Investigation Package

The investigation package helps administrators and investigators inspect and interpret threat data generated from samples analyzed by Virtual Analyzer. It includes files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the affected host or network.

The table below describes some of the files within the investigation package that will aid in an investigation.

Table 1. Investigation Package Contents

| Path within the Investigation Package | Description |
|---|---|
| `\%SHA1%` | Each folder at the root level, with an SHA-1 hash value as its name, is associated with one object. More than one folder of this type will only exist if the first object is an archive file or an email message. |
| `\%SHA1%\%imageID%` | Associated with a sandbox image that analyzed the object. |
| `\%SHA1%\%imageID%\drop\droplist` | Contains a list of the files that were generated or modified during analysis. |
| `\%SHA1%\%imageID%\memory\image.bin` | Contains the raw memory dump taken after the process was launched into memory. |
| `\%SHA1%\%imageID%\pcap\%SHA1%.pcap` | Contains captured network data that can be used to extract payloads. The file does not exist if no network data was generated. |
| `\%SHA1%\%imageID%\report\report.xml` | Contains the final analysis report for a single object for a specific image. |
| `\%SHA1%\%imageID%\report\so.xml` | Contains a list of all suspicious objects detected during analysis. This file is empty if no suspicious objects were detected during analysis. |
| `\%SHA1%\%imageID%\report\SHA1.ioc` | Contains technical characteristics that identify an attacker's tactics, techniques and procedures, or other evidence of compromise. |
| `\%SHA1%\%imageID%\screenshot\%SHA1%-%N%.png` | A screenshot of a UI event that occurred during analysis. The file does not exist if no UI events occurred during analysis. |
| `\common` | Contains files that are common amongst all of the samples. |
| `\common\drop\%%` | Files generated or modified during analysis. |
| `\common\sample\%SHA1%` | The submitted sample. |
| `\common\sample\extracted\%SHA1%` | Files extracted from the sample during analysis. |
| `\%SHA1%.report.xml` | The final analysis report for all objects. |
| `\%SHA1%\%imageID%\extrainfo` | Contains files related to the sandbox image that analyzed the object. |
| `\%SHA1%\%imageID%\extrainfo\extra_info.xml` | Contains additional details about the sandbox image that analyzed the object. |
| `\%SHA1%\%imageID%\strings` | Contains files related to the sandbox image that analyzed the object. |
| `\%SHA1%\%imageID%\strings\%SHA1%.string` | Contains the string dump retrieved from the object during analysis in the sandbox image. |
| `\%SHA1%.ioc` | The IOC file. |
| `\%SHA1%_ioc.stix` | The STIX IOC file. |
| `\%SHA1%_so.stix` | The STIX SO file. |
| `\%SHA1%_so_stix2.json` | The STIX2 SO file. |
| `\%SHA1%_ioc_stix2.json` | The STIX2 IOC file. |
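As an added example (not Trend Micro code), the script below walks an extracted investigation package using the layout in the table and summarizes, per sandbox image, which artifacts are present: whether a pcap exists (network activity), whether so.xml is non-empty (suspicious objects), how many screenshots were taken (UI events) and how many dropped files are listed. The package tree it builds for demonstration is constructed in a temporary directory with a placeholder hash, not real sample data.

```python
import os
import re
import tempfile

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")  # root-level object folders are named by SHA-1

def inventory_package(root):
    """Return {sha1: {image_id: summary}} for every object/sandbox-image pair in the package."""
    result = {}
    for sha1 in sorted(os.listdir(root)):
        obj_dir = os.path.join(root, sha1)
        if not SHA1_RE.match(sha1) or not os.path.isdir(obj_dir):
            continue  # skip \common and the top-level report/IOC/STIX files
        result[sha1] = {}
        for image_id in sorted(os.listdir(obj_dir)):
            img = os.path.join(obj_dir, image_id)
            if not os.path.isdir(img):
                continue
            pcap = os.path.join(img, "pcap", f"{sha1}.pcap")
            so_xml = os.path.join(img, "report", "so.xml")
            shots = os.path.join(img, "screenshot")
            droplist = os.path.join(img, "drop", "droplist")
            dropped = 0
            if os.path.isfile(droplist):
                with open(droplist) as f:
                    dropped = sum(1 for line in f if line.strip())
            result[sha1][image_id] = {
                # the pcap is absent when the sample generated no network data
                "network_traffic": os.path.isfile(pcap),
                # so.xml exists but is empty when nothing suspicious was detected
                "suspicious_objects": os.path.isfile(so_xml) and os.path.getsize(so_xml) > 0,
                # one %SHA1%-%N%.png per UI event; the folder may be empty or missing
                "ui_events": len([p for p in os.listdir(shots) if p.endswith(".png")]) if os.path.isdir(shots) else 0,
                "dropped_files": dropped,
            }
    return result

def build_sample_package():
    """Construct a minimal package tree for demonstration (placeholder hash, constructed data)."""
    root = tempfile.mkdtemp()
    sha1 = "a" * 40  # placeholder, not a real sample hash
    img = os.path.join(root, sha1, "img01")
    for sub in ("drop", "memory", "pcap", "report", "screenshot"):
        os.makedirs(os.path.join(img, sub))
    os.makedirs(os.path.join(root, "common", "sample"))
    with open(os.path.join(img, "drop", "droplist"), "w") as f:
        f.write("C:\\Users\\Public\\a.tmp\nC:\\Users\\Public\\b.dll\n")  # constructed entries
    open(os.path.join(img, "report", "so.xml"), "w").close()  # empty: no suspicious objects
    open(os.path.join(img, "screenshot", f"{sha1}-1.png"), "wb").close()  # one UI event; no pcap written
    return root, sha1
```

Calling `inventory_package` on the tree from `build_sample_package` reports no network traffic, no suspicious objects, one UI event and two dropped files for image `img01`.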