Introduction
Over recent weeks, a number of users have got in touch asking how to download the files dropped by a sample during analysis. Although not currently accessible through the web UI, this feature is available via the API. This short guide covers how to use the API to look up and download the dropped files of an analysis.
1. Viewing Dropped Files
When the Onemon agent (our Windows kernel driver) sees the sample being analysed create a new, unique file, it may dump the file's contents, and the dump's name is then recorded in the final report. The raw JSON for that report is accessible using the report_triage.json endpoint:
curl -H 'Authorization: Bearer <API_KEY>' \
https://api.tria.ge/v0/samples/<SAMPLE_ID>/<TASK_ID>/report_triage.json
Field | Description |
---|---|
SAMPLE_ID | The identifier visible in the report URL, e.g. 200303-bdsch48nyx. This is also returned by the API when submitting a file using the samples endpoint. |
TASK_ID | Can be read from the final part of the report URL, e.g. behavioral1, behavioral2, etc. Where possible, task IDs should instead be obtained from the sample's summary endpoint, e.g. `curl -sH 'Authorization: Bearer <API_KEY>' 'https://api.tria.ge/v0/samples/<SAMPLE_ID>'` |
The following command example will fetch the JSON report for the analysis 200303-bdsch48nyx and output the section detailing dropped files:
curl -H 'Authorization: Bearer <API_KEY>' \
https://api.tria.ge/v0/samples/200303-bdsch48nyx/behavioral1/report_triage.json \
| jq .dumped
The list this returns includes all dumped data from the analysis; note that this can also include other artefacts such as process memory dumps. It can be narrowed down to dropped files only by selecting the entries of the martian kind:
jq '.dumped[] | select(.kind=="martian")'
This gives us a list of the available dropped files, with each entry following this structure:
{
"at": 42900,
"pid": 1604,
"procid": 30,
"path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cyuujswhia\\ciynbw.exe",
"name": "files/0x0003000000012f27-8.dat",
"kind": "martian"
}
at: Timestamp (in milliseconds) at which the file was created, relative to the start of the analysis.
pid: PID of the process which created the file.
procid: Unique internal ID assigned to the process by Triage, so that processes can be told apart even if PIDs are reused during an analysis.
path: Original path of the file on the analysis VM.
name: Internal ID of the dropped file. This is used to fetch the file itself from the API.
kind: Type of dump; dropped files are marked martian.
2. Downloading Dropped Files
Using the name field from the output above, the files endpoint can be used to fetch files directly:
curl -H 'Authorization: Bearer <API_KEY>' \
'https://api.tria.ge/v0/samples/<SAMPLE_ID>/<TASK_ID>/files/<FILE_NAME>' \
--output output.bin
For example, using the output from part 1 above for the analysis 200303-bdsch48nyx (whatever name you give the output, it is the sample's dropped payload: keep it on an isolated analysis machine and never execute it):
curl -H 'Authorization: Bearer <API_KEY>' \
'https://api.tria.ge/v0/samples/200303-bdsch48nyx/behavioral1/files/0x0003000000012f27-8.dat' \
--output ciynbw.exe
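Putting parts 1 and 2 together, the following script is an added example (not Hatching's own tooling) that lists the martian entries of a report_triage.json and downloads each one through the files endpoint, using only the two URLs shown in this guide. The embedded report excerpt is constructed from the entry quoted above plus a made-up memory dump whose kind value ("memdump") is hypothetical and only there to show filtering; the TRIAGE_API_KEY environment variable, the .bin suffix and the output directory layout are choices of this example, not of the API.

```python
"""Added example, not Hatching's own tooling: list the dropped files of one
Triage analysis from its report_triage.json and download them with the files
endpoint, using only the two URLs shown in this guide."""
import hashlib
import json
import os
import re
import sys
import urllib.request

API = "https://api.tria.ge/v0"

# Constructed excerpt of a report_triage.json in the shape shown in part 1.
# The first entry is the one quoted in the guide; the second is a made-up
# memory dump whose kind ("memdump") is a hypothetical value, present only to
# show that non-martian entries are filtered out.
SAMPLE_REPORT = json.loads(r'''{
  "dumped": [
    {"at": 42900, "pid": 1604, "procid": 30,
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cyuujswhia\\ciynbw.exe",
     "name": "files/0x0003000000012f27-8.dat", "kind": "martian"},
    {"at": 51200, "pid": 1604, "procid": 30,
     "path": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ciynbw.exe",
     "name": "memory/1604-30.dmp", "kind": "memdump"}
  ]
}''')


def dropped_files(report):
    """Return the dumped entries that are dropped files (kind martian), oldest first."""
    files = [e for e in report.get("dumped", []) if e.get("kind") == "martian"]
    return sorted(files, key=lambda e: e["at"])


def file_url(sample_id, task_id, name):
    """URL of the files endpoint for one dump. The 'name' field already carries
    the 'files/' prefix, so appending it to the task URL reproduces the example
    URL from part 2 exactly."""
    return f"{API}/samples/{sample_id}/{task_id}/{name}"


def safe_local_name(entry):
    """Local filename: dump id + sanitised basename of the original path,
    suffixed with .bin so a dropped executable never lands on disk under a
    runnable name by accident (a choice of this example, not of the API)."""
    base = entry["path"].replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "unnamed"
    dump_id = entry["name"].rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return f"{dump_id}_{base}.bin"


def _get(url, api_key, timeout=60):
    """Authenticated GET with the Bearer header used throughout the guide."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def fetch_report(sample_id, task_id, api_key):
    """GET report_triage.json for one task (network call, not exercised offline)."""
    return json.loads(_get(f"{API}/samples/{sample_id}/{task_id}/report_triage.json", api_key))


def download(sample_id, task_id, entry, api_key, out_dir):
    """Fetch one dropped file, write it under out_dir, return (path, sha256)."""
    data = _get(file_url(sample_id, task_id, entry["name"]), api_key)
    os.makedirs(out_dir, exist_ok=True)
    dest = os.path.join(out_dir, safe_local_name(entry))
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest, hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Usage: TRIAGE_API_KEY=<key> python dropped.py 200303-bdsch48nyx behavioral1 [out_dir]
    # (the environment variable name is an assumption of this example)
    if len(sys.argv) < 3 or "TRIAGE_API_KEY" not in os.environ:
        sys.exit("usage: TRIAGE_API_KEY=<key> dropped.py <SAMPLE_ID> <TASK_ID> [out_dir]")
    sample, task = sys.argv[1], sys.argv[2]
    out = sys.argv[3] if len(sys.argv) > 3 else os.path.join("dropped", sample, task)
    key = os.environ["TRIAGE_API_KEY"]
    for entry in dropped_files(fetch_report(sample, task, key)):
        path, digest = download(sample, task, entry, key, out)
        print(f"{entry['at']:>8} ms  pid {entry['pid']:<6} {entry['path']}\n"
              f"             -> {path}  sha256={digest}")
```

The SHA-256 printed for each file lets you cross-check what you downloaded against the hash shown in the report, and the .bin suffix plus per-analysis directory keep dropped executables from being double-clicked or picked up by path lookups on the machine you pull them to.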
Conclusion
We hope this guide answers your questions about this feature. Further information on the API, including command examples, can be found in the official documentation. As usual, feel free to get in touch with us to give us any feedback on this or other aspects of Triage. Follow us on Twitter (@hatching_io) for news on the latest changes as they are released.
Not signed up yet? Head on over to https://tria.ge/ to request early access to the platform!