Understand Sectoral Feed Data
Cyware Sectoral Feeds provide rich context around each threat indicator by combining static analysis, sandbox behavior, and source-specific tags. You can use this data to assess severity, understand attacker techniques, and take informed response actions.
Threat indicators ingested from Cyware Sectoral Feeds include detailed analysis results to support your investigation and response efforts. These results help you understand the threat’s nature, severity, and context, and fall into the following three categories:
Static Analysis Result: Review structural and metadata insights extracted directly from the file, without executing it. These details help you determine whether a file shows signs of malicious behavior. The analysis includes results from the following tools:
PEFile Analysis: This helps you understand the file’s executable characteristics, such as imphash, compilation timestamp, file type, and the presence of packing or obfuscation. It also reveals security attributes, giving you insight into how evasive or risky the file might be.
EXIFTool Analysis: This provides metadata details, including file size, type, MIME format, encoding, and timestamps. These attributes help you verify the legitimacy and consistency of the file’s identity.
LIEF Analysis: This provides you with low-level binary insights such as the virtual image size, execution flags like PIE or NX, and imported libraries. This analysis helps you identify whether the file interacts with system-level components, which is often associated with malware.
Sandbox Analysis Result: Understand how the file behaves when executed, using sandbox analysis data provided by the source. These dynamic insights help identify malicious behavior that static scans might miss. The analysis includes results from the following sandboxes:
CAPE: Reports behavioral indicators such as malware family, process execution, dropped files, botnet communication, Suricata alerts, and triggered YARA rules. These findings reveal potential tactics, techniques, and procedures (TTPs).
Triage: Complements CAPE by offering static and behavioral risk scores, ransomware-specific insights (family name, ransom note), and observed network activity. This helps assess impact and malware type.
Scan Result: These details help you understand how widely a threat has been seen and how serious it may be. The results may include a threat severity score, known malware associations, antivirus detection counts, and timestamps showing when the file was last observed. You can also find technical file information, like its MIME type, to support further validation.
One or more of the following source tags are automatically added to threat data objects ingested from Cyware Sectoral Feeds:
Tag | Description |
---|---|
PEType/<PE Type> | Represents the PE (Portable Executable) type of the file, as extracted from EXIFTool analysis |
MIMEType/<MIME Type> | Represents the MIME type of the file, as reported by EXIFTool |
Is APK | Represents that the file is an Android Package (APK). This tag is present when the APK ID is detected in the analysis results. |
AnalysisSource/Static Analysis | Indicates that the threat data includes static file analysis results |
AnalysisSource/EXIFTool Analysis | Represents that the threat object includes metadata extracted using EXIFTool |
Charset/<Character Set> | Represents the character encoding detected in the file during EXIFTool analysis |
AnalysisSource/LIEF Analysis | Represents that the threat object includes binary structure data extracted using LIEF |
Import DLLs | Represents that the file imports one or more dynamic link libraries (DLLs). This tag is present when LIEF identifies such imports during static analysis. |
NX/DEP Enabled | Represents that the file has memory protection mechanisms enabled, such as No-eXecute (NX) or Data Execution Prevention (DEP). This tag is present when LIEF or PEFile analysis detects these protections during static inspection. |
Position-Independent Executable | Represents that the file is compiled as a Position-Independent Executable (PIE). This tag is present when the static analysis results indicate that the file supports address space layout randomization by not relying on fixed memory addresses. |
AnalysisSource/PE File Analysis | Represents that the threat object includes structural metadata extracted using PEFile |
PEFileType/exe | Represents that the file is an executable. This tag is present when PEFile analysis classifies the file as a standard Windows executable. |
PEFileType/dll | Represents that the file is a Dynamic Link Library (DLL). This tag is present when PEFile analysis classifies the file as a DLL. |
PEFileType/driver | Represents that the file is a driver. This tag is present when PEFile analysis classifies the file as a driver. |
PEFileType/WDM Driver | Represents that the file is a Windows Driver Model (WDM) driver. This tag is present when PEFile analysis identifies the file as a WDM driver. |
Authenticode Signature Present | Represents that the file contains an Authenticode digital signature. This tag is present when PEFile analysis detects a valid signature in the file. |
ASLR Enabled | Represents that Address Space Layout Randomization (ASLR) is enabled on the file. This tag is present when PEFile analysis detects that ASLR is configured as an active memory protection feature. |
Possible File Packing Detected | Represents that the file may be packed or obfuscated. This tag is present when static analysis, such as PEFile inspection, detects traits commonly associated with packing. |
Control-Flow Guard Enabled | Represents that the file has Control-Flow Guard (CFG) protection enabled. This tag is present when static analysis confirms that CFG is used to defend against memory corruption vulnerabilities. |
Imports DLL | Represents that the file imports one or more dynamic link libraries (DLLs). This tag is present when PEFile analysis identifies the presence of imported DLLs. |
Possible Reflective DLL Injection | Represents the potential for reflective DLL injection. This tag is present when the export table contains the entry ReflectiveLoader, suggesting the file may support reflective loading techniques often used in advanced threats. |
Contains Self Signed Certificate | Represents the presence of a self-signed certificate. This tag is present when the file’s signing certificate is self-signed, which may indicate lower trustworthiness or an attempt to bypass traditional certificate validation. |
Contains CA Signed Certificate | Represents a valid certificate authority (CA) signature. This tag is present when the file is signed with a valid certificate issued by a recognized certificate authority (CA), indicating higher authenticity and trust. |
AnalysisSource/Scan Results | Represents that scan results are included for the threat object |
<Detection Label> | Represents classification labels or verdicts assigned by the scan source |
TargetedOperatingSystem/<Operating System> | Represents the operating system targeted by the file, as determined by the scan source |
AnalysisSource/CAPE Sandbox | Represents that the file was analyzed using the CAPE sandbox for behavioral analysis |
CAPEDetection/<Detection Label> | Represents the detection outcome provided by the CAPE sandbox |
CAPESandboxSignature/<Signature Name> | Represents behavioral signatures triggered during CAPE sandbox execution |
YARA Rule/<CAPE YARA Rule Name> | Represents the YARA rule triggered by the CAPE filter during sandbox analysis. This tag is present when the file matches known patterns or behaviors defined in that rule. |
YARA Rule/<Custom YARA Rule Name> | Represents the YARA rule triggered by a custom rule set during CAPE sandbox analysis. This tag is present when the file matches the behavior or signature defined in the custom YARA rule. |
C2 Communication Detection | Represents the detection of command-and-control (C2) infrastructure. This tag is present when either the CAPE or Triage sandbox identifies C2 URLs, IP addresses, or port combinations during sandbox analysis. |
Botnet Communication Detection | Represents botnet activity identified during sandbox analysis. This tag is present when the sandbox configuration reveals signs of communication with a botnet. |
Spawns Processes | Represents process creation behavior observed during sandbox execution. This tag is present when sandbox analysis detects the file spawning child processes during execution. |
Extracted Config Present | Represents the presence of configuration data within the analyzed file. This tag is present when configuration data is extracted from the file during sandbox execution. |
AnalysisSource/Triage Sandbox | Represents that the file was analyzed in the Triage sandbox environment |
TriageSandboxSignature/<Signature Name> | Represents behavioral signatures triggered during Triage sandbox analysis |
Ransom Note Found | Represents the presence of ransom-related artifacts. This tag is present when a ransom note is found in the file during Triage sandbox execution. |
Ransomware/<Ransomware Family> | Represents the ransomware family associated with the ransom note discovered during sandbox analysis. This tag is present when the extracted ransom note includes a known ransomware family name. |
Ransomware Transactions Observed | Represents that ransomware-related financial or operational activity was detected by the source |
Ransomware Family/<Ransomware Family> | Represents the specific ransomware family linked to the threat object, based on transactional analysis |
Cyware Sectoral Feeds enrich threat data objects in Intel Exchange with the following custom attributes:
Attribute | Description |
---|---|
file_uses_cfg | Indicates whether the analyzed file uses a configuration file (CFG) |
file_is_dll | Indicates whether the analyzed file is a Dynamic Link Library (DLL) |
latest_scan_details | The raw scan results from the most recent antivirus or static analysis performed on the file |
source_id | The source identifier that originated the data |
cape_sandbox_score | The threat score assigned to the file by the CAPE sandbox. The score ranges from 0 to 10. |
normalized_threat_score | The overall threat score based on static, sandbox, and AV results. The score ranges from 0 to 100. |
targeted_os | The list of operating systems targeted by the file or associated threat behavior |
cape_sandbox_v2_results | The raw behavioral analysis results from CAPE Sandbox version 2 for the analyzed file. Includes network activity, TTP mappings (MITRE ATT&CK), signatures, sandbox scores, and associated metadata. |
file_is_apk | Indicates whether the file is an Android Package (APK) |
file_is_wdm_driver | Indicates whether the file is identified as a Windows Driver Model (WDM) driver |
analysis_source | Lists the analysis engines or tools that generated results for the file. Possible values: exiftool, lief, scan_results, triage_sandbox, cape_sandbox, and pefile. |
triage_sandbox_score | The threat score assigned by the Triage sandbox based on observed behavior during dynamic analysis. The score ranges from 0 to 10. |
file_uses_aslr | Indicates whether the file uses Address Space Layout Randomization (ASLR), a security technique that helps prevent memory-based attacks. |
lief_analysis | The metadata extracted from the binary using LIEF, a library for parsing executable formats. Includes security features, library dependencies, file size, and a list of imported functions. |
observed_ransomware_transactions | The ransomware-related activity or artifacts that were observed during analysis |
file_is_drive | Indicates whether the file is identified as a full disk or drive image |
triage_sandbox_results | The raw results from the Triage sandbox analysis, such as extracted IOCs, MITRE ATT&CK mappings, malware family, score, and behavioral signatures |
source_threat_score | The normalized threat score assigned to the object, derived from the source |
file_is_exe | Indicates whether the analyzed file is a Windows executable (EXE) |
artifact_id | The unique identifier assigned to the analyzed artifact |
file_is_probably_packed | Indicates whether the file is likely packed or obfuscated |
file_dep_nx_enabled | Indicates whether Data Execution Prevention (DEP) with NX (No-eXecute) is enabled for the file |
file_imphash | Represents the import hash (imphash) of the file. An imphash is a hash value calculated from the list and order of imported functions in a PE (Portable Executable) file. |
av_scan_score | Represents the antivirus (AV) scan score of the file, with a value ranging from 0 to 1 |
pefile_analysis | The raw Portable Executable (PE) metadata extracted from the file, including information such as section names, imported functions, security features, and compiler characteristics. |
exfiltool_analysis | The raw metadata extracted from the file using ExifTool, primarily focused on PE (Portable Executable) file characteristics |
av_detections | Represents raw antivirus detection counts for the file. Includes total scans, number of benign results, and number of malicious detections. |
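As an added example (not Cyware's code or API), the following Python takes one constructed threat data object carrying the source tags and custom attributes from the two tables above, checks that paired tags and attributes agree, and maps the feed's scores onto a response priority. The JSON layout, the placement of `tags` and `attributes`, and the thresholds are assumptions of this example.

```python
# Constructed sample (not real feed data): one threat data object carrying the
# Sectoral Feed tags and custom attributes described above; the layout is assumed.
SAMPLE_OBJECT = {
    "value": "PLACEHOLDER-SHA256",
    "tags": ["PEFileType/exe", "Possible File Packing Detected", "AnalysisSource/CAPE Sandbox",
             "CAPEDetection/Trojan", "C2 Communication Detection", "Spawns Processes"],
    "attributes": {"file_is_exe": True, "file_is_probably_packed": True, "file_uses_aslr": False,
                   "file_dep_nx_enabled": False, "cape_sandbox_score": 8.5,
                   "triage_sandbox_score": 7.0, "normalized_threat_score": 82,
                   "av_detections": {"total": 70, "benign": 28, "malicious": 42},
                   "analysis_source": ["pefile", "cape_sandbox", "triage_sandbox", "scan_results"]}}

NETWORK_TAGS = {"C2 Communication Detection", "Botnet Communication Detection"}
# Tag/attribute pairs that describe the same static-analysis finding.
PAIRED = [("file_is_probably_packed", "Possible File Packing Detected"),
          ("file_uses_aslr", "ASLR Enabled"), ("file_dep_nx_enabled", "NX/DEP Enabled"),
          ("file_is_exe", "PEFileType/exe"), ("file_is_dll", "PEFileType/dll")]

def check_consistency(obj):
    """Return tag/attribute pairs that disagree; anything listed deserves a second look."""
    tags, attrs, problems = set(obj["tags"]), obj["attributes"], []
    for attr, tag in PAIRED:
        if attr in attrs and bool(attrs[attr]) != (tag in tags):
            problems.append(f"{attr}={attrs[attr]} but tag '{tag}' is "
                            f"{'present' if tag in tags else 'absent'}")
    sandboxed = {"cape_sandbox", "triage_sandbox"} & set(attrs.get("analysis_source", []))
    if tags & NETWORK_TAGS and not sandboxed:
        problems.append("network-behaviour tag without a sandbox analysis source")
    return problems

def triage(obj):
    """Map scores and tags onto a priority; thresholds are this example's assumptions, not Cyware's."""
    tags, attrs, reasons = set(obj["tags"]), obj["attributes"], []
    score = attrs.get("normalized_threat_score", 0)                        # 0-100 overall
    sandbox = max(attrs.get("cape_sandbox_score", 0), attrs.get("triage_sandbox_score", 0))  # 0-10
    av = attrs.get("av_detections", {})
    av_ratio = av.get("malicious", 0) / av["total"] if av.get("total") else 0.0
    if score >= 70: reasons.append(f"normalized_threat_score={score}")
    if sandbox >= 7: reasons.append(f"sandbox score={sandbox}")
    if av_ratio >= 0.5: reasons.append(f"AV malicious ratio={av_ratio:.2f}")
    behaviour = tags & (NETWORK_TAGS | {"Ransom Note Found"})   # sandbox-observed behaviour
    reasons += sorted(behaviour)
    reasons += [f"CAPE detection: {t.split('/', 1)[1]}" for t in tags if t.startswith("CAPEDetection/")]
    if score >= 70 and behaviour: priority = "critical"
    elif score >= 70 or sandbox >= 7 or av_ratio >= 0.5: priority = "high"
    elif score >= 40 or reasons: priority = "medium"
    else: priority = "low"
    return priority, reasons
```

Run `check_consistency(SAMPLE_OBJECT)` before `triage(SAMPLE_OBJECT)`: an empty problem list means the tags and attributes tell the same story, and the returned reasons give the analyst the evidence behind the priority.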