Submitting files
Threatray supports the submission and analysis of various file types and URLs, both through the user interface (UI) and the API. All submissions are private to your instance and not shared.
Dynamic and static file analysis
Dynamic analysis involves executing the file within a sandbox environment. This method is recommended for all unknown files unless specific circumstances require static-only analysis (see below). For documents or scripts, dynamic analysis is mandatory, as static analysis is not provided for these file types.
Below is the submission dialogue for dynamic analysis. This dialogue includes standard options such as selecting the virtual machine, setting the analysis duration, and configuring timeout settings. More advanced options can be given to handle compound samples, calling DLL exports and giving optional command line arguments.
Static analysis is ideal for shellcode, non-executable code dumped from memory, manually unpacked code, "broken" binaries, and PE files that cannot be executed. In these scenarios, dynamic analysis is either unsuitable or unnecessary because the code is not runnable or has already been unpacked. Advanced users can take advantage of various options in static analysis, such as specifying the base address of the code to be analyzed.
It is important to note that static analysis is not recommended for packed code; dynamic analysis should be used instead for unpacking.
File types supported
Threatray supports the following binary file types (x86-32 and x86-64) for both dynamic and static analysis:
- Windows executable files (.exe, .dll, .sys, .ocx)
- Windows Installer files (.msi)
For static analysis, the following binary file types (x86-32 and x86-64) are supported:
- Shellcode and memory dumps of PE files (not executable but containing code)
For dynamic analysis, the following document and script file types are supported:
- PowerShell scripts (.ps1)
- Visual Basic scripts (.vbs, .vbe)
- Command and batch files (.cmd, .bat)
- Microsoft link files (.lnk)
- JavaScript files (.js, .jse)
- Microsoft documents (.docx, .xlsx, .pptx, etc.)
- PDF documents (.pdf)
- OneNote documents (.one)
- Others (.hta, .chm, .wsf)
Threatray also supports archive submissions. All files within an archive (up to a limit of 100) will be analyzed individually by default. Supported archive types include ZIP, 7-Zip, RAR, gzip, POSIX-tar, and ISO9660. Archives can be password-protected using the password ‘infected’.
If the option 'Submit as compound sample' is selected, the archive file will be treated as the primary sample, and all files within the archive will be placed in the sandbox environment. The entry point, which specifies which executable file inside the archive should be executed, is mandatory. Supported file types for the entry point are all types listed above as supported for dynamic analysis.
The files are placed in C:\Users\%USERNAME%\Desktop
, which serves as the current working directory for the entry point. If some files within the archive need to access other files in the same archive, such as a batch or PS1 script, you may need to use absolute paths. This is because processes like cmd.exe or powershell.exe run in a different working directory.
Compound sample submissions can optionally be combined with command line arguments or manually selected DLL exports to call. In the example shown below, the autoit3.exe file inside the archive is executed along with the command line argument 'script.a3x'.
Command line arguments can be given during normal file submissions as well. Supported file types to combine with command line arguments are all types listed above as supported for dynamic analysis, excluding DLL files and documents.
When DLL files are submitted for dynamic analysis, Threatray automatically invokes all DLL exports during the sandboxing phase. If there are more than 20 exports, it will invoke the first and last 10 exports. Alternatively, you can override this behavior and specify which DLL export should be invoked for executing the DLL.
Minidump analysis
Minidump analysis provides a rapid means to investigate potential malware infections within a minidump of a process. To this end Threatray conducts static analysis on all memory sections within a minidump.
Various methods exist for generating minidumps; to create a minidump of the process on the targeted system, we recommend using Sysinternals’ procdump.exe with a user account having elevated privileges and the -ma flag:
procdump.exe -ma <pid>
While minidumps from other tools are acceptable for submission, they might lack crucial memory fragments needed for effective threat identification.
To upload a file for Minidump analysis, use the file submission UI and select the Minidump analysis mode.
Trellix HX MANS analysis
Trellix HX provides the capability to acquire process memory data from host endpoints with the process-memoryacquire
audit, as detailed in this documentation. The acquisition generates a MANS file, which Threatray can analyze by performing static analysis on all memory sections within the file.
To upload a file for MANS analysis, use the file submission UI and select the MANS analysis mode.
Analyzing files using URLs
An alternative method for file analysis is to submit a URL for examination. The system loads the URL in a web browser, attempts to download the referenced files, and then dynamically analyzes these files.
Updated 16 days ago