Network activities

Kaspersky Research Sandbox provides information about activities that were registered during file execution. The results are displayed in separate tables, each of which contains up to 10 entries.

Network interactions

For each table, the list below gives its name, a description, and the fields it contains.

IP sessions

IP sessions that were registered during file execution.

Status—Status (Dangerous, Not trusted, Good, or Not categorized) of the destination IP address.

Destination IP address—Destination IP address. Items are clickable. You can copy the item to the clipboard (Copy to clipboard drop-down list option) or navigate to Kaspersky Threat Intelligence Portal (Lookup drop-down list option).

Started—Date and time when the IP session started.

Ended—Date and time when the IP session ended.

Size—Size of data that was sent and received within the IP session (in bytes).

Packets—Number of packets that were sent and received within the IP session.

TCP sessions

TCP sessions that were registered during file execution.

Source port—Source port number (0–65536).

Destination port—Destination port number (0–65536).

Size—Size of data that was sent and received within the TCP session (in bytes).

Packets—Number of packets that were sent and received within the TCP session.

SYN packets—Number of SYN packets that were sent and received within the TCP session.

FIN packets—Number of FIN packets that were sent and received within the TCP session.

Out-of-order packets—Number of out-of-order packets that were sent and received within the TCP session.

Lost ACK packets—Number of lost ACK packets that were sent and received within the TCP session.

Duplicated ACK packets—Number of duplicated ACK packets that were sent and received within the TCP session.

Window In—Incoming window size (in bytes): the amount of data that can be sent from server to client before an acknowledgment (ACK packet) is received.

Window Out—Outgoing window size (in bytes): the amount of data that can be sent from client to server before an acknowledgment (ACK packet) is received.

UDP sessions

UDP sessions that were registered during file execution.

Source port—Source port number (0–65536).

Destination port—Destination port number (0–65536).

Size—Size of data that was sent and received within the UDP session (in bytes).

Packets—Number of packets that were sent and received within the UDP session.

DNS sessions

DNS sessions that were registered during file execution.

ID—DNS message ID.

QR—Request/response indicator (0—DNS query, 1—DNS response).

RCode—DNS response code.

Size—Size of data that was sent and received within the DNS session (in bytes).

Packets—Number of packets that were sent and received within the DNS session.

Records—Records in the message. You can click the Show records link to view detailed information about records. For each record, its name, section, and type are displayed; the TTL and Data fields are shown when available.
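The DNS session fields above (ID, QR, RCode, and the per-record name, section, type, TTL and Data) are read straight from the DNS wire format. The following added example, which is not part of the Kaspersky documentation or product, parses a constructed DNS response into exactly those fields so the table columns can be related to the packet; the sample packet and the helper names are assumptions of this example.

```python
import struct

# Constructed sample (not captured from a real sandbox run): a DNS response to an
# A query for example.com, answering 192.0.2.1 (RFC 5737 documentation range).
SAMPLE_RESPONSE = bytes.fromhex(
    "1a2b" "8180" "0001" "0001" "0000" "0000"          # header: ID, flags, QD/AN/NS/AR counts
    "076578616d706c6503636f6d00" "0001" "0001"          # question: example.com, type A, class IN
    "c00c" "0001" "0001" "0000012c" "0004" "c0000201"   # answer: name ptr, A, IN, TTL 300, RDATA
)

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(msg, off):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035, section 4.1.4)
            if not jumped:
                end = off + 2                # the caller resumes after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg):
    """Return the fields the DNS sessions table shows: ID, QR, RCode and records."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    result = {"id": ident, "qr": flags >> 15, "rcode": RCODES.get(rcode, rcode), "records": []}
    off = 12
    for _ in range(qd):                      # question section: name and type only
        name, off = read_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                             # skip QTYPE and QCLASS
        result["records"].append({"name": name, "section": "question", "type": TYPES.get(qtype, qtype)})
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):               # resource records carry TTL and data as well
            name, off = read_name(msg, off)
            rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            data = ".".join(str(b) for b in rdata) if rtype == 1 else rdata.hex()
            result["records"].append({"name": name, "section": section, "type": TYPES.get(rtype, rtype), "ttl": ttl, "data": data})
    return result
```

For the sample packet, parse_dns returns QR 1 (a response), RCode NOERROR, a question record for example.com of type A, and an answer record with TTL 300 and data 192.0.2.1.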

SSL sessions

SSL sessions that were registered during file execution.

Version—TLS protocol version.

Cipher—Cryptographic algorithm.

Curve—Curve class.

Server name—Name of the server.

Subject—Subject name.

Issuer—Issuer name.

FTP sessions

FTP sessions that were registered during file execution.

Command—Command name.

Status—Danger level.

Arguments—Command argument.

Reply code—Reply code.

File—File that was transferred when the command was executed.

Source address—FTP client address.

Destination address—FTP server address.

Destination port—Port number of the FTP server.

IRC sessions

IRC sessions that were registered during file execution.

Command—Command name.

User—User name.

Nick—User's nickname.

Channels—Names of channels to connect to during the IRC session.

Sender—Nickname of the command's sender.

Channel—Name of the channel to send the message to during the IRC session.

Text—Text that was sent during the IRC session.

POP3 sessions

POP3 sessions that were registered during file execution.

Type—Command type.

Command—Command result.

Arguments—Command arguments.

Message—Description of the result of the command.

SMB sessions

SMB sessions that were registered during file execution.

Destination IP—Session's destination IP address.

Destination port—Destination port number (0–65536).

Version—Protocol version.

Name—Command name.

Status—Command execution status.

File—File transferred during the command execution.

SMTP sessions

SMTP sessions that were registered during file execution.

From—Sender's name and address.

To—Receivers' names and addresses.

Subject—Message subject.

Files—List of MD5 hashes of attached files.

SOCKS sessions

SOCKS sessions that were registered during file execution.

Version—SOCKS protocol version.

Request host—IP address or fully qualified domain name (FQDN) to which the connection request was made via the SOCKS protocol.

Request port—Number of the port to which a connection request was made via the SOCKS protocol (0–65536).

Bound host—IP address or fully qualified domain name (FQDN) to which the connection was established.

Bound port—Number of the port to which the connection was established (0–65536).

HTTP requests

HTTP requests that were registered during file execution.

Zone—Danger zone (level) of a URL in the HTTP request. The URL can belong to one of the following zones:

  • Dangerous (there are malicious objects related to the URL).
  • Adware and other (there are objects related to the URL, which are legitimate but infected or compromised at the moment of the analysis).
  • Good (the URL is not malicious).
  • Not categorized (no information about the URL is available).

URL—URL to which the request was registered. Items are clickable. You can copy the item to the clipboard (Copy to clipboard drop-down list option) or navigate to Kaspersky Threat Intelligence Portal (Lookup drop-down list option).

Method—Method of sending an HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

Response code—Response code of the HTTP request.

Response length—Size of the response to the HTTP request in bytes.

Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed as key:value. Standard header names follow RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Custom headers (for example, x-ms-request-id) are highlighted in blue.

Items in the table are sorted by the Zone field, from Dangerous to Not categorized.

HTTPS requests

HTTPS requests that were registered during file execution.

Zone—Danger zone (level) of a URL in the HTTPS request. The URL can belong to one of the following zones:

  • Dangerous (there are malicious objects related to the URL).
  • Adware and other (there are objects related to the URL, which are legitimate but infected or compromised at the moment of the analysis).
  • Good (the URL is not malicious).
  • Not categorized (no information about the URL is available).

URL—URL to which the request was registered. Items are clickable. You can copy the item to the clipboard (Copy to clipboard drop-down list option) or navigate to Kaspersky Threat Intelligence Portal (Lookup drop-down list option).

Method—Method of sending an HTTPS request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

Response code—Response code of the HTTPS request.

Response length—Size of the response to the HTTPS request in bytes.

Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed as key:value. Standard header names follow RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Custom headers (for example, x-ms-request-id) are highlighted in blue.

Items in the table are sorted by the Zone field, from Dangerous to Not categorized.
