Hatching Triage Java API client version 1.3 release notes

The main page for this API client can be found here. In this release, two new features have been added, and the documentation has been updated. Below, the changes are explained in detail. One can find the library’s code here. The latest release of the precompiled JAR can be found here.

Getting the families from a sample

It is convenient to be able to obtain all families that are linked to a given sample in one call. Using the previously included getSupportedFamilies function, the client matches all signatures of a report (as returned by TriageReport.getSignatures) against the list of known family names. Some minor normalisation (such as removing spaces) is required before the names compare equal; this is handled internally. Several overloads are provided for ease of use.

Noteworthy is the required boolean named allowCaching. Obtaining the list of families requires the API client to contact the corresponding endpoint, which adds considerable overhead if the function is called in a loop. To avoid this, the list of families is kept in a field of the class itself rather than in a local variable of the function. The first call initialises the list with the families returned by the endpoint. Subsequent calls reuse this list if caching is allowed. If caching is not allowed, the family list is fetched again and rebuilt, after which execution continues as normal. Keep in mind that a cached list only knows the families that existed when it was fetched: if the client instance is long-lived, pass false now and then (for example, once at the start of each batch) so that newly added families are not silently missed.

The newly added functions are listed below.

public Set<String> getFamilies(Signature[] signatures, boolean allowCaching) throws IOException
public Set<String> getFamilies(TriageReport report, boolean allowCaching) throws IOException
public Map<TriageReport, Set<String>> getFamilies(List<TriageReport> reports, boolean allowCaching) throws IOException
public Set<String> getFamilies(String sampleId, String taskId, boolean allowCaching) throws IOException
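As an added example (not code from the library itself), the following batch helper shows the caching strategy described above in practice: the first call of a batch passes allowCaching=false to refresh the class-level family list, every later call passes true, and a failing task does not abort the batch. The client class name TriageApi, the Task record and the getFamilies(String, String, boolean) overload's use here are assumptions; only the overload signature itself comes from this release. Requires Java 16+ for the record.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

public class FamilyBatch {

    // A (sampleId, taskId) pair as the caller stores it; constructed for this example.
    public record Task(String sampleId, String taskId) {}

    // Assumption: the client class is called TriageApi here; substitute the real client type.
    public static Map<Task, Set<String>> familiesForTasks(TriageApi client, List<Task> tasks) {
        Map<Task, Set<String>> result = new LinkedHashMap<>();
        boolean refresh = true; // the first successful call re-fetches the family list
        for (Task task : tasks) {
            try {
                // allowCaching=false forces the client to contact the families endpoint again;
                // every later iteration reuses the cached list, so the batch costs one extra
                // request instead of one per task.
                Set<String> families = client.getFamilies(task.sampleId(), task.taskId(), !refresh);
                refresh = false;
                result.put(task, families);
            } catch (IOException e) {
                // One failing task (network error, unknown id) should not abort the whole batch.
                System.err.printf("%s/%s: %s%n", task.sampleId(), task.taskId(), e.getMessage());
            }
        }
        return result;
    }

    // Count how often each family occurs across the batch, sorted by family name.
    public static Map<String, Integer> familyHistogram(Map<Task, Set<String>> perTask) {
        Map<String, Integer> counts = new TreeMap<>();
        for (Set<String> families : perTask.values()) {
            for (String family : families) {
                counts.merge(family, 1, Integer::sum);
            }
        }
        return counts;
    }

    public static void main(String[] args) {
        TriageApi client = new TriageApi(); // assumption: construct the client as your setup requires
        List<Task> tasks = List.of(
                new Task("sample-id-1", "task-id-1"),   // constructed placeholder ids
                new Task("sample-id-2", "task-id-2"));
        Map<Task, Set<String>> perTask = familiesForTasks(client, tasks);
        familyHistogram(perTask).forEach((family, n) -> System.out.println(family + ": " + n));
    }
}
```

Because the cache lives in the client instance, the refresh only helps if the same instance is reused across batches; a freshly constructed client always starts with an empty list and fetches on its first call regardless of the flag.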

Downloading memory dumps

The memory dumps that are collected during the execution of a sample can be downloaded from Triage. The three newly added functions return one or more dumped sections, depending on the given input: a single section by name, all sections of a report, or all sections of each report in a list. Note that the single-section overload returns a primitive byte[], whereas the two map-returning overloads use boxed Byte[].

public byte[] getDumpedSection(String sampleId, String taskId, String dumpName) throws IOException
public Map<String, Byte[]> getDumpedSections(TriageReport report) throws IOException
public Map<TriageReport, Map<String, Byte[]>> getDumpedSections(List<TriageReport> reports) throws IOException
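As an added example (not part of the library), the helper below writes every dumped section of a report to disk, unboxing the Byte[] values, hashing each section with SHA-256 for later correlation, and treating the dump name as untrusted input: the name comes from the service, so it is reduced to a conservative character set and the resulting path is checked to stay inside the output directory before anything is written. The client class name TriageApi is an assumption, and how the TriageReport is obtained is left to the caller.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

public class DumpSaver {

    // Assumption: the client class is called TriageApi here; substitute the real client type.
    public static void saveDumps(TriageApi client, TriageReport report, Path outDir) throws IOException {
        Path base = outDir.toAbsolutePath().normalize();
        Files.createDirectories(base);
        // The map-returning overloads hand back boxed Byte[]; unbox before hashing or writing.
        Map<String, Byte[]> dumps = client.getDumpedSections(report);
        for (Map.Entry<String, Byte[]> entry : dumps.entrySet()) {
            byte[] data = unbox(entry.getValue());
            // Never use a server-supplied name as a path as-is: sanitise it, then verify
            // that the resolved target still lies inside the output directory.
            Path target = base.resolve(safeFileName(entry.getKey())).normalize();
            if (!target.startsWith(base)) {
                throw new IOException("refusing to write outside " + base + ": " + entry.getKey());
            }
            Files.write(target, data);
            System.out.printf("%s  %d bytes  sha256=%s%n",
                    target.getFileName(), data.length, sha256Hex(data));
        }
    }

    static byte[] unbox(Byte[] boxed) {
        byte[] out = new byte[boxed.length];
        for (int i = 0; i < boxed.length; i++) {
            out[i] = boxed[i];
        }
        return out;
    }

    // Keep letters, digits, '.', '_' and '-'; everything else (including '/' and '\') becomes '_'.
    static String safeFileName(String name) {
        String cleaned = name.replaceAll("[^A-Za-z0-9._-]", "_");
        if (cleaned.isEmpty() || cleaned.equals(".") || cleaned.equals("..")) {
            cleaned = "dump_" + Integer.toHexString(name.hashCode());
        }
        return cleaned;
    }

    static String sha256Hex(byte[] data) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }
}
```

The hashes let you match a dumped section against other sources (YARA hits, other sandboxes) without re-downloading it, and the path check is cheap insurance: a dump name containing path separators would otherwise let a sandbox response choose where on your analysis box the bytes land.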

To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit or DM me on Twitter @LibraAnalysis.