File behaviour

File behaviour reports

File behaviour reports are obtained either by using the GET /files/{id}/behaviours endpoint or the sandbox behavior feed. They summarize the behaviour observed while a file is executed or opened. Note that some of these actions could be triggered by children of the file under consideration rather than by the file itself.

Object Attributes

In a file_behaviour object you will find these attributes:

  • analysis_date: <integer> Unix epoch UTC time (seconds).
  • behash: <string> used to find similar behaviour analyses.
  • calls_highlighted: <list of strings> API calls/Syscalls worth highlighting.
  • command_executions: <list of strings> shell command executions observed during the analysis of the given file.
  • files_opened: <list of strings> files opened during execution.
  • files_written: <list of strings> files written to during execution.
  • files_deleted: <list of strings> names of the files deleted.
  • files_attribute_changed: <list of strings> full path of files subject to some sort of active attribute modification.
  • has_html_report: whether there is an HTML report for this behaviour analysis.
  • has_evtx: whether there is an EVTX file for this behaviour analysis. Check out /file_behaviours/{sandbox_id}/evtx for more information.
  • has_memdump: whether there is a memdump file for this behaviour analysis. Check out /file_behaviours/{sandbox_id}/memdump.
  • has_pcap: whether there is a PCAP network capture for this behaviour analysis. Check out /file_behaviours/{sandbox_id}/pcap for more information.
  • hosts_file: <string> the hosts file field stores the content of the local hostname-ip mapping hosts file IF AND ONLY IF the file was modified, else this field is not populated.
  • ids_alerts: <list of dictionaries> list of IDS alerts, sorted by timestamp. Every item contains the following keys:
    • alert_context: <dictionary> matched alert context:
      • dest_ip: <string> destination IP.
      • dest_port: <integer> destination port.
      • hostname: <string> if the alert is related to an HTTP communication, destination hostname.
      • protocol: <string> communication protocol name.
      • src_ip: <string> source IP.
      • src_port: <integer> source port.
      • url: <string> if the alert is related to an HTTP communication, destination URL.
    • alert_severity: <string> one of high, medium, low or info.
    • rule_category: <string> alert category.
    • rule_id: <string> rule SID.
    • rule_msg: <string> alert description.
    • rule_source: <string> rule source, determined by SID range.
  • processes_terminated: <list of strings> name of the processes that were terminated during the execution of a given file.
  • processes_killed: <list of strings> name of the processes that were killed during the execution of a given file.
  • processes_injected: <list of strings> name of the processes that were subjected to some kind of code injection during the execution of the given file.
  • services_opened: <list of strings> names of the services for which a handle was acquired during the analysis of the given file.
  • services_created: <list of strings> new services created.
  • services_started: <list of strings> new services started.
  • services_stopped: <list of strings> services stopped during the execution of the given file.
  • services_deleted: <list of strings> services deleted during the execution of the given file.
  • services_bound: <list of strings> service binding, mainly in Android, see: https://developer.android.com/guide/components/bound-services.html.
  • windows_searched: <list of strings> names of windows that are searched for.
  • windows_hidden: <list of strings> names of windows that are set up to be invisible.
  • mutexes_opened: <list of strings> name of the mutexes for which the file acquires a handle.
  • mutexes_created: <list of strings> new mutexes created.
  • signals_observed: <list of strings> OS Signals and broadcast events, note that Android broadcasts are categorized here also.
  • invokes: <list of strings> methods/functionality called via reflection or some sort of runtime instantiation. The best example is Java reflection calls; in those cases we flatten the structure to a string: ..
  • crypto_algorithms_observed: <list of strings> Example: RSA.
  • crypto_keys: <list of strings> e.g. "MySecret".
  • crypto_plain_text: <list of strings> strings that are either encrypted or decrypted during the observed time frame; only the plaintext is recorded.
  • text_decoded: <list of strings> plaintext which is the result of a decoding operation.
  • text_highlighted: <list of strings> interesting text seen in window dialogs, titles, etc.
  • verdict_confidence: <integer> confidence that the verdict is correct, as a percentage (e.g. 99 means 99% confident).
  • ja3_digests: <list of strings> JA3 fingerprinting of TLS client connections.
  • tls: <list of dictionaries> certificates of the contacted domains/IPs. Each entry contains the following fields:
    • issuer: <dictionary> certificate issuer information. Keys are certificate fields (C, CN, O, etc.) as strings and values are always strings.
    • ja3: <string> JA3 fingerprint of the connection (client side of the TLS handshake).
    • ja3s: <string> JA3S fingerprint of the connection (server side of the TLS handshake).
    • serial_number: <string> certificate serial number.
    • sni: <string> certificate's server name indication.
    • subject: <dictionary> certificate subject information. Same format as issuer field.
    • thumbprint: <string> certificate thumbprint.
    • version: <string> TLS version.

Android specific fields:

  • activities_started: <list of strings> Android activities launched by the app under study.
  • content_model_observers: <list of strings> content for which the Android app registers an observer so that it is notified of any changes to it.
  • content_model_sets: <list of dictionaries> content model entries performed by an Android app.
  • databases_deleted: <list of strings> e.g. Android SQLite DBs deleted.
  • databases_opened: <list of strings> interactions with databases, e.g. when an Android app opens an SQLite DB.
  • permissions_requested: <list of strings> Android permissions requested by the app during runtime. In Windows it should also record process token privilege modifications such as SE_LOAD_DRIVER_PRIVILEGE.
  • shared_preferences_lookups: <list of strings> entries in Android's shared preferences that are checked (https://developer.android.com/reference/android/content/SharedPreferences.html).
  • shared_preferences_sets: <list of dictionaries> entries written in Android's shared preferences. Every subitem contains the following fields:
    • key: <string> preference name.
    • value: <string> set value.
  • signals_hooked: <list of strings> registering a receiver in Android is considered a broadcast hook. In Windows this field will contain SetWindowsHookExA activity and the like.
  • system_property_lookups: <list of strings> interactions with Android's system properties dataset (android.os.SystemProperties); getInt, getString, putInt, putString, etc. are all simply translated into strings.
  • system_property_sets: <list of dictionaries> keys and values set in Android's system properties dataset.

Windows specific fields:

  • modules_loaded: <list of strings> operations related to dynamic loading of libraries, shared objects and components.
  • registry_keys_opened: <list of strings> Windows registry keys for which a handle is acquired.
  • registry_keys_set: <list of dictionaries> keys and values of registry keys that are set. It is a list of dictionaries, each one containing the following fields:
    • key: <string> modified registry key.
    • value: <string> value set to the registry key.
  • registry_keys_deleted: <list of strings> names of Windows registry keys that are deleted.

Object structure:

{
    "data": {
        "attributes": {
            "activities_started": [
                "<string>"
            ],
            "analysis_date": <int:timestamp>,
            "behash": "<string>",
            "calls_highlighted": [
                "<string>"
            ],
            "command_executions": [
                "<string>"
            ],
            "files_opened": [
                "<string>"
            ],
            "files_written": [
                "<string>"
            ],
            "has_html_report": <boolean>,
            "has_pcap": <boolean>,
            "ids_results": [
                {
                    "alert_context": {
                        "dest_ip": "<string>",
                        "dest_port": <int>,
                        "hostname": "<string>",
                        "protocol": "<string>",
                        "src_ip": "<string>",
                        "src_port": <int>,
                        "url": "<string>"
                    },
                    "alert_severity": "<string>",
                    "rule_id": "<string>",
                    "rule_msg": "<string>",
                    "rule_source": "<string>"
                }
            ],
            "last_modification_date": <int:timestamp>,
            "modules_loaded": [
                "<string>"
            ],
            "mutexes_created": [
                "<string>"
            ],
            "mutexes_opened": [
                "<string>"
            ],
            "processes_created": [
                "<string>"
            ],
            "processes_terminated": [
                "<string>"
            ],
            "registry_keys_deleted": [
                "<string>"
            ],
            "registry_keys_opened": [
                "<string>"
            ],
            "registry_keys_set": [
                {
                    "key": "<string>",
                    "value": "<string>"
                }
            ],
            "sandbox_name": "<string>",
            "shared_preferences_sets": [
                {
                    "key": "<string>",
                    "value": "<string>"
                }
            ],
            "tags": [
                "<string>"
            ],
            "text_highlighted": [
                "<string>"
            ],
            "tls": [
                {
                    "issuer": {
                        "<string>": "<string>"
                    },
                    "ja3": "<string>",
                    "ja3s": "<string>",
                    "serial_number": "<string>",
                    "sni": "<string>",
                    "subject": {
                        "<string>": "<string>"
                    },
                    "thumbprint": "<string>",
                    "version": "<string>"
                }
            ],
            "verdicts": [
                "<string>"
            ]
        },
        "id": "<file_sha256>_<sandbox_name>",
        "links": {
            "self": "https://www.virustotal.com/api/v3/file_behaviours/<id>"
        },
        "type": "file_behaviour"
    }
}

Example of a Windows sandbox report (sandbox_name "VirusTotal Jujubox"):

{
    "data": {
        "attributes": {
            "analysis_date": 1593304117,
            "behash": "3212c1418311361831dd10d10b1914c2",
            "calls_highlighted": [
                "GetTickCount"
            ],
            "dns_lookups": [
                {
                    "hostname": "blablabla.com",
                    "resolved_ips": [
                        "66.66.66.66"
                    ]
                }
            ],
            "files_dropped": [
                {
                    "path": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.virus.tmp",
                    "sha256": "031a4a19f216d1d713f1b710b1eb13131811c113a151716c131c1161c191f15b"
                },
                {
                    "path": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.tmp",
                    "sha256": "b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1"
                }
            ],
            "files_opened": [
                "C:\\Windows\\syswow64\\en-US\\KERNELBASE.dll.mui",
                "C:\\Windows\\syswow64\\en\\KERNELBASE.dll.mui",
                "C:\\Windows\\system32\\netmsg.dll",
                "C:\\Users\\<USER>\\Downloads\\blablabla.virus.exe",
                "C:\\Users\\<USER>\\AppData\\Local\\Temp"
            ],
            "files_written": [
                "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.virus.tmp",
                "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.tmp",
                "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blabla.dll"
            ],
            "has_html_report": true,
            "has_pcap": true,
            "http_conversations": [
                {
                    "request_headers": {
                        "accept": "*/*",
                        "accept-encoding": "gzip, deflate",
                        "connection": "Keep-Alive",
                        "host": "blablabla.com",
                        "user-agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)"
                    },
                    "request_method": "GET",
                    "url": "http://blablabla.com/tempfile/blablabla.virus"
                }
            ],
            "ids_results": [
                {
                    "alert_context": {
                        "dest_ip": "234.0.0.12",
                        "protocol": "IGMP",
                        "src_ip": "10.0.44.24"
                    },
                    "alert_severity": "low",
                    "rule_id": "2200007",
                    "rule_msg": "SURICATA IPv4 padding required ",
                    "rule_source": "Suricata Decoder Events"
                }
            ],
            "ip_traffic": [
                {
                    "destination_ip": "66.66.66.66",
                    "destination_port": 80,
                    "transport_layer_protocol": "TCP"
                }
            ],
            "last_modification_date": 1593304118,
            "modules_loaded": [
                "C:\\Users\\<USER>\\Downloads\\blablabla.virus.ENU",
                "C:\\Users\\<USER>\\Downloads\\blablabla.virus.EN",
                "UxTheme.dll"
            ],
            "mutexes_created": [
                "Local\\blablabla-blablabla-blablabla"
            ],
            "mutexes_opened": [
                "blablabla-blablabla-blablabla"
            ],
            "processes_created": [
                "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.virus.tmp /SL5=$2A0120,2331237,148992,C:\\Users\\<USER>\\Downloads\\blablabla.virus.exe",
                "C:\\Windows\\system32\\regsvr32.exe /s C:\\Windows\\system32\\jscript.dll"
            ],
            "processes_terminated": [
                "C:\\Windows\\system32\\regsvr32.exe /s C:\\Windows\\system32\\jscript.dll"
            ],
            "processes_tree": [
                {
                    "children": [
                        {
                            "children": [
                                {
                                    "name": "C:\\Windows\\system32\\regsvr32.exe /s C:\\Windows\\system32\\jscript.dll",
                                    "process_id": "2700",
                                    "time_offset": 8
                                }
                            ],
                            "name": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.virus.tmp /SL5=$2A0120,2331237,148992,C:\\Users\\<USER>\\Downloads\\blablabla.virus.exe",
                            "process_id": "2372",
                            "time_offset": 1
                        }
                    ],
                    "name": "blablabla.virus.exe",
                    "process_id": "2668"
                }
            ],
            "registry_keys_deleted": [
                "HKCR\\JScript\\CLSID",
                "HKCR\\JScript\\OLEScript",
                "HKCR\\JScript",
                "HKCR\\LiveScript\\CLSID",
                "HKCR\\LiveScript\\OLEScript",
                "HKCR\\LiveScript",
                "HKCR\\JavaScript\\CLSID",
                "HKCR\\JavaScript\\OLEScript",
                "HKCR\\JavaScript",
                "HKCR\\JavaScript1.1\\CLSID",
                "HKCR\\JavaScript1.1\\OLEScript"
            ],
            "registry_keys_opened": [
                "HKCU\\Software\\CodeGear\\Locales",
                "HKCU\\Software\\Borland\\Locales",
                "HKCU\\Software\\Borland\\Delphi\\Locales",
                "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
                "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg 2",
                "HKLM\\System\\CurrentControlSet\\Control\\Keyboard Layouts\\04090409",
                "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
                "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\CommonFilesDir",
                "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            ],
            "registry_keys_set": [
                {
                    "key": "Software\\Microsoft\\RestartManager\\Session0000\\Owner",
                    "value": "ΰ₯„"
                },
                {
                    "key": "Software\\Microsoft\\RestartManager\\Session0000\\SessionHash"
                },
                {
                    "key": "Software\\Microsoft\\RestartManager\\Session0000\\Sequence",
                    "value": "1"
                }
            ],
            "sandbox_name": "VirusTotal Jujubox",
            "tags": [
                "DIRECT_CPU_CLOCK_ACCESS",
                "RUNTIME_MODULES"
            ],
            "text_highlighted": [
                "Setup",
                "C:\\Windows\\system32\\cmd.exe"
            ],
            "tls": [
                {
                    "issuer": {
                        "C": "US",
                        "CN": "GTS CA 1O1",
                        "O": "Google Trust Services"
                    },
                    "ja3": "28a2c9bd18a11de089ef85a160da29e4",
                    "ja3s": "eca9b8f0f3eae50309eaf901cb822d9b",
                    "serial_number": "00c4ea98ea7e5e1f430200000000870182",
                    "sni": "clients2.google.com",
                    "subject": {
                        "C": "US",
                        "L": "Mountain View",
                        "O": "Google LLC",
                        "ST": "California"
                    },
                    "thumbprint": "c25b1dc8be5f679087ecd28fb5eae7b3985cf604",
                    "version": "TLS 1.2"
                }
            ]
        },
        "id": "5353e23f3653402339c93a8565307c6308ff378e03fcf23a4378f31c434030b0_VirusTotal Jujubox",
        "links": {
            "self": "https://www.virustotal.com/api/v3/file_behaviours/5353e23f3653402339c93a8565307c6308ff378e03fcf23a4378f31c434030b0_VirusTotal Jujubox"
        },
        "type": "file_behaviour"
    }
}

Example of an Android sandbox report (sandbox_name "VirusTotal Droidy"):

{
    "data": {
        "attributes": {
            "activities_started": [
                "com.software.application.Main (com.software.application)",
                "com.blabla.superuser.RequestActivity (com.thirdparty.superuser)"
            ],
            "analysis_date": 1528096752,
            "behash": "3f613ca3cd3a43fd3723539233a23e45",
            "calls_highlighted": [
                "android.telephony.TelephonyManager.getNetworkOperator"
            ],
            "command_executions": [
                "su"
            ],
            "dns_lookups": [
                {
                    "hostname": "blablabla.com",
                    "resolved_ips": [
                        "66.66.66.66"
                    ]
                }
            ],
            "files_copied": [
                {
                    "destination": "/data/data/com.software.application/shared_prefs/PREFS.xml.bak",
                    "source": "/data/data/com.software.application/shared_prefs/PREFS.xml"
                }
            ],
            "files_deleted": [
                "/data/data/com.software.application/shared_prefs/PREFS.xml.bak",
                "/data/data/com.software.application/shared_prefs/PREFS.xml"
            ],
            "files_opened": [
                "/data/data/com.software.application/shared_prefs/PREFS.xml",
                "/data/data/com.software.application/shared_prefs/PREFS.xml.bak"
            ],
            "has_html_report": true,
            "has_pcap": false,
            "http_conversations": [
                {
                    "request_headers": {
                        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
                        "accept-encoding": "gzip,deflate",
                        "accept-language": "en-US",
                        "connection": "keep-alive",
                        "host": "www.blablabla.com",
                        "user-agent": "Mozilla/5.0 (Linux; Android 4.4.2; VirtualBox Build/KVT49L) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36",
                        "x-requested-with": "com.android.browser"
                    },
                    "request_method": "GET",
                    "url": "http://www.blablabla.com/download.php"
                }
            ],
            "ip_traffic": [
                {
                    "destination_ip": "66.66.66.66",
                    "destination_port": 80,
                    "transport_layer_protocol": "TCP"
                }
            ],
            "last_modification_date": 1593383110,
            "sandbox_name": "VirusTotal Droidy",
            "services_opened": [
                "com.google.android.gms.people.service.bg.PeopleBackgroundTasks (com.google.android.gms)",
                "com.google.android.gms.icing.service.IndexWorkerService (com.google.android.gms)",
                "com.google.android.gsf.gtalkservice.PushMessagingRegistrar (com.google.process.gapps)"
            ],
            "shared_preferences_sets": [
                {
                    "key": "NET_OP",
                    "value": "46001"
                },
                {
                    "key": "SMS_DATA_KEY",
                    "value": "blablabla"
                }
            ],
            "signals_hooked": [
                "INTENT_DONE"
            ],
            "system_property_lookups": [
                "debug.force_rtl",
                "debug.second-display.pkg"
            ],
            "tags": [
                "TELEPHONY",
                "SENDS_SMS"
            ],
            "text_highlighted": [
                "Open",
                "This may cause charges on your mobile account.",
                "Remember my choice",
                "Cancel",
                "Send",
                "Download File"
            ]
        },
        "id": "cb41ce8487854d28441b74eef485d4044c7d474942624fde44c364c9c249f438_VirusTotal Droidy",
        "links": {
            "self": "https://www.virustotal.com/api/v3/file_behaviours/cb41ce8487854d28441b74eef485d4044c7d474942624fde44c364c9c249f438_VirusTotal Droidy"
        },
        "type": "file_behaviour"
    }
}
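The reports above are large, and a triage workflow usually wants a handful of fields out of them: the IDS alerts ordered by severity, the contacted hosts, the dropped-file hashes to pivot on, the registry writes, and which artifacts (PCAP, memdump, EVTX, HTML report) the has_* flags say are available. The following is an added example, not VirusTotal's own code. It assumes the attribute names documented on this page, the GET /files/{id}/behaviours endpoint and the v3 "x-apikey" request header; the helper names (fetch_behaviours, ids_alerts, summarize and so on) are this example's own, and the sample report is constructed from the Windows example above with one made-up "high" alert added so that severity sorting has something to do.

```python
"""Triage helper for VirusTotal v3 file_behaviour reports (added example, not
VirusTotal's own code). It assumes the attribute names documented above, the
GET /files/{id}/behaviours endpoint and the v3 "x-apikey" header; the helper
names are this example's own."""
import json
import urllib.request
from collections import Counter

VT_API = "https://www.virustotal.com/api/v3"
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1, "info": 0}   # alert_severity values
ARTIFACT_FLAGS = {"has_pcap": "pcap", "has_memdump": "memdump",  # has_* flag -> artifact
                  "has_evtx": "evtx", "has_html_report": "html_report"}

# Constructed sample trimmed from the Windows example above; the "high" alert
# (rule_id 0000000) is made up so that severity sorting has something to do.
SAMPLE_REPORT = {"data": {
    "id": "<file_sha256>_VirusTotal Jujubox", "type": "file_behaviour",
    "attributes": {
        "analysis_date": 1593304117,
        "has_html_report": True, "has_pcap": True, "has_memdump": False,
        "processes_created": [
            "C:\\Windows\\system32\\regsvr32.exe /s C:\\Windows\\system32\\jscript.dll"],
        "files_dropped": [{
            "path": "C:\\Users\\<USER>\\AppData\\Local\\Temp\\blablabla.tmp",
            "sha256": "b20a8d88c550981137ed831f2015f5f11517aeb649c29642d9d61dea5ebc37d1"}],
        "ids_results": [
            {"alert_severity": "low", "rule_id": "2200007",
             "rule_msg": "SURICATA IPv4 padding required",
             "alert_context": {"dest_ip": "234.0.0.12", "protocol": "IGMP"}},
            {"alert_severity": "high", "rule_id": "0000000",
             "rule_msg": "CONSTRUCTED example alert",
             "alert_context": {"dest_ip": "66.66.66.66", "dest_port": 80,
                               "hostname": "blablabla.com"}}],
        "registry_keys_set": [
            {"key": "Software\\Microsoft\\RestartManager\\Session0000\\Sequence", "value": "1"},
            {"key": "Software\\Microsoft\\RestartManager\\Session0000\\SessionHash"}],
        "tls": [{"sni": "clients2.google.com", "version": "TLS 1.2"}],
    }}}


def fetch_behaviours(sha256, api_key, timeout=30):
    """Fetch the behaviour reports for a file hash (needs network; not run offline)."""
    req = urllib.request.Request(f"{VT_API}/files/{sha256}/behaviours",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def _attrs(report):
    return report["data"]["attributes"]


def ids_alerts(report):
    """IDS alerts sorted most severe first. The attribute list names the field
    ids_alerts while the JSON examples use ids_results, so accept both."""
    alerts = _attrs(report).get("ids_alerts") or _attrs(report).get("ids_results") or []
    return sorted(alerts, reverse=True,
                  key=lambda a: SEVERITY_RANK.get(a.get("alert_severity", "info"), 0))


def network_indicators(report):
    """Destination IPs/hostnames from IDS alert context plus TLS SNI values."""
    found = set()
    for alert in ids_alerts(report):
        ctx = alert.get("alert_context", {})
        found.update(ctx[k] for k in ("dest_ip", "hostname") if ctx.get(k))
    found.update(t["sni"] for t in _attrs(report).get("tls", []) if t.get("sni"))
    return sorted(found)


def registry_writes(report):
    """(key, value) pairs; value is None when an entry carries no value, as the
    SessionHash entry in the Windows example does."""
    return [(e["key"], e.get("value")) for e in _attrs(report).get("registry_keys_set", [])]


def dropped_hashes(report):
    """SHA-256 of every dropped file, ready for a pivot to their own reports."""
    return {d["sha256"] for d in _attrs(report).get("files_dropped", []) if d.get("sha256")}


def summarize(report):
    """One flat dict a triage queue or SIEM enrichment step can consume."""
    attrs, alerts = _attrs(report), ids_alerts(report)
    return {
        "id": report["data"]["id"],
        "analysis_date": attrs.get("analysis_date"),
        "artifacts": [name for flag, name in ARTIFACT_FLAGS.items() if attrs.get(flag)],
        "top_alert": alerts[0]["rule_msg"] if alerts else None,
        "severity_counts": dict(Counter(a.get("alert_severity", "info") for a in alerts)),
        "network": network_indicators(report),
        "dropped_sha256": sorted(dropped_hashes(report)),
        "registry_writes": registry_writes(report),
        "process_count": len(attrs.get("processes_created", [])),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```

Every accessor uses .get() with a default because, as the examples show, fields are simply absent when nothing was observed (the Android report has no registry keys, the Windows report has no shared preferences), and a registry_keys_set entry may lack its value entirely. To run it against a live report, replace SAMPLE_REPORT with the result of fetch_behaviours(sha256, api_key) and iterate over the returned list, since a single file can have one report per sandbox.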

Relationships

In addition to the previously described attributes, file behaviour objects contain relationships with other objects in our dataset that can be retrieved as explained in the Relationships section.

The following table shows a summary of available relationships.

Relationship         Return object type
file                 A single File
attack_techniques    A list of Attack Techniques