Report Format

Some components of an analysis report apply to multiple report formats. Each individual report format can extend this information with additional data, but follows the basic concepts described below.

Examples of such shared components are the representation of analysis subjects and of file metadata.

Analysis Subject Format

The analysis engine will monitor all analysis subjects, such as the originally started program and all child processes or processes that a monitored program interacts with, and then list any security relevant data.

Analysis subject contents

  • overview.

    Type: Dictionary.

    Overview of the analysis subject.

    • id.

      Type: Integer.

      Example: 2.

      Identifier of the analysis subject within the analysis report.

    • parent_id: (optional).

      Type: Integer.

      Example: 2.

      Identifier of the analysis subject that is responsible for the execution of the current analysis subject. If not present, the monitoring of the current analysis subject did not depend on any other analysis subject (for example, the originally started program does not include this field). If present, it identifies an analysis subject within the report: for example, if parent_id is equal to 2, the current analysis subject was monitored because it was started by, or interacted with, the analysis subject whose id field has value 2.

    • ext_info: (optional).

      Type: File-Info; see Static File Information.

      Static information on the analyzed file.

Static File Information

The analysis engine extracts static file information for most files manipulated during the analysis run and associates this information with all files in the report.

File information contents

  • md5: (optional).

    Type: Hexadecimal string.

    Example: “748cb82987899a164c2f6e7985fffec5”.

    MD5 hash of the file content.

  • sha1: (optional).

    Type: Hexadecimal string.

    Example: “066e791be6fb28063fc643cea658bf70d193b895”.

    SHA-1 hash of the file content.

  • file_info: (optional).

    Type: String.

    Example: “MS Windows shortcut”.

    Textual description of the file type.

  • size: (optional).

    Type: Integer.

    Example: 1233.

    File size in bytes.
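The two structures above are what a consumer of the report parses first. The following is an added example (not the analysis engine's own code) that reads a constructed list of analysis subjects laid out as described: each subject has an "overview" dictionary with "id", an optional "parent_id" and an optional "ext_info" File-Info. It rebuilds the parent/child tree, flags parent_id values that point at no subject in the report, checks that md5/sha1 values are well-formed hex digests, and recomputes the hashes over the file content when that content is at hand. All sample values (content, sizes, description) are constructed for the example.

```python
"""Validate analysis-subject records and their static file information.

Added example, not the report engine's own code. Assumes the report is a
JSON-like list of dictionaries: each subject has an "overview" dictionary
with "id", optional "parent_id" and optional "ext_info" (File-Info).
All sample values below are constructed.
"""
import hashlib
import re

# Expected shape of each hash field (lower-case hex, fixed length).
HEX_RE = {"md5": re.compile(r"^[0-9a-f]{32}$"), "sha1": re.compile(r"^[0-9a-f]{40}$")}

# Constructed file content so the hashes in the sample can be recomputed offline.
SAMPLE_CONTENT = b"MZ\x90\x00constructed sample file content"

SAMPLE_SUBJECTS = [
    {"overview": {
        "id": 1,
        "ext_info": {
            "md5": hashlib.md5(SAMPLE_CONTENT).hexdigest(),
            "sha1": hashlib.sha1(SAMPLE_CONTENT).hexdigest(),
            "file_info": "PE32 executable",  # constructed description
            "size": len(SAMPLE_CONTENT),
        }}},
    {"overview": {"id": 2, "parent_id": 1,
                  "ext_info": {"md5": "NOT-A-HASH", "size": 1233}}},
    {"overview": {"id": 3, "parent_id": 7}},  # constructed dangling parent reference
]


def validate_file_info(info):
    """Return a list of problems found in a File-Info dictionary (empty if clean)."""
    problems = []
    for field, pattern in HEX_RE.items():
        value = info.get(field)
        if value is not None and not pattern.fullmatch(str(value).lower()):
            problems.append(f"{field}: not a well-formed hex digest")
    size = info.get("size")
    if size is not None and (isinstance(size, bool) or not isinstance(size, int) or size < 0):
        problems.append("size: must be a non-negative integer")
    return problems


def verify_hashes(info, content):
    """Recompute md5/sha1 over `content` and compare with the hashes in `info`.

    Returns True only if every hash field present matches (at least one must be
    present) and, when a size is given, it matches the content length.
    """
    checked = 0
    for field, algo in (("md5", hashlib.md5), ("sha1", hashlib.sha1)):
        expected = info.get(field)
        if expected is None:
            continue
        checked += 1
        if algo(content).hexdigest() != str(expected).lower():
            return False
    if "size" in info and info["size"] != len(content):
        return False
    return checked > 0


def build_process_tree(subjects):
    """Map each subject id to its children; report parent_id values that point nowhere."""
    ids = {s["overview"]["id"] for s in subjects}
    children, roots, dangling = {}, [], []
    for s in subjects:
        ov = s["overview"]
        parent = ov.get("parent_id")
        if parent is None:
            roots.append(ov["id"])
        elif parent in ids:
            children.setdefault(parent, []).append(ov["id"])
        else:
            dangling.append(ov["id"])
    return {"roots": roots, "children": children, "dangling": dangling}


def audit_subjects(subjects):
    """Collect every issue worth flagging before the report is trusted downstream."""
    issues = []
    for sid in build_process_tree(subjects)["dangling"]:
        issues.append(f"subject {sid}: parent_id refers to no subject in the report")
    for s in subjects:
        ov = s["overview"]
        for problem in validate_file_info(ov.get("ext_info", {})):
            issues.append(f"subject {ov['id']}: ext_info {problem}")
    return issues


if __name__ == "__main__":
    for line in audit_subjects(SAMPLE_SUBJECTS):
        print(line)
```

The hash check is the useful part when the report is used as evidence: a downloaded sample whose recomputed digests disagree with ext_info should not be attributed to that analysis subject.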

Analysis Metadata Format

During the analysis run, the analysis engine extracts metadata that is then made available for download.

Metadata contents

  • metadata_type.

    Type: String.

    Example: “screenshot”.

    Example: “traffic_capture”.

    Example: “generated_file”.

    Example: “memory_dump”.

    Example: “process_dump”.

    Example: “analysis_subject”.

    Example: “extracted_file”.

    Type of metadata.

  • delete_date: (optional).

    Type: Date-Time.

    Example: “2013-10-05 14:22:02”.

    Analysis metadata is deleted according to data-retention policies. If a metadata file has become unavailable, this field contains the date on which it was deleted.

  • analysis_subject_id: (optional).

    Type: Integer.

    Example: 2.

    Identifier (the id field) of the analysis subject that the metadata is associated with. Applies to metadata_types “memory_dump”, “analysis_subject”, and “process_dump”.

  • yara_signature_hits: (optional).

    Type: List of strings.

    Example: “SignatureName1”, “SignatureName2”.

    Yara signatures that matched on the analysis metadata. Applies to metadata_types “memory_dump”, “generated_file”, “analysis_subject”, and “process_dump”.

  • description: (optional).

    Type: String.

    Example: “Memory snapshot of 32-bit process”.

    Short description of the analysis metadata. Applies to metadata_types “memory_dump”, “generated_file”, “analysis_subject”, and “process_dump”.

  • embedded_shellcode: (optional).

    Type: Boolean.

    True if the buffer contains shellcode. Applies to metadata_type “memory_dump”.

  • ext_info: (optional).

    Type: File-Info; see Static File Information.

    Static file information. Applies to metadata_type “analysis_subject”.

  • timestamp: (optional).

    Type: Integer.

    Example: 50.

    Number of seconds after start of analysis run at which the screenshot was taken. Applies to metadata_type “screenshot”.
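The metadata list is where a reviewer decides which artifacts to pull first. The following added example (not the analysis engine's own code) triages a constructed metadata list using the fields above: it parses delete_date in the “YYYY-MM-DD HH:MM:SS” form shown in the example to tell which artifacts are still downloadable, groups entries by metadata_type, surfaces entries with YARA hits or embedded shellcode, and flags subject-linked entries whose analysis_subject_id matches no subject in the report. The set of known subject ids is a constructed stand-in for the report's subject list.

```python
"""Triage the metadata list of a report.

Added example, not the report engine's own code. Assumes each entry is a
dictionary with the fields described above and that delete_date uses the
"YYYY-MM-DD HH:MM:SS" form shown in the example. All sample entries and the
known subject ids are constructed.
"""
from datetime import datetime

DELETE_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"

# Metadata types that the format links to an analysis subject.
SUBJECT_LINKED_TYPES = {"memory_dump", "analysis_subject", "process_dump"}

KNOWN_SUBJECT_IDS = {1, 2}  # constructed: ids present in the report's subject list

SAMPLE_METADATA = [
    {"metadata_type": "screenshot", "timestamp": 50},
    {"metadata_type": "traffic_capture"},
    {"metadata_type": "memory_dump", "analysis_subject_id": 2,
     "description": "Memory snapshot of 32-bit process",
     "embedded_shellcode": True,
     "yara_signature_hits": ["SignatureName1", "SignatureName2"]},
    {"metadata_type": "process_dump", "analysis_subject_id": 2,
     "delete_date": "2013-10-05 14:22:02"},  # already removed by retention policy
    {"metadata_type": "generated_file", "yara_signature_hits": []},
    {"metadata_type": "analysis_subject", "analysis_subject_id": 9,  # constructed: no subject 9
     "ext_info": {"md5": "748cb82987899a164c2f6e7985fffec5", "size": 1233}},
]


def parse_delete_date(entry):
    """Return the delete date as a datetime, or None if the entry has no delete_date."""
    raw = entry.get("delete_date")
    return datetime.strptime(raw, DELETE_DATE_FORMAT) if raw else None


def is_available(entry):
    """A set delete_date means the file was already removed by the retention policy."""
    return parse_delete_date(entry) is None


def by_type(entries):
    """Group entries by metadata_type, preserving report order within each group."""
    groups = {}
    for entry in entries:
        groups.setdefault(entry["metadata_type"], []).append(entry)
    return groups


def flagged_entries(entries):
    """Entries to look at first: any YARA hit, or a memory dump holding shellcode."""
    flagged = []
    for index, entry in enumerate(entries):
        hits = entry.get("yara_signature_hits") or []
        shellcode = bool(entry.get("embedded_shellcode"))
        if hits or shellcode:
            flagged.append({"index": index, "metadata_type": entry["metadata_type"],
                            "subject": entry.get("analysis_subject_id"),
                            "yara": list(hits), "shellcode": shellcode,
                            "available": is_available(entry)})
    return flagged


def unlinked_entries(entries, subject_ids):
    """Indexes of subject-linked entries whose analysis_subject_id is not in the report."""
    bad = []
    for index, entry in enumerate(entries):
        if entry["metadata_type"] not in SUBJECT_LINKED_TYPES:
            continue
        sid = entry.get("analysis_subject_id")
        if sid is not None and sid not in subject_ids:
            bad.append(index)
    return bad


if __name__ == "__main__":
    for mtype, group in by_type(SAMPLE_METADATA).items():
        available = sum(1 for e in group if is_available(e))
        print(f"{mtype}: {len(group)} entries, {available} still downloadable")
    print("flagged:", flagged_entries(SAMPLE_METADATA))
    print("unlinked:", unlinked_entries(SAMPLE_METADATA, KNOWN_SUBJECT_IDS))
```

Checking availability before queuing downloads avoids a common automation failure, where a pipeline retries a process dump that the retention policy removed long ago.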

Network Traffic Format

During the analysis run, the analysis engine extracts information about network connections observed during the analysis. The report will distinguish between different protocols and extract protocol-specific information.

Examples of supported protocols are TCP, UDP, HTTP, and SMTP.

Network connection contents

Network connections using a protocol that is not parsed into a more specific protocol type.

  • protocol: (optional).

    Type: String.

    Example: “TCP”.

    Name of highest-level protocol recognized.

  • src_ip.

    Type: IP address.

    Example: “192.168.0.2”.

    Source IP address of the connection.

  • src_port: (optional).

    Type: Integer.

    Example: 1036.

    Source port of the connection, applies only to protocols using ports (such as “TCP” or “UDP”).

  • dst_ip.

    Type: IP address.

    Example: “2.2.2.2”.

    Destination IP address of the connection.

  • dst_port: (optional).

    Type: Integer.

    Example: 80.

    Destination port of the connection, applies only to protocols using ports (such as “TCP” or “UDP”).

  • type.

    Type: String.

    Example: “outgoing”.

    Direction of the connection establishment: “outgoing”, “incoming” or “listening”.

  • conversation: (optional).

    Type: List of communication tuples; see below.

    Example: (“message1”, “answer1”), (“”, “answer2”).

    List of tuples containing incoming and outgoing message data.

HTTP connection contents

Network connections identified to use the HTTP protocol. This type extends the network connection type.

  • url.

    Type: String.

    Example: “GET /search?q=0 HTTP/1.0”.

    Request line sent to the server.

  • response_headers: (optional).

    Type: Key-value storage.

    Example: “type”=”HTTP Response”.

    Each element corresponds to an HTTP header (name and value) in the server's response.

  • response_protocol_version: (optional).

    Type: String.

    Example: “1.1”.

    Protocol version used in the server’s response.

  • response_status: (optional).

    Type: String.

    Example: “200”.

    HTTP status code returned by the server.

IRC connection contents

Network connections identified to use the IRC protocol. This type extends the network connection type.

  • irc_channel: (optional).

    Type: String.

    Example: “channel1”.

    IRC channel used in the communication.

  • channel_password: (optional).

    Type: String.

    Example: “channel_password1”.

    Channel password used for authenticating to the IRC channel.

  • irc_user: (optional).

    Type: String.

    Example: “user1”.

    Username used for authenticating the communication.

  • irc_password: (optional).

    Type: String.

    Example: “password1”.

    Password used for authenticating the communication.

  • irc_nick: (optional).

    Type: String.

    Example: “nick1”.

    IRC nickname used in the communication.

FTP connection contents

Network connections identified to use the FTP protocol. This type extends the network connection type.

  • ftp_login: (optional).

    Type: String.

    Example: “credentials1”.

    FTP credentials used in the communication.

DNS query contents

  • hostname.

    Type: String.

    Example: “www.example.com”.

    Hostname in the query.

  • results: (optional).

    Type: List of IP addresses.

    Example: “1.1.1.1”, “2.2.2.2”.

    IP addresses returned in the result (if any).

  • response_flags: (optional).

    Type: List of strings.

    Example: “nxdomain”.

    DNS flags set in the response.

SMTP connection contents

Network connections identified to use the SMTP protocol. This type extends the network connection type.

  • email_subject: (optional).

    Type: String.

    Example: “Email Subject”.

    Email subject of a sent message in the SMTP conversation.

  • sender: (optional).

    Type: String.

    Example: “john.doe@example.com”.

    Sender email address of a sent message in the SMTP conversation.

  • recipients: (optional).

    Type: String.

    Example: “Jane <jane.doe@example.com>”.

    Recipient addresses of a sent message in the SMTP conversation.

Address scan contents

Network address scans.

  • subnet: (optional).

    Type: String.

    Example: “192.168.0.0/16”.

    Network targeted by the network address scan.

  • remote_port: (optional).

    Type: Integer.

    Example: 80.

    Destination port used in the network address scan.
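The network section is usually turned into indicators for detection and blocking. The following added example (not the analysis engine's own code) reads a constructed set of records shaped like the connection, DNS query and address scan contents above and reduces them to a defender-facing summary: remote endpoints contacted, ports the sample listened on, HTTP request lines split into method and path, hostnames resolved and those that came back nxdomain, and scanned subnets. It assumes that the protocol-specific extension is identified by the "protocol" field ("HTTP", "IRC", "FTP", "SMTP") and that DNS queries and address scans are provided as separate lists; the format itself does not say how these are nested. Credential-bearing fields (channel_password, irc_password, ftp_login) are only counted per protocol, never copied into the summary, so the output can be shared without leaking captured secrets.

```python
"""Summarize the network section of a report into defender-facing indicators.

Added example, not the report engine's own code. Assumptions: each connection
is a dictionary with the base fields above plus its protocol-specific fields;
the applicable extension is taken from the "protocol" field; DNS queries and
address scans are separate lists. All sample records below are constructed.
"""
from collections import Counter

# Fields that carry captured credentials; counted, never copied.
CREDENTIAL_FIELDS = ("channel_password", "irc_password", "ftp_login")

SAMPLE_CONNECTIONS = [
    {"protocol": "HTTP", "src_ip": "192.168.0.2", "src_port": 1036,
     "dst_ip": "2.2.2.2", "dst_port": 80, "type": "outgoing",
     "url": "GET /search?q=0 HTTP/1.0", "response_protocol_version": "1.1",
     "response_status": "200", "response_headers": {"type": "HTTP Response"}},
    {"protocol": "IRC", "src_ip": "192.168.0.2", "src_port": 1040,
     "dst_ip": "2.2.2.3", "dst_port": 6667, "type": "outgoing",
     "irc_channel": "channel1", "irc_nick": "nick1",
     "channel_password": "channel_password1"},
    {"protocol": "TCP", "src_ip": "192.168.0.2", "src_port": 4444,
     "dst_ip": "0.0.0.0", "type": "listening"},  # constructed listening socket
    {"protocol": "SMTP", "src_ip": "192.168.0.2", "src_port": 1041,
     "dst_ip": "2.2.2.4", "dst_port": 25, "type": "outgoing",
     "email_subject": "Email Subject", "sender": "john.doe@example.com",
     "recipients": "Jane <jane.doe@example.com>"},
]
SAMPLE_DNS = [
    {"hostname": "www.example.com", "results": ["1.1.1.1", "2.2.2.2"]},
    {"hostname": "missing.example.com", "response_flags": ["nxdomain"]},
]
SAMPLE_SCANS = [{"subnet": "192.168.0.0/16", "remote_port": 80}]


def parse_request_line(url):
    """Split an HTTP request line into (method, path, version); malformed lines keep the raw text as path."""
    parts = url.split()
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    return None, url, None


def remote_endpoints(connections):
    """Sorted (ip, port) peers; listening sockets have no remote peer and are skipped."""
    peers = set()
    for c in connections:
        if c.get("type") == "outgoing":
            peers.add((c["dst_ip"], c.get("dst_port")))
        elif c.get("type") == "incoming":
            peers.add((c["src_ip"], c.get("src_port")))
    return sorted(peers, key=lambda p: (p[0], -1 if p[1] is None else p[1]))


def listening_ports(connections):
    """Local ports on which the sample accepted connections."""
    return [c.get("src_port") for c in connections if c.get("type") == "listening"]


def http_requests(connections):
    """(dst_ip, method, path, status) for every HTTP connection with a request line."""
    out = []
    for c in connections:
        if c.get("protocol") == "HTTP" and "url" in c:
            method, path, _version = parse_request_line(c["url"])
            out.append((c["dst_ip"], method, path, c.get("response_status")))
    return out


def credential_use(connections):
    """Per-protocol count of connections that carried credentials (values not copied)."""
    counts = Counter()
    for c in connections:
        if any(c.get(field) for field in CREDENTIAL_FIELDS):
            counts[c.get("protocol", "unknown")] += 1
    return dict(counts)


def resolved_hosts(dns_queries):
    """hostname -> list of returned IPs, for queries that got an answer."""
    return {q["hostname"]: list(q["results"]) for q in dns_queries if q.get("results")}


def failed_lookups(dns_queries):
    """Hostnames whose response carried the nxdomain flag."""
    return [q["hostname"] for q in dns_queries
            if "nxdomain" in [f.lower() for f in q.get("response_flags", [])]]


def summarize(connections, dns_queries, scans):
    """Build the complete summary dictionary from the three record lists."""
    return {
        "remote_endpoints": remote_endpoints(connections),
        "listening_ports": listening_ports(connections),
        "http_requests": http_requests(connections),
        "credential_use": credential_use(connections),
        "resolved": resolved_hosts(dns_queries),
        "nxdomain": failed_lookups(dns_queries),
        "scans": [(s.get("subnet"), s.get("remote_port")) for s in scans],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CONNECTIONS, SAMPLE_DNS, SAMPLE_SCANS).items():
        print(f"{key}: {value}")
```

Keeping nxdomain results in the summary is deliberate: a sample that resolves names which do not exist is often trying domains that were never registered or have already been taken down, which is itself a useful signal when correlating reports over time.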