Report for analyzed files
After file execution, available analysis results are displayed on the report page.
In the mobile version of Kaspersky Threat Intelligence Portal, only the basic report for the file is displayed. You can use a desktop version to view the full report.
Depending on the executed file's zone, the MD5 hash and status of the executed file (Malware, Adware and other, Clean, or No threats detected) are displayed on the Report for hash panel in one of the following colors:
- Red—The executed file can be classified as Malware.
- Green—The executed file has a Clean or No threats detected status. The No threats detected status is applied if the file was not classified by Kaspersky, but it was previously scanned and/or analyzed, and no threats were detected at the time of the analysis.
- Yellow—The executed file is classified as Adware and other (Adware, Pornware, and other programs).
As soon as file execution completes, the panel is displayed in the corresponding color and the Submit to reanalyze button appears. You can use it to submit the file to Kaspersky experts for re-validation of the analysis result.
The report page contains the following:
- Overview—Displays general information about the analyzed file.
- Detection names—Displays information about detects related to the analyzed file that were previously reported in Kaspersky statistics.
- Dynamic analysis summary—Displays the last file scan date and graphics of detects, suspicious activities, extracted files, and network interactions detected during file execution.
- Results tab—Displays information about dynamic analysis detects and network rules triggered during analysis of traffic from the executed file. For registered users, execution map, information about suspicious activities, and screenshots are also available.
- Static analysis tab—Displays Portable Executable (PE) information and information about strings extracted during file execution.
- Sections that are available for registered users:
  - System activities tab—Displays information about activities that were registered during the file execution.
  - Extracted files tab—Displays information about files that were extracted from network traffic or saved by the executed file during the execution.
  - Network activities tab—Displays information about network activities that were registered during the file execution.
- Premium content—Displays sections that contain blurred data about the executed file. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.
Overview
Kaspersky Threat Intelligence Portal provides the following general information about analyzed files:
General information about files
| Field name | Description |
|---|---|
| Hits | Number of hits (popularity) of the analyzed file hash detected by Kaspersky expert systems. The number of hits is rounded to the nearest power of 10. |
| First seen | Date and time when the analyzed file hash was first detected by Kaspersky expert systems. |
| Last seen | Date and time when the analyzed file hash was last detected by Kaspersky expert systems. |
| Format | Analyzed file type. |
| Size | Analyzed file size. |
| Signed by | Organization that signed the file hash. |
| Packed by | Packer name (if any). |
| MD5 | MD5 hash of the analyzed file. |
| SHA1 | SHA1 hash of the analyzed file. |
| SHA256 | SHA256 hash of the analyzed file. |
Detection names
Kaspersky Threat Intelligence Portal provides the following information about detects related to the analyzed file and previously reported in Kaspersky statistics:
- Color of the zone that the detect belongs to (red or yellow).
- Date and time when the detect was last registered by Kaspersky expert systems.
- Name of the detect. You can click any entry to view its description on the Kaspersky threats website.
Dynamic analysis summary
Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, suspicious activities, extracted files, and network interactions detected during file execution:
Dynamic analysis summary for a file
| Chart name | Description |
|---|---|
| Detects | The total number of objects that were detected during file execution and the proportion of objects with Malware (red) or Adware and other (yellow) statuses. |
| Suspicious activities | The total number of suspicious activities registered during file execution and the proportion of activities with High (red), Medium (yellow), or Low (grey) levels. |
| Extracted files | The total number of files that were downloaded or dropped by the file during the execution process, and the proportion of files with the status of Malicious (extracted files that can be classified as malicious, in red), Adware and other (extracted files that can be classified as Not-a-virus, in yellow), Clean (extracted files that can be classified as not malicious, in green), or Not categorized (no or not enough information about the extracted files is available to categorize them, in grey). |
| Network activities | The total number of registered network interactions that the file performed during the execution process and the proportion of network interactions with the status of Dangerous (requests to resources with the Dangerous status, in red), Adware and other (requests to resources with the Adware and other status, in yellow), Good (requests to resources with the Good status, in green), or Not categorized (requests to resources with the Not categorized status, in grey). |
Results tab
Kaspersky Threat Intelligence Portal provides information about detected items and activities that were registered during the file execution. For registered users, execution map, information about suspicious activities, and screenshots are also available.
Dynamic analysis detects
Detects that were registered during the file execution.
Dynamic analysis detects
| Field name | Description |
|---|---|
| Status | Danger zone (level) associated with the detect (Malware or Adware and other). |
| Name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |
Triggered network rules
SNORT and Suricata rules that were triggered during analysis of traffic from the executed file.
Triggered network rules
| Field name | Description |
|---|---|
| Zone | Danger zone (level) associated with the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info). |
| Rule | SNORT or Suricata rule name. |
Execution map
Graphically represented sequence of the file activities and relationships between them.
Execution map is available only for registered users.
The root node of the tree represents the executed file. Each tree element is marked according to its danger level (High, Medium, or Low). You can click a tree element to view detailed information. You can also zoom the execution map by scrolling the map area.
Suspicious activities
Suspicious activities registered during the file execution.
This section is available only for registered users.
Suspicious activities
| Field name | Description |
|---|---|
| Zone | Danger zone (level) of the registered activity (High, Medium, Low). |
| Severity | Numerical value of the danger level of the registered activity (integer 1–999). |
| Description | Activity description. For example, "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Certain descriptions contain mapping with MITRE ATT&CK threat classification. For example, "MITRE: T1082 System Information Discovery." |
Screenshots
Set of screenshots that were taken during the file execution.
Screenshots are available only for registered users.
Static analysis tab
Kaspersky Threat Intelligence Portal provides PE information and information about extracted strings.
PE information
This section displays information about the structure of the executed file in Portable Executable (PE) format, if this information is available.
PE information
| Table name | Parameters |
|---|---|
| Sections | Name—File section name. Virtual size—Section size. Virtual address—Section's relative virtual address (RVA). Raw size—Section size in the file. |
| Export information | Name—Name of the file. Ordinal—Sequence number of the exported element. RVA—RVA of the exported element. Name—Name of the exported element. |
| Import information | Library—Name of the imported library (.dll). Function—Function name. Ordinal—Sequence number of the imported element. |
| Debug information | Time stamp—Date and time when the debug information was created. Type—Type of the debug information. |
Extracted strings
This section displays information about strings that were extracted during the file execution.
Extracted strings
| Parameter | Description |
|---|---|
| Line | Extracted string (the first 1000 characters). |
| Encoding | List of encodings (UTF-8, UTF-16BE, UTF-16LE, ASCII). |
System activities tab
Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution.
This tab is available only for registered users.
Loaded PE images
Loaded PE images that were detected during the file execution.
Loaded PE images
| Field name | Description |
|---|---|
| Path | Full path to the loaded PE image. |
| Size | Size of the loaded PE image in bytes. |
File operations
File operations that were registered during the file execution.
File operations
| Field name | Description |
|---|---|
| Operation | Operation name. |
| Name | Path and name of the file. |
| Size | Size of the file in bytes. |
Registry operations
Operations performed on the operating system registry that were detected during the file execution. Operations that have led to suspicious activities are shown first.
Registry operations
| Field name | Description |
|---|---|
| Operation | Operation name. |
| Details | Operation attributes. |
Process operations
Interactions of the file with various processes that were registered during the file execution.
Process operations
| Field name | Description |
|---|---|
| Interaction type | Type of interaction between the executed file and a process. |
| Process name | Name of the process that interacted with the executed file. |
Synchronize operations
Operations on created synchronization objects (mutexes, semaphores, and events) that were registered during the file execution.
Synchronize operations
| Field name | Description |
|---|---|
| Type | Type of the created synchronization object. |
| Name | Name of the created synchronization object. |
Extracted files tab
Kaspersky Threat Intelligence Portal provides information about files that were extracted from network traffic or saved by the executed file during the execution.
This tab is available only for registered users.
Transferred files
Files that were extracted from network traffic during the file execution.
Transferred files
| Field name | Description |
|---|---|
| Status | Status of the transferred file (Clean, Adware and other, Malware, Not categorized). |
| MD5 | MD5 hash of the transferred file. |
| Traffic | Traffic that the transferred file was extracted from (HTTP or HTTPS). |
| Detection name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |
Dropped files
Files that were saved or changed by the executed file in the operating system.
Dropped files
| Field name | Description |
|---|---|
| Status | Status of the downloaded file (Clean, Adware and other, Malware, Not categorized). |
| MD5 | MD5 hash of the downloaded file. |
| Detection name | Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable—you can click it to view its description on the Kaspersky threats website. |
| File name | File name of the dropped file. |
Network activities tab
Kaspersky Threat Intelligence Portal provides information about network activities that were registered during the file execution.
This tab is available only for registered users.
DNS requests
DNS sessions that were registered during file execution.
DNS requests
| Field name | Description |
|---|---|
| Status | Status of an object in the DNS request. |
| Type | DNS request type. |
| Response | Contents of the DNS response. Each item is clickable, and navigates to investigation results on the Lookup tab. |
HTTP(S) requests
HTTP and HTTPS requests that were registered during the file execution.
HTTP(S) requests
| Field name | Description |
|---|---|
| Status | Status of a web address in the HTTP(S) request. The web address can belong to one of the following zones: Dangerous (malicious objects are related to the web address); Adware and other (objects related to the web address can be classified as not-a-virus); Good (the web address is not malicious); Not categorized (no or not enough information about the web address is available to define the category). |
| Web address | Web address to which the request was registered. |
| Method | Method of sending an HTTP(S) request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH. |
| Scheme | Web address scheme that identifies the protocol which was used (HTTP or HTTPS). |
| Response code | Response code of the HTTP(S) request. |
| Response length | Size of the response to the HTTP(S) request (in bytes). |
| Fields | Additional fields (Request headers and Response headers) displayed as key:value. Standard header names are based on RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1). Custom headers (for example, x-ms-request-id) are highlighted in blue. |
Information available to users with Premium Access
Kaspersky Threat Intelligence Portal provides the following detailed information about the submitted file, if available, to users with Premium Access.
Signatures and certificates tab
Information about file signatures and certificates
| Table name | Description | Table fields |
|---|---|---|
| File signatures and certificates | Information about signatures and certificates of the submitted file. | Status—Status of the file certificate. Vendor—Owner of the certificate. Publisher—Publisher of the certificate. Signed—Date and time when the certificate was signed. Issued—Date and time when the certificate was issued. Expires—Expiration date of the certificate. Serial number—Serial number of the certificate. |
| Container signatures and certificates | Information about signatures and certificates of the container. | Status—Status of the container's certificate. Container MD5—MD5 hash of the container's file. Signed—Date and time when the container's certificate was signed. Issued—Date and time when the container's certificate was issued. Expires—Expiration date of the container's certificate. |
Paths tab
Information about file paths
| Table name | Description | Table fields |
|---|---|---|
| File paths | Known paths to the file on computers using Kaspersky software. | Hits—Number of path detections by Kaspersky expert systems. Path—Path to the submitted file on user computers. Location—Root folder or drive where the submitted file is located on user computers. |
Names tab
Information about file names
| Table name | Description | Table fields |
|---|---|---|
| File names | Known names of the file on computers using Kaspersky software. | Hits—Number of file name detections by Kaspersky expert systems. File name—Name of the submitted file. |
Downloads tab
Information about web addresses from which the file was downloaded
| Table name | Description | Table fields |
|---|---|---|
| File downloaded from web addresses and domains | Web addresses and domains from which the file was downloaded. | Status—Status of web addresses or domains used to download the submitted file. Web address—Web addresses used to download the submitted file. Last downloaded—Date and time when the submitted file was last downloaded from the web address / domain. Domain—Upper domain of the web address used to download the submitted file. IP count—Number of IP addresses that the domain resolves to. |
Web addresses tab
Information about web addresses
| Table name | Description | Table fields |
|---|---|---|
| File accessed the following web addresses | Web addresses accessed by the submitted file. | Status—Status of accessed web addresses. Web address—Web addresses accessed by the submitted file. Last accessed—Date and time when the submitted file last accessed the web address. Domain—Upper domain of the web address accessed by the submitted file. IP count—Number of IP addresses that the domain resolves to. |
Started objects tab
Information about started objects
| Table name | Description | Table fields |
|---|---|---|
| File started the following objects | Objects started by the submitted file. | Status—Status of started objects. Hits—Number of times the submitted file started the object, as detected by Kaspersky expert systems. File MD5—MD5 hash of the started object. Location—Root folder or drive where the started object is located on user computers. Path—Path to the object on user computers. File name—Name of the started object. Last started—Date and time when the object was last started by the submitted file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
| File was started by the following objects | Objects that started the submitted file. | Status—Status of objects that started the submitted file. Hits—Number of times the submitted file was started, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that started the submitted file. Location—Root folder or drive where the object is located on user computers. Path—Path to the object on user computers. File name—Name of the object that started the submitted file. Last started—Date and time when the submitted file was last started. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
Downloaded objects tab
Information about downloaded objects
| Table name | Description | Table fields |
|---|---|---|
| File downloaded the following objects | Objects downloaded by the submitted file. | Status—Status of downloaded objects. Hits—Number of times the object was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the downloaded object. Location—Root folder or drive where the downloaded object is located on user computers. Path—Path to the downloaded object on user computers. File name—Name of the downloaded object. Last downloaded—Date and time when the object was last downloaded by the submitted file. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |
| File was downloaded by the following objects | Objects that downloaded the submitted file. | Status—Status of objects that downloaded the submitted file. Hits—Number of times the submitted file was downloaded, as detected by Kaspersky expert systems. File MD5—MD5 hash of the object that downloaded the submitted file. Location—Root folder or drive where the object is located on user computers. File name—Name of the object that downloaded the submitted file. Path—Path to the object on user computers. Last downloaded—Date and time when the submitted file was last downloaded. Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker). |