Short Guides

Short Guide: Accessing Dropped Files on Triage

Blog.

Introduction

Over recent weeks, a number of users have got in touch asking about downloading files dropped by a sample during analysis. Although not currently accessible through the web UI, this feature is available via the API. This short guide will cover how to use the API to lookup and download dropped files for an analysis.

1. Viewing Dropped Files

When the Onemon agent (our Windows kernel driver) identifies the creation of a new unique file by the sample being analysed, it may dump its contents and its name will be recorded in the final report file. The raw JSON for this file is accessible using the report_triage.json endpoint:

curl -H 'Authorization: Bearer <API-KEY>' \
https://api.tria.ge/v0/samples/<SAMPLE_ID>/<TASK_ID>/report_triage.json
Field Description
SAMPLE_ID The identifier visible in the report URL - e.g. 200303-bdsch48nyx.

This is also returned by the API when submitting a file using the samples endpoint.
TASK_ID Can be quickly accessed from the final part of the report URL - e.g. behavioral1, behavioral2, etc.

Where possible, Task IDs should be obtained using the summary endpoint instead, e.g.

curl -sH 'Authorization: Bearer <API_KEY>' 'https://api.tria.ge/v0/samples/<SAMPLE_ID>' | jq -r .tasks[].id

The following command example will fetch the JSON report for the analysis 200303-bdsch48nyx and output the section detailing dropped files:

curl -H 'Authorization: Bearer <API-KEY>' \
https://api.tria.ge/v0/samples/200303-bdsch48nyx/behavioral1/report_triage.json \
| jq .dumped

The list this returns includes all dumped data from the analysis - note that this can also include other files such as process memory dumps. This can be filtered to only dropped files by selecting those of the martian kind:

jq '.dumped[] | select(.kind=="martian")'

This gives us a list of the available dropped files, with each entry following this structure:

{
  "at": 42900,
  "pid": 1604,
  "procid": 30,
  "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Cyuujswhia\\ciynbw.exe",
  "name": "files/0x0003000000012f27-8.dat",
  "kind": "martian"
}

2. Downloading Dropped Files

Using the name field from the output above, the files endpoint can be used to fetch files directly:

curl -H 'Authorization: Bearer <API_KEY>' \
'https://api.tria.ge/v0/samples/<SAMPLE_ID>/<TASK_ID>/files/<FILE_NAME>' \
--output output.bin

For example, using the output from part 1 above for the analysis 200303-bdsch48nyx:

curl -H 'Authorization: Bearer <API_KEY>' \
'https://api.tria.ge/v0/samples/200303-bdsch48nyx/behavioral1/files/0x0003000000012f27-8.dat' \
--output ciynbw.exe

Conclusion

We hope this guide answers your questions about this feature. Further information on the API, including command examples, can be found in the official documentation. As usual, feel free to get in touch with us to give us any feedback on this or other aspects of Triage. Follow us on Twitter (@hatching_io) for news on the latest changes as they are released.

Not signed up yet? Head on over to https://tria.ge/ to request early access to the platform!

You may also like: