ScanFalconSandbox
Sends files to Falcon Sandbox.
Attributes:
api_key: API key used for authenticating to Falcon Sandbox. This is loaded
from the scanner options or the environment variable
'FS_API_KEY'.
api_secret: API secret key used for authenticating to Falcon Sandbox. This is loaded
from the scanner options or the environment variable
'FS_API_SECKEY'.
lib: URL of the Falcon Sandbox API inteface.
auth_check: Boolean that determines if the username and password were
previously checked. This ensures that the username and password
are only checked once per worker.
Options
depth: Recursion depth for file submission to Falcon Sandbox.
Defaults to 0.
env_id: List of sandbox environments to submit sample to.
Public Sandbox environments ID: 300: 'Linux (Ubuntu 16.04, 64 bit)',
200: 'Android Static Analysis’,
160: 'Windows 10 64 bit’,
110: 'Windows 7 64 bit’,
100: ‘Windows 7 32 bit’
Defaults to [100]
Source code in strelka/src/python/strelka/scanners/scan_falcon_sandbox.py
| class ScanFalconSandbox(strelka.Scanner):
"""Sends files to Falcon Sandbox.
Attributes:
api_key: API key used for authenticating to Falcon Sandbox. This is loaded
from the scanner options or the environment variable
'FS_API_KEY'.
api_secret: API secret key used for authenticating to Falcon Sandbox. This is loaded
from the scanner options or the environment variable
'FS_API_SECKEY'.
lib: URL of the Falcon Sandbox API inteface.
auth_check: Boolean that determines if the username and password were
previously checked. This ensures that the username and password
are only checked once per worker.
Options:
depth: Recursion depth for file submission to Falcon Sandbox.
Defaults to 0.
env_id: List of sandbox environments to submit sample to.
Public Sandbox environments ID: 300: 'Linux (Ubuntu 16.04, 64 bit)',
200: 'Android Static Analysis’,
160: 'Windows 10 64 bit’,
110: 'Windows 7 64 bit’,
100: ‘Windows 7 32 bit’
Defaults to [100]
"""
def init(self):
self.api_key = None
self.api_secret = None
self.server = ""
self.auth_check = False
self.depth = 0
self.env_id = [100]
def submit_file(self, file, env_id):
url = self.server + "/api/submit"
# TODO data is never referenced so this will crash
files = {"file": None} # data
data = {"nosharevt": 1, "environmentId": env_id, "allowCommunityAccess": 1}
try:
response = requests.post(
url,
data=data,
params={},
verify=False,
files=files,
timeout=self.timeout,
headers={"User-Agent": "VxApi CLI Connector"},
auth=(HTTPBasicAuth(self.api_key, self.api_secret)),
)
if response.status_code == 200 and response.json()["response_code"] == 0:
sha256 = response.json()["response"][
"sha256"
] # Successfully submitted file
self.event["sha256"] = sha256
elif response.status_code == 200 and response.json()["response_code"] == -1:
self.flags.append(
"duplicate_submission"
) # Submission Failed - duplicate
else:
self.flags.append("upload_failed") # Upload Failed
except requests.exceptions.ConnectTimeout:
self.flags.append("connect_timeout")
return
def scan(self, data, file, options, expire_at):
self.depth = options.get("depth", 0)
if file.depth > self.depth:
self.flags.append("file_depth_exceeded")
return
self.server = options.get("server", "")
self.priority = options.get("priority", 3)
self.timeout = options.get("timeout", 60)
self.env_id = options.get("env_id", [100])
if not self.auth_check:
self.api_key = options.get("api_key", None) or os.environ.get("FS_API_KEY")
self.api_secret = options.get("api_secret", None) or os.environ.get(
"FS_API_SECKEY"
)
self.auth_check = True
# Allow submission to multiple environments (e.g. 32-bit and 64-bit)
for env in self.env_id:
self.submit_file(file, env)
|
Features
The features of this scanner are detailed below. These features represent the capabilities and the type of analysis the scanner can perform. This may include support for Indicators of Compromise (IOC), the ability to emit files for further analysis, and the presence of extended documentation for complex analysis techniques.
| Feature |
Support |
IOC Support |
|
Emit Files |
|
Extended Docs |
|
Malware Scanner |
|
Image Thumbnails |
|
Tastes
Strelka's file distribution system assigns scanners to files based on 'flavors' and 'tastes'. Flavors describe the type of file, typically determined by MIME types from libmagic, matches from YARA rules, or characteristics of parent files. Tastes are the criteria used within Strelka to determine which scanners are applied to which files, with positive and negative tastes defining files to be included or excluded respectively.
| Source Filetype |
Include / Exclude |
|
|
Scanner Fields
This section provides a list of fields that are extracted from the files processed by this scanner. These fields include the data elements that the scanner extracts from each file, representing the analytical results produced by the scanner. If the test file is missing or cannot be parsed, this section will not contain any data.
Failure
No fields to display. The test file may not exist or could not be processed.
Sample Event
Below is a sample event generated by this scanner, demonstrating the kind of output that can be expected when it processes a file. This sample is derived from a mock scan event configured in the scanner's test file. If no test file is available, this section will not display a sample event.
Failure
Test file not found for scanner falcon_sandbox