Short Guide: Submitting Zip Files to Triage


Introduction

Malware can be deployed in a huge variety of ways, and not all of them make analysis as simple as running a single file. Whether it is a DLL, a configuration file, or a data resource, many samples need certain content to be present on the system in order to function properly. This is especially true for samples recovered during incident response, where the initial dropper may no longer be available while the second-stage malware itself is spread across multiple files.

This short blog post will cover how to submit multiple files to Triage for analysis at the same time, as well as a couple of examples on leveraging this to give more control over the way in which a sample is executed.

Submitting Multiple Files via Web UI

In order to submit the files in one go, create a zip file containing everything you want to end up on the Virtual Machine for analysis. Submit it to Triage and you will be presented with a page like this:

Each executable file will have a checkbox next to it in the table on the left; selecting the box for a file creates a new analysis in which the chosen file is executed by the agent on the VM. For each analysis spawned, every file in the archive is extracted onto the machine alongside the chosen file, so in most cases the sample will be able to find any companion files it needs during execution. The files can be found in the Local AppData folder at C:\Users\Admin\AppData\Local\Temp:

Submitting with custom options

Sometimes a sample looks for a file at a particular path, or requires certain command-line parameters to run properly. There are multiple ways to handle this, but given the behaviour outlined above the easiest is to write a PowerShell script that performs the actions you need, add it to the zip, and select only the .ps1 file as described above. For example:

# The other archive members are extracted next to this script, so resolve them relative to it
$here = $PSScriptRoot
Move-Item -Path (Join-Path $here "example-dll-1.dll") -Destination "C:\Windows\System32\sample-dll.dll"
Start-Process -FilePath (Join-Path $here "example-sample.exe") -ArgumentList "-t","-x"

The above .ps1 script moves a DLL into the System32 folder and then launches the sample with the -t and -x options.

Submitting Multiple Files via Console API

It is also possible to choose which file is executed when submitting via the API. If your account is registered as part of a company on Triage, you will have access to Profiles. You can use these to customize launch options when submitting via API, including defining a particular file in an archive which should be run by the Virtual Machine.

The following command allows you to submit an archive and choose an analysis target:

curl -H 'Authorization: Bearer <API-KEY>' \
  -X POST \
  -F 'file=@<LOCAL PATH TO ARCHIVE>' \
  -F '_json={"profiles":[{"pick":"<TARGET FILEPATH IN ARCHIVE>","profile":"<PROFILE ID>"}],"kind":"file","interactive":false}' \
  'https://api.tria.ge/v0/samples'

Note that we choose the file to be run using the pick field of the entry in the profiles array. The path entered here should be relative to the root of the archive itself. If we do not specify it when submitting an archive, Triage will create a separate analysis for each file it supports.

You can get a list of your available profile IDs for the above command via the /profiles API endpoint:

curl -H 'Authorization: Bearer <API-KEY>' https://api.tria.ge/v0/profiles

If we then check the status of the sample, we can see that a single task has been created for the specified file:

curl -s -H 'Authorization: Bearer <API-KEY>' 'https://api.tria.ge/v0/samples/<SAMPLE-ID>'
{
  "id": "<SAMPLE-ID>",
  "status": "reported",
  "kind": "file",
  "filename": "example-2.zip",
  "private": true,
  "tasks": [
    {
      "id": "task1",
      "status": "reported",
      "target": "example-ps1.ps1"
    }
  ],
  "submitted": "2020-01-14T16:18:55.746135Z",
  "completed": "2020-01-14T16:20:09Z"
}
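The same submission and status check as a small Python client, added here as an example (it is not Hatching's code): it builds the archive, sends the _json profiles entry with the pick field, and reads the task targets back from the sample JSON. It assumes the documented /v0/samples endpoint, a bearer key in the TRIAGE_API_KEY environment variable and a profile ID in TRIAGE_PROFILE_ID; the file names and contents are constructed.

```python
# Added example (not Hatching's code): build a zip, submit it to Triage and pick the member to run.
# Assumes the documented /v0/samples endpoint and a bearer key in TRIAGE_API_KEY; file names are constructed.
import io, json, os, zipfile
from urllib import request

API = "https://api.tria.ge/v0"

def build_archive(files):
    """Pack {name: bytes} into an in-memory zip; member names are relative to the archive root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def submission_json(pick, profile_id, members):
    """The _json form field. 'pick' must name an archive member; without it Triage makes one task per supported file."""
    if pick not in members:
        raise ValueError(f"{pick!r} is not a member of the archive: {members}")
    return {"profiles": [{"pick": pick, "profile": profile_id}], "kind": "file", "interactive": False}

def multipart(fields, filename, data):
    """Encode text fields plus one 'file' part as multipart/form-data (what curl -F builds for us)."""
    boundary = "triage" + os.urandom(12).hex()
    body = b"".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n\r\n{v}\r\n'.encode()
        for k, v in fields.items())
    body += (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
             f"Content-Type: application/zip\r\n\r\n").encode() + data + f"\r\n--{boundary}--\r\n".encode()
    return body, f"multipart/form-data; boundary={boundary}"

def submit(archive, filename, pick, profile_id, api_key):
    """POST the archive; returns Triage's JSON for the new sample (poll /samples/<id> for its tasks)."""
    members = zipfile.ZipFile(io.BytesIO(archive)).namelist()
    body, ctype = multipart({"_json": json.dumps(submission_json(pick, profile_id, members))}, filename, archive)
    req = request.Request(f"{API}/samples", data=body, method="POST",
                          headers={"Authorization": f"Bearer {api_key}", "Content-Type": ctype})
    with request.urlopen(req) as resp:
        return json.load(resp)

def task_targets(sample):
    """Targets of the tasks in a /samples/<id> response; with a valid pick there is exactly one."""
    return [t["target"] for t in sample.get("tasks", [])]

if __name__ == "__main__":
    files = {"example-ps1.ps1": b"Start-Process example-sample.exe\r\n", "example-dll-1.dll": b"MZ placeholder"}
    sample = submit(build_archive(files), "example-2.zip", "example-ps1.ps1",
                    os.environ["TRIAGE_PROFILE_ID"], os.environ["TRIAGE_API_KEY"])
    print(sample["id"])
```

Checking the pick against the archive listing before submitting avoids the fallback where every supported file gets its own task.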

Conclusion

We hope this guide helps you get the most out of the Triage sandbox. Further information on the API, including command examples, can be found in the official documentation. If you have any further questions about this or other topics, feel free to reach out to us using the information at the bottom of this page and we will do our best to help.
