Report Format ll-osx-timeline-based

This analysis report format applies to a dynamic analysis run on an OSX platform. Unlike Report Format ll-int-osx, this report focuses on the timeline of the observed behavior: it exposes behavior as a series of events, each associated with the timestamp at which the event was observed.

In addition to the report fields that all report formats share (see Analysis Report Format), the report contains a number of additional fields with details about the analysis run.

Report contents

  • remarks: (optional).

    Type: Dictionary.

    • info (optional).

      Type: List of strings.

      Example: “Text1”, “Text2”.

      A list of information strings concerning the analysis run.

    • warning (optional).

      Type: List of strings.

      Example: “Text1”, “Text2”.

      A list of warning strings concerning the analysis run.

  • overview.

    Type: Dictionary.

    • analysis_engine.

      Type: String.

      Example: “LLama - OSX”.

      Name of the analysis engine used for generating the result.

    • analysis_engine_version.

      Type: String.

      Example: “1.2.4”.

      Version of the analysis engine used for generating the result.

    • analysis_start.

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Start timestamp of the analysis run.

    • analysis_end.

      Type: Date-Time.

      Example: “2013-10-05 14:22:02.935794”.

      End timestamp of the analysis run.

  • analysis_subjects.

    Type: List of analysis subjects; see OSX Analysis Subject Format.

    A list of programs monitored during the analysis run.

  • files.

    Type: List of files; see below.

    • file_id.

      Type: Integer.

      Example: 1.

      ID used to identify the file.

    • filename.

      Type: String.

      Example: “foo”.

      File name; may be an absolute or a relative path.

    • abs_path: (optional).

      Type: String.

      Example: “/tmp/foo”.

      An absolute file path.

    • ext_info: (optional).

      Type: File-Info; see Static File Information.

      Static file information.

  • analysis_metadata: (optional).

    Type: List of analysis metadata; see OSX Analysis Metadata Format.

    A list of artifacts generated during the analysis run. See get_result_artifact() for retrieving this metadata.

  • url_summary: (optional).

    Type: List of strings.

    Example: “http://www.example1.com”,”http://www.example2.com”.

    Summary of the URLs contacted during the analysis run.
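Before consuming a report, a practitioner normally checks that it is internally consistent: the overview fields marked as required above are present, analysis_end does not precede analysis_start, every file_id in files is unique, and every file_resource referenced from an action points at an entry in files. The following checker is an added example written for this page, not the analysis engine's own code. It assumes the `resource` element of an action is a dictionary keyed by the resource_type name (as described under Action Resources later on this page), and the sample report it runs on is constructed, with made-up values.

```python
"""Consistency checks for an ll-osx-timeline-based report (added example).

The sample report at the bottom is constructed for this example: field names
follow the page, the concrete values are made up.
"""
from datetime import datetime

# Date-Time layout used by the report; the microsecond part is treated as optional
TS_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S")


def parse_ts(value):
    """Parse a report Date-Time string into a datetime."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised Date-Time: %r" % (value,))


def check_report(report):
    """Return a list of problem strings; an empty list means the report is consistent."""
    problems = []
    overview = report.get("overview", {})
    for key in ("analysis_engine", "analysis_engine_version",
                "analysis_start", "analysis_end"):
        if key not in overview:
            problems.append("overview.%s is missing" % key)
    if "analysis_start" in overview and "analysis_end" in overview:
        start = parse_ts(overview["analysis_start"])
        end = parse_ts(overview["analysis_end"])
        if end < start:
            problems.append("analysis_end precedes analysis_start")

    # file_id must be unique, otherwise file_resource references are ambiguous
    file_ids = [f.get("file_id") for f in report.get("files", [])]
    for dup in sorted({i for i in file_ids if file_ids.count(i) > 1}, key=repr):
        problems.append("duplicate file_id %r in files" % (dup,))
    known = set(file_ids)

    for n, subject in enumerate(report.get("analysis_subjects", [])):
        for action in subject.get("actions", []):
            where = "subject %d action %r" % (n, action.get("id"))
            if "timestamp" not in action or "action_name" not in action:
                problems.append("%s lacks timestamp or action_name" % where)
                continue
            first = parse_ts(action["timestamp"])
            if "last_timestamp" in action and parse_ts(action["last_timestamp"]) < first:
                problems.append("%s has last_timestamp before timestamp" % where)
            rtype = action.get("resource_type")
            resource = action.get("resource") or {}
            # assumption: the resource element is keyed by the resource_type name
            if rtype and rtype not in resource:
                problems.append("%s resource does not contain %r" % (where, rtype))
            if rtype == "file_resource":
                fid = resource.get("file_resource", {}).get("file_id")
                if fid not in known:
                    problems.append("%s references unknown file_id %r" % (where, fid))
    return problems


# Constructed sample: the second action points at a file_id that is not in files
SAMPLE_REPORT = {
    "overview": {
        "analysis_engine": "LLama - OSX",
        "analysis_engine_version": "1.2.4",
        "analysis_start": "2013-10-05 14:21:01.928894",
        "analysis_end": "2013-10-05 14:22:02.935794",
    },
    "files": [{"file_id": 1, "filename": "foo", "abs_path": "/tmp/foo"}],
    "analysis_subjects": [{
        "actions": [
            {"id": 1, "action_name": "FileWrite", "action_type": "write",
             "resource_type": "file_resource",
             "timestamp": "2013-10-05 14:21:02.000000",
             "resource": {"file_resource": {"file_id": 1}}},
            {"id": 2, "action_name": "FileRead", "action_type": "read",
             "resource_type": "file_resource",
             "timestamp": "2013-10-05 14:21:03.000000",
             "resource": {"file_resource": {"file_id": 7}}},
        ],
    }],
}

if __name__ == "__main__":
    for problem in check_report(SAMPLE_REPORT) or ["report is consistent"]:
        print(problem)
```

Run against the constructed sample, the checker reports the single dangling reference (`subject 0 action 2 references unknown file_id 7`); a dangling file_id is worth treating as a hard error rather than a warning, because later timeline or triage code will otherwise silently drop the file path from the action it belongs to.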

OSX Analysis Subject Format

The analysis engine monitors all analysis subjects (the originally started program, all of its child processes, and any process a monitored program interacts with) and reports the security-relevant data observed for each of them.

This type extends the Analysis Subject Format type with additional information on OSX analysis subjects.

Analysis subject contents

  • overview.

    Type: Dictionary.

    Overview of the analysis subject. In addition to the base format contents, the following elements are extracted:

    • process.

      Type: Process; see OSX Process.

      Information on the OSX process.

    • ext_info: (optional).

      Type: File-Info; see Static File Information.

      Static information on the process image.

  • console_output: (optional).

    Type: Dictionary.

    Console output of the program.

    • stdout: (optional).

      Type: String.

      Example: “text written to stdout”.

      Program output written to the default console.

    • stderr: (optional).

      Type: String.

      Example: “text written to error console”.

      Program output written to the error console.

  • opened_windows: (optional).

    Type: List of GUI-windows; see below.

    A list of GUI windows opened by the analysis subject.

    • title.

      Type: String.

      Example: “Mac Viewer”.

      Window title content.

    • text.

      Type: String.

      Example: “FolderView”.

      Window text content.

  • loaded_libraries: (optional).

    Type: List of libraries; see below.

    List of library files loaded by the analysis subject.

    • filename.

      Type: String.

      Example: “/tmp/bar.so”.

      Path to the library loaded by the analysis subject.

  • actions.

    Type: List of actions; see below.

    List of actions performed by the analysis subject, each carrying the timeline information described below.

    • id: (optional).

      Type: Integer.

      Example: 1.

      Unique ID of the action within the analysis report.

    • action_name.

      Type: String.

      Example: “FileWrite”.

      Name of the action performed by the analysis subject.

    • action_type: (optional).

      Type: String.

      Example: “write”.

      Type of operation performed on the resource.

    • resource_type: (optional).

      Type: String.

      Example: “file_resource”.

      Type of resource (if any) associated with this action; see Action Resources.

    • timestamp:

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Timestamp when the action happened.

    • thread_id: (optional).

      Type: Integer.

      Example: 1020.

      Thread ID (within the analysis subject) that executed the action.

    • stack_depth: (optional).

      Type: Integer.

      Example: 2.

      Call depth at which the action was observed, i.e. how many calls separate it from the first call in the chain.

    • last_timestamp: (optional).

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Timestamp of the last repetition of the action, when the same action was observed more than once.

    • resource: (optional).

      Type: Resource; see Action Resources.

      Information on the action's resource. The name of the resource element matches the value of resource_type.

  • http_conversations: (optional).

    Type: List of HTTP connections; see HTTP connection.

    Network connections made by the analysis subject that were identified as using the HTTP protocol.

  • irc_conversations: (optional).

    Type: List of IRC connections; see IRC connection.

    Network connections made by the analysis subject that were identified as using the IRC protocol.

  • ftp_conversations: (optional).

    Type: List of FTP connections; see FTP connection.

    Network connections made by the analysis subject that were identified as using the FTP protocol.

  • smtp_conversations: (optional).

    Type: List of SMTP connections; see SMTP connection.

    Network connections made by the analysis subject that were identified as using the SMTP protocol.

  • address_scans: (optional).

    Type: List of network address scans; see address scan.

    List of network address scans done by the analysis subject.

  • downloaded_files: (optional).

    Type: List of file-download tuples; see below.

    List of files downloaded through the OSX file-download API functions. Each element is a tuple of the file's origin URL and a File element (see file_reads).

    Note: This list does not contain files downloaded through other mechanisms or protocols (such as raw HTTP connections); those are listed in the corresponding network section.

  • frequent_api_calls: (optional).

    Type: List of the frequent API calls; see below.

    A list of the most frequently called API functions.

    • name: (optional).

      Type: String.

      Example: “open”.

      Name of the API function that was called frequently.

    • count: (optional).

      Type: String.

      Example: 31440.

      Number of times the API function was called.

    • pid: (optional).

      Type: Integer.

      Example: 145.

      OSX process identifier (PID) of the calling process.

    • tid: (optional).

      Type: Integer.

      Example: 167.

      OSX thread identifier (TID) of the calling thread.

  • yara_signatures: (optional).

    Type: List of the Yara signatures; see below.

    A list of the Yara signatures that matched the analysis subject.

    • name: (optional).

      Type: String.

      Example: “apt_osx_generic_imageStego”.

      Name of the Yara signature.

    • score: (optional).

      Type: Integer.

      Example: 75.

      Score indicating how dangerous the analysis subject is according to this Yara signature, ranging from 0 (benign) to 100 (malicious).

    • internal: (optional).

      Type: Boolean.

      If true, the signature is intended for internal use only.
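The yara_signatures and frequent_api_calls lists are what an analyst reaches for first when ranking the subjects of a run. Two details of the format matter in practice: internal signatures should normally not drive a verdict, and count is typed as a String in this format (the example above shows a bare number), so it must be coerced before it is compared. The triage helper below is an added example written for this page, not the engine's own code; the subjects it runs on are constructed, with made-up values, and the threshold of 10000 calls is an arbitrary choice.

```python
"""Rank analysis subjects by Yara score and flag API-call floods (added example).

The sample subjects at the bottom are constructed: field names follow
yara_signatures, frequent_api_calls and OSX Process on this page, the values
are made up.
"""


def subject_score(subject, include_internal=False):
    """Highest Yara score (0..100) that hit on the subject.

    Signatures flagged `internal` are skipped unless explicitly requested.
    """
    best = 0
    for sig in subject.get("yara_signatures", []):
        if sig.get("internal") and not include_internal:
            continue
        best = max(best, int(sig.get("score", 0)))
    return best


def api_floods(subject, threshold=10000):
    """(name, count, pid, tid) for API functions called at least `threshold` times.

    `count` is documented as a String, so it is coerced to int before comparing.
    """
    floods = []
    for call in subject.get("frequent_api_calls", []):
        count = int(call.get("count", 0))
        if count >= threshold:
            floods.append((call.get("name"), count, call.get("pid"), call.get("tid")))
    return sorted(floods, key=lambda f: f[1], reverse=True)


def triage(report, threshold=10000):
    """One summary dict per analysis subject, most suspicious first."""
    rows = []
    for n, subject in enumerate(report.get("analysis_subjects", [])):
        proc = subject.get("overview", {}).get("process", {})
        rows.append({
            "subject": n,
            "pid": proc.get("process_id"),
            "score": subject_score(subject),
            "signatures": [s["name"] for s in subject.get("yara_signatures", [])
                           if not s.get("internal")],
            "api_floods": api_floods(subject, threshold),
        })
    # highest score first; among equal scores, more API floods rank higher
    rows.sort(key=lambda r: (r["score"], len(r["api_floods"])), reverse=True)
    return rows


# Constructed sample: subject 0 matched two signatures (one internal) and hammers open()
SAMPLE_REPORT = {
    "analysis_subjects": [
        {"overview": {"process": {"process_id": "1376"}},
         "yara_signatures": [
             {"name": "apt_osx_generic_imageStego", "score": 75, "internal": False},
             {"name": "internal_engine_marker", "score": 100, "internal": True},
         ],
         "frequent_api_calls": [
             {"name": "open", "count": "31440", "pid": 1376, "tid": 167},
             {"name": "read", "count": "12", "pid": 1376, "tid": 167},
         ]},
        {"overview": {"process": {"process_id": "1402"}}},
    ],
}

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print("subject %(subject)d pid=%(pid)s score=%(score)d %(signatures)r %(api_floods)r" % row)
```

Note the asymmetry in identifier types: process_id under OSX Process is a String, while pid under frequent_api_calls is an Integer, so compare them through str() if a frequent call has to be attributed to a particular subject's process.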

Action Resources

Information about the action resource types.

Action resource contents

  • file_resource:

    Type: List with file information attributes.

    File resource information.

    • file_id.

      Type: Integer

      Example: 1.

      Identifier of the file resource; refers to the file_id of an entry in files.

  • process_resource:

    Type: Process; see OSX Process.

    Process used by the analysis subject.

  • search_resource:

    Type: List with file search information.

    File search performed by the analysis subject.

    • searched_data: (optional).

      Type: List of strings.

      Example: “/tmp/foo”, “/tmp/.*”.

      A list of strings containing the searched paths or patterns.

  • network_resource:

    Type: Network connection; see network connection.

    Network connection made by the analysis subject using a protocol that is not parsed into a more specific network action type.

  • dns_resource:

    Type: DNS query; see DNS query.

    DNS query done by the analysis subject.
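The point of this report format is that actions from all subjects carry comparable timestamps, so a single report-wide timeline can be reconstructed across processes. The following code is an added example written for this page, not the engine's own: it resolves each action's resource into readable text (file_resource via file_id against files, process_resource via the OSX Process fields process_id, arguments and analysis_subject_id documented in the next section, search_resource via searched_data), merges the per-subject action lists, orders them by timestamp and reports how long a repeated action kept recurring using last_timestamp. It assumes the `resource` element is keyed by the resource_type name, as the text above states. The report fragment it runs on is constructed; the action names other than FileWrite are made up, and network_resource and dns_resource, whose formats are documented on other pages, are shown raw.

```python
"""Build one report-wide timeline from the per-subject action lists (added example).

The sample report at the bottom is constructed: field names follow this page,
the values and the action names other than FileWrite are made up.
"""
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"  # Date-Time layout used in this report


def describe_resource(action, files_by_id):
    """Render an action's resource as text, resolving file_id against files."""
    rtype = action.get("resource_type")
    res = (action.get("resource") or {}).get(rtype) or {}  # keyed by resource_type (assumed)
    if rtype == "file_resource":
        entry = files_by_id.get(res.get("file_id"), {})
        return entry.get("abs_path") or entry.get("filename") or "file_id=%r" % (res.get("file_id"),)
    if rtype == "process_resource":  # carries the OSX Process fields
        text = "pid %s" % res.get("process_id")
        if res.get("arguments"):
            text += " (%s)" % res["arguments"]
        if "analysis_subject_id" in res:
            text += " [subject %d]" % res["analysis_subject_id"]
        return text
    if rtype == "search_resource":
        return ", ".join(res.get("searched_data", []))
    # network_resource / dns_resource layouts live on other pages: show them raw
    return repr(res) if res else ""


def build_timeline(report):
    """Return every action of every subject as a dict, ordered by time across subjects."""
    files_by_id = {f["file_id"]: f for f in report.get("files", [])}
    rows = []
    for n, subject in enumerate(report.get("analysis_subjects", [])):
        pid = subject.get("overview", {}).get("process", {}).get("process_id")
        for action in subject.get("actions", []):
            first = datetime.strptime(action["timestamp"], TS_FORMAT)
            last = datetime.strptime(action.get("last_timestamp", action["timestamp"]), TS_FORMAT)
            rows.append({
                "timestamp": first,
                "subject": n,
                "pid": pid,
                "thread_id": action.get("thread_id"),
                "action": action["action_name"],
                "type": action.get("action_type", ""),
                "resource": describe_resource(action, files_by_id),
                # seconds over which the same action kept repeating (0 if seen once)
                "repeated_for": (last - first).total_seconds(),
            })
    # order by time; the subject index breaks ties so the output is deterministic
    rows.sort(key=lambda r: (r["timestamp"], r["subject"]))
    return rows


def format_timeline(rows):
    """One printable line per timeline row."""
    lines = []
    for r in rows:
        tail = " (repeated for %.3fs)" % r["repeated_for"] if r["repeated_for"] else ""
        lines.append("%s pid=%s tid=%s %s/%s %s%s" % (
            r["timestamp"].strftime("%H:%M:%S.%f"), r["pid"], r["thread_id"],
            r["action"], r["type"], r["resource"], tail))
    return lines


# Constructed sample: subject 0 writes /tmp/foo and launches it; subject 1 is that child
SAMPLE_REPORT = {
    "files": [{"file_id": 1, "filename": "foo", "abs_path": "/tmp/foo"}],
    "analysis_subjects": [
        {"overview": {"process": {"process_id": "1376"}},
         "actions": [
             {"id": 1, "action_name": "FileWrite", "action_type": "write",
              "resource_type": "file_resource", "thread_id": 1020,
              "timestamp": "2013-10-05 14:21:02.100000",
              "resource": {"file_resource": {"file_id": 1}}},
             {"id": 2, "action_name": "ProcessCreate", "action_type": "create",
              "resource_type": "process_resource", "thread_id": 1020,
              "timestamp": "2013-10-05 14:21:02.500000",
              "resource": {"process_resource": {"process_id": "1402",
                                                "arguments": "/tmp/foo --quiet",
                                                "analysis_subject_id": 1}}}]},
        {"overview": {"process": {"process_id": "1402"}},
         "actions": [
             {"id": 3, "action_name": "FileRead", "action_type": "read",
              "resource_type": "file_resource", "thread_id": 1450,
              "timestamp": "2013-10-05 14:21:02.700000",
              "last_timestamp": "2013-10-05 14:21:05.700000",
              "resource": {"file_resource": {"file_id": 1}}},
             {"id": 4, "action_name": "FileSearch", "action_type": "search",
              "resource_type": "search_resource", "thread_id": 1450,
              "timestamp": "2013-10-05 14:21:03.000000",
              "resource": {"search_resource": {"searched_data": ["/tmp/.*"]}}}]},
    ],
}

if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline(SAMPLE_REPORT))))
```

On the constructed sample the merged timeline reads: the parent writes /tmp/foo, spawns pid 1402 (linked to subject 1 through analysis_subject_id), and the child then re-reads the file repeatedly for three seconds before searching /tmp. The link through analysis_subject_id is what lets a process_resource action in one subject be joined to the actions of the subject it created; without it the two lists would only be correlated by PID strings.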

OSX Process

Information on an OSX process.

OSX process contents

  • process_id.

    Type: String.

    Example: “1376”.

    OSX process identifier (PID).

  • executable: (optional).

    Type: File; see file_reads.

    Process image information.

  • arguments: (optional).

    Type: String.

    Example: “/tmp/test arg1 arg2”.

    Full command line used to start the process.

  • analysis_subject_id: (optional).

    Type: Integer.

    Example: 2.

    Identifier of the analysis subject within the analysis report; present when the process is itself one of the analysis subjects monitored in the run.