Exporting execution results to CSV archive

If you select the CSV archive (.zip) option when exporting all execution results, Kaspersky Research Sandbox saves execution results as a .zip archive. The .zip archive contains files in comma-separated values (CSV) format, with commas used as field separators. Up to 10,000 entries can be exported to most files, with the exception of the sample-and-execution-properties.csv file, which contains only one entry. Screenshots are exported as a folder.

By default, the format of the archive name is as follows: <object MD5>-csv.zip. You can change the archive name if necessary.

Each .zip archive contains the files described in the table below. If there is no data for a certain section, the corresponding file is not included in the archive. The first line of each file contains the column names.

Exported results for multi-file objects contain only the sample-and-execution-properties.csv, sample-content.csv, and detection-names.csv (if available) files. The sample-content.zip archive is not included in the CSV archive (.zip) file; it can be exported separately.

For information about export limitations for abridged reports, refer to the Abridged (short) reports for files section.

Note that in the current Kaspersky Research Sandbox version, the loaded-pe-images.csv file has been renamed to loaded-images.csv.

CSV archive contents

For each file: file name, description, column names.

sample-and-execution-properties.csv

Information about object parameters and execution settings.

The file contains only one entry.

TaskID—ID (GUID) of the created file execution task.

Created—Date and time when the file execution started (for example, 2018-01-17T15:30:16.077Z).

Processed—Date and time when the file execution completed (for example, 2018-01-17T15:39:02.673Z).

AvBasesVersion—Date and time when anti-virus databases were updated (for example, 2018-01-17T18:36:00Z).

TaskState—File execution task status (for example, completed).

Zone—Color of the object's danger level.

Status—Status of the executed object (for example, Malware).

ErrorCode—Error code (for example, ProcessingFailed).

ErrorMessage—Error message.

OriginalFileName—Original name of the uploaded file.

FileName—Name of the executed file.

ArchiveSampleName—Path inside the archive to the analyzed object, if it was uploaded in the archive.

FileExtension—Extension of the executed file (for example, js).

FileType—Automatically detected type of the executed file.

FileSize—Size of the executed file, in bytes (for example, 539136).

Md5—MD5 hash of the executed object.

Sha1—SHA1 hash of the executed object.

Sha256—SHA256 hash of the executed object.

SSDeep—SSDeep hash of the executed object.

VirtualMachineID—Execution environment of the sample (for example, Win7_x64).

EmulationTimeSeconds—Object execution time, in seconds (for example, 500).

Detects—Information about the detected objects:

  • detectTechnology—Technology that was used to detect the object.
  • isNotAVirus—Indicates whether the detected object is malicious.
  • severity—Danger level of the detected object.
  • threat—Detected object name.

screenshots—List of created screenshots.

DecryptHTTPS—Boolean parameter. Indicates whether HTTPS traffic generated by the executed object was decrypted.

PreScan—Boolean parameter. Indicates whether the full (both static and dynamic) object analysis including execution in the Sandbox was performed.

PreScanState—State of the static analysis stage:

  • CalcParam—Boolean parameter. Indicates whether the parameters calculation is completed.
  • AvsScan—Boolean parameter. Indicates whether the object scan is completed.
  • statPars—Boolean parameter. Indicates whether static analysis is completed.

Channel—Name of the specified network channel to be used by the object to access the internet.

UsedChannel—Name of the network channel that was actually used by the object to access the internet.

IsDataAvailable—Indicates whether there is report data for the task.

UnpackPassword—Password for the archive.

Url—Browsed web address.

DocPassword—Password for the protected document.

CmdLine—Command line parameters that were used to execute the object in the Sandbox.

SampleType—Type of the object (for example, simple).

CalculatedParams—Automatically calculated execution parameters:

  • ExecEnv—Execution environment.
  • ExecTime—Execution time.

ClickLinks—Boolean parameter. Indicates whether Kaspersky Research Sandbox browsed the links in the documents that were opened in the Sandbox.

ThreatScore—Threat score of files and web addresses, which is based on metrics and data obtained during task execution.

AppsCloseTimeout—Application close timeout.

Userscan—Status of the YARA and Suricata scan task of the object and its extracted files:

  • Yara:
    • Status—Status of the triggered YARA rule (for example, matched); see the description below.
    • Filename—Name of the uploaded file that contains YARA rules.
    • ScanningTime—Date and time when the YARA rule triggered, specified in the ISO 8601:2004 format (YYYY-MM-DDThh:mm:ssZ).
  • Suricata:
    • Status—Status of the triggered Suricata rule; see the description below.
    • Filename—Name of the uploaded file that contains Suricata rules.
    • ScanningTime—Date and time when the Suricata rule triggered.

Possible Status values for YARA and Suricata rules:

  • not scanned—Rules were not submitted.
  • created—Scan task created.
  • scanning—Scan task is in progress.
  • matched—Scan completed successfully, there are detections.
  • truncated—Suricata scan completed successfully and there are detections, but some results have been removed: no more than 50,000 records remain, with no more than 25 hits per rule. This status is returned for Suricata rules only; YARA rule scan results are not filtered.
  • not matched—Scan completed successfully, there are no detections.
  • syntax error—Rules are not validated by regular expression.
  • processing error—An error occurred while scanning with validated rules. There may be detections.

VncAccess—Indicates whether the VNC access was used for the task:

  • true—VNC access was used.
  • false—VNC access was not used.

VncSampleAutostart—Indicates whether automatic sample start was enabled in the VNC mode.

  • true—Automatic sample start was enabled.
  • false—Automatic sample start was not enabled.

VncStarted—Date and time when VNC was started for the task.

VncTimeLeft—Time till the VNC access will be disabled, in seconds.

VncStatus—Indicates if VNC is currently active for the task.

  • true—VNC is currently active.
  • false—VNC is currently inactive.

DisableClicker—Indicates whether clicker was disabled in the VNC mode.

  • true—Clicker was disabled.
  • false—Clicker was enabled.

detection-names.csv

Information about objects detected during file execution.

Zone—Danger zone to which the object refers (for example, "Red" for "Malware", "Yellow" for "Adware and other", "Orange" for "Not trusted" web addresses, "Green" for "Clean", "Grey" for "Not categorized").

Threat—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

DetectTechnology—Technology that was used to detect the object:

  • AvsScaner—Object detected during static analysis.
  • SBScaner—Object detected in Sandbox logs.
  • KPSN—Object detected by Kaspersky Private Security Network.

triggered-network-rules.csv

Information about Suricata rules triggered during analysis of traffic from the executed object.

Zone—Danger zone (level) of the network traffic detected by the Suricata rule (for example, High).

RuleName—Suricata rule name (for example, Trojan.Agent.HTTP.C&C).

triggered-yara-rules.csv

Information about YARA rules that were triggered during analysis of traffic from the executed file and from the files that were transferred or dropped during the execution.

RuleName—Name of the triggered YARA rule.

FileType—Source of the file detected by the YARA rule (Sample, Transferred, Dropped).

Zone—Danger zone of the file detected by the YARA rule.

Status—Danger level of the file detected by the YARA rule.

MD5—MD5 hash of the file detected by the YARA rule.

Tags—Tags of the YARA rule, separated by commas.

triggered-custom-suricata-rules.csv

Information about custom Suricata rules triggered during analysis of traffic from the executed file and from the files that were transferred or dropped during the execution.

The response structure contains the data received directly from the Suricata scanner. For more details about the data structure, refer to the Suricata documentation.

timestamp—Date and time when an alert was registered.

event_type—Event type, for example "alert".

flow_id—Flow ID.

src_ip—Source IP address.

src_port—Source port number.

dest_ip—Destination IP address.

dest_port—Destination port number.

proto—Protocol used, for example, "UDP".

app_proto—Application level protocol, for example "TLS".

packet_info—Information about a packet:

  • linktype—Link type, for example, "1".

alert—Alert description:

  • action—Performed action. Possible values: "allowed" and "blocked".
  • gid—Group ID.
  • signature_id—User-specified numeric rule ID. Each rule in a set has a unique ID.
  • rev—User-specified rule version. Custom versions allow you to vary version numbers of the same rule while retaining the same signature_id.
  • signature—Detected object name.
  • category—Alert category.
  • severity—Alert danger level.

packet—Packet.

screens (folder)

Set of screenshots (PNG images) that were taken during the file execution.

suspicious-activities.csv

Information about registered suspicious activities.

Name—Code of a suspicious activity description (for example, RegistryValueUpdate).

Description—Complete description of the activity.

Zone—Danger zone (level) of the registered activity (for example, High).

Severity—Numerical value of the danger level of the registered activity (for example, 555).

Techniques—Structure containing codes of MITRE ATT&CK tactics, techniques, and sub-techniques to which the activity may be related.

Props—Attributive description of the registered activity.

The file also contains other fields used by the system for technical purposes (linking and categorizing activities).

loaded-images.csv

Information about loaded images that were detected during the file execution.

Process ID—Integer process identifier.

Thread ID—Integer thread identifier.

Path—Full path to the loaded image (for example, \\Windows\\SysWOW64\\rpcrt4.dll).

Size—Size of the loaded image, in bytes (for example, 555).

Image Base—Preferred address of the first byte of image when loaded into memory.

The file also contains other fields used by the system for technical purposes (linking and categorizing activities).

file-operations.csv

Information about file operations that were registered during the file execution.

Process ID—Integer process identifier.

Thread ID—Integer thread identifier.

Operation—Operation name (for example, FILE_CREATED).

Path—The Name attribute of the operation (for example, $selfpath\\KL_APT_SANDBOX_TEST_MARKER_FILE).

Size—The Size attribute of the operation (for example, 555).

registry-operations.csv

Information about operations performed on the operating system registry detected during file execution.

Process ID—Integer process identifier.

Operation—Operation name (for example, REG_CREATE_KEY).

Key—The Key attribute of the operation (for example, \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisableUserModeCallbackFilter).

Thread ID—Integer thread identifier.

Value Name—The Value attribute of the operation (for example, 1).

process-operations.csv

Information about interactions of the file with various processes registered during file execution.

Process ID—Integer process identifier.

Operation—Operation name (for example, PROCESS_STARTED).

Path—Name and path of the process that interacted with the executed file (for example, $windir\\explorer.exe).

Command Line—Command line parameters that were used.

Requestor Process ID—Integer requestor process identifier.

sync-operations.csv

Information about operations of created synchronization objects registered during file execution.

Process ID—Integer process identifier.

Operation—Type of created synchronization object (for example, mutex).

Name—Name of created synchronization object (for example, Skyz.Messaging.ThreadPooling.MyAppSingleInstance).

downloaded-files.csv

Information about files extracted from network traffic during file execution.

Zone—Danger level of the downloaded file (for example, Red).

Md5—MD5 hash of the downloaded file.

Sha1—SHA1 hash of the downloaded file.

Sha256—SHA256 hash of the downloaded file.

Name—Downloaded file's name.

DetectionNames—Name of the detected object (for example, Trojan-Downloader.Script.Generic).

Traffic—Traffic that the downloaded file was extracted from (HTTP or HTTPS).

TriggeredYaraRules—List of triggered YARA rules.

Size—Downloaded file's size (in bytes).

Type—Downloaded file's type.

dropped-files.csv

Information about files saved by the executed file.

Zone—Danger level of the dropped file (for example, Red).

Md5—MD5 hash of the dropped file.

Sha1—SHA1 hash of the dropped file.

Sha256—SHA256 hash of the dropped file.

Size—Dropped file's size (in bytes).

Type—Dropped file's type.

DetectionNames—Name of the detected object (for example, Trojan-Downloader.Script.Generic).

FileName—File name of the dropped file (for example, sample.exe).

TriggeredYaraRules—List of triggered YARA rules.

sample-content.csv

Information about the content of the packed file. Use the default password infected to unzip the archive.

Zone—Color of the danger zone (level) of the file.

MD5—MD5 hash of the file.

SHA1—SHA1 hash of the file.

SHA256—SHA256 hash of the file.

Path—File name and path to it from the uploaded object's root.

Packer—Name of the packer with which the uploaded object is packed.

Type—Automatically detected type of the file.

DetectionNames—Names of the detected objects (for example, HEUR:Exploit.Script.Blocker).

Size—Size of the file in bytes.

sample-content.zip

Archive that contains the files included in the packed object. Use the default password infected to unzip the archive.

The archive can only be exported separately. It is not exported when you export all task results.

network.pcap

Information about snapshots of network activity.

matrix.csv

Information about known tactics, techniques and procedures (TTPs), and mapping with MITRE ATT&CK classification for the executed object.

Id—ID of a tactic.

Name—Name of a tactic.

Url—Web address to the tactic's description on MITRE ATT&CK web site.

Techniques—Information about techniques, containing the following:

  • Id—ID of a technique.
  • Name—Name of a technique.
  • Url—Web address of the technique's description on the MITRE ATT&CK web site.
  • SubTechniques—Description of the sub-techniques.

manifest.zip

Information about Android app manifest.

static-modules.csv

Android app modules detected by static analysis.

Path—Path to the app module.

Description—Description of the app module.

static-permissions.csv

Android app permissions detected by static analysis.

Status—Status (danger level) of the permission.

Severity—Severity of the permission's danger.

Permission—Permission's value.

Description—Detailed description of the permission.

static-components.csv

Android app components detected by static analysis.

Status—Status (danger level) of the component.

Severity—Severity of the component's danger.

Component—Component name.

Description—Detailed description of the component.

Intent filters—List of filters applied to the component.

static-bundle.csv

Android App Bundle (APK).

Type—File type (Module, Icon, or Picture).

Path—File path and name.

Size—File size.

MD5—MD5 hash of the file.

static-images.csv

Android App Bundle images.

network-traffic-tables-IpSessions.csv

Information about IP sessions that were registered during file execution.

source_address—Source IP address.

dest_address—Destination IP address.

start_time—Date and time when the IP session started.

end_time—Date and time when the IP session ended.

data_length—Size of data that was sent and received within the IP session (in bytes).

packets_count—Number of packets that were sent and received within the IP session.

network-traffic-tables-TcpSessions.csv

Information about TCP sessions that were registered during file execution.

source_port—Source port number (0–65536).

dest_port—Destination port number (0–65536).

data_length—Size of data that was sent and received within the TCP session (in bytes).

packets_count—Number of packets that were sent and received within the TCP session.

packets_syn—Number of SYN packets that were sent and received within the TCP session.

packets_fin—Number of FIN packets that were sent and received within the TCP session.

packets_outoforder—Number of out-of-order packets that were sent and received within the TCP session.

packets_acks_postloss—Number of lost ACK packets that were sent and received within the TCP session.

packets_acks_duplicate—Number of duplicated ACK packets that were sent and received within the TCP session.

window_in_diff—Number of incoming segments (bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received.

window_out_diff—Number of outgoing segments (bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.

source_ip—Source IP address.

destination_ip—Destination IP address.

network-traffic-tables-UdpSessions.csv

Information about UDP sessions that were registered during file execution.

source_port—Source port number (0–65536).

dest_port—Destination port number (0–65536).

data_length—Size of data that was sent and received within the UDP session (in bytes).

packets_count—Number of packets that were sent and received within the UDP session.

source_ip—Source IP address.

destination_ip—Destination IP address.

network-traffic-tables-DnsSessions.csv

Information about DNS sessions that were registered during file execution.

id—DNS message ID.

qr—Request/response indicator (0—DNS query, 1—DNS response).

rcode—DNS response code.

data_length—Size of data that was sent and received within the DNS session (in bytes).

packets_count—Number of packets that were sent and received within the DNS session.

dns_records—Records in the message. For each record, its name, section, and type are displayed; the TTL and Data fields are shown if available.

network-traffic-tables-DnsMessages.csv

Information about DNS messages that were registered during file execution.

Section—Section name.

Name—Type of data in the section.

TTL—Time for which the DNS record may be cached by each intermediate host (in seconds).

Data—Data in the returned section.

DnsSessionId—Identifier of the message to which the DNS record belongs.

network-traffic-tables-FtpSessions.csv

Information about FTP sessions that were registered during file execution.

CommandName—Command name.

CommandArg—Command argument.

ReplyCode—Reply code.

ReplyMsg—Reply message from a server.

Md5—MD5 hash of the file that was transferred when the command was executed.

DataChannelClientIp—FTP client address.

DataChannelServerIp—FTP server address.

DataChannelServerPort—Port number of the FTP server.

network-traffic-tables-HttpSessions.csv

Information about HTTP requests that were registered during the file execution.

Status—Danger zone (level) of a URL in the HTTP request.

Scheme—URL's scheme (traffic type).

Method—Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

URL—URL to which the request was registered.

ResponseCode—Response code of the HTTP request.

ResponseLength—Size of the response to the HTTP request in bytes.

RequestHeaders—Standard request headers as defined in RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1), provided as <name>:<value> pairs.

ResponseHeaders—Standard response headers as defined in RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1), provided as <name>:<value> pairs.

RequestBody—Body of the request (Md5, Name, Size).

ResponseBody—Body of the response (Md5, Name, Size).

network-traffic-tables-SslSessions.csv

Information about SSL sessions that were registered during file execution.

Version—TLS protocol version.

Cipher—Cryptographic algorithm.

Curve—Curve class.

ServerName—Name of the server.

Subject—Subject name.

Issuer—Issuer name.

network-traffic-tables-IrcSessions.csv

Information about IRC sessions that were registered during file execution.

Command—Command name.

User—User name.

Nick—User's nickname.

Channels—Names of channels to connect to during the IRC session.

Sender—Nickname of the command's sender.

Channel—Name of the channel to send the message to during the IRC session.

Text—Text that was sent during the IRC session.

network-traffic-tables-Pop3Sessions.csv

Information about POP3 sessions that were registered during file execution.

Type—Command type.

Command—Command result.

Arguments—Command arguments.

Message—Description of the result of the command.

network-traffic-tables-SmbSessions.csv

Information about SMB sessions that were registered during file execution.

DestinationIP—Session's destination IP address.

DestinationPort—Destination port number (0–65536).

Version—Protocol version.

CommandName—Command name.

CommandStatus—Command execution status.

Md5—MD5 hash of the file transferred during the command execution.

network-traffic-tables-SmtpSessions.csv

Information about SMTP sessions that were registered during file execution.

From—Sender's name and address.

To—Receivers' names and addresses.

Subject—Message subject.

Files—List of MD5 hashes of attached files.

network-traffic-tables-HttpProxySessions.csv

Information about HTTP proxy sessions that were registered during file execution.

network-traffic-tables-SocksSessions.csv

Information about SOCKS sessions that were registered during file execution.

Version—SOCKS protocol version.

RequestHost—IP address or fully qualified domain name (FQDN) to which the connection request was made via the SOCKS protocol.

RequestPort—Number of the TCP port to which a connection request was made via the SOCKS protocol (0–65536).

BoundHost—IP address or fully qualified domain name (FQDN) to which the connection was established.

BoundPort—Number of the TCP port to which the connection was established (0–65536).
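As an added example (not Kaspersky's code or documentation), the following script reads an exported CSV archive into a triage summary using only what this page documents: comma-separated files with a header row, files absent when their section has no data, the single-entry sample-and-execution-properties.csv, and the default `<object MD5>-csv.zip` archive name. The archive contents are constructed in memory; the hashes and task ID in it are placeholders.

```python
import csv
import io
import re
import zipfile

# Constructed sample archive (not real sandbox output): three of the documented
# files, each with a header row. suspicious-activities.csv is deliberately left
# out, mirroring "if there is no data for a section, the file is not included".
SAMPLE_MD5 = "0123456789abcdef0123456789abcdef"  # constructed placeholder hash
SAMPLE_FILES = {
    "sample-and-execution-properties.csv":
        "TaskID,TaskState,Zone,Status,Md5,VirtualMachineID,IsDataAvailable\n"
        f"11111111-2222-3333-4444-555555555555,completed,Red,Malware,{SAMPLE_MD5},Win7_x64,true\n",
    "detection-names.csv":
        "Zone,Threat,DetectTechnology\n"
        "Red,HEUR:Exploit.Script.Blocker,SBScaner\n"
        "Yellow,Trojan-Downloader.Script.Generic,AvsScaner\n",
    "dropped-files.csv":
        "Zone,Md5,Sha256,Size,Type,DetectionNames,FileName,TriggeredYaraRules\n"
        f"Red,{'a' * 32},{'b' * 64},539136,PE,Trojan-Downloader.Script.Generic,sample.exe,\n"
        f"Green,{'c' * 32},{'d' * 64},12,TXT,,notes.txt,\n",
}


def build_sample_archive() -> bytes:
    """Pack the constructed files into an in-memory .zip shaped like the export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in SAMPLE_FILES.items():
            zf.writestr(name, text)
    return buf.getvalue()


def read_table(zf: zipfile.ZipFile, name: str) -> list:
    """Rows of one CSV as dicts keyed by its header row; [] if the file is absent."""
    if name not in zf.namelist():
        return []
    with zf.open(name) as fh:
        return list(csv.DictReader(io.TextIOWrapper(fh, encoding="utf-8", newline="")))


def summarize(archive_bytes: bytes, archive_name: str = None) -> dict:
    """Reduce one export to the fields a triage pipeline would key on."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        props_rows = read_table(zf, "sample-and-execution-properties.csv")
        if len(props_rows) != 1:  # the page states this file holds exactly one entry
            raise ValueError("expected one entry in sample-and-execution-properties.csv")
        props = props_rows[0]
        detections = read_table(zf, "detection-names.csv")
        dropped = read_table(zf, "dropped-files.csv")
        activities = read_table(zf, "suspicious-activities.csv")
    by_zone = {}
    for row in detections:
        by_zone[row["Zone"]] = by_zone.get(row["Zone"], 0) + 1
    # Default archive name is <object MD5>-csv.zip; cross-check it against the Md5 column.
    name_ok = None
    if archive_name is not None:
        m = re.fullmatch(r"([0-9a-fA-F]{32})-csv\.zip", archive_name)
        name_ok = bool(m) and m.group(1).lower() == props["Md5"].lower()
    return {
        "task_id": props["TaskID"],
        "task_state": props["TaskState"],
        "data_available": props.get("IsDataAvailable", "").lower() == "true",
        "verdict": (props["Zone"], props["Status"]),
        "detections_by_zone": by_zone,
        "red_dropped_md5": sorted(r["Md5"] for r in dropped if r["Zone"] == "Red"),
        "suspicious_activity_count": len(activities),
        "archive_name_matches_md5": name_ok,
    }
```

A renamed archive yields `archive_name_matches_md5: False`, and a missing section (here suspicious-activities.csv) yields a zero count rather than an error.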
