Spectra Core - Static Analysis Results
The Spectra Core page visualizes the static analysis report for every sample. The information is organized into sections which can be expanded using the accordion menus. The amount of information and the available sections vary based on file type.
File information and statistics
The Info section displays basic information such as file type, predicted filename (if it exists), file size, and entropy; file validation; the set of hashes computed for the sample; as well as statistics about other files contained within the original sample.
If there are any errors or warnings detected during sample analysis, they are listed as individual entries in this section.
File type-specific information
This section contains detailed information about the sample based on the metadata extracted by Spectra Core. As the name implies, the information in this section depends on the file type of the sample.
In the example of an Application (Portable Executable), the following information may be included:
Identity
Application identity takes whitelisting and certificates into consideration and labels applications with their correct software versions. It removes the ambiguity left by source and certificate whitelisting as it can pinpoint the exact software release. Furthermore, it can identify the correct identity for software that isn’t typically signed or published on a reputable source.
Capabilities
Capabilities are actions the sample is able to perform, identified without executing it. Insight into capabilities is obtained exclusively through static analysis of the sample.
To find samples that exhibit specific capabilities, use the tag keyword in Advanced Search. For example, tag:capability-cryptography will find samples that can encrypt data. Consult the full list of supported tags.
Analysis
Shows the security grade and detected security issues for the analyzed sample. Depending on the security issues, the sample can get one of the following grades:
- Grade A. Best security grade. The application follows the latest standards and policies.
- Grade B. Good security grade. The application has sufficient security mechanisms implemented, but does not have all the latest features enabled.
- Grade C. Minor security issues detected. The application has some security mechanisms implemented, but is not considered safe to use in all environments.
- Grade D. Major security issues detected. The application should only be executed in secured environments.
- Grade E. Major security issues detected. The application should only be executed in highly secured environments.
- Grade F. Major security issues detected. Consider the application unsafe to run.
DOS Header
Historical header that serves as a pointer to the File Header through the e_lfanew entry.
File Header
Important entries in the File Header include:
- Machine - target architecture for which the PE file was compiled
- Time Date Stamp - date when the PE file was compiled
- Characteristics - PE file attributes
- Number of Sections, Number of Symbols
Optional Header
Describes elements such as import and export directories that make it possible to locate and link DLL libraries. Other entries provide structural information about the layout of the file, such as the alignment of its sections.
Sections
Describes each of the sections making up the file. Sections can contain code, initialized and uninitialized data, resources and any other data.
The following information may be of particular interest to malware analysts:
- Flags show whether the section contains executable code, can be read from, written to or has other properties
- Hashes can be used to correlate with other files
- Entropy can show if a section is encrypted or compressed
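The header fields and section properties described above can be read directly from the file bytes. The following Python sketch is an added example, not Spectra Core code: it follows e_lfanew to the File Header, then reports each section's flags and entropy. The sample bytes are a constructed, non-functional PE skeleton, and the names parse_pe, build_sample and .packed are assumptions made for illustration.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SCN_FLAGS = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def parse_pe(buf: bytes) -> dict:
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)  # DOS Header points at the PE signature
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    machine, nsect, stamp, _, nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the Optional Header
    sections = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "flags": "".join(ch if flags & bit else "-" for bit, ch in SCN_FLAGS),
            "entropy": round(entropy(buf[raw_ptr:raw_ptr + raw_size]), 2),
        })
    return {
        "machine": hex(machine),
        "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "characteristics": hex(chars),
        "symbols": nsyms,
        "sections": sections,
    }

def build_sample() -> bytes:
    """Constructed, non-functional PE skeleton (no Optional Header) with two sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, 0, 0x0022)
    sec = lambda name, ptr, flags: struct.pack(
        "<8sIIIIIIHHI", name, 256, 0, 256, ptr, 0, 0, 0, 0, flags)
    table = sec(b".text", 168, 0x60000020) + sec(b".packed", 424, 0xE0000020)
    return dos + b"PE\0\0" + coff + table + b"\x90" * 256 + bytes(range(256))

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```

In the constructed sample, the second section is readable, writable and executable with entropy at the 8.0 maximum, the combination of flags and entropy that the list above singles out for analysts.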
Imports
Contains an array of import directory entries; one entry for each DLL to which the file refers. Every entry can be expanded to reveal the list of symbols that are being imported.
Resources
Indicates what resources the file contains, together with all the details about them (such as type, language, and whole resource data hashes).
The language can be an indicator of the machine locale settings used by the person who developed and/or compiled the file. Hashes can be used to look up and correlate which files contain the same resources.
Additional information can include version info, dynamic libraries, symbols, segments, and more, depending on the file type.
If the sample is an email message, the sections can include information about from, sender, and reply-to email addresses, email message subject and headers, as well as attachments (if there are any).
If the sample is an image, EXIF metadata will be extracted and included in the sections (for example, camera make and model).
For mobile applications, the sections can include information about the application package, activities, services, receivers, and permissions. Currently supported mobile platforms are iOS, Android, and Windows Phone.
Software Packages
Relevant information for files recognized as software packages, which are archive files containing an assortment of individual files or resources and related metadata (such as name, vendor, version number) that work together to provide users with a particular functionality.
For the full list of supported package formats, refer to this article.
Signatures
The Signatures section contains tabbed information about signatures, digital certificates and their validation states reported by the Spectra Core engine, including the certificate trust chain with signer and counter-signer details. The chain of trust starts with a certificate authority and ends with the signer. Clicking any of the individual elements in the signer/counter signer chains will show more detailed information below. In case there are multiple signatures found, results will be paginated.
Spectra Core supports classifying samples based on digital certificate blacklists and whitelists. By default, it provides more than 300 CA (Certificate Authority) certificates in its certificate store. The certificate store is a set of trusted CA certificates imported from sources such as Microsoft Windows, Mozilla Firefox, and Apple, which are included in Spectra Core and, by extension, in the Spectra Analyze system.
Samples classified on the basis of their certificates receive the “Classified by Digital Certificate” threat description.
Spectra Analyze also provides information about certificate status. Check the Sample Details > Static Analysis > Info > Validation section to see how Spectra Core validated the certificate(s) for a sample.
Certificate Status | Detailed Status Description |
---|---|
Valid certificate | Any certificate with an intact digital certificate chain that confirms the integrity of the signed file. The hash within Signer Info matches the hash of the file contents. |
Invalid certificate | Any certificate with an intact digital certificate chain, but for which the certificate chain validation failed due to other reasons (e.g. because of attribute checks). Without a valid digital certificate chain, the integrity of the signed file cannot be validated. |
Bad checksum | The integrity of the signed file could not be verified, because the hash within Signer Info does not match the hash of the file contents. |
Bad signature | Any certificate with an intact digital certificate chain, but for which the signature validation failed. Without a valid signature, the integrity of the signed file cannot be validated. |
Malformed certificate | Any certificate that does not have an intact digital certificate chain. The digital certificate is corrupted or incomplete, but that doesn’t mean the file is also corrupted. Without a valid digital certificate chain, the integrity of the signed file cannot be validated. |
Self-signed certificate | A self-signed certificate is a certificate that is signed by the same entity whose identity it certifies. In other words, this is a certificate that is used to sign a file, but is its own CA (certificate authority), and doesn’t have a CA that issued it. If CA information is present, but not found within the Spectra Core certificate store, the CA will be considered plausible and files signed with it will be declared valid (i.e., they will not be considered as self-signed). |
Impersonation attempt | Any self-signed certificate is a candidate for an impersonation check. Impersonation means that the signer is trying to misrepresent itself as a trusted party, where “trusted party” is defined by the certificate whitelist. Any self-signed certificate that matches the common name of another certificate on the Spectra Core whitelist is marked as an impersonation attempt. |
Expired certificate | Any certificate with signing time information is checked for expiration. When the time on the local machine indicates that the certificate has passed its “valid to” date and time, the certificate is considered expired. The “Expired” certificate status is merely informative, and expired certificates cannot influence certificate classification. |
Untrusted certificate | Any valid certificate for which the digital certificate chain cannot be validated against a trusted CA. Untrusted certificates are valid certificates, but they cannot be whitelisted because their chain does not terminate with a CA in the Spectra Core certificate store. |
To find samples by their certificate status, use the tag keyword in Advanced Search. For example, tag:cert-invalid will find samples signed with invalid certificates. Consult the full list of supported tags.
Indicators
Indicators are extracted by Spectra Core during static analysis and displayed as human-readable descriptions of sample behavior. There are many indicators that are common in regular applications, like opening files, writing to files, and so on. The full list of indicator IDs and their descriptions can be found here. The Indicators section shows what a sample is capable of doing, with more significant indicators listed first.
If static analysis indicates that an application contains an encrypted executable or that it is capable of accessing passwords, those indicators will get much higher priority than if the application can just open files. The former indicators are more important in this context and not common at all in legitimate applications. Therefore, they will be listed before other indicators.
Spectra Analyze displays special icons next to indicators that contributed to the final classification by a Machine Learning model. This applies only when Machine Learning is among the engines that classified the file, and is limited to Worm, Ransomware, Keylogger, and Backdoor (RAT) malware types. This indicator is not displayed if classification is propagated, or if Machine Learning is not on the list of engines used to classify the sample.
To find samples with specific indicators, use the tag keyword in Advanced Search. For example, tag:indicator-macro will find samples that contain or execute macros. Consult the full list of supported tags.
ATT&CK
The ATT&CK section maps indicators detected by Spectra Core to MITRE threat IDs. This section can be displayed for all samples regardless of their classification status (malicious/suspicious/known/unknown) as long as they have indicators that can be appropriately mapped to the ATT&CK framework. Samples without indicators will not have this section on their Sample Details page at all.
MITRE tactics are listed as table columns, and MITRE techniques are grouped under each tactic. Every technique can be clicked to show Spectra Core indicators mapped to it.
The same technique can be listed under multiple different tactics.
The mapping is limited to indicators that Spectra Core can detect with static analysis, so it does not cover the full range of MITRE tactics and techniques, but only a subset of it.
Buttons above the table can be used to filter Techniques to only those that were triggered, and to show or hide technique IDs.
Classification
If the sample has been classified, this section shows its status and a list of scanners that determined the classification.
If the sample has been classified by a YARA rule, this section contains the relevant YARA ruleset metadata.
More information on sample classification can be found on the Sample Details Summary page.
To find out more about classification methods and reasons, consult the Threat Classification Descriptions chapter.
Protection
Shows the protection features with which this file was compiled, and other protection mechanisms that were detected while analyzing the file (such as cryptographic or compression algorithms).
Strings and Interesting strings
Spectra Analyze extracts all strings from samples and separates Interesting strings into their own section. Strings are considered interesting if they contain information related to network resources and addresses (for example IP addresses, HTTP, HTTPS, FTP or SSH). Interesting strings are usually found in binary files, documents and text files.
If available, reputation statistics are displayed next to URIs in the Interesting strings section.
In both sections related to strings, results can be searched with regular expression patterns and filtered by string length for more dynamic hunting.
Additionally, Interesting Strings can be filtered by category (all, http, https) and by classification (all, malicious, suspicious, goodware, unknown).
Strings can be filtered by their origin.
- CARVED - String is generically extracted from the file.
- TABLE - String is found within a file format specific strings table.
- DEEP - String is found within a compressed part of the file or a non-offset accessible location.
Any of these strings can be deemed human readable by an ML model. This filter is available as a separate button.
Very long strings can exceed the display length and appear as if they are cut off. To see the entire string, click the Show more button.
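To reproduce this kind of triage outside the interface, the Python sketch below generically extracts ASCII and UTF-16LE strings from raw bytes (comparable to the CARVED origin only; TABLE and DEEP require format-aware parsing) and then picks out network-related strings by category. It is an added example, not Spectra Core's extraction logic; the function names, regular expressions and sample bytes are constructed for illustration.

```python
import ipaddress
import re

URI_RE = re.compile(r"\b(https?|ftp|ssh)://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def carve_strings(data: bytes, min_len: int = 6) -> list:
    """Generically extract printable ASCII and UTF-16LE runs, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return [s for _, s in sorted(found)]

def interesting(strings) -> list:
    """Return (category, value) pairs for URIs and valid IPv4 addresses."""
    hits = []
    for s in strings:
        hits += [(m.group(1).lower(), m.group(0)) for m in URI_RE.finditer(s)]
        for m in IP_RE.finditer(s):
            try:
                ipaddress.IPv4Address(m.group(0))  # rejects octets above 255
            except ValueError:
                continue
            hits.append(("ip", m.group(0)))
    return hits

# Constructed sample bytes: binary noise around ASCII and UTF-16LE strings.
SAMPLE = (
    b"\x00\x01MZ\x90junk\x00"
    b"https://updates.example.test/check?id=1\x00"
    b"\xff\xfe" + "http://198.51.100.23/status".encode("utf-16-le") + b"\x00\x00\x07"
    b"connect 203.0.113.7:8443\x00"
    b"ver 999.1.1.1\x00"
    b"Hello world\x00"
)

if __name__ == "__main__":
    for category, value in interesting(carve_strings(SAMPLE)):
        print(category, value)
```

Raising min_len narrows the result in the same way as the string length filter, and the category in each pair corresponds to filtering Interesting strings by http or https.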