Open FuzzyWaffler opened 7 years ago
Can you provide more info, such as which signatures, etc.?
Added some extra info to the original post. The signature section is where those addresses are from. I'm not applying any specific YARA signatures yet.
Well, that still says nothing about which signature matches those URLs.
The file has this info:
Size 11.7KB
Type HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5 aec60c798291525aaf513d71ecb9fbdf
SHA1 2f9c45724a92a7a212f417e9d5d47f372b0d062d
SHA256 8f6b5f7847787dde69a0ad9733e3705f75db76d0a922ee4557d644c0af40684d
SHA512
CRC32 6E9D78C0
ssdeep None
Yara None matched
Is there a way to export what the signatures are flagging on?
But which signature do you speak about? Can you post a screenshot of the signature block with the signature you speak about opened?
Right, yeah, URLs from process memory dumps still have to be filtered properly. The "hard" part about this is that it is specific to each VM (and even to types of analyses: running PE files and Office documents may have different results). In other words, it's on our todo list to filter all the standard stuff out, but it requires some relatively big changes for which we don't have a process in place yet (i.e., always running a sort of "collection" analysis for newly registered VMs; we have something like this called the baseline feature, but it's definitely not yet complete).
Thanks for your feature request. If you have any additional requests and/or features, please do let me know.
The same Signature events are being displayed any time a report is run.
Is there something I'm not clearing properly?