5.2.4. `Reports` screen of the Web UI

5.2.4.1. Overview of the `Reports` screen

After pressing the `Reports` button on the navigation bar, the `Reports` screen is displayed.
This screen enables:

  • Viewing reports in order to analyse the results

  • Filtering them

  • Exporting reports in PDF format

  • Downloading the analysed file

../../_images/GBOX-OP15.PNG

It includes the following main items:

| Marker | Name |
|---|---|
| 1 | Number of reports in the log (here 2) |
| 2 | Area enabling searches in reports |
| 3 | Configuration zone |
| 4 | Detailed reports area |


5.2.4.2. Zone enabling searches

This zone enables reports to be filtered using the following criteria.

../../_images/GBOX-OP16.PNG

| Marker | Field | Description |
|---|---|---|
| 1 | `Search for an analysis` | Filters reports according to the entered input. The filter is applied to the `FILENAME`, `FILE HASH (SHA256)` and `THREAT NAMES` fields. |
| 2 | `Hide advanced search fields` | Shows / hides the advanced search fields |
| 3 | `Yara rule` | Yara rule name (for example shellcode or stack) |
| 4 | `Signature` | Signature name (injection or cmdline, for example) |
| 5 | `TTPs` | Tactics, Techniques and Procedures (e.g. T1059 or script) |
| 6 | `Malware behaviour catalog` | Catalogue of malicious behaviour (e.g. C0007 or memory allocation) |
| 7 | `Malware family` | Malware family (e.g. formware or nanocore) |
| 8 | `File Hashes` | All or part of a file hash (MD5, SHA1, SHA256, SHA512, CRC32, TLSH, SSDEEP) |
| 9 | `Network` | Network indicators (ids, hosts, domain name or ip) |


5.2.4.3. Configuration zone

This zone enables configuring how the reports are displayed.

../../_images/GBOX-OP17.PNG

| Marker | Name | Description |
|---|---|---|
| 1 | `Auto refresh` | Automatically refreshes the list of reports |
| 2 | `Hide analysis without threat score` | Hides the analyses for which no threat score was produced |

Note

If the GBox receives the files directly, without going through a GCenter, then an analysed file receiving a score of zero can be considered as healthy for the engines used.
If the GBox receives the files from a GCenter, then the analysed files are already deemed suspicious.
A score of zero alone is not enough for them to be considered healthy: an analyst must examine the reports and take into account the engines used (and not used!) during the analysis.
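The rule in the note above, written out as a triage helper. This is an added example, not GBox code: the `Analysis` record and the `source` values (`"direct"` for a file submitted straight to the GBox, `"gcenter"` for a file forwarded by a GCenter) are assumptions, the engine names are the ones this page mentions, and the sample analyses are constructed. Alongside the verdict it lists the engines that did not take part, which is what an analyst needs in order to judge what a zero score actually covers.

```python
"""Triage rule taken from the `Hide analysis without threat score` note.

Added example, not GBox code. The `Analysis` record and the `source` values
("direct" = submitted straight to the GBox, "gcenter" = forwarded by a
GCenter) are assumptions; the engine names are those the page mentions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Engines named on the page; only Gmalcore and Goasm produce a threat score.
KNOWN_ENGINES = ("Gmalcore", "Goasm", "Grip", "Gnest")


@dataclass
class Analysis:
    id: int
    source: str              # "direct" or "gcenter" (assumed values)
    score: Optional[int]     # None when no engine produced a threat score
    analysers: List[str]     # engines used for this analysis


def triage(a: Analysis) -> dict:
    """Apply the note's rule and list the engines that did NOT take part."""
    not_used = [e for e in KNOWN_ENGINES if e not in a.analysers]
    result = {"id": a.id, "engines_not_used": not_used}
    if a.score is None:
        # Nothing to conclude from: this is what the toggle hides.
        result.update(verdict="no threat score", needs_analyst=True)
    elif a.score > 0:
        result.update(verdict="suspicious or malicious", needs_analyst=True)
    elif a.source == "gcenter":
        # Files forwarded by a GCenter are already deemed suspicious;
        # a zero score alone does not clear them.
        result.update(verdict="suspicious (zero score, GCenter origin)",
                      needs_analyst=True)
    else:
        # Direct submission with a zero score: healthy for the engines used.
        # engines_not_used tells the analyst what that verdict does not cover.
        result.update(verdict="healthy for engines used", needs_analyst=False)
    return result


def triage_all(analyses: List[Analysis]) -> List[dict]:
    return [triage(a) for a in analyses]


# Constructed sample analyses (not real GBox records).
SAMPLE_ANALYSES = [
    Analysis(1, "direct", 0, ["Gmalcore", "Goasm", "Grip", "Gnest"]),
    Analysis(2, "direct", 0, ["Gmalcore"]),
    Analysis(3, "gcenter", 0, ["Gmalcore", "Gnest"]),
    Analysis(4, "gcenter", 63, ["Gmalcore"]),
    Analysis(5, "direct", None, ["Grip"]),
]

if __name__ == "__main__":
    for row in triage_all(SAMPLE_ANALYSES):
        print(row)
```

Running the block prints one row per constructed analysis; analysis 2 comes back as healthy but with Goasm, Grip and Gnest listed as not used, while analysis 3 keeps its suspicious verdict despite the zero score because it came from a GCenter.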

5.2.4.4. Reports area

This area displays the details of the analyses performed.
Each line represents a separate analysis. The information for each analysis is presented and detailed in the table below.

../../_images/GBOX-OP18.PNG

Note

The information listed in the table below consists of the same fields as the reports on the `Home` screen.

| Marker | Name | Description |
|---|---|---|
| 1 | `ID` | Analysis number. The listed reports are sorted from the most recent to the earliest. Clicking on this field opens the `Analysis report` page for this report |
| 2 | `SUBMISSION DATE` | Time and date of the analysis submission |
| 3 | `FILENAME` | Name of the analysed file. Clicking on this field copies the name to the clipboard |
| 4 | `FILE HASH (SHA256)` | SHA256 of the file. Clicking on this field copies the hash to the clipboard |
| 5 | `ANALYSERS` | Names of the engines used for the analysis |
| 6 | `SCORE` | Global threat analysis score calculated from the analysis scores reported by the various engines |
| 7 | `THREAT NAMES` | Name of the threat reported by the Gmalcore module (or n/a). Clicking on this field copies the hash to the clipboard |
| 8 | `DONE DATE` | End date and time of the analysis |
| 9 | `STATUS` | Overall status of the analysis: Done, In Progress, In queue or Error. In the event of an error, further information is available in the analysis report |
| 10 | `ACTIONS` | Possible actions: download the report in PDF format |

The fields below are additional fields enabling report filtering.

| Marker | Name | Description |
|---|---|---|
| 11 | `Filter by status` | Filters the reports by a status selected from the list |
| 12 | `Filter by threat` | Filters the reports by the threat name entered |
| 13 | `Filter by analyser` | Filters the reports by an engine name selected from the list |
| 14 | `Filter by hash` | Filters the reports by the hash entered |
| 15 | `Filter by name` | Filters the reports by the file name entered |
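A local model of the filters described in the search zone (5.2.4.2) and in the additional filter fields above, written as an added example rather than GBox code. The `Report` record is an assumption that mirrors the column titles of the reports area (`FILENAME`, `FILE HASH (SHA256)`, `THREAT NAMES`, `ANALYSERS`, `STATUS`, `SCORE`), the sample records are constructed, and `compute_hashes()` produces the digest types the `File Hashes` filter accepts (TLSH and SSDEEP are left out because they need third-party libraries). It shows the difference between the free-text search, which only looks at three columns, and the hash filter, which matches any part of any digest.

```python
"""Local model of the `Reports` screen filters. Added example, not GBox code.

The `Report` record mirrors the column titles on the screen; its layout and
the sample records below are assumptions constructed for this example.
"""
import hashlib
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Report:
    id: int
    filename: str
    hashes: Dict[str, str]        # algorithm name -> lowercase hex digest
    threat_names: List[str]       # empty list stands for "n/a"
    analysers: List[str]          # engines used, e.g. ["Gmalcore"]
    status: str                   # Done, In Progress, In queue or Error
    score: Optional[int]          # None when no threat score was produced


def compute_hashes(data: bytes) -> Dict[str, str]:
    """Digests the `File Hashes` filter can match on (TLSH/SSDEEP omitted)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
        "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
    }


def search_analysis(reports: List[Report], text: str) -> List[Report]:
    """`Search for an analysis`: case-insensitive substring match on the
    FILENAME, FILE HASH (SHA256) and THREAT NAMES columns only."""
    needle = text.lower()
    hits = []
    for r in reports:
        fields = [r.filename, r.hashes.get("sha256", ""), *r.threat_names]
        if any(needle in f.lower() for f in fields):
            hits.append(r)
    return hits


def filter_by_hash(reports: List[Report], fragment: str) -> List[Report]:
    """`File Hashes` / `Filter by hash`: all or part of any stored digest."""
    frag = fragment.lower()
    return [r for r in reports if any(frag in h for h in r.hashes.values())]


def filter_by_status(reports: List[Report], status: str) -> List[Report]:
    """`Filter by status`: exact match on the STATUS column."""
    return [r for r in reports if r.status == status]


def filter_by_analyser(reports: List[Report], engine: str) -> List[Report]:
    """`Filter by analyser`: reports in which the given engine took part."""
    return [r for r in reports if engine in r.analysers]


def hide_without_score(reports: List[Report]) -> List[Report]:
    """`Hide analysis without threat score` toggle."""
    return [r for r in reports if r.score is not None]


# Constructed sample content; the digests derive from it and are not real IoCs.
_INVOICE = b"constructed sample: invoice.docm"
_SETUP = b"constructed sample: setup.exe"

SAMPLE_REPORTS = [
    Report(2, "invoice.docm", compute_hashes(_INVOICE), ["Trojan.Downloader.Test"],
           ["Gmalcore", "Gnest"], "Done", 87),
    Report(1, "setup.exe", compute_hashes(_SETUP), [], ["Gmalcore"], "In queue", None),
]

if __name__ == "__main__":
    for r in search_analysis(SAMPLE_REPORTS, "trojan"):
        print(r.id, r.filename, r.score)
    for r in filter_by_hash(SAMPLE_REPORTS, SAMPLE_REPORTS[1].hashes["md5"][:10]):
        print("hash prefix match:", r.id, r.filename)
```

The free-text search finds the constructed `invoice.docm` record by its threat name, while a ten-character prefix of the MD5 is enough for the hash filter to isolate `setup.exe`, which is the behaviour the `File Hashes` field documents.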


5.2.4.5. Detailed report

../../_images/GBOX-OP18.PNG

After pressing the ID (1) of a report, the detailed report is displayed.

../../_images/GBOX-OP19.PNG

Depending on the engines selected in the model during the analysis, certain information may or may not be displayed; these cases are indicated individually below.
In the example above, the report was run on a model in which only the Gmalcore engine was active.
The analysis report includes all the information extracted from the file submitted to the various analysis engines.

5.2.4.5.1. Information included in this report

The information contained in this report is:

1. Summary of the analysis results:

  • The result (Threat Score) of the global analysis, calculated from the analysis scores provided by the various Gmalcore engines:
    - 0% for a file found to be healthy by the engines used
    - up to 100% (maximum value) for a file reported as malicious

  • The number of engines involved (here 1/1 analysers)

  • The overall status (healthy, suspicious or malicious): here Clean, i.e. healthy

  A score is only provided for the Gmalcore and Goasm engines.

2. Summary of the analysis stages:

  • The list of engines used: here Gmalcore

  • The result of loading the file into each engine: here, for Gmalcore, the tick indicates that loading was successful

  • On the right, the result of the analysis: here the icon indicates OK

3. Information on:

  • A chart (see note below)

  • The analysis (hash and date)

  • The file (name, sha256)

4 and 5. Optional analysis sections. Which sections appear depends on the engines in the template.
  In this example, only the `Analysis options` (4) and `Heuristic` (5) sections are displayed; each section can be folded / unfolded.
  The `Heuristic` section (5) shows the results for each of the engines: here the 16 engines making up Gmalcore.

6. The `SAMPLE` button enables you to download the analysed file.
  The downloaded file is compressed and protected by a password (the password is `infected`).
  Once decompressed, the analysed file has a .sample extension.

7. The `REPORT` button enables downloading the report in PDF format.

8. The `RETRY` button enables re-running the analysis of this file with this or another template.

9. The `Analysis sections` include shortcuts for opening these sections and refocusing the display.
  These sections provide details of the analyses from the engines defined in the analysis model.
  This information enables an analyst to obtain a more precise idea of the anatomy and behaviour of the file when it is opened and executed.
  In this example, only the `Top`, `Analysis options` and `Heuristic` sections are displayed.

  Depending on the combination of engines employed, some sections may be omitted from this list: details are provided in the table below.

  The `ALL ARTEFACTS` button enables downloading of the artefacts resulting from the analysis, such as a memory dump, a network capture (pcap) or the character strings detected.
  This section also enables the removal of artefacts.
  This button is only available if the Gnest engine is active.
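The `SAMPLE` download described under marker 6 is a password-protected archive whose member carries a .sample extension. The following added example (not GBox code) unpacks such a download into a quarantine directory without ever executing the content: it applies the documented password `infected`, accepts only flat `*.sample` members, refuses directory components and oversized entries, and writes the result read-only. That the container is a zip archive is an assumption; because Python's `zipfile` cannot write encrypted archives, the constructed test archive is unencrypted, which the same `extract_sample()` handles identically apart from not needing the password.

```python
"""Unpack a `SAMPLE` download into a quarantine directory.

Added example, not GBox code. The page documents the password (`infected`)
and the .sample extension; the zip container format is an assumption.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

SAMPLE_PASSWORD = b"infected"            # password documented on the page
MAX_SAMPLE_BYTES = 256 * 1024 * 1024      # assumption: size ceiling per member


def extract_sample(archive_bytes: bytes, quarantine: Path) -> List[Path]:
    """Write each *.sample member into `quarantine`, read-only, never executing it.

    Members with directory components (zip-slip), a different extension or an
    oversized declared size are rejected before anything is written.
    """
    quarantine = quarantine.resolve()
    quarantine.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = Path(info.filename).name          # strip any path component
            if name != info.filename or name in ("", ".", ".."):
                raise ValueError(f"refusing member path {info.filename!r}")
            if not name.endswith(".sample"):
                raise ValueError(f"unexpected member {name!r}, expected *.sample")
            if info.file_size > MAX_SAMPLE_BYTES:
                raise ValueError(f"member {name!r} exceeds size limit")
            # pwd is only consulted for encrypted members (a real GBox download);
            # an unencrypted member is read as-is.
            data = zf.read(info, pwd=SAMPLE_PASSWORD)
            target = quarantine / name
            target.write_bytes(data)
            os.chmod(target, 0o400)                  # owner read-only, not executable
            written.append(target)
    return written


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Constructed stand-in archive for offline use (unencrypted, since
    Python's zipfile can read but not write encrypted zips)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> List[str]:
    """Extract a constructed archive into a temporary quarantine directory
    and return the names of the members whose content was written intact."""
    archive = build_archive({"report42.sample": b"constructed sample bytes"})
    with tempfile.TemporaryDirectory() as tmp:
        paths = extract_sample(archive, Path(tmp))
        return [p.name for p in paths if p.read_bytes() == b"constructed sample bytes"]


def rejects(member_name: str) -> bool:
    """True if extract_sample() refuses an archive holding `member_name`."""
    archive = build_archive({member_name: b"x"})
    with tempfile.TemporaryDirectory() as tmp:
        try:
            extract_sample(archive, Path(tmp))
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(demo(), rejects("../escape.sample"), rejects("report42.exe"))
```

For a real download, read the archive bytes from disk and call `extract_sample()` with a dedicated quarantine path; the extracted .sample file is then available for static inspection (hashing, strings, the `RETRY` submission) without ever being given an executable name or permission.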

5.2.4.5.2. List of sections included in the `Analysis sections`

| Section title | Description | Activated by the engine |
|---|---|---|
| `Top` | Shortcut to the top section of the report, i.e. sections (1) to (3) | All engines |
| `Analysis options` | Option values used for the analysis | Grip and Gnest |
| `Iocs` | List of actions performed, including files, registry, network, processes, and so on | Gnest |
| `Ttps` | TTPs describe how a malicious actor operates: the way attackers orchestrate, execute and manage their operations. They contextualise a threat by revealing the steps or actions taken, for example when exfiltrating data | Gnest |
| `Static` | Metadata | Grip |
| `Overview` | Information about the file, including size, various hashes, type, etc. | Gnest |
| `Heuristic` | List of engines (Entry#x) and name of the threat reported by the Gmalcore module (or n/a) | Gmalcore |
| `Shellcode` | Shellcode detection result | Goasm |
| `Signatures` | List of yara signatures matching the analysed file | Gnest |
| `Process Tree` | Graphical representation of the process tree | Gnest |


5.2.4.5.3. Chart details

Note

The chart is only available if Gnest is part of the model. The data required for the chart is generated by this engine.

../../_images/GBOX-OP21.PNG

This graph enables viewing the dangerousness of the analysed file:

  • The threat category is given by the axes (1), (5) and (7): the titles and number of axes are provided by the engines

  • The degree of danger is indicated by the concentric circles:
    - the central circle (6) indicates the healthy level
    - the middle circle (3) indicates the suspicious level
    - the outer circle (2) indicates the malicious level

The summary for the file is read from the vertices of the shape shown (4).
In the example shown, the vertices indicate that the file is:

  • malicious on the `execution` axis (5)

  • suspicious on the `antidebug` axis (1)

  • healthy on the `stealth` axis (7)

For an analysis of a report, see the Procedure to analyse the contents of a report.