The main page for this API client can be found here. This release contains new features, and several bug fixes. One can find the library’s code here. The latest release of the precompiled JAR can be found here.
Table of contents
Since Hatching is continuously developing their sandbox (and their API endpoints), there were new features to be added to this library. The main addition is the existence of the TriageOverview object. This object contains the information of all reports with in a given submission. Previously, the TriageReport object was the only way to get information from the dynamic execution of a sample, and the StaticReport contained the statically retrieved information of the sample. The TriageOverview contains all information within a single object, as returned by Triage’s endpoint.
Aside from the newly added TriageOverview, and the embedded objects within it, the TriageApi object has been updated to reflect the changes, as can be seen by the function declarations below.
public TriageOverview getTriageOverview(String sampleId) throws IOException public byte downloadSample(TriageOverview overview) throws IOException public Map<String, Byte> downloadSamples(TriageOverview overviews, boolean suppressExceptions) throws IOException public Set<String> getFamilies(TriageOverview overviews)
The already present helper functions to download a sample, and to download samples in bulk, are now also overloaded to allow the usage of the overview object. Lastly, a helper function has been added to get all unique families from an overview object.
The static report has been updated with the import hash, authenticode validation, countersigned timestamp validation, and PE section information, as described in the Triage Thursday recap of the 20th of January 2022. The newly added fields are present in an object named TriageFileMetaData. Additionally, the ssdeep hash has been added to the static report.
The Config object’s attributes field has been retyped into a HashMap
A minor change in TaskSummary is the renaming of the taskname field to taskName.
At last, null checks have been added to the SearchResultParser, which is located in triageapi.json. This ensures that all search results are returned, even if some values cause an error. In short, the search results are more reliable now.