OrangeCyberDefense Sandbox (P2A) P2A Sandbox Doc Reference

Artifacts

  • dump_enable_file_dumps: Extract file artifacts
      If set, interacted files will be extracted
      default: True
    • More details

      Using Enable File Artifacts Extraction

      The dump_enable_file_dumps option controls whether interacted files will be extracted during analysis. When enabled, p2a will extract files that are interacted with during the execution of the sample being analyzed.

      Considerations and Recommendations

      When using the dump_enable_file_dumps option:

    • File Extraction: Enabling this option allows you to retrieve files that are accessed, created, or manipulated by the sample during execution.
    • Storage Impact: Extracting files can lead to an increase in storage requirements, especially if the sample interacts with numerous files.

      • For optimal results:

    • Enable this option when you need to inspect the files that the sample interacts with to understand its behavior and potential impact.
    • Monitor the storage usage and manage available space, especially when analyzing samples that generate a large number of files.

      • Example Use Case

      Imagine you are analyzing a suspicious executable that is suspected of dropping additional files onto the system. By enabling the dump_enable_file_dumps option, you can ensure that p2a extracts and saves any files that the executable interacts with during its execution. This allows you to review and analyze the extracted files to identify any potentially malicious or unauthorized activities performed by the executable.

  • dump_enable_network_dumps: Extract network dumps
      If set, network packets will be extracted
      default: True
    • More details

      Using Enable Network Packet Extraction

      The dump_enable_network_dumps option controls whether network packets will be extracted during analysis. When enabled, p2a will capture and save network packets that are exchanged during the execution of the sample being analyzed.

      Considerations and Recommendations

      When using the dump_enable_network_dumps option:

    • Network Packet Capture: Enabling this option allows you to observe and analyze network communication between the sample and external entities.
    • Privacy and Data: Be mindful of potential sensitive information contained in network traffic, especially if personal or confidential data is involved.

      • For optimal results:

    • Enable this option when you need to monitor and analyze the network behavior of the sample to understand its communication patterns and potential network-based threats.
    • Ensure that capturing network packets aligns with legal and ethical considerations, especially when dealing with private or sensitive information.

      • Example Use Case

      Suppose you are analyzing a suspicious executable that is suspected of establishing network connections to external servers. By enabling the dump_enable_network_dumps option, you can capture and save the network packets exchanged between the executable and the external servers. This enables you to inspect the contents of the network communication, identify potential command and control activities, and gain insights into the data being transmitted.

  • dump_enable_registry_dumps: Extract registry dumps
      If set, interacted registry keys will be extracted
      default: True
    • More details

      Using Enable Registry Key Extraction

      The dump_enable_registry_dumps option controls whether interacted registry keys will be extracted during analysis. When enabled, p2a will extract and save registry keys that are accessed, modified, or created by the sample being analyzed.

      Considerations and Recommendations

      When using the dump_enable_registry_dumps option:

    • Registry Key Extraction: Enabling this option allows you to capture and analyze changes to the Windows registry made by the sample during its execution.
    • Registry Impact: Be cautious of potential impact on the system's registry due to the extraction of keys, especially when analyzing potentially malicious samples.

      • For optimal results:

    • Enable this option when you need to understand the sample's interaction with the Windows registry, as it can provide insights into its behavior and system modifications.
    • Monitor the changes to the system's registry to ensure that the analysis process does not negatively affect the system's stability.

      • Example Use Case

      Imagine you are analyzing a suspicious executable that is suspected of making unauthorized modifications to the Windows registry. By enabling the dump_enable_registry_dumps option, you can capture and save registry keys that the executable interacts with during its execution. This allows you to review the changes made to the registry and assess whether they are legitimate or potentially malicious.

  • dump_enable_crypto_dumps: Extract cryptographic buffers
      If set, decrypted data will be extracted
      default: True
    • More details

      Using Cryptographic Dumps

      To enable the extraction of decrypted cryptographic buffer data, modify the configuration of your sandbox environment and adjust the dump_enable_crypto_dumps option. Enabling this option allows decrypted data to be captured and extracted during the analysis process.

      Cryptographic Buffer Extraction

      Enhancing Analysis: By enabling cryptographic dumps, you can capture and analyze the decrypted data generated by the analyzed program, providing insights into its cryptographic operations.

      Relevance to Malware Packers

      Decrypting Packed Malware: Many malware packers use encryption techniques to obfuscate the payload. By enabling dump_enable_crypto_dumps, you can capture and extract the decrypted content, revealing the original malicious payload hidden behind the packer's encryption.

      Packing and Unpacking: Analyzing cryptographic dumps becomes essential in understanding how malware packers encrypt and decrypt their payloads during runtime, shedding light on their packing and unpacking mechanisms.

      Considerations and Recommendations

      When using the dump_enable_crypto_dumps option:

    • Cryptographic Data Extraction: Enabling this option allows you to capture decrypted data and cryptographic buffers, which can provide insights into the encryption and decryption activities of the sample.
    • Data Sensitivity: Be cautious of potential sensitive information contained in decrypted data, as it may include confidential or private content.

      • For optimal results:

    • Enable this option when you need to analyze the cryptographic operations performed by the sample, such as encryption and decryption of data.
    • Exercise caution when analyzing samples that involve sensitive information, and ensure compliance with data protection regulations.

      • Example Use Case

      Consider the analysis of a malware sample known to employ a sophisticated packing technique involving encryption. By enabling the dump_enable_crypto_dumps option, you can capture and extract the decrypted payload, allowing you to analyze the unpacked malware and gain insights into its behavior and potential threats.

  • dump_enables_screen_dumps: Take screenshots
      If set, virtual machine screenshots will be taken at certain moments
      default: True
    • More details

      Using Enable Screenshots Extraction

      The dump_enables_screen_dumps option controls whether virtual machine screenshots will be taken at certain moments during analysis. When enabled, p2a will capture and save screenshots of the virtual machine's display to provide visual insights into the sample's behavior.

      Considerations and Recommendations

      When using the dump_enables_screen_dumps option:

    • Screenshot Capture: Enabling this option allows you to visually observe the activities and changes on the virtual machine's display during the sample's execution.
    • Storage Impact: Be mindful of the storage impact, as capturing numerous screenshots can result in larger storage requirements.

      • For optimal results:

    • Enable this option when you need to visually inspect the behavior of the sample and observe its interactions with the virtual environment.
    • Monitor the storage usage and manage available space, especially when capturing frequent screenshots.

      • Example Use Case

      Imagine you are analyzing a suspicious executable that is suspected of performing changes to the virtual environment, such as modifying the desktop or opening certain windows. By enabling the dump_enables_screen_dumps option, you can capture and save screenshots at various moments during the execution of the sample. This enables you to visually assess the sample's impact on the virtual environment and verify any visual changes it makes.

  • dump_screen_y_resolution: Screenshots vertical resolution
      sets the vertical resolution of taken screenshots
      default: 600
      range: [100, 1200]
    • More details

      Setting Screenshots Vertical Resolution

      The dump_screen_y_resolution option allows you to set the vertical resolution of the screenshots that p2a captures during analysis. This determines the quality and clarity of the screenshots saved.

      Considerations and Recommendations

      When using the dump_screen_y_resolution option:

    • Screenshot Quality: Higher resolution values provide clearer and more detailed screenshots, but they may also require more storage space.
    • Storage Impact: Be aware that increasing the resolution can result in larger screenshot files and affect storage usage.

      • For optimal results:

    • Choose a resolution value that balances the need for visual clarity with storage efficiency.
    • Consider the available storage space and the frequency of screenshot captures when selecting a resolution value.

      • Example Use Case

      Suppose you want to capture detailed screenshots of a suspected malware's interactions with the virtual environment. By setting a higher dump_screen_y_resolution value, you can ensure that the captured screenshots are clear and provide valuable insights into the sample's behavior. However, keep in mind that higher resolution screenshots will consume more storage space, so ensure that your storage resources are sufficient.

Process dumps

  • dump_enable_image_dumps: Enable PE image dumps
      If et, extract in-memory images (pe imaes for windws os)
      default: True
    • More details

      Using Enable PE Image Extraction

      The dump_enable_image_dumps option controls whether in-memory PE images will be extracted during analysis. When enabled, p2a will extract and save in-memory Portable Executable (PE) images generated by the sample being analyzed.

      Considerations and Recommendations

      When using the dump_enable_image_dumps option:

    • PE Image Extraction: Enabling this option allows you to capture and analyze the in-memory executable images, which can provide insights into the sample's runtime behavior and activities.
    • Storage Impact: Be mindful of the storage impact, especially if the sample generates multiple in-memory PE images.

      • For optimal results:

    • Enable this option when you need to analyze the in-memory executable images that the sample generates, such as dynamically loaded modules.
    • Monitor the storage usage and manage available space, especially when analyzing samples that generate a significant number of in-memory PE images.

      • Example Use Case

      Suppose you are analyzing a suspicious executable that is known to dynamically load additional modules during its execution. By enabling the dump_enable_image_dumps option, you can capture and save the in-memory PE images that the executable generates. This allows you to analyze the content and behavior of these images, helping you understand the additional code that the executable introduces into the process space.

  • dump_enable_memory_dumps: Enable memory dumps
      If set, extract in-memory images and process runtime memory data
      default: True
    • More details

      Using Memory Dumps

      To enable the extraction of in-memory images and process runtime memory data, modify the configuration of your sandbox environment and adjust the dump_enable_memory_dumps option. Enabling this option allows you to capture in-memory images of PE (Portable Executable) files, analyze runtime memory (including heap and stack), and extract found DLLs.

      In-Memory Image Extraction, Runtime Memory Analysis, and DLL Extraction

      Enhancing Analysis: By enabling memory dumps, you can:

    • Capture in-memory PE images of executed files.
    • Analyze the runtime memory of processes, including heap and stack.
    • Extract DLLs found in the process memory.

      • Example Use Case

      Consider analyzing a suspicious executable that dynamically loads additional modules in memory. By enabling the dump_enable_memory_dumps option, you can:

    • Capture in-memory PE images of loaded modules to understand their contents.
    • Analyze the runtime memory of processes to uncover memory manipulations and interactions.
    • Extract DLLs from the process memory to identify loaded libraries and their potential implications.

      • This comprehensive memory analysis helps you gain insights into the program's execution, memory usage, and potential malicious activities.

  • dump_enable_memory_dumps_url_analysis: Enable memory dumps for url analysis
      same as 'dump_enable_memory_dumps' except that it is only for url analysis.
      default: True
    • More details

      Using Memory Dumps for URL Analysis

      To enable the extraction of in-memory images and process runtime memory data specifically for URL analysis, modify the configuration of your sandbox environment and adjust the dump_enable_memory_dumps_url_analysis option. Enabling this option allows you to capture in-memory images of PE (Portable Executable) files, analyze runtime memory (including heap and stack), and extract found DLLs during URL analysis.

      In-Memory Image Extraction, Runtime Memory Analysis, and DLL Extraction for URL Analysis

      Enhancing URL Analysis: Similar to the general memory dumps option, enabling memory dumps for URL analysis allows you to:

    • Capture in-memory PE images of executed files.
    • Analyze the runtime memory of processes, including heap and stack.
    • Extract DLLs found in the process memory.

      • Example Use Case

      Imagine you are analyzing a suspicious URL that leads to the execution of a potentially malicious executable. By enabling the dump_enable_memory_dumps_url_analysis option, you can:

    • Capture in-memory PE images of loaded modules to understand their contents.
    • Analyze the runtime memory of processes to uncover memory manipulations and interactions.
    • Extract DLLs from the process memory to identify loaded libraries and their potential implications.

      • These memory analysis capabilities provide deeper insights into the behavior and potential threats associated with the analyzed URL.

  • dump_memory_scan_for_subobjects: Scan memory dumps for embedded PE objects
      If set, will exctract any in-memory executable image found in process space
      default: True
    • More details

      Using Memory Dumps Subobject Scanning

      The dump_memory_scan_for_subobjects option controls whether p2a will scan memory dumps for embedded Portable Executable (PE) objects during analysis. When enabled, p2a will extract and save any in-memory executable images found within the process space.

      Considerations and Recommendations

      When using the dump_memory_scan_for_subobjects option:

    • PE Object Detection: Enabling this option allows you to detect and analyze in-memory PE objects that may be embedded within a process's memory space.
    • Resource Efficiency: Be aware that scanning for subobjects may impact analysis performance and memory usage.

      • For optimal results:

    • Enable this option when you suspect that the sample may hide executable code within its memory space, such as by using process hollowing techniques.
    • Monitor the analysis performance and resource usage to ensure that scanning for subobjects does not significantly impact the analysis environment.

      • Example Use Case

      Suppose you are analyzing a malware sample that is suspected of using process hollowing to hide its malicious activities within a legitimate process. By enabling the dump_memory_scan_for_subobjects option, you can scan the memory dumps for any in-memory executable images that may have been injected into the process's memory space. This enables you to identify and analyze hidden PE objects, providing insights into the sample's code injection and runtime behavior.

  • dump_image_apis_resolve_iat: IAT reconstruction for PE image dumps
      Enables Import Address Table reconstruction for in-memory executable images
      Should be one of the followings:
    • 0 : No IAT recons.
    • 1 : Resolve back names
    • 2 : Resolve all refs
      • default: 0 (No IAT recons.)
    • More details

      Using IAT Reconstruction for PE Image Dumps

      The dump_image_apis_resolve_iat option controls the level of Import Address Table (IAT) reconstruction for in-memory executable images during analysis. The IAT is an essential component of a PE image that maps imported functions to their corresponding addresses. This option determines how extensively the IAT will be reconstructed for in-memory PE image dumps.

      Valid Values

    • 0: No IAT reconstruction. The original IAT is not reconstructed.
    • 1: Resolve back names. Imported function names are resolved to their original names.
    • 2: Resolve all refs. All references to imported functions are resolved.

      • Considerations and Recommendations

      When using the dump_image_apis_resolve_iat option:

    • IAT Reconstruction: Enabling this option can provide more accurate information about imported functions and their usage within the in-memory PE images.
    • Resource Usage: Be aware that more extensive IAT reconstruction may impact analysis performance and memory usage.

      • For optimal results:

    • Choose the appropriate level of IAT reconstruction based on your analysis goals. More extensive reconstruction may yield better insights into the functionality of the in-memory PE image.
    • Monitor the analysis environment to ensure that the chosen IAT reconstruction level does not significantly impact resource usage.

      • Example Use Case

      Imagine you are analyzing a malware sample that heavily relies on imported functions to perform its malicious activities. By setting the dump_image_apis_resolve_iat option to 2, you can ensure that all references to imported functions are resolved in the reconstructed IAT of the in-memory PE images. This allows you to accurately trace the execution flow and interactions of the imported functions within the sample, helping you understand its behavior more comprehensively.

  • dump_memory_apis_resolve_iat: IAT reconstruction for memory dumps
      Enables Import Address Table reconstruction for all memory dumps
      Should be one of the followings:
    • 0 : No IAT recons.
    • 1 : Resolve back names
    • 2 : Resolve all refs
      • default: 0 (No IAT recons.)
    • More details

      Using IAT Reconstruction for Memory Dumps

      The dump_memory_apis_resolve_iat option controls the level of Import Address Table (IAT) reconstruction for all memory dumps during analysis. The IAT is an essential component of a PE image that maps imported functions to their corresponding addresses. This option determines how extensively the IAT will be reconstructed for memory dumps.

      Valid Values

    • 0: No IAT reconstruction. The original IAT is not reconstructed.
    • 1: Resolve back names. Imported function names are resolved to their original names.
    • 2: Resolve all refs. All references to imported functions are resolved.

      • Considerations and Recommendations

      When using the dump_memory_apis_resolve_iat option:

    • IAT Reconstruction: Enabling this option can provide more accurate information about imported functions and their usage within the memory dumps.
    • Resource Usage: Be aware that more extensive IAT reconstruction may impact analysis performance and memory usage.

      • For optimal results:

    • Choose the appropriate level of IAT reconstruction based on your analysis goals. More extensive reconstruction may yield better insights into the functionality of the memory dumps.
    • Monitor the analysis environment to ensure that the chosen IAT reconstruction level does not significantly impact resource usage.

      • Example Use Case

      Imagine you are analyzing a malware sample that uses dynamic function resolution techniques to obfuscate its imported functions. By setting the dump_memory_apis_resolve_iat option to 2, you can ensure that all references to imported functions are resolved in the reconstructed IAT of the memory dumps. This allows you to accurately trace the execution flow and interactions of the imported functions within the sample, helping you uncover its obfuscation techniques and behavior.

  • dump_maximum_size_single: Maximum size of a single dump (MB)
      default: 80000000
      range: [1000000, 1000000000]
    • More details

      Using Maximum Size of Single Dump

      The dump_maximum_size_single option controls the maximum size of a single dump that p2a can generate during analysis. This option is especially useful for managing the size of individual memory or file dumps extracted from the analysis environment.

      Range and Default Value

    • Default Value: 80000000 (80 MB)
    • Range: [1000000, 1000000000] (1 MB to 1 GB)

      • Considerations and Recommendations

      When using the dump_maximum_size_single option:

    • Size Management: Adjust the maximum size value based on your analysis needs and available storage resources.
    • Impact on Analysis: Smaller maximum sizes can help reduce the impact on analysis performance and storage usage.

      • For optimal results:

    • Set the maximum size value according to the expected size of individual dumps and the available storage capacity.
    • Monitor the storage usage and adjust the maximum size if you encounter frequent cases where dumps exceed the specified limit.

      • Example Use Case

      Suppose you are analyzing a malware sample that generates large memory dumps during its execution. By setting the dump_maximum_size_single option to a value of 100000000 (100 MB), you can ensure that each individual memory dump extracted from the sample does not exceed 100 MB. This helps manage storage usage and prevents individual dumps from consuming excessive space, while still allowing you to capture relevant memory content for analysis.

  • dump_maximum_size_per_process: Maximum cumulated size of all dumps for a single process (MB)
      default: 160000000
      range: [10000000, 1000000000]
    • More details

      Using Maximum Cumulated Size of Dumps per Process

      The dump_maximum_size_per_process option controls the maximum cumulated size of all dumps generated for a single process during p2a analysis. This option helps manage the total size of dumps associated with a particular process and prevents excessive storage usage.

      Range and Default Value

    • Default Value: 160000000 (160 MB)
    • Range: [10000000, 1000000000] (10 MB to 1 GB)

      • Considerations and Recommendations

      When using the dump_maximum_size_per_process option:

    • Process Dumps: Use this option to manage the total size of dumps associated with a single process during analysis.
    • Optimal Value: Adjust the maximum size according to your analysis needs and storage capacity to strike a balance between capturing relevant information and controlling storage usage.

      • For optimal results:

    • Set the maximum size value based on the expected size of dumps for individual processes and the available storage capacity.
    • Monitor the storage usage and adjust the maximum size if you find that dumps for a specific process are exceeding the limit frequently.

      • Example Use Case

      Imagine you are analyzing a malware sample that creates multiple instances of the same process and generates substantial memory dumps for each instance. By setting the dump_maximum_size_per_process option to 50000000 (50 MB), you can ensure that the cumulated size of all dumps generated for a single process instance does not exceed 50 MB. This allows you to manage storage usage while still capturing relevant information about each process's behavior.

  • dump_maximum_size_total: Maximum cumulated size of all dumps (MB)
      default: 300000000
      range: [10000000, 1000000000]
    • More details

      Using Maximum Cumulated Size of All Dumps

      The dump_maximum_size_total option controls the maximum cumulated size of all dumps generated during p2a analysis. This option helps manage the total storage usage for dumps across all processes and aspects of analysis.

      Range and Default Value

    • Default Value: 300000000 (300 MB)
    • Range: [10000000, 1000000000] (10 MB to 1 GB)

      • Considerations and Recommendations

      When using the dump_maximum_size_total option:

    • Total Storage Usage: Use this option to set an upper limit on the total size of all dumps generated during analysis.
    • Optimal Value: Adjust the maximum size based on your available storage capacity and the level of detail required for analysis.

      • For optimal results:

    • Set the maximum size value considering the expected storage requirements for the cumulative dumps across all aspects of analysis.
    • Regularly monitor the storage usage to ensure that the cumulative size of all dumps does not exceed the specified limit.

      • Example Use Case

      Suppose you are analyzing a complex malware sample that generates a substantial amount of memory and file dumps across various processes and analysis aspects. By setting the dump_maximum_size_total option to 500000000 (500 MB), you can ensure that the total cumulated size of all dumps does not exceed 500 MB. This helps you manage storage usage while retaining sufficient data to analyze the sample's behavior and interactions.

  • dump_discard_if_delta_under_permillion: Discard dumps if less than this many % different bytes
      Specifies the number of different bytes in a dump, per-million, obove which such dump won't be extracted.
      default: 10000
      range: [0, 330000]
    • More details

      Using Discard Dumps Based on Difference Percentage

      The dump_discard_if_delta_under_permillion option controls whether dumps with a low percentage of different bytes will be discarded during p2a analysis. This option helps manage the extraction of relevant dumps by filtering out those with minimal differences from a reference.

      Range and Default Value

    • Default Value: 10000 (0.01%)
    • Range: [0, 330000] (0% to 33%)

      • Considerations and Recommendations

      When using the dump_discard_if_delta_under_permillion option:

    • Dump Relevance: Consider the desired sensitivity in determining which dumps are considered relevant based on differences from a reference.
    • Optimal Value: Adjust the value based on your analysis goals and the level of noise or variation you expect in dumps.

      • For optimal results:

    • Set the value considering the expected amount of differences you are interested in capturing in dumps.
    • Monitor analysis results to ensure that relevant dumps are not being discarded due to overly strict settings.

      • Example Use Case

      Imagine you are analyzing a sample that generates numerous memory dumps with slight variations due to runtime conditions. By setting the dump_discard_if_delta_under_permillion option to 5000, you can ensure that dumps with less than 0.005% different bytes from a reference are discarded. This helps filter out dumps that are likely to be noise or variations from the analysis, allowing you to focus on dumps with more significant differences.