
Lastline Analyst API Documentation PDF

132 Pages·2017·0.5 MB·English

Preview Lastline Analyst API Documentation

Lastline Analyst API Documentation, Release 2.0. Lastline, Inc. Nov 09, 2022

CONTENTS

1 Overview (p. 1)
1.1 Supported Artifacts (p. 1)
1.2 Getting Started (p. 12)
1.3 API Concepts (p. 13)
1.4 Workflow (p. 13)
1.5 Handling of Containers (p. 13)
2 API Reference (p. 15)
2.1 Authentication (p. 15)
2.2 Response Format (p. 15)
2.3 Methods (p. 16)
2.4 Error Codes (p. 45)
2.5 Submission Metadata (p. 47)
2.6 Web-Portal Integration (p. 47)
3 Analysis Results (p. 49)
3.1 Analysis Report Format (p. 51)
3.2 Report Format (p. 52)
3.3 Report Format ll-int-win (p. 57)
3.4 Report Format ll-int-osx (p. 75)
3.5 Report Format ll-win-timeline-based (p. 79)
3.6 PE Stats information (p. 81)
3.7 PE Resource Stats information (p. 81)
3.8 Report Format ll-osx-timeline-based (p. 91)
3.9 Report Format ll-int-win-doc (p. 96)
3.10 Report Format ll-int-apk (p. 96)
3.11 Report Format ll-int-archive (p. 101)
3.12 Report Format ll-web (p. 102)
3.13 Report Format ll-static (p. 111)
3.14 Report Format ll-ioc-json (p. 118)
3.15 Report Format ll-pcap (p. 120)
3.16 Report Format ll-flash (p. 122)
3.17 Report Format ll-doc (p. 125)
3.18 Report Descriptions (p. 127)
4 Child Tasks (p. 129)
5 Sample API Clients (p. 131)
5.1 Analyst API client (p. 131)
5.2 Analysis Client Shell (p. 146)
5.3 Analyst API Shell Example (p. 147)
5.4 Analyst API Shell Helpers (p. 151)
5.5 Application Bundle Module (p. 153)
Python Module Index (p. 159)
Index (p. 161)

CHAPTER ONE: OVERVIEW

The Lastline Analyst API provides functionality for submitting resources for analysis and obtaining the results. Currently, it supports URLs as well as various types of executables and documents.

Executables are analyzed by running them inside a sandbox, recording the behavior of the program, and classifying the file based on the observed actions. Similarly, documents are opened in an instrumented file-editor/viewer or by analyzing any active components (such as scripts) embedded inside the documents; in either case, the behavior of the code is used for detecting if the file contains any anomalies.

Additionally, the content of a submitted file is analyzed for structural similarities with other, previously classified malware artifacts.

URLs are analyzed by visiting them with special, instrumented browsers and observing actions inside the browser or its interactions with its environment.

The latest version of this documentation can be found at https://analysis.lastline.com/analysis/api-docs/html/overview.html, or downloaded in PDF format from https://analysis.lastline.com/analysis/api-docs/LastlineAnalystAPI.pdf.

1.1 Supported Artifacts

The API supports submissions of URLs and files. The maximum file size is 64 MB for the hosted Lastline infrastructure; for On-Premises deployments, the limit is configurable (up to 100 MB) and defaults to 10 MB.

The following table provides an overview of the supported file types (each entry gives the Lastline mime type and the typical extensions):

• AceArchiveFile: ACE archive data (application/x-ace; .ace)
• BzipArchiveFile: bzip2 compressed data (application/x-bzip; .bz, .bz2, .tbz, .tbz2)
• CabArchiveFile: Microsoft Cabinet archive data (application/vnd.ms-cab-compressed; .cab)
• DiagCabArchiveFile: Microsoft Diagnostic Cabinet archive data (application/vnd.ms-diagcab-compressed; .diagcab)
• DmgArchiveFile: Apple disk image (application/x-apple-diskimage; .dmg, .smi)
• Rfc2822EmailArchiveFile: RFC 2822-formatted Email file (data/email-rfc2822; .eml)
• GzipArchiveFile: gzip compressed data (application/x-gzip; .gz, .tgz)
• JarArchiveFile: Java JAR archive (application/java-archive; .jar)
• WebappJarArchiveFile: Java Webapp archive (application/war-archive; .war)
• LhaArchiveFile: LHa archive data (application/x-lha; .lha, .lzh)
• LzmaArchiveFile: LZMA compressed data (application/x-lzma; .lzma)
• NugetArchiveFile: NuGet package archive (application/x-nuget; .nupkg)
• UDFISOArchiveFile: UDF filesystem data (application/x-udf-image; .iso, .udf)
• ISO9660ISOArchiveFile: ISO 9660 CD-ROM filesystem data (application/x-iso9660-image; .iso)
• RarArchiveFile: RAR archive data (application/x-rar; .rar)
• Rar5ArchiveFile: RAR archive data, version 5 (application/x-rar5; .rar)
• TarArchiveFile: POSIX tar archive data (application/tar; .tar)
• DocumentLLAppBundleTarArchiveFile: Lastline Application Bundle Document Type (application/llappbundle-document; .tar, .llappbundle, .llapp)
• WindowsExecutableLLAppBundleTarArchiveFile: Lastline Application Bundle Windows Executable Type (application/llappbundle-windows-executable; .tar, .llappbundle, .llapp)
• WebReplayLLAppBundleTarArchiveFile: Lastline Application Bundle Web Replay Type (application/llappbundle-web-replay; .tar, .llappbundle, .llapp)
• TnefArchiveFile: Transport Neutral Encapsulation Format (application/vnd.ms-tnef; .dat)
• XarArchiveFile: XAR archive data (application/x-xar; .xar, .pkg)
• XzArchiveFile: XZ compressed data (application/x-xz; .xz, .txz)
• ZipArchiveFile: Zip archive data (application/zip; .zip)
• SevenZipArchiveFile: 7-zip archive data (application/x-7z-compressed; .7z)
• MicrosoftSettingContentDataFile: Microsoft Content-Settings data file* (text/ms-settingcontent; .settingcontent-ms)
• CsvDataFile: CSV Data (data/csv; .csv)
• InternetInquiryDataFile: Internet Inquiry data file* (text/x-ms-iqy; .iqy)
• SymbolicLinkDataFile: Symbolic Link data file (data/symbolic-link; .slk, .sylk)
• PcapDataFile: tcpdump capture file (application/vnd.tcpdump.pcap; .pcap, .pcapng)
• WordHangulCdfDocFile: Hangul Word Processor document (application/hangul-word; .hwp)
• ChmDocFile: Microsoft Windows Html Help data (application/x-chm; .chm)
• HangulDocFile: Hangul HWP3/HWP2000 document* (application/x-hwp; .hwp)
• ExcelMsMimeDocFile: Microsoft Excel document in MHTML format (application/msoffice-mime-xls; .xls)
• PowerpointMsMimeDocFile: Microsoft Powerpoint document in MHTML format (application/msoffice-mime-ppt; .ppt)
• WordMsMimeDocFile: Microsoft Word document in MHTML format (application/msoffice-mime-doc; .doc)
• ExcelMsDocFile: Microsoft Office Excel document (application/msoffice-xls; .xls)
• TemplateExcelMsDocFile: Microsoft Office Excel template document (application/msoffice-xlt; .xlt)
• ExcelEncryptedKnownMsDocFile: Microsoft Office Excel document (with password) (application/msoffice-xls-encrypted; .xls, .xlsx)
• MacroExcelEncryptedKnownMsDocFile: Microsoft Office Excel document (with password), with macros (application/msoffice-xlam-encrypted; .xlam)
• PowerpointEncryptedKnownMsDocFile: Microsoft Office Powerpoint document (with password) (application/msoffice-ppt-encrypted; .ppt, .pptx)
• WordEncryptedKnownMsDocFile: Microsoft Office Word document (with password) (application/msoffice-doc-encrypted; .doc, .docx)
• PowerpointMsDocFile: Microsoft Office Powerpoint document (application/msoffice-ppt; .ppt, .pps)
• TemplatePowerpointMsDocFile: Microsoft Office Powerpoint template document (application/msoffice-pot; .pot)
• WordMsDocFile: Microsoft Office Word document (application/msoffice-doc; .doc)
• PublisherWordMsDocFile: Microsoft Publisher document (application/msoffice-publisher; .pub)
• TemplateWordMsDocFile: Microsoft Office Word document template (application/msoffice-dot; .dot)
• OoDocFile: Open/LibreOffice document (application/vnd.oasis.opendocument; .odp, .otp, .ods, .odt, .ott, .odg, .otg)
• PdfDocFile: PDF document (application/pdf; .pdf)
• WordPerfectDocFile: WordPerfect document (application/wordperfect; .wpd)
• RtfDocFile: RTF document (text/rtf; .rtf)
• SwfDocFile: Macromedia Flash data (application/x-shockwave-flash; .swf)
• ExcelXmlDocFile: XML-based Microsoft Office Excel document, pre-Office 2007 (application/x-spreadsheetml; .xml)
• PowerpointXmlDocFile: XML-based Microsoft Office Powerpoint presentation, pre-Office 2007 (application/x-presentationml; .xml)
• WordXmlDocFile: XML-based Microsoft Office Word document, pre-Office 2007 (application/x-wordprocessingml; .xml)
• XdpXmlDocFile: Adobe XDP document (application/vnd.adobe.xdp+xml; .xdp)
• XslXmlDocFile: eXtensible Stylesheet Language for XML file (text/xsl; .xsl)
• ExcelMsDocxFile: Microsoft Office Excel document, Office Open XML format (application/msoffice-xlsx; .xlsx)
• MacroExcelMsDocxFile: Microsoft Office Excel document, Office Open XML format, with macros (application/msoffice-xlsm; .xlsm)
• BinaryMacroExcelMsDocxFile: Microsoft Office Excel document, Office Open XML format, with macros and binary storage (application/msoffice-xlsb; .xlsb)
• TemplateExcelMsDocxFile: Microsoft Office Excel template document, Office Open XML format (application/msoffice-xltx; .xltx)
• MacroTemplateExcelMsDocxFile: Microsoft Office Excel spreadsheet template, Office Open XML format, with macros (application/msoffice-xltm; .xltm)
• PowerpointMsDocxFile: Microsoft Office Powerpoint document, Office Open XML format (application/msoffice-pptx; .pptx, .ppsx)
• MacroAddInPowerpointMsDocxFile: Microsoft Office Powerpoint AddIn document, Office Open XML format, with macros (the preview ends here; mime type and extension are not shown)

Further entries of the table are visible only as fragments in the preview: a Lastline mime type application/msoffice-pptm with typical extension .pptm, and VBAVisualBasicScriptFile: Visual Basic for Applications text.
