Deep scan report for dynamic malware analysis

If Dynamic Analysis is enabled and a threat was detected for a file that is up to 64 MB, a deep scan report in PDF format is available for download in ETP. You can download the report from the associated threat event. The report is available for download for 30 days.

The deep scan report details the results of the scans completed in the sandbox environment. Depending on the type of content that was analyzed and the scan results, the report may contain the data listed below, grouped by report section.

Analysis Overview
  MD5: MD5 hash of the analyzed file or content.
  SHA1: SHA1 hash of the analyzed file or content.
  MIME Type: Multipurpose Internet Mail Extensions (MIME) type that identifies the format of the analyzed file or content.
  Analysis report create time: Timestamp when the report was created.
  Most recent submission time: Timestamp of the most recent request that triggered dynamic malware analysis of this file.
  Sandbox execution description: Describes the sandbox environment where dynamic malware analysis occurred, for example the operating system of the environment.
  Sandbox execution start time: Timestamp when analysis of the file started in the sandbox environment.
  Sandbox execution end time: Timestamp when analysis of the file ended in the sandbox environment.

Threat Level
  Threat Level: Provides the name of the file and a score that ranges from 0 to 100. Depending on the score, this applies:
    • If the score is less than 30, the file is benign.
    • If the score is 30 or more but less than 70, the file is considered suspicious.
    • If the score is 70 or more, the file is malicious.

Malicious Activity Summary
  Anomaly: Indicates that anomalous behavior associated with malicious code was detected.
  Family: Threat family associated with the malicious activity.
  Code: Indicates that malicious code is present in the file.
  Structure: Indicates that malicious code is embedded in the structure of the file.
  Autostart: Indicates that the file contains code that runs automatically when the analyzed file is opened.
  Execution: Indicates that the analyzed file can execute shell commands, read from or write to disk, and run programs.
  Network: Indicates that the analyzed file can communicate over the network.
  Signature: Indicates that trojan code was identified by signature.

Analysis Subject
  Command Line: How the process was started from the analyzed file. The exact command line is provided.

Libraries Loaded
  Libraries: Library files that were loaded by the analyzed file or content.

Console I/O
  Console Writes: Console output that the analyzed file produced in the sandbox environment.

Device I/O
  Devices: Device interactions that occurred when the file ran in the sandbox environment, including any keyboard input.

File System Activity
  Files Written: Files written by the analyzed file or content.
  Files Read: Files read by the analyzed file or content.
  Files Deleted: Files deleted by the analyzed file or content.

Registry Activity
  Registry Values Modified: Registry values that were modified in the sandbox environment by the analyzed file or content.
  Registry Values Read: Registry values that were read in the sandbox environment by the analyzed file or content.
  Registry Values Deleted: Registry values that were deleted in the sandbox environment by the analyzed file or content.
  Registry Values Monitored: Registry values that were monitored in the sandbox environment by the analyzed file or content.

Process Interactions
  Process Operations: Operations performed by a process that interacts with the analyzed file or content.
  Services Created: Services created by the analyzed file or content.
  Services Started: Services started by the analyzed file or content.
  Services Stopped: Services stopped by the analyzed file or content.
  Services Changed: Services that were modified by the analyzed file or content.

Mutex Activity
  Mutexes Created: Mutexes (mutual exclusion objects) created by the analyzed file or content. A mutex prevents multiple threads or processes from using the same resource at the same time. Malware commonly creates a uniquely named mutex so that only one copy of itself runs on a host, which makes the mutex name a useful indicator.
  Mutexes Opened: Mutexes opened by the analyzed file or content.

Exceptions
  Exceptions Raised: Exceptions or events raised by the analyzed file or content that disrupted its execution.

Network Activity
  Name resolution: Any hostname resolution performed by the analyzed file or content.
  Downloaded Files: Files that were downloaded by the analyzed file or content.
  HTTP Traffic: HTTP traffic generated by the analyzed file or content.
  FTP Traffic: FTP traffic generated by the analyzed file or content.
  IRC Traffic: Internet Relay Chat (IRC) traffic generated by the analyzed file or content.
  SMTP Traffic: SMTP traffic generated by the analyzed file or content.
  Other TCP/UDP Traffic: Other TCP or UDP traffic generated by the analyzed file or content.

Analysis Details
  Network activity: Network activity that was detected during analysis. This field may list URLs, content types, and the activity that was detected.
  Code execution: Code that was executed during the analysis.
  Memory contents: Contents of memory captured (fingerprinted) from the analyzed file or content during the analysis.
  Plugins: Plugins that were loaded during the analysis.
  Exploits: Exploits for known vulnerabilities that were detected during the analysis.
  Shellcode: Shellcode detected during the analysis.
  Spawned processes: Processes that were started unexpectedly during the analysis.
  Dropped files: Files that were dropped into the sandbox environment during the analysis.

Signatures
  YARA Signatures: YARA rules that matched during the analysis.
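The fields above are most useful when the report is turned into something a SOC can act on: a verdict from the documented score thresholds, a check that the report's MD5/SHA1 really match the file from the threat event, and a list of indicators (resolved hostnames, URLs, mutex names, dropped files) to push to a SIEM or blocklist. The following is an added example and not Akamai's code or part of this page. It assumes the PDF has already been converted into a Python dict keyed by the documented field names; that conversion step, the key names (md5, sha1, score, name_resolution, and so on), and the sample report and file bytes are all constructed for illustration.

```python
"""Triage helper for an ETP deep scan report (added example, not Akamai code).

Assumes the PDF report has already been converted into a dict whose keys
mirror the field names documented on this page. The key names, the sample
report and the sample file bytes below are constructed for illustration.
"""
import hashlib
import re

BENIGN_MAX = 30      # score < 30  -> benign
MALICIOUS_MIN = 70   # score >= 70 -> malicious (30..69 -> suspicious)


def threat_level(score):
    """Map the 0-100 Threat Level score to the verdict the report uses."""
    if not 0 <= score <= 100:
        raise ValueError("score must be between 0 and 100, got %r" % (score,))
    if score < BENIGN_MAX:
        return "benign"
    if score < MALICIOUS_MIN:
        return "suspicious"
    return "malicious"


def hashes_match(content, report):
    """Confirm the report describes the same bytes as the blocked file."""
    return (hashlib.md5(content).hexdigest() == report["md5"].lower()
            and hashlib.sha1(content).hexdigest() == report["sha1"].lower())


# Host part of a URL or bare hostname, e.g. "http://host.example/x" -> host.example
HOST_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def extract_iocs(report):
    """Collect indicators from the Network, Mutex and Analysis Details sections."""
    iocs = {"hashes": {report["md5"].lower(), report["sha1"].lower()},
            "hosts": set(), "urls": set(), "mutexes": set(), "dropped_files": set()}
    for name in report.get("name_resolution", []):
        iocs["hosts"].add(name.lower())
    for url in report.get("http_traffic", []):
        iocs["urls"].add(url)
        m = HOST_RE.match(url)
        if m:
            iocs["hosts"].add(m.group(1).lower())
    iocs["mutexes"].update(report.get("mutexes_created", []))
    iocs["dropped_files"].update(report.get("dropped_files", []))
    return iocs


def triage(report, content=None):
    """Build a one-screen summary: verdict, hash check, behaviour flags, IOCs."""
    summary = {
        "file": report["file_name"],
        "verdict": threat_level(report["score"]),
        "hash_verified": None if content is None else hashes_match(content, report),
        "flags": [],
        "iocs": extract_iocs(report),
    }
    activity = report.get("malicious_activity", {})
    if activity.get("autostart") or report.get("services_created"):
        summary["flags"].append("persistence")
    if activity.get("network") or summary["iocs"]["hosts"]:
        summary["flags"].append("network")
    if report.get("dropped_files") or report.get("spawned_processes"):
        summary["flags"].append("dropper")
    if activity.get("family"):
        summary["flags"].append("family:" + activity["family"])
    return summary


# Constructed sample: bytes standing in for the blocked file, and a report
# built to match them. Hostnames use a reserved example domain.
SAMPLE_CONTENT = b"MZ-constructed-sample-bytes-not-a-real-binary"
SAMPLE_REPORT = {
    "file_name": "invoice.exe",
    "md5": hashlib.md5(SAMPLE_CONTENT).hexdigest(),
    "sha1": hashlib.sha1(SAMPLE_CONTENT).hexdigest(),
    "score": 82,
    "malicious_activity": {"anomaly": True, "autostart": True,
                           "execution": True, "network": True, "family": None},
    "name_resolution": ["update.example.net"],
    "http_traffic": ["http://update.example.net/cfg.bin"],
    "mutexes_created": ["Global\\constructed-sample-mutex"],
    "services_created": [],
    "dropped_files": ["C:\\Users\\Public\\svch0st.exe"],
    "spawned_processes": ["cmd.exe /c whoami"],
}

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_CONTENT)
    print(result["file"], result["verdict"], "hash_verified=%s" % result["hash_verified"])
    print("flags:", ", ".join(result["flags"]))
    for kind, values in result["iocs"].items():
        print("%s: %s" % (kind, ", ".join(sorted(values))))
```

The hash check is worth keeping in any automation: the report is fetched from a threat event and kept for 30 days, so verifying MD5 and SHA1 against the bytes you actually captured guards against pairing a report with the wrong sample.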