Cyware Threat Intelligence eXchange

Understand Sectoral Feed Data

Cyware Sectoral Feeds provide rich context around each threat indicator by combining static analysis, sandbox behavior, and source-specific tags. You can use this data to assess severity, understand attacker techniques, and take informed response actions.

Threat indicators ingested from Cyware Sectoral Feeds carry detailed analysis results to support your investigation and response efforts. These results describe the threat's nature, severity, and context and fall into the following three categories:

  • Static Analysis Result: Review structural and metadata insights extracted directly from the file, without executing it. These details help you determine whether a file shows signs of malicious behavior. The analysis includes results from the following tools:

    • PEFile Analysis: This helps you understand the file’s executable characteristics, such as imphash, compilation timestamp, file type, and the presence of packing or obfuscation. It also reveals security attributes, giving you insight into how evasive or risky the file might be.

    • EXIFTool Analysis: This provides metadata details, including file size, type, MIME format, encoding, and timestamps. These attributes help you verify the legitimacy and consistency of the file’s identity.

    • LIEF Analysis: This provides you with low-level binary insights such as the virtual image size, execution flags like PIE or NX, and imported libraries. This analysis helps you identify if the file interacts with system-level components, which is often associated with malware.

  • Sandbox Analysis Result: Understand how the file behaves when executed, using sandbox analysis data provided by the source. These dynamic insights help identify malicious behavior that static scans might miss. The analysis includes results from the following sandboxes:

    • CAPE: Reports behavioral indicators such as malware family, process execution, dropped files, botnet communication, Suricata alerts, and triggered YARA rules. These findings reveal potential tactics, techniques, and procedures (TTPs).

    • Triage: Complements CAPE by offering static and behavioral risk scores, ransomware-specific insights (family name, ransom note), and observed network activity. This helps assess impact and malware type.

  • Scan Result: These details help you understand how widely a threat has been seen and how serious it may be. The results may include a threat severity score, known malware associations, antivirus detection counts, and timestamps showing when the file was last observed. You can also find technical file information, like its MIME type, to support further validation.

One or more of the following source tags are automatically added to threat data objects ingested from Cyware Sectoral Feeds:

| Tag | Description |
| --- | --- |
| PEType/<PE Type> | Represents the PE (Portable Executable) type of the file, as extracted from EXIFTool analysis |
| MIMEType/<MIME Type> | Represents the MIME type of the file, as reported by EXIFTool |
| Is APK | Represents that the file is an Android Package (APK). This tag is present when the APK ID is detected in the analysis results. |
| AnalysisSource/Static Analysis | Indicates that the threat data includes static file analysis results |
| AnalysisSource/EXIFTool Analysis | Represents that the threat object includes metadata extracted using EXIFTool |
| Charset/<Character Set> | Represents the character encoding detected in the file during EXIFTool analysis |
| AnalysisSource/LIEF Analysis | Represents that the threat object includes binary structure data extracted using LIEF |
| Import DLLs | Represents that the file imports one or more dynamic link libraries (DLLs). This tag is present when LIEF identifies such imports during static analysis. |
| NX/DEP Enabled | Represents that the file has memory protection mechanisms enabled, such as No-eXecute (NX) or Data Execution Prevention (DEP). This tag is present when LIEF or PEFile analysis detects these protections during static inspection. |
| Position-Independent Executable | Represents that the file is compiled as a Position-Independent Executable (PIE). This tag is present when the static analysis results indicate that the file supports address space layout randomization by not relying on fixed memory addresses. |
| AnalysisSource/PE File Analysis | Represents that the threat object includes structural metadata extracted using PEFile |
| PEFileType/exe | Represents that the file is an executable. This tag is present when PEFile analysis classifies the file as a standard Windows executable. |
| PEFileType/dll | Represents that the file is a Dynamic Link Library (DLL). This tag is present when PEFile analysis classifies the file as a DLL. |
| PEFileType/driver | Represents that the file is a driver. This tag is present when PEFile analysis classifies the file as a driver. |
| PEFileType/WDM Driver | Represents that the file is a Windows Driver Model (WDM) driver. This tag is present when PEFile analysis identifies the file as a WDM driver. |
| Authenticode Signature Present | Represents that the file contains an Authenticode digital signature. This tag is present when PEFile analysis detects a valid signature in the file. |
| ASLR Enabled | Represents that Address Space Layout Randomization (ASLR) is enabled on the file. This tag is present when PEFile analysis detects that ASLR is configured as an active memory protection feature. |
| Possible File Packing Detected | Represents that the file may be packed or obfuscated. This tag is present when static analysis, such as PEFile inspection, detects traits commonly associated with packing. |
| Control-Flow Guard Enabled | Represents that the file has Control-Flow Guard (CFG) protection enabled. This tag is present when static analysis confirms that CFG is used to defend against memory corruption vulnerabilities. |
| Imports DLL | Represents that the file imports one or more dynamic link libraries (DLLs). This tag is present when PEFile analysis identifies the presence of imported DLLs. |
| Possible Reflective DLL Injection | Represents the potential for reflective DLL injection. This tag is present when the export table contains the entry ReflectiveLoader, suggesting the file may support reflective loading techniques often used in advanced threats. |
| Contains Self Signed Certificate | Represents the presence of a self-signed certificate. This tag is present when the file's signing certificate is self-signed, which may indicate lower trustworthiness or an attempt to bypass traditional certificate validation. |
| Contains CA Signed Certificate | Represents a valid certificate authority (CA) signature. This tag is present when the file is signed with a valid certificate issued by a recognized CA, indicating higher authenticity and trust. |
| AnalysisSource/Scan Results | Represents that scan results are included for the threat object |
| <Detection Label> | Represents classification labels or verdicts assigned by the scan source |
| TargetedOperatingSystem/<Operating System> | Represents the operating system targeted by the file, as determined by the scan source |
| AnalysisSource/CAPE Sandbox | Represents that the file was analyzed using the CAPE sandbox for behavioral analysis |
| CAPEDetection/<Detection Label> | Represents the detection outcome provided by the CAPE sandbox |
| CAPESandboxSignature/<Signature Name> | Represents behavioral signatures triggered during CAPE sandbox execution |
| YARA Rule/<CAPE YARA Rule Name> | Represents the YARA rule triggered by the CAPE filter during sandbox analysis. This tag is present when the file matches known patterns or behaviors defined in that rule. |
| YARA Rule/<Custom YARA Rule Name> | Represents the YARA rule triggered by a custom rule set during CAPE sandbox analysis. This tag is present when the file matches the behavior or signature defined in the custom YARA rule. |
| C2 Communication Detection | Represents the detection of command-and-control (C2) infrastructure. This tag is present when either the CAPE or Triage sandbox identifies C2 URLs, IP addresses, or port combinations during sandbox analysis. |
| Botnet Communication Detection | Represents botnet activity identified during sandbox analysis. This tag is present when the sandbox configuration reveals signs of communication with a botnet. |
| Spawns Processes | Represents process creation behavior observed during sandbox execution. This tag is present when sandbox analysis detects the file spawning child processes during execution. |
| Extracted Config Present | Represents the presence of configuration data within the analyzed file. This tag is present when configuration data is extracted from the file during sandbox execution. |
| AnalysisSource/Triage Sandbox | Represents that the file was analyzed in the Triage sandbox environment |
| TriageSandboxSignature/<Signature Name> | Represents behavioral signatures triggered during Triage sandbox analysis |
| Ransom Note Found | Represents the presence of ransom-related artifacts. This tag is present when a ransom note is found in the file during Triage sandbox execution. |
| Ransomware/<Ransomware Family> | Represents the ransomware family associated with the ransom note discovered during sandbox analysis. This tag is present when the extracted ransom note includes a known ransomware family name. |
| Ransomware Transactions Observed | Represents that ransomware-related financial or operational activity was detected by the source |
| Ransomware Family/<Ransomware Family> | Represents the specific ransomware family linked to the threat object, based on transactional analysis |

Cyware Sectoral Feeds enrich threat data objects in Intel Exchange with the following custom attributes:

| Attribute | Description |
| --- | --- |
| file_uses_cfg | Indicates whether the analyzed file uses a configuration file (CFG) |
| file_is_dll | Indicates whether the analyzed file is a Dynamic Link Library (DLL) |
| latest_scan_details | The raw scan results from the most recent antivirus or static analysis performed on the file |
| source_id | The source identifier that originated the data |
| cape_sandbox_score | The threat score assigned to the file by the CAPE sandbox. The score ranges from 0 to 10. |
| normalized_threat_score | The overall threat score based on static, sandbox, and AV results. The score ranges from 0 to 100. |
| targeted_os | The list of operating systems targeted by the file or associated threat behavior |
| cape_sandbox_v2_results | The raw behavioral analysis results from CAPE Sandbox version 2 for the analyzed file. Includes network activity, TTP mappings (MITRE ATT&CK), signatures, sandbox scores, and associated metadata. |
| file_is_apk | Indicates whether the file is an Android Package (APK) |
| file_is_wdm_driver | Indicates whether the file is identified as a Windows Driver Model (WDM) driver |
| analysis_source | Lists the analysis engines or tools that generated results for the file. Possible values: exiftool, lief, scan_results, triage_sandbox, cape_sandbox, and pefile. |
| triage_sandbox_score | The threat score assigned by the Triage sandbox based on observed behavior during dynamic analysis. The score ranges from 0 to 10. |
| file_uses_aslr | Indicates whether the file uses Address Space Layout Randomization (ASLR), a security technique that helps prevent memory-based attacks. |
| lief_analysis | The metadata extracted from the binary using LIEF, a library for parsing executable formats. Includes security features, library dependencies, file size, and a list of imported functions. |
| observed_ransomware_transactions | The ransomware-related activity or artifacts that were observed during analysis |
| file_is_drive | Indicates whether the file is identified as a full disk or drive image |
| triage_sandbox_results | The raw results from the Triage sandbox analysis, such as extracted IOCs, MITRE ATT&CK mappings, malware family, score, and behavioral signatures |
| source_threat_score | The normalized threat score assigned to the object, derived from the source |
| file_is_exe | Indicates whether the analyzed file is a Windows executable (EXE) |
| artifact_id | The unique identifier assigned to the analyzed artifact |
| file_is_probably_packed | Indicates whether the file is likely packed or obfuscated |
| file_dep_nx_enabled | Indicates whether Data Execution Prevention (DEP) with NX (No-eXecute) is enabled for the file |
| file_imphash | Represents the import hash (imphash) of the file. An imphash is a hash value calculated from the list and order of imported functions in a PE (Portable Executable) file. |
| av_scan_score | Represents the antivirus (AV) scan score of the file, with a value ranging from 0 to 1 |
| pefile_analysis | The raw Portable Executable (PE) metadata extracted from the file, including information such as section names, imported functions, security features, and compiler characteristics. |
| exfiltool_analysis | The raw metadata extracted from the file using ExifTool, primarily focused on PE (Portable Executable) file characteristics |
| av_detections | Represents raw antivirus detection counts for the file. Includes total scans, number of benign results, and number of malicious detections. |
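As an added example (not part of the Cyware documentation or product code), the following Python splits the source tags listed above into their Namespace/<Value> form, checks the score attributes against their documented ranges, and reduces one feed object to a first-pass triage summary. The object layout (a dict with a "tags" list and a "custom_attributes" dict) and the sample values are constructed assumptions, as is the handling of the bare "NX/DEP Enabled" tag, which contains a slash but is not a namespaced tag.

```python
# Documented ranges for the score attributes listed above.
SCORE_RANGES = {"cape_sandbox_score": (0, 10), "triage_sandbox_score": (0, 10),
                "normalized_threat_score": (0, 100), "av_scan_score": (0, 1)}
# Bare tags that contain a slash and must not be split as Namespace/Value.
BARE_SLASH_TAGS = {"NX/DEP Enabled"}

def parse_tags(tags):
    """Group tags by namespace: 'PEFileType/exe' -> {'PEFileType': ['exe']}; bare tags under ''."""
    parsed = {}
    for tag in tags:
        if tag in BARE_SLASH_TAGS or "/" not in tag:
            parsed.setdefault("", []).append(tag)
        else:
            ns, value = tag.split("/", 1)
            parsed.setdefault(ns, []).append(value)
    return parsed

def validate_scores(attrs):
    """Names of score attributes whose value falls outside the documented range."""
    return [name for name, (lo, hi) in SCORE_RANGES.items()
            if name in attrs and not lo <= attrs[name] <= hi]

def summarize(obj):
    """Reduce one feed object to the fields an analyst triages on first."""
    tags, attrs = parse_tags(obj["tags"]), obj["custom_attributes"]
    bare = set(tags.get("", []))
    flags = []
    if "Possible Reflective DLL Injection" in bare:
        flags.append("reflective-loader export")
    if bare & {"C2 Communication Detection", "Botnet Communication Detection"}:
        flags.append("sandbox saw C2/botnet traffic")
    if "Ransom Note Found" in bare or "Ransomware" in tags:
        flags.append("ransomware: " + ", ".join(tags.get("Ransomware", ["family unknown"])))
    return {"pe_types": tags.get("PEFileType", []),
            "targeted_os": tags.get("TargetedOperatingSystem", []),
            "yara": tags.get("YARA Rule", []),
            "sources": attrs.get("analysis_source", []),
            "score": attrs.get("normalized_threat_score"),
            "invalid_scores": validate_scores(attrs),  # e.g. an av_scan_score above 1
            "flags": flags}

# Constructed sample object (not real feed data); the dict layout is an assumption.
SAMPLE = {
    "tags": ["PEFileType/exe", "AnalysisSource/CAPE Sandbox", "YARA Rule/ConstructedRule",
             "TargetedOperatingSystem/Windows", "NX/DEP Enabled", "C2 Communication Detection",
             "Possible Reflective DLL Injection", "Contains Self Signed Certificate"],
    "custom_attributes": {"normalized_threat_score": 87, "cape_sandbox_score": 9.2,
                          "av_scan_score": 1.4, "analysis_source": ["pefile", "cape_sandbox"]},
}
```

An out-of-range score (here the constructed av_scan_score of 1.4) is reported rather than silently used, so a malformed feed record is caught before it drives an automated action.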