Version: Spectra Analyze 9.4.0

Analysis Service Integrations

The Spectra Analyze appliance supports optional integration with multiple first-party and third-party static and dynamic analysis services. First-party integrations are ReversingLabs Cloud Sandbox (dynamic analysis) and ReversingLabs Auxiliary Analysis (static analysis).

Through these integrations, samples can be automatically submitted for dynamic analysis or reanalyzed on demand using any of the supported services.

The ReversingLabs Cloud Sandbox can, optionally, be configured to affect the final sample classification. Other analysis results do not affect the overall final classification of the sample, but are, rather, another source of information for analysts.

Analysis services must be configured on the Administration > Integrations page by the appliance administrator. On that page, EDIT which file types you would like to analyze with each configured integration. The file types configured here apply only to files uploaded automatically. You can analyze any file type with any enabled dynamic analysis service when manually queueing a file to be reanalyzed (provided that the dynamic analysis service supports that file type).

The integrations work with samples submitted through the graphical user interface, as well as with those submitted via the Submissions API. Analysis results are displayed on the Sample Details page of each analyzed sample.

Some integrations have the option to submit only distinct files. When this option is enabled, if a file has already been submitted to Spectra Analyze and analyzed, it will not be sent for reanalysis when it is submitted again. This option applies to files submitted using the GUI and the API. It does not affect the Reanalysis feature - you can still submit files for reanalysis with any of the integrations even if the files have already been analyzed. By default, this option is disabled for every integration.

Dynamic Analysis

ReversingLabs Cloud Sandbox

Spectra Analyze is integrated with the ReversingLabs dynamic analysis API, providing historical information on all dynamic analyses performed on the detonated sample, with detected indicators of compromise available through Advanced Search (using the uri-dynamic and ipv4-dynamic keywords), as well as through sections on the Sample Summary page.

For this service to be available, the appliance has to be connected to Spectra Intelligence. If the service is enabled, historic dynamic analysis results are shown for all samples that have them.

Dynamic Analysis Reports

Full report details consist of:

  1. General file details
  2. A thumbnail of one of the screenshots generated during analysis. Clicking the screenshot opens a gallery of all collected screenshots, with the option to automatically advance through them in a slideshow. At the top of the gallery dialog, users can switch between different analyses to see the related screenshots.
  3. History of dynamic analysis results table with the option to download dropped files and other artifacts for every individual analysis. These files are available for download for 1 year. If the analyzed sample is an email, this table also contains expandable sections with analysis reports for attachments and URLs found within the analyzed email sample.
  4. Tabbed section with specific information obtained in dynamic analysis. This section can be filtered to show information from all performed analyses, or from a specific analysis. See the ReversingLabs Cloud Sandbox API reference for a detailed explanation of individual fields.

Actions menu: The report can be downloaded as HTML or PDF. After a PDF or HTML report is created, a new one cannot be created until 30 minutes have passed. If a new report export is necessary within this 30-minute period, use the Dynamic Analysis Report API. This menu also contains options to download the latest dropped files or send them to static analysis.

Dynamic analysis report

Downloading Artifacts

After a dynamic analysis run is completed, the following artifacts are available for download:

  • screenshots
  • PCAP file
  • memstrings
  • dropped files

The artifacts depend on each dynamic analysis run and can be downloaded from the History table, while the dropped files are available for download in the Dropped Files tab. These files are available for download for 1 year, which is the standard retention period for the Cloud Sandbox. The artifacts are downloaded as 7zip archives protected with the password "infected".

Interactive Analysis

When submitting a file for dynamic analysis, users have the option to execute the sample and interact with it in an interactive session. This option is available through the Analyze/Reanalyze dialogs across the interface. If enabled, a new tab opens with the interactive session. Once the session expires or is stopped by the user, its results will be visible on the RL Cloud Sandbox analysis section of the Sample Details page.

Interactive dynamic analysis session

Using the Dynamic Analysis API

Downloading HTML or PDF reports for dynamic analysis is also possible via API and is described in the Dynamic Analysis API documentation. Downloading artifacts is possible only through the GUI.


The Spectra Analyze integration with the ReversingLabs Cloud Sandbox can be configured on the Administration > Integrations page. By default, Spectra Analyze will automatically retrieve existing ReversingLabs Cloud Sandbox reports for files submitted to the appliance.

If the file wasn’t scanned in the Cloud Sandbox before, it will not be scanned until it’s manually uploaded for dynamic analysis, except if Automatic Upload is enabled.

While the retrieval of existing reports is a basic Spectra Analyze feature, submitting files for dynamic analysis using the ReversingLabs Cloud Sandbox is available only as a feature preview with an upload limit of 5 samples per day. When the analysis quota is exceeded, the appliance will show a warning message whenever a new file is manually submitted for analysis. Full access to this feature is available at additional cost. For more information, please contact ReversingLabs Sales Support (

If the Automatic Download and Analysis option is enabled, all files dropped during dynamic analysis that are within configured file size limits will be downloaded to the appliance and analyzed locally.

To allow dynamic analysis results to affect the final sample classification, enable the Include in Classification option. If enabled, all future sample uploads, as well as any reanalyzed samples, may receive their final classification from the ReversingLabs Cloud Sandbox. Samples that already had a recent dynamic analysis classification before the option was enabled will update their classification once their Sample Summary page is opened, or during regular appliance synchronizations with Spectra Intelligence. This option is on by default.


If no file types are specified (the Selected file types list is empty) and the automatic upload of files is enabled, all files uploaded to the appliance will be submitted for dynamic analysis indiscriminately, regardless of whether their file type is supported.

The maximum supported file size of each individual sample submitted to the ReversingLabs Cloud Sandbox is 400 MB.

Up to 20 submissions can be simultaneously queued for analysis. Samples are considered queued if they are waiting for analysis (those already in a running or processing state do not count towards the limit). If the queue is full, the appliance will attempt to resubmit a sample up to 5 times, with a delay of 20 seconds between each attempt, before timing out. If it fails to resubmit the sample, that sample will no longer remain in the queue.

CAPE v2 Sandbox

Maximum supported file size: 400 MiB
Submitting only distinct files: Supported

Up to 60 submissions can be simultaneously queued for analysis on CAPE. Samples are considered as queued if they are waiting for analysis (those that are already in a running or processing state do not count towards the limit). If the queue is full, the appliance will attempt to resubmit a sample up to 5 times, with a delay of 20 seconds between each attempt, before timing out. If it fails to resubmit the sample, that sample will no longer remain in the queue.

CAPE analysis reports are added to the Sample Details page as a separate section accessible from the navigation sidebar. CAPE offers two types of analysis: Behavioral and Network. If enabled in the Administration > Integrations > CAPE integration dialog, there will also be a See Task on CAPE button at the top right of the section.

This button redirects to the CAPE web interface, where it is possible to see more information about the file, and compare it to other analysis results.

Cisco Secure Malware Analytics

Maximum supported file size: 250 MiB
Submitting only distinct files: Not Supported

New in version 8.4.1: Option to send files privately.

When Cisco Secure Malware Analytics finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed from the Sample Details page of the processed sample by clicking the link in the sidebar.

Available reports from this integration include:

  • Dropped files
  • Indicators of compromise
  • Networking

Cuckoo Sandbox

Maximum supported file size: 400 MiB
Submitting only distinct files: Not supported

Up to 60 submissions can be simultaneously queued for analysis on Cuckoo. Samples are considered as queued if they are waiting for analysis (those that are already in a running or processing state do not count towards the limit). If the queue is full, the appliance will attempt to resubmit a sample up to 5 times, with a delay of 20 seconds between each attempt, before timing out. If it fails to resubmit the sample, that sample will no longer remain in the queue.

Cuckoo reports are added to the Sample Details page as a separate section accessible from the navigation sidebar. Cuckoo offers two types of analysis: Behavioral and Network. If enabled in the Administration > Integrations > Cuckoo integration dialog, there will also be a See Task on Cuckoo button at the top right of the section.

Cuckoo results section with visible See Tasks on Cuckoo button

This button redirects to the Cuckoo interface, where it is possible to see more information about the file, and compare it to other analysis results.

Cuckoo Web application interface with analysis results

FireEye Integration

Maximum supported file size: 100 MiB
Submitting only distinct files: Not supported

The FireEye API version must be selected in the configuration dialog.

After modifying the required fields in the configuration dialog, click the Save button to confirm changes. The appliance will be restarted.

Once the integration has been properly configured, the Fetch profiles button will retrieve a list of profiles available on the FireEye instance. Supported file types can be assigned to profiles that will be used for dynamic analysis. Each file type can be assigned to only one profile.

New samples of the supported file type assigned to a profile will be automatically sent for dynamic analysis.

Up to 100 submissions can be simultaneously queued for analysis on FireEye. Samples are considered as queued if they are waiting for analysis or if they are already being processed. If the queue is full, the appliance will attempt to resubmit a sample up to 5 times, with a delay of 20 seconds between each attempt, before timing out. If it fails to resubmit the sample, that sample will no longer remain in the queue.

When FireEye finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed from the Sample Details page of the processed sample by clicking the FireEye link in the sidebar (above Discussion).

For more details on configuring and using the FireEye integration, contact ReversingLabs Support (

Joe Sandbox

Maximum supported file size: 400 MiB
Submitting only distinct files: Supported

Once the integration has been properly configured, the Fetch profiles button will retrieve a list of profiles available on the Joe Sandbox instance. Supported file types can be assigned to profiles that will be used for dynamic analysis. Each file type can be assigned to only one profile.

New samples of the supported file type assigned to a profile will be automatically sent for dynamic analysis.

Appliance administrators can check the status of the Joe Sandbox service in the External Services Connectivity section on the System Status page.

Up to 20 submissions can be simultaneously queued for analysis on Joe Sandbox. Samples are considered as queued if they are waiting for analysis (those that are already in a running or processing state do not count towards the limit). If the queue is full, the appliance will attempt to resubmit a sample up to 5 times, with a delay of 20 seconds between each attempt, before timing out and displaying a “Failed Upload” status message in the Sample Details > Joe Sandbox section. If this happens, the failed sample will no longer remain in the queue.
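The queue limits and retry rule described for the sandbox integrations above decide how many samples of a bulk submission are lost. The following added example (not ReversingLabs code) models that rule to estimate drops before a large upload. It assumes one initial attempt plus five resubmissions and a sandbox that starts one waiting sample every start_interval_s seconds; the function name and the drain model are assumptions.

```python
import heapq

# Values stated on this page.
QUEUE_LIMITS = {"cloud_sandbox": 20, "cape": 60, "cuckoo": 60,
                "fireeye": 100, "joe_sandbox": 20}
MAX_RESUBMITS = 5    # resubmission attempts before timing out
RETRY_DELAY_S = 20   # seconds between attempts

DRAIN, SUBMIT = 0, 1  # DRAIN sorts first, so a freed slot is usable at the same instant


def simulate_burst(n_samples, queue_limit, start_interval_s, submit_interval_s=0):
    """Return (accepted, dropped) for n_samples submitted to one integration.

    Assumptions (not from the page): the sandbox moves one waiting sample to
    'running' every start_interval_s seconds, and each sample gets one initial
    attempt followed by up to MAX_RESUBMITS retries. For FireEye, where samples
    being processed also count as queued, pass the interval at which analyses
    finish instead.
    """
    events = [(i * submit_interval_s, SUBMIT, i, 0) for i in range(n_samples)]
    heapq.heapify(events)
    heapq.heappush(events, (start_interval_s, DRAIN, -1, 0))
    waiting = accepted = dropped = 0
    while accepted + dropped < n_samples:
        now, kind, sample_id, attempt = heapq.heappop(events)
        if kind == DRAIN:
            waiting = max(0, waiting - 1)
            heapq.heappush(events, (now + start_interval_s, DRAIN, -1, 0))
        elif waiting < queue_limit:
            waiting += 1
            accepted += 1
        elif attempt < MAX_RESUBMITS:
            heapq.heappush(events, (now + RETRY_DELAY_S, SUBMIT, sample_id, attempt + 1))
        else:
            dropped += 1  # the sample leaves the queue and must be resubmitted by hand
    return accepted, dropped


if __name__ == "__main__":
    # Constructed scenario: 30 files uploaded at once, one analysis slot per minute.
    for name, limit in QUEUE_LIMITS.items():
        print(name, simulate_burst(30, limit, start_interval_s=60))
```

With the retry window fixed at 100 seconds, pacing submissions (submit_interval_s) is the only variable on the submitting side that reduces drops.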

Joe Sandbox analysis reports are added to the Sample Details page as a separate section accessible from the navigation sidebar. Clicking the section name in the sidebar opens the page with general information about Joe Sandbox, and details about the latest analysis.

If enabled in the Administration > Integrations > Joe Sandbox integration dialog, there will also be a See Task on Joe Sandbox button at the top right of the page.

Preview of the Joe Sandbox results on the Sample Details page

The Behavior Analysis tab contains the process tree menu obtained from the Joe Sandbox JSON report.

The Network Analysis tab displays all network activity detected during dynamic analysis. The following protocols are listed: TCP, UDP, DNS, HTTP, HTTPS, FTP, ICMP, IRC and SMTP.

The Domains/IPs/URLs tab shows the extracted URIs in three separate tabs as they are differentiated in the HTML report. Public and private IP addresses are not in separate tabs; instead, they have a boolean attribute Private visible in the list.

VMRay Integration

Maximum supported file size: 305 MiB
Submitting only distinct files: Not Supported

There is no need to retrieve available profiles/environments from VMRay and assign file types to specific platforms; samples will be sent to dynamic analysis according to how the VMRay instance is configured.

When VMRay finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed from the Sample Details page of the processed sample by clicking the VMRay link in the sidebar.

Static Analysis

ReversingLabs Auxiliary Analysis

Maximum supported file size: 100 MiB
Submitting only distinct files: Not Supported

When RL Auxiliary Analysis finishes processing a sample, a report with the analysis results is sent to the Spectra Analyze appliance. This report can be accessed from the Sample Details page of the processed sample by clicking the link in the sidebar.

The report for this integration includes, but is not limited to, the following fields: general sample information, detected heuristics, ATT&CK information, extracted files, and IOCs.