Information about network traffic is exported to a network.pcap file.
Screenshots are exported as a folder.
By default, the format of the archive name is as follows: <web address>.zip. You can change the archive name if necessary.
Each .zip archive contains files described in the table below. The first string in all files contains column names.
File name
|
Description
|
Column name
|
url-and-analysis-properties.json
|
Information about web address browsing parameters.
The file contains only one entry.
|
Created—Date and time when the web address browsing started (for example, 2018-01-17T15:30:16.077Z).
Analyzed—Date and time when the browsing results analysis completed (for example, 2018-01-17T15:39:02.673Z).
AvBasesVersion—Date and time when anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
Zone—Zone of the web address (for example, Red).
Status—Status of the web address (for example, Malware).
State—Browsing task state (for example, completed).
ErrorCode—Task error description. If the task completed successfully, an empty string is returned.
Url—Web address that was browsed in Kaspersky Sandbox (for example, http://example.com/path/to/page.html).
HasApt—Shows whether the file is related to an advanced persistent threat (APT) attack.
|
categories.json
|
Information about browsed and redirected web addresses categories.
|
Zone—Zone of the web address (for example, Green).
Category—Name of a category to which the web address belongs (for example, CATEGORY_SOCIAL_NETS).
|
dns-requests.json
|
Information about DNS requests that were registered when browsing the web address.
|
Status—Status of an object in DNS request.
Type—DNS request type.
Response—Contents of the DNS response.
|
publications.json
|
Information about Crimeware Threat Intelligence and/or APT Intelligence reports to which the analyzed web address is related.
|
Id—ID of a Crimeware Threat Intelligence and/or APT Intelligence report (for example, 216456).
Name—Name of a Crimeware Threat Intelligence and/or APT Intelligence report (for example, Sofacy - New AZZY backdoor).
|
detection-names.json
|
Information about threats that were detected during the web address emulation.
|
Zone—Danger zone to which the object refers (for example, Malware).
Threat—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).
|
hosts-ips.json
|
Information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.
|
Zone—Zone of the IP address (for example, Green).
Ip—IP address to which FQDN resolved.
IpStatus—Status of a country's region detection (Reserved, Known, NoInfo).
IpCountryCode—Two-letter country code (ISO 3166-1 alpha-2 standard) of a country to which the IP address belongs. For reserved and not defined IP addresses, the NULL value is exported.
ASN—Autonomous system number according to RFC 1771 and RFC 4893.
Hits—Number of times when the IP address was detected by Kaspersky expert systems.
Domain—Fully qualified domain name (FQDN) that resolved to the IP address.
|
http-requests.json
|
Information about HTTPS requests that were registered during the file execution.
|
Status—Status of a web address in the HTTP(S) request.
Scheme—Web address scheme that identifies the protocol which was used (HTTP or HTTPS).
URL—Web address to which the request was registered.
IP—IP address that indicates the host. The corresponding flag and the status of the IP address are also displayed.
Request—HTTP(S) request details.
Response—Response details.
|
WHOIS-ip.json
|
WHOIS information about host of the analyzed web address.
This file is available for IP address as a host.
|
ASN—Autonomous system number according to RFC 1771 and RFC 4893.
Net—Array of descriptions of the networks that the IP address belongs to.
RangeStart—Start IP address in the network that the host IP address belongs to.
RangeEnd—End IP address in the network that the host IP address belongs to.
Changed—Date when information about the network was last updated.
Name—Name of the network that the host IP address belongs to.
Description—Description of the network that the host IP address belongs to.
Contacts—Contacts that are registered for the IP address.
Address—Postal address that is registered for the IP address (array of strings).
Name—Name of an organization or a person to whom the a network is registered.
ContactType—Type of a contact (organization or person).
ContactRole—Role of a contact (for example, owner).
Phone—Phone number of a contact.
Email—Email address of a contact.
|
WHOIS-domain.json
|
WHOIS information about host of the analyzed web address.
This file is available for FQDN as a host.
|
DomainName—Name of the domain for the analyzed web address.
Created—Date and time when the domain for the analyzed web address was registered.
Updated—Date and time when registration information about the domain for the analyzed web address was last updated.
Expires—Date when the domain expires.
NameServers—Name servers of the domain for the analyzed web address.
Contacts—Contact that are registered for the IP address.
Registrar—Name of the registrar of the domain for the analyzed web address.
DomainStatus—Status of the domain for the analyzed web address (for example, clientTransferProhibited).
RegistrationOrganization—Name of the registration organization.
|
triggered-network-rules.json
|
Information about SNORT and Suricata rules that were triggered during analysis of traffic from the web address.
|
Zone—Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (for example, High).
RuleName—SNORT or Suricata rule name (for example, Trojan.Agent.HTTP.C&C).
|
screens (folder)
|
Set of screenshots (PNG images) that were taken during the web address browsing.
|
—
|
network.pcap
|
Information about activities that were registered during the web address browsing.
|
—
|