Viewing Results

Tool results are created when a pipeline is run on a target file. The running pipeline instance is called a reaction and may involve running several tools (called images) on the target file. The analysis artifacts created by each tool are then automatically stored in Thorium after each pipeline stage has completed. We organize tool results based on the name of the tool/image rather than the name of the pipeline where that tool was run.

Tools may generate several types of result output, including renderable and downloadable formats. These artifacts include:

  • results: renderable data including basic text and JSON formatted tool output
  • result-files: downloadable files produced by the tool and any tool results larger than 1MB
  • children: unpacked or transformed files that Thorium treats like sample files due to potential maliciousness.

You can view or download results and child files from both the Web UI and Thorctl.

Web UI

Results and Result Files

You can navigate to the details page for a file using the sha256 hash of that file, or by browsing and searching through Thorium's data. If you are already on the file details page and see your reaction's have completed, refresh the page to get the latest tool results!

Once you load the file details page, click the Results tab that's displayed after the submission info section. You should see tool results that you can scroll through as shown in the video below.

You can also jump to results by clicking on the tools corresponding tag for a particular tool result.

Tools can create renderable results as well as result files. If a tool produces a result files, those files can be downloaded using the links at the bottom of the result section for that tool.

The number of result files that a tool produced will be displayed on the header of the results section. That file count badge can be clicked to jump to the result files links.

Children Files

Many tools will produce entirely new samples called children files that are saved in Thorium after the tool exits. For example, an unpacking tool might remove protective/obfuscating layers of a given malware sample in order to unpack the core payload and save it as a new sample in Thorium for further analysis. The sample that a tool was run on to produce a child file its parent file. The origin information on a child file's details page contains a convenient link to the child's parent. Clicking the link will take you to the sample details of the parent file.

Thorctl

You can download results for specific samples using Thorctl with the following command:

thorctl results get <SHA256>

Download results for multiple samples by passing multable file SHA's:

thorctl results get <SHA256-1> <SHA256-2> <SHA256-3>

If you want to download results for specific tools then you can use the following command:

thorctl results get --tools <TOOL> --tools <TOOL> <SHA256>

You can also get results for any samples with a certain tag with the following command:

thorctl results get --tags Dataset=Examples

The tool and tag flags can be set together to get the results of running a tool on samples with a particular characteristic:

thorctl results get --tools analyzer --tags Packed=True

The number of results from which Thorctl downloads files is limited to prevent inadvertent massive download requests. To change the limit, use the --limit/-l flag:

thorctl results get --tags Incident=10001234 --limit 100