Threat Analysis

This section explains how you can execute files and emulate opening of web addresses in safe environments that are isolated from your corporate network using Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies.

After you upload a file to the selected environment or start the web address analysis, Kaspersky Threat Intelligence Portal displays various results, including a graphical representation. Execution results can be downloaded as archives. All results, or data from certain sections, can be downloaded for further analysis.

During file execution, screenshots are taken for each change in the file execution environment. You can view screenshots online, or you can download all of them as an archive.

You can also analyze objects by using the Kaspersky Threat Intelligence Portal API.

Using Kaspersky Threat Attribution Engine technology, Kaspersky Threat Intelligence Portal automatically analyzes the "genetics" of malware, looking for code similarities with previously investigated advanced persistent threat (APT) samples and linked attribution entities. The portal compares the "genotypes" (small binary pieces of analyzed files) with the APT malware samples database and provides a report on malware origin, attribution entities, and file similarity with known APT samples.

When you send a file for analysis, Kaspersky Threat Intelligence Portal uses the Kaspersky Threat Attribution Engine technology to find genotypes and strings, and compares them with known genotypes and strings. As a result of this comparison, the analyzed file can be associated with one or more known attribution entities. An attribution entity is an actor, campaign, or known malware, or a combination of these three aspects.

For more information, please see Kaspersky Threat Attribution Engine documentation.

Using machine-learning (ML) methods, Kaspersky Threat Intelligence Portal searches for files that are similar to the analyzed file. Kaspersky systems extract the analyzed file's features and detect similar malicious files. Information about similar files can be used during incident response to search more extensively for modifications and variations of a malicious object. This information also allows you to optimize perimeter protection against certain threats by taking into account different modifications and variations of a malicious object.

On the Threat Analysis (Sandbox) page, available usage quotas for Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies are displayed. If necessary, you can apply for a quota increase for the corresponding technology by clicking the Increase your quota link. In the sidebar that opens, add a comment if necessary, and click Send.

Analysis results are displayed in the History table on the Threat Analysis page. You can click the required task area to expand it and view more details.

The Active tab displays the latest 1000 task results. Older task results are displayed on the Archived tab.

Result history table

Table field

Description

Created

Date and time when a task was created.

Object

Submitted object name.

When expanded, the following information is displayed:

  • MD5—MD5 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the MD5 hash on the Threat Lookup page.

    The Object field and Sandbox results page may display different hashes if an archive is sent for analysis.

  • SHA1—SHA1 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the SHA1 hash on the Threat Lookup page.
  • SHA256—SHA256 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the SHA256 hash on the Threat Lookup page.
  • File size—Size of the executed file in bytes.

Details

Task execution state, and the status of Kaspersky Sandbox, Similarity, and Kaspersky Threat Attribution Engine technologies for the analyzed object.

Displayed status depends on the technology you selected for object execution.

The History table displays the object status defined at the moment the request was processed.

Task execution state is displayed near the corresponding technology name. If the task execution fails, the error reason is displayed.

For Kaspersky Sandbox, status can be one of the following:

  • Good/Clean—Object is not malicious.
  • Dangerous/Malware—There are malicious objects related to the analyzed object.
  • Adware and other—There are objects related to the analyzed object, which can be classified as Not-a-virus.
  • Not trusted—Object is categorized as Infected or Compromised.
  • Not categorized—No or insufficient information about the object is available to define status, or task execution failed.

For Kaspersky Threat Attribution Engine, status can be one of the following:

  • Found—Object is assigned to an attribution entity.
  • Not found—Object is not assigned to an attribution entity.
  • Not categorized—No or insufficient information about the object is available to define status, or task execution failed.

For Similarity technology, status can be one of the following:

  • Similar files found—Files that are similar to the submitted file have been detected.
  • Similar files not found—Files that are similar to the submitted file have not been detected.
  • Not categorized—No or insufficient information about the object is available to define status, or task execution failed.

When expanded, the following information about task parameters is displayed:

For Kaspersky Sandbox technology:

  • MD5—MD5 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the MD5 hash on the Threat Lookup page.
  • SHA1—SHA1 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the SHA1 hash on the Threat Lookup page.
  • SHA256—SHA256 hash of the executed file. You can click the item to copy it to the clipboard, and then search for information about the SHA256 hash on the Threat Lookup page.
  • File name—Name of the executed file.
  • File type—Automatically detected type of the executed file.
  • File size—Size of the executed file in bytes.
  • Execution environment—Selected environment (operating system) for file execution. If you did not specify the execution environment, Kaspersky Threat Intelligence Portal automatically selects the optimal environment for executing your object and displays Auto.
  • Execution time—Specified time of file execution, in seconds.

    If you did not specify the execution time, Kaspersky Threat Intelligence Portal automatically selects the optimal execution time for your object and displays Auto.

  • Database update—Date and time when the anti-virus databases were updated.
  • HTTPS decryption—Information about whether the HTTPS traffic generated by the object was decrypted during execution.
  • Click links—Information about whether the links in opened documents were followed during the file execution.
  • Internet access options—Region of a network channel that the file used to access the internet.

    If you selected the Tarpit item when creating the execution task, a warning that the file was executed in an environment without access to the internet is displayed. For more details about channels, refer to Internet channel values.

  • File extension—Specified file extension.
  • Command line parameters—Command line parameters that were used to execute the object in the Sandbox.

For Kaspersky Threat Attribution Engine technology:

  • Reset similarity thresholds—Indicates whether similarity thresholds for compared samples were ignored.
  • Unpack—Indicates whether contents of the attached file were unpacked before analysis.

Actions

Action you can perform to object execution results.

For recent tasks (the Active tab):

  • Repeat object execution (Rescan).
  • Delete the object execution results (Trash can).
  • Export execution results (Download). Also, you can download a debug report, if it is available.
  • View details—View object execution results in a new tab. For Kaspersky Sandbox, Kaspersky Threat Attribution Engine, and Similarity technologies, execution results are displayed separately. Select the required technology (Sandbox / Attribution / Similarity) in the drop-down list. Also, you can click the technology name in the Details column to view execution results when the task finishes.

For archived tasks (Archived tab):

  • Delete archived task results.
  • View brief summary.

When you click on the item in the History table, brief information about the analyzed object is displayed. Displayed fields depend on the analyzed object.
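The Object field note above says that the History table and the Sandbox results page may show different hashes when an archive is submitted: the History entry carries the hashes of the archive you uploaded, while the report describes the file that was actually executed. The following added example (not code from the portal or its documentation) builds a constructed ZIP archive in memory, hashes both the archive and its members with the same MD5/SHA1/SHA256 digests the table displays, and keeps an index keyed by SHA256 so an analyst can reconcile a hash seen in one view with the object it belongs to. The sample member names and contents are made up for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample members standing in for an archive submitted for analysis.
# The names and contents are invented for this example; nothing here is a real sample.
SAMPLE_MEMBERS = {
    "invoice.docm": b"constructed sample content, not a real document\n",
    "readme.txt": b"second member\n",
}


def digests(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 hex digests and size shown in the History table."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def build_archive(members: dict) -> bytes:
    """Pack the constructed members into an in-memory ZIP archive (the submitted object)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def hash_index(archive: bytes) -> dict:
    """Hash the archive itself (what the Object field shows) and every member
    (what the Sandbox results page may show for the executed file), keyed by SHA256."""
    index = {}
    d = digests(archive)
    index[d["sha256"]] = {"name": "<submitted archive>", **d}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            d = digests(zf.read(info))
            index[d["sha256"]] = {"name": info.filename, **d}
    return index


def reconcile(index: dict, sha256: str) -> str:
    """Map a SHA256 copied from the portal back to the archive or member it belongs to."""
    entry = index.get(sha256)
    return entry["name"] if entry else "unknown"
```

Copy the SHA256 from either the History entry or the Sandbox report into reconcile() to see whether it refers to the archive or to one of its members before searching it on the Threat Lookup page.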

See also

Threat Analysis API

In this section

Executing a file

Browsing a web address

Executing an extracted file from Kaspersky Sandbox report

About archived (discarded) tasks

Execution task errors
