def file_submit(self, filename, filepath):
token = self.app_secret
connect = Client(token, root_url=self.url)
# Check if it's a zip file and if it's password protected
if zipfile.is_zipfile(filepath):
zf = zipfile.ZipFile(filepath)
for zinfo in zf.infolist():
is_encrypted = zinfo.flag_bits & 0x1
if is_encrypted:
password = self.zip_pw
sample = open(filepath, "rb")
submit = connect.submit_sample_file(filename,
sample,
password=password)
else:
sample = open(filepath, "rb")
submit = connect.submit_sample_file(filename, sample)
else:
# Submit
sample = open(filepath, "rb")
submit = connect.submit_sample_file(filename, sample)
# Wait
time.sleep(self.timeout)
# Enjoy
retrive = connect.overview_report(submit['id'])
return retrive
def submit_file(self, filepath):
triage_client = Client(self.apikey, root_url=self.api_endpoint)
basename = os.path.basename(filepath)
fp = open(filepath, 'rb')
response = triage_client.submit_sample_file(basename, fp)
fp.close()
self.task_id = response['id']
def each_with_type(self, target, target_type):
self.client = Client(
self.api_key, "https://private.tria.ge/api"
if self.private_instance else "https://api.tria.ge")
# Submit the file / URL
self.submit_target(target, target_type)
# Wait for analysis to be over
self.wait_for_analysis()
# Save Results
self.results = self.client.overview_report(self.submission["id"])
# Extract interesting bits
self.parse_results()
# Format Results
self.results = {
"url": self.results["url"],
"analysis": self.results["analysis"],
"signatures": self.results["signatures"]
}
return True
def process_report(self):
try:
triage_client = Client(self.apikey, root_url=self.api_endpoint)
response = triage_client.overview_report(self.task_id)
self.extract_info(response)
except Exception as error:
raise ModuleExecutionError(
'Error encountered while processing report:\n{}'.format(error))
def url_submit(self, data):
# Submit
token = self.app_secret
connect = Client(token, root_url=self.url)
submit = connect.submit_sample_url(data)
# Wait
time.sleep(self.timeout)
# Enjoy
retrive = connect.overview_report(submit['id'])
return retrive
def search_file(self, filepath):
fp = open(filepath, 'rb')
sha256 = hashlib.sha256(fp.read()).hexdigest()
fp.close()
triage_client = Client(self.apikey, root_url=self.api_endpoint)
response = triage_client.search(sha256, max=1)
try:
for item in response:
self.task_id = item['id']
self.log("debug", "Found existing report.")
except:
self.log("debug", "No reports found. Submitting file.")
self.submit_file(filepath)
def wait_for_analysis(self):
triage_client = Client(self.apikey, root_url=self.api_endpoint)
waited_time = 0
while waited_time < self.wait_timeout:
response = triage_client.sample_by_id(self.task_id)
status = response['status']
if status == 'reported':
break
time.sleep(self.wait_step)
waited_time += self.wait_step
if status != 'reported':
raise ModuleExecutionError('could not get report before timeout.')
def client_from_env():
tokenfile = token_file()
if not os.path.exists(tokenfile):
print("Please authenticate")
sys.exit()
return
with open(token_file(), "r") as f:
for line in f:
line = line.strip()
if len(line) == 0 or line.startswith("#"):
continue
url, token = line.split(" ")
return Client(token, root_url=url)
print("%s is not formatted correctly" % tokenfile)
sys.exit()
# Copyright (C) 2020 Hatching B.V
# All rights reserved.
import io, time
from triage import Client
url = "https://api.tria.ge"
token = "<YOUR-APIKEY-HERE>"
c = Client(token, root_url=url)
r = c.submit_sample_url("http://google.com", interactive=True)
print(r)
time.sleep(1)
r = c.set_sample_profile_automatically(r["id"], [])
def extract_info(self, report):
self.results['score'] = 0
self.results['signatures'] = []
probable_name = ""
if report.get('analysis'):
if report['analysis'].get('family'):
probable_name = ",".join(report['analysis']['family'])
self.add_probable_name(str(probable_name).lower())
self.add_tag(str(probable_name).lower())
if report['analysis'].get('score'):
score = report['analysis']['score']
self.results['score'] = float(score)
if report.get('signatures'):
for item in report['signatures']:
signature = dict()
if item.get('name'):
signature['name'] = item['name']
if item.get('score'):
signature['severity'] = item['score']
if item.get('desc'):
signature['description'] = item['desc']
self.results['signatures'].append(signature)
if report.get('extracted'):
configuration = dict()
for item in report['extracted']:
if item.get('config'):
config = item['config']
configuration = dict(
chain(config.items(), configuration.items()))
if item['config'].get('c2'):
for c2 in item['config']['c2']:
c2_tags = ['c2']
for threatname in probable_name.split(","):
c2_tags.append(threatname)
self.add_ioc(c2, c2_tags)
if item.get('credentials'):
config = item['credentials']
configuration = dict(
chain(config.items(), configuration.items()))
if item.get('dropper'):
config = item['dropper']
configuration = dict(
chain(config.items(), configuration.items()))
self.add_extraction(f"{probable_name} configuration",
configuration)
if report.get('tasks'):
for task in report['tasks']:
if task['status'] == "reported":
status = "reported"
if task['name'].startswith("behavioral"):
triage_client = Client(self.apikey,
root_url=self.api_endpoint)
taskreport = triage_client.task_report(
self.task_id, task['name'])
if taskreport.get('network'):
if taskreport['network'].get('flows'):
for flow in taskreport['network']['flows']:
if flow['proto'] == "tcp":
ip, port = flow['dst'].split(":")
self.add_ioc(ip,
["port:" + port, "tcp"])
if taskreport['network'].get('requests'):
for item in taskreport['network']['requests']:
if item.get('dns_request'):
dns = item['dns_request']['domains'][0]
self.add_ioc(dns, ["dns_request"])
if item.get('http_request'):
url = item['http_request']['url']
self.add_ioc(url, ["http_request"])
if self.collect_dropfiles:
if taskreport.get('dumped'):
for item in taskreport['dumped']:
if item['kind'] == "martian":
triage_client = Client(
self.apikey,
root_url=self.api_endpoint)
memdump = triage_client.sample_task_file(
self.task_id, task['name'],
item['name'])
tmpdir = tempdir()
filename = os.path.join(
tmpdir, 'triage_dropped_file')
with open(filename, "wb") as f:
f.write(memdump)
self.register_files(
'dropped_file', filename)
mime = magic.from_file(filename,
mime=True)
if mime == "application/x-dosexec":
self.add_extracted_file(filename)
if self.collect_memdumps:
if taskreport.get('dumped'):
for item in taskreport['dumped']:
if item['kind'] == "mapping" or item[
'kind'] == "region":
triage_client = Client(
self.apikey,
root_url=self.api_endpoint)
memdump = triage_client.sample_task_file(
self.task_id, task['name'],
item['name'])
tmpdir = tempdir()
filename = os.path.join(
tmpdir, 'triage_memory_dump')
with open(filename, "wb") as f:
f.write(memdump)
self.register_files(
'memory_dump', filename)
if self.collect_pcaps:
triage_client = Client(self.apikey,
root_url=self.api_endpoint)
pcapdump = triage_client.sample_task_file(
self.task_id, task['name'], "dump.pcap")
tmpdir = tempdir()
filename = os.path.join(tmpdir, 'triage_pcap')
with open(filename, "wb") as f:
f.write(pcapdump)
self.register_files('pcap', filename)
def submit_url(self, filepath):
triage_client = Client(self.apikey, root_url=self.api_endpoint)
response = triage_client.submit_sample_url(filepath)
self.task_id = response['id']
def __init__(self):
# Instantiate the connector helper from config
config_file_path = os.path.dirname(os.path.abspath(__file__)) + "/config.yml"
config = (
yaml.load(open(config_file_path), Loader=yaml.FullLoader)
if os.path.isfile(config_file_path)
else {}
)
self.helper = OpenCTIConnectorHelper(config)
self.identity = self.helper.api.identity.create(
type="Organization",
name="Hatching Triage",
description="Hatching Triage",
)["standard_id"]
self.octi_api_url = get_config_variable(
"OPENCTI_URL", ["opencti", "url"], config
)
# Get URL and token from config, use to instantiate the Triage Client
base_url = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_BASE_URL",
["hatching_triage_sandbox", "base_url"],
config,
)
token = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_TOKEN",
["hatching_triage_sandbox", "token"],
config,
)
self.triage_client = Client(token, root_url=base_url)
# Get other config values
self.use_existing_analysis = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_USE_EXISTING_ANALYSIS",
["hatching_triage_sandbox", "use_existing_analysis"],
config,
)
self.family_color = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_FAMILY_COLOR",
["hatching_triage_sandbox", "family_color"],
config,
)
self.botnet_color = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_BOTNET_COLOR",
["hatching_triage_sandbox", "botnet_color"],
config,
)
self.campaign_color = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_CAMPAIGN_COLOR",
["hatching_triage_sandbox", "campaign_color"],
config,
)
self.default_tag_color = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_TAG_COLOR",
["hatching_triage_sandbox", "tag_color"],
config,
)
self.max_tlp = get_config_variable(
"HATCHING_TRIAGE_SANDBOX_MAX_TLP",
["hatching_triage_sandbox", "max_tlp"],
config,
)