Report Format ll-win-timeline-based

This analysis report format applies to a dynamic analysis run on a Microsoft Windows platform. Unlike Report Format ll-int-win, this report focuses on the timeline of the observed actions and exposes behavior as a series of events, each associated with the timestamp at which it was observed.

In addition to the report fields that all report formats share (see Analysis Report Format), the report contains a number of different fields with details about the analysis run.

Report contents

  • remarks: (optional).

    Type: Dictionary.

    • info (optional).

      Type: List of strings.

      Example: “Text1”,”Text2”.

      A list of information strings concerning the analysis run.

    • warning (optional).

      Type: List of strings.

      Example: “Text1”,”Text2”.

      A list of warning strings concerning the analysis run.

  • overview.

    Type: Dictionary.

    • analysis_engine.

      Type: String.

      Example: “LLama - WindowsXP”.

      Name of the analysis engine used for generating the result.

    • analysis_engine_version.

      Type: String.

      Example: “1.2.4”.

      Version of the analysis engine used for generating the result.

    • analysis_start.

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Start timestamp of the analysis run.

    • analysis_end.

      Type: Date-Time.

      Example: “2013-10-05 14:22:02.935794”.

      End timestamp of the analysis run.

  • analysis_subjects.

    Type: List of analysis subjects; see Windows Analysis Subject Format.

    A list of programs monitored during the analysis run.

  • files.

    Type: List of files; see below.

    • file_id.

      Type: Integer.

      Example: “1”.

      ID used to identify the file.

    • filename.

      Type: String.

      Example: “desktop.ini”.

      A file name; this may be an absolute or a relative path.

    • abs_path: (optional).

      Type: String.

      Example: “C:\Users\desktop.ini”.

      An absolute file path.

    • ext_info: (optional).

      Type: File-Info; see Static File Information.

      Static file information.

  • analysis_metadata: (optional).

    Type: List of analysis metadata; see Windows Analysis Metadata Format.

    A list of artifacts generated during the analysis run. See get_result_artifact() for retrieving this metadata.

  • randomized_registry_values: (optional).

    Type: List of registry keys; see registry_reads.

    A list of Microsoft Windows Registry values that the analysis engine randomized during the analysis run to avoid detection by the analysis subject. For the format of each value, refer to registry_reads.

  • url_summary: (optional).

    Type: List of strings.

    Example: “http://www.example1.com”,”http://www.example2.com”.

    Network summary of the URLs contacted during the analysis run.

PE Stats information

The analysis engine extracts statistical file information for most PE files manipulated during the analysis run.

PE Stats information contents

  • size.

    Type: Integer.

    Example: 1.

    Size of the PE.

  • histogram.

    Type: List.

    Example: “[{‘byte’: 0, frequency: 1.0}]”.

    A list with dicts representing the histogram of byte frequency in the PE.

  • entropy.

    Type: Floating-point number.

    Example: 1.5.

    Entropy of the PE data.

  • average.

    Type: Floating-point number.

    Example: 1.5.

    Average of all byte values in the PE file.

  • variance.

    Type: Floating-point number.

    Variance of the byte values in the PE file.

  • autocorrelation_1.

    Type: Floating-point number.

    Autocorrelation (lag=1) of byte values in the PE data.

  • block_average.

    Type: List.

    A list with the average of byte values in data blocks of 1024 bytes.
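The statistics above are simple enough to recompute from the raw bytes of a file, which is useful when you want to check a report's values against a sample you hold, or compute the same features for files the engine did not touch. The following Python script is an added example, not code from the report format or its analysis engine; the exact formulas (Shannon entropy in bits, population variance, Pearson-style lag-1 autocorrelation, and a trailing partial block averaged over its own length) are assumptions, since the page names the fields but not how they are computed.

```python
import math
from collections import Counter

BLOCK_SIZE = 1024  # block size the page states for block_average


def byte_histogram(data: bytes) -> list:
    """Relative frequency of each byte value that occurs, as a list of
    {'byte': value, 'frequency': share} dicts, in the shape the page shows."""
    counts = Counter(data)
    total = len(data)
    return [{"byte": b, "frequency": counts[b] / total} for b in sorted(counts)]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0). Base 2 is an assumption;
    the page does not state the logarithm base the engine uses."""
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def autocorrelation_lag1(data: bytes, mean: float) -> float:
    """Lag-1 autocorrelation coefficient of the byte sequence (assumed to be the
    usual Pearson form). A constant buffer has no variance; 0.0 is returned then."""
    denominator = sum((x - mean) ** 2 for x in data)
    if len(data) < 2 or denominator == 0:
        return 0.0
    numerator = sum((data[i] - mean) * (data[i + 1] - mean) for i in range(len(data) - 1))
    return numerator / denominator


def block_averages(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Mean byte value per consecutive block; a trailing partial block is
    averaged over its own length (assumption)."""
    return [sum(data[i:i + block_size]) / len(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def compute_pe_stats(data: bytes) -> dict:
    """Recompute the PE Stats fields from raw file bytes."""
    if not data:
        raise ValueError("cannot compute statistics of an empty buffer")
    total = len(data)
    mean = sum(data) / total
    variance = sum((x - mean) ** 2 for x in data) / total  # population variance (assumption)
    return {
        "size": total,
        "histogram": byte_histogram(data),
        "entropy": shannon_entropy(data),
        "average": mean,
        "variance": variance,
        "autocorrelation_1": autocorrelation_lag1(data, mean),
        "block_average": block_averages(data),
    }


if __name__ == "__main__":
    # Constructed inputs: a zero-filled buffer and an alternating 0x00/0xFF pattern.
    for sample in (b"\x00" * 2048, bytes([0x00, 0xFF] * 8)):
        stats = compute_pe_stats(sample)
        print({k: v for k, v in stats.items() if k != "histogram"})
```

Comparing the recomputed `entropy` and `autocorrelation_1` with the values in a report is a quick way to confirm that the file the report describes is the same bytes you are holding; a mismatch usually means the engine saw a different (for example, overlay-stripped or dropped) copy.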

PE Resource Stats information

The analysis engine extracts statistical information about the resources in a PE file for most PE files manipulated during the analysis run.

PE Resource Stats information contents

  • name:

    Type: String.

    Example: “RT_MANIFEST”.

    The name of the PE Resource.

  • lang.

    Type: String.

    Example: “LANG_ENGLISH”.

    Primary language identifier for the resource.

  • sublang.

    Type: String.

    Example: “SUBLANG_ENGLISH_US”.

    Sublanguage identifier for the resource.

  • stats.

    Type: PE Stats; see PE Stats information.

    PE Resource statistic information.

Windows Analysis Subject Format

The analysis engine monitors all analysis subjects, that is, the originally started program as well as all child processes and any processes that a monitored program interacts with, and lists any security-relevant data for each of them.

This type extends the Analysis Subject Format type with additional information on Windows analysis subjects.

Analysis subject contents

  • overview.

    Type: Dictionary.

    Overview of the analysis subject. In addition to the base format contents, the following elements are extracted:

    • process.

      Type: Process; see Windows Process.

      Information on the Windows process.

    • ext_info: (optional).

      Type: File-Info; see Static File Information.

      Static information on the process image.

  • console_output: (optional).

    Type: Dictionary.

    Console output of the program.

    • stdout: (optional).

      Type: String.

      Example: “text written to stdout”.

      Program output written to default console.

    • stderr: (optional).

      Type: String.

      Example: “text written to error console”.

      Program output written to error console.

  • opened_windows: (optional).

    Type: List of GUI-windows; see below.

    A list of GUI windows opened by the analysis subject.

    • title:

      Type: String.

      Example: “Documents and Settings”.

      Window title content.

    • text:

      Type: String.

      Example: “FolderView”.

      Window text content.

  • loaded_libraries: (optional).

    Type: List of libraries; see below.

    List of library files loaded by the analysis subject.

    • filename:

      Type: String.

      Example: “C:\windows\syswow64\ole32.dll”.

      Path to the library loaded by the analysis subject.

  • actions:

    Type: List of actions; see below.

    List of actions performed by the analysis subject with timeline information; see below.

    • id: (optional).

      Type: Integer.

      Example: 1.

      Unique ID of the action within the analysis report.

    • action_name:

      Type: String.

      Example: “FileWrite”.

      Name of the action performed by the analysis subject.

    • action_type: (optional).

      Type: String

      Example: “write”.

      Defines the type of action that is performed on the resource.

    • resource_type: (optional).

      Type: String

      Example: “file_resource”.

      Defines the type of resource (if any) associated with this action.

    • timestamp:

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Timestamp when the action happened.

    • thread_id: (optional)

      Type: Integer.

      Example: 1020.

      Thread ID (within the analysis subject) that executed the action.

    • stack_depth: (optional)

      Type: Integer.

      Example: 2.

      Indicates how many calls away from the first call this action was observed (its depth in the call chain).

    • last_timestamp: (optional)

      Type: Date-Time.

      Example: “2013-10-05 14:21:01.928894”.

      Timestamp when the action was last repeated.

    • resource: (optional).

      Type: Resource; see Action Resources.

      Information on the action's resource. The name of the resource element matches the value given in resource_type.

  • http_conversations: (optional).

    Type: List of HTTP connections; see HTTP connection.

    List of network connections made by the analysis subject that were identified as using the HTTP protocol.

  • irc_conversations: (optional).

    Type: List of IRC connections; see IRC connection.

    List of network connections made by the analysis subject that were identified as using the IRC protocol.

  • ftp_conversations: (optional).

    Type: List of FTP connections; see FTP connection.

    List of network connections made by the analysis subject that were identified as using the FTP protocol.

  • smtp_conversations: (optional).

    Type: List of SMTP connections; see SMTP connection.

    List of network connections made by the analysis subject that were identified as using the SMTP protocol.

  • address_scans: (optional).

    Type: List of network address scans; see address scan.

    List of network address scans done by the analysis subject.

  • downloaded_files: (optional).

    Type: List of file-download tuples; see below.

    List of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element (see file_reads).

    Note: This list does not contain files downloaded using other mechanisms or protocols (such as plain HTTP). Those are listed in the corresponding network section.

  • pe_images: (optional).

    Type: List of PE images; see below.

    A list of PE images found in the memory of the analysis subject.

    • image.

      Type: PE image; see Portable Executable Image.

      Process image information extracted when the image was included in the analysis.

    • image_diff: (optional).

      Type: PE image; see Portable Executable Image.

      Process image information extracted at program termination or analysis end.

  • memory_blocks: (optional).

    Type: List of memory-blocks; see below.

    A list of allocated memory regions found in the memory of the analysis subject.

    • name: (optional).

      Type: String.

      Example: “mem_b67f3190f04083ac1e0189307f4d64d4”.

      A name of the memory block. Format: mem_<md5>.

    • size: (optional).

      Type: Integer.

      Size of the memory block in bytes.

    • start_va: (optional).

      Type: Integer.

      Virtual address (VA) at which the memory block starts.

    • end_va: (optional).

      Type: Integer.

      Virtual address (VA) at which the memory block ends.

    • access: (optional).

      Type: Hexadecimal string.

      A set of flags that indicate the memory block’s attributes (such as code/data, readable, or writable).

    • number_of_executed_pages: (optional).

      Type: Integer.

      Number of executed pages in the memory block.

    • executed_pages: (optional).

      Type: List of integers.

      List of VAs of the executed pages.

    • dist_bytes_vector: (optional).

      Type: Hexadecimal string.

      An internal field used by an analysis engine.

    • average_bytes: (optional).

      Type: Hexadecimal string.

      An internal field used by an analysis engine.

    • autocorrelation: (optional).

      Type: Floating-point number.

      Autocorrelation of the memory block data.

    • entropy: (optional).

      Type: Floating-point number.

      Entropy of the memory block data.

    • embedded_pe_header.

      Type: Boolean.

      True if a PE image header was recognized in the memory block.

    • number_of_strings: (optional).

      Type: Integer.

      Number of strings found in the memory block.

    • strings: (optional).

      Type: List of strings.

      Example: “SSP3FR.DLL”,”ROOF”,”Help Button”.

      A list of strings found in the memory block.

    • md5.

      Type: Hexadecimal string.

      MD5 hash of the memory block content.

  • strings_lists: (optional).

    Type: List of named strings-lists; see below.

    A list of named strings-lists. The name identifies the type of the strings in the list.

    • name: (optional).

      Type: String.

      Example: “heap_strings”.

      A name of the string list.

    • strings: (optional).

      Type: List of strings.

      Example: “ProgramData=C:\ProgramData”,”NUMBER_OF_PROCESSORS=1”,”ncacn_ip_tcp”.

      A list of strings.

  • patched_sleeps: (optional).

    Type: List of patched sleep values; see below.

    A list of patched sleep values. Sleep patching is an anti-evasion technique that shortens the waiting period of sleep functions and timers when it is too long.

    • count: (optional).

      Type: Integer.

      Example: 1.

      Number of times the sleep function was called.

    • new_value: (optional).

      Type: Integer.

      Example: 5.

      New value of the waiting period in seconds.

    • old_value: (optional).

      Type: Integer.

      Example: 3600.

      Old value of the waiting period in seconds.

  • frequent_api_calls: (optional).

    Type: List of the frequent API calls; see below.

    A list of the frequent API calls.

    • name: (optional).

      Type: String.

      Example: “NtOpenThreadToken”.

      Name of the API function that was frequently called.

    • count: (optional).

      Type: String.

      Example: 31440.

      Number of times the API function was called.

    • pid: (optional).

      Type: Integer.

      Example: 145.

      Windows process identifier (PID) of the calling process.

    • tid: (optional).

      Type: Integer.

      Example: 167.

      Windows thread identifier (TID) of the calling thread.

  • yara_signatures: (optional).

    Type: List of the Yara signatures; see below.

    A list of the Yara signatures that matched the analysis subject.

    • name: (optional).

      Type: String.

      Example: “apt_win_generic_imageStego”.

      Name of the Yara signature.

    • score: (optional).

      Type: Integer.

      Example: 75.

      A score indicating how dangerous the analysis subject is according to the Yara signature. Possible range: 0 (benign) to 100 (malicious).

    • internal: (optional).

      Type: Boolean.

      If true, the signature is for internal use only.

  • flirt_signatures: (optional).

    Type: List of the Yara signatures; see below.

    A list of the FLIRT signatures that matched the analysis subject. FLIRT signatures recognize known functions.

    • name: (optional).

      Type: String.

      Example: “___ascii_strnicmp”

      Name of the signature.

  • keyboard_capture: (optional).

    Type: List of keyboard actions captured; see below.

    A list of keyboard inputs sent during the analysis that were observed being captured by the analysis subject's behavior.

    • word: (optional).

      Type: String.

      Example: “8989-8408-5161-4765”

      Word captured by the sample during the analysis.

    • word_type: (optional).

      Type: String.

      Example: “Credit Card”

      Type of word that was captured.
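The memory_blocks, patched_sleeps, frequent_api_calls and yara_signatures lists above are the per-subject fields an analyst typically reads first. The script below is an added example, not code from the report format or its analysis engine: it runs over a constructed analysis subject (all hashes, addresses, counts and rule names are invented, and the 7.0 entropy threshold is an assumption), flags memory blocks that combine executed pages with an embedded PE header or with high entropy, reports blocks whose own fields disagree with each other (the name is assumed to be mem_<md5> of the same md5 field), and summarizes the sleep patching, YARA scores and API call counts.

```python
# Constructed sample analysis subject; only the field layout follows the page.
SAMPLE_SUBJECT = {
    "overview": {"process": {"process_id": "1376", "analysis_subject_id": 1}},
    "memory_blocks": [
        {"name": "mem_b67f3190f04083ac1e0189307f4d64d4", "md5": "b67f3190f04083ac1e0189307f4d64d4",
         "size": 8192, "start_va": 0x00400000, "end_va": 0x00402000, "access": "0x40",
         "number_of_executed_pages": 2, "executed_pages": [0x00400000, 0x00401000],
         "embedded_pe_header": True, "entropy": 6.2, "strings": ["Help Button"]},
        {"name": "mem_0123456789abcdef0123456789abcdef", "md5": "0123456789abcdef0123456789abcdef",
         "size": 4096, "start_va": 0x00600000, "end_va": 0x00601000, "access": "0x04",
         "number_of_executed_pages": 0, "executed_pages": [],
         "embedded_pe_header": False, "entropy": 3.1},
        {"name": "mem_ffffffffffffffffffffffffffffffff", "md5": "00000000000000000000000000000000",
         "size": 4096, "start_va": 0x00900000, "end_va": 0x00901000, "access": "0x40",
         "number_of_executed_pages": 1, "executed_pages": [0x00a00000],
         "embedded_pe_header": False, "entropy": 7.8},
    ],
    "patched_sleeps": [{"count": 1, "new_value": 5, "old_value": 3600},
                       {"count": 4, "new_value": 5, "old_value": 60}],
    "frequent_api_calls": [{"name": "NtOpenThreadToken", "count": "31440", "pid": 145, "tid": 167},
                           {"name": "NtQuerySystemTime", "count": "900", "pid": 145, "tid": 167}],
    "yara_signatures": [{"name": "apt_win_generic_imageStego", "score": 75, "internal": False},
                        {"name": "internal_only_rule", "score": 95, "internal": True}],
}

HIGH_ENTROPY = 7.0  # assumed threshold; the page does not define one


def suspicious_memory_blocks(subject: dict, entropy_threshold: float = HIGH_ENTROPY) -> list:
    """Return [(block_name, [reasons])] for blocks worth a closer look: executed
    pages together with an embedded PE header (an image that did not arrive via
    the loader) or with high entropy (packed or encrypted code being run), plus
    internal inconsistencies that suggest the record should not be trusted."""
    findings = []
    for block in subject.get("memory_blocks", []):
        reasons = []
        executed = block.get("executed_pages") or []
        if executed and block.get("embedded_pe_header"):
            reasons.append("executed pages in a block with an embedded PE header")
        if executed and block.get("entropy", 0.0) > entropy_threshold:
            reasons.append("executed pages in a high-entropy block")
        if block.get("number_of_executed_pages") not in (None, len(executed)):
            reasons.append("number_of_executed_pages disagrees with executed_pages")
        start, end = block.get("start_va"), block.get("end_va")
        if start is not None and end is not None and any(not start <= va < end for va in executed):
            reasons.append("executed page outside the block's VA range")
        if block.get("name") and block.get("md5") and block["name"] != "mem_" + block["md5"]:
            reasons.append("name does not match md5 (expected mem_<md5>)")
        if reasons:
            findings.append((block.get("name"), reasons))
    return findings


def sleep_seconds_skipped(subject: dict) -> int:
    """Total wait time (seconds) removed by sleep patching: each call would have
    waited old_value but was shortened to new_value."""
    return sum(p.get("count", 0) * (p.get("old_value", 0) - p.get("new_value", 0))
               for p in subject.get("patched_sleeps", []))


def max_yara_score(subject: dict, include_internal: bool = False) -> int:
    """Highest YARA score; internal-only signatures are skipped unless asked for."""
    scores = [s.get("score", 0) for s in subject.get("yara_signatures", [])
              if include_internal or not s.get("internal")]
    return max(scores) if scores else 0


def top_api_calls(subject: dict, n: int = 3) -> list:
    """Most frequently called API functions as (name, count). The page types
    count as a string, so it is converted here."""
    calls = [(c["name"], int(c.get("count", 0))) for c in subject.get("frequent_api_calls", [])]
    return sorted(calls, key=lambda c: c[1], reverse=True)[:n]


def triage_subject(subject: dict) -> dict:
    """One-glance summary of the fields above for a single analysis subject."""
    return {
        "pid": subject.get("overview", {}).get("process", {}).get("process_id"),
        "suspicious_blocks": suspicious_memory_blocks(subject),
        "sleep_seconds_skipped": sleep_seconds_skipped(subject),
        "max_yara_score": max_yara_score(subject),
        "top_api_calls": top_api_calls(subject),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage_subject(SAMPLE_SUBJECT))
```

The consistency checks matter as much as the heuristics: a block whose executed_pages fall outside its own start_va/end_va, or whose count field disagrees with the list, is a sign that the record was truncated or merged and should be re-read from the raw artifact before any conclusion is drawn from it.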

Action Resources

Information about the action resource types.

Action resource contents

  • file_resource:

    Type: List with file information attributes.

    File resource information.

    • file_id.

      Type: Integer

      Example: 1.

      Identifier of the file resource used; see files.

    • status: (optional).

      Type: String

      Example: “STATUS_UNKNOWN”.

      Return value for a file operation.

    • file_attributes: (optional).

      Type: List of Strings

      Example: “FILE_ATTRIBUTE_ARCHIVE”, “FILE_ATTRIBUTE_HIDDEN”.

      Attributes of the file.

    • iostatus: (optional).

      Type: List of strings

      Example: “FILE_CREATED”, “FILE_OPENED”

      Completion status of the file operation.

    • pe_resources: (optional).

      Type: List.

      List of resources in the PE; see pe-resources.

    • pe_overlay_stats: (optional).

      Type: Dictionary

      Statistics about the file (if it is a PE); see pe-stats.

    • disposition: (optional).

      Type: List of strings

      Example: “FILE_OVERWRITE_IF”, “FILE_OPEN”.

      How to proceed when opening the file.

    • options: (optional).

      Type: List of strings

      Example: “FILE_NON_DIRECTORY_FILE”, “FILE_SYNCHRONOUS_IO_NONALERT”.

      Creation options for the file.

  • registry_resource:

    Type: List with registry key information.

    A registry key used by the analysis subject.

    • key.

      Type: String.

      Example: “HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\DRIVERS32”.

      A registry key.

    • value: (optional).

      Type: String.

      Example: “wave9”.

      A registry value.

    • data: (optional).

      Type: String or Integer.

      Example: 1, “mso.dll”.

      Data of the registry value.

  • mutex_resource:

    Type: List with mutex information.

    Mutex information from a mutex used by the analysis subject.

    • mutex_name:

      Type: String.

      Example: “Mutex1”.

      Name of the mutex synchronization object.

  • error_resource:

    Type: List with system error information.

    An exception raised by the analysis subject.

    • addr: (optional).

      Type: Hexadecimal number.

      Example: 0x7c832297.

      Instruction address raising the exception.

    • code: (optional).

      Type: Hexadecimal number.

      Example: 0xc0000005.

      Microsoft Windows exception code.

    • name: (optional).

      Type: String.

      Example: “STATUS_ACCESS_VIOLATION”.

      Microsoft Windows exception name.

    • exception_name: (optional).

      Type: String.

      Example: “Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c832297 (subject_id: 2)”.

      Full exception information.

    • exception_count: (optional).

      Type: Integer.

      Example: 1.

      Number of exception occurrences.

    • errors: (optional).

      Type: List.

      Example: “SEM_NOOPENFILEERRORBOX”, “SEM_FAILCRITICALERRORS”.

      Microsoft Windows process error modes.

  • process_resource:

    Type: Process information

    A process used by the analysis subject; see process.

  • hook_resource:

    Type: List with hook information.

    A hook set by the analysis subject.

    • hooks:

      Type: List of hooks set in the system

      Example: “WH_KEYBOARD_LL”,”WH_KEYBOARD”,”WH_MOUSE”.

      A list of strings naming the hooks set in the system.

  • service_resource:

    Type: List with service information.

    A service used by the analysis subject.

    • service_file: (optional).

      Type: Integer

      Example: 1.

      File ID; see files.

    • service_name: (optional).

      Type: String.

      Example: “WNKiserv”

      A display name to be used by user interface programs to identify the service.

    • start_type: (optional).

      Type: Integer.

      Example: 0x00000002 (SERVICE_FILE_SYSTEM_DRIVER)

    • change: (optional).

      Type: String.

      A change of the service made by the analysis subject.

  • search_resource:

    Type: List with file search information.

    Search made by the analysis subject.

    • searched_data: (optional).

      Type: List of data searched

      Example: “C:\TEST.DLL”,”D:\*”,”C:\WINDOWS”.

      A list of strings containing the searched information.

  • network_resource:

    Type: Network connection; see network connection.

    Network connection done by the analysis subject using a protocol that is not parsed into a more specific network action type.

  • dns_resource:

    Type: DNS query; see DNS query.

    DNS query done by the analysis subject.

  • string_cmp_resource:

    Type: List with string comparison attributes.

    A string comparison.

    • name: (optional).

      Type: String.

      Example: “shlwapi.dll.StrStr_generic”.

      A possible name of the string comparison function, usually identified by a FLIRT signature; see flirt_signatures.

    • src_string: (optional).

      Type: String.

      Example: “C:\Users\Public\Desktop”.

      The first compared string (string 1).

    • dst_string: (optional).

      Type: String.

      Example: “%SYSTEMROOT%”.

      The second compared string (string 2).

    • src_sources: (optional).

      Type: List of strings.

      Example: “\Registry\Machine\Software\Classes.dot\Icon”,”Command line”.

      A list of possible sources (where this string could have been read from) for string 1.

    • dst_sources: (optional).

      Type: List of strings.

      Example: “\Registry\Machine\Software\Classes.dot\Icon”,”Command line”.

      A list of possible sources (where this string could have been read from) for string 2.

Windows Process

Information on a Windows process.

Windows process contents

  • process_id.

    Type: String.

    Example: “1376”.

    Windows process identifier (PID).

  • executable: (optional).

    Type: File; see file_reads.

    Process image information.

  • arguments: (optional).

    Type: String.

    Example: “C:\subject.exe arg1 arg2”.

    Full command line used to start the analysis subject.

  • bitsize: (optional).

    Type: Integer.

    Example: 32.

    Process bit-size (32-bit or 64-bit process).

  • analysis_subject_id: (optional).

    Type: Integer.

    Example: 2.

    Identifier of the analysis subject within the analysis report if the process belongs to an analysis subject monitored in the analysis run.