IBM Security QRadar SOAR

 View Only

SNDBOX and IBM Resilient Integrate to Fight Evasive Malware Innovation with AI Innovation

By Ran Dubin posted Wed August 07, 2019 02:12 PM


By: Dr. Ran Dubin and Ariel Koren

We are proud to announce the new integration between SNDBOX Malware Research Platform and IBM Resilient. This integration enables users of both platforms to enrich their incident response and security pipelines with unique kernel mode analysis technology and Artificial Intelligence (AI) malware detection.

The joint integration will boost incident responders abilities to detect the most evasive malware, reduce false positives and provide the highest visibility to make responder decisions easy and intuitive.

Benefits include

  • Detonate evasive malware using cutting edge kernel analysis technology.
  • Overcome anti-debug, anti-virtual machines and anti-sandbox malware evading techniques.
  • Analysis visibility includes: Static, Dynamic, image processing analysis and network analysis solutions.
  • Providing Static AI, Dynamic AI and image processing AI detection all are ensembled to a single detection score.
  • Available for all SNDBOX users: public (free) and premium (private) services.

How it Works
As part of the incident response cycle, a suspicious file or hash related to an incident is submitted as an artifact through IBM Resilient:



IBM Resilient will query SNDBOX for scanning the submitted artifacts in order to provide additional information about the suspected file or hash:



SNDBOX based on detonation of the file powered by static AI, dynamic AI, image and network analysis will provide a single detection score with the full visibility of all supporting vectors. The user will receive a notification in IBM Resilient (see screenshot below):


The hit will include a link to the full analysis located within the SNDBOX malware research platform, providing high visibility information that includes:


Dynamic Analysis: Providing full visibility of the evasive malware’s every move including all API information, signature evidence, process relations all in a clickable and easy to digest research platform.


Static Analysis: Header information, macro content and detected malicious indicators.


Image Preview Analysis: We apply our proprietary image processing technology to documents for detecting malicious one-days threats


Network Analysis: All network evidence including community network signatures.


All inputs are fed to our AI, which after considering all inputs provides the final verdict.


One of the most common attacks we see today is the use of known Microsoft Office equation exploit CVE-2017-11882. The following MD5: 9928d84505a8ea2ad2dc1d4d45a224bb was uploaded to our public malware research platform. After executing the exploit, the malware downloads a second step and executes an evasive attack using Process Hollowing to keep evading detection and to gain persistency in the infected computer.


Below is an example of SNDBOX analysis.

Drill down of the process tree:

Clicking on the Process Hollowing signature under the process relationships we can view all the API’s that explain the signature.


In the static analysis we provide an AI-based image preview detection (MD5: b7fbafe652f2228805904e6e924fc253):


You can see the image was identified based on the red indicator above it and we provide OCR text visibility (top right side) and highlight the malicious intentions of the file to speed up the incident responder investigation.


SNDBOX further automates the incident responders research by providing header information anomaly. VBA macro visibility as can be seen here:

Clicking on the red file indication in the right will open the VBA macro code:

Visibility, accuracy, analysis speed, scalability and low false positives are the needed building blocks for effective incident and response teams. SNDBOX enables researchers from all levels of expertise to swiftly gain insights and solve incidents by boosting and simplifying the research process.


The SNDBOX Malware Research Platform and IBM Resilient integration is available in the IBM Resilient App Exchange.


For more information please visit:

 or contact Please note that you need to be logged into the SNDBOX.COM malware research platform in order to view full integration details and download artifacts.

About Dr. Ran Dubin
Ran is SNDBOX co-founder and CEO. A leading expert in the field of network communication and cyber threat detection with a specialization in the application of deep learning algorithms to behavioral attack, Ran is responsible for SNDBOX AI detection algorithms. Ran holds BSc, MSc, and Ph.D. from the Department of Communication System Engineering (CSE) at Ben Gurion University, Israel. 


About Ariel Koren

A technology native, Ariel Koren is SNDBOX CTO and a well known cyber expert. He garnered extensive experience in penetration testing, malware reverse engineering, kernel driver development, and internal cyber security testing and solutions while serving in an elite technological unit in the Israeli Defense Forces (IDF).

Developed by researchers for researchers, SNDBOX is the first malware research solution that automates malware research by leveraging multidisciplinary approaches, AI detection vectors, and undetectable kernel driver analysis. SNDBOX technology delivers in-depth results, quickly while granting the AI and big data insights necessary for comprehensive malware research and the false positive rate reduction needed to speed up incident response research events.


For more information, visit