{% extends "base.html" %} {% block content %}

For details on how to perform searches, get some .

ElasticSearch queries do not use a prefix, i.e. '*windows.*' would match 'time.windows.com'.

For MD5, SHA1, SHA3, SHA256 and SHA512 no prefix is needed (a bare hash will match any file generated by this analysis: binary, dropped, CAPE dump, etc.).

Prefix               Description
target_sha256:       SHA256 of the target
configs:             Family name
id:                  task_id. Example: id:1
ids:                 task_ids. Example: ids:1,2,3,4,5
options:             x=y. Example: options:function=DllMain
tags_tasks:          my_tag. Example: tags_tasks:mytag
package:             package. Example: package:ps1
name:                File name pattern
type:                File type/format
ssdeep:              Fuzzy hash
crc32:               CRC32 hash
imphash:             Search for PE Imphash
iconhash:            Search for exact hash of the icon associated with the PE
iconfuzzy:           Search for hash designed to match on similar-looking icons
file:                Opened files matching the pattern
command:             Executed commands matching the pattern
resolvedapi:         APIs resolved at runtime matching the pattern
key:                 Opened registry keys matching the pattern
mutex:               Opened mutexes matching the pattern
sport:               Source port. Example: sport:X
dport:               Destination port. Example: dport:443
port:                Search in source and destination ports. Example: port:X
ip:                  Contacted the specified IP address
domain:              Contacted the specified domain
url:                 Search for CAPE Sandbox URL analysis
signame:             Search for CAPE Sandbox signatures by signature name
signature:           Search for CAPE Sandbox signatures by signature description
detections:          Search for samples associated with a malware family
surimsg:             Search for Suricata alerts by MSG
surialert:           Search for Suricata alerts
surisid:             Search for Suricata alerts by SID
suriurl:             Search for URL in Suricata HTTP logs
suriua:              Search for User-Agent in Suricata HTTP logs
surireferrer:        Search for Referrer in Suricata HTTP logs
surihhost:           Search for Host in Suricata HTTP logs
suritlssubject:      Search for TLS Subject in Suricata TLS logs
suritlsissuerdn:     Search for TLS Issuer DN in Suricata TLS logs
suritlsfingerprint:  Search for TLS fingerprint in Suricata TLS logs
suritls:             Search for Suricata TLS
surihttp:            Search for Suricata HTTP
ja3_string:          Search for JA3 string
ja3_hash:            Search for JA3 hash
clamav:              Local ClamAV detections
yaraname:            Yara rule name for analysis samples (from binary folder)
capeyara:            Yara rule name for CAPE Yara hits (from cape folder)
procdumpyara:        Yara rule name for process dumps
procmemyara:         Yara rule name for process memory dumps
virustotal:          VirusTotal detected name
machinename:         Name of the target machine
machinelabel:        Label of the target machine
custom:              Custom data
shrikemsg:           Shrike Suricata alert MSG
shrikesid:           Shrike Suricata alert SID (exact int)
shrikeurl:           Shrike URL before mangling
shrikerefer:         Shrike Referrer
comment:             Search for analysis comments
malscore:            Search for malscore greater than the value
ttp:                 TTP id. Example: ttp:T1053
dhash:               hash
die:                 keyword. Example: die:obsidium
extracted_tool:      keyword. Example: extracted_tool:InnoExtract. See file_extra_info.py for the rest of the tool names
asn:                 AS ID. Example: asn:AS15169
asn_name:            ASN name. Example: asn_name:Google LLC
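As an added illustration, not CAPE's own search code, the following parser applies the rules above to a raw search term: a known prefix is split off and typed (integer ports and SIDs, comma-separated task ids, numeric malscore), a bare hex string is treated as a hash lookup, and anything else is passed through as a prefix-less free-text query. Recognising bare hashes by hex length and reading 96 hex characters as SHA3-384 are assumptions of this example; the page does not say how CAPE detects them.

```python
import re

# Every prefix from the help table above; values may contain spaces or commas.
KNOWN_PREFIXES = {
    "target_sha256", "configs", "id", "ids", "options", "tags_tasks", "package",
    "name", "type", "ssdeep", "crc32", "imphash", "iconhash", "iconfuzzy", "file",
    "command", "resolvedapi", "key", "mutex", "sport", "dport", "port", "ip",
    "domain", "url", "signame", "signature", "detections", "surimsg", "surialert",
    "surisid", "suriurl", "suriua", "surireferrer", "surihhost", "suritlssubject",
    "suritlsissuerdn", "suritlsfingerprint", "suritls", "surihttp", "ja3_string",
    "ja3_hash", "clamav", "yaraname", "capeyara", "procdumpyara", "procmemyara",
    "virustotal", "machinename", "machinelabel", "custom", "shrikemsg", "shrikesid",
    "shrikeurl", "shrikerefer", "comment", "malscore", "ttp", "dhash", "die",
    "extracted_tool", "asn", "asn_name",
}
# Hash type by hex length (assumption: bare hashes are recognised by length;
# the page does not name the SHA3 variant, 96 hex chars = SHA3-384 is a guess).
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha3", 128: "sha512"}
INT_ONLY = {"id", "sport", "dport", "port", "surisid", "shrikesid"}

def parse_search_term(term):
    """Return (field, value): a known prefix, a detected hash type, or
    'fulltext' for a prefix-less ElasticSearch-style query."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    prefix, sep, value = term.partition(":")
    prefix = prefix.lower()
    if sep and prefix in KNOWN_PREFIXES:
        value = value.strip()
        if not value:
            raise ValueError(f"{prefix}: needs a value")
        if prefix == "ids":          # ids:1,2,3,4,5 -> list of task ids
            return prefix, [int(v) for v in value.split(",")]
        if prefix in INT_ONLY:       # ports, task id and Suricata/Shrike SIDs
            if not value.isdigit():
                raise ValueError(f"{prefix}: expects an integer, got {value!r}")
            return prefix, int(value)
        if prefix == "malscore":     # "greater than the value"
            return prefix, float(value)
        return prefix, value
    # No known prefix: a bare hex string of a hash length matches any file the
    # analysis produced (binary, dropped, CAPE dump, ...).
    if len(term) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", term):
        return HASH_LENGTHS[len(term)], term.lower()
    # Otherwise it is a free-text query, e.g. '*windows.*' -> 'time.windows.com'.
    return "fulltext", term
```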
{% if term %}
Term {{term}}
{% if settings.ZIPPED_DOWNLOAD_ALL and term_only in 'capetype,capeyara' %}
Download All Files
{% endif %}
{% endif %}

{% if analyses != None %}
{% if analyses|length > 0 %}

Search Results

ID  Timestamp  Package  Filename  Target  Detections  PKG  Moloch  Martians  SuriAlert{% if config.expanded_dashboard %}/HTTP/TLS/Files{% endif %}  VT  MalScore  Detections  PCAP  ClamAV  Custom  Shrike  Status

{% for analysis in analyses %}
{{analysis.id}}
{% if analysis.status == "reported" %}{{analysis.completed_on}}{% else %}{{analysis.added_on}} (added on){% endif %}
{{analysis.package}}
{% if analysis.filename %}{{analysis.filename}}{% else %}None{% endif %}
{% if analysis.status == "reported" %}
  {% if analysis.category == "url" %}{{analysis.target}}{% else %}{{analysis.sample.md5}}{% endif %}
{% else %}
  {% if analysis.category == "url" %}{{analysis.target}}{% else %}{{analysis.sample.md5}}{% endif %}
{% endif %}
{% if analysis.detections %}
  {% if analysis.detections|is_string %}{{analysis.detections}}
  {% elif analysis.detections|length == 1 %}{{analysis.detections.0.family}}
  {% elif analysis.detections|length > 1 %}Multiple
  {% endif %}
{% endif %}
{% if analysis.package %}{{analysis.package}}{% else %}None{% endif %}
{% if analysis.moloch_url %}MOLOCH{% else %}None{% endif %}
{% if analysis.mlist_cnt %}{{analysis.mlist_cnt}}{% else %}None{% endif %}
{% if analysis.f_mlist_cnt %}{{analysis.f_mlist_cnt}}{% else %}None{% endif %}
{% if analysis.suri_alert_cnt %}{{analysis.suri_alert_cnt}}/{{analysis.suri_http_cnt}}/0/{{analysis.suri_tls_cnt}}/0/{{analysis.suri_file_cnt}}/0{% endif %}
{% if analysis.virustotal_summary %}{{analysis.virustotal_summary}}{% else %}None{% endif %}
{% if analysis.malscore != None %}{{analysis.malscore|floatformat:1}}{% else %}None{% endif %}
{% if analysis.detections %}{{analysis.detections}}{% else %}None{% endif %}
{% if analysis.pcap_sha256 %}PCAP{% else %}None{% endif %}
{% if analysis.clamav %}{{analysis.clamav}}{% else %}None{% endif %}
{% if analysis.custom %}{{analysis.custom}}{% else %}None{% endif %}
{% if analysis.shrike_msg %}
  {% if analysis.status == "reported" %}{{analysis.shrike_msg}}{% else %}{{analysis.shrike_msg}}{% endif %}
{% else %}None{% endif %}
{% if analysis.status == "pending" %}pending
{% elif analysis.status == "running" %}running
{% elif analysis.status == "completed" %}processing
{% elif analysis.status == "reported" %}reported
{% else %}{{analysis.status}}
{% endif %}
{% endfor %}

{% else %}
No results found.
{% endif %}
{% else %}
{% if error %}
{{error}}
{% endif %}
{% endif %}
{% endblock %}