Report Format ll-int-osx¶

This analysis report format applies to a dynamic analysis run on an OSX platform.

In addition to the report fields that all report formats share (see Analysis Report Format), the report contains a number of different fields with details about the analysis run.

Report contents

remarks: (optional).

Type: Dictionary.

info (optional).

Type: List of strings.

Example: “Text1”,”Text2”.

A list of information strings concerning the analysis run.

warning (optional).

Type: List of strings.

Example: “Text1”,”Text2”.

A list of warning strings concerning the analysis run.

overview.

Type: Dictionary.

analysis_engine.

Type: String.

Example: “LLama - OSX”.

Name of the analysis engine used for generating the result.

analysis_engine_version.

Type: String.

Example: “1.2.4”.

Version of the analysis engine used for generating the result.

analysis_start.

Type: Date-Time.

Example: “2013-10-05 14:21:01.928894”.

Start timestamp of the analysis run.

analysis_end.

Type: Date-Time.

Example: “2013-10-05 14:22:02.935794”.

End timestamp of the analysis run.

analysis_subjects.

Type: List of analysis subjects; see OSX Analysis Subject Format.

A list of programs monitored during the analysis run.

analysis_metadata: (optional).

Type: List of analysis metadata; see OSX Analysis Metadata Format.

A list of artifacts generated during the analysis run. See get_result_artifact() for retrieving this metadata.

url_summary: (optional).

Type: List of strings.

Example: “http://www.example1.com”,”http://www.example2.com”.

Network summary of contacted URLs during analysis run.

OSX Analysis Subject Format¶

The analysis engine will monitor all analysis subjects, such as the originally started program and all child processes or processes that a monitored program interacts with, and then list any security relevant data.

This type extends the format_ll_osx_analysis_subject type with additional information on OSX analysis subjects.

Analysis subject contents

overview.

Type: Dictionary.

Overview of the analysis subject. In addition to the base format contents, the following elements are extracted:

process.

Type: Process; see OSX Process.

Information on the OSX process.

ext_info: (optional).

Type: File-Info; see Static File Information.

Static information on the process image.

console_output: (optional).

Type: Dictionary.

Console output of the program.

stdout: (optional).

Type: String.

Example: “text written to stdout”.

Program output written to default console.

stderr: (optional).

Type: String.

Example: “text written to error console”.

Program output written to error console.

opened_windows: (optional).

Type: List of GUI-windows; see below.

A list of GUI windows opened by the analysis subject.

title:

Type: String.

Example: “Mac Viewer”.

Window title content.

text:

Type: String.

Example: “FolderView”.

Window text content.

loaded_libraries: (optional).

Type: List of libraries; see below.

List of library files loaded by the analysis subject.

filename:

Type: String.

Example: “/tmp/foo.so”.

Path to the library loaded by the analysis subject.

file_reads: (optional).

Type: List of files; see below.

A list of files read by the analysis subject

filename.

Type: String.

Example: “test”.

A file name. Could be absolute or relative path.

abs_path: (optional).

Type: String.

Example: “/tmp/test”.

An absolute path the file.

ext_info: (optional).

Type: File-Info; see Static File Information.

Static file information.

file_writes: (optional).

Type: List of files; see file_reads.

A list of files written by the analysis subject.

file_deletes: (optional).

Type: List of files; see file_reads.

A list of files deleted by the analysis subject.

file_searches: (optional).

Type: List of strings.

A list of files searched for by the analysis subject.

process_interactions: (optional).

Type: List of process-interactions; see below.

A list of processes the analysis subject interacts with.

In addition to the fields of type OSX Process, each element contains the operation(s) performed:

operations:

Type: List of strings.

Example: “create_thread”,”write_mem”.

The type of operations performed on the remote process. Possible values are:

“create_process”: Create a process.

“terminate_process”: Terminate a process.

“create_thread”: Create a thread.

“terminate_thread”: Terminate a thread.

dns_queries: (optional).

Type: List of DNS queries; see DNS query.

List of DNS queries done by the analysis subject.

network_connections: (optional).

Type: List of network connections; see network connection.

List of network connections done by the analysis subject using a protocol that is not parsed into a more specific protocol type.

http_conversations: (optional).

Type: List of HTTP connections; see HTTP connection.

List of network connections identified to use the HTTP protocol done by the analysis subject.

irc_conversations: (optional).

Type: List of IRC connections; see IRC connection.

List of network connections identified to use the IRC protocol done by the analysis subject.

ftp_conversations: (optional).

Type: List of FTP connections; see FTP connection.

List of network connections identified to use the FTP protocol done by the analysis subject.

smtp_conversations: (optional).

Type: List of SMTP connections; see SMTP connection.

List of network connections identified to use the SMTP protocol done by the analysis subject.

address_scans: (optional).

Type: List of network address scans; see address scan.

List of network address scans done by the analysis subject.

downloaded_files: (optional).

Type: List of file-download tuples; see below.

List of files that were downloaded using the OSX file-download API functions. Each element is a tuple of file-origin URL and a File element (see file_reads).

Note: This list does not contain files downloaded using other mechanisms or protocol (such as HTTP). Those are listed in the corresponding network section.

frequent_api_calls: (optional).

Type: List of the frequent API calls; see below.

A list of the frequent API calls.

name: (optional).

Type: String.

Example: “open”.

A name of the API function which was frequently called.

count: (optional).

Type: String.

Example: 31440.

A number of times the API function was called.

pid: (optional).

Type: Integer.

Example: 145.

OSX process identifier (TID) of the calling process.

tid: (optional).

Type: Integer.

Example: 167.

OSX thread identifier (TID) of the calling thread.

yara_signatures: (optional).

Type: List of the Yara signatures; see below.

A list of the Yara signatures which hit on the analysis subject.

name: (optional).

Type: String.

Example: “apt_osx_generic_imageStego”.

A name of the Yara signatures.

score: (optional).

Type: Integer.

Example: 75.

A score which defines how dangerous the analysis subject according to the Yara signature. Possible range from 0 (benign) to 100 (malicious).

internal: (optional).

Type: Boolean.

If true the signature is only for an internal usage.

OSX Process¶

Information on an OSX process.

OSX process contents

process_id.

Type: String.

Example: “1376”.

OSX process identifier (PID).

executable: (optional).

Type: File; see file_reads.

Process image information.

arguments: (optional).

Type: String.

Example: “/test arg1 arg2”.

Full command line used to start the analysis subject.

analysis_subject_id: (optional).

Type: Integer.

Example: 2.

Identifier of the analysis subject within the analysis report if the process belongs to an analysis subject monitored in the analysis run.

OSX Analysis Metadata Format¶

During the analysis run, the analysis engine extracts the metadata that is available for download. This type extends the Analysis Metadata Format type.

Metadata contents

file: (optional).

Type: File; see file_reads.

Name of the file generated during the analysis run. Applies to metadata_type “generated_file”.

Report Format ll-int-osx¶

OSX Analysis Subject Format¶

OSX Process¶

OSX Analysis Metadata Format¶

Table Of Contents

Previous topic

Next topic