Once an analysis is completed, several files are stored in a dedicated directory. All the analyses are stored under the directory storage/analyses/ inside a subdirectory named after the incremental numerical ID that represents the analysis task in the database.
Following is an example of an analysis directory structure:
. |-- analysis.conf |-- analysis.log |-- binary |-- dump.pcap |-- memory.dmp |-- files | |-- 1234567890 | `-- dropped.exe |-- logs | |-- 1232.raw | |-- 1540.raw | `-- 1118.raw |-- reports | |-- report.html | |-- report.json | |-- report.maec-4.0.1.xml | `-- report.metadata.xml `-- shots |-- 0001.jpg |-- 0002.jpg |-- 0003.jpg `-- 0004.jpg
This is a configuration file automatically generated by Cuckoo to give its analyzer some details about the current analysis. It’s generally of no interest to the end-user, as it’s used internally by the sandbox.
This is a log file generated by the analyzer and that contains a trace of the analysis execution inside the guest environment. It will report the creation of processes, files and eventual errors occurred during the execution.
This is the network dump generated by tcpdump or any other corresponding network sniffer.
In case you enabled it, this file contains the full memory dump of the analysis machine.
This directory contains all the files the malware operated on and that Cuckoo was able to dump.
This directory contains all the raw logs generated by Cuckoo’s process monitoring.
This directory contains all the reports generated by Cuckoo as explained in the Configuration chapter.
This directory contains all the screenshots of the guest’s desktop taken during the malware execution.