Analysis Results

Once an analysis is completed, several files are stored in a dedicated directory. All the analyses are stored under the $CWD/storage/analyses/ inside a subdirectory named after the incremental numerical ID that represents the analysis task in the database.

Following is an example of an analysis directory structure:

.
|-- analysis.log
|-- binary
|-- dump.pcap
|-- memory.dmp
|-- files
|   |-- 1234567890_dropped.exe
|-- logs
|   |-- 1232.bson
|   |-- 1540.bson
|   `-- 1118.bson
|-- reports
|   |-- report.html
|   |-- report.json
`-- shots
    |-- 0001.jpg
    |-- 0002.jpg
    |-- 0003.jpg
    `-- 0004.jpg

analysis.log

This is a log file generated by the analyzer that contains a trace of the analysis execution inside the guest environment. It will report the creation of processes, files and eventual errors occurred during the execution.

dump.pcap

This is the network dump generated by tcpdump or any other corresponding network sniffer.

dump_sorted.pcap

This is a sorted version of dump.pcap in the sense that it allows the Web Interface to quickly lookup TCP stream.

memory.dmp

In case you enabled it, this file contains the full memory dump of the analysis machine.

files/

This directory contains all the files the malware operated on and that Cuckoo was able to dump.

files.json

This file contains a JSON-encoded entry for each dropped file available (i.e., all files in files/, shots/, etc). It contains meta information, where available, about all processes that touched the file, its original file path in the Guest, etc.

logs/

This directory contains all the raw logs generated by Cuckoo’s process monitoring.

reports/

This directory contains all the reports generated by Cuckoo as explained in the Configuration chapter.

shots/

This directory contains all the screenshots of the guest’s desktop taken during the malware execution.

tlsmaster.txt

This file contains the TLS Master Secrets that were captured during the analysis. TLS Master Secrets can be used to decrypt SSL/TLS traffic and are thus used to decrypt HTTPS streams.