Upload and analyse malware to Zynap sandbox
Overview
This workflow automates comprehensive malware analysis by uploading suspicious files to the Zynap sandbox environment and performing detailed behavioral analysis on Windows 7 and 10 systems. It processes malware samples through multiple analysis stages, extracts critical threat intelligence data, and generates structured reports for security investigation and threat response activities.
How It Works
- File Input Processing: Accepts malware samples or suspicious files through the input node and validates them before analysis.
- Base64 File Encoding: Runs a script that converts the input file to base64, the encoding the sandbox API expects for binary content in the upload request.
- Sandbox Upload Initiation: Submits the encoded sample to Zynap's malware analysis API, which starts dynamic analysis in isolated sandbox environments.
- Parallel Analysis Processing: Splits the workflow into two concurrent analysis branches:
  Branch A - Entity ID Tracking:
  - Entity ID Extraction: Reads the unique entity_id from the upload response for job tracking and status monitoring.
  - Analysis Status Monitoring: Repeatedly queries the malware API with the entity_id to track analysis progress until the job completes.
  - Hash Generation: Retrieves the SHA256 hash of the analyzed file so the detailed report can be correlated with the job.
  Branch B - Direct Hash Analysis:
  - Hash Extraction: Computes the SHA256 hash directly from the uploaded file so results can be requested immediately.
  - Results Retrieval: Queries the malware analysis service by hash to fetch any existing or in-progress analysis results.
  - Analysis Trigger: Starts additional analysis processes if they are needed for complete coverage.
- Analysis Convergence: Both branches merge so that the results obtained via the entity_id and via the hash are correlated and no analysis is missed.
- Final Hash Processing: Performs a final hash extraction and validation step to prepare for report retrieval.
- Detailed Report Compilation: Queries the malware analysis API with the validated hash to retrieve the complete behavioral analysis results, including network activity, file system changes, registry modifications, and threat classifications.
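The pipeline described in the steps above, written out as a small Python client. This is an added example, not the workflow's own nodes or Zynap's published API: the base URL, the endpoint paths (/malware/upload, /malware/status/<entity_id>, /malware/report/<sha256>), the field names (entity_id, state, sha256, verdict) and the platforms list are all assumptions, and FakeSandbox is a constructed stand-in for the service so the code runs offline. What the steps alone do not show is the check that ties the two branches together: the SHA256 computed locally (Branch B) is compared with the hash the sandbox reports for the entity_id (Branch A) before the report is fetched, and status polling is bounded so a stuck job cannot hang the run.

```python
import base64
import hashlib
import time
from typing import Any, Callable, Dict, Optional

# Placeholder base URL: the real Zynap API layout is not documented on this
# page, so every endpoint path and field name below is an assumption.
BASE_URL = "https://sandbox.example.invalid/api"

# A transport takes (method, url, json_body_or_None) and returns decoded JSON;
# injecting it keeps the workflow logic testable without network access.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def submit_sample(transport: Transport, data: bytes, filename: str) -> str:
    """Base64-encode the file and upload it; return the job's entity_id."""
    payload = {"filename": filename,
               "content_b64": base64.b64encode(data).decode("ascii"),
               "platforms": ["windows7", "windows10"]}  # assumed field
    resp = transport("POST", f"{BASE_URL}/malware/upload", payload)
    entity_id = resp.get("entity_id")
    if not entity_id:
        raise RuntimeError(f"upload response carried no entity_id: {resp}")
    return str(entity_id)

def wait_for_completion(transport: Transport, entity_id: str,
                        poll_interval: float = 0.0, max_polls: int = 60) -> Dict[str, Any]:
    """Branch A: poll the status endpoint until the job completes. The poll
    count is bounded so a stuck sandbox job cannot hang the workflow."""
    for _ in range(max_polls):
        status = transport("GET", f"{BASE_URL}/malware/status/{entity_id}", None)
        if status.get("state") == "completed":
            return status
        if status.get("state") == "failed":
            raise RuntimeError(f"analysis {entity_id} failed: {status}")
        time.sleep(poll_interval)
    raise TimeoutError(f"analysis {entity_id} not finished after {max_polls} polls")

def fetch_report(transport: Transport, file_hash: str) -> Dict[str, Any]:
    """Branch B / final step: retrieve the behavioral report by SHA256."""
    report = transport("GET", f"{BASE_URL}/malware/report/{file_hash}", None)
    if "error" in report or report.get("sha256") != file_hash:
        raise RuntimeError(f"no usable report for {file_hash}: {report}")
    return report

def analyse(transport: Transport, data: bytes, filename: str) -> Dict[str, Any]:
    """Run the whole pipeline and return a compact result record."""
    local_hash = sha256_hex(data)  # Branch B: hash the file locally
    entity_id = submit_sample(transport, data, filename)
    status = wait_for_completion(transport, entity_id)
    # Convergence check: the hash the sandbox reports for this job must match
    # the local one, or the report fetched by hash could belong to another file.
    reported = str(status.get("sha256", "")).lower()
    if reported and reported != local_hash:
        raise RuntimeError(f"sandbox hash {reported} != local {local_hash}")
    report = fetch_report(transport, local_hash)
    return {"entity_id": entity_id, "sha256": local_hash,
            "verdict": report.get("verdict"), "network": report.get("network", [])}

class FakeSandbox:
    """Constructed in-memory stand-in for the API so the example runs offline.
    It is not Zynap's service; it only mimics the response shapes assumed above."""

    def __init__(self, polls_before_done: int = 2):
        self.polls_before_done = polls_before_done
        self.jobs: Dict[str, Dict[str, Any]] = {}

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        path = url[len(BASE_URL):]
        if method == "POST" and path == "/malware/upload":
            raw = base64.b64decode(body["content_b64"])
            entity_id = f"job-{len(self.jobs) + 1}"
            self.jobs[entity_id] = {"sha256": sha256_hex(raw), "polls": 0}
            return {"entity_id": entity_id}
        if method == "GET" and path.startswith("/malware/status/"):
            job = self.jobs[path.rsplit("/", 1)[1]]
            job["polls"] += 1
            done = job["polls"] >= self.polls_before_done
            return {"state": "completed" if done else "running", "sha256": job["sha256"]}
        if method == "GET" and path.startswith("/malware/report/"):
            h = path.rsplit("/", 1)[1]
            if h not in {j["sha256"] for j in self.jobs.values()}:
                return {"error": "not found"}
            return {"sha256": h, "verdict": "suspicious",
                    "network": [{"dst": "203.0.113.7", "port": 443}]}  # constructed
        raise ValueError(f"unexpected request {method} {path}")

if __name__ == "__main__":
    sample = b"constructed benign sample bytes, not real malware"
    print(analyse(FakeSandbox(), sample, "sample.bin"))
```

To run this against a live service, replace FakeSandbox with a transport that performs the HTTP call (urllib or requests) and returns the decoded JSON body; the pipeline functions do not change. The same hash-comparison and bounded-polling checks are worth keeping in the workflow's script nodes, since a mismatched hash silently correlates the wrong report and an unbounded status loop is the usual cause of a stuck run.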
Who is this for?
- Malware analysts investigating suspicious file samples and unknown executables
- Security researchers conducting threat intelligence analysis and malware family classification
- Incident response teams requiring detailed behavioral analysis for security incidents
- SOC analysts processing file-based security alerts and investigating potential threats
- Forensic investigators analyzing suspicious files discovered during digital investigations
What problem does this workflow solve?
- Eliminates manual malware submission and analysis tracking by automating the complete sandbox analysis lifecycle from upload to detailed reporting
- Provides dual-path analysis verification through parallel entity ID tracking and direct hash analysis, ensuring comprehensive coverage and data correlation
- Reduces analysis time from hours to minutes by automating status monitoring, hash extraction, and report retrieval processes
- Standardizes malware analysis procedures across different Windows environments (7 and 10) for consistent threat assessment
- Delivers structured threat intelligence data that can be immediately integrated into security tools and incident response workflows for rapid threat mitigation