Kaspersky Threat Intelligence Portal

Report for web address

After web address browsing emulation, available analysis results are displayed on the report page.

Depending on the web address's zone, its status (Dangerous, Not trusted, Adware and other, Good, or Not categorized) is displayed on a panel in one of the following colors:

  • Red—There are malicious objects related to the web address.
  • Orange—The web address can be classified as Not trusted and may host malicious objects.
  • Yellow—There are objects related to the web address that can be classified as Not-a-virus.
  • Grey—No data is available for a web address.
  • Green—The web address cannot be classified as Dangerous.

The report page contains the following:

  • Overview—Displays general information about the analyzed web address.
  • Summary—Displays statistical information about the analyzed web address.
  • WHOIS—Displays the WHOIS information about the analyzed web address.
  • Detection names—Displays detected items that were registered during the web address analysis.
  • Triggered network rules—Displays SNORT and Suricata rules that were triggered during the web address traffic analysis.
  • Connected hosts—Displays IP addresses that were accessed in all HTTP and HTTPS requests after the FQDN resolved.
  • Suspicious activities—Displays suspicious activities that were registered during the web address analysis.
  • HTTP(S) requests—Displays HTTP and HTTPS requests that were registered during the web address analysis.
  • DNS requests—Displays DNS requests that were registered during the web address analysis.
  • Screenshots—Displays a set of screenshots that were taken during the web address analysis.
  • Premium content—Displays sections that contain blurred data about the analyzed web address. The actual data is available for users with Premium Access to Kaspersky Threat Intelligence Portal. You can request a demo version to view a full report and explore other Kaspersky Threat Intelligence Portal features.

Overview for web address

Kaspersky Threat Intelligence Portal provides the following general information about an analyzed web address:

General information about web address

  • IPv4 count: Number of known IP addresses that the analyzed web address resolves to.
  • Files count: Number of known malicious files related to the analyzed web address.
  • Web address count: Number of known malicious web addresses related to the analyzed object.
  • Hits: Number of times Kaspersky expert systems have detected the requested web address.
  • Created: Creation date of the analyzed web address.
  • Expires: Expiration date of the analyzed web address.
  • Domain: Name of the upper-level domain.
  • Registration organization: Name of the registration organization.
  • Registrar name: Name of the domain name registrar.
  • Categories: Categories of the analyzed web address. If the web address does not belong to any of the defined categories, the General category is displayed.


Dynamic analysis summary

Kaspersky Threat Intelligence Portal provides the following graphical information about detected items, connected hosts, extracted files, and network interactions detected during web address analysis:

Dynamic analysis summary for a web address

  • Detects: The total number of objects detected during web address analysis, and the proportion of objects with the Malware (red) or Adware and other (yellow) status.
  • Connected hosts: The total number of unique IP addresses related to the analyzed web address, and the proportion of IP addresses with the status Dangerous (red), Not trusted (orange), Good (green), or Not categorized (grey; no or not enough information about the IP address is available to define the category).
  • Extracted files: The total number of files that were transferred or dropped during the analysis, and the proportion of files with the status Malicious (red; files that can be classified as malicious), Adware and other (yellow; files that can be classified as Not-a-virus), Clean (green; files that can be classified as not malicious), or Not categorized (grey; no or not enough information about the file is available to define the category).
  • Network activities: The total number of network activities registered during the analysis, and the proportion of those network interactions with the status Dangerous (red; requests to resources with the Dangerous status), Adware and other (yellow; requests to resources with the Adware and other status), Good (green; requests to resources with the Good status), or Not categorized (grey; requests to resources with the Not categorized status).


WHOIS

Kaspersky Threat Intelligence Portal provides WHOIS information about the host of the analyzed web address.

A host may be specified by a fully qualified domain name (FQDN) or by an IP address in dot-decimal notation.

If the host is specified by a local, private, or service (reserved) IP address, Kaspersky Threat Intelligence Portal does not process the web address; any results shown for such an address should be interpreted with caution.

Host specified by FQDN

WHOIS section for FQDN as a host

  • Domain name: Name of the domain for the analyzed web address.
  • Domain status: Status of the domain for the analyzed web address, as reported by the registry (for example, clientTransferProhibited).
  • Created: Date when the domain for the analyzed web address was registered.
  • Updated: Date when the registration information about the domain was last updated.
  • Paid until: Expiration date of the prepaid domain registration term.
  • Registrar info: Name of the domain registrar for the analyzed web address.
  • IANA ID: IANA ID of the domain registrar.
  • Name servers: List of domain name servers for the analyzed web address.

Host specified by IP address

WHOIS section for IP address as a host

  • IP range: Range of IP addresses in the network that the host belongs to. The flag of the country that the IP address belongs to is also displayed; hovering the mouse over the flag shows a tooltip with the country name.
  • Net name: Name of the network that the IP address belongs to.
  • Net description: Description of the network that the IP address belongs to.
  • Created: Date when the IP address was registered.
  • Changed: Date when information about the IP address was last updated.
  • AS description: Autonomous system description.
  • ASN: Autonomous system number (16-bit ASNs as defined in RFC 1771, 32-bit ASNs as defined in RFC 4893).


Sandbox detection names

Kaspersky Threat Intelligence Portal provides information about detected items that were registered during the web address analysis.

Sandbox detection names

  • Zone: Danger zone (level) to which the threat refers (High, Medium, Low, Info).
  • Name: Name of the detected object (for example, HEUR:Exploit.Script.Blocker). Each item in the list is clickable; click it to view its description on the Kaspersky Threats website.
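Detection names in this table follow Kaspersky's verdict naming scheme, and the first thing a practitioner does with them is split each name into its parts and decide how much weight it deserves. The following Python is an added example, not Kaspersky Threat Intelligence Portal code: it assumes the naming convention [Prefix:]Type.Platform.Name[.Variant], which this page does not spell out, and shows how the not-a-virus prefix separates Adware and other from Malware, the same split the Detects chart in the Dynamic analysis summary uses. Every sample verdict other than HEUR:Exploit.Script.Blocker is constructed for the example.

```python
"""Split a Kaspersky-style detection name into its parts and assign it
the bucket the report's Detects chart uses (Malware vs Adware and other).

Added example, not Kaspersky Threat Intelligence Portal code. It assumes
the naming convention [Prefix:]Type.Platform.Name[.Variant], which the
help page does not state; the only verdict the page shows is
HEUR:Exploit.Script.Blocker.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    raw: str
    prefix: Optional[str]   # e.g. "HEUR" or "not-a-virus"; None when absent
    type_: str              # behaviour/type, e.g. "Exploit", "Trojan-Ransom"
    platform: str           # e.g. "Script", "Win32", "Multi"
    name: str               # family name, e.g. "Blocker", "Generic"
    variant: Optional[str]  # trailing suffix such as "abc"; None when absent


def parse_verdict(raw: str) -> Verdict:
    """Parse one entry of the Detection names table."""
    text = raw.strip()
    prefix: Optional[str] = None
    if ":" in text:
        prefix, text = text.split(":", 1)
    parts = text.split(".")
    # Type, platform and name are mandatory; anything after them is variant.
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"unexpected detection name format: {raw!r}")
    variant = ".".join(parts[3:]) or None
    return Verdict(raw, prefix, parts[0], parts[1], parts[2], variant)


def is_not_a_virus(v: Verdict) -> bool:
    """Objects with the not-a-virus prefix are what the report files under
    Adware and other (yellow) rather than Malware (red)."""
    return (v.prefix or "").lower() == "not-a-virus"


def is_heuristic(v: Verdict) -> bool:
    """HEUR: marks a heuristic verdict; weigh it less than a named family
    when deciding whether the web address itself is the threat."""
    return (v.prefix or "").upper() == "HEUR"


def report_bucket(v: Verdict) -> str:
    return "Adware and other" if is_not_a_virus(v) else "Malware"


def summarize(names) -> dict:
    """Counts in the shape of the Detects chart: total plus each bucket."""
    counts = Counter(report_bucket(parse_verdict(n)) for n in names)
    return {"total": sum(counts.values()),
            "Malware": counts["Malware"],
            "Adware and other": counts["Adware and other"]}


if __name__ == "__main__":
    # Constructed sample list; only the first entry appears on the page.
    sample = ["HEUR:Exploit.Script.Blocker",
              "not-a-virus:AdWare.Win32.Agent.abc",
              "Trojan-Ransom.Win32.Wanna.c"]
    for n in sample:
        v = parse_verdict(n)
        print(f"{n:40} type={v.type_} platform={v.platform} "
              f"family={v.name} heuristic={is_heuristic(v)} "
              f"bucket={report_bucket(v)}")
    print(summarize(sample))
```

When triaging a report, sort the parsed verdicts by family and platform before counting them: several HEUR or Generic entries for one script family usually describe one object hit by several engines, whereas a single named Trojan-Ransom family on the Win32 platform is a stronger reason to treat the web address as Dangerous than the raw Detects count suggests.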


Triggered network rules

Kaspersky Threat Intelligence Portal provides information about SNORT and Suricata rules that were triggered during the web address traffic analysis.

Triggered network rules

  • Zone: Danger zone (level) of the network traffic detected by the SNORT or Suricata rule (High, Medium, Low, Info).
  • Rule: SNORT or Suricata rule name.


Connected hosts

Kaspersky Threat Intelligence Portal provides information about IP addresses that were accessed in all HTTP(S) requests after the FQDN resolved.

Connected hosts

  • Status: Status (danger level) of the IP address that the domain for the requested web address resolved to (Dangerous, Not trusted, Not categorized, Good).
  • IP: IP address to which a domain from the Resolved from domain column resolved. The flag of the country that the IP address belongs to is displayed; hovering the mouse over the flag shows a tooltip with the country name.
  • ASN: Autonomous system number (16-bit ASNs as defined in RFC 1771, 32-bit ASNs as defined in RFC 4893).
  • Resolved from domain: Fully qualified domain name (FQDN) that resolved to the IP address in the IP column.


Suspicious activities

Kaspersky Threat Intelligence Portal provides information about suspicious activities that were registered during the web address analysis.

Suspicious activities

  • Zone: Danger zone (level) of the registered activity (High, Medium, Low).
  • Severity: Numerical value of the danger level of the registered activity (an integer from 1 to 999).
  • Description: Description of the suspicious activity, for example "Executable has obtained the privilege," "The file has been dropped and executed," or "The process has injected binary code into another process." Some descriptions include a mapping to the MITRE ATT&CK classification, for example "MITRE: T1082 System Information Discovery."


HTTP(S) requests

Kaspersky Threat Intelligence Portal provides information about HTTP and HTTPS requests that were registered during the web address analysis.

HTTP(S) requests

  • Status: Status of the web address in the HTTP or HTTPS request.
  • Scheme: Web address scheme that identifies the protocol used (HTTP or HTTPS).
  • URL: Web address to which the request was made.
  • IP: IP address of the host to which the request was sent.
  • Request: Information about the HTTP or HTTPS request.
  • Response: Information about the HTTP or HTTPS response.


DNS requests

Kaspersky Threat Intelligence Portal provides information about DNS requests that were registered during the web address analysis.

DNS requests

  • Type: DNS query (record) type.
  • Request: Contents of the DNS request.
  • Response: Response to the DNS request.
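The Connected hosts, HTTP(S) requests, and DNS requests sections describe the same browsing session from three angles, and joining them is how you spot requests that reached an IP address without a matching DNS resolution. The following Python is an added example, not Kaspersky Threat Intelligence Portal code: it assumes a simple record layout (Type/Request/Response for DNS, Scheme/URL/IP for HTTP) that the portal does not document on this page, uses constructed sample records in documentation address ranges, rebuilds the Connected hosts table (IP plus Resolved from domain), and flags direct-to-IP requests and hostnames that never resolved to the contacted IP in the captured DNS traffic.

```python
"""Rebuild the Connected hosts table from the DNS requests and HTTP(S)
requests sections and flag requests that bypassed DNS.

Added example, not Kaspersky Threat Intelligence Portal code. The record
layout is an assumption for this example; the portal does not document
an export format for these sections on the help page.
"""
from collections import defaultdict
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample data modelled on the DNS requests table
# (Type / Request / Response) and the HTTP(S) requests table
# (Scheme / URL / IP). Names and addresses are documentation values.
DNS_RECORDS = [
    {"type": "A",    "request": "example.test",         "response": "203.0.113.10"},
    {"type": "A",    "request": "cdn.example.test",     "response": "198.51.100.7"},
    {"type": "AAAA", "request": "cdn.example.test",     "response": ""},  # empty answer
    {"type": "A",    "request": "tracker.example.test", "response": "203.0.113.10"},
]
HTTP_RECORDS = [
    {"scheme": "https", "url": "https://example.test/",            "ip": "203.0.113.10"},
    {"scheme": "https", "url": "https://cdn.example.test/app.js",  "ip": "198.51.100.7"},
    {"scheme": "http",  "url": "http://198.51.100.23/payload.bin", "ip": "198.51.100.23"},
    {"scheme": "https", "url": "https://api.example.test/beacon",  "ip": "203.0.113.44"},
]


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def dns_resolutions(dns_records):
    """Map each answered IP to the set of FQDNs that resolved to it."""
    ip_to_domains = defaultdict(set)
    for rec in dns_records:
        if rec["type"] not in ("A", "AAAA"):
            continue
        # An answer may list several addresses; tokens that are not
        # addresses (for example CNAME targets) are ignored.
        for token in rec["response"].replace(",", " ").split():
            if _is_ip(token):
                ip_to_domains[token].add(rec["request"])
    return ip_to_domains


def _sort_key(row):
    ip = ip_address(row["ip"])
    return (ip.version, ip)


def connected_hosts(dns_records, http_records):
    """One row per contacted IP: the domains that resolved to it, and
    whether any request reached it without a matching DNS resolution."""
    ip_to_domains = dns_resolutions(dns_records)
    rows = {}
    for rec in http_records:
        ip = rec["ip"]
        host = urlparse(rec["url"]).hostname or ""
        row = rows.setdefault(ip, {"ip": ip, "resolved_from": set(),
                                   "direct_to_ip": False,
                                   "unresolved_host": False})
        if _is_ip(host):
            # The URL named the IP literally, so no lookup was needed:
            # typical of droppers fetching a second stage from a raw IP.
            row["direct_to_ip"] = True
        elif host not in ip_to_domains.get(ip, set()):
            # The request named a domain, but the captured DNS traffic
            # never answered this IP for it (cached, hard-coded, or
            # resolved out of band).
            row["unresolved_host"] = True
        row["resolved_from"].update(ip_to_domains.get(ip, set()))
    out = []
    for row in sorted(rows.values(), key=_sort_key):
        row["resolved_from"] = sorted(row["resolved_from"])
        out.append(row)
    return out


def suspicious_hosts(rows):
    """IPs reached without a DNS resolution in the captured traffic."""
    return [r["ip"] for r in rows if r["direct_to_ip"] or r["unresolved_host"]]


if __name__ == "__main__":
    table = connected_hosts(DNS_RECORDS, HTTP_RECORDS)
    for r in table:
        print(f'{r["ip"]:16} resolved from {", ".join(r["resolved_from"]) or "-"}'
              f'{"  [direct-to-IP]" if r["direct_to_ip"] else ""}'
              f'{"  [no DNS answer for host]" if r["unresolved_host"] else ""}')
    print("review first:", suspicious_hosts(table))
```

An IP that appears in the HTTP(S) requests table but has no Resolved from domain entry is worth a second look before you trust a Good status on the Connected hosts panel: the status describes the address, not the way the emulated browser got to it.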


Screenshots

Kaspersky Threat Intelligence Portal provides screenshots that were taken during web address browsing.
