Spectra Detect Report Schema
This document is a work in progress.
Introduction
This document describes data in the report of the analysis performed by a Spectra Detect Worker.
Notable changes
The format of the report has changed since the last version of this document (v1.6):
- The classification field now contains rca_factor, a unique measure of the trustworthiness of a sample (read more in Classification).
- The classification field also contains a result, which provides the threat name.
- Results by individual scanners may be ignored.
- Attack indicators now have descriptions, categories, relevance, and a unique numeric ID.
- The interesting_strings and story sections have additional fields.
- There is more information for analyzed PE files, including a security_grade.
- The metadata section has been reorganized (read the full list of metadata changes in Appendix D):
  - redesigned security, media and browser fields
  - added signatures, certificates, package, attack and malware fields
  - removed certificate field
Data Analysis Workflow
- Check the file threat score and classification in the Classification section:
  - classification: 0 = Unknown, 1 = Goodware, 2 = Suspicious, 3 = Malicious
  - rca_factor (if classification is not 0) is the trust or threat level, ranging from 0 to 10:
    - 0 represents highest trust
    - 10 represents most dangerous threat
  - result shows the threat name (only visible if the analyzed file is a threat)
- Analyze the interesting strings and strings sections
- Check URL and IP address information if present
- Check the file itself
  - File name
  - File format (type, sub-type, format/packer)
- Check the Tags section
  - File type in conjunction with tags can flag a file with potentially malicious intent
  - Interesting tags: anonymous-email, cert-expired, cert-invalid, cert-untrusted, cert-self-signed, cert-blacklisted, cryptocurrency, data-exfiltration, file-download, ftp-use, backdoor, c2, custom-packed, downloader, keylogger, pos, ransomware, deceptive-link, anti...
  - Interesting tag prefixes (tags starting with): cert-revoked-, contains-, ransomware-, uri-, av-, privacy-, capability-, indicator-, email-
  - PDF files: check tags starting with indicator- and capability- to see if the PDF file can execute or download files
  - Microsoft Office files: check whether VBA scripts/macros are present and exhibit suspicious indicators; see tags such as indicator-macro and tags starting with indicator- and capability-
- Check extracted file statistics
  - A high entropy value (maximum is 8) can be a sign of obfuscation
- Microsoft .NET files
- Java DEX files
- Adobe Flash files
  - Check called ActionScript functions
- Check YARA matches, if any
- Check the file certificate
  - Check the certificate section to see whether the certificate is valid
- Check file validation
  - Check the validation section to see if the file is malformed, or if the file certificate is blacklisted
- Check who compiled the file and when; sometimes that reveals interesting information
  - PDB path section: the debug symbols link in the compiled file can contain information about the machine that compiled the malware
  - Compile date
  - Look at the Signer section
- Check whether the file is similar to other files of the same status (MALICIOUS/SUSPICIOUS)
  - Use the RHA statistics section
- Windows executables
  - Check the PE VS_Info section
  - Check if the file content is protected
    - Check the content in the taggant section
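The workflow above turned into a triage helper over the report schema documented on this page (added example, not ReversingLabs code). It assumes the Analysis reports are handed over as a list indexed by their index field, that the File struct sits at info.file, and uses a constructed entropy cut-off of 7.0 (the page only states the maximum is 8); the sample reports are constructed.

```python
"""Triage of a Spectra Detect report set following the Data Analysis Workflow.

Added example, not ReversingLabs code. Assumptions not fixed by the page: the
Analysis reports are passed as a list indexed by their `index` field, the File
struct is found at info["file"], and the entropy cut-off of 7.0 is constructed
(the page only states that the maximum is 8)."""

CLASSIFICATION_NAMES = {0: "unknown", 1: "goodware", 2: "suspicious", 3: "malicious"}

# Tags the workflow singles out: exact names and name prefixes (from the page).
INTERESTING_TAGS = frozenset({
    "anonymous-email", "cert-expired", "cert-invalid", "cert-untrusted",
    "cert-self-signed", "cert-blacklisted", "cryptocurrency", "data-exfiltration",
    "file-download", "ftp-use", "backdoor", "c2", "custom-packed", "downloader",
    "keylogger", "pos", "ransomware", "deceptive-link",
})
INTERESTING_PREFIXES = ("cert-revoked-", "contains-", "ransomware-", "uri-", "av-",
                        "privacy-", "anti", "capability-", "indicator-", "email-")
HIGH_ENTROPY = 7.0  # constructed threshold; Shannon entropy maxes out at 8


def interesting_tags(tags):
    """Keep only the tags the workflow treats as notable, in sorted order."""
    return sorted(t for t in tags
                  if t in INTERESTING_TAGS or t.startswith(INTERESTING_PREFIXES))


def triage_one(report):
    """Summarise a single Analysis report (one tc_report entry)."""
    cls = report.get("classification", {})
    verdict = cls.get("classification", 0)
    entropy = report.get("info", {}).get("file", {}).get("entropy", 0.0)
    return {
        "index": report.get("index", 0),
        "verdict": CLASSIFICATION_NAMES.get(verdict, "unknown"),
        # rca_factor only means something once the file has a classification
        "rca_factor": cls.get("rca_factor") if verdict != 0 else None,
        # result (the threat name) is only present when the file is a threat
        "threat_name": cls.get("result"),
        "propagated": bool(cls.get("propagated", False)),
        "tags": interesting_tags(report.get("tags", [])),
        "high_entropy": entropy >= HIGH_ENTROPY,
    }


def triage_set(reports):
    """Walk the report set from the root (index 0) along `children` indexes.

    Returns per-file summaries plus the worst non-propagated verdict and the
    index of the report that produced it (the propagation origin)."""
    summaries, seen, queue = [], set(), [0]
    worst_value, worst_index = 0, None
    while queue:
        idx = queue.pop(0)
        if idx in seen or not 0 <= idx < len(reports):
            continue  # tolerate cycles and dangling child indexes in a malformed set
        seen.add(idx)
        rep = reports[idx]
        summary = triage_one(rep)
        summaries.append(summary)
        value = rep.get("classification", {}).get("classification", 0)
        if not summary["propagated"] and value > worst_value:
            worst_value, worst_index = value, idx
        queue.extend(rep.get("children", []))
    return {"files": summaries,
            "worst_verdict": CLASSIFICATION_NAMES[worst_value],
            "worst_from_index": worst_index}


# Constructed sample: a document (index 0) with two sub-files; the second child
# is a malicious executable, so the parent's verdict is propagated from it.
SAMPLE_REPORTS = [
    {"index": 0, "children": [1, 2],
     "tags": ["indicator-macro", "capability-file-download", "text"],
     "info": {"file": {"entropy": 4.2}},
     "classification": {"classification": 3, "rca_factor": 9, "propagated": True,
                        "result": "Win32.Trojan.Example"}},
    {"index": 1, "parent": 0, "children": [], "tags": ["image"],
     "info": {"file": {"entropy": 7.9}},
     "classification": {"classification": 1, "rca_factor": 2, "propagated": False}},
    {"index": 2, "parent": 0, "children": [],
     "tags": ["cert-self-signed", "c2", "uri-http"],
     "info": {"file": {"entropy": 7.6}},
     "classification": {"classification": 3, "rca_factor": 9, "propagated": False,
                        "result": "Win32.Trojan.Example"}},
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage_set(SAMPLE_REPORTS), indent=2))
```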
Basic Data Types
Reports received from Spectra Detect Worker will have fields with the following data types:
Type | Description |
---|---|
int | Signed integer, e.g. int32 |
uint | Unsigned integer, e.g. uint16 |
decimal | Floating-point number, e.g. decimal64 |
bool | Boolean value: True or False |
string | UTF-8 encoded text |
Other data types (enum, list, struct, struct-list) link to their own sections where their components are listed in terms of basic data types.
Spectra Detect Report
The root of the report contains the following fields:
Field | Type | Description |
---|---|---|
submitted | int32 | File submission time (UNIX timestamp). |
task_id | int32 | ID assigned to the processing task. |
processed | int32 | File processing time (UNIX timestamp). |
worker_ip | string | IP address of the Worker that processed the file. |
worker_address | string | Address of the Worker that processed the file. |
worker_hostname | string | Hostname of the Worker that processed the file. |
direct_sender | string | IP address of the machine that sent the file to the Worker (usually Spectra Detect Hub). |
forwarded_for | list: string | IP address of the original sender of the file. |
file_link | string | Link to the analyzed file. |
custom_data | struct | User-defined data (JSON). |
network_reputation | struct-list: Network Reputation | Reputation information on any network resources found within the file. |
tc_report | struct: Analysis | Analysis report for the file. |
Analysis
In the tc_report field of a Spectra Detect report, the following fields are possible:
Field | Type | Description |
---|---|---|
relationships | struct: Relationships | List of all the children, children of those children, their children etc. ONLY if previously enabled. |
info | struct: Info | General information about the file. |
metadata | struct: Metadata | File metadata. |
strings | struct-list: String | List of strings found in the file. |
classification | struct: Classification | Classification of the file (is it malicious or not). |
indicators | struct-list: Indicator | Indicators of suspicious behavior. |
interesting_strings | struct-list: Interesting string | Interesting strings (such as IP addresses to which a file might try to connect). |
story | struct-list: Story | Summary that gives a human-readable overview about this file. |
tags | list: string | During analysis, a file receives several tags related to its properties. |
index | int32 | The position of this report in the set of reports. |
parent | int32 | The position of the report that is the parent of this report. |
children | list: int32 | List of report indexes that are considered children of this report. E.g. if a file has two sub-files, there would be three reports in total. The first report representing the main file would contain values [1,2] for children. Reports for 1 and 2 would be analysis reports for the sub-files. |
Classification
The key information here is the classification field, which will be a number from 0 to 3:
VALUE | DESCRIPTION |
---|---|
0 | No classification (unknown) |
1 | Goodware |
2 | Suspicious |
3 | Malicious |
Other fields provide more info:
Field | Type | Description |
---|---|---|
propagated | boolean | Indicates whether the classification has been propagated from a file contained in the analyzed file. |
classification | int32 | Final verdict on the file's classification based on all scan results. This result should be used when making classification decisions. |
factor | int32 | A number from 0 to 5. If classification is 1, this is the "trust factor", or how confident we are that the file is goodware (0 is highest confidence, 5 is lowest confidence). If the classification is 3, then this is the "threat level", or how dangerous the malicious file is (0 is least dangerous, 5 is most dangerous). This field will be deprecated and replaced with rca_factor. |
result | string | Threat name in case the file is a threat. If not, this field is not present. |
rca_factor | int32 | Unique measure of the trustworthiness of a file, regardless of its classification. Ranges from 0 to 10, with 0 being the most trustworthy files and 10 the most dangerous malware. |
scan_results | struct-list: Scanner result | Contains all scan results from all the different sources retrieved by the analysis engine. If this section is not present in the output, the file could not be classified by the static analysis engine or by any of the Spectra Intelligence components. |
yara | struct-list: YARA | Matched YARA rules. |
propagation_source | struct: Pair | Origin of the final top-level classification (the child file which caused the parent file to receive its classification). |
Scanner result
Different scanners have their own individual classifications, which are then used as components to form the final classification. See the next section for an overview of used scanners.
Field | Type | Description |
---|---|---|
ignored | boolean | if true, the result will be excluded from final classification |
classification | int32 | classification that was assigned by this scanner |
factor | int32 | this is either trust or threat factor depending on classification; trust is assigned only to goodware classifications |
name | string | scanner name |
version | string | scanner version |
result | string | scanner result |
type | enum: scanner_type | |
rca_factor | int32 | |
properties | struct-list: Property | scanner result properties |
Spectra Core Classification Scanners
Scanner name | Description |
---|---|
Spectra Core Format | Certain file formats, such as Windows executable packers, are intended to be used as a means of evading security solutions. Detecting that a file is protected with this type of evasive technology is sufficient to declare it, and its payload, a threat. If the format can also be used by non-malicious applications, the resulting detection will be suspicious or malicious. The threat name is constructed from the format name, for example Win[32|64].Packer.{PackerName} |
Spectra Core YARA | Threat detection capabilities included with the engine can be extended by adding user-defined YARA rules. Native integration with the classification logic ensures that threats can be both detected and named using these rules. Spectra Core includes hundreds of YARA rules as examples of such integration. While ideally all YARA rules would be updated for best integration with the engine, this isn't required. Depending on how the engine is configured, any YARA rule can be considered a threat detection rule. In cases where YARA rule integration is superficial, the detected threat name can, for example, be {Platform}.Malware.YARA |
Spectra Core RHA1 | ReversingLabs Hashing Algorithm (RHA1) is a proprietary functional file similarity algorithm. It is primarily designed for executable formats, and as such it is implemented specifically for each supported format. RHA1 converts functional file features, both the code and its layout, into four precision-level hashes. Each precision level represents a 25% increase in similarity between files that share the same hash at that precision level. The lowest precision is 25% and the highest is 100%. Spectra Core comes with an offline database of blacklisted RHA1 hashes. This technology is capable of detecting polymorphic threats and their variants. Even though threats are detected based on similarity, they are still named after the threat the file is most similar to. |
Spectra Core RICC | Rules, Indicators, Classifications and Capabilities (RICC) is an offline database that applies static analysis rules to analyzed content. Part of its responsibility is to classify files based on signatures and unique metadata properties found only in malicious files. Two such classification technologies are deployed through RICC: Byte Pattern Matches, signatures that detect known threats, and the Malware Artifacts Classifier, which looks at the metadata for malware clues. Both of these technologies correlate the detection to a named threat. In terms of classification, they are the most specific detection technologies within the engine, and are reserved for precise threat detections only. |
Spectra Core Machine Learning | Machine learning is a predictive detection technology. Explainable Machine Learning, a concept unique to ReversingLabs, bases its classification on the principles of expandability, transparency and relevancy. Based solely on human-readable indicators, machine learning models detect specific threat types and can differentiate between threats and benign files. When the machine learning model predicts that a threat type falls into a recognized category, it will name the threat Win[32|64].{ThreatType}.Heuristic. However, if the model is certain that the file is a threat but can't place it into a threat category, it will name the threat Win[32|64].Malware.Heuristic. Machine learning models are made to detect Windows executable and fileless malware types. |
Spectra Core Document Classifier | Scripts and macros embedded within documents represent a significant attack vector. Due to the nature of scripting languages, attacks can easily be modified to the point that they are no longer detectable by a simple byte pattern signature. Detecting such threats proactively is only possible through heuristics and machine learning models. Spectra Core applies both of these approaches to threat detection. When a threat is detected through machine learning, the detected threat name can, for example, be Document-{SubPlatform}.Malware.Heuristic. Heuristics, on the other hand, are human-written and are more specific in their labeling. An example of a human-written heuristic detection is a threat named Document-{SubPlatform}.Trojan.Heuristic |
Spectra Core URL Classifier | Many file formats enable active linking to content hosted on remote servers. These are commonly referred to as hyperlinks or uniform resource locators (URL). Since the active content is on a remote server, it can change at any time. However, some URLs themselves contain information that helps infer the type of content they point to. With static analysis, Spectra Core can detect various kinds of deceptive links without visiting the content targeted by the URL. Attacker techniques such as typosquatting, domain spoofing, and homoglyphs are detected for more than 5000 popular websites. In addition to deceptive links, the solution includes an offline database of blacklisted domains and known malicious URL patterns. When the engine finds an embedded link that points to a blacklisted domain, it will name the threat {Platform}.Hyperlink.Blacklisted |
Spectra Core Email Classifier | Email messages are stored in structured file formats. This encapsulation includes email headers, the message body and a number of attachments. Any of these components can be malicious and therefore needs to be inspected. Email headers are checked for identity misrepresentation that relates to phishing and BEC attacks. Message bodies are inspected for URLs that could lead to phishing and malware downloads. Attachments are decomposed through static analysis in search of malicious code. Additionally, any attached file is also inspected for embedded URLs, which are themselves checked for malicious intent. When this technology detects phishing, it will name the threat Email.Phishing.{ServiceName}. The following services can be identified: Adobe, Amazon, AmericanExpress, Apple, BankOfAmerica, ChaseBank, DocuSign, Dropbox, Ebay, Facebook, Google, LinkedIn, Microsoft, Netflix, PayPal, Twitter and WhatsApp. If the email was detected as malicious due to an embedded URL, the threat name can appear as Email.Hyperlink.Homoglyph |
Spectra Core Image Analyzer | Multimedia formats are frequently abused as carriers of malicious payloads. They can hide malware using steganography techniques, or they can abuse format parsers to trigger code execution bugs. Static analysis performed for these formats looks for embedded scripts and shellcode. For example, this heuristic detection technology can detect PHP code within a GIF file, or JavaScript within JPEG EXIF properties. In both of these cases, the detected threat name will be {Platform}.Format.Heuristic |
Spectra Core Exploit Detector | During engine analysis, the parsed format structure is validated and any departures from the specification are reported. Detected malformations are automatically mapped back to exploits that are known to abuse format parsing bugs. Exploit detectors are a special kind of signature detection. They are implemented individually for each supported format, and are made to detect known exploits. Exploit detection is available for images, documents, archives and mobile application package formats. When an exploit is detected within an image format, the reported threat name can be {Platform}.Exploit.CVE-{ID} |
Spectra Core Hierarchy Analyzer | During automated file extraction, the supported formats are decomposed recursively. Unexpected format combinations can be discovered during extraction. For example, documents and multimedia files should never embed executable files. If such unusual format combinations are discovered, the engine will declare those files suspicious with the following threat name: {Platform}.Format.Content |
Spectra Core Certificate Lists | Applications, archives, documents and software packages can all be digitally signed. These signatures guarantee integrity and certify the origin of the content they are signing. Spectra Core comes with a customizable list of signers, or identities, that own recognized certificates. These identities can be added to either the Spectra Core certificate blacklist or whitelist. The former will declare signed content malicious, while the latter will classify analyzed content as goodware. When a file is declared malicious due to a blacklisted certificate, the threat name will be displayed as {Platform}.Certificate.Blacklisted |
Spectra Core Certificate Validator | Digital signatures include a file integrity validation hash. Validating digital certificates is a multi-step process. Valid certificates have a properly formed digital certificate chain and pass file hash integrity validation. Spectra Core detects signed file tampering and is capable of detecting signer impersonation, certificate malformation and content modification. Failing any of these checks will classify the file as at least suspicious. The displayed threat name will reflect the detected type of tampering attempt. When a self-signed certificate tries to misrepresent itself and emulates a trusted certificate, the displayed threat name will be {Platform}.Certificate.Impersonation. On the other hand, when a file fails integrity validation, the threat name can appear as {Platform}.Certificate.Invalid or {Platform}.Certificate.Malformed. When the signing time is valid but the signature was created after the signing certificate had already expired, or after it had been revoked by the Certificate Authority, the threat name will be {Platform}.Certificate.SignedAfterExpiration or {Platform}.Certificate.SignedAfterRevocation respectively. |
Spectra Core Graylisting | Due to a lack of strong goodware indication, an accurate classification cannot be determined for a number of analyzed files. While such a file was not determined to be a threat, it could not be linked to a trusted publisher or a data source either. Such files would typically have to be classified as unknown. Graylisting as a technology implements a weak whitelisting approximation. For certain file types that are not known to carry malicious payloads, graylisting will approximate the classification to goodware with the lowest trust. To qualify, the file must also have no active content such as scripts, macros, hyperlinks, or any kind of statically deducible behavior pointing to code execution. If these criteria are met, the file will be declared implicit goodware and will be labeled {Platform}.Format.Graylisted |
Spectra Intelligence | Spectra Core can be connected to ReversingLabs Spectra Intelligence as a file reputation source. During automated static analysis, Spectra Core will submit a hash of every file it encounters for additional classification. Spectra Intelligence has file reputation information on over 10B files, including both whitelisted and blacklisted binaries. Depending on the classification assigned to the hash, locally processed content can change or override the final classification. |
YARA
Field | Type | Description |
---|---|---|
classification | int32 | Classification as determined by YARA rule. |
identifier | string | YARA rule name. |
filename | string | Filename of the YARA rule. |
ns | string | YARA rule namespace. |
hash | string | YARA ruleset hash. |
tags | list: string | Tags that the YARA rule is tagged with. |
metas | struct-list: Pair | YARA rule metadata. |
strings | struct-list: YARA string | Strings that matched the YARA rule. |
YARA string
YARA string match
Field | Type | Description |
---|---|---|
offset | int64 | match offset |
length | int32 | full matched data length |
data | string | matched data |
Relationships
If this section is enabled in the report service, it lists all child files (and their children) of the analyzed file.
The full analysis report includes additional parent/child metadata in the form of index numbers starting at 0 and ending at N, where 0 is the starting ("root" parent) file and N the last extracted child file.
If an MS DOC, RTF or PDF file embeds a document of one of the types listed in Appendix A: Suspicious Embedded File Types, there is a reasonable possibility that the original (parent) file has malicious intent.
Field | Type | Description |
---|---|---|
id | string | SHA1 hash of the analyzed file. |
parent | string | SHA1 of the parent file. This value is not returned for the top-level entry in the list (the "root" parent file), because that file does not have a parent. |
container | string | SHA1 of the top-level parent file. |
children | struct-list: Relationships | List of all the direct children of this particular file. |
Info
Statistics
file_stats_item
file_stats_item_identification
Field | Type |
---|---|
count | int64 |
name | string |
File
Some archive files (containers) preserve file modification dates, which are propagated down to their children files (contained files). This metadata is stored in the file_properties section.
Field | Type | Description |
---|---|---|
file_type | string | File type. |
file_subtype | string | File sub-type. |
file_name | string | File name as assigned by engine. |
file_path | string | File path as assigned by engine. |
size | uint16 | File size. |
entropy | decimal64 | File entropy calculated using Shannon's algorithm. |
hashes | struct-list: Pair | Calculated file hashes. |
modified_time | string | File modified time (ISO-8601). |
access_time | string | File accessed time (ISO-8601). |
proposed_filename | string | Supposed filename extracted from other metadata if the original filename is not available. |
creation_time | string | File created time (ISO-8601). |
Identification
Field | Type | Description |
---|---|---|
success | boolean | format identification successful |
name | string | format name |
version | string | format version |
author | string | matching signature author |
Binary Layer
Field | Type | Description |
---|---|---|
is_binary_layer | boolean | whether this is a binary layer |
type | enum: binary_layer_type | type of binary layer |
offset | uint64 | first byte position where layer starts |
size | uint64 | size of the layer in bytes |
info | string | additional info |
binary_layer_type (enum)
- unknown
- resource
- section
- overlay
- stego
Validation
Field | Type | Description |
---|---|---|
valid | boolean | whether file is valid (if all results are valid) |
scan_results | struct-list: Validation Result | validation results |
Validation Result
Field | Type | Description |
---|---|---|
valid | boolean | whether the certificate was found to be valid |
name | string | scanner name |
version | string | scanner version |
results | list: validation_description | possible outcomes related to the analysis of certificates |
warnings | list: string | list of warnings related to validation |
type | enum: scanner_type | used scanners |
validation_description (enum)
- bad_checksum
- bad_signature
- invalid_certificate
- expired_certificate
- blacklisted_certificate
- whitelisted_certificate
- malformed_certificate
- self_signed_certificate
- impersonation_attempt
- untrusted_certificate
- revoked_certificate
- revoked_certificate_unspecified
- revoked_certificate_key_compromise
- revoked_certificate_ca_compromise
- revoked_certificate_affiliation_changed
- revoked_certificate_superseded
- revoked_certificate_cessation_of_operation
- revoked_certificate_hold
- revoked_certificate_remove_from_crl
- revoked_certificate_privilege_withdrawn
- revoked_certificate_aa_compromise
- signed_after_revocation
- bad_certificate_timestamp
- security_catalog
- signed_after_expiration
scanner_type (enum)
- generic
- av
- sandbox
- validator
- unpacker
- internal
- cloud
- user_override
- certificate
- whitelisting
- analyst_override
- ng_av
Unpacking
unpacking_status (enum)
- unknown
- failed
- success
- partial
Overlay
Field | Type | Description |
---|---|---|
from | enum: overlay_from | where the overlay comes from |
offset | uint64 | overlay physical offset |
size | uint64 | overlay physical size |
entropy | decimal64 | overlay entropy calculated using Shannon's algorithm |
hashes | struct-list: Pair | set of overlay content hashes |
overlay_from (enum)
- pe
- pe_security_directory
- archive
- binary
- container
- document
- scripts
- text
- video
- image
This section contains information about a sample extracted through static analysis. Which information is retrieved depends on the sample type, so sections that do not apply to the sample type will contain no data.
Field | Type | Description |
---|---|---|
capabilities | uint32 | capabilities of the application |
pe | struct: PE | PE application metadata |
elf | struct: ELF | ELF application metadata |
macho | struct: Macho | MachO application metadata |
dex | struct: Dex | DEX application metadata |
dotnet | struct: Dotnet | NET application metadata |
libraries | struct-list: Identity | detected libraries |
identity | struct: Identity | application identity |
The capabilities field provides a brief overview of the actions a sample is capable of performing by outlining its basic features. Capabilities are expressed as a bit array (several capabilities can be expressed with one number code), and the name of each bit is provided.
Bit | Meaning |
---|---|
0x00000001 | clipboard |
0x00000002 | ipc |
0x00000004 | threads |
0x00000008 | processes |
0x00000010 | storage |
0x00000020 | filesystem |
0x00000040 | peripherals |
0x00000080 | user_input |
0x00000100 | hardware_interfaces |
0x00000200 | networking |
0x00000400 | cryptography |
0x00000800 | security |
0x00001000 | system |
0x00002000 | modules |
0x00004000 | memory_management |
0x00008000 | user_interface |
0x00010000 | command_line |
0x00020000 | time_and_date |
0x00040000 | identity |
0x00080000 | monitoring |
0x00100000 | configuration |
0x00200000 | compression |
0x00400000 | multimedia |
0x00800000 | deprecated |
0x01000000 | undocumented |
0x02000000 | application_management |
0x04000000 | service_management |
0x08000000 | messaging |
0x10000000 | protection |
0x20000000 | drivers |
Capabilities bit array for PE files
For PE files the same capabilities are named constants expressed as bit shifts (for use with bitwise operations), with an additional clarification of what each bit represents.
- none_k = 0,
- clipboard_k = 1 << 0, whether app has capability for managing the clipboard
- ipc_k = 1 << 1, whether app has capability for inter-process communication
- threads_k = 1 << 2, whether app has capability for using and managing threads
- processes_k = 1 << 3, whether app has capability for using and managing processes
- storage_k = 1 << 4, whether app has capability for managing storage devices or volumes
- filesystem_k = 1 << 5, whether app has capability for managing files or folders
- peripherals_k = 1 << 6, whether app has capability for managing peripheral hardware devices
- user_input_k = 1 << 7, whether app has capability for receiving user input
- hardware_interfaces_k = 1 << 8, whether app has capability for managing hardware interfaces, ports or buses
- networking_k = 1 << 9, whether app has capability for network communication
- cryptography_k = 1 << 10, whether app has capability for cryptographic operations
- security_k = 1 << 11, whether app has capability for managing security contexts
- system_k = 1 << 12, whether app has capability for accessing operating system facilities
- modules_k = 1 << 13, whether app has capability for using additional modules
- memory_management_k = 1 << 14, whether app has capability for requesting and managing memory
- user_interface_k = 1 << 15, whether app has capability for managing the user interface
- command_line_k = 1 << 16, whether app has capability for using command line interface
- time_and_date_k = 1 << 17, whether app has capability for managing time information or timers
- identity_k = 1 << 18, whether app has capability for user identity management
- monitoring_k = 1 << 19, whether app has capability for system status monitoring
- configuration_k = 1 << 20, whether app has capability for managing system settings or configurations
- compression_k = 1 << 21, whether app has capability for compressing or extracting data
- multimedia_k = 1 << 22, whether app has capability for graphics, animation, audio or video
- deprecated_k = 1 << 23, whether app has capability for using deprecated functionality
- undocumented_k = 1 << 24, whether app has capability for using undocumented functionality
- application_management_k = 1 << 25, whether app has capability for managing applications
- service_management_k = 1 << 26, whether app has capability for managing services
- messaging_k = 1 << 27, whether app has capability for sending messages
- protection_k = 1 << 28, whether app has capability for securing the execution environment
- drivers_k = 1 << 29, whether app has capability for managing drivers or kernel modules
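Decoding and composing the capabilities bit array described above (added example, not ReversingLabs code). The bit positions are the ones listed on this page; bit 29, written drivers_k above, is called "drivers" here, and the sample value is constructed.

```python
"""Decode and compose the `capabilities` bit array of the application metadata.

Added example, not ReversingLabs code; bit positions follow the table above
(bit 29 is written drivers_k on the page and is called "drivers" here)."""

# Bit position -> capability name, in the order documented above (bits 0..29).
CAPABILITY_NAMES = [
    "clipboard", "ipc", "threads", "processes", "storage", "filesystem",
    "peripherals", "user_input", "hardware_interfaces", "networking",
    "cryptography", "security", "system", "modules", "memory_management",
    "user_interface", "command_line", "time_and_date", "identity", "monitoring",
    "configuration", "compression", "multimedia", "deprecated", "undocumented",
    "application_management", "service_management", "messaging", "protection",
    "drivers",
]
CAPABILITY_BIT = {name: 1 << i for i, name in enumerate(CAPABILITY_NAMES)}
KNOWN_MASK = sum(CAPABILITY_BIT.values())  # 0x3FFFFFFF: every documented bit


def decode_capabilities(value):
    """Split a uint32 `capabilities` value into (known names, unknown bits).

    Unknown bits are returned rather than dropped, so a report produced by a
    newer engine version does not silently lose information."""
    value &= 0xFFFFFFFF
    names = [name for name in CAPABILITY_NAMES if value & CAPABILITY_BIT[name]]
    return names, value & ~KNOWN_MASK


def encode_capabilities(names):
    """Inverse of decode_capabilities; rejects names the schema does not define."""
    value = 0
    for name in names:
        try:
            value |= CAPABILITY_BIT[name]
        except KeyError:
            raise ValueError(f"unknown capability name: {name!r}") from None
    return value


def has_capabilities(value, *names):
    """True if every named capability bit is set in `value`."""
    required = encode_capabilities(names)
    return (value & required) == required


if __name__ == "__main__":
    # Constructed value: filesystem (0x20) | networking (0x200) | cryptography (0x400)
    sample = 0x00000620
    print(decode_capabilities(sample))  # (['filesystem', 'networking', 'cryptography'], 0)
    print(has_capabilities(sample, "networking", "filesystem"))  # True
```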
Analysis
Field | Type |
---|---|
analysis_state | int32 |
security_grade | int32 |
issues | struct-list: Issue |
Issue
Field | Type | Description |
---|---|---|
code | int32 | unique issue code |
name | string | unique issue name |
description | string | issue description |
relevance | int32 | relevance for ML classification |
count | int32 | |
DOS header
Field | Type | Description |
---|---|---|
e_cblp | uint16 | bytes on last page of file |
e_cp | uint16 | pages in file |
e_crlc | uint16 | relocations |
e_cparhdr | uint16 | size of header in paragraphs |
e_minalloc | uint16 | minimum extra paragraphs needed |
e_maxalloc | uint16 | maximum extra paragraphs needed |
e_ss | uint16 | initial (relative) SS value |
e_sp | uint16 | initial SP value |
e_csum | uint16 | checksum |
e_ip | uint16 | initial IP value |
e_cs | uint16 | checksum |
e_lfarlc | uint16 | file address of relocation table |
e_ovno | uint16 | overlay number |
e_res | string | |
e_oemid | uint16 | OEM identifier (for e_oeminfo) |
e_oeminfo | uint16 | OEM information (e_oemid specific) |
e_res2 | string | |
e_lfanew | uint32 | file address of new exe header |
Rich header
Field | Type | Description |
---|---|---|
checksum | uint32 | Rich Header checksum as present in file |
offset | uint64 | Rich Header start offset |
size | uint64 | Rich Header size in bytes |
entries | struct-list: Entry | Rich header entries |
Entry
Field | Type | Description |
---|---|---|
tooling | uint32 | toolchain component type |
version | uint16 | toolchain component product version |
product | uint16 | toolchain component product id |
counter | uint32 | number of times used |
File header
Field | Type |
---|---|
machine | uint16 |
number_of_sections | uint16 |
time_date_stamp | uint32 |
time_date_stamp_decoded | string |
pointer_to_symbol_table | uint32 |
number_of_symbols | uint32 |
size_of_optional_headers | uint16 |
characteristics | uint16 |
Optional header
Field | Type |
---|---|
is_checksum_valid | boolean |
major_linker_version | uint8 |
minor_linker_version | uint8 |
size_of_code | uint32 |
size_of_initialized_data | uint32 |
size_of_uninitialized_data | uint32 |
address_of_entry_point | uint32 |
base_of_code | uint32 |
base_of_data | uint32 |
image_base | uint64 |
section_alignment | uint32 |
file_alignment | uint32 |
major_os_version | uint16 |
minor_os_version | uint16 |
major_image_version | uint16 |
minor_image_version | uint16 |
major_subsystem_version | uint16 |
minor_subsystem_version | uint16 |
win32_version_value | uint32 |
size_of_image | uint32 |
size_of_headers | uint32 |
checksum | uint32 |
subsystem | uint16 |
dll_characteristics | uint16 |
size_of_stack_reserve | uint64 |
size_of_stack_commit | uint64 |
size_of_heap_reserve | uint64 |
size_of_heap_commit | uint64 |
loader_flags | uint32 |
number_of_rva_and_sizes | uint32 |
data_directories | struct-list: Data directory |
Data directory
Field | Type | Description |
---|
address | uint32 | data directory relative start |
size | uint32 | data directory size |
PE section
Field | Type | Description |
---|
name | string | section name |
flags | uint32 | section flags |
relative_base | uint32 | section relative virtual address |
physical_base | uint32 | section physical offset |
relative_size | uint32 | section relative size |
physical_size | uint32 | section physical size |
entropy | decimal64 | section content entropy |
hashes | struct-list: Pair | set of section content hashes |
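The optional header and PE section fields above are the ones a reviewer reads first when deciding whether a binary is packed or built without exploit mitigations. The following is an added example (not Spectra Detect code) that runs those checks over a report's PE metadata: it reads dll_characteristics for ASLR/DEP/CFG bits, flags sections that are both writable and executable, have near-random entropy or reserve far more virtual than physical size, and locates the section holding the entry point. The sample structure is constructed; nesting the fields under "optional_header" and "sections" is an assumption about how the worker lays out the pe struct, and the flag constants are the PE/COFF specification values.

```python
"""Triage checks over the PE metadata of a Spectra Detect report.

Added example, not code from the Spectra Detect product. The 'pe' structure
below is constructed to match the optional header and PE section fields
documented on this page; the nesting under "optional_header" and "sections"
is an assumption about how the worker lays out the struct. Flag constants
come from the PE/COFF specification.
"""

# IMAGE_SCN_* section characteristics (PE/COFF specification)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_DLLCHARACTERISTICS_* bits in optional_header.dll_characteristics
MITIGATION_BITS = {
    "aslr": 0x0040,   # DYNAMIC_BASE
    "dep": 0x0100,    # NX_COMPAT
    "cfg": 0x4000,    # GUARD_CF
}

HIGH_ENTROPY = 7.0  # bits per byte; near-random content suggests packing or encryption

# Constructed sample shaped like a UPX-packed executable (not a real report)
SAMPLE_PE = {
    "optional_header": {
        "is_checksum_valid": False,
        "address_of_entry_point": 0xB000,
        "dll_characteristics": 0x0000,
    },
    "sections": [
        {"name": ".text", "flags": 0x60000020, "relative_base": 0x1000,
         "relative_size": 0x3000, "physical_size": 0x3000, "entropy": 6.1},
        {"name": "UPX0", "flags": 0xE0000080, "relative_base": 0x4000,
         "relative_size": 0x6000, "physical_size": 0x0, "entropy": 0.0},
        {"name": "UPX1", "flags": 0xE0000040, "relative_base": 0xA000,
         "relative_size": 0x8000, "physical_size": 0x7800, "entropy": 7.9},
    ],
}


def missing_mitigations(optional_header):
    """Names of exploit mitigations whose dll_characteristics bit is clear."""
    flags = optional_header["dll_characteristics"]
    return [name for name, bit in MITIGATION_BITS.items() if not flags & bit]


def section_findings(section):
    """Packer / tampering indicators for one PE section record."""
    findings = []
    flags = section["flags"]
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append("writable+executable")
    if section["entropy"] >= HIGH_ENTROPY:
        findings.append("high-entropy")
    # Unpacking stubs reserve far more memory than they occupy on disk
    if section["relative_size"] > 2 * section["physical_size"]:
        findings.append("virtual-size-inflated")
    return findings


def entry_point_section(pe):
    """Name of the section whose virtual range contains the entry point."""
    ep = pe["optional_header"]["address_of_entry_point"]
    for section in pe["sections"]:
        start = section["relative_base"]
        if start <= ep < start + section["relative_size"]:
            return section["name"]
    return None  # entry point outside every section: itself suspicious


def triage_pe(pe):
    """Summarise the checks above for one report."""
    return {
        "checksum_valid": pe["optional_header"]["is_checksum_valid"],
        "missing_mitigations": missing_mitigations(pe["optional_header"]),
        "entry_point_section": entry_point_section(pe),
        "sections": {s["name"]: section_findings(s) for s in pe["sections"]},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pe(SAMPLE_PE), indent=2))
```

An entry point that lands in a writable, high-entropy section rather than in .text is the classic packed-binary layout; combined with an invalid checksum and no mitigation bits it is worth a closer look even when no scanner fires.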
Import
Field | Type |
---|
name | string |
apis | list: string |
Export
Field | Type |
---|
name | string |
apis | list: string |
Resource
Field | Type | Description |
---|
type | string | resource type name or the corresponding ID |
name | string | resource name or the corresponding ID |
language_id_name | string | language ID decoded to language name |
language_id | uint32 | language ID |
code_page | uint32 | code page used |
offset | uint32 | resource physical offset |
size | uint32 | resource physical size |
entropy | decimal64 | data entropy calculated using Shannon's algorithm |
hashes | struct-list: Pair | set of resource content hashes |
Codeview
Field | Type |
---|
timestamp | string |
guid | string |
pdb_path | string |
revision | uint32 |
Taggant
Field | Type | Description |
---|
packer_info | struct: Packer info | Packer information |
timestamp | string | Time stamp |
spv_certificate | struct: Certificate object | SPV (Software Protection Vendor) certificate |
user_certificate | struct: Certificate object | User certificate |
Packer info
Field | Type | Description |
---|
name | string | Packer name |
id | uint32 | Packer ID |
version_major | uint16 | Packer major version |
version_minor | uint16 | Packer minor version |
version_build | uint16 | Packer build version |
reserved | uint16 | Packer reserved field |
ELF
Field | Type | Description |
---|
type | uint16 | object file type |
os_abi_name | uint8 | OS and ABI to which the object is targeted |
abi_version | uint8 | version of the ABI to which the object is targeted |
machine | uint16 | required architecture |
entry_va | uint64 | entry point virtual address |
interpreter_path | string | |
program_headers | struct-list: Program header | list of program headers |
sections | struct-list: Section | list of sections |
symbols | struct-list: Symbol | list of symbols |
dynamic_table | struct-list: Dynamic table | |
Program header
Field | Type | Description |
---|
type | uint32 | segment type |
flags | uint32 | segment flags |
offset | uint64 | segment file offset |
virtual_address | uint64 | segment virtual address |
physical_address | uint64 | segment physical address |
file_size | uint64 | segment size in file |
memory_size | uint64 | segment size in memory |
alignment | uint64 | segment alignment |
entropy | decimal64 | segment content entropy |
hashes | struct-list: Pair | set of segment content hashes |
ELF section
Field | Type | Description |
---|
name | string | name of the section |
type | uint64 | categorizes the section's content and semantics |
flags | uint64 | 1-bit flags that describe miscellaneous attributes |
address | uint64 | memory address at which the section's first byte should reside |
alignment | uint64 | address alignment |
offset | uint64 | byte offset from the beginning of the file to the first byte in section |
size | uint64 | section's size in bytes |
link | uint32 | section header table index link |
ELF Symbol
Field | Type | Description |
---|
info | uint8 | type and binding attributes |
other | uint8 | other |
name | string | symbol name |
references | uint32 | symbol references |
sources | uint32 | symbol sources |
Dynamic table
Field | Type |
---|
tag | int64 |
value | string |
Macho
Field | Type | Description |
---|
abi64 | boolean | 64bit or 32bit |
cpu_type | uint32 | intended architecture to be used |
file_type | uint8 | usage and alignment of the file |
flags | uint32 | set of bit flags that indicate the state of certain optional features |
segments | struct-list: Segment | |
sections | struct-list: Section | |
dynamic_libraries | list: string | |
symbols | struct-list: Symbol | |
Segment
Field | Type | Description |
---|
name | string | |
flags | uint32 | segment flags |
virtual_address | uint64 | segment virtual address |
virtual_size | uint64 | |
file_offset | uint64 | |
file_size | uint64 | segment size in file |
maximum_protection | uint32 | |
initial_protection | uint32 | |
entropy | decimal64 | segment content entropy |
hashes | struct-list: Pair | set of segment content hashes |
Macho section
Field | Type | Description |
---|
name | string | section name |
segment | string | name of the segment that should contain this section |
flags | uint32 | section type (8 bits) + other attributes (24 bits) |
address | uint64 | virtual memory address |
size | uint64 | size in bytes of the virtual memory occupied by this section |
offset | uint32 | offset to this section in the file |
alignment | uint32 | section's byte alignment |
Macho Symbol
Field | Type | Description |
---|
name | string | symbol name |
section | string | section that this symbol can be found in |
type | uint8 | type |
external | boolean | whether this symbol cannot be found in any section of this image |
Dex
Field | Type | Description |
---|
checksum_valid | boolean | whether checksum is valid |
signature_valid | boolean | whether signature is valid |
classes | struct-list: Dex Class | list of classes |
Dex Class
Field | Type | Description |
---|
modifiers | uint32 | class modifiers |
name | string | class name |
super_class | string | class' superclass |
source_file | string | original source file for this class |
annotations | struct-list: Annotation | list of class annotations |
interfaces | list: string | list of class interfaces |
methods | struct-list: Method | list of class methods |
fields | struct-list: Field | list of class fields |
Annotation
Field | Type | Description |
---|
visibility | uint8 | annotation visibility |
type_name | string | annotation type name |
attributes | struct-list: Attribute | list of annotation attributes |
Attribute
Field | Type |
---|
name | string |
value | struct: Value |
Value
Field | Type |
---|
type | uint32 |
value | string |
Method
Field | Type | Description |
---|
modifiers | uint32 | method modifiers |
name | string | method name |
return_type | string | method return type |
parameters | struct-list: Parameter | list of method parameters |
annotations | struct-list: Annotation | list of method annotations |
Parameter
Field | Type | Description |
---|
type_name | string | |
annotations | struct-list: Annotation | list of method annotations |
Field (Dex)
Field | Type | Description |
---|
modifiers | uint32 | field modifiers |
name | string | field name |
type | string | field type name |
value | string | field value |
annotations | struct-list: Annotation | list of field annotations |
Dotnet
Field | Type | Description |
---|
module | string | module name |
mvid | string | module version ID |
entry_point | struct: .NET Method | entry point method |
assembly | struct: Assembly | assembly reference |
types | struct-list: Type | list of types |
assembly_references | struct-list: Assembly | list of assembly references |
resources | struct-list: .NET Resource | list of resources |
exported_types | struct-list: Exported type | list of exported types |
.NET Method
Field | Type | Description |
---|
impl_attributes | uint16 | method ImplAttributes |
attributes | uint16 | method attributes |
name | string | method name |
return_type | string | method return type |
pinvoke_info | struct: Pinvoke info | method PInvoke info |
parameters | struct-list: Parameter | list of method parameters |
Pinvoke info
Field | Type | Description |
---|
attributes | uint16 | PInvoke attributes |
module | string | module name |
entry_point | string | module entry point |
Parameter
Field | Type | Description |
---|
attributes | uint16 | parameter attributes |
type_name | string | parameter type name |
name | string | parameter name |
Assembly
Field | Type | Description |
---|
name | string | assembly reference name |
version | string | assembly reference version formatted string |
culture | string | assembly reference culture |
public_key_token | string | assembly reference public key token |
Type
Field | Type | Description |
---|
attributes | uint32 | type attributes |
name | string | type name |
base_type | string | base type name |
methods | struct-list: Method | list of the type's methods |
fields | struct-list: Field | list of the type's fields |
interfaces | list: string | list of the type's interfaces |
events | struct-list: Event | list of the type's events |
properties | struct-list: Properties | list of the type's properties |
Field
Field | Type | Description |
---|
attributes | uint16 | field attributes |
name | string | field name |
constant | string | field constant value |
type | string | field type name |
Event
Field | Type | Description |
---|
attributes | uint16 | event attributes |
name | string | event name |
type | string | event type name |
Properties
Field | Type | Description |
---|
attributes | uint16 | property attributes |
name | string | property name |
type | string | declaring type |
constant | string | property constant value |
parameters | struct-list: Parameter | list of property parameters |
.NET Resource
Field | Type | Description |
---|
type | uint8 | resource type |
attributes | uint32 | resource attributes |
name | string | resource name |
file | string | resource file |
hash | string | resource file hash |
assembly | string | resource assembly |
Exported type
Field | Type | Description |
---|
attributes | uint32 | exported type attributes |
name | string | exported type name |
Identity
Field | Type | Description |
---|
type | enum: identity_type | identity type |
verified | enum: Verification | identity verification |
name | string | package name |
version | string | package version |
publisher | string | |
description | string | package summary |
license | string | license name (e.g. GPLv3) |
cpe | string | CPE |
vulnerabilities | list: string | known vulnerabilities |
identity_type (enum)
- ad
- social
- other
- graphics
- audio
- cloud
- messaging
- compression
- analytics
- database
- crypto
- utility
- multimedia
- networking
- browser
- security
- virtualization
- development
- productivity
- email
- gaming
- entertainment
- educational
- driver
- package
Verification (enum)
- not_verified
- sha256_hash
- authentihash
- certificate
- cloud_source
Protection
Field | Type | Description |
---|
features | list: string | Detected encryption features |
drm | list: string | Detected DRM protection |
crypto | list: string | Detected crypto primitives |
compression | list: string | Detected compression algorithm |
Security
Field | Type | Description |
---|
features | list: string | features detected |
exploits | list: string | exploits detected, CVE references |
vulnerabilities | struct-list: Vulnerability | known vulnerabilities |
owning_user | string | owning user identifier |
owning_group | string | owning group identifier |
access_list | struct-list: Access | access control list |
attributes | list: string | file attributes |
Vulnerability
Field | Type | Description |
---|
cve | string | CVE identifier |
exploit | uint32 | Exploit information |
cvss | struct: CVSS | CVSS score |
CVSS
Field | Type | Description |
---|
version | int32 | CVSS version (2 or 3.x) |
base_score | decimal64 | |
metrics | struct-list: Pair | CVSS metrics |
Access
Field | Type | Description |
---|
type | enum: access_type | who has access |
entity | string | entity identifier for either user or group |
permissions | uint32 | access flags |
access_type (enum)
Behaviour
This section describes how a file would behave if executed. It lists values related to the registry, paths used when executing, renaming or copying files, shortcuts that might be created, and more. This section is available when analyzing PDFs, Docker files and various installers.
Field | Type | Description |
---|
registry | struct-list: Registry | list of registry actions |
copy | struct-list: Copy | list of copy actions |
rename | struct-list: Rename | list of rename actions |
process_start | struct-list: Process start | list of process start actions |
shortcut | struct-list: Shortcut | list of shortcut creation actions |
remove | struct-list: Remove | list of remove actions |
edit_ini | struct-list: Edit ini | list of edit INI actions |
uri | struct-list: URI | list of URI actions |
Registry
Values that the program sets in the Windows Registry.
Field | Type | Description |
---|
key | string | registry key |
value_name | string | registry value name |
value | string | registry value data |
properties | struct-list: Property | various properties assigned to object, key-value |
Copy
Field | Type | Description |
---|
source_path | string | |
destination_path | string | |
properties | struct-list: Property | properties that are applied to copy operation |
Rename
Field | Type | Description |
---|
old_path | string | |
new_path | string | |
properties | struct-list: Property | properties that are applied to rename operation |
Process start
Field | Type | Description |
---|
arguments | string | command-line arguments to use when starting application |
create_no_window | boolean | indicates whether to start the process without creating a new window (true means no window is shown) |
domain | string | identifies the domain to use when starting process |
environment_variables | string | search paths for files, application-specific options, etc. |
filename | string | application or document to start |
password | string | user password to use when starting the process |
username | string | user name to be used when starting the process |
working_directory | string | working directory for the process to be started |
properties | struct-list: Property | additional properties |
Shortcut
Information on shortcuts related to a file. hotkey designates the keyboard shortcut used to start the program.
Field | Type | Description |
---|
source_path | string | path to the file to be executed |
destination_path | string | where to create shortcut file |
icon_path | string | path to the icon to be displayed |
icon_index | int32 | index of icon to use from the icon file |
description | string | additional description |
working_directory | string | working directory for the application |
hotkey | string | combination of key with which the program can be started |
command_options | string | additional options to use when executing file |
properties | struct-list: Property | additional properties |
Remove
Field | Type | Description |
---|
path | string | path to the file that will be removed |
properties | struct-list: Property | additional properties |
Edit ini
Field | Type | Description |
---|
path | string | path to the INI file that will be edited |
section | string | name of the INI section |
content | struct: Pair | key-value content to be added |
properties | struct-list: Property | additional properties |
URI
Information on a URI that a file is trying to connect to.
{"uri_string": "https://bad_domain.evil/malware/infection",
"protocol": "https",
"hostname": "bad_domain.evil",
"port": 443,
"path": "malware/infection",
"ip_protocol": "TCP/IP"}
Field | Type | Description |
---|
uri_string | string | URI string |
protocol | string | application-layer protocol used (e.g. HTTP) |
hostname | string | |
domain | string | |
port | int32 | |
path | string | |
ip_protocol | string | transport-layer protocol used (e.g. TCP) |
properties | struct-list: Property | additional properties |
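The Behaviour structs above describe what an installer or document would do, which makes them a natural place to look for persistence and credential handling before anything is executed. The following is an added example (not Spectra Detect code) that walks the registry, copy, process_start and uri lists of a report and reports the actions a reviewer would want to see: writes to autorun registry keys, copies into the Startup folder, script hosts started with a hidden window, embedded usernames and passwords, and connections over cleartext protocols or non-default ports. The behaviour record is constructed; the key names are the field names from the Behaviour tables, and the list of persistence locations and script hosts is this example's own choice.

```python
"""Pull persistence and credential indicators out of a report's Behaviour
section.

Added example, not Spectra Detect code. The behaviour record below is
constructed to match the Registry, Copy, Process start and URI structs on
this page; "registry", "copy", "process_start" and "uri" are the field names
from the Behaviour table. The indicator lists are this example's own choice.
"""
import re

# Registry locations commonly used for persistence (hive prefix ignored)
PERSISTENCE_KEYS = (
    "\\Microsoft\\Windows\\CurrentVersion\\Run",        # also matches RunOnce
    "\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
    "\\SYSTEM\\CurrentControlSet\\Services\\",
)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "regsvr32.exe", "rundll32.exe")
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def registry_indicators(actions):
    """Registry writes that land in a known autorun location."""
    hits = []
    for a in actions:
        key = a["key"]
        if any(k.lower() in key.lower() for k in PERSISTENCE_KEYS):
            hits.append(f"persistence-key:{key}\\{a['value_name']}")
    return hits


def copy_indicators(actions):
    """Files dropped into a Startup folder."""
    return [f"startup-folder-copy:{a['destination_path']}"
            for a in actions if STARTUP_FOLDER.search(a["destination_path"])]


def process_indicators(actions):
    """Script hosts, hidden windows and credentials in process start actions."""
    hits = []
    for a in actions:
        exe = a["filename"].rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            hidden = " (no window)" if a.get("create_no_window") else ""
            hits.append(f"script-host:{exe}{hidden} {a['arguments']}")
        if a.get("password"):
            # An installer carrying a password runs something as another user
            hits.append(f"embedded-credentials:{a.get('domain', '')}\\{a.get('username', '')}")
    return hits


def uri_indicators(actions):
    """Connections over cleartext protocols or away from the default port."""
    hits = []
    for a in actions:
        proto = a["protocol"].lower()
        if proto != "https":
            hits.append(f"cleartext-protocol:{a['uri_string']}")
        if proto in DEFAULT_PORTS and a["port"] != DEFAULT_PORTS[proto]:
            hits.append(f"nonstandard-port:{a['hostname']}:{a['port']}")
    return hits


def triage_behaviour(behaviour):
    """Indicators per Behaviour list, keyed by the list's field name."""
    return {
        "registry": registry_indicators(behaviour.get("registry", [])),
        "copy": copy_indicators(behaviour.get("copy", [])),
        "process_start": process_indicators(behaviour.get("process_start", [])),
        "uri": uri_indicators(behaviour.get("uri", [])),
    }


# Constructed sample shaped like an installer with an autorun payload
SAMPLE_BEHAVIOUR = {
    "registry": [
        {"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
         "value_name": "Updater", "value": "C:\\Users\\Public\\upd.exe"},
        {"key": "HKCU\\Software\\ExampleApp", "value_name": "Installed", "value": "1"},
    ],
    "copy": [
        {"source_path": "$INSTDIR\\upd.exe",
         "destination_path": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk"},
    ],
    "process_start": [
        {"filename": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "arguments": "-nop -w hidden -enc SQBFAFgA", "create_no_window": True,
         "domain": "", "username": "", "password": ""},
        {"filename": "C:\\Program Files\\ExampleApp\\svc.exe", "arguments": "--install",
         "create_no_window": False, "domain": "CORP", "username": "svc_install",
         "password": "hunter2"},
    ],
    "uri": [
        {"uri_string": "http://update.example.test:8080/x", "protocol": "http",
         "hostname": "update.example.test", "port": 8080, "path": "x", "ip_protocol": "TCP"},
    ],
}

if __name__ == "__main__":
    for section, hits in triage_behaviour(SAMPLE_BEHAVIOUR).items():
        print(section, hits)
```

Note that the password field is reported verbatim by the worker, so a report that contains one is itself sensitive and should be handled accordingly.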
Signatures
This section holds information about digital signatures and certificates found during the analysis.
Signature object
Field | Type | Description |
---|
validation | struct: Validation | |
version | int32 | syntax version number |
issuer | struct-list: Pair | issuer distinguished name |
serial_number | string | issuer-specific serial number |
digest_algorithm | string | message digest algorithm |
digest_encryption_algorithm | string | |
encrypted_digest | string | |
authenticated_attributes | struct-list: Pair | set of attributes that are signed |
unauthenticated_attributes | struct-list: Pair | set of attributes that are not signed |
certificate | struct: Certificate object | |
counter_signatures | struct-list: Signature object | |
Certificate object
Among other outcomes, certificates can be whitelisted or blacklisted. The validation > results field holds the list of results related to the certificate of the analyzed file. Here are two examples, one of a whitelisted and one of a blacklisted certificate, leading to two different classifications (goodware/malicious).
Whitelisted certificate:
{
common_name: "Microsoft Corporation",
serial: "610f784d000000000003",
thumbprint: "77d73fbbb0a3e91838d5ef1d145e37f025d9ba766604c9aeafd6b3222b252ca9"
}
Blacklisted certificate:
{
common_name: "Elite Web Development Ltd.",
serial: "6cfa5050c819c4acbb8fa75979688dff",
thumbprint: "e7241394097402bf9e32c87cada4ba5e0d1e9923f028683713c2f339f6f59fa9"
}
Field | Type | Description |
---|
validation | struct: Validation | |
version | int32 | certificate version |
valid_from | string | time when validity period begins |
valid_to | string | time when validity period ends |
serial_number | string | certificate serial number issued by CA |
subject | struct-list: Pair | entity associated with the public key |
issuer | struct-list: Pair | entity who has signed and issued the certificate |
issuer_certificate | struct: Certificate object | |
signature_algorithm | string | cryptographic algorithm used by the CA to sign this certificate |
signature | string | signature value produced by the CA over this certificate |
public_key | struct: Public key | |
extensions | struct-list: Extension | certificate extensions |
thumbprints | struct-list: Pair | set of additional thumbprints |
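The whitelisted and blacklisted entries shown above are matched on the certificate thumbprint, and the Certificate object carries everything else needed to decide whether a signature deserves trust. The following is an added example (not Spectra Detect code) that reviews a report's Certificate objects: it matches the SHA256 thumbprint against allow and block lists in the shape of the two examples on this page, then checks the validity window, whether the certificate is self-signed (subject equals issuer) and whether the signing algorithm is one that is no longer acceptable. It assumes Pair entries are {"name", "value"} objects, that valid_from/valid_to are ISO 8601 UTC strings and that the SHA256 thumbprint is stored under the name "SHA256"; the certificate records, their dates and algorithms are constructed, only the list entries reuse values from this page.

```python
"""Match a report's Certificate objects against allow/block lists and check
the basics a reviewer wants before trusting a signature.

Added example, not Spectra Detect code. Assumptions: Pair entries are
{"name": ..., "value": ...} objects, valid_from/valid_to are ISO 8601 UTC
strings, and the SHA256 thumbprint is stored under the name "SHA256" in
thumbprints. The allow/block entries reuse the two examples shown on this
page; the certificate records, dates and algorithms are constructed.
"""
from datetime import datetime, timezone

ALLOWLIST = [{
    "common_name": "Microsoft Corporation",
    "serial": "610f784d000000000003",
    "thumbprint": "77d73fbbb0a3e91838d5ef1d145e37f025d9ba766604c9aeafd6b3222b252ca9",
}]
BLOCKLIST = [{
    "common_name": "Elite Web Development Ltd.",
    "serial": "6cfa5050c819c4acbb8fa75979688dff",
    "thumbprint": "e7241394097402bf9e32c87cada4ba5e0d1e9923f028683713c2f339f6f59fa9",
}]

# Digest algorithms no longer acceptable for code signing
WEAK_ALGORITHMS = ("md5", "sha1")


def pairs_to_dict(pairs):
    """struct-list: Pair -> {name: value}."""
    return {p["name"]: p["value"] for p in pairs}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def list_status(cert):
    """'allowlisted', 'blocklisted' or 'unknown', matched on the SHA256 thumbprint."""
    thumb = pairs_to_dict(cert["thumbprints"]).get("SHA256", "").lower()
    if any(e["thumbprint"] == thumb for e in BLOCKLIST):
        return "blocklisted"
    if any(e["thumbprint"] == thumb for e in ALLOWLIST):
        return "allowlisted"
    return "unknown"


def certificate_findings(cert, now):
    """Validity, self-signing and algorithm checks on one Certificate object."""
    findings = []
    if now < parse_time(cert["valid_from"]):
        findings.append("not-yet-valid")
    if now > parse_time(cert["valid_to"]):
        findings.append("expired")
    if pairs_to_dict(cert["subject"]) == pairs_to_dict(cert["issuer"]):
        findings.append("self-signed")
    if any(w in cert["signature_algorithm"].lower() for w in WEAK_ALGORITHMS):
        findings.append("weak-signature-algorithm")
    return findings


def review_certificate(cert, now):
    return {"status": list_status(cert), "findings": certificate_findings(cert, now)}


# Constructed records (dates, issuer and algorithms are made up for the example)
BLOCKED_CERT = {
    "valid_from": "2016-03-01T00:00:00Z", "valid_to": "2017-03-01T00:00:00Z",
    "subject": [{"name": "CN", "value": "Elite Web Development Ltd."}],
    "issuer": [{"name": "CN", "value": "Example Code Signing CA"}],
    "signature_algorithm": "sha256WithRSAEncryption",
    "thumbprints": [{"name": "SHA256",
                     "value": "e7241394097402bf9e32c87cada4ba5e0d1e9923f028683713c2f339f6f59fa9"}],
}
SELF_SIGNED_CERT = {
    "valid_from": "2030-01-01T00:00:00Z", "valid_to": "2031-01-01T00:00:00Z",
    "subject": [{"name": "CN", "value": "Dev Test"}],
    "issuer": [{"name": "CN", "value": "Dev Test"}],
    "signature_algorithm": "sha1WithRSAEncryption",
    "thumbprints": [{"name": "SHA256", "value": "00" * 32}],
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cert in (BLOCKED_CERT, SELF_SIGNED_CERT):
        print(review_certificate(cert, NOW))
```

The blocklist check runs before the allowlist check on purpose: a thumbprint that appears on both lists must fail closed. Expiry alone is not proof of a bad signature (a timestamped Authenticode signature stays valid after the certificate expires), which is why it is reported as a finding rather than folded into the status.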
Public key
Field | Type |
---|
type | int32 |
value | string |
rsa | struct |
dsa | struct |
ec | struct |
Example of an RSA public key detected in a file with a whitelisted certificate:
{
value: "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"
}
RSA key
Field | Type |
---|
enabled | boolean |
exponent | string |
modulus | string |
DSA key
Field | Type |
---|
enabled | boolean |
prime | string |
subprime | string |
generator | string |
Elliptic Curve Key
Field | Type |
---|
enabled | boolean |
p | string |
a | string |
b | string |
x | string |
y | string |
generator | string |
order | string |
cofactor | string |
seed | string |
field_type | string |
basis_type | string |
curve_name | string |
Extension
Field | Type |
---|
is_critical | boolean |
name | string |
value | string |
Certificates
A list of Certificate objects, defined in the Signatures section.
Document
Field | Type | Description |
---|
capabilities | uint32 | document capabilities |
author | string | document author |
version | string | document version |
title | string | document title |
subject | string | document subject |
description | string | document description |
language | string | document language |
creation_date | string | creation date |
modified_date | string | last modification date |
needs_rendering | boolean | whether the document needs rendering |
page_count | int32 | number of pages |
word_count | int32 | number of words |
char_count | int32 | number of characters |
keywords | list: string | document keywords |
requirements | list: string | document requirements |
properties | struct-list: Property | various properties assigned to object, key-value |
html | struct: HTML | HTML metadata |
Similarly to the Application section, documents have a bit array describing their capabilities:
- none_k = 0,
- execution_k = 1 << 0, whether document has executable content
- scripting_k = 1 << 1, whether document uses JavaScript, VBA or similar scripting language
- multimedia_k = 1 << 2, whether document has video, has audio, uses webgl, canvas, svg
- user_input_k = 1 << 3, whether document has forms and user controls, drag and drop, pointer lock
- embeds_k = 1 << 4, whether document has objects / embeds, has frame / iframe, OLE
- messaging_k = 1 << 5, whether document has messaging capabilities (e.g. mailto, sendto...)
- networking_k = 1 << 6, whether document has networking capabilities (e.g. http, ajax, websockets, hrefs, clickable URL in documents, webrtc, redirect/refresh)
- storage_k = 1 << 7, whether document has storage capabilities (e.g. web storage, file api, offline storage)
- location_k = 1 << 8, whether document has location capabilities
- notifications_k = 1 << 9, whether the document has notification capabilities (e.g. pop-ups, windows notification API...)
- camera_k = 1 << 10, whether document has camera access
- microphone_k = 1 << 11, whether document has access to microphone
- bluetooth_k = 1 << 12, whether document has access to bluetooth
- peripherals_k = 1 << 13, whether document has access to peripherals (e.g. usb, midi)
- cryptography_k = 1 << 14, whether document has cryptography capabilities (e.g. password protected document / macro, password input fields in HTML...)
- advertising_k = 1 << 15, whether document has advertising capabilities
- social_k = 1 << 16, whether document has access to social networks (Facebook, Twitter; specific to HTML / JS)
- services_k = 1 << 17, whether document has access to services
- memory_management_k = 1 << 18, whether document has access to memory management
HTML
Field | Type | Description |
---|
doctype | string | HTML doctype |
base_url | string | HTML base url |
html_metadata | struct-list: Property | HTML metadata from META tags |
resources | struct-list: Resource | extracted resources |
links | struct-list: Link | extracted links |
forms | struct-list: Form | extracted forms |
Resource (HTML)
Field | Type | Description |
---|
url | string | URL or path found in HTML |
crossorigin | string | value of crossorigin attribute, if present |
rel | string | value of rel attribute, if present |
type | string | value of type attribute, if present |
Link
Field | Type | Description |
---|
url | string | URL or path found in HTML |
download | string | value of download attribute, if present |
rel | string | value of rel attribute, if present |
Form
Field | Type | Description |
---|
action | string | value of action attribute, if present |
enctype | string | value of enctype attribute, if present |
method | string | value of method attribute, if present |
Mobile
Field | Type | Description |
---|
capabilities | uint32 | detected capabilities |
android | struct: Android | Android metadata |
ios | struct: iOS | iOS metadata |
windows_phone | struct: Windows Phone | Windows Phone metadata |
windows_store_package | struct: Windows Store Package | Windows Store Package metadata |
Capabilities, as in the Application section, are expressed as a bit array (bit 0 is the least significant bit; none_k = 0 means no capability was detected). Check the integer from the report against the following descriptions:
Bit | Name | Meaning |
---|
0x000001 | messaging_k (1 << 0) | app has capability for sending messages |
0x000002 | calling_services_k (1 << 1) | app has access to calling services |
0x000004 | advertising_k (1 << 2) | app has capability for advertising |
0x000008 | gaming_k (1 << 3) | app has gaming component |
0x000010 | networking_k (1 << 4) | app has access to networking |
0x000020 | camera_k (1 << 5) | app has capability for using camera |
0x000040 | microphone_k (1 << 6) | app has capability for using microphone |
0x000080 | bluetooth_k (1 << 7) | app has capability for using bluetooth |
0x000100 | notifications_k (1 << 8) | app has capability for pushing notifications |
0x000200 | device_identity_k (1 << 9) | app has access to device id |
0x000400 | user_identity_k (1 << 10) | app has access to user id |
0x000800 | address_book_k (1 << 11) | app has access to user's address book |
0x001000 | calendar_k (1 << 12) | app has access to user's calendar |
0x002000 | location_services_k (1 << 13) | app has capability for determining the location of the device |
0x004000 | storage_k (1 << 14) | app has access to storage |
0x008000 | social_k (1 << 15) | app has social component |
0x010000 | system_k (1 << 16) | app has access to system |
0x020000 | motion_k (1 << 17) | app has capability for detecting motion and direction (accelerometer, magnetometer...) |
0x040000 | wallet_k (1 << 18) | app has access to user's wallet |
0x080000 | vpn_k (1 << 19) | app has capability for VPN |
0x100000 | nfc_k (1 << 20) | app has capability for NFC |
0x200000 | peripheral_devices_k (1 << 21) | app has access to peripheral devices |
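Both the Document and the Mobile sections encode capabilities as a bit array whose integer value has to be unpacked before it means anything to a reviewer. The following is an added example (not Spectra Detect code) that decodes such a mask into the names listed on this page, reports any bit the page does not define rather than silently dropping it, rebuilds a mask from names so a filter can be expressed in words, and picks out the capabilities a reviewer would question in each file type. The bit orders are taken from the two lists on this page; the masks used in the demo and the "capabilities of interest" sets are constructed for the example.

```python
"""Decode the capability bit arrays of the Document and Mobile sections.

Added example, not Spectra Detect code. Bit positions follow the lists on
this page (bit 0 is the least significant bit); the demo masks and the sets
of capabilities of interest are this example's own choice.
"""

DOCUMENT_CAPABILITIES = [
    "execution", "scripting", "multimedia", "user_input", "embeds",
    "messaging", "networking", "storage", "location", "notifications",
    "camera", "microphone", "bluetooth", "peripherals", "cryptography",
    "advertising", "social", "services", "memory_management",
]
MOBILE_CAPABILITIES = [
    "messaging", "calling_services", "advertising", "gaming", "networking",
    "camera", "microphone", "bluetooth", "notifications", "device_identity",
    "user_identity", "address_book", "calendar", "location_services",
    "storage", "social", "system", "motion", "wallet", "vpn", "nfc",
    "peripheral_devices",
]

# Capabilities that deserve a second look in each file type (example choice)
DOCUMENT_OF_INTEREST = {"execution", "scripting", "embeds", "networking"}
MOBILE_OF_INTEREST = {"device_identity", "address_book", "location_services",
                      "camera", "microphone", "system"}


def decode_capabilities(mask, names):
    """Names whose bit is set, in bit order; bits the page does not define
    come back as 'bit_N' so a newer report never loses information."""
    found = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            found.append(names[bit] if bit < len(names) else f"bit_{bit}")
        bit += 1
    return found


def encode_capabilities(wanted, names):
    """Inverse of decode_capabilities: build a mask from capability names."""
    mask = 0
    for name in wanted:
        mask |= 1 << names.index(name)  # ValueError for an unknown name
    return mask


def decode_document_capabilities(mask):
    return decode_capabilities(mask, DOCUMENT_CAPABILITIES)


def decode_mobile_capabilities(mask):
    return decode_capabilities(mask, MOBILE_CAPABILITIES)


def capabilities_of_interest(decoded, of_interest):
    """Sorted subset of decoded capability names that a reviewer should question."""
    return sorted(set(decoded) & of_interest)


# Constructed demo values, not from a real report
SAMPLE_DOCUMENT_MASK = 0x83       # execution | scripting | storage
SAMPLE_MOBILE_MASK = 0x200201     # messaging | device_identity | peripheral_devices

if __name__ == "__main__":
    doc = decode_document_capabilities(SAMPLE_DOCUMENT_MASK)
    app = decode_mobile_capabilities(SAMPLE_MOBILE_MASK)
    print("document:", doc, "->", capabilities_of_interest(doc, DOCUMENT_OF_INTEREST))
    print("mobile:", app, "->", capabilities_of_interest(app, MOBILE_OF_INTEREST))
```

The same decoder serves the Application section's bit array as well, given its own name list in bit order.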
Android
Field | Type | Description |
---|
package_name | string | full and unique Java-language-style package name for the application |
version_code | int32 | internal version number |
version_name | string | version number shown to the users |
install_location | string | location where the application can be installed; accepted are: internalOnly, preferExternal or auto |
sdk_version_min | int32 | minimum API level required by the application |
sdk_version_max | int32 | maximum API level on which the application is designed to run |
sdk_version_target | int32 | guaranteed compatibility API level |
application | struct: Application | android application data |
features | list: string | list of hardware/software features required by the application |
permissions | list: string | list of permissions required by the application |
Application (Android)
Field | Type | Description |
---|
name | string | fully qualified name of an application subclass implemented for the application |
debuggable | boolean | whether the application can be debugged (android:debuggable); expected to be false in release builds |
enabled | boolean | application is enabled |
has_code | boolean | whether or not the application contains any code |
persistent | boolean | whether or not the application should remain running at all times |
permission | string | name of a permission that clients must have in order to interact with the application |
process | string | name of a process where all components of the application should run |
backup_agent | string | name of the class that implements the application's backup agent |
uses_libraries | list: string | |
activities | struct-list: Activity | list of registered user interface activity callback events |
services | struct-list: Service | list of registered service callback events |
providers | struct-list: Provider | list of registered content providers |
receivers | struct-list: Receiver | list of registered broadcast receiver callback events |
Activity
Field | Type | Description |
---|
enabled | boolean | activity is enabled |
exported | boolean | activity is exported and other applications can use it |
exclude_recent | boolean | whether or not the task initiated by this activity should be excluded from the list of recently used applications |
name | string | name of the class that implements the activity |
parent_name | string | class name of the logical parent of the activity |
launch_mode | string | execution mode |
permission | string | name of a permission that clients must have to launch the activity or otherwise get it to respond to an intent |
process | string | name of the process in which the activity should run |
metadata | struct-list: Property | |
intents | struct-list: Intent | activity intents |
Intent
Field | Type |
---|
main | boolean |
actions | list: string |
categories | list: string |
data | struct-list: Data |
Data
Field | Type |
---|
host | string |
mime_type | string |
path | string |
port | string |
scheme | string |
Service
Field | Type | Description |
---|
enabled | boolean | service is enabled |
exported | boolean | service is exported and other applications can use it |
isolated | boolean | service runs under a special process that is isolated from the rest of the system and has no permissions of its own |
name | string | name of the class that implements the service |
permission | string | name of a permission that clients must have to launch the service or otherwise get it to respond to an intent |
process | string | name of the process in which the service should run |
metadata | struct-list: Property | |
intents | struct-list: Intent | service intents |
Provider
Field | Type | Description |
---|
enabled | boolean | provider is enabled |
exported | boolean | provider is exported and other applications can use it |
syncable | boolean | data under the content provider's control is to be synchronized with data on a server |
name | string | name of the class that implements the provider |
readPermission | string | name of a permission that clients must have to read the content provider's data |
permission | string | name of a permission that clients must have to read or write the content provider's data |
process | string | name of the process in which the content provider should run |
metadata | struct-list: Property | |
intents | struct-list: Intent | provider intents |
Receiver
Field | Type | Description |
---|
enabled | boolean | receiver is enabled |
exported | boolean | receiver is exported and other applications can use it |
name | string | name of the class that implements the receiver |
permission | string | name of a permission that broadcasters must have to send a message to the receiver |
process | string | name of the process in which the receiver should run |
metadata | struct-list: Property | |
intents | struct-list: Intent | receiver intents |
iOS
Field | Type |
---|
copyright | string |
genre | string |
genre_id | int32 |
kind | string |
vendor_id | int32 |
item_id | int32 |
item_name | string |
item_playlist_name | string |
artist_id | int32 |
artist_name | string |
artist_playlist_name | string |
release_date | string |
price | int32 |
price_display | string |
download_info | struct: Download info |
bundle_id | string |
bundle_version | string |
drm_version | int32 |
version_restrictions | int32 |
file_extension | string |
application_bundle | struct: Application bundle |
Download info
Field | Type |
---|
apple_id | string |
person_id | int32 |
purchase_date | string |
Application bundle
Field | Type |
---|
identifier | string |
name | string |
display_name | string |
version | string |
package_type | string |
main_nib_file | string |
main_executable | string |
compiler_version | string |
xcode_version | string |
xcode_build | string |
sdk_name | string |
sdk_build | string |
platform_name | string |
platform_version | string |
platform_build | string |
minimum_os_version | string |
dictionary_version | string |
Windows Phone
Field | Type |
---|
product_id | string |
title | string |
version | string |
description | string |
author | string |
publisher | string |
genre | string |
runtime_type | string |
has_settings | boolean |
platform_version | string |
capabilities | list: string |
Windows Store Package
Field | Type | Description |
---|
name | string | describes contents of the package |
name_display | string | friendly name for the app that can be displayed to users |
publisher | string | describes publisher information |
publisher_display | string | friendly name for the publisher that can be displayed to users |
version | string | version number of the package |
minimum_os_version | string | minimum version of operating system that the package requires |
tested_os_version | string | highest version of Windows that the package was tested on |
dependencies | list: string | other packages that this package depends on |
capabilities | list: string | access to protected user resources that the package requires |
extensions | list: string | one or more extensibility points for the package |
applications | struct-list: Application | one or more apps that comprise the package |
Application
Field | Type | Description |
---|---|---|
id | string | unique identifier of the application within the package (PRAID) |
name_display | string | friendly name for the app that can be displayed to users |
description | string | description of the app |
entry_point | string | activatable class ID |
executable | string | default launch executable for the app |
start_page | string | default launch HTML page for the app |
extensions | struct-list: Extension | list of extensions |
Extension (Application)
Field | Type | Description |
---|---|---|
category | string | type of app extensibility point |
entry_point | string | activatable class ID |
executable | string | default launch executable |
runtime_type | string | runtime provider |
start_page | string | web page that handles the extensibility point |
Field | Type | Description |
---|---|---|
image | struct: Image | image object |
audio | struct: Audio | audio object |
video | struct: Video | video object |
Image
Field | Type | Description |
---|---|---|
width | uint32 | image width in pixels |
height | uint32 | image height in pixels |
bit_depth | uint32 | bits per pixel |
horizontal_resolution | decimal64 | horizontal resolution in dots per inch |
vertical_resolution | decimal64 | vertical resolution in dots per inch |
frame_count | uint32 | number of image frames |
frame_rate | decimal64 | number of frames per second |
exif | struct-list: Exif | EXIF map |
Exif
Exif value
Field | Type |
---|---|
name | string |
value | string |
Video
Field | Type | Description |
---|---|---|
scan_type | enumeration | Allowed Values: unknown, progressive, interlaced |
codec | string | codec name |
width | uint32 | width in pixels |
height | uint32 | height in pixels |
length | uint64 | length in milliseconds |
frame_rate | decimal64 | frames per second |
data_rate | uint32 | |
bit_rate | uint32 | |
audio_tracks | struct-list: Audio track | |
exif | struct-list: Exif | EXIF map |
Audio tracks
Field | Type |
---|---|
name | string |
audio | struct: Audio |
Audio
Field | Type | Description |
---|---|---|
codec | string | codec name |
length | uint64 | length in milliseconds |
bit_rate | uint32 | audio bit rate |
sample_rate | uint32 | audio sample rate |
channels | uint32 | channel count |
id3 | struct: ID3 | |
exif | struct-list: Exif | EXIF map |
ID3
Field | Type | Description |
---|---|---|
version | string | ID3 version |
properties | struct-list: Property | ID3 property list |
Browser
Field | Type | Description |
---|---|---|
type | enum: browser_type | |
name | string | Extension identifier |
shorthand | string | Short version of name |
locale | string | Extension default locale |
author | string | Extension author |
license | string | Extension license |
version | string | Extension version |
description | string | Extension description |
public_key | string | Extension public key |
homepage | string | URL of the extension's home page |
update_url | string | URL of the extension's update page |
permissions | struct-list: Permission | Permissions to be requested |
exports | list: string | IDs of extensions allowed to import this extension's resources |
imports | list: string | Resources extension depends on |
scripts | struct-list: Script | Content scripts |
actions | struct-list: Action | Browser actions |
resources | list: string | |
plugins | list: string | |
browser_type (enum)
- none
- chrome
- opera
- firefox
- edge
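A consumer of these reports usually wants to reject a record whose typed fields do not match the schema before feeding it into a pipeline. The following is an added example, not code from the Spectra Detect product or from this document: it checks the Video and Browser structs against the types and enumerations given in the tables above (uint32/uint64 ranges, decimal64, list and struct-list shapes, the `scan_type` allowed values and the `browser_type` enum). It assumes the report has already been deserialised into Python dicts, for example from JSON, and the sample fragments at the bottom are constructed for the demonstration rather than taken from real output.

```python
"""Schema checks for the Video and Browser structs described above.

Added example, not code from Spectra Detect or from this document.
Assumes the report is deserialised into Python dicts (e.g. from JSON) and
that field names match the tables above.
"""
from decimal import Decimal
from typing import Optional

UINT32_MAX = 2**32 - 1
UINT64_MAX = 2**64 - 1

# Enumerations and their allowed values, as listed in the tables.
ENUMS = {
    "scan_type": {"unknown", "progressive", "interlaced"},
    "browser_type": {"none", "chrome", "opera", "firefox", "edge"},
}

# Video table: field -> type rule.
VIDEO_FIELDS = {
    "scan_type": "enum:scan_type", "codec": "string",
    "width": "uint32", "height": "uint32", "length": "uint64",
    "frame_rate": "decimal64", "data_rate": "uint32", "bit_rate": "uint32",
    "audio_tracks": "struct-list", "exif": "struct-list",
}

# Browser table: field -> type rule.
BROWSER_FIELDS = {
    "type": "enum:browser_type", "name": "string", "shorthand": "string",
    "locale": "string", "author": "string", "license": "string",
    "version": "string", "description": "string", "public_key": "string",
    "homepage": "string", "update_url": "string",
    "permissions": "struct-list", "exports": "list:string",
    "imports": "list:string", "scripts": "struct-list",
    "actions": "struct-list", "resources": "list:string",
    "plugins": "list:string",
}


def _is_int(value) -> bool:
    # bool is a subclass of int; True/False must not pass as schema integers
    return isinstance(value, int) and not isinstance(value, bool)


def _check_value(value, rule: str) -> Optional[str]:
    """Return None when value satisfies rule, otherwise a short reason."""
    if rule == "string":
        return None if isinstance(value, str) else "expected string"
    if rule == "uint32":
        return None if _is_int(value) and 0 <= value <= UINT32_MAX else "expected uint32"
    if rule == "uint64":
        return None if _is_int(value) and 0 <= value <= UINT64_MAX else "expected uint64"
    if rule == "decimal64":
        ok = _is_int(value) or isinstance(value, (float, Decimal))
        return None if ok else "expected decimal64"
    if rule == "list:string":
        ok = isinstance(value, list) and all(isinstance(v, str) for v in value)
        return None if ok else "expected list of strings"
    if rule == "struct-list":
        ok = isinstance(value, list) and all(isinstance(v, dict) for v in value)
        return None if ok else "expected list of structs"
    if rule.startswith("enum:"):
        allowed = ENUMS[rule.split(":", 1)[1]]
        return None if value in allowed else f"not one of {sorted(allowed)}"
    return f"unknown rule {rule}"


def validate_struct(struct, fields: dict, path: str) -> list:
    """Check each present field of struct against fields; unknown keys are reported."""
    if not isinstance(struct, dict):
        return [f"{path}: expected struct"]
    errors = []
    for key, value in struct.items():
        rule = fields.get(key)
        if rule is None:
            errors.append(f"{path}.{key}: field not in schema")
            continue
        reason = _check_value(value, rule)
        if reason is not None:
            errors.append(f"{path}.{key}: {reason}")
    return errors


def validate_video(video) -> list:
    return validate_struct(video, VIDEO_FIELDS, "media.video")


def validate_browser(browser) -> list:
    return validate_struct(browser, BROWSER_FIELDS, "browser")


# Constructed sample fragments (hypothetical, not real report output).
GOOD_VIDEO = {"scan_type": "progressive", "codec": "h264", "width": 1920,
              "height": 1080, "length": 90000, "frame_rate": 29.97,
              "audio_tracks": [{"name": "main", "audio": {"codec": "aac"}}]}
BAD_VIDEO = {"scan_type": "interleaved", "width": -1, "frame_rate": "30"}
GOOD_BROWSER = {"type": "chrome", "name": "example-extension", "version": "1.0",
                "update_url": "https://updates.example/manifest.xml",
                "permissions": [], "exports": []}
BAD_BROWSER = {"type": "safari", "exports": ["a", 1], "unexpected": True}
```

`validate_video(BAD_VIDEO)` reports three problems (an enumeration value outside the allowed set, a negative `width`, and a string where `decimal64` is expected) while the good fragments return an empty list; the unknown-key report is deliberate, since an unexpected field is the first sign that a producer and consumer disagree on the schema version.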
Permission