Dynamic analysis report (TCA-0106)
This service allows users to retrieve dynamic analysis reports for files and URLs executed in the ReversingLabs cloud sandbox. It returns two types of reports: merged reports and specific reports.
Merged reports
If you provide only the file or URL identifier, the response will contain a merged report with an overview of all dynamic analyses performed on the file or the URL. Most objects in the merged report include lists of analysis IDs, allowing users to retrieve specific reports for more information about items of interest.
Specific reports
If the request includes the /latest parameter, or an analysis_id matching an existing report, the report will contain information specific to that execution. All specific reports will contain download links for the network traffic PCAP file, screenshots, and memory strings dump file captured during that specific analysis. These files have a retention period of 1 year, while their download links are dynamically generated on report request, and are valid for 1 hour.
Files and URLs can be submitted for dynamic analysis using the TCA-0207 Dynamic Analysis service.
Fetching Archive Analysis Reports
While working with archives, different endpoints are used (see the Dynamic Analysis Archive Report Query section below).
Submitting only the SHA1 of the archive to this API returns a list of SHA1 hashes of all files within the archive along with the merged dynamic analysis report for each file. If /latest is provided, the API returns a list of SHA1 hashes of all files within the archive, as well as the most recent specific dynamic analysis report for each file. Archives do not get an analysis_id, only the samples contained inside. Those IDs can be used to query the regular Dynamic Analysis Report Query for a specific report on an individual sample.
A user's quota is deducted with the number of files or URLs for which the merged or specific DA report is provided.
Privacy
Whether submitted files, PCAP files, dropped files, screenshots, and memory string dumps will be shared with other ReversingLabs customers depends on the role configured for the Spectra Intelligence account used to upload files.
If the account is configured to upload all files as shareable (not private), other ReversingLabs customers will be able to access analysis results, but also download the uploaded files, dropped files, PCAP files, screenshots, and memory string dumps generated during file execution.
If the account is configured to upload all files as not shareable (private), other ReversingLabs customers will only be able to access analysis results, but not retrieve the actual contents of uploaded files, dropped files, PCAP files, screenshots or memory string dumps.
This API is rate limited to 5 requests per second.
Dynamic Analysis File Report Query
This query returns the dynamic analysis report for the requested sample hash.
GET /api/dynamic/analysis/report/v1/query/{hash_type}/{hash_value}
Path parameters:
hash_type
- Accepts these values: md5, sha1, sha256
hash_value
- The hash value of the sample for which to retrieve the report. If neither /latest nor analysis_id are used, the response will contain a merged report of all analyses performed on the sample. Must be a valid hash defined by the hash_type parameter.
/latest
- If added at the end of the endpoint path, the response will contain only the newest dynamic analysis report for the requested file hash. This parameter is incompatible and mutually exclusive with analysis_id.
- Unlike the merged report, this report will contain download links for the network traffic PCAP file, screenshots, and memory strings dump file captured during file execution.
analysis_id
- If added at the end of the request, the response will contain only the dynamic analysis report matching the provided analysis_id. This parameter is incompatible and mutually exclusive with /latest.
- Unlike the merged report, this report will contain download links for the PCAP network traffic file, screenshots, and memory strings dump file captured during file execution.
Query parameters:
format
- Specifies the response format. Supported values are json (default), xml
artifacts_url
- Add artifacts_url=True after the path parameters to receive a response containing the artifact links for specific reports in the history part of the merged report. Passing this parameter will slow the response down.
Response Format
{
"rl": {
"report": {},
"requested_hash": "string"
}
}
report
- The object containing the dynamic analysis report (merged or report for a specific dynamic analysis run)
requested_hash
- The SHA1 hash of the analyzed file
rl.report
{
"network": {},
"mitre_attack": {},
"process_tree": [],
"sha1": "string",
"analysis_id": "string",
"classification": "string",
"dropped_files": [],
"snort_alerts": [],
"analysis_duration": 0,
"platform": "string",
"configuration": "string",
"behavioral": [],
"memory_strings": "string",
"sha256": "string",
"pcap": "string",
"md5": "string",
"analysis_time": "string",
"optional_parameters": "string",
"yara": {}
}
sha1, sha256, md5
- Hashes of the analyzed sample
classification
- The sandbox classification of the sample. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND. In the merged report, classification is always the worst result out of all performed analyses.
risk_score
- Value representing the trustworthiness or malicious severity of a sample. Risk score is expressed as a number from 0 to 10, with 0 indicating whitelisted samples from a reputable origin, and 10 indicating the most dangerous threats. Goodware samples with risk scores of 2 and 3 are labeled "Likely benign / Public origin", and those with scores of 4 and 5 are labeled as "Not a known threat / Unverified origin". Risk scores from 6 to 10 are reserved for suspicious/malicious samples, and express their severity. The score from the specific report will show the risk score for that specific analysis, whereas the score from analysis with the highest risk score will be propagated to the top level of the merged report.
threat_names
- Name of the threats. Shows a list of unique threat names within the analyzed sample.
first_analysis
- The date and time when this sample was first analyzed
last_analysis
- The date and time when this sample was last analyzed
analysis_duration
- The duration of the analysis (in seconds)
platforms
- A list of platforms used to analyze the sample.
browser
- Browser-specific dynamic analysis detonation. This object is present only in specific reports.
configuration
- A short description of the platform configuration specifics (for example, "Win10 x64, Office 2016, Java 8 Update 191"). This object is present only in specific reports.
history_analysis
- An object containing an overview of all available reports. This object is present only in merged reports.
sample_name
- The name of the sample that was used during analysis. In a merged report, each individual analysis has its own sample_name attribute.
sample_path
- The full file path of the sample. In a merged report, each individual analysis has its own sample_path attribute.
optional_parameters
- An object containing a list of optional parameters used during analysis. Possible values: internet_simulation, sample_name, geolocation, locale.
- If internet_simulation is true, dynamic analysis was performed without connecting to the internet and a simulated network was used instead. If this value is false, the report is the same as if the parameter is omitted from the response. HTTPS traffic information is not monitored during analysis when internet_simulation is set to true.
- sample_name is a custom file name and/or extension provided on submission. Custom extensions impact which application was used to open and run the file.
- geolocation is a geographic location associated with the sample's network activity, reflecting the configured country from which the network traffic is egressed, set via VPN or similar routing methods. Supported geographic location values are: us (default), uk, in, br, de, jp, sg, it, es, fr, tor.
- locale setting reflects the configured OS language, region, and keyboard layout to simulate a specific country or environment for anti-evasion or targeted analysis purposes. Supported locale values are: en-US (default), en-GB, pt-BR, de-DE, ja-JP, it-IT, es-ES, fr-FR.
mitre_attack
- A list of identified MITRE ATT&CK tactics and techniques.
network
- A list of network resources the analyzed sample used or contacted during execution
behavioral
- A list of objects containing behavioral information about the executed sample. Every object relates one process spawned during sample execution to specific actions it performed.
malware_configurations
- A list of embedded malware configuration data collected during sample execution.
snort_alerts
- Matched Snort alerts in PCAP network captures.
sigma_detections
- Sysmon events, Windows event logs, and operating system process creation events captured during the detonation of malware in a sandbox.
signatures
- Abstracted behaviors, attributes, and content identified during analysis. Each signature has a signature ID, description and a risk score. Signatures commonly provide the following types of information:
- Behaviors and capabilities observed during execution of the sample.
- Attributes extracted via static analysis of the sample or artifacts generated during execution.
- Data-enrichment results, such as file reputation detections for the sample and any dropped files, Snort signature detections from network traffic, and YARA rule matches in the sample or process memory.
dropped_files
- An object containing a list of all files dropped during execution of the analyzed sample. ReversingLabs uses an internal algorithm to filter and store dropped files in order to provide customers with the most interesting and valuable files. Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
pcap
- Contains a link to download the PCAP file with all the network traffic generated during sample execution. PCAP files have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
memory_strings
- Contains a link to download a dump of memory strings stored in the memory and captured during file execution. Memory strings have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
screenshots
- Contains a link to screenshots collected during the analysis. Screenshots have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour. This object is present only in specific reports.
process_tree
- An entire process tree generated during sample execution, sorted in order. This object is present only in specific reports.
warnings
- Descriptive warning messages regarding the status of the analysis.
errors
- Descriptive error messages regarding the status of the analysis.
yara
- Contains details regarding matched YARA rules during analysis.
rl.report.mitre_attack.matrix_list
{
"matrix_list": [
{
"name": "string",
"tactics": {}
}
]
}
name
- The name of the matrix used during analysis
tactics
- A list of tactics detected during sample execution. Each entry has an id, name, description and a technique_list containing a list of specific techniques that were detected. Technique lists in merged reports will also contain a list of analysis_ids for every technique.
rl.report.network
url
- A list of URLs extracted during sample execution. Every entry contains:
- the destination URL
- URL source: memory: the URL was extracted from memory. malware_config: the URL was extracted from a malware configuration. file: the URL was extracted from a PDF file. network: the URL was extracted from network traffic.
- URL classification.
- A list of categories for this URL.
http
- A list of resources this sample contacted using HTTP. Every entry contains the destination IP address and the request method.
udp
- A list of resources this sample contacted using UDP. Every entry contains the destination IP address, the destination port, and the process ID.
tcp
- A list of resources this sample contacted using TCP. Every entry contains the destination IP address, the destination port, and the process ID.
dns
- A list of DNS requests and resolutions the analyzed sample performed during execution. The address field contains the DNS server response, if available.
rl.report.behavioral
process
- An object containing information about the process that spawned during dynamic analysis. Contains the process ID, process name, the full execution path with parameters, and parent process ID.
mutex_actions
- A list of all mutex actions performed by the process during sample execution. Entries contain the file name, file path, the type of action that was performed, and if the action was successful or not.
file_actions
- A list of all files that were accessed or modified by the process. Entries contain the file name, file path, the type of action that was performed, and if the action was successful or not.
registry_actions
- A list of all registry actions performed by the process. Entries contain the registry key name, the type of action that was performed, and if the action was successful or not.
process_actions
- A list of all actions performed by spawned processes. Entries contain the process name, the type of action that was performed, and if the action was successful or not.
modules_loaded
- A list of all modules loaded by the process.
rl.report.malware_configurations
threat_names
- Name of the threats. Shows a list of unique threat names within the analyzed sample.
configuration
- Embedded malware configuration data extracted during sample execution
malware_config_ip
- C2 IP addresses the malware contacted or attempted to contact during sample execution
malware_config_url
- C2 URLs the malware contacted or attempted to contact during sample execution
analysis_ids
- An object containing a list of analysis IDs of specific analyses during which this configuration was extracted. This object is present only in merged reports.
rl.report.signatures
sig_id
- Signature ID
description
- Signature description in human-readable format.
risk_factor
- Risk factor assigned to this signature. Can have one of the following values:
- 10 - Malicious behavior. Attributable to specific malware family/actor
- 9 - Highly malicious behavior or content
- 8 - Malicious behavior
- 7 - Suspicious behavior
- 6 - Moderately suspicious behavior or content
- 5 to 1 - Normal behavior or content
- 0 - Behavior indicative of goodware
rl.report.dropped_files
dropped_files_url
- Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
sha1
- The SHA1 hash of the dropped file
sha256
- The SHA256 hash of the dropped file
md5
- The MD5 hash of the dropped file
classification
- The classification of the dropped file. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND.
file_name
- The file name of the dropped file
sample_type
- The file type of the dropped file
sample_size
- The file size of the dropped file (in bytes)
analysis_ids
- An object containing a list of analysis IDs and classifications for every occurrence of this dropped file during parent sample execution. This object is present only in merged reports.
The following objects are present only in merged reports:
rl.report.history_analysis
analysis_id
- The analysis ID of the report
classification
- The classification of the sample. Possible values are MALICIOUS, SUSPICIOUS, CLEAN, NO_THREATS_FOUND.
risk_score
- Value representing the trustworthiness or malicious severity of a sample.
platform
- The platform used to analyze the sample
browser
- Browser-specific dynamic analysis detonation. This object is present only in merged reports.
configuration
- A short description of the platform configuration specifics (for example, "Win10 x64, Office 2016, Java 8 Update 191")
analysis_time
- The date and time of the analysis
screenshots
- Contains a link to screenshots collected during the analysis. Screenshots have a retention period of 1 year. This link is generated when the report is requested, and expires in 1 hour.
pcap
- Contains a link to download the PCAP file with all the network traffic generated during sample execution. This link is generated when the report is requested, and expires in 1 hour. The PCAP file has a retention period of 1 year.
dropped_files
- An object containing a list of all files dropped during execution of the analyzed sample. ReversingLabs uses an internal algorithm to filter and store dropped files in order to provide customers with the most interesting and valuable files. Contains a link to download all files dropped during the file execution. This link is generated when the report is requested, and expires in 1 hour.
memory_strings
- Contains a link to download the memory strings captured during the sample execution. This link is generated when the report is requested, and expires in 1 hour. Memory strings have a retention period of 1 year.
optional_parameters
- An object containing a list of optional parameters used during analysis. Possible values: internet_simulation, sample_name, geolocation, locale.
- If internet_simulation is true, dynamic analysis was performed without connecting to the internet and a simulated network was used instead. If this value is false, the report is the same as if the parameter is omitted from the response. HTTPS traffic information is not monitored during analysis when internet_simulation is set to true.
- The sample_name is a custom file name and/or extension provided on submission. Custom extensions impact which application was used to open and run the file.
- The geolocation is a geographic location associated with the sample's network activity, reflecting the configured country from which the network traffic is egressed, set via VPN or similar routing methods. Supported geographic location values are: us (default), uk, in, br, de, jp, sg, it, es, fr, tor.
- The locale setting reflects the configured OS language, region, and keyboard layout to simulate a specific country or environment for anti-evasion or targeted analysis purposes. Supported locale values are: en-US (default), en-GB, pt-BR, de-DE, ja-JP, it-IT, es-ES, fr-FR.
The following objects are present only in specific reports.
rl.report.process_tree
process_id
- The ID assigned to the process
parent_process_id
- The ID of the parent process
process_name
- The process name
process_parameters
- Specific parameters used to execute the process
The following objects are present only in specific reports. They will be omitted if the sample belongs to a different Spectra Intelligence account, and was uploaded as private (not shareable).
rl.report.memory_strings
memory_strings
- Contains a link to download the memory strings captured during the sample execution. This link is generated when the report is requested, and expires in 1 hour. Memory strings have a retention period of 1 year.
rl.report.pcap
pcap
- Contains a link to download the PCAP file with all the network traffic generated during sample execution. This link is generated when the report is requested, and expires in 1 hour. The PCAP file has a retention period of 1 year.
rl.report.screenshots
screenshots
- Contains an S3 link to screenshots collected during the analysis. This link is generated when the report is requested, and expires in 1 hour. Screenshots have a retention period of 1 year.
rl.report.yara
entries
- Contains a list of matched YARA rules and details about where they matched.
source_type
- The type of file or content where the YARA rule matched. Possible values include:
- sample: The original sample file.
- dropped_file: Files created or dropped during the analysis.
- memory_dump: Process memory captured during the analysis.
- unpacked_pe: Unpacked PE (Portable Executable) files extracted during analysis.
- html: HTML files involved in the analysis.
- pcap: Network traffic captured in a PCAP file.
- other: Any other content types.
source_name
- The name of the source where the YARA rule matched (optional).
rule
- Contains details about each YARA rule that matched against the source.
- description: A textual explanation of the YARA rule's purpose.
- matched_data: A list of matched strings within the YARA rule.
- matched_string: The base64-encoded string that triggered the YARA rule match.
- matched_offset: The decimal-encoded offset where the string was found in the source file or memory dump.
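Two things an analyst does with the objects documented above, as an added Python example that is not part of the ReversingLabs documentation: regroup a merged report by analysis_id (each object carries the IDs of the runs it was seen in, so every run can be reviewed on its own before its specific report is pulled), and decode the base64 matched_string of a YARA hit. The report is constructed inline with made-up analysis IDs; the aPLib "AP32" header layout used to interpret the decoded bytes is assumed from the public aPLib format, not taken from this page.

```python
import base64
import struct
from collections import defaultdict

# Constructed merged report shaped like the rl.report object documented above.
# Only the fields this example walks are present; the analysis IDs are made up.
MERGED_REPORT = {
    "classification": "MALICIOUS",
    "history_analysis": [
        {"analysis_id": "run-1", "classification": "MALICIOUS", "platform": "windows7"},
        {"analysis_id": "run-2", "classification": "NO_THREATS_FOUND", "platform": "windows10"},
    ],
    "mitre_attack": {"matrix_list": [{"name": "Enterprise", "tactics": {"tactic_list": [
        {"id": "8", "name": "Lateral Movement", "techniques": {"technique_list": [
            {"id": "T1091", "name": "Replication Through Removable Media",
             "analysis_ids": ["run-1"]},
        ]}},
    ]}}]},
    "network": {
        "dns": [{"type": "A (IP address)", "value": "services.homedns.org",
                 "address": "203.0.113.7", "analysis_ids": ["run-1"]}],
        "udp": [{"destination_ip": "8.8.4.4", "destination_port": 53,
                 "analysis_ids": ["run-1", "run-2"]}],
    },
    "dropped_files": [
        {"sha1": "BCF7B98F948D2CDDF2ABB74C4673604DDE801E1A", "file_name": "Logs",
         "classification": "NO_THREATS_FOUND",
         "analysis_ids": [{"analysis_id": "run-1", "classification": "NO_THREATS_FOUND"}]},
    ],
    "yara": {"entries": [
        {"source_type": "sample",
         "rule": [{"description": "Detects executables packed with aPLib.",
                   "matched_data": [{"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
                                     "matched_offset": 45520}]}]},
    ]},
}


def _empty_run():
    return {"classification": None, "platform": None, "techniques": set(),
            "dns": set(), "udp": set(), "dropped": set()}


def pivot_by_analysis(report):
    """Regroup a merged report by analysis_id. Every object in a merged report
    lists the runs it was observed in, so a per-run view can be rebuilt
    without fetching each specific report first."""
    runs = defaultdict(_empty_run)
    for h in report.get("history_analysis", []):
        runs[h["analysis_id"]]["classification"] = h.get("classification")
        runs[h["analysis_id"]]["platform"] = h.get("platform")
    for matrix in report.get("mitre_attack", {}).get("matrix_list", []):
        for tactic in matrix.get("tactics", {}).get("tactic_list", []):
            for tech in tactic.get("techniques", {}).get("technique_list", []):
                for aid in tech.get("analysis_ids", []):
                    runs[aid]["techniques"].add(tech["id"])
    net = report.get("network", {})
    for entry in net.get("dns", []):
        for aid in entry.get("analysis_ids", []):
            runs[aid]["dns"].add((entry["value"], entry.get("address")))
    for entry in net.get("udp", []):
        for aid in entry.get("analysis_ids", []):
            runs[aid]["udp"].add((entry["destination_ip"], entry["destination_port"]))
    # dropped_files.analysis_ids holds {analysis_id, classification} objects, not bare IDs
    for f in report.get("dropped_files", []):
        for occ in f.get("analysis_ids", []):
            runs[occ["analysis_id"]]["dropped"].add((f["sha1"], occ.get("classification")))
    return dict(runs)


APLIB_MAGIC = b"AP32"


def parse_aplib_header(blob):
    """Interpret leading bytes as an aPLib 'AP32' safe header (assumed layout:
    magic, header_size, packed_size, packed_crc, orig_size, orig_crc, each a
    little-endian uint32). Returns None when the magic is absent or too short."""
    if len(blob) < 24 or blob[:4] != APLIB_MAGIC:
        return None
    header_size, packed_size, packed_crc, orig_size, orig_crc = struct.unpack_from("<5I", blob, 4)
    return {"header_size": header_size, "packed_size": packed_size,
            "packed_crc": packed_crc, "orig_size": orig_size, "orig_crc": orig_crc}


def decode_yara_matches(report):
    """Decode each base64 matched_string and, for aPLib hits, expose the header
    fields so packed and unpacked sizes can be checked against the dropped file."""
    out = []
    for entry in report.get("yara", {}).get("entries", []):
        for rule in entry.get("rule", []):
            for m in rule.get("matched_data", []):
                raw = base64.b64decode(m["matched_string"])
                out.append({"source_type": entry["source_type"],
                            "source_name": entry.get("source_name"),
                            "rule": rule.get("description"),
                            "offset": m["matched_offset"],
                            "raw": raw,
                            "aplib": parse_aplib_header(raw)})
    return out
```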
Response Examples
Merged Report
/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11
{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"techniques":{
"technique_list":[
{
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"id":"T1091",
"name":"Replication Through Removable Media"
},
"..."
]
},
"id":"8",
"name":"Lateral Movement"
},
"..."
]
},
"name":"Enterprise"
}
]
},
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"last_analysis":"2021-02-09T18:54:58",
"network":{
"udp":[
{
"destination_port":53,
"destination_ip":"8.8.4.4",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"dns":[
{
"type":"A (IP address)",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"value":"services.homedns.org",
"address":"xxx.xxx.xxx.xxx"
},
"..."
]
},
"classification":"MALICIOUS",
"history_analysis":[
{
"analysis_id":"bc093926-e53f-49d9-82d7-1e5481cb22eb",
"classification":"MALICIOUS",
"analysis_duration":217,
"platform":"windows7",
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\\Users\\user\\Desktop",
"analysis_time":"2021-02-07T23:49:38"
},
"..."
],
"sample_name": "Sample",
"sample_path": "C:\\Users\\user\\Desktop",
"first_analysis":"2021-02-07T23:49:38",
"dropped_files":[
{
"sha1":"BCF7B98F948D2CDDF2ABB74C4673604DDE801E1A",
"classification":"NO_THREATS_FOUND",
"file_name":"Logs",
"sample_type":"ASCII text, with CRLF line terminators",
"sample_size":33,
"analysis_ids":[
{
"analysis_id":"bc093926-e53f-49d9-82d7-1e5481cb22eb",
"classification":"NO_THREATS_FOUND"
}
],
"sha256":"51BE93BCB053F7412C5FFBCA5C947EC0DDA4A52D6D9A12F18BCE35C4E1F216A0",
"file_path":"C:\\Users\\user\\AppData\\Roaming",
"md5":"F07F3A1093767FF0B58C5FB7FC7617C7"
},
"..."
],
"optional_parameters": "internet_simulation=true, geolocation=us, locale=en-US",
"snort_alerts":[
{
"message":"ICMP Destination Unreachable Port Unreachable",
"classification_type":"Misc activity",
"destination_ip":"8.8.4.4",
"rule":402,
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"platforms":[
"windows7",
"windows10"
],
"behavioral":[
{
"process":{
"name":"cmd.exe",
"parameters":"cmd /c REG ADD HKLM\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile /v 'DoNotAllowExceptions' /t REG_DWORD /d '0' /f",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"mutex_actions":[
{
"status":"success or wait",
"name":"unknown",
"action_type":"mutex_created",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
}
],
"process_actions":[
{
"status":"success or wait",
"path":"C:\\Windows\\SysWOW64\\cmd.exe",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"action_type":"process_terminated"
},
"..."
],
"file_actions":[
{
"status":"success or wait",
"file_name":"reg.exe",
"file_path":"C:\\Windows\\SysWOW64",
"action_type":"file_opened",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"modules_loaded":[
{
"module_name":"\\KnownDlls32\\MPR.dll",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
]
},
"..."
],
"registry_actions":[
{
"status":"success or wait",
"key_name":"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile",
"analysis_ids":[
"bc093926-e53f-49d9-82d7-1e5481cb22eb"
],
"action_type":"key_opened"
},
"..."
]
},
"..."
],
"yara": {
"entries": [
{
"source_type": "sample",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 45520
}
]
}
]
},
{
"source_type": "dropped_file",
"source_name": "C:\\ProgramData\\d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADcMQEApbYBZgAyAgAxg8GcTThakA==",
"matched_offset": 45520
},
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 123848
}
]
}
]
},
{
"source_type": "memory_dump",
"source_name": "d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 3735928559
}
]
}
]
}
]
},
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"md5":"4f2af32661dc73320acbe5acea29cfba"
},
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}
Specific Report
There are no formatting differences between reports retrieved using the analysis_id and /latest endpoint parameters. The only differences can occur in cases when users request information on a private sample belonging to another Spectra Intelligence account.
If the sample is public, other ReversingLabs customers will be able to access analysis results, but also download the uploaded files, dropped files, PCAP files, screenshots, and memory string dumps generated during file execution.
If the sample is private, other ReversingLabs customers will only be able to access analysis results, but not retrieve the actual contents of uploaded files, dropped files, PCAP files, screenshots or memory string dumps.
/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11/dd39d858-636f-4c76-a0d1-249ef21ff780
{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"id":"8",
"name":"Lateral Movement",
"techniques":{
"technique_list":[
{
"id":"T1080",
"name":"Taint Shared Content"
},
"..."
]
}
},
"..."
]
},
"name":"Enterprise"
}
]
},
"process_tree":[
{
"process_id":2096,
"name":"rl_file.exe",
"parameters":"'C:\\Users\\user\\Desktop\\rl_file.exe' ",
"parent_process_id":1712
}
],
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"analysis_id":"dd39d858-636f-4c76-a0d1-249ef21ff780",
"classification":"MALICIOUS",
"dropped_files":[
{
"sha1":"E0A8096041DFA6D6E5F9D41E870C892E59438964",
"classification":"NO_THREATS_FOUND",
"file_name":"81608.bpc",
"sample_type":"PE32 executable (GUI) Intel 80386, for MS Windows",
"sample_size":5077073,
"sha256":"6BECD956E49FA786BC2845909BC2C7BB6B8E633DE1633151014B44AF925966C6",
"file_path":"C:\\ProgramData\\Microsoft\\OFFICE\\DATA",
"md5":"60BCE3FACE583205A3247205052FD7A1"
},
"..."
],
"analysis_duration":188,
"platform":"windows7",
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\\Users\\user\\Desktop",
"behavioral":[
{
"process_actions":[
{
"status":"success or wait",
"path":"C:\\Users\\user\\Desktop\\rl_file.exe",
"action_type":"process_queried"
}
],
"registry_actions":[
{
"status":"object name not found",
"key_name":"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language",
"action_type":"key_value_queried"
},
"..."
],
"file_actions":[
{
"status":"success or wait",
"file_name":"KsecDD",
"file_path":"\\Device",
"action_type":"file_opened"
},
"..."
],
"process":{
"name":"rl_file.exe",
"parameters":"'C:\\Users\\user\\Desktop\\rl_file.exe' "
},
"mutex_actions":[
{
"status":"success or wait",
"name":"unknown",
"action_type":"mutex_created"
},
"..."
],
"modules_loaded":[
{
"module_name":"C:\\Windows\\SysWOW64\\sechost.dll"
},
"..."
]
}
],
"yara": {
"entries": [
{
"source_type": "sample",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 45520
}
]
}
]
},
{
"source_type": "dropped_file",
"source_name": "C:\\ProgramData\\d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADcMQEApbYBZgAyAgAxg8GcTThakA==",
"matched_offset": 45520
},
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 123848
}
]
}
]
},
{
"source_type": "memory_dump",
"source_name": "d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 3735928559
}
]
}
]
}
]
},
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"md5":"4f2af32661dc73320acbe5acea29cfba",
"analysis_time":"2021-02-08T12:51:37",
"optional_parameters": "internet_simulation=true, geolocation=us, locale=en-US"
},
"requested_id":"dd39d858-636f-4c76-a0d1-249ef21ff780",
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}
Or:
/api/dynamic/analysis/report/v1/query/sha1/cac61424fb5414d589687bfd35452a351604ef11/latest
{
"rl":{
"report":{
"mitre_attack":{
"matrix_list":[
{
"tactics":{
"tactic_list":[
{
"id":"8",
"name":"Lateral Movement",
"techniques":{
"technique_list":[
]
}
},
"..."
]
},
"name":"Enterprise"
}
]
},
"yara": {
"entries": [
{
"source_type": "sample",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 45520
}
]
}
]
},
{
"source_type": "dropped_file",
"source_name": "C:\\ProgramData\\d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADcMQEApbYBZgAyAgAxg8GcTThakA==",
"matched_offset": 45520
},
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 123848
}
]
}
]
},
{
"source_type": "memory_dump",
"source_name": "d0db02bh22.exe",
"rule": [
{
"description": "Detects executables packed with aPLib.",
"matched_data": [
{
"matched_string": "QVAzMhgAAADP3QAAaFvqdQDMAQDrxK5YTThakA==",
"matched_offset": 3735928559
}
]
}
]
}
]
},
"sha1":"cac61424fb5414d589687bfd35452a351604ef11",
"analysis_id":"64708859-7739-4c1a-9e64-2de5741882db",
"classification":"NO_THREATS_FOUND",
"analysis_duration":210,
"platform":"windows7",
"configuration":"MS Office 2007;Java 7;Adobe reader 8;Firefox 37;Google Chrome 51;Internet Explorer 8",
"sample_name": "Sample",
"sample_path": "C:\\Users\\user\\Desktop",
"memory_strings":"https://...",
"sha256":"cc6102694e9d8f8efbd63c687972291369079c0bbd62b5d71cc106e9f64946d6",
"pcap":"https://...",
"md5":"4f2af32661dc73320acbe5acea29cfba",
"analysis_time":"2021-02-09T18:54:58",
"optional_parameters": "internet_simulation=true, geolocation=us, locale=en-US"
},
"requested_hash":"cac61424fb5414d589687bfd35452a351604ef11"
}
}
Dynamic Analysis URL Report Query
This query returns dynamic analysis reports for the requested URL.
The requested URL is identified by its Base64 encoding or SHA1 hash. Use the Base64/SHA1 identifier that you get in the response of the Dynamic Analysis service (TCA-0207).
If you calculate this value locally, for example using sha1sum, there is a chance that you won't get results for that URL because the Dynamic Analysis service first performs a normalization process on the URL, and only then calculates the Base64 encoding / SHA1 hash.
GET /api/dynamic/analysis/report/v1/query/url/sha1/{sha1_value}/{analysis_id}
GET /api/dynamic/analysis/report/v1/query/url/base64/{base64_value}/{analysis_id}
Request GET Format
sha1_value
- A valid sha1 value defined by the sha1 parameter.
- Required
base64_value
- A valid base64 value defined by the base64 parameter.
- Required
analysis_id
- If added at the end of the request, the response will contain only the dynamic analysis report matching the provided analysis_id. It can be supplied only if the latest parameter is not already supplied. If neither are provided, the response returns a merged report.
- Optional
latest
- Required if the user wants to retrieve the latest dynamic analysis report for the requested URL. It can be supplied only if the analysis_id parameter is not already supplied. If neither are provided, the response returns a merged report.
- Optional
Dynamic Analysis Archive Report Query
This query returns dynamic analysis reports for the requested archive sample hash.
Getting a report by SHA1
By submitting the SHA1 of the archive, the query returns the merged dynamic analysis report for each file within the archive. This endpoint accepts only SHA1 hashes.
GET /api/dynamic/analysis/report/v1/archive/query/sha1/{hash_value}
{
"rl": {
"requested_hash": "e662bfd39cf389b0bad5262e6007c09824261ee4",
"files": [
{
"sha1": "zzzf8d4dd290435a978e70adcf7876c0",
"merged_report": {}
},
{
"sha1": "vvvf8d4dd290435a978e70adcf7876c0",
"merged_report": {}
}
]
}
}
Getting a report by SHA1 and the "latest" parameter
By submitting SHA1 of the archive with the 'latest' parameter, the query returns the most recent specific dynamic analysis report for each file within the archive.
GET /api/dynamic/analysis/report/v1/archive/query/{hash_type}/{hash_value}/latest
{
"rl": {
"requested_hash": "e662bfd39cf389b0bad5262e6007c09824261ee4",
"files": [
{
"sha1": "zzzf8d4dd290435a978e70adcf7876c0",
"report": {}
},
{
"sha1": "vvvf8d4dd290435a978e70adcf7876c0",
"report": {}
}
]
}
}
Custom Response Status Codes
This API implements custom response status codes:
CODE | STATUS | DESCRIPTION
---|---|---
404 | Preprocessing | If the sample is still being validated for dynamic analysis, the response will contain the pre_processing status.
404 | Queued | The sample is queued for analysis, indicated by the queued status in the response.
404 | Preparing Sample | The preparing_sample status indicates that the sample is currently being submitted to the sandbox.
404 | Analyzing | The analyzing status indicates that the sample is currently being analyzed.
404 | Postprocessing | The post_processing status indicates that the report is currently being generated.
404 | Error | The error message response indicates that the sample failed to analyze.
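A small client for the endpoints and status codes described on this page (the file, URL and archive report paths with their mutually exclusive /latest and analysis_id selectors, and the custom 404 statuses returned while a report is not ready), as an added Python example that is not ReversingLabs' own code. The host, HTTP basic auth and the JSON layout of the 404 status body are assumptions; fetch is injectable so the polling logic runs offline on canned responses.

```python
import base64
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

# Host is an assumption: point it at the Spectra Intelligence endpoint for your account.
BASE_URL = "https://data.reversinglabs.com"
FILE_QUERY = "/api/dynamic/analysis/report/v1/query"
ARCHIVE_QUERY = "/api/dynamic/analysis/report/v1/archive/query"
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
# Statuses the page lists under the custom 404 code while the report is not ready yet.
PENDING_STATUSES = {"pre_processing", "queued", "preparing_sample", "analyzing", "post_processing"}
MIN_INTERVAL = 0.2  # the API is rate limited to 5 requests per second


def _suffix(latest, analysis_id):
    # /latest and analysis_id each select a specific report and are mutually
    # exclusive; with neither, the service returns the merged report.
    if latest and analysis_id:
        raise ValueError("/latest and analysis_id are mutually exclusive")
    if latest:
        return "/latest"
    return f"/{analysis_id}" if analysis_id else ""


def file_report_path(hash_type, hash_value, latest=False, analysis_id=None,
                     fmt="json", artifacts_url=False):
    """Path for the Dynamic Analysis File Report Query."""
    if hash_type not in HASH_LENGTHS:
        raise ValueError(f"hash_type must be one of {sorted(HASH_LENGTHS)}")
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % HASH_LENGTHS[hash_type], hash_value):
        raise ValueError(f"{hash_value!r} is not a valid {hash_type} hash")
    query = {}
    if fmt != "json":  # json is the default response format
        query["format"] = fmt
    if artifacts_url:  # artifact links in history_analysis; slows the response
        query["artifacts_url"] = "True"
    path = f"{FILE_QUERY}/{hash_type}/{hash_value}{_suffix(latest, analysis_id)}"
    return path + ("?" + urllib.parse.urlencode(query) if query else "")


def url_report_path(identifier, kind="sha1", latest=False, analysis_id=None):
    """Path for the Dynamic Analysis URL Report Query. `identifier` is the SHA1 or
    Base64 value returned by TCA-0207, not one computed locally: the service
    normalises the URL before hashing, so a local sha1sum may not match."""
    if kind not in ("sha1", "base64"):
        raise ValueError("kind must be 'sha1' or 'base64'")
    return f"{FILE_QUERY}/url/{kind}/{identifier}{_suffix(latest, analysis_id)}"


def archive_report_path(sha1, latest=False):
    """Path for the Dynamic Analysis Archive Report Query: SHA1 only, and archives
    have no analysis_id, so the only selector is /latest."""
    if not re.fullmatch(r"[0-9a-fA-F]{40}", sha1):
        raise ValueError("the archive query accepts only SHA1 hashes")
    return f"{ARCHIVE_QUERY}/sha1/{sha1}" + ("/latest" if latest else "")


def interpret(status_code, body):
    """Map one response to ('ready', rl_object), ('pending', status) or
    ('error', detail). The body layout of the custom 404 responses is not shown
    on the page; a JSON 'status' key at top level or under 'rl' is assumed."""
    if status_code == 200:
        return "ready", body["rl"]
    status = body.get("status") or body.get("rl", {}).get("status")
    if status_code == 404 and status in PENDING_STATUSES:
        return "pending", status
    return "error", {"http_status": status_code, "body": body}


def poll_report(path, fetch=None, attempts=30, interval=MIN_INTERVAL):
    """Poll one report path until it is ready, pacing requests for the rate limit.
    fetch(path) -> (status_code, body_dict) is injectable for offline use."""
    fetch = fetch or http_fetch
    last = None
    for _ in range(attempts):
        state, payload = interpret(*fetch(path))
        if state == "ready":
            return payload
        if state == "error":
            raise RuntimeError(f"analysis failed or request rejected: {payload}")
        last = payload
        time.sleep(interval)
    raise TimeoutError(f"report still {last} after {attempts} attempts")


def http_fetch(path, username="<USERNAME>", password="<PASSWORD>"):
    """Real transport: one GET returning (status_code, parsed JSON). Credentials are
    placeholders and HTTP basic auth is assumed; adjust to your account's scheme."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(BASE_URL + path,
                                 headers={"Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # the 404 status bodies arrive here
        raw = err.read()
        try:
            return err.code, json.loads(raw)
        except ValueError:
            return err.code, {"message": raw.decode(errors="replace")}
```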