Hatching Triage Java API client version 1.6 release notes

The main page for this API client can be found here. This release contains new features, and several bug fixes. One can find the library’s code here. The latest release of the precompiled JAR can be found here.

Table of contents

New features

Since Hatching is continuously developing their sandbox (and their API endpoints), there were new features to be added to this library. The main addition is the existence of the TriageOverview object. This object contains the information of all reports with in a given submission. Previously, the TriageReport object was the only way to get information from the dynamic execution of a sample, and the StaticReport contained the statically retrieved information of the sample. The TriageOverview contains all information within a single object, as returned by Triage’s endpoint.

Aside from the newly added TriageOverview, and the embedded objects within it, the TriageApi object has been updated to reflect the changes, as can be seen by the function declarations below.

public TriageOverview getTriageOverview(String sampleId) throws IOException
public byte[] downloadSample(TriageOverview overview) throws IOException
public Map<String, Byte[]> downloadSamples(TriageOverview[] overviews, boolean suppressExceptions) throws IOException
public Set<String> getFamilies(TriageOverview[] overviews)

The already present helper functions to download a sample, and to download samples in bulk, are now also overloaded to allow the usage of the overview object. Lastly, a helper function has been added to get all unique families from an overview object.

Bug fixes

The static report has been updated with the import hash, authenticode validation, countersigned timestamp validation, and PE section information, as described in the Triage Thursday recap of the 20th of January 2022. The newly added fields are present in an object named TriageFileMetaData. Additionally, the ssdeep hash has been added to the static report.

The Config object’s attributes field has been retyped into a HashMap, which is empty if there are none. The key name is taken from Triage’s API response, meaning there is no list of used names upfront. Another change in this object is the type change of listenPort from String to int. Additionally, the value is now correctly included when the object is created, which wasn’t done previously.

A minor change in TaskSummary is the renaming of the taskname field to taskName.

At last, null checks have been added to the SearchResultParser, which is located in triageapi.json. This ensures that all search results are returned, even if some values cause an error. In short, the search results are more reliable now.

To contact me, you can e-mail me at [info][at][maxkersten][dot][nl], send me a PM on Reddit, or DM me on Twitter @Libranalysis.