Once an analysis is completed, several files are stored in a dedicated directory. Unless you configured it otherwise, every analysis is saved under analysis/ in a subdirectory named after the numerical ID that the database assigned to that analysis.
Following is an example of analysis results:
    .
    |-- additional
    |-- analysis.conf
    |-- analysis.log
    |-- dump.pcap
    |-- files
    |   |-- dropped.tmp
    |   `-- dropped.exe
    |-- logs
    |   |-- 1232.csv
    |   |-- 1540.csv
    |   `-- 1118.csv
    |-- reports
    |   |-- report.html
    |   |-- report.json
    |   `-- report.txt
    |-- malware.exe
    `-- shots
        |-- shot_001.jpg
        |-- shot_002.jpg
        |-- shot_003.jpg
        `-- shot_004.jpg
analysis.conf is a configuration file automatically generated by Cuckoo to pass parameters to the guest component (the analyzer). It is generally not relevant to end users, since it is used only internally by Cuckoo.
analysis.log is the log file written by the Cuckoo analyzer. It tracks the execution of the analysis and may report errors that occurred during it, so it is the first file to check when an analysis produces incomplete results.
dump.pcap is the packet capture containing all network traffic generated by the virtual machine while the malware was executing.
The additional/ directory can hold any additional file or data that was not generated by the malware, for example memory dumps, dumped configurations or anything else you want to store during an analysis.
The files/ directory contains all files created or deleted by the malware that Cuckoo was able to dump successfully.
The logs/ directory contains the raw CSV-like logs generated by the monitored processes, one file per process (the numeric file names in the example above are process IDs). These hold the concrete behavioral tracing results.
The reports/ directory contains the abstract analysis reports generated automatically by Cuckoo. The number and format of these reports depend on the configuration explained in the Configuration chapter.
The shots/ directory contains the screenshots of the Windows desktop taken during the analysis execution.
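As an added example that is not part of Cuckoo's own code, the script below inventories an analysis results directory laid out as described above: it checks that the expected entries are present, surfaces error lines from analysis.log, hashes every dropped file in files/, lists the monitored process IDs from logs/, and counts reports and screenshots. It builds a constructed sample tree in a temporary directory so it runs offline; the file contents in that sample are placeholders, not real analysis output, and the ERROR/CRITICAL line matching is an assumption about the log format rather than something the page specifies.

```python
"""Inventory a Cuckoo analysis results directory.

Added example; not Cuckoo's own code. Assumes the layout described on the
page (analysis.conf, analysis.log, dump.pcap, additional/, files/, logs/,
reports/, shots/). The sample directory built below is constructed data.
"""
import hashlib
import tempfile
from pathlib import Path

EXPECTED_TOP_LEVEL = ("analysis.conf", "analysis.log", "dump.pcap")
EXPECTED_DIRS = ("additional", "files", "logs", "reports", "shots")


def sha256_file(path):
    """Hash a dropped file so it can be matched against threat-intel feeds."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_analysis(analysis_dir):
    """Summarise one analysis directory; returns a plain dict."""
    root = Path(analysis_dir)
    result = {
        "missing": [],          # expected entries that are absent
        "errors": [],           # error lines found in analysis.log
        "dropped_files": {},    # name -> sha256 of files in files/
        "monitored_pids": [],   # PIDs derived from logs/<pid>.csv
        "reports": [],          # report file names in reports/
        "screenshots": 0,       # number of shot_*.jpg in shots/
        "pcap_bytes": 0,        # size of dump.pcap
    }
    for name in EXPECTED_TOP_LEVEL + EXPECTED_DIRS:
        if not (root / name).exists():
            result["missing"].append(name)

    # analysis.log is the analyzer's own log; surface lines flagged as errors
    # (assumed log-level keywords, not a format guaranteed by the page)
    log = root / "analysis.log"
    if log.is_file():
        for line in log.read_text(errors="replace").splitlines():
            if "ERROR" in line or "CRITICAL" in line:
                result["errors"].append(line.strip())

    pcap = root / "dump.pcap"
    if pcap.is_file():
        result["pcap_bytes"] = pcap.stat().st_size

    # files/ holds what the sample created or deleted; hash each dropped file
    files_dir = root / "files"
    if files_dir.is_dir():
        for f in sorted(files_dir.iterdir()):
            if f.is_file():
                result["dropped_files"][f.name] = sha256_file(f)

    # logs/ has one CSV-like trace per monitored process, named by PID
    logs_dir = root / "logs"
    if logs_dir.is_dir():
        result["monitored_pids"] = sorted(
            int(f.stem) for f in logs_dir.glob("*.csv") if f.stem.isdigit()
        )

    reports_dir = root / "reports"
    if reports_dir.is_dir():
        result["reports"] = sorted(f.name for f in reports_dir.iterdir() if f.is_file())

    shots_dir = root / "shots"
    if shots_dir.is_dir():
        result["screenshots"] = len(list(shots_dir.glob("shot_*.jpg")))

    return result


def build_sample_analysis_dir():
    """Constructed sample tree mirroring the listing above (placeholder content)."""
    base = Path(tempfile.mkdtemp(prefix="cuckoo_analysis_"))
    for d in EXPECTED_DIRS:
        (base / d).mkdir()
    (base / "analysis.conf").write_text("[analysis]\nfile_name = malware.exe\n")
    (base / "analysis.log").write_text(
        "INFO: Starting analyzer\n"
        "ERROR: Unable to open process 4711\n"
        "INFO: Analysis completed\n"
    )
    (base / "dump.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    (base / "files" / "dropped.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (base / "files" / "dropped.tmp").write_bytes(b"tmp")
    for pid in (1232, 1540, 1118):
        (base / "logs" / f"{pid}.csv").write_text("timestamp,api,args\n")
    for name in ("report.html", "report.json", "report.txt"):
        (base / "reports" / name).write_text("")
    for i in range(1, 5):
        (base / "shots" / f"shot_{i:03d}.jpg").write_bytes(b"\xff\xd8\xff")
    (base / "malware.exe").write_bytes(b"MZ")
    return base


if __name__ == "__main__":
    summary = inventory_analysis(build_sample_analysis_dir())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Point inventory_analysis() at a real analysis/<id>/ directory to use it on your own results; a non-empty "missing" or "errors" list is the quick signal that an analysis did not complete cleanly, and the dropped-file hashes are what you would feed to a hash lookup.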