Skip to main content
Version: Spectra Analyze 9.3.0

Quick Guide

This short introductory section is intended to help with understanding the basic layout of the user interface, terminology and visual indicators that are used on the Spectra Analyze appliance and in its documentation.

Global Header Bar

At the top of the Spectra Analyze interface is the global header bar, containing the most commonly used options and the main appliance menu used to access all sections of the appliance.

The first item from the left, after the logo, is the Search Samples box, a text field where users can enter search queries and get a pull-down list of all supported keywords. For more information on this feature, refer to the Advanced search chapter. Clicking on the text field will expand it to the far right of the header bar and hide other menu items to provide more space for typing and constructing the query. Clicking away from the text field will remove the focus and restore the original menu layout. Performing the search will navigate the users to the Advanced Search page to display results.

To the right of the Search Samples box is the Upload button, allowing a quick way to upload samples and submit URLs to the appliance from any page of the interface. An upload status bar will be displayed in the header bar while files are uploading. Navigating away from the page or refreshing the browser tab during upload is not supported and will trigger a warning that the upload will be lost. For more information on uploading samples, submitting URLs, file privacy and size limitations, refer to the File Submissions chapter.

  • Dashboard: The Dashboard displays statistics related to the amount and type of files that have been submitted and processed on the appliance within a specified time range.
  • Search: The Advanced Search feature introduces rich metadata search capabilities on the Spectra Analyze appliance, makes it easier to search across large data sets (both local and global in ReversingLabs Spectra Intelligence), and enables faster, more powerful malware discovery with increased coverage. Click here for more information on writing advanced search queries.
  • YARA: Allows rule-based identification and classification of files. Users can create their own YARA rules containing textual or binary patterns. When a file matches the pattern found in a YARA rule, it receives the classification defined by that rule. YARA rules can be grouped into rulesets. (Note: If this page is not visible in the header bar, it can be assigned to the user through the Administration > User Role configuration section.)
  • Quota Indicator - Clicking the pie-chart icon opens a pop-up listing all ReversingLabs APIs in use on the appliance which have a limited quota, and their current status.
  • Alerts Indicator - The Alerts feature allows real-time monitoring to track changes in malware classification and analysis results. It automates notifications for specific events, allowing users to utilize their time more efficiently and be informed of malware status changes on-the-go. Clicking the indicator opens a list of recent Alerts. If there are any unresolved alerts, their count is displayed as a red badge on the indicator.
  • Help - Contains options to access the appliance documentation, contact ReversingLabs support, and open the methodology / legend pop-up with basic information about Risk Score
  • User menu - Shows the username of the current user, contains links to the Administration and User Profile (edit user information, change credentials, manage alerts ) pages, and the option to Log Out from the appliance.

Health Status Indicator

The second to last item in the main appliance menu is the health status indicator, pointing out issues with the system load and showing if the appliance is connected to a file reputation service, and if the service is reachable or not. Administrators can click the icon to open a pop-up with a more granular look at the system resources: Disk Usage, Memory usage, CPU utilization, outstanding alerts and issues, and Spectra Detect Manager connection status. The pop-up also contains a link to Open System Status page with detailed information on all the system monitoring services.

Thresholds for these services, such as CPU/memory/disk usage or queue sizes, are configured on the Administration > Configuration > System Health Indicator page.

If there are no issues with the system load and if the appliance is connected to Spectra Intelligence or the T1000 File Reputation Appliance, this will be indicated by a black icon.

A red icon with a small exclamation mark means that the reputation service is not configured or reachable or that CPU/memory/disk usage or queue sizes went over the configured thresholds. In this case, hovering over the icon will list the detected issues.

description

The services used to deliver file reputation data (Spectra Intelligence or T1000 File Reputation Appliance) can be configured in the Spectra Intelligence / T1000 File Reputation Appliance dialogs in the Administration > Configuration section.

Color-Coding and Sample Status

The Spectra Analyze interface makes use of consistent color-coding to indicate sample classification and risk. There are four colors, each one corresponding to a different sample status. The sample status indicates whether the file is goodware, suspicious or malicious - or if no threats were found, indicating the sample remains unclassified.

Four colors (left to right: red indicating malicious, green indicating goodware, orange indicating suspicious, and dark gray indicating no threats were found) used in the interface to indicate sample status

In addition to color-coding, certain parts of the UI also indicate classification status of submitted files and URLs by colored symbols: red square is malicious, orange rhombus is suspicious, green circle is goodware, dark gray square with a circle cutout is no threats found.

Inside each of the symbols is the sample’s risk score. Samples with no threats found (samples without classification) don’t have a risk score.

Samples with a risk score of 5 are represented using a unique icon, as the indicators found during analysis were deemed insufficient to classify the file as definitively malicious or benign. These samples may be of interest, as they have a higher chance of changing classification and/or risk factor as soon as any new information becomes available.

Some Spectra Analyze APIs return sample classification as a numerical value.

ClassificationValue
No threats found0
Goodware1
Suspicious2
Malicious3
info

Read more about the ReversingLabs classification algorithm.

Where to Find Visual Indicators of Sample Status?

Color-coded indicators are present in the following parts of the interface, indicating sample status:

YARA page – statistics about ruleset matches

Section of the YARA page showing color-coded status for YARA rulesets

Inside each of the symbols is the sample’s risk score. Samples with no threats found (samples without classification) don’t have a risk score.

Sample Details page – as the background color of the Summary header section. The Risk Score numerical value is also indicated in the Summary section

Upper part of the Sample Details page with numbered indicators showing color-coded sample status

Sample Details page - Next to links in the Extracted Files and File Similarity sections in the sample summary page sidebar menu, and in the How We Caught This > Prevalence > File Similarity subsection of the main sample summary report page

Section of the Sample Details page with numbered indicators showing color-coded sample status

Sample Details page - as colored symbols in URI stats for particular file types - for example, those containing Interesting strings, Network references or Malware configurations

Network References section of the Sample Details page with color-coded indicators of sample status

What Determines the Classification of Samples?

A sample’s classification is determined from one of multiple different sources. All types of classification that a sample can receive on Spectra Analyze are described in detail in the Threat Classification Descriptions section.

The information about sample classification in the interface can be found in the expanded row on the Search Page.

Expanded row on the Search page showing classification source at the bottom left

and in the Sample Details Summary section. If any files have been extracted from a sample, there will be additional information about the classification of extracted files.

Additional information about classification can be found in the Static Analysis > Classification section on the Sample Details page.

Sample Details Summary section with highlighted information about classification source

How to interpret analysis results?

The Sample Summary page highlights the most interesting information from the sample analysis report. It contains several sections with links to more detailed information.

The information on the Summary page will be different for every sample analyzed on the appliance, depending on the file type and classification status.

The most crucial information about the sample is curated in the header section of the page:

  • the final classification (malicious / suspicious / goodware / no threats found) and the detected threat name
  • risk score
  • classification reason
  • multi-scanner results
  • top 3 detected MITRE ATT&CK tactics

Spectra Analyze will always pick the most accurate classification as the final one and display this information in the Sample Summary header section. To properly read the final classification, users must consider and understand the classification reason and the risk score. The classification reason specifies which technology detected this threat. Files will usually have multiple detections from more than one classifier, but the classification reason tile is always the one that produced the final classification.

The final classification will always match one of the classifiers, but individual classifiers may have differing results between them. Due to differences in how different malicious samples and malware families behave, some samples might end up classified as malicious by one technology, and still be considered goodware by others. This doesn’t negate or diminish the final classification, it is the exact reason why Spectra Analyze uses multiple sources to classify files.

That’s also why overlooking the classification reason may result in confusion. For example, adding custom YARA rules to the Spectra Analyze is a powerful malware hunting feature, but improperly written rulesets can be too broad and result in a large number of samples suddenly getting classified as malicious by a YARA rule, even though everything else points to goodware.

Risk scores are assigned by the severity of the detected threat. Lesser threats like Adware will get a risk score of 6 (scores from 0-5 are reserved for goodware), while ransomware and trojans always get a risk score of 10.

Some users may choose to ignore lower risk classifications, such as Adware or Potentially Unwanted Applications (PUA), but those samples will still be classified as malicious to warn about potential threats, such as installers that have embedded adware.

In most cases, the results will be overwhelmingly biased towards a certain classification: a malicious file will be detected as such by Spectra Core and backed up by a large percentage (not necessarily 100%) of scanner detections. It will probably have an exact threat name, naming the malware type and/or the specific malware family. Certain file types might belong to a RHA File Similarity bucket with other malicious files. Even if such files get some negative results from specific technologies, it’s highly unlikely that they are not malicious.

On some occasions, a sample classified as goodware can still have some Spectra Intelligence scanner detections, but not enough to affect the final classification. These detections are most likely false positives, but users are still advised to check the scanner list to see which scanners detected a threat.

The classification of certain samples originates from samples extracted during analysis. It propagates from children to the parent, for example from a malicious executable file to the zip archive where it originated from. If this is the case, the description beneath the classification will highlight that it was based on an extracted file.

Classifications can also be overridden either through Goodware Overrides, where the classification of a high-trust parent sample is propagated down to extracted files, or manually by using the Spectra Analyze override feature.

In cases where the classification was set by the user, it will be considered final and displayed in the header, as well as in the table below. Local classification overrides will be visible as final to all appliance users, while the Spectra Intelligence overrides will additionally be synchronized with other appliances using the same Spectra Intelligence account, and other Spectra Intelligence accounts belonging to the same company, indicated by the middle segment of the username - u/company/user. In cases where a sample has both overrides, the local override will be displayed as the final classification.

In conclusion, while false detections are not impossible, they are much easier to identify if all of the important factors are considered and understood. For more information on each of these, refer to the Classifications, Risk Score and Threat Classification Sources chapters.

What is ReversingLabs Malware Naming Standard?

The ReversingLabs detection string consists of three main parts separated by dots. All parts of the string will always appear (all three parts are mandatory).

platform-subplatform.type.familyname
  1. The first part of the string indicates the platform targeted by the malware.

    This string is always one of the strings listed in the Platform string table. If the platform is Archive, Audio, ByteCode, Document, Image or Script, then it has a subplatform string. Platform and subplatform strings are divided by a hyphen (-). The lists of available strings for Archive, Audio, ByteCode, Document, Image and Script subplatforms can be found in their respective tables.

  2. The second part of the detection string describes the malware type. Strings that appear as malware type descriptions are listed in the Type string table.

  3. The third and last part of the detection string represents the malware family name, i.e. the name given to a particular malware strain.

    Names "Agent", "Gen", "Heur", and other similar short generic names are not allowed. Names can't be shorter than three characters, and can't contain only numbers. Special characters (apart from -) must be avoided as well. The - character is only allowed in exploit (CVE/CAN) names (for example CVE-2012-0158).

Examples

If a trojan is designed for the Windows 32-bit platform and has the family name "Adams", its detection string will look like this:

Win32.Trojan.Adams

If some backdoor malware is a PHP script with the family name "Jones", the detection string will look like this:

Script-PHP.Backdoor.Jones

Some potentially unwanted application designed for Android that has the family name "Smith" will have the following detection string:

Android.PUA.Smith

Some examples of detections with invalid family names are:

Win32.Dropper.Agent
ByteCode-MSIL.Keylogger.Heur
Script-JS.Hacktool.Gen
Android.Backdoor.12345
Document-PDF.Exploit.KO
Android.Spyware.1a
Android.Spyware.Not-a-CVE
Win32.Trojan.Blue_Banana
Win32.Ransomware.Hydra:Crypt
Win32.Ransomware.HDD#Cryptor

Platform string

The platform string indicates the operating system that the malware is designed for. The following table contains the available strings and the operating systems for which they are used.

StringShort description
ABAPSAP / R3 Advanced Business Application Programming environment
AndroidApplications for Android OS
AOLAmerica Online environment
ArchiveArchives. See Archive subplatforms for more information.
AudioAudio. See Audio subplatforms for more information.
BeOSExecutable content for Be Inc. operating system
BootBoot, MBR
BinaryBinary native type
ByteCodeByteCode, platform-independent. See ByteCode subplatforms for more information.
BlackberryApplications for Blackberry OS
ConsoleExecutables or applications for old consoles (e.g. Nintendo, Amiga, ...)
DocumentDocuments. See Document subplatforms for more information.
DOSDOS, Windows 16 bit based OS
EPOCApplications for EPOC mobile OS
EmailEmails. See Email subplatforms for more information.
FirmwareBIOS, Embedded devices (mp3 players, ...)
FreeBSDExecutable content for 32-bit and 64-bit FreeBSD platforms
ImageImages. See Image subplatforms for more information.
iOSApplications for Apple iOS (iPod, iPhone, iPad…)
LinuxExecutable content for 32 and 64-bit Linux operating systems
MacOSExecutable content for Apple Mac OS, OS X
MenuetExecutable content for Menuet OS
NovellExecutable content for Novell OS
OS2Executable content for IBM OS/2
PackageSoftware packages. See Package subplatforms for more information.
PalmApplications for Palm mobile OS
ScriptScripts. See Script subplatforms for more information.
ShortcutShortcuts
SolarisExecutable content for Solaris OS
SunOSExecutable content for SunOS platform
SymbianApplications for Symbian OS
TextText native type
UnixExecutable content for the UNIX platform
VideoVideos
WebAssemblyBinary format for executable code in Web pages
Win32Executable content for 32-bit Windows OS's
Win64Executable content for 64-bit Windows OS's
WinCEExecutable content for Windows Embedded Compact OS
WinPhoneApplications for Windows Phone
Archive subplatforms
StringShort description
ACEWinAce archives
ARAR archives
ARJARJ (Archived by Robert Jung) archives
BZIP2Bzip2 archives
CABMicrosoft Cabinet archives
GZIPGNU Zip archives
ISOISO image files
JARJAR (Java ARchive) archives
LZHLZH archives
RARRAR (Roshal Archive) archives
7ZIP7-Zip archives
SZDDMicrosoft SZDD archives
TARTar (tarball) archives
XARXAR (eXtensible ARchive) archives
ZIPZIP archives
ZOOZOO archives
Other Archive identificationAll other valid Spectra Core identifications of Archive type
Audio subplatforms
StringShort description
WAVWave Audio File Format
Other Audio identificationAll other valid Spectra Core identifications of Audio type
ByteCode subplatforms
StringShort description
JAVAJava bytecode
MSILMSIL bytecode
SWFAdobe Flash
Document subplatforms
StringShort description
AccessMicrosoft Office Access
CHMCompiled HTML
CookieCookie files
ExcelMicrosoft Office Excel
HTMLHTML documents
MultimediaMultimedia containers that aren't covered by other platforms (e.g. ASF)
OfficeFile that affects multiple Office components
OLEMicrosoft Object Linking and Embedding
PDFPDF documents
PowerPointMicrosoft Office PowerPoint
ProjectMicrosoft Office Project
PublisherMicrosoft Office Publisher
RTFRTF documents
VisioMicrosoft Office Visio
XMLXML and XML metafiles (ASX)
WordMicrosoft Office Word
Other Document identificationAll other valid Spectra Core identifications of Document type
Email subplatforms
StringShort description
MIMEMultipurpose Internet Mail Extensions
MSGOutlook MSG file format
Image subplatforms
StringShort description
ANIFile format used for animated mouse cursors on Microsoft Windows
BMPBitmap images
EMFEnhanced Metafile images
EPSAdobe Encapsulated PostScript images
GIFGraphics Interchange Format
JPEGJPEG images
OTFOpenType Font
PNGPortable Network Graphics
TIFFTagged Image File Format
TTFApple TrueType Font
WMFWindows Metafile images
Other Image identificationAll other valid Spectra Core identifications of Image type
Package subplatforms
StringShort description
NuGetNuGet packages
DEBDebian Linux DEB packages
RPMLinux RPM packages
WindowStorePackagePackages for distributing and installing Windows apps
Other Package identificationAll other valid Spectra Core identifications of Package type
Script subplatforms
StringShort description
ActiveXActiveX scripts
AppleScriptAppleScript scripts
ASPASP scripts
AutoItAutoIt scripts (Windows)
AutoLISPAutoCAD LISP scripts
BATBatch scripts
CGICGI scripts
CorelDrawCorelDraw scripts
FeriteFerite scripts
INFINF Script, Windows installer scripts
INIINI configuration file
IRCIRC, mIRC, pIRC/Pirch Script
JSJavascript, JScript
KiXtartKiXtart scripts
LogoLogo scripts
LuaLua scripts
MacroMacro (e.g. VBA, AmiPro macros, Lotus123 macros)
MakefileMakefile configuration
MatlabMatlab scripts
PerlPerl scripts
PHPPHP scripts
PowerShellPowerShell scripts, Monad (MSH)
PythonPython scripts
RegistryWindows Registry scripts
RubyRuby scripts
ShellShell scripts
ShockwaveShockwave scripts
SQLSQL scripts
SubtitleWorkshopSubtitleWorkshop scripts
WinHelpWinHelp Script
WScriptWindows Scripting Host related scripts (can be VBScript, JScript, …)
Other Script identificationAll other valid Spectra Core identifications of Script type

Type string

This string is used to describe the general type of malware. The following table contains the available strings and describes what each malware type is capable of.

StringDescription
AdwarePresents unwanted advertisements
BackdoorBypasses device security and allows remote access
BrowserBrowser helper objects, toolbars, and malicious extensions
CertificateClassification derived from certificate data
CoinminerUses system resources for cryptocurrency mining without the user's permission
DialerApplications used for war-dialing and calling premium numbers
DownloaderDownloads other malware or components
DropperDrops malicious artifacts including other malware
ExploitExploits for various vulnerabilities, CVE/CAN entries
FormatMalformations of the file format. Classification derived from graylisting, validators on unpackers
HacktoolSoftware used in hacking attacks, that might also have a legitimate use
HyperlinkClassifications derived from extracted URLs
InfostealerSteals personal info, passwords, etc.
KeyloggerRecords keystrokes
MalwareNew and recently discovered malware not yet named by the research community
NetworkNetworking utilities, such as tools for DoS, DDoS, etc.
PackedPacked applications (UPX, PECompact…)
PhishingEmail messages (or documents) created with the aim of misleading the victim by disguising itself as a trustworthy entity into opening malicious links, disclosing personal information or opening malicious files.
PUAPotentially unwanted applications (hoax, joke, misleading...)
RansomwareMalware which encrypts files and demands money for decryption
RogueFraudulent AV installs and scareware
RootkitProvides undetectable administrator access to a computer or a mobile device
SpamOther junk mail that does not unambiguously fall into the Phishing category, but contains unwanted or illegal content.
SpywareCollects personal information and spies on users
TrojanAllows remote access, hides in legit applications
VirusSelf-replicating file/disk/USB infectors
WormSelf-propagating malware with exploit payloads