Version: Spectra Analyze 9.2.2

Spectra Core - Static Analysis Results

The Spectra Core page visualizes the static analysis report for every sample. The information is organized into sections which can be expanded using the accordion menus. The amount of information and the available sections vary based on file type.

File information and statistics

The Info section displays basic information such as file type, predicted filename (if it exists), file size, and entropy; file validation; the set of hashes computed for the sample; as well as statistics about other files contained within the original sample.

If there are any errors or warnings detected during sample analysis, they are listed as individual entries in this section.

File type-specific information

This section contains detailed information about the sample based on the metadata extracted by Spectra Core. As the name implies, the information in this section depends on the file type of the sample.

In the example of an Application (Portable Executable), the following information may be included:

Identity

Application identity takes whitelisting and certificates into consideration and labels applications with their correct software versions. It removes the ambiguity left by source and certificate whitelisting as it can pinpoint the exact software release. Furthermore, it can identify the correct identity for software that isn’t typically signed or published on a reputable source.

Capabilities

Capabilities are actions the sample is able to perform, determined without executing it. Insight into capabilities is obtained exclusively through static analysis of the sample.

tip

To find samples that exhibit specific capabilities, use the tag keyword in Advanced Search. For example, tag:capability-cryptography will find samples that can encrypt data. Consult the full list of supported tags.

Analysis

Shows the security grade and detected security issues for the analyzed sample. Depending on the security issues, the sample can get one of the following grades:

  • Grade A. Best security grade. The application follows the latest standards and policies.
  • Grade B. Good security grade. The application has sufficient security mechanisms implemented, but does not have all the latest features enabled.
  • Grade C. Minor security issues detected. The application has some security mechanisms implemented, but is not considered safe to use in all environments.
  • Grade D. Major security issues detected. The application should only be executed in secured environments.
  • Grade E. Major security issues detected. The application should only be executed in highly secured environments.
  • Grade F. Major security issues detected. Consider the application unsafe to run.

DOS Header

Historical header that serves as a pointer to the File Header through the e_lfanew entry.

File Header

Important entries in the File Header include:

  • Machine - target architecture for which the PE file was compiled
  • Time Date Stamp - date when the PE file was compiled
  • Characteristics - PE file attributes
  • Number of Sections, Number of Symbols

Sample Details page with visible File Header

Optional Header

Describes elements such as import and export directories that make it possible to locate and link DLL libraries. Other entries provide structural information about the layout of the file, such as the alignment of its sections.

Sections

Describes each of the sections making up the file. Sections can contain code, initialized and uninitialized data, resources and any other data.

The following information may be of particular interest to malware analysts:

  • Flags show whether the section contains executable code, can be read from, written to or has other properties
  • Hashes can be used to correlate with other files
  • Entropy can show if a section is encrypted or compressed
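As an added example (not Spectra Core code), the following Python walks the structures described above: it follows e_lfanew from the DOS header to the File Header, reads Machine, Time Date Stamp, Characteristics and the section and symbol counts, then reports each section's flags, SHA-256 and entropy. The sample PE bytes, the small machine/flag lookup tables and the empty Optional Header are constructed here for illustration.

```python
import hashlib, math, struct
from collections import Counter
from datetime import datetime, timezone

# Subset of the PE/COFF constants relevant to the fields listed above
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILE_CHARS = {0x0002: "EXECUTABLE_IMAGE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SCN_FLAGS = {0x20: "CODE", 0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); values near 8 suggest packed or encrypted data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(buf: bytes) -> dict:
    """DOS header -> e_lfanew -> File Header -> section table, mirroring the sections above."""
    if buf[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]        # DOS header pointer to the PE header
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    fh = e_lfanew + 4                                         # COFF File Header, 20 bytes
    machine, nsec, stamp, _, nsym, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, fh)
    sections, off = [], fh + 20 + opt_size                    # section table follows the Optional Header
    for _ in range(nsec):
        name, _, _, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", buf, off)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": round(entropy(raw), 3),
                         "sha256": hashlib.sha256(raw).hexdigest(),
                         "flags": [v for k, v in SCN_FLAGS.items() if flags & k]})
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)),
            "time_date_stamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "characteristics": [v for k, v in FILE_CHARS.items() if chars & k],
            "number_of_sections": nsec, "number_of_symbols": nsym, "sections": sections}

def build_sample() -> bytes:
    """Constructed minimal PE (not a real binary): empty Optional Header, a zero-filled .text
    section and a high-entropy section with CODE|EXECUTE|READ|WRITE flags."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 0, 0x0102)
    text = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, 168, 0, 0, 0, 0, 0x60000020)
    packed = struct.pack("<8sIIIIIIHHI", b".packed", 256, 0x2000, 256, 232, 0, 0, 0, 0, 0xE0000020)
    return dos + file_hdr + text + packed + b"\0" * 64 + bytes(range(256))

if __name__ == "__main__":
    print(parse_pe(build_sample()))
```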

Imports

Contains an array of import directory entries; one entry for each DLL to which the file refers. Every entry can be expanded to reveal the list of symbols that are being imported.

Resources

Indicates what resources the file contains, together with all the details about them (such as type, language, and whole resource data hashes).

The language can be an indicator of the machine locale settings used by the person who developed and/or compiled the file. Hashes can be used to look up and correlate which files contain the same resources.

Additional information can include version info, dynamic libraries, symbols, segments, and more, depending on the file type.

If the sample is an email message, the sections can include information about from, sender, and reply-to email addresses, email message subject and headers, as well as attachments (if there are any).

If the sample is an image, EXIF metadata will be extracted and included in the sections (for example, camera make and model).

For mobile applications, the sections can include information about the application package, activities, services, receivers, and permissions. Currently supported mobile platforms are iOS, Android, and Windows Phone.

Software Packages

Relevant information for files recognized as software packages, which are archive files containing an assortment of individual files or resources and related metadata (such as name, vendor, and version number) that work together to provide users with a particular functionality.

For the full list of supported package formats, refer to this article.

Signatures

The Signatures section contains tabbed information about signatures, digital certificates and their validation states reported by the Spectra Core engine, including the certificate trust chain with signer and counter-signer details. The chain of trust starts with a certificate authority and ends with the signer. Clicking any of the individual elements in the signer/counter signer chains will show more detailed information below. In case there are multiple signatures found, results will be paginated.

Sample Details page showing a Certificate Trust Chain of a sample

Spectra Core supports classifying samples based on digital certificate blacklists and whitelists. By default, it provides more than 300 CA (Certificate Authority) certificates in its certificate store. The certificate store is a set of trusted CA certificates imported from sources such as Microsoft Windows, Mozilla Firefox, and Apple, which are included in Spectra Core and, by extension, in the Spectra Analyze system.

Samples classified on the basis of their certificates receive the “Classified by Digital Certificate” threat description.

Spectra Analyze also provides information about certificate status. Check the Sample Details > Static Analysis > Info > Validation section to see how Spectra Core validated the certificate(s) for a sample.

Certificate status, with the detailed status description:

  • Valid certificate. Any certificate with an intact digital certificate chain that confirms the integrity of the signed file. The hash within Signer Info matches the hash of the file contents.
  • Invalid certificate. Any certificate with an intact digital certificate chain, but for which the certificate chain validation failed due to other reasons (e.g. because of attribute checks). Without a valid digital certificate chain, the integrity of the signed file cannot be validated.
  • Bad checksum. The integrity of the signed file could not be verified, because the hash within Signer Info does not match the hash of the file contents.
  • Bad signature. Any certificate with an intact digital certificate chain, but for which the signature validation failed. Without a valid signature, the integrity of the signed file cannot be validated.
  • Malformed certificate. Any certificate that does not have an intact digital certificate chain. The digital certificate is corrupted or incomplete, but that doesn’t mean the file is also corrupted. Without a valid digital certificate chain, the integrity of the signed file cannot be validated.
  • Self-signed certificate. A self-signed certificate is a certificate that is signed by the same entity whose identity it certifies. In other words, this is a certificate that is used to sign a file, but is its own CA (certificate authority), and doesn’t have a CA that issued it. If CA information is present, but not found within the Spectra Core certificate store, the CA will be considered plausible and files signed with it will be declared valid (i.e., they will not be considered as self-signed).
  • Impersonation attempt. Any self-signed certificate is a candidate for an impersonation check. Impersonation means that the signer is trying to misrepresent itself as a trusted party, where “trusted party” is defined by the certificate whitelist. Any self-signed certificate that matches the common name of another certificate on the Spectra Core whitelist is marked as an impersonation attempt.
  • Expired certificate. Any certificate with signing time information is checked for expiration. When the time on the local machine indicates that the certificate has passed its “valid to” date and time, the certificate is considered expired. The “Expired” certificate status is merely informative, and expired certificates cannot influence certificate classification.
  • Untrusted certificate. Any valid certificate for which the digital certificate chain cannot be validated against a trusted CA. Untrusted certificates are valid certificates, but they cannot be whitelisted because their chain does not terminate with a CA in the Spectra Core certificate store.

tip
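The decision order behind these statuses, as an added illustration that is not Spectra Core's implementation: it works on constructed toy certificate records (subject, issuer, validity end) instead of real X.509 data, and the trusted store, whitelist, chain layout and the checksum flag are all assumptions made for the example. It covers the self-signed versus "plausible unknown CA" distinction, the impersonation check against the whitelist, and the informative-only expiry note.

```python
from datetime import date

# Constructed toy records, not real X.509 data: a cert is {"subject", "issuer", "valid_to"};
# a chain runs from the file signer up to the highest certificate the file carries.
TRUSTED_STORE = {"Example Root CA"}      # assumption: stands in for the Spectra Core certificate store
WHITELIST_CNS = {"Trusted Vendor Inc"}   # assumption: common names on the certificate whitelist

def classify(chain, today, checksum_ok=True):
    """Return (status, informative notes) following the certificate status descriptions above."""
    # Expiry is checked first but only recorded as a note: it never changes the status
    notes = ["Expired certificate"] if any(c["valid_to"] < today for c in chain) else []
    signer = chain[0]
    if len(chain) == 1 and signer["issuer"] == signer["subject"]:
        # Own CA, no issuer: self-signed; same CN as a whitelisted signer means impersonation
        status = "Impersonation attempt" if signer["subject"] in WHITELIST_CNS else "Self-signed certificate"
        return status, notes
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:        # broken link: the chain is not intact
            return "Malformed certificate", notes
    if not checksum_ok:                                # Signer Info hash != hash of the file contents
        return "Bad checksum", notes
    if chain[-1]["issuer"] in TRUSTED_STORE:           # chain terminates at a CA we hold
        return "Valid certificate", notes
    # A CA is named but absent from the store: plausible, hence not self-signed, yet the
    # chain cannot be validated against a trusted CA
    return "Untrusted certificate", notes

def cert(subject, issuer, valid_to):
    return {"subject": subject, "issuer": issuer, "valid_to": valid_to}

# Constructed sample inputs
TODAY = date(2024, 6, 1)
ROOT = cert("Example Root CA", "Example Root CA", date(2035, 1, 1))
VENDOR = cert("Trusted Vendor Inc", "Example Root CA", date(2026, 1, 1))

if __name__ == "__main__":
    print(classify([VENDOR, ROOT], TODAY))
    print(classify([cert("Trusted Vendor Inc", "Trusted Vendor Inc", date(2030, 1, 1))], TODAY))
```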

To find samples by their certificate status, use the tag keyword in Advanced Search. For example, tag:cert-invalid will find samples signed with invalid certificates. Consult the full list of supported tags.

Indicators

Indicators are extracted by Spectra Core during static analysis and displayed as human-readable descriptions of sample behavior. There are many indicators that are common in regular applications, like opening files, writing to files, and so on. The full list of indicator IDs and their descriptions can be found here. The Indicators section shows what a sample is capable of doing, with more significant indicators listed first.

If static analysis indicates that an application contains an encrypted executable or that it is capable of accessing passwords, those indicators will get much higher priority than if the application can just open files. The former indicators are more important in this context and not common at all in legitimate applications. Therefore, they will be listed before other indicators.


Spectra Analyze displays special icons next to indicators that contributed to the final classification by a Machine Learning model. This applies only when Machine Learning is among the engines that classified the file, and is limited to Worm, Ransomware, Keylogger, and Backdoor (RAT) malware types. The icon is not displayed if the classification is propagated, or if Machine Learning is not on the list of engines used to classify the sample.

tip

To find samples with specific indicators, use the tag keyword in Advanced Search. For example, tag:indicator-macro will find samples that contain or execute macros. Consult the full list of supported tags.

ATT&CK

The ATT&CK section maps indicators detected by Spectra Core to MITRE threat IDs. This section can be displayed for all samples regardless of their classification status (malicious/suspicious/known/unknown) as long as they have indicators that can be appropriately mapped to the ATT&CK framework. Samples without indicators will not have this section on their Sample Details page at all.

MITRE tactics are listed as table columns, and MITRE techniques are grouped under each tactic. Every technique can be clicked to show Spectra Core indicators mapped to it.

The same technique can be listed under multiple different tactics.

The mapping is limited to indicators that Spectra Core can detect with static analysis, so it does not cover the full range of MITRE tactics and techniques, but only a subset of it.

Buttons above the table can be used to filter Techniques to only those that were triggered, and to show or hide technique IDs.

Classification

If the sample has been classified, this section shows its status and a list of scanners that determined the classification.

If the sample has been classified by a YARA rule, this section contains the relevant YARA ruleset metadata.

More information on sample classification can be found on the Sample Details Summary page.

To find out more about classification methods and reasons, consult the Threat Classification Descriptions chapter.

Protection

Shows the protection features with which this file was compiled, and other protection mechanisms that were detected while analyzing the file (such as cryptographic or compression algorithms).

Strings and Interesting strings

Spectra Analyze extracts all strings from samples and separates Interesting strings into their own section. Strings are considered interesting if they contain information related to network resources and addresses (for example IP addresses, HTTP, HTTPS, FTP or SSH). Interesting strings are usually found in binary files, documents and text files.

If available, reputation statistics are displayed next to URIs in the Interesting strings section.

In both sections related to strings, results can be searched with regular expression patterns and filtered by string length for more dynamic hunting.

Additionally, Interesting Strings can be filtered by category (all, http, https) and by classification (all, malicious, suspicious, goodware, unknown).

Strings can be filtered by their origin.

  • CARVED - String is generically extracted from the file.
  • TABLE - String is found within a file format specific strings table.
  • DEEP - String is found within a compressed part of the file or in a location that is not directly accessible by file offset.

Any of these strings can be deemed human readable by an ML model. This filter is available as a separate button.

Sample Details showing string filtering options

Very long strings can exceed the display length and appear as if they are cut off. To see the entire string, click the Show more button.