Detonate File - Lastline v2
Detonates a File using the Lastline sandbox. Lastline supports the following File Types: EXE, SYS, DLL, COM, SCR, CPL, OCX, CGI, DOC, DOTM, DOCX, DOTX, XLS, PPAM, XSLX, PPS, XLSB, PPSX, XLSM, PPSM, PPT, PPTX, PPTM, RTF, SHS, XLTM, SLDM, XLTX, SLDX, XLAM, THMX, DOCM, XAR, JTD, JTDC, PDF, SWF, GZ, 7Z, TGZ, MSI, ZIP, LZH, CAB, LZMA, APK, JAR, CLASS, JPEG, PNG, GIF, CMD, ACE, BAT, ARJ, VBS, CHM, XML, LNK, URL, MOF, HTM, OCX, HTML, POTM, EML, POTX, MSG, PS, |VB, REG, VBA, WSC, VBE, WSF, VBS, WSH
Lastline · 11 tasks · 3 inputs · 38 outputs
Inputs
File— The file to detonate. File is taken from the context.Interval— Polling frequency - how often the polling command should run (minutes)Timeout— How much time to wait before a timeout occurs (minutes)
Outputs
DBotScore.Type— The type of the indicator (only in case of report type=json)InfoFile.EntryID— The EntryID of the report fileDBotScore.Vendor— Vendor used to calculate the score (only in case of report type=json)IP.Address— IP's relevant to the sampleDBotScore.Score— The actual score (only in case of report type=json)DBotScore.Indicator— The indicator we tested (only in case of report type=json)InfoFile.Extension— The extension of the report fileInfoFile.Name— The name of the report fileInfoFile.Info— The info of the report fileInfoFile.Size— The size of the report fileInfoFile.Type— The type of the report fileURL.Data— List of malicious URLs identified by Lastline analysisURL.Malicious.Vendor— For malicious URLs, the vendor that made the decisionURL.Malicious.Description— For malicious URLs, the reason for the vendor to make the decisionURL.Malicious.Score— For malicious URLs, the score from the vendorFile.MD5— Bad hash MD5File.SHA1— Bad hash SHA1File.SHA256— Bad hash SHA256File.Malicious.Vendor— For malicious files, the vendor that made the decisionFile.Malicious.Score— For malicious files, the score from the vendorLastline.Submission.Status— Status of the submissionLastline.Submission.DNSqueries— List of DNS queries done by the analysis subjectLastline.Submission.NetworkConnections— ist of network connections done by the analysis subjectLastline.Submission.DownloadedFiles— List of files that were downloaded using the Microsoft Windows file-download API functions. Each element is a tuple of file-origin URL and a File element.Lastline.Submission.UUID— Task UUID of submitted sampleLastline.Submission.YaraSignatures.name— Yara signatures nameLastline.Submission.YaraSignatures.score— The score according to the yara signatures. from 0 to 100.Lastline.Submission.Process.arguments— Argument of the processLastline.Submission.Process.process_id— The process IDLastline.Submission.Process.executable.abs_path— Absolute path of the executable of the processLastline.Submission.Process.executable.filename— Filename of the executableLastline.Submission.Process.executable.yara_signature_hits— Yara signature of the executable of the processLastline.Submission.Process.executable.ext_info— Executable info of the processLastline.Submission.YaraSignatures.internal— True if the signature is only for internal usageFile— File objectFile.Malicious— File Malicious objectDBotScore— DBot score objectLastline.Submission— Lastline submission object
Commands used
lastline-check-status
lastline-get-report
lastline-upload-file