The General Information section contains information about the sandbox instance that executed the analyzed file.

The Signature Overview section contains behaviors that were observed in the analyzed binary. The behaviors are stack-ranked and color-coded. Each section also displays a color-coded rating scale to represent the maliciousness. At the left end of the rating scale, green indicates benign. On the right end, red indicates malicious. These ratings can be used at-a-glance to determine if the analyzed file is relatively benign, suspicious, or malicious. Use this high-level information to assign degrees of urgency which help you decide the order in which incidents are investigated.

The Startup section contains a list of files that execute during startup, while the cleanup section contains a list of files that execute during shutdown.

The Created/Dropped Files section contains a list of files that were created by the sample under analysis and dropped in the sandbox while the file was being analyzed.

The Contacted Domains and Contacted IPs list domains and IP addresses that were involved during analysis.

The Static File Information section contains information about the file that was uploaded, prior to execution in the virtual sandboxing environment. This information is collected by parsing the file on disk and can be used to search other threat intelligence sources for additional details.

The Static PE information section describes the portable executable file and can be used to get a quick understanding of the properties of the application. For example:

• The Entrypoint field in the General section can be used to determine if the file is packed.

• The Resources, Imports, and Exports can sometimes give you a general understanding of what the executable does. However, note that this information can be obfuscated if the file is packed, leaving only the Resources, Imports, and Exports of the packer exposed until the file is unpacked or executed.

• The Version Info and Possible Origin can sometimes be used to tell when the file was compiled and on what language version of operating system the file was compiled. This can give you hints about the origin of the attack. However, note that this information can be obfuscated or spoofed.

The Network Behavior section contains a summary of all of the interesting network traffic that was generated while analyzing the file.

TCP Packets and UDP Packets list all of the TCP/UDP traffic observed while analyzing the file. The IP address and port information can be used to create rudimentary rules on a firewall to restrict ingress/egress activity to certain IP addresses and ports that are known to be associated with malicious code.

DNS Queries lists all of the DNS transactions that were observed while analyzing the file. The query information can be used to detect hosts that are infected on your network, or as a guideline on what domain names need to be blocked in order to control an infection on your network.

HTTP subsections contain HTTP traffic that was observed while analyzing the file. The HTTP information can be used to write network IDS signatures or to block communication with these hosts at the network perimeter.

The System Behavior section lists the activities observed while analyzing the file. You can also show or hide the windows behavior details.