Screenshots are exported as a folder.
Export results for multi-file objects contain only the sample-and-execution-properties.json, sample-content.json, and detection-names.json (if available) files. The sample-content.zip archive is not included in the JSON archive (.zip) file and can be exported separately.
For the , only the sample-and-execution-properties.json and detection-names.json files are included in the JSON archive.
You can change the archive name if necessary.
Each .zip archive contains files described in the table below.
File name: sample-and-execution-properties.json
Description: Information about object parameters and execution settings (Executing a file, Starting a file upload and execution). The file contains only one JSON object.
JSON attributes:
  Uploaded — Date and time when the object execution started (for example, 2018-01-17T15:30:16.077Z).
  Analyzed — Date and time when the object execution completed (for example, 2018-01-17T15:39:02.673Z).
  State — Execution task state (for example, completed).
  Error — Task execution error description. If the task completed successfully, an empty string is returned.
  AvBasesVersion — Date and time when anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).
  Zone — Zone of the executed file (for example, Red).
  Status — Status of the executed file (for example, Malware).
  HasApt — Shows whether the file is related to an advanced persistent threat (APT) attack.
  FileName — Name of the executed file (for example, 0xDC2ED1E657AEE092B63DC3BB9EAEECA8).
  FileExtension — Extension of the executed file (for example, js).
  FileType — Automatically detected type of the executed file.
  Length — Size of the executed file, in bytes (for example, 539136).
  Md5 — MD5 hash of the executed object (for example, DC2ED1E657AEE092B63DC3BB9EAEECA8).
  Sha1 — SHA1 hash of the executed object (for example, B617DF5EBC4381305B7268C1ECD4B4DF6A0A02BC).
  Sha256 — SHA256 hash of the executed object (for example, 47BB3B7EA8CA384E459BC7D4B69D9DBA638EDEBF1BE837E81DCA1D81FEE703C3).
  ExecutionEnvironment — Execution environment of the file (for example, Win7_x64).
  Channel — Specified region of a network channel that the object should use to access the internet (for example, any_channel).
  ChannelUsed — Region of a network channel that the object actually used to access the internet (for example, US).
  ExecutionTime — Object execution time, in seconds (for example, 500).
  DecryptHTTPS — Boolean parameter. Indicates whether HTTPS traffic generated by the executed object was decrypted.
  ClickOnLinks — Boolean parameter. Indicates whether the links in the opened documents were followed during the file execution.

File name: sample-download-info.json
Description: Information about downloading the file from the submitted link. This file is available only for files that were downloaded from a web address.
JSON attributes:
  Started — Date and time when the file download started (for example, 2018-01-17T15:30:16.077Z).
  Method — Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
  RequestFields — Standard request header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1), including the Name, Value, and IsDefault indicator.
  DownloadRequests — Information about the request, including:
    Zone — Zone of the web address from which the file was downloaded (for example, Red).
    Status — Status of the web address from which the file was downloaded (for example, Dangerous).
    HasApt — Shows whether the web address is related to an APT attack.
    Protocol — Protocol that was used (HTTP or HTTPS).
    Url — Web address used to download the file.
    ResponseCode — HTTP response status code (for example, 200 means the request was completed successfully).
    ResponseLenght — Size of the response to the HTTP request, in bytes.
    ResponseHeaders — Standard response header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1), including the Name, Value, and IsDefault indicator.
    Categories — Array of unnamed objects containing information about categories of the web address from which the file was downloaded:
      Zone — Zone of the category (for example, Grey).
      Name — Name of the category.

File name: detection-names.json
Description: Information about objects detected during file execution.
JSON attributes:
  Zone — Danger zone to which the object refers (for example, Malware).
  Threat — Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

File name: triggered-network-rules.json
Description: Information about SNORT and Suricata rules triggered during analysis of traffic from the executed object.
JSON attributes:
  Zone — Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (for example, High).
  RuleName — SNORT or Suricata rule name (for example, Trojan.Agent.HTTP.C&C).

File name: screens (folder)
Description: Set of screenshots (PNG images) that were taken during the file execution.
JSON attributes: —

File name: suspicious-activities.json
Description: Information about registered suspicious activities.
JSON attributes:
  Type — Type of a suspicious activity (for example, RegistryValueUpdate).
  Zone — Danger zone (level) of the registered activity (for example, High).
  Severity — Numerical value of the danger level of the registered activity (for example, 555).
  Properties — Attributive description of the registered activity.

File name: suspicious-activities-android.json
Description: Information about registered Android suspicious activities.
JSON attributes:
  ComponentClass — Component class (for example, action).
  ComponentType — Component type (for example, DEFAULT).
  Zone — Danger zone (level) of the registered activity (for example, Medium).
  Severity — Numerical value of the danger level of the registered activity (for example, 400).
  Name — Name of the registered activity (for example, Copy file).
  Description — Description of the registered activity (for example, Copy file).

File name: loaded-pe-images.json
Description: Information about loaded images that were detected during the file execution.
JSON attributes:
  Path — Full path to the loaded image (for example, \\Windows\\SysWOW64\\rpcrt4.dll).
  Size — Size of the loaded image, in bytes (for example, 555).

File name: file-operations.json
Description: Information about file operations that were registered during the file execution.
JSON attributes:
  Operation — Operation name (for example, FILE_CREATED).
  Details — Array of the operation attributes represented as key-value pairs. Includes the following:
    Name — The Name attribute of the operation (for example, $selfpath\\KL_APT_SANDBOX_TEST_MARKER_FILE).
    Size — The Size attribute of the operation (for example, 555).

File name: registry-operations.json
Description: Information about operations performed on the operating system registry detected during file execution.
JSON attributes:
  Operation — Operation name (for example, REG_CREATE_KEY).
  Details — Array of the operation attributes represented as key-value pairs. Includes the following:
    Key — The Key attribute of the operation (for example, \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisableUserModeCallbackFilter).
    Value — The Value attribute of the operation (for example, 1).

File name: process-operations.json
Description: Information about interactions of the file with various processes registered during file execution.
JSON attributes:
  Operation — Operation name (for example, PROCESS_STARTED).
  ProcessName — Name of the process that interacted with the executed file (for example, $windir\\explorer.exe).

File name: synchronize-operations.json
Description: Information about operations on created synchronization objects registered during file execution.
JSON attributes:
  Type — Type of the created synchronization object (for example, mutex).
  Name — Name of the created synchronization object (for example, Skyz.Messaging.ThreadPooling.MyAppSingleInstance).

File name: network.pcap
Description: Information about activities that were registered during the file execution. This file is included in the archive if the PCAP (.pcap) option is selected during the results export.
JSON attributes: —

File name: matrix.json
Description: Information about known tactics, techniques and procedures (TTPs), and their mapping to the MITRE ATT&CK classification for the executed object.
JSON attributes:
  Matrix — MITRE ATT&CK matrix type.
  Tactics — Information about tactics, containing the following:
    Id — ID of a tactic.
    Name — Name of a tactic.
    Url — Web address of the tactic's description on the MITRE ATT&CK website.
    Technique — Information about techniques, containing the following:
      Id — ID of a technique.
      Name — Name of a technique.
      Url — Web address of the technique's description on the MITRE ATT&CK website.

File name: sample-content.json
Description: Information about the content of the packed file. Use the default passwords infected, password, pass, god, 123456, 123456789, 12345678, 111111, or qwerty to unpack the archive.
JSON attributes:
  Zone — Color of the danger zone (level) of the file.
  MD5 — MD5 hash of the file.
  SHA1 — SHA1 hash of the file.
  SHA256 — SHA256 hash of the file.
  Path — File name and its path from the uploaded object's root.
  Packer — Name of the packer with which the uploaded object is packed.
  Type — Automatically detected type of the file.
  DetectionNames — Names of the detected objects (for example, HEUR:Exploit.Script.Blocker).
  Size — Size of the file, in bytes.

File name: sample-content.zip
Description: Archive that contains the files included in the packed object. Use the default passwords infected, password, pass, god, 123456, 123456789, 12345678, 111111, or qwerty to unpack the archive. The archive can only be exported separately; it is not included when you export all task results.
JSON attributes: —

File name: downloaded-files.json
Description: Information about files extracted from network traffic during file execution.
JSON attributes:
  Zone — Zone of the file (for example, Red).
  Status — Status of the file (for example, Malware).
  Md5 — MD5 hash of the downloaded file (for example, B136E08794A896FDB28C13A5F9D27D4A).
  HasApt — Shows whether the file is related to an advanced persistent threat (APT) attack.
  DetectionName — Name of the detected object (for example, Trojan-Downloader.Script.Generic).
  Traffic — Traffic that the downloaded file was extracted from (HTTP or HTTPS).

File name: dropped-files.json
Description: Information about files saved by the executed file.
JSON attributes:
  Zone — Zone of the dropped file (for example, Red).
  Status — Status of the dropped file (for example, Malware).
  Md5 — MD5 hash of the dropped file (for example, B136E08794A896FDB28C13A5F9D27D4A).
  HasApt — Shows whether the file is related to an advanced persistent threat (APT) attack.
  DetectionName — Name of the detected object (for example, Trojan-Downloader.Script.Generic).
  FileName — File name of the dropped file (for example, sample.exe).

File name: dumps.json
Description: Dump files (snapshots) of the file execution process and loaded modules. Available only for execution environments that have the Android operating system installed.
JSON attributes:
  Zone — Zone of the dump file (for example, Red).
  Md5 — MD5 hash of the dump file.
  Sha1 — SHA1 hash of the dump file.
  Sha256 — SHA256 hash of the dump file.
  DetectionName — Name of the detected object (for example, Trojan-Downloader.Script.Generic).
  Name — Name of the dump file.
  Size — Size of the dump file.
  Type — Type of the dump file.
  IsHttpsTraffic — Traffic that the downloaded file was extracted from (HTTP or HTTPS).

File name: manifest.zip
Description: Information about the Android app manifest.
JSON attributes: —

File name: static-modules.json
Description: Android app modules detected by static analysis.
JSON attributes:
  Status — Status (danger level) of the module.
  Severity — Severity of the module's danger.
  File — Path to the app module and its name.
  Md5 — MD5 hash of the file contents.
  Description — Description of the app module.

File name: static-permissions.json
Description: Android app permissions detected by static analysis.
JSON attributes:
  Status — Status (danger level) of the permission.
  Severity — Severity of the permission's danger.
  Permission — Permission's value.
  Description — Detailed description of the permission.

File name: static-components.json
Description: Android app components detected by static analysis.
JSON attributes:
  Status — Status (danger level) of the component.
  Severity — Severity of the component's danger.
  Component — Component name.
  Description — Detailed description of the component.
  IntentFilters — List of filters applied to the component:
    Priority — Filter priority.
    Actions — Performed action.
    Categories — Component category.

File name: static-bundle.json
Description: Android App Bundle (APK).
JSON attributes:
  Type — File type (Module, Icon, or Picture).
  Path — File path and name.
  Size — File size.
  MD5 — MD5 hash of the file.

File name: static-images.json
Description: Android App Bundle images.
JSON attributes: —

File name: dynamic-modules.json
Description: Android app modules detected by dynamic analysis.
JSON attributes:
  Status — Status (danger level) of the module.
  Severity — Severity of the module's danger.
  File — Path to the module and its name.
  Md5 — MD5 hash.
  Description — Detailed description of the module.
  Timestamp — Date and time when the module was loaded, as a UNIX timestamp: the number of seconds elapsed since 00:00:00 (UTC), 1 January 1970.

File name: network-traffic-tables.json
Description: Information about network activities that were registered during the file execution. The data is saved in the root JSON object with the attributes described in the sections below, or in separate CSV files with corresponding names.
JSON attributes: —

Section: IpSessions
Description: Array that contains information about IP sessions that were registered during file execution.
JSON attributes:
  DestinationIP — Destination IP address.
  ThreatScore — Probability that the destination IP address will turn out to be dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as dangerous if its threat score is greater than 74.
  Started — Date and time when the IP session started.
  Ended — Date and time when the IP session ended.
  Size — Size of data that was sent and received within the IP session (in bytes).
  Packets — Number of packets that were sent and received within the IP session.

Section: TcpSessions
Description: Array that contains information about TCP sessions that were registered during file execution.
JSON attributes:
  DestinationIP — Destination IP address.
  ThreatScore — Probability that the destination IP address will turn out to be dangerous (0 to 100).
  SourcePort — Source port number (0–65536).
  DestinationPort — Destination port number (0–65536).
  Size — Size of data that was sent and received within the TCP session (in bytes).
  Packets — Number of packets that were sent and received within the TCP session.
  SYNPackets — Number of SYN packets that were sent and received within the TCP session.
  FINPackets — Number of FIN packets that were sent and received within the TCP session.
  OutOfOrderPackets — Number of out-of-order packets that were sent and received within the TCP session.
  LostAckPackets — Number of lost ACK packets that were sent and received within the TCP session.
  DuplicatedAckPackets — Number of duplicated ACK packets that were sent and received within the TCP session.
  WindowIn — Number of incoming segments (bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received.
  WindowOut — Number of outgoing segments (bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.

Section: UdpSessions
Description: Array that contains information about UDP sessions that were registered during file execution.
JSON attributes:
  DestinationIP — Destination IP address.
  ThreatScore — Probability that the destination IP address will turn out to be dangerous (0 to 100).
  SourcePort — Source port number (0–65536).
  DestinationPort — Destination port number (0–65536).
  Size — Size of data that was sent and received within the UDP session (in bytes).
  Packets — Number of packets that were sent and received within the UDP session.

Section: DnsSessions
Description: Array that contains information about DNS sessions that were registered during file execution.
JSON attributes:
  Id — DNS message ID.
  Qr — Request/response indicator (0 — DNS query, 1 — DNS response).
  RCode — DNS response code.
  Size — Size of data that was sent and received within the DNS session (in bytes).
  Packets — Number of packets that were sent and received within the DNS session.
  Records — Records in the message. For each record, its status, name, section, and type are displayed; the TTL and Data fields are included when available.

Section: FtpSessions
Description: Array that contains information about FTP sessions that were registered during file execution.
JSON attributes:
  CommandName — Command name.
  CommandArg — Command argument.
  ReplyCode — Reply code.
  ReplyMsg — Reply message from the server.
  DataChannelClientIp — FTP client address.
  DataChannelServerIp — FTP server address.
  DataChannelServerPort — Port number of the FTP server.

Section: HttpSessions
Description: Array that contains information about HTTP requests that were registered during the file execution.
JSON attributes:
  Status — Danger zone (level) of the URL in the HTTP request.
  Method — Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
  URL — URL to which the request was registered.
  ResponseCode — Response code of the HTTP request.
  ResponseLength — Size of the response to the HTTP request, in bytes.
  RequestHeaders — Standard request header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Provided as <name>:<value> pairs.
  ResponseHeaders — Standard response header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Provided as <name>:<value> pairs.
  RequestBody — Body of the request (Md5, Name, Size).
  ResponseBody — Body of the response (Md5, Name, Size).

Section: TlsSessions
Description: Array that contains information about TLS sessions that were registered during file execution.
JSON attributes:
  Status — Domain status.
  Version — TLS protocol version.
  Cipher — Cryptographic algorithm.
  Curve — Curve class.
  ServerName — Name of the server.
  Subject — Subject name.
  Issuer — Issuer name.

Section: IrcSessions
Description: Array that contains information about IRC sessions that were registered during file execution.
JSON attributes:
  Command — Command name.
  User — User name.
  Nick — User's nickname.
  Channels — Names of channels to connect to during the IRC session.
  Sender — Nickname of the command's sender.
  Channel — Name of the channel to send the message to during the IRC session.
  Text — Text that was sent during the IRC session.

Section: Pop3Sessions
Description: Array that contains information about POP3 sessions that were registered during file execution.
JSON attributes:
  Type — Command type.
  Command — Command result.
  Arguments — Command arguments.
  Message — Description of the result of the command.

Section: SmbSessions
Description: Array that contains information about SMB sessions that were registered during file execution.
JSON attributes:
  Status — Status of the IP address.
  DestinationIP — Session's destination IP address.
  DestinationPort — Destination port number (0–65536).
  Version — Protocol version.
  Md5 — MD5 hashes of files transferred during the command execution.

Section: SmtpSessions
Description: Array that contains information about SMTP sessions that were registered during file execution.
JSON attributes:
  Status — Status of the hash.
  From — Sender's name and address.
  To — Receivers' names and addresses.
  Subject — Message subject.
  Md5 — List of MD5 hashes of attached files.

Section: SocksSessions
Description: Array that contains information about SOCKS sessions that were registered during file execution.
JSON attributes:
  Status — Status of the IP address.
  Version — SOCKS protocol version.
  RequestHost — IP address or fully qualified domain name (FQDN) to which the connection request was made via the SOCKS protocol.
  RequestPort — Number of the TCP port to which the connection request was made via the SOCKS protocol (0–65536).
  BoundHost — IP address or fully qualified domain name (FQDN) to which the connection was established.
  BoundPort — Number of the TCP port to which the connection was established (0–65536).

Section: HttpsSessions
Description: Array that contains information about HTTPS requests that were registered during the file execution.
JSON attributes:
  Status — Danger zone (level) of the URL in the HTTPS request.
  Method — Method of sending an HTTPS request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.
  URL — URL to which the request was registered.
  ResponseCode — Response code of the HTTPS request.
  ResponseLength — Size of the response to the HTTPS request, in bytes.
  RequestHeaders — Standard request header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Provided as <name>:<value> pairs.
  ResponseHeaders — Standard response header names based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Provided as <name>:<value> pairs.
  RequestBody — Body of the request (Md5, Name, Size).
  ResponseBody — Body of the response (Md5, Name, Size).
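As an added example (not Kaspersky's own code), the following script builds a triage summary from the exported files described above: it reads the execution verdict from sample-and-execution-properties.json, lists detections, and applies the page's "ThreatScore greater than 74" rule to the IpSessions, TcpSessions and UdpSessions arrays of network-traffic-tables.json. The exact JSON nesting (detection-names.json as an array of objects, the session arrays as arrays of objects) and the sample documents are assumptions constructed for this example.

```python
import json

DANGER_THRESHOLD = 74  # per the page: an IP is dangerous if ThreatScore > 74

# Constructed sample export, in the attribute layout described above (nesting assumed).
SAMPLE_FILES = {
    "sample-and-execution-properties.json": json.dumps({
        "Uploaded": "2018-01-17T15:30:16.077Z",
        "Analyzed": "2018-01-17T15:39:02.673Z",
        "State": "completed", "Error": "", "Zone": "Red", "Status": "Malware",
        "HasApt": False, "FileName": "0xDC2ED1E657AEE092B63DC3BB9EAEECA8",
        "FileExtension": "js", "Length": 539136,
        "Sha256": "47BB3B7EA8CA384E459BC7D4B69D9DBA638EDEBF1BE837E81DCA1D81FEE703C3",
        "ExecutionEnvironment": "Win7_x64", "ChannelUsed": "US",
    }),
    "detection-names.json": json.dumps([
        {"Zone": "Malware", "Threat": "HEUR:Exploit.Script.Blocker"},
    ]),
    "network-traffic-tables.json": json.dumps({
        "IpSessions": [
            {"DestinationIP": "192.0.2.10", "ThreatScore": 91, "Size": 4096, "Packets": 12},
            {"DestinationIP": "192.0.2.20", "ThreatScore": 74, "Size": 512, "Packets": 3},
        ],
        "TcpSessions": [
            {"DestinationIP": "192.0.2.10", "ThreatScore": 91, "DestinationPort": 443},
        ],
        "HttpSessions": [
            {"Status": "Dangerous", "Method": "GET", "URL": "http://192.0.2.10/stage2",
             "ResponseCode": 200, "ResponseLength": 3100},
        ],
    }),
}

def load_export(files):
    """Parse whichever of the optional JSON files are present in the archive."""
    return {name: json.loads(text) for name, text in files.items() if name.endswith(".json")}

def dangerous_destinations(traffic, threshold=DANGER_THRESHOLD):
    """Destination IPs whose ThreatScore exceeds the threshold in any session array."""
    found = set()
    for section in ("IpSessions", "TcpSessions", "UdpSessions"):
        for session in traffic.get(section, []):
            if session.get("ThreatScore", 0) > threshold:  # strictly greater, as the page states
                found.add(session["DestinationIP"])
    return sorted(found)

def summarize(export):
    """Triage summary: verdict (only if the task finished cleanly), detections, risky IPs, flagged URLs."""
    props = export.get("sample-and-execution-properties.json", {})
    finished = props.get("State") == "completed" and not props.get("Error")
    traffic = export.get("network-traffic-tables.json", {})
    return {
        "sha256": props.get("Sha256"),
        "verdict": f"{props.get('Zone')}/{props.get('Status')}" if finished else "incomplete",
        "environment": props.get("ExecutionEnvironment"),
        "threats": sorted(d["Threat"] for d in export.get("detection-names.json", [])),
        "dangerous_ips": dangerous_destinations(traffic),
        "flagged_urls": sorted(h["URL"] for h in traffic.get("HttpSessions", [])
                               + traffic.get("HttpsSessions", []) if h.get("Status") == "Dangerous"),
    }

if __name__ == "__main__":
    print(json.dumps(summarize(load_export(SAMPLE_FILES)), indent=2))
```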