-
Notifications
You must be signed in to change notification settings - Fork 221
0x03_Description_of_JSON_Output
The root element of JSON format on dynamic result file is a list, which represent the behaviors executed by the sample. Each element in the list of root element corresponds to an action, which is also a list, and represent the detail of the action. An example and its explanation are shown below:
[
8,
"/root/test/bin/fork.64.elf (PID=2980, TID=2980)",
"getpid: ",
8020014,
"syscall\u5e8f\u5217\u4fe1\u606f"
],
Example 1. Data of an element representing an action of an ELF sample
| Order | Data | Explanation |
|---|---|---|
| 0 | 8 | Sequence number of the action |
| 1 | "/root/test/bin/fork.64.elf (PID=2980, TID=2980)", | For ELF sample, this is the operator of the action. |
| 2 | "getpid: ", | For ELF sample, this is the detail of the action, e.g., the destination file . |
| 3 | 8020014 | Unique ID of the action. |
| 4 | "syscall\u5e8f\u5217\u4fe1\u606f" | Readable description of the action ID for human, currently in Chinese. |
| 5 | Optional | Extra data of the action, e.g., the content of the file written by the sample. |
Fig 1. Explanation of an element of an action
The root element of JSON format on static result file is a dict, which represent the properties of the sample. Each item in the dict has a readable label in English as its key, and a list of data as its value, which represent a set of the similar properties. Each element of the list is also a dict.
There is always a key named "ID" in the secondary dict, which has a string of the unique ID of the property as its value. In most cases, all the secondary dicts in the same list have the same value of ID, but it is not a guarantee especially in some rare cases.
The other items in the secondary dict have their own readable keys and values. These keys are similar in the same list, but differ from others in different lists.
An example is shown below:
{
"Entry": [
{
"Entry": "4005a0",
"ID": "8010002"
}
],
"BaseInfo": [
{
"SHA1": "3504a486bd3dd6e3490477639ed2d913496f9e5d",
"MachineType": "x86-64",
"Name": "./test/bin/fork.64.elf",
"FileType": "ELF64",
"SizeInfo": 8796,
"__full_path": "./test/bin/fork.64.elf",
"SSDEEP": "96:GsTi4muGWHBRwUfEVlGWOSXR+WZIjkqvoJf7fya4B4d/Br:GsBtBRHsVwWOSFioJfAE/x",
"SHA256": "1656542794a8a26775a468b9df27750f6c102e2bfce4c8e344d7390bd146a8d8",
"ID": "8010001",
"MD5": "afa3eb8d2318481b5477c7728df72c0d"
}
],
...
}
Example 2. Data of a static result file
We have translated some descriptions of actions and properties. These translations are listed below in this part. Other descriptions are being translated, and will be provided as soon as we finish it.
As the next step, we plan to replace the description part of the result file from Chinese to English, and when we add or change a translation, it will be shown directly in the file.
| ID | Description of action |
|---|---|
| 8020005 | clone syscall, fork or vfork |
| 8020006 | execute a file |
| 8020007 | process exit |
| 8020008 | send signal |
| 8020411 | getpid |
| 8020412 | fork |
| 8020413 | wait |
| 8020414 | system |
| 8020201 | file open |
| 8020202 | file read |
| 8020203 | file write |
| 8020204 | file remove |
| 8020205 | file rename |
| 8020206 | readdir |
| 8020210 | self delete |
| 8020211 | self modify |
| 8020212 | lock file of self |
| 8020401 | socket |
| 8020402 | connect |
| 8020403 | query dns |
| 8020405 | send HTTP request |
| 8020407 | TCP package |
| 8020408 | HTTPS package |
| 8020410 | UDP package |
| 8020414 | gethostbyname |
| 8020415 | bind |
| 8020416 | send |
| 8020417 | recv |
| 8020418 | listen |
| 8020419 | accept |
| 8020601 | dlopen |
| 8020602 | dlsym |
| 8020603 | printf |
| 8020604 | puts |
| 8020605 | sprintf |
Fig 2. Translation of actions
| ID | Description of property |
|---|---|
| 8010001 | basic info |
| 8010002 | entry point |
| 8010003 | SO library |
| 8010006 | ELF header |
| 8010007 | ELF section |
| 8010008 | ELF segment |
| 8010009 | ELF symbol |
| 8010011 | exiftool info |
Fig 3. Translation of properties