Threatray relies on four core entities across both the API and the UI: sample, analysis, code region, and function. Analyzing a sample yields one or more analyses, and each analysis comprises one or more code regions. For binary files that contain code, each code region may in turn contain functions. The term code region refers generically to any potentially code-containing section within an analysis, such as a memory dump from dynamic analysis or the static analysis of the submitted file itself.

These base entities are uniquely identifiable:

  • sample: Identified by Hash (MD5, SHA1, SHA256)
  • analysis: Identified by UUID
  • code region: Identified by analysis identifier, hash (MD5, SHA1, SHA256), PID, base address
  • function: Identified by code region identifier, effective address

API endpoints return enough information about these entities to drive subsequent calls, for example fetching an analysis report after searching for analyses.

Certain API actions initiate tasks that last seconds or minutes, notably file and URL submissions and YARA ruleset modifications. These actions return a task ID that is used to track the task's status, which is one of the following:

  • queued: Awaiting processing
  • analyzing: Undergoing processing
  • done: Successfully completed
  • failed: Unsuccessful due to an error
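As an added illustration (not Threatray's own client code), the following poller treats the four task states above as a small state machine: it keeps waiting while the task is queued or analyzing, returns on done, raises on failed, and refuses to spin on an unrecognised state. The `fetch_status` callback and its response dict are assumptions, since the page does not specify the status endpoint or its response format; `scripted_status` is a constructed stand-in for that endpoint so the code runs offline.

```python
import time
from typing import Callable, Iterable

# Task states as listed in the Threatray documentation above.
PENDING_STATES = {"queued", "analyzing"}


class TaskFailed(RuntimeError):
    """Raised when the task ends in the 'failed' state."""


class TaskTimeout(TimeoutError):
    """Raised when the task is still pending after the wait budget is spent."""


def poll_task(task_id: str,
              fetch_status: Callable[[str], dict],
              max_wait: float = 300.0,
              initial_delay: float = 1.0,
              max_delay: float = 15.0,
              sleep: Callable[[float], None] = time.sleep) -> dict:
    """Poll a task until it is 'done' (returned) or 'failed' (raised).

    fetch_status(task_id) is an assumed callback wrapping the real status
    endpoint; it must return a dict with at least a 'status' key.
    """
    waited = 0.0
    delay = initial_delay
    while True:
        resp = fetch_status(task_id)
        status = resp.get("status")
        if status == "done":
            return resp
        if status == "failed":
            raise TaskFailed(f"task {task_id} failed: {resp.get('error', 'unknown error')}")
        if status not in PENDING_STATES:
            # An unknown state is a client/server mismatch, not something to wait on.
            raise ValueError(f"task {task_id}: unexpected status {status!r}")
        if waited >= max_wait:
            raise TaskTimeout(f"task {task_id} still {status} after {max_wait}s")
        sleep(delay)
        waited += delay
        delay = min(delay * 2, max_delay)  # exponential backoff, capped


def scripted_status(sequence: Iterable[dict]) -> Callable[[str], dict]:
    """Constructed fake endpoint: replays the given responses, then repeats the last."""
    it = iter(sequence)
    last: dict = {}

    def fetch(_task_id: str) -> dict:
        nonlocal last
        last = next(it, last)
        return last
    return fetch
```

Injecting `sleep` lets the same loop be exercised in tests without real delays; in production the default `time.sleep` applies.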