The first release of the Java API client was published on the 14th of October 2020, as can be read here. This release adds and changes several features, which are explained in detail below. The library's code can be found here, and the latest release of the precompiled JAR can be found here.
Table of contents
- Kernel monitoring output
- Uploading samples
- Obtaining supported families
- Searching Triage’s sample uploads
- Future work
Kernel monitoring output
The function named getKernelMonitorOutput has been changed slightly, but should not contain any breaking changes. Triage can now provide the kernel monitoring output for Windows using OneMon, and for Linux distributions using Stahp. The getKernelMonitorOutput function checks the sample's platform and returns the corresponding kernel monitoring output. To get the kernel monitoring output of a Linux or Windows sample directly, use getStahpLog or getOneMonLog respectively. The function declarations are given below.

```java
public String getKernelMonitorOutput(String sampleId, String taskId) throws IOException
public String getStahpLog(String sampleId, String taskId) throws IOException
public String getOneMonLog(String sampleId, String taskId) throws IOException
```
Uploading samples
The future work section of the previous blog post noted that remote samples could not yet be uploaded and that URLs could not yet be submitted. In this version, both are possible: uploadSampleViaUrl submits a remote sample by its URL, and uploadUrl submits a URL itself for analysis. Both return a FileUploadResult object, just like the uploadSample function. The function declarations are given below.

```java
public FileUploadResult uploadUrl(String url) throws IOException
public FileUploadResult uploadSampleViaUrl(String url) throws IOException
```
Obtaining supported families
Triage supports a considerable number of malware families, malware configuration extractors, and ransomware note extraction modules. The complete list can be found here. The API client contains three methods, one for each of these groups. The function declarations are given below.

```java
public List<String> getSupportedFamilies() throws IOException
public List<String> getSupportedFamillyExtractors() throws IOException
public List<String> getSupportedRansomwareFamilies() throws IOException
```
Searching Triage’s sample uploads
The search functionality was introduced on the 23rd of October 2020, as can be read here. More information can be found here. Currently, the API client supports search queries based on three parameters: the query, the offset, and the limit. The query is used to match (or exclude) certain topics. The offset is used to obtain results after a specific date. The limit is the maximum number of results returned for the given query. By default, the limit is 50. Since Triage does not accept values higher than 200, any limit higher than 200 is changed to 200 before the request is made. Note that searching the public cloud only yields results from public samples, and searching a private cloud only yields results from that private cloud. The function declarations are given below.

```java
public SearchResult search(String query) throws IOException
public SearchResult search(String query, int limit) throws IOException
public SearchResult search(String query, String offset) throws IOException
public SearchResult search(String query, String offset, int limit) throws IOException
```
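The following is an added example, not code from the library or this post, showing how a caller can route a search through the four overloads above while applying the limit rules described: a default of 50 and a hard maximum of 200. The SearchClient interface, the SearchResult stand-in, the fake client and the query string are all assumptions made so the example compiles and runs offline; in real code, the client object of the library is used instead.

```java
import java.util.Objects;

public class TriageSearchExample {

    static final int DEFAULT_LIMIT = 50; // default stated above
    static final int MAX_LIMIT = 200;    // Triage rejects anything higher

    /** Minimal stand-in for the library's result type (assumption). */
    static final class SearchResult {
        final String query; final String offset; final int limit;
        SearchResult(String query, String offset, int limit) {
            this.query = query; this.offset = offset; this.limit = limit;
        }
        @Override public String toString() {
            return "query=" + query + " offset=" + Objects.toString(offset, "<none>") + " limit=" + limit;
        }
    }

    /** The four overloads listed above, as an interface (assumption). */
    interface SearchClient {
        SearchResult search(String query);
        SearchResult search(String query, int limit);
        SearchResult search(String query, String offset);
        SearchResult search(String query, String offset, int limit);
    }

    /**
     * Clamps the requested limit as described above: values above 200 become 200.
     * Treating a non-positive value as "use the default" is this example's own
     * choice, not documented library behaviour.
     */
    static int normalizeLimit(int requested) {
        if (requested <= 0) return DEFAULT_LIMIT;
        return Math.min(requested, MAX_LIMIT);
    }

    /**
     * Picks the overload that matches the supplied parameters, so that a null
     * offset or a non-positive limit falls back to the client's defaults
     * instead of being sent as an empty string or zero.
     */
    static SearchResult runSearch(SearchClient client, String query, String offset, int limit) {
        if (query == null || query.trim().isEmpty()) {
            throw new IllegalArgumentException("query must not be empty");
        }
        boolean hasOffset = offset != null && !offset.isEmpty();
        boolean hasLimit = limit > 0;
        int clamped = normalizeLimit(limit);
        if (hasOffset && hasLimit) return client.search(query, offset, clamped);
        if (hasOffset) return client.search(query, offset);
        if (hasLimit) return client.search(query, clamped);
        return client.search(query);
    }

    public static void main(String[] args) {
        // Offline fake that only records which overload was hit (constructed for this example).
        SearchClient fake = new SearchClient() {
            public SearchResult search(String q) { return new SearchResult(q, null, DEFAULT_LIMIT); }
            public SearchResult search(String q, int l) { return new SearchResult(q, null, l); }
            public SearchResult search(String q, String o) { return new SearchResult(q, o, DEFAULT_LIMIT); }
            public SearchResult search(String q, String o, int l) { return new SearchResult(q, o, l); }
        };
        // "family:emotet" is a placeholder query; Triage's query syntax is documented on its own site.
        System.out.println(runSearch(fake, "family:emotet", null, 0));        // limit=50 (default)
        System.out.println(runSearch(fake, "family:emotet", null, 500));      // limit=200 (clamped)
        System.out.println(runSearch(fake, "family:emotet", "<offset>", 25)); // offset and limit=25
    }
}
```

The clamp happens in the caller here only to make the rule visible; the client itself already lowers limits above 200, so the wrapper mainly guards against sending empty offsets or zero limits.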
Future work
As stated last time: not all features of Triage are included in this library. Maintenance is done on a best-effort basis, meaning there can and will be a delay between the creation of new endpoints by Triage and the implementation of those endpoints in this library.
Most of the features related to handling malware samples are included. The search function is still a work in progress, as a helper class is currently in development for the next release. The class specification is already present in the code, as can be seen in TriageSearchHelper. Aside from that, other features might be added. The focus was, and is, on features related to malware analysis.
To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], or DM me on BlueSky @maxkersten.nl.