def extract_info(self, report):
self.results['score'] = 0
self.results['signatures'] = []
probable_name = ""
if report.get('analysis'):
if report['analysis'].get('family'):
probable_name = ",".join(report['analysis']['family'])
self.add_probable_name(str(probable_name).lower())
self.add_tag(str(probable_name).lower())
if report['analysis'].get('score'):
score = report['analysis']['score']
self.results['score'] = float(score)
if report.get('signatures'):
for item in report['signatures']:
signature = dict()
if item.get('name'):
signature['name'] = item['name']
if item.get('score'):
signature['severity'] = item['score']
if item.get('desc'):
signature['description'] = item['desc']
self.results['signatures'].append(signature)
if report.get('extracted'):
configuration = dict()
for item in report['extracted']:
if item.get('config'):
config = item['config']
configuration = dict(
chain(config.items(), configuration.items()))
if item['config'].get('c2'):
for c2 in item['config']['c2']:
c2_tags = ['c2']
for threatname in probable_name.split(","):
c2_tags.append(threatname)
self.add_ioc(c2, c2_tags)
if item.get('credentials'):
config = item['credentials']
configuration = dict(
chain(config.items(), configuration.items()))
if item.get('dropper'):
config = item['dropper']
configuration = dict(
chain(config.items(), configuration.items()))
self.add_extraction(f"{probable_name} configuration",
configuration)
if report.get('tasks'):
for task in report['tasks']:
if task['status'] == "reported":
status = "reported"
if task['name'].startswith("behavioral"):
triage_client = Client(self.apikey,
root_url=self.api_endpoint)
taskreport = triage_client.task_report(
self.task_id, task['name'])
if taskreport.get('network'):
if taskreport['network'].get('flows'):
for flow in taskreport['network']['flows']:
if flow['proto'] == "tcp":
ip, port = flow['dst'].split(":")
self.add_ioc(ip,
["port:" + port, "tcp"])
if taskreport['network'].get('requests'):
for item in taskreport['network']['requests']:
if item.get('dns_request'):
dns = item['dns_request']['domains'][0]
self.add_ioc(dns, ["dns_request"])
if item.get('http_request'):
url = item['http_request']['url']
self.add_ioc(url, ["http_request"])
if self.collect_dropfiles:
if taskreport.get('dumped'):
for item in taskreport['dumped']:
if item['kind'] == "martian":
triage_client = Client(
self.apikey,
root_url=self.api_endpoint)
memdump = triage_client.sample_task_file(
self.task_id, task['name'],
item['name'])
tmpdir = tempdir()
filename = os.path.join(
tmpdir, 'triage_dropped_file')
with open(filename, "wb") as f:
f.write(memdump)
self.register_files(
'dropped_file', filename)
mime = magic.from_file(filename,
mime=True)
if mime == "application/x-dosexec":
self.add_extracted_file(filename)
if self.collect_memdumps:
if taskreport.get('dumped'):
for item in taskreport['dumped']:
if item['kind'] == "mapping" or item[
'kind'] == "region":
triage_client = Client(
self.apikey,
root_url=self.api_endpoint)
memdump = triage_client.sample_task_file(
self.task_id, task['name'],
item['name'])
tmpdir = tempdir()
filename = os.path.join(
tmpdir, 'triage_memory_dump')
with open(filename, "wb") as f:
f.write(memdump)
self.register_files(
'memory_dump', filename)
if self.collect_pcaps:
triage_client = Client(self.apikey,
root_url=self.api_endpoint)
pcapdump = triage_client.sample_task_file(
self.task_id, task['name'], "dump.pcap")
tmpdir = tempdir()
filename = os.path.join(tmpdir, 'triage_pcap')
with open(filename, "wb") as f:
f.write(pcapdump)
self.register_files('pcap', filename)
# Copyright (C) 2020 Hatching B.V
# All rights reserved.
from triage import Client
url = "https://api.tria.ge"
token = "<YOUR-APIKEY-HERE>"
c = Client(token, root_url=url)
sample_id = input("sample id: ") # e.g. 200916-1tmctk8x46
t = c.sample_by_id(sample_id)
task = input("task id: ") # e.g. behavioral1
t = c.task_report(sample_id, task)
file = input("file: ") # e.g. memory/1652-0-0x0000000000000000-mapping.dmp
t = c.sample_task_file(sample_id, task, file)
with open("test.dmp", "wb") as f:
f.write(t)
print("wrote test.dmp")
