev max_workers=8
[DONE] [win10-22H2-x64] • malware • https://sandbox.example.com/tasks/eafc5f87-ffac-11ef-96ad-72ab1bd29c47
Note
At startup, a progress bar will be launched with waiting, but this is not shown here.
Options
Download options
The options allow you to additionally configure which files will be downloaded from the task.
| Option | Description | Default |
|---|---|---|
--all / -a |
Enables all of the following options. | False |
--debug / -d |
All debug files will be downloaded. | False |
--artifacts / -A |
All created artifacts (files and process dumps) will be downloaded. Combines -f and -p. |
False |
--files / -f |
All files extracted during the analysis will be downloaded. | False |
--crashdumps / -c |
A special file that is created during the BSOD. By default, this file is not generated by the sandbox. |
False |
--procdumps / -p |
All process dumps during the analysis will be downloaded. | False |
Parameters
| Option | Description | Default |
|---|---|---|
--rules / -r |
The path to your own rules. | None |
--out / -o |
The path where the analysis results will be saved. | ./sandbox |
--local / -l |
Compile rules locally or on the server. I guess you can just ignore this option. |
False |
--upload-timeout / -T |
This option allows you to increase the file upload timeout. For example, if you are uploading a large file with a slow internet . |
300 in seconds |
--unpack / -U |
The downloaded logs will be automatically converted. Learn more in Analyzing logs. |
False |
--decompress / -D |
Since process dumps are downloaded in a compressed format, this option allows them to be decompressed automatically. | False |
Sandbox Options
| Option | Description | Default |
|---|---|---|
--image / -i |
The image on which the behavioral analysis will be performed. | None |
--key / -k |
The name of the key for accessing a specific sandbox. | None |
--name / -n |
The name of the file that will be in the sandbox. | {filename} |
--timeout / -t |
Analysis duration. | 300 in seconds |
--syscall-hooks / -s |
Read more about it in py-ptsandbox. | None |
--dll-hooks-dir / -dll |
Read more about it in py-ptsandbox. | None |
--cmd |
Read more about it in py-ptsandbox. | None |
--priority / -pr |
Read more about it in py-ptsandbox. | 3 |
--procdump-new-processes-on-finish / -P |
Read more about it in py-ptsandbox. | False |
--bootkitmon / -b |
Read more about it in py-ptsandbox. | False |
--bootkitmon-duration / -bd |
Read more about it in py-ptsandbox. | 60 |
--mitm-disabled / -M |
Read more about it in py-ptsandbox. | False |
--disable-clicker / -dc |
Read more about it in py-ptsandbox. | False |
--skip-sample-run / -S |
Read more about it in py-ptsandbox. | False |
--vnc-mode / -V |
Read more about it in py-ptsandbox. | disabled |
--extra-files / -e |
Read more about it in py-ptsandbox. | None |
Tip
You can specify several images, for example:
Tip
You can specify several extra files, for example:
Cookbook
Starting a manual analysis
# -V full - a task will be created in a special mode with support for manual analysis# -dc - disabling the clicker to control the mouse yourself# -i - selecting a scan image# -t 300 - behavioral analysis time (5 min)sandbox-cli scanner scan-new -V full -dc -i ubuntu-jammy-x64 -t 300 malware.elf
Scan the sample on all available windows images
For example, there are only three Windows images available on the stand, and analysis will be launched on all of them.
sandbox-cli scanner scan-new -i windows -t 120 malware.elf
[INFO] Using key: name=test-1 max_workers=8
[INFO] Scanning on: win10-22H2-x64, win10-1803-x64, win11-23H2-x64
...
[INFO] Using key: name=test-1 max_workers=8
[INFO] Scanning on: win10-22H2-x64, win10-1803-x64, win11-23H2-x64
...
Tip
Change -i windows to -i linux if you need to scan on all available linux images.
Scanning a large amount of samples at a time
# -U - automatic unpacking of logssandbox-cli scanner scan-new -U -i win11-23H2-x64 -t 120 samples/*.exe
Help
sandbox-cli scanner scan-new --help
Usage: sandbox-cli scanner scan-new [ARGS] [OPTIONS]
Send files to scan with the sandbox (advanced scan).
╭─ Arguments ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * FILES Path to the files or folders to scan [required] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Download options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --all -a Download all artifacts [default: False] │
│ --debug -d Download debug artifacts [default: False] │
│ --artifacts -A Download artifacts [default: False] │
│ --files -f Download files [default: False] │
│ --crashdumps -c Download crashdumps (maybe be more 1GB) [default: False] │
│ --procdumps -p Download procdumps [default: False] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Parameters ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --rules -r The path to the folder with the rules or the default rules from the sandbox │
│ --out -o The path where to save the results [default: sandbox] │
│ --local -l The rules will be compiled locally using Docker (unix only) [default: False] │
│ --upload-timeout -T Upload timeout in seconds (increase if upload big files) [default: 300] │
│ --unpack -U Unpack downloaded files [default: False] │
│ --decompress -D Decompress downloaded files [default: False] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Sandbox Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --image -i The name of the image to scan (don't mix different platforms) │
│ │
│ • altworkstation-10-x64 │
│ • astralinux-smolensk-x64 │
│ • redos-8-x64 │
│ • redos-murom-x64 │
│ • ubuntu-jammy-x64 │
│ • win10-1803-x64 │
│ • win10-22H2-x64 │
│ • win11-23H2-x64 │
│ • win7-sp1-x64 │
│ • win7-sp1-x64-ics │
│ • win8.1-update1-x64 │
│ • winserv2016-1198-x64 │
│ • winserv2019-1879-x64 │
│ • linux │
│ • windows │
│ --key -k The key to access the sandbox test-1,test-2,test-3 [default: test-1] │
│ --name -n Fake name for the sandbox (if specified more than one file will be applied to all │
│ files) │
│ --timeout -t Analysis duration in seconds [default: 300] │
│ --syscall-hooks -s Path to files with syscall hooks (file with syscall names splitted by newline) │
│ --dll-hooks-dir -dll Path to directory with dll hooks │
│ --cmd Command line for file execution rundll32.exe {file},#1 │
│ --priority -pr Priority of the scan (1-4) [default: 3] │
│ --procdump-new-processes-on-finish -P Collect dumps for all created and not finished processes [default: False] │
│ --bootkitmon -b Enable bootkitmon [default: False] │
│ --bootkitmon-duration -bd Bootkitmon duration in seconds [default: 60] │
│ --mitm-disabled -M Disable MITM [default: False] │
│ --disable-clicker -dc Disable clicker [default: False] │
│ --skip-sample-run -S Skip sample run [default: False] │
│ --vnc-mode -V VNC mode [choices: disabled, full, read-only] [default: disabled] │
│ --extra-files -e Extra files to upload │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Usage: sandbox-cli scanner scan-new [ARGS] [OPTIONS]
Send files to scan with the sandbox (advanced scan).
╭─ Arguments ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ * FILES Path to the files or folders to scan [required] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Download options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --all -a Download all artifacts [default: False] │
│ --debug -d Download debug artifacts [default: False] │
│ --artifacts -A Download artifacts [default: False] │
│ --files -f Download files [default: False] │
│ --crashdumps -c Download crashdumps (maybe be more 1GB) [default: False] │
│ --procdumps -p Download procdumps [default: False] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Parameters ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --rules -r The path to the folder with the rules or the default rules from the sandbox │
│ --out -o The path where to save the results [default: sandbox] │
│ --local -l The rules will be compiled locally using Docker (unix only) [default: False] │
│ --upload-timeout -T Upload timeout in seconds (increase if upload big files) [default: 300] │
│ --unpack -U Unpack downloaded files [default: False] │
│ --decompress -D Decompress downloaded files [default: False] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─ Sandbox Options ───────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ --image -i The name of the image to scan (don't mix different platforms) │
│ │
│ • altworkstation-10-x64 │
│ • astralinux-smolensk-x64 │
│ • redos-8-x64 │
│ • redos-murom-x64 │
│ • ubuntu-jammy-x64 │
│ • win10-1803-x64 │
│ • win10-22H2-x64 │
│ • win11-23H2-x64 │
│ • win7-sp1-x64 │
│ • win7-sp1-x64-ics │
│ • win8.1-update1-x64 │
│ • winserv2016-1198-x64 │
│ • winserv2019-1879-x64 │
│ • linux │
│ • windows │
│ --key -k The key to access the sandbox test-1,test-2,test-3 [default: test-1] │
│ --name -n Fake name for the sandbox (if specified more than one file will be applied to all │
│ files) │
│ --timeout -t Analysis duration in seconds [default: 300] │
│ --syscall-hooks -s Path to files with syscall hooks (file with syscall names splitted by newline) │
│ --dll-hooks-dir -dll Path to directory with dll hooks │
│ --cmd Command line for file execution rundll32.exe {file},#1 │
│ --priority -pr Priority of the scan (1-4) [default: 3] │
│ --procdump-new-processes-on-finish -P Collect dumps for all created and not finished processes [default: False] │
│ --bootkitmon -b Enable bootkitmon [default: False] │
│ --bootkitmon-duration -bd Bootkitmon duration in seconds [default: 60] │
│ --mitm-disabled -M Disable MITM [default: False] │
│ --disable-clicker -dc Disable clicker [default: False] │
│ --skip-sample-run -S Skip sample run [default: False] │
│ --vnc-mode -V VNC mode [choices: disabled, full, read-only] [default: disabled] │
│ --extra-files -e Extra files to upload │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Info
The utility has a fairly extensive list of images, but this doesn't mean that they are all available or will be available.
But in general, if you are interested in some of the images, then I think you can find out more information from the manager.