From 1cf7ce76308f9cdbd19ace194d97dc8d6dc9accd Mon Sep 17 00:00:00 2001
From: msever
Date: Thu, 2 May 2024 17:41:18 +0200
Subject: [PATCH 01/13] Update

---
 .../ReversingLabsA1000v2.py | 152 +++++++++++++++++-
 .../ReversingLabsA1000v2.yml | 55 ++++++-
 2 files changed, 205 insertions(+), 2 deletions(-)

diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
index ad1adb3734d4..c99e043c52fd 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
@@ -2,7 +2,7 @@ from ReversingLabs.SDK.a1000 import A1000
-VERSION = "v2.3.2"
+VERSION = "v2.4.0"
 USER_AGENT = f"ReversingLabs XSOAR A1000 {VERSION}"
 HOST = demisto.getParam('host')
 TOKEN = demisto.getParam('token')
@@ -862,6 +862,136 @@ def urls_from_ip_output(ip, response): return results +def user_tags_command(a1000: A1000): + action = demisto.getArg("action") + sample_hash = demisto.getArg("hash") + tags = demisto.getArg("tags") + + try: + if action == "GET": + resp = a1000.get_user_tags(sample_hash=sample_hash) + + elif action == "CREATE": + tags_list = tags.split(",") + resp = a1000.post_user_tags(sample_hash=sample_hash, tags=tags_list) + + elif action == "DELETE": + tags_list = tags.split(",") + resp = a1000.delete_user_tags(sample_hash=sample_hash, tags=tags_list) + + else: + return_error("This action is not supported.") + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + raise + + results = user_tags_output(resp=resp, action=action) + return results + + +def user_tags_output(resp, action): + markdown = f"## ReversingLabs A1000 user tags - {action} tags\n **Tag list**: {resp.text}" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_user_tags": resp.json()}, + readable_output=markdown + ) + + return results + + +def file_analysis_status_command(a1000: A1000): + sample_hashes = demisto.getArg("hashes") + hash_list = sample_hashes.split(",") + + analysis_status = demisto.getArg("analysis_status") + + try: + resp = a1000.file_analysis_status(sample_hashes=hash_list, sample_status=analysis_status) + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + raise + + results = file_analysis_status_output(resp_json=resp.json(), status=analysis_status) + return results + + +def file_analysis_status_output(resp_json, status=None): + markdown = f"""## ReversingLabs A1000 file analysis status\n **Hash type**: {resp_json.get("hash_type")}\n""" + + if status: + markdown = markdown + f"**Only status**: {status}\n" + + results_table = tableToMarkdown("Analysis status", resp_json.get("results")) + + markdown = markdown + results_table + + results = 
CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_file_analysis_status": resp_json}, + readable_output=markdown + ) + + return results + + +def pdf_report_command(a1000: A1000): + sample_hash = demisto.getArg("hash") + action = demisto.getArg("action") + + try: + if action == "CREATE REPORT": + resp = a1000.create_pdf_report(sample_hash=sample_hash).json() + + elif action == "CHECK STATUS": + resp = a1000.check_pdf_report_creation(sample_hash=sample_hash).json() + + elif action == "DOWNLOAD REPORT": + resp = a1000.download_pdf_report(sample_hash=sample_hash) + + else: + return_error("This action is not supported.") + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + raise + + results, file_result = pdf_report_output(resp=resp, action=action, sample_hash=sample_hash) + return [results, file_result] + + +def pdf_report_output(resp, action, sample_hash): + markdown = f"## ReversingLabs A1000 PDF report - {action}\n" + + file_result = None + + if action == "CREATE REPORT": + markdown = markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n **Download endpoint**: {resp.get("download_endpoint")}""" + context = resp + + elif action == "CHECK STATUS": + markdown = markdown + f"""**Status**: {resp.get("status")}\n **Status message**: {resp.get("status_message")}""" + context = resp + + else: + file_result = fileResult(sample_hash, resp.content, file_type=EntryType.FILE) + context = None + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_pdf_report": context}, + readable_output=markdown + ) + + return results, file_result + + def main(): try: wait_time_seconds = int(WAIT_TIME_SECONDS) 
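Review bot: `tags.split(",")` in the CREATE and DELETE branches of user_tags_command dereferences `tags` without checking it, and the YAML in this patch does not mark the `tags` argument as required, so an omitted argument surfaces as an AttributeError rather than a usable message; add `if not tags: return_error("The 'tags' argument is required for the CREATE and DELETE actions.")` before the split, and drop surrounding whitespace with `[t.strip() for t in tags.split(",") if t.strip()]`. The same unguarded `.split(",")` applies to `hashes` in file_analysis_status_command, where the YAML does mark it required but an empty string still yields `['']`. The error path hands `e.response_object.content`, the raw bytes of the server body, to return_error; `e.response_object.text` renders as text in the war room and is what the TitaniumScale code in PATCH 03 uses, so the two integrations would be consistent. user_tags_output also embeds `resp.text` verbatim in the markdown while the context gets `resp.json()`; building the readable line from the parsed list keeps the two views in step.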
@@ -922,6 +1052,26 @@ def main():
 return_results(get_ip_domain_resolutions(a1000))
 elif demisto.command() == 'reversinglabs-a1000-ip-urls':
 return_results(get_urls_from_ip(a1000))
+ elif demisto.command() == 'reversinglabs-a1000-user-tags':
+ return_results(user_tags_command(a1000))
+ elif demisto.command() == 'reversinglabs-a1000-file-analysis-status':
+ return_results(file_analysis_status_command(a1000))
+ elif demisto.command() == 'reversinglabs-a1000-pdf-report':
+ return_results(pdf_report_command(a1000))
+ elif demisto.command() == 'reversinglabs-a1000-static-analysis-report':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-create-dynamic-analysis-report':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-check-dynamic-analysis-report-status':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-download-dynamic-analysis-report':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-get-sample-classification':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-set-sample-classification':
+ pass
+ elif demisto.command() == 'reversinglabs-a1000-delete-sample-classification':
+ pass
 else:
 return_error(f'Command [{demisto.command()}] not implemented')
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
index 43df4274791d..652eddf3dd08 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
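Review bot: The seven `pass` branches added to main() register command names that silently do nothing: running `reversinglabs-a1000-static-analysis-report` produces neither output nor an error, whereas an unknown command still reaches the `return_error(f'Command [{demisto.command()}] not implemented')` fallback. Until the handlers land, leave these names out so the fallback fires, or make each placeholder `return_error(f'Command [{demisto.command()}] not implemented')`. The same placeholder pattern is left for the three sample-classification commands in the @@ -1059 hunk of PATCH 02 and for `delete-multiple-tasks` and `get-yara-id` in the @@ -290 hunk of PATCH 03. main() begins and ends outside this hunk.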
@@ -397,7 +397,60 @@ script: - contextPath: ReversingLabs.a1000_ip_urls description: A1000 URL-s hosted on an IP address. type: Unknown - dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.86428 + - name: reversinglabs-a1000-user-tags + description: Perform user tag actions for a sample - Get existing tags, create new tags or delete existing tags. + arguments: + - name: action + description: Which tag action to perform - GET, CREATE or DELETE + required: true + auto: PREDEFINED + predefined: + - 'GET' + - 'CREATE' + - 'DELETE' + - name: hash + description: Hash of the desired sample. + required: true + default: true + - name: tags + description: Comma-separated list of tags. + outputs: + - contextPath: ReversingLabs.a1000_user_tags + description: Actions for managing user tags on samples. + type: Unknown + - name: reversinglabs-a1000-file-analysis-status + description: Check the analysis status of submitted files. + arguments: + - name: hashes + description: Comma-separated list of file hashes. Should be written without spaces and all hashes should be of the same type. + default: true + required: true + - name: analysis_status + description: Check only files with this analysis status. Available values are 'processed' and 'not_found'. + outputs: + - contextPath: ReversingLabs.a1000_file_analysis_status + description: Analysis status of requested files. + type: Unknown + - name: reversinglabs-a1000-pdf-report + description: Perform PDF report actions for a sample - create a report, check the status of a report and download a report. + arguments: + - name: hash + description: Sample hash. + default: true + required: true + - name: action + description: Which PDF report action to perform - CREATE REPORT, CHECK STATUS or DOWNLOAD REPORT + required: true + auto: PREDEFINED + predefined: + - 'CREATE REPORT' + - 'CHECK STATUS' + - 'DOWNLOAD REPORT' + outputs: + - contextPath: ReversingLabs.a1000_pdf_report + description: Actions for creating and downloading PDF reports. 
+ type: Unknown + dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.93622 runonce: false script: '-' subtype: python3 From db37c510c804ece71326d4ed371e4dea73fa6e02 Mon Sep 17 00:00:00 2001 From: msever Date: Fri, 3 May 2024 12:48:57 +0200 Subject: [PATCH 02/13] Update --- .../ReversingLabsA1000v2.py | 149 ++++++++++++++++-- .../ReversingLabsA1000v2.yml | 38 +++++ 2 files changed, 175 insertions(+), 12 deletions(-) diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py index c99e043c52fd..3234e6306e63 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py @@ -885,7 +885,8 @@ def user_tags_command(a1000: A1000): except Exception as e: if hasattr(e, "response_object"): return_error(e.response_object.content) - raise + else: + raise results = user_tags_output(resp=resp, action=action) return results @@ -915,7 +916,8 @@ def file_analysis_status_command(a1000: A1000): except Exception as e: if hasattr(e, "response_object"): return_error(e.response_object.content) - raise + else: + raise results = file_analysis_status_output(resp_json=resp.json(), status=analysis_status) return results @@ -960,10 +962,14 @@ def pdf_report_command(a1000: A1000): except Exception as e: if hasattr(e, "response_object"): return_error(e.response_object.content) - raise + else: + raise results, file_result = pdf_report_output(resp=resp, action=action, sample_hash=sample_hash) - return [results, file_result] + if file_result: + return [results, file_result] + else: + return results def pdf_report_output(resp, action, sample_hash): 
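Review bot: The `tags` argument of reversinglabs-a1000-user-tags is optional in this YAML, but the CREATE and DELETE actions in the Python cannot run without it; say so in its description, e.g. `description: Comma-separated list of tags. Required for the CREATE and DELETE actions.`. `analysis_status` of reversinglabs-a1000-file-analysis-status is free text although its description names exactly two accepted values; give it `auto: PREDEFINED` with `predefined: ['processed', 'not_found']` so the UI constrains it the way the `action` arguments already are. The output descriptions "Actions for managing user tags on samples." and "Actions for creating and downloading PDF reports." describe the command rather than the context value; a reader of the context path wants to know what is stored there (the tag list returned by the A1000, the report status/endpoint object).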
@@ -980,7 +986,8 @@ def pdf_report_output(resp, action, sample_hash): context = resp else: - file_result = fileResult(sample_hash, resp.content, file_type=EntryType.FILE) + markdown = markdown + "The PDF report is returned as a downloadable file below." + file_result = fileResult(f"{sample_hash}.pdf", resp.content, file_type=EntryType.FILE) context = None results = CommandResults( 
@@ -992,6 +999,128 @@ def pdf_report_output(resp, action, sample_hash): return results, file_result +def static_analysis_report_command(a1000: A1000): + sample_hash = demisto.getArg("hash") + + try: + resp = a1000.get_titanium_core_report_v2(sample_hash=sample_hash) + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + else: + raise + + results = static_analysis_report_output(resp_json=resp.json(), sample_hash=sample_hash) + return results + + +def static_analysis_report_output(resp_json, sample_hash): + classification_obj = resp_json.get("classification") + indicators_table = tableToMarkdown("Indicators", resp_json.get("indicators")) + tags_table = tableToMarkdown("Tags", resp_json.get("tags")) + + markdown = f"""## ReversingLabs A1000 static analysis report for {sample_hash}\n **Classification**: {classification_obj.get("classification")} + **Factor**: {classification_obj.get("factor")} + **Result**: {classification_obj.get("result")} + **SHA-1**: {resp_json.get("sha1")} + **MD5**: {resp_json.get("md5")} + **SHA-256**: {resp_json.get("sha256")} + **SHA-512**: {resp_json.get("sha512")} + **Story**: {resp_json.get("story")}\n {indicators_table} {tags_table} + """ + + dbot_score = Common.DBotScore( + indicator=sample_hash, + indicator_type=DBotScoreType.FILE, + integration_name='ReversingLabs A1000 v2', + score=classification_obj.get("classification"), + malicious_description=classification_obj.get("result"), + reliability=RELIABILITY + ) + + indicator = Common.File( + md5=resp_json.get("md5"), + sha1=resp_json.get("sha1"), + sha256=resp_json.get("sha256"), + dbot_score=dbot_score + ) + + command_results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_static_analysis_report": resp_json}, + indicator=indicator, + readable_output=markdown + ) + + return command_results + + +def dynamic_analysis_report_command(a1000: A1000): + sample_hash = demisto.getArg("hash") + action = 
demisto.getArg("action") + report_format = demisto.getArg("report_format") + + try: + if action == "CREATE REPORT": + resp = a1000.create_dynamic_analysis_report(sample_hash=sample_hash, report_format=report_format).json() + + elif action == "CHECK STATUS": + resp = a1000.check_dynamic_analysis_report_status(sample_hash=sample_hash, report_format=report_format).json() + + elif action == "DOWNLOAD REPORT": + resp = a1000.download_dynamic_analysis_report(sample_hash=sample_hash, report_format=report_format) + + else: + return_error("This action is not supported.") + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + else: + raise + + results, file_result = dynamic_analysis_report_output( + resp=resp, + action=action, + sample_hash=sample_hash, + report_format=report_format + ) + if file_result: + return [results, file_result] + else: + return results + + +def dynamic_analysis_report_output(resp, action, sample_hash, report_format): + markdown = f"## ReversingLabs A1000 dynamic analysis report - {action}\n" + + file_result = None + + if action == "CREATE REPORT": + markdown = markdown + f"""**Status endpoint**: {resp.get("status_endpoint")}\n **Download endpoint**: {resp.get("download_endpoint")}""" + context = resp + + elif action == "CHECK STATUS": + markdown = markdown + f"""**Status**: {resp.get("status")}\n **Status message**: {resp.get("message")}""" + context = resp + + else: + markdown = markdown + "The dynamic analysis report is returned as downloadable file below." + file_result = fileResult(f"{sample_hash}.{report_format}", resp.content, file_type=EntryType.FILE) + context = None + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_dynamic_analysis_report": context}, + readable_output=markdown + ) + + return results, file_result + + + + def main(): try: wait_time_seconds = int(WAIT_TIME_SECONDS) 
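Review bot: static_analysis_report_output calls `classification_obj.get(...)` straight after `classification_obj = resp_json.get("classification")`, so a report without a `classification` object fails with AttributeError instead of a readable error; use `classification_obj = resp_json.get("classification") or {}` or return_error when it is absent. The value `classification_obj.get("classification")` is then passed unchanged as the DBotScore `score`; Common.DBotScore accepts only 0–3 and raises TypeError otherwise, so unless the A1000 integer classification is known to use that same scale (the other classification handlers in this file, outside the hunk, are the place to confirm) it should go through an explicit mapping. Two smaller points: the dynamic-analysis CHECK STATUS branch reads `resp.get("message")` while pdf_report_output reads `resp.get("status_message")` for the same label, which is worth confirming against the API rather than assuming both are right, and there are three blank lines before `def main():` where PEP 8 expects two.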
@@ -1059,13 +1188,9 @@ def main():
 elif demisto.command() == 'reversinglabs-a1000-pdf-report':
 return_results(pdf_report_command(a1000))
 elif demisto.command() == 'reversinglabs-a1000-static-analysis-report':
- pass
- elif demisto.command() == 'reversinglabs-a1000-create-dynamic-analysis-report':
- pass
- elif demisto.command() == 'reversinglabs-a1000-check-dynamic-analysis-report-status':
- pass
- elif demisto.command() == 'reversinglabs-a1000-download-dynamic-analysis-report':
- pass
+ return_results(static_analysis_report_command(a1000))
+ elif demisto.command() == 'reversinglabs-a1000-dynamic-analysis-report':
+ return_results(dynamic_analysis_report_command(a1000))
 elif demisto.command() == 'reversinglabs-a1000-get-sample-classification':
 pass
 elif demisto.command() == 'reversinglabs-a1000-set-sample-classification':
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
index 652eddf3dd08..5cedff40a25e 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml
@@ -450,6 +450,44 @@ script: - contextPath: ReversingLabs.a1000_pdf_report description: Actions for creating and downloading PDF reports. type: Unknown + - name: reversinglabs-a1000-static-analysis-report + description: Retrieve the static analysis report for a local sample. + arguments: + - name: hash + description: Sample hash. + default: true + required: true + outputs: + - contextPath: ReversingLabs.a1000_static_analysis_report + description: The static analysis report. + type: Unknown + - name: reversinglabs-a1000-dynamic-analysis-report + description: Perform dynamic analysis report actions for a sample - create a report, check the status of a report and download a report. + arguments: + - name: hash + description: Sample hash. + default: true + required: true + - name: action + description: Which dynamic analysis report action to perform - CREATE REPORT, CHECK STATUS or DOWNLOAD REPORT + required: true + auto: PREDEFINED + predefined: + - 'CREATE REPORT' + - 'CHECK STATUS' + - 'DOWNLOAD REPORT' + - name: report_format + description: Dynamic analysis report format. + required: true + auto: PREDEFINED + predefined: + - 'pdf' + - 'html' + defaultValue: 'pdf' + outputs: + - contextPath: ReversingLabs.a1000_dynamic_analysis_report + description: Actions for creating and downloading dynamic analysis reports. + type: Unknown dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.93622 runonce: false script: '-' From f344adf2cb747b8ef4b1fada76e2d7a2787c63cf Mon Sep 17 00:00:00 2001 From: msever Date: Thu, 9 May 2024 21:46:13 +0200 Subject: [PATCH 03/13] Update --- .../ReversingLabsTitaniumScale.py | 109 +++++++++++++++++- .../ReversingLabsTitaniumScale.yml | 71 +++++++++--- .../ReversingLabsTitaniumScale_image.png | Bin 3684 -> 2412 bytes .../pack_metadata.json | 2 +- 4 files changed, 160 insertions(+), 22 deletions(-) 
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py index 001add8d1e8a..a295ecf9a29e 100644 --- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py +++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py @@ -4,7 +4,7 @@ import json -VERSION = "v1.1.0" +VERSION = "v1.2.0" USER_AGENT = f"ReversingLabs XSOAR TitaniumScale {VERSION}" HOST = demisto.params().get('host') TOKEN = demisto.params().get('token') @@ -114,14 +114,23 @@ def parse_upload_report_and_return_results(response_json): return command_result -def upload_file(tiscale): +def upload_file(tiscale: TitaniumScale): """ Upload a file and return task url """ try: file_entry = demisto.getFilePath(demisto.getArg('entryId')) + custom_token = demisto.getArg("custom_token") + user_data = demisto.getArg("user_data") + custom_data = demisto.getArg("custom_data") + with open(file_entry['path'], 'rb') as file: - response_json = tiscale.upload_sample_from_file(file_source=file).json() + response_json = tiscale.upload_sample_from_file( + file_source=file, + custom_token=custom_token, + user_data=user_data, + custom_data=custom_data + ).json() except Exception as e: return_error(str(e)) 
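Review bot: upload_file forwards `user_data` and `custom_data` to the SDK exactly as received, while the YAML in this patch describes both as JSON strings; nothing here checks that they parse, so a malformed value is only reported by the generic `return_error(str(e))` after the upload has been attempted, and only if the SDK or server rejects it at all, which I cannot see from here. Validating up front with `json.loads(user_data)` inside a small try that returns an error naming the offending argument gives the user a precise message, and `json` is already imported in this file. The same applies to upload_file_and_get_results in the @@ -243 hunk. The body of upload_file continues past the end of this hunk.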
@@ -234,15 +243,23 @@ def get_report(tiscale): return [command_result, file_result] -def upload_file_and_get_results(tiscale): +def upload_file_and_get_results(tiscale: TitaniumScale): """ Upload a file and get report """ - try: file_entry = demisto.getFilePath(demisto.getArg('entryId')) + custom_token = demisto.getArg("custom_token") + user_data = demisto.getArg("user_data") + custom_data = demisto.getArg("custom_data") + with open(file_entry['path'], 'rb') as f: - response_json = tiscale.upload_sample_and_get_results(file_source=f).json() + response_json = tiscale.upload_sample_and_get_results( + file_source=f, + custom_token=custom_token, + user_data=user_data, + custom_data=custom_data + ).json() except Exception as e: return_error(str(e)) 
@@ -256,6 +273,76 @@ def upload_file_and_get_results(tiscale): return [command_result, file_result] +def list_processing_tasks_command(tiscale: TitaniumScale): + age = demisto.getArg("age") + if age: + age = int(age) + custom_token = demisto.getArg("custom_token") + + try: + resp = tiscale.list_processing_tasks(age=age, custom_token=custom_token) + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.text) + else: + raise + + results = list_processing_tasks_output(resp_json=resp.json()) + return results + + +def list_processing_tasks_output(resp_json): + task_table = tableToMarkdown("Processing tasks", resp_json) + + markdown = f"""## ReversingLabs TitaniumScale List processing tasks\n {task_table}""" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"list_processing_tasks": resp_json}, + readable_output=markdown + ) + + return results + + +def get_processing_task_info_command(tiscale: TitaniumScale): + task_id = int(demisto.getArg("task_id")) + + try: + resp = tiscale.get_processing_task_info(task_id=task_id, full=False) + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.text) + else: + raise + + command_result = parse_report_and_return_results(title="## ReversingLabs TitaniumScale get processing task info\n", + response_json=resp.json()) + + file_result = fileResult('Full report in JSON', json.dumps(resp.json(), indent=4), + file_type=EntryType.ENTRY_INFO_FILE) + + return [command_result, file_result] + + +def delete_processing_task_command(tiscale: TitaniumScale): + task_id = int(demisto.getArg("task_id")) + + try: + tiscale.delete_processing_task(task_id=task_id) + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.text) + else: + raise + + results = CommandResults( + readable_output=f"""## ReversingLabs TitaniumScale delete processing task\n Task {task_id} deleted successfully.""" + ) + + return results + + def 
main():
 try:
 wait_time_seconds = int(WAIT_TIME_SECONDS)
@@ -290,6 +377,16 @@ def main():
 return_results(upload_file(tiscale))
 elif demisto.command() == 'reversinglabs-titaniumscale-get-results':
 return_results(get_report(tiscale))
+ elif demisto.command() == 'reversinglabs-titaniumscale-list-processing-tasks':
+ return_results(list_processing_tasks_command(tiscale))
+ elif demisto.command() == 'reversinglabs-titaniumscale-get-processing-task-info':
+ return_results(get_processing_task_info_command(tiscale))
+ elif demisto.command() == 'reversinglabs-titaniumscale-delete-processing-task':
+ return_results(delete_processing_task_command(tiscale))
+ elif demisto.command() == 'reversinglabs-titaniumscale-delete-multiple-tasks':
+ pass
+ elif demisto.command() == 'reversinglabs-titaniumscale-get-yara-id':
+ pass
 else:
 return_error(f'Command [{demisto.command()}] not implemented')
 except Exception as e:
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml
index 685fee39f9b5..0932c6f00cd1 100644
--- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml
+++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml
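Review bot: `int(age)` in list_processing_tasks_command and `int(demisto.getArg("task_id"))` in the two task commands sit outside the try block, so a non-numeric argument raises a bare ValueError that only the catch-all in main() (visible at the end of the @@ -290 hunk) turns into an error; `arg_to_number(demisto.getArg("task_id"), arg_name="task_id", required=True)` from CommonServerPython produces a message that names the argument. get_processing_task_info_command calls `resp.json()` twice; bind it once, `resp_json = resp.json()`, and reuse it for the command result and the file entry as the existing get_report path does. delete_processing_task_command reports "deleted successfully" without looking at what `tiscale.delete_processing_task` returned; if the SDK hands back the response object, the readable output should reflect its status rather than assert success unconditionally.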
@@ -62,13 +62,19 @@ display: ReversingLabs TitaniumScale name: ReversingLabs TitaniumScale script: commands: - - arguments: - - default: true - description: The file entry to upload. - name: entryId - required: true + - name: reversinglabs-titaniumscale-upload-sample-and-get-results description: Upload sample to TitaniumScale and retrieve analysis report. - name: reversinglabs-titaniumscale-upload-sample-and-get-results + arguments: + - name: entryId + required: true + default: true + description: The file entry to upload. + - name: custom_token + description: A custom token for filtering processing tasks. + - name: user_data + description: User-defined data in the form of a JSON string. This data is NOT included in file analysis reports. + - name: custom_data + description: User-defined data in the form of a JSON string. This data is included in file analysis reports. outputs: - contextPath: File.SHA256 description: The SHA256 hash of the file. 
@@ -109,24 +115,30 @@ script: - contextPath: ReversingLabs.tc_report description: Full report. type: String - - arguments: - - default: true - description: The file entry to upload. - name: entryId - required: true + - name: reversinglabs-titaniumscale-upload-sample description: Upload sample to TitaniumScale for analysis. - name: reversinglabs-titaniumscale-upload-sample + arguments: + - name: entryId + required: true + default: true + description: The file entry to upload. + - name: custom_token + description: A custom token for filtering processing tasks. + - name: user_data + description: User-defined data in the form of a JSON string. This data is NOT included in file analysis reports. + - name: custom_data + description: User-defined data in the form of a JSON string. This data is included in file analysis reports. outputs: - contextPath: ReversingLabs.task_Url description: url to get report from. type: Unknown - - arguments: + - name: reversinglabs-titaniumscale-get-results + description: Retrieve report of a previously uploaded file from TitaniumScale. + arguments: - default: true description: The file entry to upload. name: taskUrl required: true - description: Retrieve report of a previously uploaded file from TitaniumScale. - name: reversinglabs-titaniumscale-get-results outputs: - contextPath: File.SHA256 description: The SHA256 hash of the file. 
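Review bot: The `taskUrl` argument of reversinglabs-titaniumscale-get-results keeps the context line `description: The file entry to upload.`, which was copied from the upload commands and is wrong for a task URL; since this hunk already rewrites the command header, changing it to `description: The task URL returned by reversinglabs-titaniumscale-upload-sample.` and moving `name: taskUrl` to the first key, as the new commands do, would finish the cleanup. The `user_data` and `custom_data` descriptions state only whether the data appears in reports; saying what the values are used for, or linking the product documentation, would help an operator choose between them.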
@@ -167,6 +179,35 @@ script: - contextPath: ReversingLabs.tc_report description: Full report. type: String + - name: reversinglabs-titaniumscale-list-processing-tasks + description: List active processing tasks. + arguments: + - name: age + description: Task age in seconds. + - name: custom_token + description: A custom token for filtering processing tasks. + outputs: + - contextPath: ReversingLabs.list_processing_tasks + description: Processing tasks. + type: Unknown + - name: reversinglabs-titaniumscale-get-processing-task-info + description: Retrieves information about a completed file processing task. + arguments: + - name: task_id + required: true + default: true + description: Task ID. + outputs: + - contextPath: ReversingLabs.tc_report + description: Full report. + type: Unknown + - name: reversinglabs-titaniumscale-delete-processing-task + description: Deletes a processing task. + arguments: + - name: task_id + required: true + default: true + description: Task ID. dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.72317 runonce: false script: '-' 
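Review bot: The three new commands rely on SDK methods (`list_processing_tasks`, `get_processing_task_info`, `delete_processing_task`) that the Python hunks in this patch call, yet `dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.72317` is left unchanged here while the A1000 integration was moved to `2.0.0.93622` in PATCH 01; if those methods post-date the pinned SDK the commands fail at runtime with AttributeError, so the image tag very likely needs the same bump (I cannot verify the SDK version from here). `age` is converted with `int()` in the code, so its description should say so: `description: Task age in seconds (integer).`. reversinglabs-titaniumscale-get-processing-task-info writes to `ReversingLabs.tc_report`, the same context path as get-results; that is fine if intentional, but the description should mention that it overwrites the same key.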
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale_image.png b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale_image.png index 4b72e9f259cff0bee0893159b1af2db0f08cd430..37de3692453e6daf39dd73aa87643bc3e42cb419 100644 GIT binary patch delta 2402 zcmV-o37z)j9PAR1BYy#fX+uL$Nkc;*aB^>EX>4Tx04R}tkv&MmP!xqvQ>7{`4t5X` z%usc)i;6hbDionYs1;guFnQ@8G-*g$TpR`0f`dPcRR6lU)@9ukc|6A%BdcS7w$mCrL?o*4I6C zQ{6>*mUrKu6;g8+1AHQJj2UK?c!PLmvubeOCl0fstP-CSPndK;;zzD4F28XuI4tnY zu$fNH6Nib#LI*1y%!;N)JWU)?HJ$Q>jLRzLEzVlG##;B}FAV1Nm1VBe8b$((Sb_u* z3Th~!j4GnE>wlzJNYQ!R!$0KsC2}d`DuIz>0TpPF9Y6RV{GP3qpPF=&f^nex#kN02 zfxs@%tlReYv28a`0RJ;^rMLZ+1~B_cdcCbhj)4Ac;NrTiDSN=>4lwv+$foQ_ep*64 z54@kzH)Vl=TcB^vom=Z1rw>4yW|h1F4i15_0%fmzynnl=b8i3kwC48%hFEg0t>2QU z00006VoOIv00000008+zyMF)x010qNS#tmY3ljhU3ljkVnw%H_000McNliru=m8%M zE-gjbn>+vj2WUw|K~#9!?VNpVmDL@`Kj-ParM+#})jl}hLI)0=HelJZjm^ZTBA}vl zhAqBfTz{OJ=$IIFO;&U)V04*eZ>|HU;)XhnQ{qG+!%n%^iHN8m$fmH;OrSV+TcOI+ z(tGc7_Q(C*diKy;`J);4cITTsX`l0)-#I7e`+NDGC+(vsGWf3dA~5YFF5$sgGO@T= z_A5g1;j@5y66dcdrp0R1;F zL2uq`2`+eKG?7OZ6P-H?9Osir22ctG1fy%Sx0NxRx(O1&Wi~|@MeNS0Cpxy$`>4sa5K-C79+O7E$>{lQq~n{2%sQ9IyxBx9XhipX3|gbA zt84_1fD;m_YnPGU5C^58Gzyim>=h}o1b>eVk`>PBld~y%&t8trxPrd3zfI8bzD?01 z0VQ`{gEMI&^ruLzT#fELoQ>w(dDs$M#KAjtEYWXW0!op7^>u>BUOur+xS|O?@BIH3 zY>C$hp4n;%E*uFBkz21txu>8%JVJWeiWA?2OD{aGEp_aeCAgsAmZ5ulNw04s*nj>v z^v(mOz9t>tgtMoe%o{thE&Dzoy}m8KzwG$?NYS0e1>g1F1io|8r^>E> z5sGoX>s>F-_a@LH+2S*3b{7)C^}tx*2H+v1t={Of8~BlNKMlAD_w<3fT?y8O0{xFt8G6 zRp@hpwYf5)G;3mAiMJ(c8)Sc~#E}!RWa9DRu9w3_@W=9VVxHQDc<_898n;PAUIhFY z7zLas5z`}mszWxr27ehhCehggY?5@k67a;?w&YpQF5n~J2aQLzIK(p_9X95pstzN3=iuV^%4c;Xw zxuE{Sg^;F3uYe63YUI%6$bsKY^4{$UrMez{ODvr6j zA{qCU=3-#AWTACR=}msEcSa!*oC3Zhb+%ffW`C&93lbfbay=uP9|10rtItTYNSZWl z%v72aUSp)@u75IY<^yK|zmv4ND9^gLi{M%)>DnYVYV`Yyj5m6Sqr+Trj#g3J9xz^^ zr{^3>Y33-@M6{Y9CF?$b@~%W@ESb0gt)>8X0SzdY6`G2^SyJUK63LqfIm%>2M5N_@ 
zGmr!>1ZIoM?Hs};Fxp$C=09N&YT9)GcS;(bJjA;1k$*Y9o6EM6<{Ly!Bbgxhl%rV_ zuuszRrNH-u@Ft^AP@aruVqNiW34l|3s?HnWAl4N>RMuazRFr>RA=Tj1fLkRh*AF4Y zT8$L=ijea%FjH#qU9yq6|MeUnve^lAg*LfG>iE4v_(BmnDPV?(n60AP2g6=bG5y?tcPlv1^>kO-bD0;k3B^!KDjrbO*l0;d}`d*tV%a>UWVvj%ZnfDc19 z-BRz{Px@9!W$&RCodHTnlhi)fv8LH!p-B4-=9|LU>4`C@P8;s)7$he06-ZR_YX;PSv*9 zsju;^Xsfo?TG2Y%(JHkvsI3+Y3OXvHrJ^G~aY(`|CM63546nR*@9Fp5-G6g(xqEjb ziD@$X&3t?Q^Pm5md++(r`OklEP|HdqJp<_(NY6le2GTQ-o`LiXq-UVpXFw$xk?j+~ zLU1T}Fc<+_!IoHAi}DljLNFB^0wa#IF=o6RWn)ZERGf>3Y%l{X0&BojPyr*}-+ACb zZ~(|Lf*|j|0sI>L4E!&c2mv(A0FMPnfO#P2VJ{d0H-le-9Oq;(A0)PbAA`KUKtosz z+M;lk=b)Yw)4hjsyQ_T)>c@j4LHdPg0_#COLlw9N+yf@W7_>YJvIB3(k1wM=Gl`8~ z|BKPr55;Ko>+jcgANn4ZLVr&72jDdzooRv-UJd$PN7}d{-ZE@of;`Nqi`^B_B?1?W z*l|$_z60TNP}=;;`O?Y#Fw{>5xg+O-hk`wUea4{NoqjOe!+wSb&_>6c06qf#6J(uW z^m+jt#Y#8g9*o6kk}9Uba0ST4+9fbtnc#yh1P2?+4UidTHh~Ol?ck5VBfvy>7Y*!_ z2#2F#W~^}*N-nfSA&IdlSZUPV;wrZS^*?~SKt4Nj-amNbA$AlrGK*@!6pa^4t zt+7G4)9y@Rz_SdSjgW5zIZjG&JD3+0FdX-Ub2)w+xST=^Ok})Z>KTeRc^P$+&U7F{ z9l?xLa4CdD3sG#6m7MPf45OX)@xX$Ro^Qp+Fcel9281NX# zBaOOXhllh&R{N-&wR+69u6|p$hEkdP0;Dm#&R0SKBkVzhTnB~@2Q-@C&8}S z7<&O^!QUX5*A$u0co#TS3}fY6D8=R_$is{}^^6Wbb?K&}E^wd0ra$J0(Sek&ptIZ{ z%iSPv^fB;$@b@6k0{2D}XVq|Qdfo4Lr+Gtw{nQ%LJFLZv_@p7Z^s0L~ z_&UGAjkYq^HRR0AhdyGoF~K3+4o>8ZsCD$$y@S1;fjWlhF=odEau)QwpEaO+tW%*& z)xj{e%tg$Ejys#7U&fsQxy`6w0oe_17QW)~{-s~s!R{nWI%h&ST`DNof|I~0AkT}} z!R|mM2H}GVBuhOT3c0s1>Ew?Qrjxv=(wOrpDiJFwJH&V~F5$QAcKxC87iEHMT;D<(_H zD$mGWF@1Lw9PbVA9q`v6pG$BT1V)Kez}<2`XfDvwR5}_qDilH+XfT8Xdk;&CBKst*U3f|*LssAwF5JW`i zLdm)2eGp^7@s8B-^InH&eGfA8ij?8yV6IB0^2A>7Mn~$opH&!|S+d{~2wY@>r6TlD z$%wST82c*7sqU1MVaqdKzzEk>e2xy>M2YYZqahD6KbaO8I$x28x(S{u<~hQU6*3J{ zly8UKFMVuz(>KK0x$1ew@(&oq&!dI&%kXE0K%>bKAI0zQ+)AVV7-aK{nbFiqp?E|mKbwTa<_dKR3O3ED<+&%Sm`3}fc+1^Y>$52!EbK+z)OCGy9SoUJIEM_)Wl2M<&7{t_Fr_aqwuPZHXa!iCocs@Vf`I zA02ob$OS>10iF*I2f64|!LMNSaVmx$HgweEAjj~+Y$#WP5?Ka8o(?93>0qvm!$3YP zF&A`abWQ_)+Q8;mg)4}VdbH;M%hhgzyKFCL-VfW&^O<#?l?QSij*$pYpy7vLdCcG@ zl+S^@9(PD0tU$v(;5#vcT_|M^cSCmHGwWWs7s?Aj^Ni&@6Fb4l;LYHbU;&s2Eog{G 
zUD>UPjQfk8VOJ1Og!H_5fre+7CkT* zBXGeIuo&e1aS`qS>DVoxByI6<4BdetR8sbLEX_=g642Ju1+|s#-IwqJdiwN?t(!uN zq`w%dfcj%$b;U}l*O!&$hMSxu1FKvQfPJ>I6rE>lrFY{=xnuC4!4(5@BCidus^UY( zv2)ysgIim7%~pzeh8}~xbqK}~=Ql%Nr?uLE4vULwE1!sW?8AaPB!1&Z(Uv|B6Xqld zSU&G|WuR@FL#Jr1FW#?D#L2GX4$f98tKG6^nRd8tw2C4op&q%svDvcgO2$7`n3p?O zty$B)d%}caO?w+YMB`Z9VQ3CD0Q#{QWvr#(YRl>u4i1=4*juu#orK1@Jm$78ejiGo z!!R1Jy9LDzQZ*qCwZJ2t+=fa3nk%=~@8j8KHSKACGU~wCAWF5tjbEbQYV^m)4poI~ zhY%4GT7}&o_m0x{Dy`;YXJ)`5`P-j){zQ!ZzUTPC;F(36*Ttj7 zp7QeHO-2(K(N{*PIby%DMA7rhtRQu-;CUIUP(cSIsVAsSCuBc$PximEDaNE+6SJ@1QcWk{7N+xR)0|e2gDt!EW4vU z#d}ggU2B@QMxeo%-)Tg#js6tJD$M^`Gu8pJBInhrAam^7 zNOty#UR!M)i$Ihp17UkeXxy=RWPNd2(e_bC99vgB{#tE2|Mod*snp`3)t~OtO5H78 z5rcyW*|#+A3D<^-%bpI6o^XP+^|!KD9jqg*=Q!CeW)(ZPJu5SJIVU*!(Luir^1J@Xq-=!81tinIr?gjQ&dy=oKk_flcQtngOJQ!p~LMT z)RmO2+E!XVGpg@DzrF0>j@Khh^vYqI*6>3`6e`g1p+sA!G?X3_Pm;vMuS7`Jhyu^% zR#r0ca!^=PF)yfsGtkEO;m*){Y9wMWuPZKFs7t5wj|u$(y_Q9D61PS|GnleE&}!e- zQDr}gSGDG6K?i(gYPDKs;qz5|S33<#J&dH+Ia`sKWn!#Cgx*tOKN+&p+I}QdT7EEW ze-j-E|7l>&x;G)e3H>x3v9ChtxClEwOWLt6W``nmSOeDV4qe}s_#oW^BrPqN-0aw3 z*B8}RJ>)kqUS-bKcJx)o&(3IDG-zPpnthFS$LGh4;573+SZqVZ;~#{BuaDMMQ+D={ z!r>b}*dy&`$@AN4ZM+G(YthGvXwL4>3QjE8xNfa!+ZW|t3(-p3o{3Y!NmSM>)!r`O zjT4%&A()kEd}h=KMOybBov1_MhEM7XYpZV1D)2M0;qJG>c0BnLeP1klB}DUU5&k%F zZhXR&T7!gWQM@jKwkP5>34a&>@S&nHk}-usGT4^g=?v9D8`0e#0|GfOHbP{MG0gsY|(S^pPX%aNA`PI`R5*mbCen?e^)N+LaD< zs(V!0RC9@`M#jC~toK#9M;wfAy+>n*em~))Xq&G`4shN@2Ii=ajM?ZkV)NQJ=kzw_t4lfJ_1DRpV&JNr5SY;#0(jEW#Dk4K&{+vtK)<5&YBs*Y- z17T}NFmq7jP&>EPx_o-ut_6z+x9a9ek%)dUJ}?A3pjMgnzAE=rl9g;em?$|}G92)B zVNGS{9cT0ojViklU#1=~R9zC43eG94S@$dwuhm!^DV?jBlt1BIzNSkT`ad=9tt2b{ z3WS%Lm;L4jyK}K$d!jZ(kxjvXx{S_EWaFjBf_t$bKleJXw!WzAwh)bv3iGXiN;+OZ z>pX@>8G#yfKX-j(sSOXXlpzCKl>zCI(6`FMWym!GEm|M2m< z@pM~y2GTQ-o`LiXq-P*K1L+w^&p>(x(lgLUXW)MU((_iai)b1E0000 Date: Fri, 24 May 2024 18:39:25 +0200 Subject: [PATCH 04/13] Update A1000 --- .../ReversingLabsA1000v2.py | 261 +++++++++++++++++- .../ReversingLabsA1000v2.yml | 121 ++++++++ 
 Packs/ReversingLabs_A1000/pack_metadata.json | 2 +-
 3 files changed, 377 insertions(+), 7 deletions(-)

diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
index 3234e6306e63..dd21e16c80b8 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
@@ -1119,6 +1119,253 @@ def dynamic_analysis_report_output(resp, action, sample_hash, report_format): return results, file_result +def sample_classification_command(a1000: A1000): + sample_hash = demisto.getArg("hash") + action = demisto.getArg("action") + system = demisto.getArg("system") + av_scanners = False + + try: + if action == "GET CLASSIFICATION": + local_only = False + if demisto.getArg("local_only"): + local_only = argToBoolean(demisto.getArg("local_only")) + + if demisto.getArg("av_scanners"): + av_scanners = argToBoolean(demisto.getArg("av_scanners")) + + resp = a1000.get_classification_v3( + sample_hash=sample_hash, + local_only=local_only, + av_scanners=av_scanners + ) + + elif action == "SET CLASSIFICATION": + classification = demisto.getArg("classification") + risk_score = demisto.getArg("risk_score") + threat_platform = demisto.getArg("threat_platform") + threat_name = demisto.getArg("threat_name") + threat_type = demisto.getArg("threat_type") + resp = a1000.set_classification( + sample_hash=sample_hash, + classification=classification, + system=system, + risk_score=risk_score, + threat_platform=threat_platform, + threat_name=threat_name, + threat_type=threat_type + ) + + elif action == "DELETE CLASSIFICATION": + resp = a1000.delete_classification(sample_hash=sample_hash, system=system) + + else: + return_error("This action is not supported.") + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + else: + raise + + results = sample_classification_output( + resp_json=resp.json(), + action=action, + av_scanners=av_scanners, + sample_hash=sample_hash + ) + + return results + + +def sample_classification_output(resp_json, action, av_scanners, sample_hash): + markdown = f"""## ReversingLabs A1000 sample classification - {action}\n""" + + if action == "GET CLASSIFICATION": + markdown = markdown + f"""**Classification**: {resp_json.get("classification")} + **Risk score**: {resp_json.get("riskscore")} + 
**First seen**: {resp_json.get("first_seen")} + **Last seen**: {resp_json.get("last_seen")} + **Classification result**: {resp_json.get("classification_result")} + **Classification reason**: {resp_json.get("classification_reason")} + **SHA-1**: {resp_json.get("sha1")} + **SHA-256**: {resp_json.get("sha256")} + **MD5**: {resp_json.get("md5")} + """ + if av_scanners: + scanners_table = tableToMarkdown("Scanner results", resp_json.get("av_scanners")) + markdown = markdown + f"\n{scanners_table}" + + d_bot_score = classification_to_score(resp_json.get("classification").upper()) + dbot_score = Common.DBotScore( + indicator=sample_hash, + indicator_type=DBotScoreType.FILE, + integration_name='ReversingLabs A1000 v2', + score=d_bot_score, + malicious_description=resp_json.get("classification_result"), + reliability=RELIABILITY + ) + + indicator = Common.File( + md5=resp_json.get("md5"), + sha1=resp_json.get("sha1"), + sha256=resp_json.get("sha256"), + dbot_score=dbot_score + ) + + command_results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_sample_classification": resp_json}, + indicator=indicator, + readable_output=markdown + ) + + return command_results + + elif action == "SET CLASSIFICATION": + set_table = tableToMarkdown("Set classification response", resp_json) + markdown = markdown + set_table + + elif action == "DELETE CLASSIFICATION": + markdown = markdown + "Custom classification removed." 
+ + command_results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_sample_classification": resp_json}, + readable_output=markdown + ) + + return command_results + + +def yara_command(a1000: A1000): + action = demisto.getArg("action") + ruleset_name = demisto.getArg("ruleset_name") + ruleset_content = demisto.getArg("ruleset_content") + publish = demisto.getArg("publish") + if publish: + publish = argToBoolean(publish) + sync_time = demisto.getArg("sync_time") + + if action == "GET RULESETS": + resp = a1000.get_yara_rulesets_on_the_appliance_v2() + + elif action == "GET CONTENTS": + resp = a1000.get_yara_ruleset_contents(ruleset_name=ruleset_name) + + elif action == "GET MATCHES": + resp = a1000.get_yara_ruleset_matches_v2(ruleset_name=ruleset_name) + + elif action == "UPDATE RULESET": + resp = a1000.create_or_update_yara_ruleset(name=ruleset_name, content=ruleset_content, publish=publish) + + elif action == "DELETE RULESET": + resp = a1000.delete_yara_ruleset(name=ruleset_name, publish=publish) + + elif action == "ENABLE RULESET": + resp = a1000.enable_or_disable_yara_ruleset(enabled=True, name=ruleset_name, publish=publish) + + elif action == "DISABLE RULESET": + resp = a1000.enable_or_disable_yara_ruleset(enabled=False, name=ruleset_name, publish=publish) + + elif action == "GET SYNCHRONIZATION TIME": + resp = a1000.get_yara_ruleset_synchronization_time() + + elif action == "UPDATE SYNCHRONIZATION TIME": + resp = a1000.update_yara_ruleset_synchronization_time(sync_time=sync_time) + + else: + return_error("This action is not supported.") + + results = yara_output(resp_json=resp.json(), action=action) + return results + + +def yara_output(resp_json, action): + markdown = f"""## ReversingLabs A1000 YARA - {action}""" + resp_table = tableToMarkdown("", resp_json) + markdown = markdown + f"""\n{resp_table}""" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_yara": resp_json}, + readable_output=markdown + ) + + 
return results + + +def yara_retro_command(a1000: A1000): + action = demisto.getArg("action") + ruleset_name = demisto.getArg("ruleset_name") + operation = demisto.getArg("operation") + + if action == "MANAGE LOCAL SCAN": + resp = a1000.start_or_stop_yara_local_retro_scan(operation=operation) + + elif action == "LOCAL SCAN STATUS": + resp = a1000.get_yara_local_retro_scan_status() + + elif action == "MANAGE CLOUD SCAN": + resp = a1000.start_or_stop_yara_cloud_retro_scan(operation=operation, ruleset_name=ruleset_name) + + elif action == "CLOUD SCAN STATUS": + resp = a1000.get_yara_cloud_retro_scan_status(ruleset_name=ruleset_name) + + else: + return_error("This action is not supported.") + + results = yara_retro_output(resp_json=resp.json(), action=action) + return results + + +def yara_retro_output(resp_json, action): + markdown = f"""## ReversingLabs A1000 YARA Retroactive Hunt - {action}""" + resp_table = tableToMarkdown("", resp_json) + markdown = markdown + f"""\n{resp_table}""" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_yara_retro": resp_json}, + readable_output=markdown + ) + + return results + + +def list_containers_command(a1000: A1000): + sample_hashes = demisto.getArg("sample_hashes") + hash_list = sample_hashes.split(",") + + if not len(hash_list) > 0: + return_error("Please enter at least one sample hash or check the formatting. 
" + "The hashes should be comma-separated with no whitespaces") + + try: + resp = a1000.list_containers_for_hashes(sample_hashes=hash_list) + + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.content) + else: + raise + + results = list_containers_output(resp_json=resp.json()) + return results + + +def list_containers_output(resp_json): + markdown = f"""## ReversingLabs A1000 List containers for hashes""" + resp_table = tableToMarkdown("", resp_json) + markdown = markdown + f"""\n{resp_table}""" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_list_containers": resp_json}, + readable_output=markdown + ) + + return results def main(): @@ -1191,12 +1438,14 @@ def main(): return_results(static_analysis_report_command(a1000)) elif demisto.command() == 'reversinglabs-a1000-dynamic-analysis-report': return_results(dynamic_analysis_report_command(a1000)) - elif demisto.command() == 'reversinglabs-a1000-get-sample-classification': - pass - elif demisto.command() == 'reversinglabs-a1000-set-sample-classification': - pass - elif demisto.command() == 'reversinglabs-a1000-delete-sample-classification': - pass + elif demisto.command() == 'reversinglabs-a1000-sample-classification': + return_results(sample_classification_command(a1000)) + elif demisto.command() == 'reversinglabs-a1000-yara': + return_results(yara_command(a1000)) + elif demisto.command() == 'reversinglabs-a1000-yara-retro': + return_results(yara_retro_command(a1000)) + elif demisto.command() == 'reversinglabs-a1000-list-containers': + return_results(list_containers_command(a1000)) else: return_error(f'Command [{demisto.command()}] not implemented') diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml index 5cedff40a25e..5db972c35218 100644 
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml 
@@ -488,6 +488,127 @@ script: - contextPath: ReversingLabs.a1000_dynamic_analysis_report description: Actions for creating and downloading dynamic analysis reports. type: Unknown + - name: reversinglabs-a1000-sample-classification + description: Perform sample classification actions - get sample classification, set sample classification or delete sample classification. + arguments: + - name: hash + description: Sample hash. + default: true + required: true + - name: action + description: Which classification action to perform - GET CLASSIFICATION, SET CLASSIFICATION or DELETE CLASSIFICATION + required: true + auto: PREDEFINED + predefined: + - 'GET CLASSIFICATION' + - 'SET CLASSIFICATION' + - 'DELETE CLASSIFICATION' + - name: system + description: Local or TitaniumCloud. + auto: PREDEFINED + predefined: + - 'local' + - 'ticloud' + - name: local_only + description: Return only local samples without querying TitaniumCloud. + auto: PREDEFINED + predefined: + - 'true' + - 'false' + - name: av_scanners + description: Return return AV scanner results. + auto: PREDEFINED + predefined: + - 'true' + - 'false' + - name: classification + description: goodware, suspicious or malicious. + auto: PREDEFINED + predefined: + - 'goodware' + - 'suspicious' + - 'malicious' + - name: risk_score + description: If specified, it must be within range for the specified classification. If not specified, a default value is used. Goodware - 0, Suspicious - 6, Malicious - 10 + - name: threat_platform + description: If specified, it must be on the supported list (platforms and subplatforms - see official API docs). If not specified, the default value is 'Win32'. + - name: threat_type + description: If specified, it must be on the supported list (malware types - see official API docs). If not specified, the default value is 'Malware'. + - name: threat_name + description: If specified, must be an alphanumeric string not longer than 32 characters. If not specified, the default value is 'Generic'. 
+ outputs: + - contextPath: ReversingLabs.a1000_sample_classification + description: Sample classification actions. + type: Unknown + - name: reversinglabs-a1000-yara + description: Perform A1000 YARA actions. + arguments: + - name: action + description: Which YARA action to perform. + required: true + auto: PREDEFINED + predefined: + - 'GET RULESETS' + - 'GET CONTENTS' + - 'GET MATCHES' + - 'UPDATE RULESET' + - 'DELETE RULESET' + - 'ENABLE RULESET' + - 'DISABLE RULESET' + - 'GET SYNCHRONIZATION TIME' + - 'UPDATE SYNCHRONIZATION TIME' + - name: ruleset_name + description: Ruleset name. + - name: ruleset_content + description: Ruleset content. + - name: publish + description: Publish the ruleset. + auto: PREDEFINED + predefined: + - 'true' + - 'false' + - name: sync_time + description: Desired ruleset synchronization time. + outputs: + - contextPath: ReversingLabs.a1000_yara + description: YARA actions. + type: Unknown + - name: reversinglabs-a1000-yara-retro + description: Perform A1000 YARA Retroactive Hunt actions. + arguments: + - name: action + description: Which YARA Retro action to perform. + required: true + auto: PREDEFINED + predefined: + - 'MANAGE LOCAL SCAN' + - 'LOCAL SCAN STATUS' + - 'MANAGE CLOUD SCAN' + - 'CLOUD SCAN STATUS' + - name: ruleset_name + description: Ruleset name. + - name: operation + description: Select a ruleset operation. + auto: PREDEFINED + predefined: + - 'START' + - 'STOP' + - 'CLEAR' + outputs: + - contextPath: ReversingLabs.a1000_yara_retro + description: YARA Retro actions. + type: Unknown + - name: reversinglabs-a1000-list-containers + description: Get a list of all top-level containers from which the requested samples have been extracted during analysis. + arguments: + - name: sample_hashes + description: Comma-separated list of sample hashes. No whitespaces are allowed. + required: true + default: true + outputs: + - contextPath: ReversingLabs.a1000_list_containers + description: A10000 list top-level containers. 
+ type: Unknown dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.93622 runonce: false script: '-' diff --git a/Packs/ReversingLabs_A1000/pack_metadata.json b/Packs/ReversingLabs_A1000/pack_metadata.json index 0553e8caba5e..0f3454b4f7e4 100644 --- a/Packs/ReversingLabs_A1000/pack_metadata.json +++ b/Packs/ReversingLabs_A1000/pack_metadata.json @@ -2,7 +2,7 @@ "name": "ReversingLabs A1000", "description": "Powerful threat detection and file analysis platform. Get detailed information on each file's status and threat capabilities.", "support": "partner", - "currentVersion": "2.3.2", + "currentVersion": "2.4.0", "author": "ReversingLabs", "url": "https://www.reversinglabs.com/products/malware-threat-hunting-and-investigations", "email": "support@reversinglabs.com", From dbdb2839be2bd20436b46551f8991f39a3da6d27 Mon Sep 17 00:00:00 2001 From: msever Date: Fri, 24 May 2024 18:39:37 +0200 Subject: [PATCH 05/13] Update TiScale --- .../ReversingLabsTitaniumScale.py | 48 ++++++++++++++++++- .../ReversingLabsTitaniumScale.yml | 13 +++++ 2 files changed, 59 insertions(+), 2 deletions(-) diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py index a295ecf9a29e..655b1706cae2 100644 --- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py +++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.py 
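Review bot: Two argument descriptions in the new command entries carry typos that will appear verbatim in the command help: `description: Return return AV scanner results.` under `av_scanners` should read `description: Return AV scanner results.`, and `description: A10000 list top-level containers.` under the `reversinglabs-a1000-list-containers` output should read `description: A1000 list top-level containers.`. The `risk_score` description says the value must be within range for the chosen classification but gives no ranges, so a user cannot validate the value without the external API docs; stating the accepted numeric range per classification in the description would make the argument self-explanatory.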
@@ -343,6 +343,50 @@ def delete_processing_task_command(tiscale: TitaniumScale): return results +def delete_multiple_tasks_command(tiscale: TitaniumScale): + age = int(demisto.getArg("age")) + + try: + tiscale.delete_multiple_tasks(age=age) + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.text) + else: + raise + + results = CommandResults( + readable_output=f"## ReversingLabs TitaniumScale delete multiple tasks\n Tasks " + f"of age {age} seconds or less deleted successfully." + ) + + return results + + +def get_yara_id_command(tiscale: TitaniumScale): + try: + resp = tiscale.get_yara_id() + except Exception as e: + if hasattr(e, "response_object"): + return_error(e.response_object.text) + else: + raise + + results = get_yara_id_output(resp_json=resp.json()) + return results + + +def get_yara_id_output(resp_json): + markdown = f"""## ReversingLabs TitaniumScale YARA ruleset ID\n **ID**: {resp_json.get("id")}""" + + results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"yara_id": resp_json}, + readable_output=markdown + ) + + return results + + def main(): try: wait_time_seconds = int(WAIT_TIME_SECONDS) @@ -384,9 +428,9 @@ def main(): elif demisto.command() == 'reversinglabs-titaniumscale-delete-processing-task': return_results(delete_processing_task_command(tiscale)) elif demisto.command() == 'reversinglabs-titaniumscale-delete-multiple-tasks': - pass + return_results(delete_multiple_tasks_command(tiscale)) elif demisto.command() == 'reversinglabs-titaniumscale-get-yara-id': - pass + return_results(get_yara_id_command(tiscale)) else: return_error(f'Command [{demisto.command()}] not implemented') except Exception as e: diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml index 0932c6f00cd1..7c41c592ccb5 100644 
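Review bot: `delete_multiple_tasks_command` converts its argument with `age = int(demisto.getArg("age"))` outside the `try` block, so a missing or non-numeric `age` raises `TypeError`/`ValueError` as a raw exception instead of going through the `return_error` path the rest of the command uses. Using `age = arg_to_number(demisto.getArg("age"), arg_name="age", required=True)` from CommonServerPython produces a readable validation error. The readable output then reports the deletion as successful without inspecting what `delete_multiple_tasks` returned; since this is a destructive bulk operation, consider surfacing the SDK response (or a count, if the response provides one) rather than a fixed success message. The `main()` touched by the second hunk is only partly visible here.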
--- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml +++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml @@ -208,6 +208,19 @@ script: required: true default: true description: Task ID. + - name: reversinglabs-titaniumscale-delete-multiple-tasks + description: Deletes multiple processing tasks. + arguments: + - name: age + required: true + default: true + description: Task age in seconds. + - name: reversinglabs-titaniumscale-get-yara-id + description: Retrieves the identifier of the current set of YARA rules on the TitaniumScale Worker instance. + outputs: + - contextPath: ReversingLabs.yara_id + description: Identifier of the current set of YARA rules on the TitaniumScale Worker instance. + type: Unknown dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.72317 runonce: false script: '-' From fbcd80e25459bb0390a2f1888ce4e3c487a00c7c Mon Sep 17 00:00:00 2001 From: msever Date: Fri, 24 May 2024 18:46:49 +0200 Subject: [PATCH 06/13] Edit app maintainers --- Packs/ReversingLabs_A1000/pack_metadata.json | 3 +-- Packs/ReversingLabs_TitaniumScale/pack_metadata.json | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/Packs/ReversingLabs_A1000/pack_metadata.json b/Packs/ReversingLabs_A1000/pack_metadata.json index 0f3454b4f7e4..f74cc356ddb9 100644 --- a/Packs/ReversingLabs_A1000/pack_metadata.json +++ b/Packs/ReversingLabs_A1000/pack_metadata.json @@ -12,8 +12,7 @@ "Forensics & Malware Analysis" ], "githubUser": [ - "MislavReversingLabs", - "ivukovicRL" + "MislavReversingLabs" ], "tags": [], "useCases": [], diff --git a/Packs/ReversingLabs_TitaniumScale/pack_metadata.json b/Packs/ReversingLabs_TitaniumScale/pack_metadata.json index 2d23850eb3c4..6fea9824627c 100644 --- a/Packs/ReversingLabs_TitaniumScale/pack_metadata.json +++ b/Packs/ReversingLabs_TitaniumScale/pack_metadata.json 
@@ -12,8 +12,7 @@
"Forensics & Malware Analysis"
],
"githubUser": [
- "MislavReversingLabs",
- "ivukovicRL"
+ "MislavReversingLabs"
],
"tags": [],
"useCases": [],
From 9292d0e221ae0efb8d5c99c990131a304f24a033 Mon Sep 17 00:00:00 2001
From: msever
Date: Wed, 5 Jun 2024 17:18:21 +0200
Subject: [PATCH 07/13] Add URL actions
---
.../ReversingLabsA1000v2.py | 105 ++++++++++++++++++
.../ReversingLabsA1000v2.yml | 34 +++++-
2 files changed, 138 insertions(+), 1 deletion(-)
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
index dd21e16c80b8..740e156841bf 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.py
@@ -1368,6 +1368,109 @@ def list_containers_output(resp_json): return results +def upload_from_url_command(a1000: A1000): + action = demisto.getArg("action") + file_url = demisto.getArg("file_url") + crawler = demisto.getArg("crawler") + archive_password = demisto.getArg("archive_password") + sandbox_platform = demisto.getArg("sandbox_platform") + task_id = demisto.getArg("task_id") + retry = demisto.getArg("retry") + if retry: + retry = argToBoolean(retry) + + if action == "UPLOAD": + resp = a1000.upload_sample_from_url( + file_url=file_url, + crawler=crawler, + archive_password=archive_password, + rl_cloud_sandbox_platform=sandbox_platform + ) + + elif action == "GET REPORT": + resp = a1000.get_submitted_url_report(task_id=task_id, retry=retry) + + elif action == "UPLOAD AND GET REPORT": + resp = a1000.upload_sample_from_url_and_get_report( + file_url=file_url, + crawler=crawler, + archive_password=archive_password, + rl_cloud_sandbox_platform=sandbox_platform, + retry=retry + ) + + elif action == "CHECK ANALYSIS STATUS": + resp = a1000.check_submitted_url_status(task_id=task_id) + + else: + return_error("This action is not supported.") + + results = upload_from_url_output(resp_json=resp.json(), action=action) + return results + + +def upload_from_url_output(resp_json, action): + markdown = f"""## ReversingLabs A1000 URL sample actions - {action}\n""" + + if action == "UPLOAD": + output = tableToMarkdown("Upload results", resp_json) + indicator = None + + else: + report = resp_json.get("report") + + output = f"""**Processing status**: {resp_json.get("processing_status")} + **Classification**: {report.get("classification")} + **Risk score**: {report.get("riskscore")} + **ID**: {report.get("id")} + **SHA-1**: {report.get("sha1")} + **SHA-256**: {report.get("sha256")} + **SHA-512**: {report.get("sha512")} + **MD5**: {report.get("md5")} + **IMPHASH**: {report.get("imphash")} + **Category**: {report.get("category")} + **File type**: {report.get("file_type")} + **File 
subtype**: {report.get("file_subtype")} + **File size**: {report.get("file_size")} + **Classification origin**: {report.get("classification_origin")} + **Classification reason**: {report.get("classification_reason")} + """ + + av_scanners = tableToMarkdown("AV Scanners", report.get("av_scanners_summary")) + rl_sandbox = tableToMarkdown("RL Cloud Sandbox", report.get("rl_cloud_sandbox")) + + output = output + "\n" + av_scanners + rl_sandbox + + score = classification_to_score(report.get("classification").upper()) + + dbot_score = Common.DBotScore( + indicator=report.get("sha1"), + indicator_type=DBotScoreType.FILE, + integration_name="ReversingLabs A1000 v2", + score=score, + malicious_description=report.get("file_subtype"), + reliability=RELIABILITY + ) + + indicator = Common.File( + md5=report.get("md5"), + sha1=report.get("sha1"), + sha256=report.get("sha256"), + dbot_score=dbot_score + ) + + markdown = markdown + output + + command_results = CommandResults( + outputs_prefix="ReversingLabs", + outputs={"a1000_upload_from_url_actions": resp_json}, + indicator=indicator, + readable_output=markdown + ) + + return command_results + + def main(): try: wait_time_seconds = int(WAIT_TIME_SECONDS) @@ -1446,6 +1549,8 @@ def main(): return_results(yara_retro_command(a1000)) elif demisto.command() == 'reversinglabs-a1000-list-containers': return_results(list_containers_command(a1000)) + elif demisto.command() == 'reversinglabs-a1000-upload-from-url-actions': + return_results(upload_from_url_command(a1000)) else: return_error(f'Command [{demisto.command()}] not implemented') diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml index 5db972c35218..af38f0e65824 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/ReversingLabsA1000v2.yml 
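Review bot: In `upload_from_url_output`, the non-UPLOAD branch calls `report.get(...)` on `resp_json.get("report")` with no `None` check and then `report.get("classification").upper()`, so a response that lacks `report` or `classification` (the CHECK ANALYSIS STATUS action presumably returns such a payload while processing is still pending) fails with `AttributeError` instead of a readable error. Guard with `report = resp_json.get("report") or {}`, read `classification = report.get("classification")` once, and leave `indicator = None` and skip the `DBotScore` construction when it is empty. `malicious_description=report.get("file_subtype")` also looks like a copy-and-paste slip: `sample_classification_output` in this file uses the classification result for that field, and a file subtype does not describe why the file was scored malicious. `upload_from_url_command` additionally lacks the `try/except` that maps `e.response_object.content` to `return_error` in the sibling commands.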
@@ -609,7 +609,39 @@ script: - contextPath: ReversingLabs.a1000_list_containers description: A10000 list top-level containers. type: Unknown - dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.93622 + - name: reversinglabs-a1000-upload-from-url-actions + description: Actions for uploading a sample from a URL and fetching the analysis results. + arguments: + - name: action + description: Which action to perform. Upload a sample from URL, get the report for an sample or both actions combined. + required: true + auto: PREDEFINED + predefined: + - 'UPLOAD' + - 'GET REPORT' + - 'UPLOAD AND GET REPORT' + - 'CHECK ANALYSIS STATUS' + - name: file_url + description: URL to the file you want to submit for analysis. Used in UPLOAD and UPLOAD AND GET REPORT. + - name: crawler + description: Which crawler to use - local or cloud. Used in UPLOAD and UPLOAD AND GET REPORT. + auto: PREDEFINED + predefined: + - 'local' + - 'cloud' + - name: archive_password + description: Required if the sample is an archive and it has a password. Used in UPLOAD and UPLOAD AND GET REPORT. + - name: sandbox_platform + description: Which sandbox platform to use. Check the A1000 documentation to see the current list of supported platforms. Used in UPLOAD and UPLOAD AND GET REPORT. + - name: task_id + description: ID of the URL processing task. Used in GET REPORT. + - name: retry + description: Utilize the retry mechanism for fetching the report. Used in GET REPORT and UPLOAD AND GET REPORT. + outputs: + - contextPath: ReversingLabs.a1000_upload_from_url_actions + description: Actions for uploading a sample from a URL and fetching the analysis results. + type: Unknown + dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.96712 runonce: false script: '-' subtype: python3 From 0c912e817df553d688644971119c68c3514c8925 Mon Sep 17 00:00:00 2001 
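Review bot: The new `archive_password` argument carries a credential but is defined like any other argument, so its value appears in the War Room entry and context; adding `secret: true` to that argument definition keeps it masked. The `retry` argument is described as a flag yet, unlike `publish` in the `reversinglabs-a1000-yara` command, has no `auto: PREDEFINED` / `predefined: ['true', 'false']` block, so arbitrary free text reaches `argToBoolean` on the Python side. The `task_id` description says it is used in GET REPORT only, but the Python hunk in this commit also reads it for CHECK ANALYSIS STATUS; the description should list both actions.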
From: msever Date: Wed, 5 Jun 2024 17:24:20 +0200 Subject: [PATCH 08/13] Add release notes --- Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md diff --git a/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md new file mode 100644 index 000000000000..ae13e87cfc5d --- /dev/null +++ b/Packs/ReversingLabs_A1000/ReleaseNotes/2_4_0.md @@ -0,0 +1,15 @@ +#### Integrations +##### ReversingLabs A1000 v2 +- Updated the Docker image to: *demisto/reversinglabs-sdk-py3:2.0.0.96712*. + +Added new commands: +- ***reversinglabs-a1000-user-tags*** +- ***reversinglabs-a1000-file-analysis-status*** +- ***reversinglabs-a1000-pdf-report*** +- ***reversinglabs-a1000-static-analysis-report*** +- ***reversinglabs-a1000-dynamic-analysis-report*** +- ***reversinglabs-a1000-sample-classification*** +- ***reversinglabs-a1000-yara*** +- ***reversinglabs-a1000-yara-retro*** +- ***reversinglabs-a1000-list-containers*** +- ***reversinglabs-a1000-upload-from-url-actions*** From 7931a64caec68e714ee6650f6d62eb9acc5ead60 Mon Sep 17 00:00:00 2001 From: msever Date: Wed, 5 Jun 2024 18:08:03 +0200 Subject: [PATCH 09/13] Update dockerimage --- .../ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml index 7c41c592ccb5..69ab867623b9 100644 --- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml +++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/ReversingLabsTitaniumScale.yml 
@@ -221,7 +221,7 @@ script: - contextPath: ReversingLabs.yara_id description: Identifier of the current set of YARA rules on the TitaniumScale Worker instance. type: Unknown - dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.72317 + dockerimage: demisto/reversinglabs-sdk-py3:2.0.0.96712 runonce: false script: '-' subtype: python3 From 309db27876993e264b8039f395a7e5fe25135cd5 Mon Sep 17 00:00:00 2001 From: msever Date: Wed, 5 Jun 2024 18:08:13 +0200 Subject: [PATCH 10/13] Add new examples --- .../ReversingLabsA1000v2/README.md | 4257 +++++++++++++++++ .../ReversingLabsA1000v2/command_examples.txt | 14 +- 2 files changed, 4270 insertions(+), 1 deletion(-) diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md index d6150c069ea3..65b339ae9316 100644 --- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md +++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/README.md 
@@ -6691,3 +6691,4260 @@ Get a list of URLs hosted on the requested IP address. >| https://consent.youtube.com/m?continue=https://www.youtube.com/playlist?list=PLUdyEkajrVvQgvw3E7Ms4YAvqa8yze0mk&bsft_aaid=d3faaff4-8ea9-405d-9544-4da5a26dc24a&bsft_eid=9ee948cc-69cb-27ef-383f-8b42608edab0&bsft_clkid=a51526e6-0d0d-42ba-a5b2-4ffe739b39b3&bsft_uid=13d7aa07-4c09-453f-85ae-fbd4e975b709&bsft_mid=5b0f75fb-615d-401c-b15c-8e301bce51a0&bsft_txnid=a887540d-743a-4d12-ab6a-9e9a09073a67&bsft_mime_type=html&bsft_ek=2022-03-20T12%253A10%253A17Z&bsft_lx=7&bsft_tv=25&&list_code=MONMARW&email_id=000139679745&cbrd=1&gl=DE&hl=de&m=0&pc=yt&src=1&uxe=23983171 | + +### reversinglabs-a1000-user-tags + +*** +Perform user tag actions for a sample - Get existing tags, create new tags or delete existing tags. + +#### Base Command + +`reversinglabs-a1000-user-tags` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| action | Which tag action to perform - GET, CREATE or DELETE. Possible values are: GET, CREATE, DELETE. | Required | +| hash | Hash of the desired sample. | Required | +| tags | Comma-separated list of tags. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_user_tags | Unknown | Actions for managing user tags on samples. | + +#### Command example +```!reversinglabs-a1000-user-tags hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" tags="tag3,tag4" action="CREATE"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_user_tags": [ + "tag3", + "tag4" + ] + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 user tags - CREATE tags +> **Tag list**: ["tag3","tag4"] + +### reversinglabs-a1000-file-analysis-status + +*** +Check the analysis status of submitted files. 
+ +#### Base Command + +`reversinglabs-a1000-file-analysis-status` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hashes | Comma-separated list of file hashes. Should be written without spaces and all hashes should be of the same type. | Required | +| analysis_status | Check only files with this analysis status. Available values are 'processed' and 'not_found'. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_file_analysis_status | Unknown | Analysis status of requested files. | + +#### Command example +```!reversinglabs-a1000-file-analysis-status hashes="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" analysis_status="processed"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_file_analysis_status": { + "hash_type": "sha1", + "results": [ + { + "hash_value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "status": "processed" + } + ] + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 file analysis status +> **Hash type**: sha1 +>**Only status**: processed +>### Analysis status +>|hash_value|status| +>|---|---| +>| 0000a0a381d31e0dafcaa22343d2d7e40ff76e06 | processed | + + +### reversinglabs-a1000-pdf-report + +*** +Perform PDF report actions for a sample - create a report, check the status of a report and download a report. + +#### Base Command + +`reversinglabs-a1000-pdf-report` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hash | Sample hash. | Required | +| action | Which PDF report action to perform - CREATE REPORT, CHECK STATUS or DOWNLOAD REPORT. Possible values are: CREATE REPORT, CHECK STATUS, DOWNLOAD REPORT. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_pdf_report | Unknown | Actions for creating and downloading PDF reports. 
| + +#### Command example +```!reversinglabs-a1000-pdf-report hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="CREATE REPORT"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_pdf_report": { + "download_endpoint": "/api/pdf/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/download", + "status_endpoint": "/api/pdf/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/status" + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 PDF report - CREATE REPORT +>**Status endpoint**: /api/pdf/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/status +> **Download endpoint**: /api/pdf/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/download + +### reversinglabs-a1000-static-analysis-report + +*** +Retrieve the static analysis report for a local sample. + +#### Base Command + +`reversinglabs-a1000-static-analysis-report` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hash | Sample hash. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_static_analysis_report | Unknown | The static analysis report. 
| + +#### Command example +```!reversinglabs-a1000-static-analysis-report hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06"``` +#### Context Example +```json +{ + "DBotScore": { + "Indicator": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "Reliability": "C - Fairly reliable", + "Score": 3, + "Type": "file", + "Vendor": "ReversingLabs A1000 v2" + }, + "File": { + "Hashes": [ + { + "type": "MD5", + "value": "a984de0ce47a8d5337ef569c812b57d0" + }, + { + "type": "SHA1", + "value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06" + }, + { + "type": "SHA256", + "value": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + } + ], + "MD5": "a984de0ce47a8d5337ef569c812b57d0", + "Malicious": { + "Description": "Win32.Downloader.Unruy", + "Vendor": "ReversingLabs A1000 v2" + }, + "SHA1": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "SHA256": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + }, + "ReversingLabs": { + "a1000_static_analysis_report": { + "application": { + "capabilities": [ + [ + "clipboard", + false + ], + [ + "ipc", + false + ], + [ + "threads", + true + ], + [ + "processes", + true + ], + [ + "storage", + false + ], + [ + "filesystem", + false + ], + [ + "peripherals", + false + ], + [ + "user_input", + false + ], + [ + "hardware_interfaces", + false + ], + [ + "networking", + false + ], + [ + "cryptography", + false + ], + [ + "security", + false + ], + [ + "system", + true + ], + [ + "modules", + true + ], + [ + "memory_management", + true + ], + [ + "user_interface", + true + ], + [ + "command_line", + false + ], + [ + "time_and_date", + false + ], + [ + "identity", + false + ], + [ + "monitoring", + false + ], + [ + "configuration", + false + ], + [ + "compression", + false + ], + [ + "multimedia", + true + ], + [ + "deprecated", + false + ], + [ + "undocumented", + false + ], + [ + "application_management", + false + ], + [ + "service_management", + false + ], + [ + "messaging", + false + ], + [ + "protection", + false + ], + 
[ + "drivers", + false + ] + ], + "libraries": [ + { + "community": 0, + "description": "Windows NT BASE API Client Library", + "license": "Proprietary (Microsoft Windows Operating System License)", + "linking": 2, + "name": "kernel32", + "publisher": "Microsoft Corporation", + "type": 3, + "verified": 0, + "version": "Generic" + }, + { + "community": 0, + "description": "Multi-User Windows USER API Client Library", + "license": "Proprietary (Microsoft Windows Operating System License)", + "linking": 2, + "name": "user32", + "publisher": "Microsoft Corporation", + "type": 3, + "verified": 0, + "version": "Generic" + } + ], + "pe": { + "analysis": { + "analysis_state": 0, + "issues": [ + { + "code": 24014, + "count": 4, + "description": "Section virtual size will be automatically rounded up by section alignment value.", + "name": "WC24014", + "relevance": 0 + }, + { + "code": 28286, + "count": 1, + "description": "Detected the presence a resource node that has no data entries.", + "name": "WC28286", + "relevance": 0 + }, + { + "code": 31501, + "count": 1, + "description": "Detected that image_rich_header_t::product list includes a reference to an older toolchain version. This outdated compiler version lacks built-in protection from integer based overflow attacks while dynamically allocation memory buffers. Lowers grade to D.", + "name": "SC31501", + "relevance": 0 + }, + { + "code": 32004, + "count": 1, + "description": "Non-optimal file_header_t::characteristics value. File has relocations stripped, which eliminates the possibility of ASLR being used. Lowers grade to C.", + "name": "SC32004", + "relevance": 0 + }, + { + "code": 33012, + "count": 1, + "description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Data execution prevention feature flag is not set. 
Lowers grade to D.", + "name": "SC33012", + "relevance": 1 + }, + { + "code": 33013, + "count": 1, + "description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Control flow guard feature flag is not set. Lowers grade to B.", + "name": "SC33013", + "relevance": 1 + }, + { + "code": 33014, + "count": 1, + "description": "Detected security mitigation policy issue in optional_header_t::dll_characteristics. Address space layout randomization feature flag is not set. Lowers grade to C.", + "name": "SC33014", + "relevance": 0 + }, + { + "code": 38610, + "count": 1, + "description": "Detected security mitigation policy issue in dll_extended_data_t::flags. The image is not compatible with Intel Control Flow Enforcement Technology. No impact to the final grade at this time.", + "name": "SC38610", + "relevance": 1 + }, + { + "code": 39196, + "count": 1, + "description": "Detected the use of SDLC banned function kernel32.lstrcatA. Use of this function is considered unsafe because it's an unbound string operation. 
Lowers grade to D.", + "name": "SC39196", + "relevance": 0 + } + ], + "security_grade": 3 + }, + "dos_header": { + "e_cblp": 144, + "e_cp": 3, + "e_cparhdr": 4, + "e_crlc": 0, + "e_cs": 0, + "e_csum": 0, + "e_ip": 0, + "e_lfanew": 208, + "e_lfarlc": 64, + "e_maxalloc": 65535, + "e_minalloc": 0, + "e_oemid": 0, + "e_oeminfo": 0, + "e_ovno": 0, + "e_res": "0000000000000000", + "e_res2": "0000000000000000000000000000000000000000", + "e_sp": 184, + "e_ss": 0 + }, + "file_header": { + "characteristics": 271, + "machine": 332, + "number_of_sections": 4, + "number_of_symbols": 0, + "pointer_to_symbol_table": 0, + "size_of_optional_headers": 224, + "time_date_stamp": 1290670165, + "time_date_stamp_decoded": "2010-11-25T07:29:25Z" + }, + "imports": [ + { + "apis": [ + "HeapAlloc", + "GetProcessHeap", + "GetProcAddress", + "LoadLibraryA", + "lstrcatA" + ], + "name": "KERNEL32.dll" + }, + { + "apis": [ + "SetWindowPos", + "AttachThreadInput", + "SetForegroundWindow" + ], + "name": "USER32.dll" + } + ], + "optional_header": { + "address_of_entry_point": 14976, + "base_of_code": 4096, + "base_of_data": 20480, + "checksum": 0, + "data_directories": [ + { + "address": 0, + "size": 0 + }, + { + "address": 20520, + "size": 60 + }, + { + "address": 53248, + "size": 16 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 20480, + "size": 40 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + }, + { + "address": 0, + "size": 0 + } + ], + "dll_characteristics": 0, + "file_alignment": 512, + "image_base": 4194304, + "is_checksum_valid": true, + "loader_flags": 0, + "major_image_version": 0, + "major_linker_version": 6, + "major_os_version": 4, + 
"major_subsystem_version": 4, + "minor_image_version": 0, + "minor_linker_version": 0, + "minor_os_version": 0, + "minor_subsystem_version": 0, + "number_of_rva_and_sizes": 16, + "section_alignment": 4096, + "size_of_code": 13824, + "size_of_headers": 4096, + "size_of_heap_commit": 4096, + "size_of_heap_reserve": 1048576, + "size_of_image": 57344, + "size_of_initialized_data": 27648, + "size_of_stack_commit": 4096, + "size_of_stack_reserve": 1048576, + "size_of_uninitialized_data": 0, + "subsystem": 2, + "win32_version_value": 0 + }, + "rich_header": { + "checksum": 2475530069, + "entries": [ + { + "counter": 11, + "product": 1, + "tooling": 7, + "version": 0 + }, + { + "counter": 5, + "product": 19, + "tooling": 6, + "version": 8034 + }, + { + "counter": 1, + "product": 14, + "tooling": 5, + "version": 7299 + }, + { + "counter": 4, + "product": 11, + "tooling": 2, + "version": 8966 + }, + { + "counter": 1, + "product": 6, + "tooling": 10, + "version": 1735 + } + ], + "offset": 128, + "size": 80 + }, + "sections": [ + { + "entropy": 6.065153483391547, + "flags": 1610612768, + "hashes": [ + { + "name": "md5", + "value": "d12a64610c6295a375e8cbf3fabf111e" + }, + { + "name": "sha1", + "value": "834d581edfd155bf0fe638bc91a779cfd56c373f" + }, + { + "name": "sha256", + "value": "0a618f93e0810c85ee993ef5bcb1450317c0e744bce1b47a4da1a05371a152a6" + } + ], + "name": ".text", + "physical_base": 1024, + "physical_size": 13824, + "relative_base": 4096, + "relative_size": 16384 + }, + { + "entropy": 2.8575599963638005, + "flags": 1073741888, + "hashes": [ + { + "name": "md5", + "value": "ec1240c941749e4bdd90f90d2bdba34f" + }, + { + "name": "sha1", + "value": "3fb3458d1cee383c732457afd35d75612ee0db88" + }, + { + "name": "sha256", + "value": "3f1bdeb0017ef544a6cffacdf9f6fd89e03bfbabdb889eb0ad089710c3d9a380" + } + ], + "name": ".rdata", + "physical_base": 14848, + "physical_size": 512, + "relative_base": 20480, + "relative_size": 4096 + }, + { + "entropy": 7.714661527808296, + 
"flags": 3221225536, + "hashes": [ + { + "name": "md5", + "value": "39187b844a3ffa357b1726f8d4ace948" + }, + { + "name": "sha1", + "value": "55bfd9fa4d3ea132935988eb068dd5f4ac4c2db6" + }, + { + "name": "sha256", + "value": "e1bc4715e1e1a34da4c16df2bc283f60456c8fa22f9b8d29e61335416fbe0bd0" + } + ], + "name": ".data", + "physical_base": 15360, + "physical_size": 26624, + "relative_base": 24576, + "relative_size": 28672 + }, + { + "entropy": 0, + "flags": 1073741888, + "hashes": [ + { + "name": "md5", + "value": "bf619eac0cdf3f68d496ea9344137e8b" + }, + { + "name": "sha1", + "value": "5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5" + }, + { + "name": "sha256", + "value": "076a27c79e5ace2a3d47f9dd2e83e4ff6ea8872b3c2218f66c92b89b55f36560" + } + ], + "name": ".rsrc", + "physical_base": 41984, + "physical_size": 512, + "relative_base": 53248, + "relative_size": 4096 + } + ] + } + }, + "attack": [ + { + "matrix": "Enterprise", + "tactics": [ + { + "description": "The adversary is trying to run malicious code.", + "id": "TA0002", + "name": "Execution", + "techniques": [ + { + "description": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. 
These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.", + "id": "T1106", + "indicators": [ + { + "category": 10, + "description": "Loads additional APIs.", + "id": 70, + "priority": 2, + "relevance": 0 + } + ], + "name": "Native API" + } + ] + } + ] + } + ], + "behaviour": {}, + "certificate": {}, + "classification": { + "classification": 3, + "factor": 8, + "propagated": false, + "result": "Win32.Downloader.Unruy", + "scan_results": [ + { + "classification": 3, + "factor": 8, + "ignored": false, + "name": "Antivirus (based on the RCA Classify)", + "result": "Win32.Downloader.Unruy", + "type": 1, + "version": "2.89" + }, + { + "classification": 3, + "factor": 8, + "ignored": false, + "name": "TitaniumCore RHA1", + "result": "Win32.Downloader.Unruy", + "type": 5, + "version": "5.0.0.24" + }, + { + "classification": 3, + "factor": 6, + "ignored": false, + "name": "TitaniumCore Machine Learning", + "result": "Win32.Malware.Heuristic", + "type": 5, + "version": "5.0.0.24" + } + ] + }, + "document": {}, + "email": {}, + "imphash": "054e4e5c28d6533b44ae24cbf3e08a15", + "indicators": [ + { + "category": 4, + "description": "Allocates additional memory in the calling process.", + "id": 17985, + "priority": 3, + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: HeapAlloc", + "propagated": false + } + ], + "relevance": 0 + }, + { + "category": 10, + "description": "Loads additional libraries.", + "id": 69, + "priority": 2, + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: LoadLibraryA", + "propagated": false + } + ], + "relevance": 1 + }, + { + "category": 10, + "description": "Loads additional APIs.", + "id": 70, + "priority": 2, + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: 
GetProcAddress", + "propagated": false + }, + { + "category": "Indicator Match", + "description": "Matched another indicator that describes the following: Loads additional libraries.", + "propagated": false + } + ], + "relevance": 0 + }, + { + "category": 16, + "description": "Uses string related methods.", + "id": 18050, + "priority": 1, + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: lstrcatA", + "propagated": false + } + ], + "relevance": 0 + } + ], + "info": { + "file": { + "entropy": 7.222407502197507, + "file_subtype": "Exe", + "file_type": "PE", + "hashes": [ + { + "name": "imphash", + "value": "054e4e5c28d6533b44ae24cbf3e08a15" + }, + { + "name": "md5", + "value": "a984de0ce47a8d5337ef569c812b57d0" + }, + { + "name": "rha0", + "value": "6e60e6783d0e5104dab2311c93d6f9b42cebbf03" + }, + { + "name": "sha1", + "value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06" + }, + { + "name": "sha256", + "value": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + }, + { + "name": "sha512", + "value": "9357144084c64531dec928de2a85c924d8079b50b5e98ab2c61ae59b97992a39b833f618341e91b071ec94e65bd901ebdf892851e5a4247e1557a55c14923da5" + }, + { + "name": "ssdeep", + "value": "768:JbTqavYjTvEBTfVDAyNX8PFOJ40feIaFzSUqSH3Uxr:JbTqBjT8fhAyF8NKeIaJExr" + } + ], + "proposed_filename": null, + "size": 42544 + }, + "overlays": [ + { + "entropy": 0, + "from": 0, + "hashes": [ + { + "name": "md5", + "value": "e932766776e6ec8c734075b277a9dabe" + }, + { + "name": "sha1", + "value": "7062d43e1185995b5b7bba93e5d22e607df49245" + }, + { + "name": "sha256", + "value": "addc3bfa329b888c3430d549b9b6c9f57dca041007d84e013b6a503096a14e92" + } + ], + "offset": 42496, + "size": 48 + } + ], + "statistics": { + "file_stats": [ + { + "count": 1, + "identifications": [ + { + "count": 1, + "name": "Unknown" + } + ], + "subtype": "Exe", + "type": "PE" + } + ] + }, + "validation": { + "scan_results": [ + { + "name": "TitaniumCore PE Rich 
Header Validator", + "type": 5, + "valid": true, + "version": "5.0.0.24" + }, + { + "name": "TitaniumCore PE Checksum Validator", + "type": 5, + "valid": true, + "version": "5.0.0.24" + }, + { + "name": "TitaniumCore PECOFF Validator", + "type": 3, + "valid": true, + "version": "5.0.6" + } + ], + "valid": true + } + }, + "interesting_strings": [], + "md5": "a984de0ce47a8d5337ef569c812b57d0", + "media": {}, + "mobile": {}, + "protection": {}, + "security": {}, + "sha1": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "sha256": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3", + "sha512": "9357144084c64531dec928de2a85c924d8079b50b5e98ab2c61ae59b97992a39b833f618341e91b071ec94e65bd901ebdf892851e5a4247e1557a55c14923da5", + "story": "This file (SHA1: 0000a0a381d31e0dafcaa22343d2d7e40ff76e06) is a 32-bit portable executable application. The application uses the Windows graphical user interface (GUI) subsystem. Appended data was detected at the file's end. Its length is smaller than the size of the image. This application has access to running processes. Libraries kernel32 Generic and user32 Generic were detected in the file. 
There are no extracted files.", + "strings": [ + { + "c": 1, + "f": 2, + "o": 1078, + "v": "\rDa@" + }, + { + "c": 5, + "f": 2, + "o": 1171, + "v": "\fj\tj" + }, + { + "c": 1, + "f": 2, + "o": 1266, + "v": "\fj\\h" + }, + { + "c": 1, + "f": 2, + "o": 1303, + "v": "\rlf@" + }, + { + "c": 2, + "f": 2, + "o": 1309, + "v": "- P@" + }, + { + "c": 1, + "f": 2, + "o": 1348, + "v": "\rxb@" + }, + { + "c": 2, + "f": 2, + "o": 1488, + "v": "\rD`@" + }, + { + "c": 1, + "f": 2, + "o": 1554, + "v": "hln@" + }, + { + "c": 1, + "f": 2, + "o": 1607, + "v": "\r`n@" + }, + { + "c": 1, + "f": 2, + "o": 1626, + "v": "\rhn@" + }, + { + "c": 1, + "f": 2, + "o": 1720, + "v": "\r4b@" + }, + { + "c": 2, + "f": 2, + "o": 1733, + "v": "\rhf@" + }, + { + "c": 1, + "f": 2, + "o": 1763, + "v": "hPn@" + }, + { + "c": 1, + "f": 2, + "o": 1787, + "v": "\r@n@" + }, + { + "c": 1, + "f": 2, + "o": 1809, + "v": "\rHn@" + }, + { + "c": 2, + "f": 2, + "o": 1868, + "v": "\rLf@" + }, + { + "c": 1, + "f": 2, + "o": 1875, + "v": "\fj;h\"P" + }, + { + "c": 1, + "f": 2, + "o": 1991, + "v": "h(n@" + }, + { + "c": 1, + "f": 2, + "o": 2099, + "v": "\r@b@" + }, + { + "c": 1, + "f": 2, + "o": 2303, + "v": "\r8g@" + }, + { + "c": 1, + "f": 2, + "o": 2537, + "v": "\r8f@" + }, + { + "c": 2, + "f": 2, + "o": 2820, + "v": "\r\\b@" + }, + { + "c": 2, + "f": 2, + "o": 2836, + "v": "\rtf@" + }, + { + "c": 1, + "f": 2, + "o": 2916, + "v": "\rxf@" + }, + { + "c": 1, + "f": 2, + "o": 2950, + "v": "\r\f`@" + }, + { + "c": 1, + "f": 2, + "o": 3024, + "v": "\rpm@" + }, + { + "c": 1, + "f": 2, + "o": 3046, + "v": "\rxm@" + }, + { + "c": 1, + "f": 2, + "o": 3127, + "v": "\r\fa@" + }, + { + "c": 1, + "f": 2, + "o": 3181, + "v": "hXm@" + }, + { + "c": 6, + "f": 2, + "o": 3204, + "v": "\fj\rj" + }, + { + "c": 1, + "f": 2, + "o": 3228, + "v": "\rLm@" + }, + { + "c": 1, + "f": 2, + "o": 3308, + "v": "h4m@" + }, + { + "c": 1, + "f": 2, + "o": 3332, + "v": "\r$m@" + }, + { + "c": 1, + "f": 2, + "o": 3354, + "v": "\r,m@" + }, + { + "c": 
1, + "f": 2, + "o": 3380, + "v": "\r@a@" + }, + { + "c": 1, + "f": 2, + "o": 3472, + "v": "\rta@" + }, + { + "c": 1, + "f": 2, + "o": 3521, + "v": "\r`c@" + }, + { + "c": 1, + "f": 2, + "o": 3608, + "v": "\r\fm@" + }, + { + "c": 2, + "f": 2, + "o": 3675, + "v": "\r$`@" + }, + { + "c": 1, + "f": 2, + "o": 3900, + "v": "j\rh|E1" + }, + { + "c": 1, + "f": 3, + "o": 17737, + "v": "ik\nL" + }, + { + "c": 1, + "f": 2, + "o": 17786, + "v": "M},x" + }, + { + "c": 1, + "f": 2, + "o": 17850, + "v": "\\)VXo53" + }, + { + "c": 1, + "f": 2, + "o": 17901, + "v": "h6pp&" + }, + { + "c": 1, + "f": 2, + "o": 17958, + "v": "72Jh" + }, + { + "c": 1, + "f": 2, + "o": 17998, + "v": "Wfj&%" + }, + { + "c": 1, + "f": 2, + "o": 18103, + "v": "_i=/." + }, + { + "c": 1, + "f": 2, + "o": 18142, + "v": "]Q9[" + }, + { + "c": 1, + "f": 2, + "o": 18252, + "v": "i0>!" + }, + { + "c": 1, + "f": 2, + "o": 18384, + "v": "=8wo" + }, + { + "c": 1, + "f": 2, + "o": 18416, + "v": "G+~s" + }, + { + "c": 1, + "f": 2, + "o": 18486, + "v": "<\rt\\" + }, + { + "c": 1, + "f": 2, + "o": 18623, + "v": "7D\ra" + }, + { + "c": 1, + "f": 2, + "o": 18638, + "v": "OO\"#u" + }, + { + "c": 1, + "f": 2, + "o": 18766, + "v": "]=p)" + }, + { + "c": 1, + "f": 2, + "o": 18829, + "v": "e\f[m[" + }, + { + "c": 1, + "f": 2, + "o": 18934, + "v": "!P7W" + }, + { + "c": 1, + "f": 2, + "o": 19082, + "v": "TaA" + }, + { + "c": 1, + "f": 2, + "o": 19574, + "v": "'=R4" + }, + { + "c": 1, + "f": 2, + "o": 19607, + "v": "-~\fM" + }, + { + "c": 1, + "f": 2, + "o": 19714, + "v": "sL?_" + }, + { + "c": 1, + "f": 2, + "o": 19719, + "v": "'4gk[l;" + }, + { + "c": 1, + "f": 2, + "o": 19743, + "v": "lgn!" 
+ }, + { + "c": 1, + "f": 2, + "o": 19748, + "v": "3LeY[" + }, + { + "c": 1, + "f": 2, + "o": 19754, + "v": "z^aq" + }, + { + "c": 1, + "f": 2, + "o": 19764, + "v": "\rCt%" + }, + { + "c": 1, + "f": 2, + "o": 19898, + "v": "3l\tk" + }, + { + "c": 1, + "f": 2, + "o": 20235, + "v": "C]3c7" + }, + { + "c": 1, + "f": 2, + "o": 20244, + "v": "w\"Sk" + }, + { + "c": 1, + "f": 2, + "o": 20282, + "v": "Nl(//6E" + }, + { + "c": 1, + "f": 3, + "o": 20379, + "v": "iR1N" + }, + { + "c": 1, + "f": 2, + "o": 20478, + "v": ".(fB" + }, + { + "c": 1, + "f": 2, + "o": 20545, + "v": "*N:p" + }, + { + "c": 1, + "f": 2, + "o": 20628, + "v": "bMVU" + }, + { + "c": 1, + "f": 2, + "o": 20685, + "v": "G<~." + }, + { + "c": 1, + "f": 2, + "o": 20737, + "v": "gSrt" + }, + { + "c": 1, + "f": 2, + "o": 20795, + "v": "-fFo" + }, + { + "c": 1, + "f": 2, + "o": 20954, + "v": "\u000bQoi" + }, + { + "c": 1, + "f": 2, + "o": 20966, + "v": "Y|^j)" + }, + { + "c": 1, + "f": 2, + "o": 21057, + "v": "g1z>" + }, + { + "c": 1, + "f": 2, + "o": 21193, + "v": "j@fr" + }, + { + "c": 1, + "f": 2, + "o": 21357, + "v": "s3.'" + }, + { + "c": 1, + "f": 2, + "o": 21425, + "v": "?^>\"" + }, + { + "c": 1, + "f": 2, + "o": 21437, + "v": "\\^ZH~)4" + }, + { + "c": 1, + "f": 2, + "o": 21467, + "v": "k(NM" + }, + { + "c": 1, + "f": 2, + "o": 21577, + "v": "B;!d" + }, + { + "c": 1, + "f": 2, + "o": 21592, + "v": "M\"cn" + }, + { + "c": 1, + "f": 2, + "o": 21622, + "v": "+ `h" + }, + { + "c": 1, + "f": 2, + "o": 21713, + "v": "LoM0" + }, + { + "c": 1, + "f": 2, + "o": 21726, + "v": "3JS\"" + }, + { + "c": 1, + "f": 2, + "o": 21829, + "v": "Z,{oX`" + }, + { + "c": 1, + "f": 2, + "o": 21836, + "v": "p5rjZ@" + }, + { + "c": 1, + "f": 2, + "o": 22043, + "v": "BuA]_" + }, + { + "c": 1, + "f": 2, + "o": 22070, + "v": "\t }:R" + }, + { + "c": 1, + "f": 2, + "o": 22125, + "v": "MG+," + }, + { + "c": 1, + "f": 2, + "o": 22181, + "v": "(Jz\n" + }, + { + "c": 1, + "f": 2, + "o": 22319, + "v": "0b]d" + }, + { + "c": 1, + "f": 2, + 
"o": 22380, + "v": "\",}je" + }, + { + "c": 1, + "f": 2, + "o": 22468, + "v": "zI\fC" + }, + { + "c": 1, + "f": 2, + "o": 22516, + "v": "^\u000bxU" + }, + { + "c": 1, + "f": 2, + "o": 22662, + "v": "w6!2" + }, + { + "c": 1, + "f": 2, + "o": 22672, + "v": "wKBT" + }, + { + "c": 1, + "f": 2, + "o": 22788, + "v": "j)d[" + }, + { + "c": 1, + "f": 2, + "o": 22793, + "v": "O^bF" + }, + { + "c": 1, + "f": 2, + "o": 22895, + "v": "B0Dv\\\r`" + }, + { + "c": 1, + "f": 2, + "o": 22968, + "v": "}!'x" + }, + { + "c": 1, + "f": 2, + "o": 23000, + "v": "\"8nS" + }, + { + "c": 1, + "f": 2, + "o": 23016, + "v": "-S'Y" + }, + { + "c": 1, + "f": 2, + "o": 23023, + "v": "x1$v" + }, + { + "c": 1, + "f": 2, + "o": 23032, + "v": "!a\u000bR" + }, + { + "c": 1, + "f": 2, + "o": 23038, + "v": "\t;UA" + }, + { + "c": 1, + "f": 2, + "o": 23073, + "v": "zU8I" + }, + { + "c": 1, + "f": 2, + "o": 23186, + "v": "<).\tT" + }, + { + "c": 1, + "f": 2, + "o": 23203, + "v": "_de[-!" + }, + { + "c": 1, + "f": 2, + "o": 23218, + "v": ";Nlvj^" + }, + { + "c": 1, + "f": 2, + "o": 23348, + "v": "\f\f+xyL" + }, + { + "c": 1, + "f": 2, + "o": 23361, + "v": "nWO=" + }, + { + "c": 1, + "f": 2, + "o": 23371, + "v": "l'WL" + }, + { + "c": 1, + "f": 2, + "o": 23446, + "v": "Z}LEE" + }, + { + "c": 1, + "f": 2, + "o": 23507, + "v": "%\r%}" + }, + { + "c": 1, + "f": 2, + "o": 23519, + "v": "\t,P9" + }, + { + "c": 1, + "f": 2, + "o": 23547, + "v": "kc$," + }, + { + "c": 1, + "f": 2, + "o": 23561, + "v": "a$\u000bR" + }, + { + "c": 1, + "f": 2, + "o": 23617, + "v": ")eTio{h" + }, + { + "c": 1, + "f": 2, + "o": 23745, + "v": "|SA'%2" + }, + { + "c": 1, + "f": 2, + "o": 23858, + "v": "WW/!" 
+ }, + { + "c": 1, + "f": 2, + "o": 23926, + "v": "t0g'" + }, + { + "c": 1, + "f": 3, + "o": 23939, + "v": "I.Dd" + }, + { + "c": 1, + "f": 2, + "o": 23965, + "v": "I1PN" + }, + { + "c": 1, + "f": 3, + "o": 24110, + "v": "AiN\nb" + }, + { + "c": 1, + "f": 2, + "o": 24230, + "v": "{hM:~" + }, + { + "c": 1, + "f": 2, + "o": 24253, + "v": "_?iH" + }, + { + "c": 1, + "f": 3, + "o": 24346, + "v": "attO" + }, + { + "c": 1, + "f": 2, + "o": 24430, + "v": "Jr6)" + }, + { + "c": 1, + "f": 2, + "o": 24474, + "v": "]^;p" + }, + { + "c": 1, + "f": 2, + "o": 24523, + "v": "wRzS" + }, + { + "c": 1, + "f": 2, + "o": 24675, + "v": "b\n5e\\*" + }, + { + "c": 1, + "f": 2, + "o": 24726, + "v": ";,G[" + }, + { + "c": 1, + "f": 2, + "o": 24733, + "v": "M8ak" + }, + { + "c": 1, + "f": 2, + "o": 24840, + "v": "^Jj-" + }, + { + "c": 1, + "f": 2, + "o": 25013, + "v": "Bs&?" + }, + { + "c": 1, + "f": 2, + "o": 25037, + "v": "r8^@" + }, + { + "c": 1, + "f": 2, + "o": 25065, + "v": "SP/=" + }, + { + "c": 1, + "f": 2, + "o": 25220, + "v": "]\u000bTxf" + }, + { + "c": 1, + "f": 2, + "o": 25325, + "v": "\f1Bn" + }, + { + "c": 1, + "f": 2, + "o": 25339, + "v": "r`>N%" + }, + { + "c": 1, + "f": 2, + "o": 25362, + "v": "d)nM" + }, + { + "c": 1, + "f": 2, + "o": 25526, + "v": "D|G$" + }, + { + "c": 1, + "f": 2, + "o": 25560, + "v": "z" + }, + { + "c": 1, + "f": 2, + "o": 26822, + "v": "o\t*p," + }, + { + "c": 1, + "f": 2, + "o": 26836, + "v": "W\rLmBBr;S" + }, + { + "c": 1, + "f": 2, + "o": 26888, + "v": "tg\u000b," + }, + { + "c": 1, + "f": 2, + "o": 26967, + "v": "]{Q~R" + }, + { + "c": 1, + "f": 2, + "o": 26990, + "v": "RTm\\" + }, + { + "c": 1, + "f": 2, + "o": 27030, + "v": "MF4L" + }, + { + "c": 1, + "f": 2, + "o": 27047, + "v": "dAUO" + }, + { + "c": 1, + "f": 2, + "o": 27373, + "v": "f*EX" + }, + { + "c": 1, + "f": 2, + "o": 27420, + "v": "%})z" + }, + { + "c": 1, + "f": 2, + "o": 27524, + "v": "\rs\t;{" + }, + { + "c": 1, + "f": 2, + "o": 27663, + "v": "IN|GE" + }, + { + "c": 1, + "f": 2, + 
"o": 27733, + "v": "U7kG" + }, + { + "c": 1, + "f": 2, + "o": 27768, + "v": "EP%o}" + }, + { + "c": 1, + "f": 2, + "o": 27880, + "v": "Ru6Z/7" + }, + { + "c": 1, + "f": 2, + "o": 28005, + "v": "#A~1" + }, + { + "c": 1, + "f": 2, + "o": 28094, + "v": "Yw[\rX" + }, + { + "c": 1, + "f": 2, + "o": 28296, + "v": "uoTu" + }, + { + "c": 1, + "f": 2, + "o": 28308, + "v": "LS#U" + }, + { + "c": 1, + "f": 2, + "o": 28314, + "v": "y$^1" + }, + { + "c": 1, + "f": 2, + "o": 28452, + "v": "3akq" + }, + { + "c": 1, + "f": 2, + "o": 28486, + "v": "$mP1d=" + }, + { + "c": 1, + "f": 2, + "o": 28521, + "v": "uA\t\nq" + }, + { + "c": 1, + "f": 2, + "o": 28551, + "v": "0uq/36" + }, + { + "c": 1, + "f": 2, + "o": 28564, + "v": "osZQ" + }, + { + "c": 1, + "f": 2, + "o": 28638, + "v": "\"*QK" + }, + { + "c": 1, + "f": 2, + "o": 28656, + "v": "L{&[" + }, + { + "c": 1, + "f": 2, + "o": 28692, + "v": "Mo$\rt?" + }, + { + "c": 1, + "f": 2, + "o": 28702, + "v": ".&Bv" + }, + { + "c": 1, + "f": 2, + "o": 28710, + "v": "EM\f&PN" + }, + { + "c": 1, + "f": 2, + "o": 28717, + "v": "Hk1O" + }, + { + "c": 1, + "f": 2, + "o": 28921, + "v": "o&| " + }, + { + "c": 1, + "f": 2, + "o": 28942, + "v": "0Dco" + }, + { + "c": 1, + "f": 2, + "o": 28985, + "v": "tBC," + }, + { + "c": 1, + "f": 2, + "o": 29005, + "v": ">M5m" + }, + { + "c": 1, + "f": 2, + "o": 29015, + "v": "Jb$s" + }, + { + "c": 1, + "f": 2, + "o": 29068, + "v": "Fxsl" + }, + { + "c": 1, + "f": 2, + "o": 29109, + "v": "\fv l" + }, + { + "c": 1, + "f": 2, + "o": 29161, + "v": "(t_}" + }, + { + "c": 1, + "f": 2, + "o": 29236, + "v": "_a/T" + }, + { + "c": 1, + "f": 2, + "o": 29254, + "v": "&6ElU" + }, + { + "c": 1, + "f": 2, + "o": 29278, + "v": "e&64\fm" + }, + { + "c": 1, + "f": 2, + "o": 29302, + "v": "*'.%" + }, + { + "c": 1, + "f": 2, + "o": 29397, + "v": "gb,a" + }, + { + "c": 1, + "f": 2, + "o": 29454, + "v": "VD\t-" + }, + { + "c": 1, + "f": 2, + "o": 29515, + "v": " bvsZ" + }, + { + "c": 1, + "f": 2, + "o": 29587, + "v": "F\tJP" + }, + { 
+ "c": 1, + "f": 2, + "o": 29779, + "v": "$-\t'" + }, + { + "c": 1, + "f": 2, + "o": 29975, + "v": "}&E." + }, + { + "c": 1, + "f": 2, + "o": 30051, + "v": "t#&Q[@" + }, + { + "c": 1, + "f": 2, + "o": 30060, + "v": "\r=r^" + }, + { + "c": 1, + "f": 2, + "o": 30065, + "v": "M1JL@" + }, + { + "c": 1, + "f": 3, + "o": 30270, + "v": "mS\ta" + }, + { + "c": 1, + "f": 2, + "o": 30302, + "v": "|mW&" + }, + { + "c": 1, + "f": 2, + "o": 30312, + "v": "l6|}" + }, + { + "c": 1, + "f": 2, + "o": 30324, + "v": "`']a" + }, + { + "c": 1, + "f": 2, + "o": 30333, + "v": "tI\\i~" + }, + { + "c": 1, + "f": 2, + "o": 30366, + "v": "FH30" + }, + { + "c": 1, + "f": 2, + "o": 30423, + "v": "3QL8" + }, + { + "c": 1, + "f": 2, + "o": 30459, + "v": "eEUJ" + }, + { + "c": 1, + "f": 2, + "o": 30554, + "v": "I`B^" + }, + { + "c": 1, + "f": 2, + "o": 30572, + "v": "+X&f" + }, + { + "c": 1, + "f": 2, + "o": 30617, + "v": "=r7#K#" + }, + { + "c": 1, + "f": 2, + "o": 30717, + "v": "8Jbt" + }, + { + "c": 1, + "f": 2, + "o": 30798, + "v": "0!4\tYB=x" + }, + { + "c": 1, + "f": 2, + "o": 30917, + "v": "'5vIm1Qo " + }, + { + "c": 1, + "f": 2, + "o": 30954, + "v": "$&*s" + }, + { + "c": 1, + "f": 2, + "o": 31050, + "v": "9K%C" + }, + { + "c": 1, + "f": 2, + "o": 31125, + "v": "%Z+P" + }, + { + "c": 1, + "f": 2, + "o": 31193, + "v": "\tFTGW\"h" + }, + { + "c": 1, + "f": 2, + "o": 31342, + "v": "Sh@G" + }, + { + "c": 1, + "f": 2, + "o": 31367, + "v": "a\rq(" + }, + { + "c": 1, + "f": 2, + "o": 31380, + "v": "Y\"h>" + }, + { + "c": 1, + "f": 2, + "o": 31474, + "v": "_u=k" + }, + { + "c": 1, + "f": 2, + "o": 31479, + "v": "#.>-" + }, + { + "c": 1, + "f": 2, + "o": 31507, + "v": "B5'\t" + }, + { + "c": 1, + "f": 2, + "o": 31635, + "v": "SmI`" + }, + { + "c": 1, + "f": 2, + "o": 31746, + "v": ")rfh" + }, + { + "c": 1, + "f": 2, + "o": 31811, + "v": "m4SM" + }, + { + "c": 1, + "f": 2, + "o": 31870, + "v": "N}2\r" + }, + { + "c": 1, + "f": 2, + "o": 31941, + "v": ">No+" + }, + { + "c": 1, + "f": 2, + "o": 
32008, + "v": "])&h\n" + }, + { + "c": 1, + "f": 2, + "o": 32051, + "v": "U\"k9" + }, + { + "c": 1, + "f": 2, + "o": 32068, + "v": "Rmqy" + }, + { + "c": 1, + "f": 2, + "o": 32104, + "v": "_BG(Rh\u000b" + }, + { + "c": 1, + "f": 2, + "o": 32134, + "v": "@RaHl|2l" + }, + { + "c": 1, + "f": 2, + "o": 32274, + "v": "t3=e`1" + }, + { + "c": 1, + "f": 2, + "o": 32303, + "v": "\tk\n^" + }, + { + "c": 1, + "f": 2, + "o": 32445, + "v": "J'uT/" + }, + { + "c": 1, + "f": 2, + "o": 32519, + "v": "Wp% v" + }, + { + "c": 1, + "f": 2, + "o": 32561, + "v": "kXME" + }, + { + "c": 1, + "f": 2, + "o": 32626, + "v": "Vk9B" + }, + { + "c": 1, + "f": 2, + "o": 32659, + "v": "$T7'" + }, + { + "c": 1, + "f": 2, + "o": 32752, + "v": "5nP " + }, + { + "c": 1, + "f": 2, + "o": 32891, + "v": "rH?G" + }, + { + "c": 1, + "f": 2, + "o": 33057, + "v": "o_WU/" + }, + { + "c": 1, + "f": 2, + "o": 33144, + "v": "fbiFL+" + }, + { + "c": 1, + "f": 2, + "o": 33225, + "v": "@c\u000b)\n" + }, + { + "c": 1, + "f": 2, + "o": 33244, + "v": "k8EJ" + }, + { + "c": 1, + "f": 2, + "o": 33325, + "v": "8aM;" + }, + { + "c": 1, + "f": 2, + "o": 33338, + "v": "q78<\r" + }, + { + "c": 1, + "f": 2, + "o": 33375, + "v": "bZb4" + }, + { + "c": 1, + "f": 2, + "o": 33433, + "v": "wg#m" + }, + { + "c": 1, + "f": 2, + "o": 33446, + "v": "J&sHI[" + }, + { + "c": 1, + "f": 2, + "o": 33514, + "v": "eR \r|" + }, + { + "c": 1, + "f": 2, + "o": 33530, + "v": "W5FCZ" + }, + { + "c": 1, + "f": 2, + "o": 33582, + "v": "\tCm&" + }, + { + "c": 1, + "f": 2, + "o": 33938, + "v": "'cJ6q" + }, + { + "c": 1, + "f": 2, + "o": 34014, + "v": "OO&L" + }, + { + "c": 1, + "f": 2, + "o": 34120, + "v": "\t*hzM" + }, + { + "c": 1, + "f": 2, + "o": 34141, + "v": "ZH6U" + }, + { + "c": 1, + "f": 2, + "o": 34603, + "v": ":R8P" + }, + { + "c": 1, + "f": 2, + "o": 34728, + "v": "1Jh(" + }, + { + "c": 1, + "f": 2, + "o": 34800, + "v": "r=A4" + }, + { + "c": 1, + "f": 2, + "o": 34821, + "v": " ru^oU" + }, + { + "c": 1, + "f": 2, + "o": 34879, + "v": 
"m/o>" + }, + { + "c": 1, + "f": 2, + "o": 34920, + "v": "],uE" + }, + { + "c": 1, + "f": 2, + "o": 34983, + "v": "e\rK%!8" + }, + { + "c": 1, + "f": 3, + "o": 34992, + "v": "Ln.I" + }, + { + "c": 1, + "f": 2, + "o": 35019, + "v": "bi\"d" + }, + { + "c": 1, + "f": 2, + "o": 35041, + "v": "Qd\t$" + }, + { + "c": 1, + "f": 2, + "o": 35143, + "v": "'['," + }, + { + "c": 1, + "f": 2, + "o": 35191, + "v": "277Q" + }, + { + "c": 1, + "f": 2, + "o": 35314, + "v": ")HK&n" + }, + { + "c": 1, + "f": 2, + "o": 35518, + "v": "^w3 " + }, + { + "c": 1, + "f": 2, + "o": 35561, + "v": "{2f9" + }, + { + "c": 1, + "f": 2, + "o": 35682, + "v": "%>vD" + }, + { + "c": 1, + "f": 2, + "o": 35696, + "v": "Do[f" + }, + { + "c": 1, + "f": 2, + "o": 35720, + "v": "I. 7oP" + }, + { + "c": 1, + "f": 2, + "o": 36008, + "v": "\\yFb@" + }, + { + "c": 1, + "f": 2, + "o": 36200, + "v": "Yj'p)" + }, + { + "c": 1, + "f": 2, + "o": 36320, + "v": "}Ok`" + }, + { + "c": 1, + "f": 2, + "o": 36357, + "v": "J=(R" + }, + { + "c": 1, + "f": 2, + "o": 36372, + "v": ".ghp" + }, + { + "c": 1, + "f": 2, + "o": 36383, + "v": "f,&k>" + }, + { + "c": 1, + "f": 2, + "o": 36536, + "v": "Tua}Z" + }, + { + "c": 1, + "f": 2, + "o": 36556, + "v": "!Clb" + }, + { + "c": 1, + "f": 2, + "o": 36569, + "v": "S;\f4" + }, + { + "c": 1, + "f": 3, + "o": 36578, + "v": "r-nl\fu" + }, + { + "c": 1, + "f": 2, + "o": 36666, + "v": "Oi\"B" + }, + { + "c": 1, + "f": 2, + "o": 36693, + "v": "4zF9" + }, + { + "c": 1, + "f": 2, + "o": 36740, + "v": "|S43" + }, + { + "c": 1, + "f": 2, + "o": 37051, + "v": "SJ2\"" + }, + { + "c": 1, + "f": 2, + "o": 37236, + "v": "L\"c$" + }, + { + "c": 1, + "f": 2, + "o": 37321, + "v": "3~Pj8" + }, + { + "c": 1, + "f": 2, + "o": 37369, + "v": "}qP." 
+ }, + { + "c": 1, + "f": 2, + "o": 37415, + "v": "j1;?]Xn" + }, + { + "c": 1, + "f": 2, + "o": 37440, + "v": "r$RZ" + }, + { + "c": 1, + "f": 2, + "o": 37467, + "v": "lif.B(" + }, + { + "c": 1, + "f": 3, + "o": 37495, + "v": "n\reO" + }, + { + "c": 1, + "f": 2, + "o": 37550, + "v": "LU{4u*" + }, + { + "c": 1, + "f": 2, + "o": 41182, + "v": "[nhsO" + }, + { + "c": 1, + "f": 2, + "o": 41248, + "v": "]\tW]" + }, + { + "c": 1, + "f": 2, + "o": 41267, + "v": "$5Fi" + }, + { + "c": 1, + "f": 2, + "o": 41298, + "v": "N6UD" + }, + { + "c": 1, + "f": 2, + "o": 41332, + "v": "\r,mk" + }, + { + "c": 1, + "f": 2, + "o": 41411, + "v": "#Jk?8" + }, + { + "c": 1, + "f": 2, + "o": 41483, + "v": "\ffLZ" + }, + { + "c": 1, + "f": 2, + "o": 41500, + "v": "q@P+" + }, + { + "c": 1, + "f": 3, + "o": 41516, + "v": "Heap" + } + ], + "tags": { + "ticore": [ + "antivirus", + "arch-x86", + "capability-execution", + "desktop", + "entropy-high", + "gui", + "machine-learning", + "overlay", + "rich-header" + ], + "user": [ + "tag1", + "tag2", + "tag3", + "tag4" + ] + }, + "web": {} + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 static analysis report for 0000a0a381d31e0dafcaa22343d2d7e40ff76e06 +> **Classification**: 3 +> **Factor**: 8 +> **Result**: Win32.Downloader.Unruy +> **SHA-1**: 0000a0a381d31e0dafcaa22343d2d7e40ff76e06 +> **MD5**: a984de0ce47a8d5337ef569c812b57d0 +> **SHA-256**: b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3 +> **SHA-512**: 9357144084c64531dec928de2a85c924d8079b50b5e98ab2c61ae59b97992a39b833f618341e91b071ec94e65bd901ebdf892851e5a4247e1557a55c14923da5 +> **Story**: This file (SHA1: 0000a0a381d31e0dafcaa22343d2d7e40ff76e06) is a 32-bit portable executable application. The application uses the Windows graphical user interface (GUI) subsystem. Appended data was detected at the file's end. Its length is smaller than the size of the image. This application has access to running processes. 
Libraries kernel32 Generic and user32 Generic were detected in the file. There are no extracted files. +> ### Indicators +>|category|description|id|priority|reasons|relevance| +>|---|---|---|---|---|---| +>| 4 | Allocates additional memory in the calling process. | 17985 | 3 | {'propagated': False, 'category': 'Imported API Name', 'description': 'Imports the following function: HeapAlloc'} | 0 | +>| 10 | Loads additional libraries. | 69 | 2 | {'propagated': False, 'category': 'Imported API Name', 'description': 'Imports the following function: LoadLibraryA'} | 1 | +>| 10 | Loads additional APIs. | 70 | 2 | {'propagated': False, 'category': 'Imported API Name', 'description': 'Imports the following function: GetProcAddress'},
{'propagated': False, 'category': 'Indicator Match', 'description': 'Matched another indicator that describes the following: Loads additional libraries.'} | 0 | +>| 16 | Uses string related methods. | 18050 | 1 | {'propagated': False, 'category': 'Imported API Name', 'description': 'Imports the following function: lstrcatA'} | 0 | +> ### Tags +>|ticore|user| +>|---|---| +>| antivirus,
arch-x86,
capability-execution,
desktop,
entropy-high,
gui,
machine-learning,
overlay,
rich-header | tag1,
tag2,
tag3,
tag4 | +> +> + +### reversinglabs-a1000-dynamic-analysis-report + +*** +Perform dynamic analysis report actions for a sample - create a report, check the status of a report and download a report. + +#### Base Command + +`reversinglabs-a1000-dynamic-analysis-report` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hash | Sample hash. | Required | +| action | Which dynamic analysis report action to perform - CREATE REPORT, CHECK STATUS or DOWNLOAD REPORT. Possible values are: CREATE REPORT, CHECK STATUS, DOWNLOAD REPORT. | Required | +| report_format | Dynamic analysis report format. Possible values are: pdf, html. Default is pdf. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_dynamic_analysis_report | Unknown | Actions for creating and downloading dynamic analysis reports. | + +#### Command example +```!reversinglabs-a1000-dynamic-analysis-report report_format="pdf" hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="CREATE REPORT"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_dynamic_analysis_report": { + "download_endpoint": "/api/rl_dynamic_analysis/export/summary/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/pdf/download/", + "status_endpoint": "/api/rl_dynamic_analysis/export/summary/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/pdf/status/" + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 dynamic analysis report - CREATE REPORT +>**Status endpoint**: /api/rl_dynamic_analysis/export/summary/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/pdf/status/ +> **Download endpoint**: /api/rl_dynamic_analysis/export/summary/0000a0a381d31e0dafcaa22343d2d7e40ff76e06/pdf/download/ + +### reversinglabs-a1000-sample-classification + +*** +Perform sample classification actions - get sample classification, set sample classification or delete sample classification. 
+ +#### Base Command + +`reversinglabs-a1000-sample-classification` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| hash | Sample hash. | Required | +| action | Which classification action to perform - GET CLASSIFICATION, SET CLASSIFICATION or DELETE CLASSIFICATION. Possible values are: GET CLASSIFICATION, SET CLASSIFICATION, DELETE CLASSIFICATION. | Required | +| system | Local or TitaniumCloud. Possible values are: local, ticloud. | Optional | +| local_only | Return only local samples without querying TitaniumCloud. Possible values are: true, false. | Optional | +| av_scanners | Return return AV scanner results. Possible values are: true, false. | Optional | +| classification | goodware, suspicious or malicious. Possible values are: goodware, suspicious, malicious. | Optional | +| risk_score | If specified, it must be within range for the specified classification. If not specified, a default value is used. Goodware - 0, Suspicious - 6, Malicious - 10. | Optional | +| threat_platform | If specified, it must be on the supported list (platforms and subplatforms - see official API docs). If not specified, the default value is 'Win32'. | Optional | +| threat_type | If specified, it must be on the supported list (malware types - see official API docs). If not specified, the default value is 'Malware'. | Optional | +| threat_name | If specified, must be an alphanumeric string not longer than 32 characters. If not specified, the default value is 'Generic'. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_sample_classification | Unknown | Sample classification actions. 
| + +#### Command example +```!reversinglabs-a1000-sample-classification hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="GET CLASSIFICATION" system="local" local_only="true" av_scanners="false" classification="malicious"``` +#### Context Example +```json +{ + "DBotScore": { + "Indicator": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "Reliability": "C - Fairly reliable", + "Score": 3, + "Type": "file", + "Vendor": "ReversingLabs A1000 v2" + }, + "File": { + "Hashes": [ + { + "type": "MD5", + "value": "a984de0ce47a8d5337ef569c812b57d0" + }, + { + "type": "SHA1", + "value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06" + }, + { + "type": "SHA256", + "value": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + } + ], + "MD5": "a984de0ce47a8d5337ef569c812b57d0", + "Malicious": { + "Description": "Win32.Downloader.Unruy", + "Vendor": "ReversingLabs A1000 v2" + }, + "SHA1": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "SHA256": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + }, + "ReversingLabs": { + "a1000_sample_classification": { + "classification": "malicious", + "classification_origin": null, + "classification_reason": "Antivirus", + "classification_result": "Win32.Downloader.Unruy", + "cloud_last_lookup": "2024-06-05T15:43:13Z", + "data_source": "LOCAL", + "first_seen": "2011-09-21T02:09:00Z", + "last_seen": "2024-06-05T15:10:39Z", + "md5": "a984de0ce47a8d5337ef569c812b57d0", + "riskscore": 8, + "sha1": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "sha256": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 sample classification - GET CLASSIFICATION +>**Classification**: malicious +> **Risk score**: 8 +> **First seen**: 2011-09-21T02:09:00Z +> **Last seen**: 2024-06-05T15:10:39Z +> **Classification result**: Win32.Downloader.Unruy +> **Classification reason**: Antivirus +> **SHA-1**: 0000a0a381d31e0dafcaa22343d2d7e40ff76e06 +> 
**SHA-256**: b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3 +> **MD5**: a984de0ce47a8d5337ef569c812b57d0 +> + +### reversinglabs-a1000-yara + +*** +Perform A1000 YARA actions. + +#### Base Command + +`reversinglabs-a1000-yara` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| action | Which YARA action to perform. Possible values are: GET RULESETS, GET CONTENTS, GET MATCHES, UPDATE RULESET, DELETE RULESET, ENABLE RULESET, DISABLE RULESET, GET SYNCHRONIZATION TIME, UPDATE SYNCHRONIZATION TIME. | Required | +| ruleset_name | Ruleset name. | Optional | +| ruleset_content | Ruleset content. | Optional | +| publish | Publish the ruleset. Possible values are: true, false. | Optional | +| sync_time | Desired ruleset synchronization time. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_yara | Unknown | YARA actions. | + +#### Command example +```!reversinglabs-a1000-yara action="GET RULESETS"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_yara": { + "count": 4, + "next": null, + "previous": null, + "results": [ + { + "cloud_synced": false, + "goodware_match_count": 27, + "last_matched": "2024-06-05T15:47:06.917422Z", + "malicious_match_count": 1, + "name": "get_money3", + "owner": "admin", + "status": "pending", + "suspicious_match_count": 0, + "system_ruleset": false, + "unknown_match_count": 1 + }, + { + "cloud_synced": false, + "goodware_match_count": 2, + "last_matched": "2024-05-24T16:00:19.220946Z", + "malicious_match_count": 0, + "name": "Rule_Find_PDF_with_URLs", + "owner": "admin", + "status": "pending", + "suspicious_match_count": 0, + "system_ruleset": false, + "unknown_match_count": 0 + }, + { + "cloud_synced": false, + "goodware_match_count": 0, + "last_matched": null, + "malicious_match_count": 0, + "name": "MislavTesting", + "owner": "admin", + "status": "pending", + "suspicious_match_count": 0, + 
"system_ruleset": false, + "unknown_match_count": 0 + }, + { + "cloud_synced": true, + "goodware_match_count": 0, + "last_matched": null, + "malicious_match_count": 0, + "name": "test_yara_rule", + "owner": "admin", + "status": "active", + "suspicious_match_count": 0, + "system_ruleset": false, + "unknown_match_count": 0 + } + ], + "source": "all", + "status": "all", + "type": "my" + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 YARA - GET RULESETS +>|count|next|previous|results|source|status|type| +>|---|---|---|---|---|---|---| +>| 4 | | | {'status': 'pending', 'suspicious_match_count': 0, 'malicious_match_count': 1, 'goodware_match_count': 27, 'unknown_match_count': 1, 'name': 'get_money3', 'owner': 'admin', 'last_matched': '2024-06-05T15:47:06.917422Z', 'system_ruleset': False, 'cloud_synced': False},
{'status': 'pending', 'suspicious_match_count': 0, 'malicious_match_count': 0, 'goodware_match_count': 2, 'unknown_match_count': 0, 'name': 'Rule_Find_PDF_with_URLs', 'owner': 'admin', 'last_matched': '2024-05-24T16:00:19.220946Z', 'system_ruleset': False, 'cloud_synced': False},
{'status': 'pending', 'suspicious_match_count': 0, 'malicious_match_count': 0, 'goodware_match_count': 0, 'unknown_match_count': 0, 'name': 'MislavTesting', 'owner': 'admin', 'last_matched': None, 'system_ruleset': False, 'cloud_synced': False},
{'status': 'active', 'suspicious_match_count': 0, 'malicious_match_count': 0, 'goodware_match_count': 0, 'unknown_match_count': 0, 'name': 'test_yara_rule', 'owner': 'admin', 'last_matched': None, 'system_ruleset': False, 'cloud_synced': True} | all | all | my | + + +### reversinglabs-a1000-yara-retro + +*** +Perform A1000 YARA Retroactive Hunt actions. + +#### Base Command + +`reversinglabs-a1000-yara-retro` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| action | Which YARA Retro action to perform. Possible values are: MANAGE LOCAL SCAN, LOCAL SCAN STATUS, MANAGE CLOUD SCAN, CLOUD SCAN STATUS. | Required | +| ruleset_name | Ruleset name. | Optional | +| operation | Select a ruleset operation. Possible values are: START, STOP, CLEAR. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_yara_retro | Unknown | YARA Retro actions. | + +#### Command example +```!reversinglabs-a1000-yara-retro action="LOCAL SCAN STATUS" ruleset_name="get_money3"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_yara_retro": { + "message": null, + "status": { + "history": [ + { + "samples": 281, + "started": "2024-05-24T15:58:55.075337+00:00", + "started_username": "admin", + "state": "COMPLETED", + "stopped": "2024-05-24T16:28:13.110974+00:00", + "stopped_username": null + }, + { + "samples": 11, + "started": "2022-11-15T10:14:16.515681+00:00", + "started_username": "admin", + "state": "COMPLETED", + "stopped": "2022-11-15T10:14:20.687855+00:00", + "stopped_username": null + }, + { + "samples": 11, + "started": "2022-11-11T15:02:00.683418+00:00", + "started_username": "admin", + "state": "COMPLETED", + "stopped": "2022-11-11T15:02:07.011490+00:00", + "stopped_username": null + } + ], + "processed": 371, + "samples": 281, + "started": "2024-05-24T15:58:55.075337+00:00", + "state": "COMPLETED", + "stopped": "2024-05-24T16:28:13.110974+00:00" + }, + 
"success": true + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 YARA Retroactive Hunt - LOCAL SCAN STATUS +>|message|status|success| +>|---|---|---| +>| | state: COMPLETED
started: 2024-05-24T15:58:55.075337+00:00
stopped: 2024-05-24T16:28:13.110974+00:00
samples: 281
processed: 371
history: {'state': 'COMPLETED', 'started': '2024-05-24T15:58:55.075337+00:00', 'stopped': '2024-05-24T16:28:13.110974+00:00', 'samples': 281, 'started_username': 'admin', 'stopped_username': None},
{'state': 'COMPLETED', 'started': '2022-11-15T10:14:16.515681+00:00', 'stopped': '2022-11-15T10:14:20.687855+00:00', 'samples': 11, 'started_username': 'admin', 'stopped_username': None},
{'state': 'COMPLETED', 'started': '2022-11-11T15:02:00.683418+00:00', 'stopped': '2022-11-11T15:02:07.011490+00:00', 'samples': 11, 'started_username': 'admin', 'stopped_username': None} | true | + + +### reversinglabs-a1000-list-containers + +*** +Get a list of all top-level containers from which the requested samples have been extracted during analysis. + +#### Base Command + +`reversinglabs-a1000-list-containers` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| sample_hashes | Comma-separated list of sample hashes. No whitespaces are allowed. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_list_containers | Unknown | A10000 list top-level containers. | + +#### Command example +```!reversinglabs-a1000-list-containers sample_hashes="0000a0a381d31e0dafcaa22343d2d7e40ff76e06,661566e9131c39a1b34cabde9a14877d9bcb3d90"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_list_containers": { + "count": 0, + "next": null, + "previous": null, + "results": [] + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 List containers for hashes +>|count|next|previous|results| +>|---|---|---|---| +>| 0 | | | | + + +### reversinglabs-a1000-upload-from-url-actions + +*** +Actions for uploading a sample from a URL and fetching the analysis results. + +#### Base Command + +`reversinglabs-a1000-upload-from-url-actions` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| action | Which action to perform. Upload a sample from URL, get the report for an sample or both actions combined. Possible values are: UPLOAD, GET REPORT, UPLOAD AND GET REPORT, CHECK ANALYSIS STATUS. | Required | +| file_url | URL to the file you want to submit for analysis. Used in UPLOAD and UPLOAD AND GET REPORT. | Optional | +| crawler | Which crawler to use - local or cloud. 
Used in UPLOAD and UPLOAD AND GET REPORT. Possible values are: local, cloud. | Optional | +| archive_password | Required if the sample is an archive and it has a password. Used in UPLOAD and UPLOAD AND GET REPORT. | Optional | +| sandbox_platform | Which sandbox platform to use. Check the A1000 documentation to see the current list of supported platforms. Used in UPLOAD and UPLOAD AND GET REPORT. | Optional | +| task_id | ID of the URL processing task. Used in GET REPORT. | Optional | +| retry | Utilize the retry mechanism for fetching the report. Used in GET REPORT and UPLOAD AND GET REPORT. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.a1000_upload_from_url_actions | Unknown | Actions for uploading a sample from a URL and fetching the analysis results. | + +#### Command example +```!reversinglabs-a1000-upload-from-url-actions action="UPLOAD" file_url="https://download.sublimetext.com/sublime_text_build_4169_x64_setup.exe" crawler="local" sandbox_platform="windows10"``` +#### Context Example +```json +{ + "ReversingLabs": { + "a1000_upload_from_url_actions": { + "code": 201, + "detail": { + "created": "2024-06-05T15:50:40.409482Z", + "filename": "https://download.sublimetext.com/sublime_text_build_4169_x64_setup.exe", + "id": 419, + "user": 1 + }, + "message": "Done." + } + } +} +``` + +#### Human Readable Output + +>## ReversingLabs A1000 URL sample actions - UPLOAD +>### Upload results +>|code|detail|message| +>|---|---|---| +>| 201 | id: 419
user: 1
created: 2024-06-05T15:50:40.409482Z
filename: https://download.sublimetext.com/sublime_text_build_4169_x64_setup.exe | Done. |
+
+
+
diff --git a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/command_examples.txt b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/command_examples.txt
index a67ecfe2437e..bf96a752fc96 100644
--- a/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/command_examples.txt
+++ b/Packs/ReversingLabs_A1000/Integrations/ReversingLabsA1000v2/command_examples.txt
@@ -13,4 +13,16 @@
 !reversinglabs-a1000-reanalyze hash="a94775deb818a4d68635eeed3d16abc7f7b8bdd6"
 !reversinglabs-a1000-upload-sample entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
 !reversinglabs-a1000-upload-sample-and-get-results entryId="7469@08d0efc0-7fc6-4c26-8ae9-f3bfc7b92a59" comment="this_is_a_comment" tags="one_tag"
-!reversinglabs-a1000-url-report url="http://akiwinds.duckdns.org/chats/fre.php"
\ No newline at end of file
+!reversinglabs-a1000-url-report url="http://akiwinds.duckdns.org/chats/fre.php"
+!reversinglabs-a1000-user-tags hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" tags="tag3,tag4" action="CREATE"
+!reversinglabs-a1000-file-analysis-status hashes="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" analysis_status="processed"
+!reversinglabs-a1000-pdf-report hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="CREATE REPORT"
+!reversinglabs-a1000-static-analysis-report hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06"
+!reversinglabs-a1000-dynamic-analysis-report report_format="pdf" hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="CREATE REPORT"
+!reversinglabs-a1000-sample-classification hash="0000a0a381d31e0dafcaa22343d2d7e40ff76e06" action="GET CLASSIFICATION" system="local" local_only="true" av_scanners="false" classification="malicious"
+!reversinglabs-a1000-yara action="GET RULESETS"
+!reversinglabs-a1000-yara-retro action="LOCAL SCAN STATUS" ruleset_name="get_money3"
+!reversinglabs-a1000-list-containers sample_hashes="0000a0a381d31e0dafcaa22343d2d7e40ff76e06,661566e9131c39a1b34cabde9a14877d9bcb3d90"
+!reversinglabs-a1000-upload-from-url-actions action="UPLOAD" file_url="https://download.sublimetext.com/sublime_text_build_4169_x64_setup.exe" crawler="local" sandbox_platform="windows10"
+
+
From 77c77ee316f9295b1a7b92101104598ea33a5500 Mon Sep 17 00:00:00 2001
From: msever
Date: Wed, 5 Jun 2024 18:12:03 +0200
Subject: [PATCH 11/13] Add release notes
---
 .../ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
diff --git a/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md b/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
new file mode 100644
index 000000000000..0287f96e6eb0
--- /dev/null
+++ b/Packs/ReversingLabs_TitaniumScale/ReleaseNotes/1_2_0.md
@@ -0,0 +1,10 @@
+#### Integrations
+##### ReversingLabs TitaniumScale
+- Updated the Docker image to *demisto/reversinglabs-sdk-py3:2.0.0.96712*.
+
+Added new commands:
+- ***reversinglabs-titaniumscale-list-processing-tasks***
+- ***reversinglabs-titaniumscale-get-processing-task-info***
+- ***reversinglabs-titaniumscale-delete-processing-task***
+- ***reversinglabs-titaniumscale-delete-multiple-tasks***
+- ***reversinglabs-titaniumscale-get-yara-id***
From 823fe5b8c190b9e154bd47385415af03008c7e87 Mon Sep 17 00:00:00 2001
From: msever
Date: Wed, 5 Jun 2024 18:19:39 +0200
Subject: [PATCH 12/13] Add command_examples.txt
---
 .../ReversingLabsTitaniumScale/command_examples.txt | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/command_examples.txt
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/command_examples.txt b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/command_examples.txt
new file mode 100644
index 000000000000..ee10f87909ca
--- /dev/null
+++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/command_examples.txt
@@ -0,0 +1,8 @@
+!reversinglabs-titaniumscale-upload-sample-and-get-results entryId="371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422" custom_token="a-custom-token"
+!reversinglabs-titaniumscale-upload-sample entryId="371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422" custom_token="a-custom-token"
+!reversinglabs-titaniumscale-get-results taskUrl="https://tiscale-worker-integrations-demo-01.rl.lan/api/tiscale/v1/task/40"
+!reversinglabs-titaniumscale-list-processing-tasks age="60" custom_token="a-custom-token"
+!reversinglabs-titaniumscale-get-processing-task-info task_id="40"
+!reversinglabs-titaniumscale-delete-processing-task task_id="100"
+!reversinglabs-titaniumscale-delete-multiple-tasks age="20"
+!reversinglabs-titaniumscale-get-yara-id
From 9e31bd40bebdbc4796689e34a72043c7aebe364a Mon Sep 17 00:00:00 2001
From: msever
Date: Wed, 5 Jun 2024 18:22:13 +0200
Subject: [PATCH 13/13] Update the readme
---
 .../ReversingLabsTitaniumScale/README.md | 2186 ++++++-----------
 1 file changed, 742 insertions(+), 1444 deletions(-)
diff --git a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
index 32d958a7088b..5516443a3ae6 100644
--- a/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
+++ b/Packs/ReversingLabs_TitaniumScale/Integrations/ReversingLabsTitaniumScale/README.md
@@ -1,1555 +1,853 @@ - -## Overview -This integration supports using ReversingLabs Advanced File Analysis to 'detonate file' on the TitaniumScale Advanced Malware -Analysis Appliance. - -The ReversingLabs TitaniumScale Appliance is powered by TitaniumCore, the malware analysis engine that performs -automated static analysis using the Active File Decomposition technology. - -TitaniumCore unpacks and recursively analyzes files without executing them, and extracts internal threat indicators to -classify files and determine their threat level. TitaniumCore is capable of identifying thousands of file format -families. It recursively unpacks hundreds of file format families, and fully repairs extracted files to enable further -analysis. - -* * * -## Prerequisites - -You need to obtain the following: - -* TitaniumScale instance -* TitaniumScale API Token +ReversingLabs advanced file decomposition appliance. ## Configure ReversingLabs TitaniumScale on Cortex XSOAR 1. Navigate to **Settings** > **Integrations** > **Servers & Services**. -2. Search for **Reversinglabs TitaniumScale**. +2. Search for ReversingLabs TitaniumScale. 3. Click **Add instance** to create and configure a new integration instance. | **Parameter** | **Required** | | --- | --- | | ReversingLabs TitaniumScale instance URL | True | - | API Token | True | - | Verify host certificates | True (default: False) | - | Reliability | True (default: C - Fairly reliable) - |Wait time between report fetching retries (seconds)| True (default: 2)| - |Number of report fetching retries| True (default: 30)| - | HTTP proxy address with the protocol and port number. | False | + | API Token | True | + | Verify host certificates | False | + | Reliability | False | + | Wait time between report fetching retries (seconds). Deafult is 2 seconds. | False | + | Number of report fetching retries. Default is 30. 
| False | + | HTTP proxy address with the protocol and port number | False | | HTTP proxy username | False | | HTTP proxy password | False | - | HTTPS proxy address with the protocol and port number. | False | + | HTTPS proxy address with the protocol and port number | False | | HTTPS proxy username | False | | HTTPS proxy password | False | -4. Click **Test** to validate connection. +4. Click **Test** to validate the URLs, token, and connection. ## Commands -You can execute these commands from the XSOAR CLI, as part of an automation, or in a playbook. + +You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. -For all commands, full report is saved as a part of the context and also returned as a downloadable file. -- [reversinglabs-titaniumscale-upload-sample-and-get-results](#reversinglabs-titaniumscale-upload-sample-and-get-results) -- [reversinglabs-titaniumscale-upload-sample](#reversinglabs-titaniumscale-upload-sample) -- [reversinglabs-titaniumscale-get-results](#reversinglabs-titaniumscale-get-results) +### reversinglabs-titaniumscale-upload-sample-and-get-results *** -## reversinglabs-titaniumscale-upload-sample-and-get-results -Upload sample to TitaniumScale instance and retrieve the analysis report. - -### Input +Upload sample to TitaniumScale and retrieve analysis report. 
-| **Argument Name** | **Description** | **Required** | -| --- | --- | --- | -| entryId | Entry ID of the sample to be uploaded | True | - -### Command Example -```!reversinglabs-titaniumscale-upload-sample-and-get-results entryId="3156@1651bd83-3242-43e4-8084-26de8937ca81"``` - -### Human Readable Output: -![Image](doc_imgs/upload-and-get.png) +#### Base Command -### Context Output +`reversinglabs-titaniumscale-upload-sample-and-get-results` -| **Path** | **Description** | -| --- | --- | -| File | File indicator | -| DBotScore | Score | -| ReversingLabs.tc_report | Full report in JSON | +#### Input +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| entryId | The file entry to upload. | Required | +| custom_token | A custom token for filtering processing tasks. | Optional | +| user_data | User-defined data in the form of a JSON string. This data is NOT included in file analysis reports. | Optional | +| custom_data | User-defined data in the form of a JSON string. This data is included in file analysis reports. | Optional | -
- -
Context Example: -

+#### Context Output +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| File.SHA256 | String | The SHA256 hash of the file. | +| File.SHA1 | String | The SHA1 hash of the file. | +| File.SHA512 | String | The SHA512 hash of the file. | +| File.Name | String | The name of the file. | +| File.EntryID | String | The Entry ID. | +| File.Info | String | Information about the file. | +| File.Type | String | The type of the file. | +| File.MD5 | String | MD5 hash of the file. | +| DBotScore.Score | Number | The actual score. | +| DBotScore.Type | String | The indicator type. | +| DBotScore.Indicator | String | The indicator that was tested. | +| DBotScore.Vendor | String | The vendor used to calculate the score. | +| ReversingLabs.tc_report | String | Full report. | + +#### Command example +```!reversinglabs-titaniumscale-upload-sample-and-get-results entryId="371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422" custom_token="a-custom-token"``` +#### Context Example ```json { - "Type": 1, - "ContentsFormat": "json", - "Contents": { + "DBotScore": { + "Indicator": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "Reliability": "C - Fairly reliable", + "Score": 3, + "Type": "file", + "Vendor": "ReversingLabs TitaniumScale" + }, + "File": { + "Hashes": [ + { + "type": "MD5", + "value": "a984de0ce47a8d5337ef569c812b57d0" + }, + { + "type": "SHA1", + "value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06" + }, + { + "type": "SHA256", + "value": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + } + ], + "MD5": "a984de0ce47a8d5337ef569c812b57d0", + "Malicious": { + "Description": "\n **Antivirus (based on the RCA Classify):** Win32.Downloader.Unruy", + "Vendor": "ReversingLabs TitaniumScale" + }, + "SHA1": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06", + "SHA256": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" + }, + "InfoFile": { + "EntryID": "398@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422", + "Info": "text/plain", + "Name": "Full report in JSON", + 
"Size": 19763, + "Type": "ASCII text" + }, + "ReversingLabs": { "tc_report": [ { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.18799192412328, - "file_type": "PE+", - "file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "hashes": [ - { - "name": "imphash", - "value": "71f37f91c14c4729e462a32b6b2ae9d4" - }, - { - "name": "md5", - "value": "b44251a2f532cc8835f6ad164491ebae" - }, - { - "name": "rha0", - "value": "e268f6a56d568c8b466dbb1f5671401a6898135e" - }, - { - "name": "sha1", - "value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5" - }, - { - "name": "sha256", - "value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f" - } - ], - "file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "size": 1653234 - } + "classification": { + "classification": 3, + "factor": 3, + "propagated": false, + "rca_factor": 8, + "result": "Win32.Downloader.Unruy", + "scan_results": [ + { + "classification": 3, + "factor": 3, + "ignored": false, + "name": "Antivirus (based on the RCA Classify)", + "rca_factor": 8, + "result": "Win32.Downloader.Unruy", + "type": "av", + "version": "2.91" + }, + { + "classification": 3, + "factor": 3, + "ignored": false, + "name": "TitaniumCore RHA1", + "rca_factor": 8, + "result": "Win32.Downloader.Unruy", + "type": "internal", + "version": "5.0.1.26" + }, + { + "classification": 3, + "factor": 1, + "ignored": false, + "name": "TitaniumCore Machine Learning", + "rca_factor": 6, + "result": "Win32.Malware.Heuristic", + "type": "internal", + "version": "5.0.1.26" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "drweb", + "rca_factor": 0, + "result": "Win32.HLLC.Asdas.7", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "vba32", + "rca_factor": 0, + "result": "SScope.TrojanInjector.MY", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": 
false, + "name": "endgame", + "rca_factor": 0, + "result": "malicious (high confidence)", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "ahnlab", + "rca_factor": 0, + "result": "Trojan/Win32.Kazy.R3559", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "antivir", + "rca_factor": 0, + "result": "detected", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "avast", + "rca_factor": 0, + "result": "Win32:Unruy-Z [Trj]", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "bitdefender", + "rca_factor": 0, + "result": "Gen:Trojan.ProcessHijack.cqX@aaG5Soe", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "carbonblack", + "rca_factor": 0, + "result": "trojan", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "clamav", + "rca_factor": 0, + "result": "Win.Trojan.Powp-13", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "crowdstrike", + "rca_factor": 0, + "result": "win/malicious_confidence_100", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "mcafee_online", + "rca_factor": 0, + "result": "Downloader-CIS.c (trojan)", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "ffri", + "rca_factor": 0, + "result": "Detected", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "fireeye_online", + "rca_factor": 0, + "result": "Generic.mg.a984de0ce47a8d53", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "fortinet", + "rca_factor": 0, + "result": "W32/Powp.gen!tr", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "gdata", + "rca_factor": 0, + "result": 
"Gen:Trojan.ProcessHijack.cqX@aaG5Soe", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "ikarus", + "rca_factor": 0, + "result": "Trojan.Injector", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "k7computing", + "rca_factor": 0, + "result": "Riskware (0040eff71)", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "malwarebytes", + "rca_factor": 0, + "result": "Malware.AI.4098645872", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "mcafeegwedition_online", + "rca_factor": 0, + "result": "BehavesLike.Win32.VirRansom.pc", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "varist", + "rca_factor": 0, + "result": "W32/CeeInject.L.gen!Eldorado", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "mcafee_beta", + "rca_factor": 0, + "result": "Downloader-CIS.c (trojan)", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "sentinelone_online", + "rca_factor": 0, + "result": "DFI - Malicious PE", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "ahnlab_online", + "rca_factor": 0, + "result": "Trojan/Win32.Kazy.R3559", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "microsoft", + "rca_factor": 0, + "result": "TrojanDownloader:Win32/Unruy.H", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "microsoft_online", + "rca_factor": 0, + "result": "TrojanDownloader:Win32/Unruy.H", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "panda", + "rca_factor": 0, + "result": "Generic Suspicious", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "panda_online", + "rca_factor": 0, + 
"result": "Generic Malware", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "quickheal", + "rca_factor": 0, + "result": "VirTool.CeeInject.G", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "rising", + "rca_factor": 0, + "result": "Downloader.Unruy!1.679D", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "rising_online", + "rca_factor": 0, + "result": "Downloader.Unruy!1.679D", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "sonicwall", + "rca_factor": 0, + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "sophos_susi", + "rca_factor": 0, + "result": "Mal/EncPk-ZC", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "symantec", + "rca_factor": 0, + "result": "Trojan.Gen", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "symantec_beta", + "rca_factor": 0, + "result": "Trojan.Gen", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "symantec_online", + "rca_factor": 0, + "result": "Trojan.Gen", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "trendmicro", + "rca_factor": 0, + "result": "TROJ_UNRUY.SMJF", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "trendmicro_consumer", + "rca_factor": 0, + "result": "TROJ_UNRUY.SMJF", + "type": "av" + }, + { + "classification": 0, + "factor": 0, + "ignored": false, + "name": "mcafee", + "rca_factor": 0, + "result": "Downloader-CIS.c (trojan)", + "type": "av" + }, + { + "classification": 3, + "factor": 2, + "ignored": false, + "name": "Next-Generation Antivirus", + "rca_factor": 7, + "result": "Win32.Malware.Heuristic", + "type": "ng_av", + "version": "1.0" + } + ] }, + "index": 0, "indicators": [ { - 
"priority": 6, - "category": 10, - "description": "Executes a file." - }, - { - "priority": 5, - "category": 0, - "description": "Contains IP addresses." - }, - { - "priority": 5, - "category": 11, - "description": "Tampers with user/account privileges." - }, - { - "priority": 5, - "category": 22, - "description": "Writes to files in Windows system directories." - }, - { - "priority": 4, - "category": 22, - "description": "Creates/opens files in Windows system directories." - }, - { - "priority": 4, - "category": 13, - "description": "Enumerates system information." - }, - { - "priority": 4, "category": 4, - "description": "Possibly does process injection." - }, - { - "priority": 4, - "category": 22, - "description": "Reads from files in Windows system directories." - }, - { - "priority": 4, - "category": 11, - "description": "Requests permission required to lock physical pages in memory." - }, - { + "description": "Allocates additional memory in the calling process.", + "id": 17985, "priority": 3, - "category": 7, - "description": "Detects/enumerates process modules." + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: HeapAlloc", + "propagated": false + } + ], + "relevance": 0 }, { - "priority": 3, "category": 10, - "description": "Terminates a process/thread." - }, - { - "priority": 3, - "category": 1, - "description": "Uses anti-debugging methods." - }, - { - "priority": 3, - "category": 22, - "description": "Writes to files." - }, - { + "description": "Loads additional libraries.", + "id": 69, "priority": 2, - "category": 13, - "description": "Enumerates system variables." + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: LoadLibraryA", + "propagated": false + } + ], + "relevance": 1 }, { - "priority": 2, "category": 10, - "description": "Might load additional DLLs and APIs." 
- }, - { - "priority": 2, - "category": 12, - "description": "Monitors directory changes." - }, - { - "priority": 2, - "category": 22, - "description": "Reads from files." - }, - { + "description": "Loads additional APIs.", + "id": 70, "priority": 2, - "category": 10, - "description": "Uses pipes for interprocess communication." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to ntdll.dll which is NT Layer DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to powrprof.dll which is Power Profile Helper DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to psapi.dll which is Process Status Helper." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to document file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to source code file extensions." + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: GetProcAddress", + "propagated": false + }, + { + "category": "Indicator Match", + "description": "Matched another indicator that describes the following: Loads additional libraries.", + "propagated": false + } + ], + "relevance": 0 }, { + "category": 16, + "description": "Uses string related methods.", + "id": 18050, "priority": 1, - "category": 22, - "description": "Creates/Opens a file." 
- } - ], - "interesting_strings": [ - { - "category": "http", - "values": [ - "donate.v2.xmrig.com" - ] - }, - { - "category": "ipv4", - "values": [ - "0.0.0.0", - "127.0.0.1", - "3.120.209.58:8080" - ] - }, - { - "category": "mailto", - "values": [ - "pP0P@0.0.0.0" - ] + "reasons": [ + { + "category": "Imported API Name", + "description": "Imports the following function: lstrcatA", + "propagated": false + } + ], + "relevance": 0 } ], - "classification": { - "propagation_source": { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - "propagated": true, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - }, - { - "result": "Win64.Coinminer.Malxmr", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 4 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 827063294 - } - } - }, - { "info": { "file": { + "entropy": 7.222407502197507, + "file_name": "b26c8c3a-8d0e-459f-8f2c-c0b8783a8422_371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422", + "file_path": "b26c8c3a-8d0e-459f-8f2c-c0b8783a8422_371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422", "file_subtype": "Exe", - "entropy": 6.60580452906475, "file_type": "PE", - "file_name": "0", "hashes": [ + { + "name": "imphash", + "value": "054e4e5c28d6533b44ae24cbf3e08a15" + }, { "name": "md5", - "value": "8b84009488f7254a2be3c4409bcf286a" + "value": "a984de0ce47a8d5337ef569c812b57d0" }, { "name": "rha0", - "value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511" + "value": "6e60e6783d0e5104dab2311c93d6f9b42cebbf03" }, { "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" + "value": "0000a0a381d31e0dafcaa22343d2d7e40ff76e06" }, { "name": "sha256", - "value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc" + "value": "b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3" } ], - "file_path": 
"1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0", - "size": 620530 - } - }, - "indicators": [ - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." + "size": 42544 } - ], - "classification": { - "propagated": false, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - } - ], - "classification": 3, - "factor": 5 }, "metadata": { "application": { - "capabilities": 0 - } - } - }, - { - "info": { - "file": { - "file_subtype": "XML", - "entropy": 4.9116145157351045, - "file_type": "Text", - "file_name": "1", - "hashes": [ - { - "name": "md5", - "value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61" - }, - { - "name": "rha0", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha1", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha256", - "value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1", - "size": 381 + "capabilities": 4255756 } - }, - "classification": { - "propagated": false, - "scan_results": [ - { - "type": "cloud", - "name": "TitaniumCloud", - "classification": 1, - "factor": 0 - } - ], - "classification": 1, - "factor": 0 } } ] + } +} +``` + +#### Human Readable Output + +>## ReversingLabs TitaniumScale upload sample and get results +> +> **Type:** PE/Exe +> **Size:** 42544 bytes +> +> **IMPHASH:** 054e4e5c28d6533b44ae24cbf3e08a15 +> **MD5:** a984de0ce47a8d5337ef569c812b57d0 +> **RHA0:** 6e60e6783d0e5104dab2311c93d6f9b42cebbf03 +> **SHA1:** 0000a0a381d31e0dafcaa22343d2d7e40ff76e06 +> **SHA256:** b25e707a78a472d92a99b08be5d0e55072f695275a7408d1e841a5344ca85dc3 +> +> **Status:** malicious +> **Antivirus (based on the RCA Classify):** Win32.Downloader.Unruy +> **DBot score:** 3 + 
+ +### reversinglabs-titaniumscale-upload-sample + +*** +Upload sample to TitaniumScale for analysis. + +#### Base Command + +`reversinglabs-titaniumscale-upload-sample` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| entryId | The file entry to upload. | Required | +| custom_token | A custom token for filtering processing tasks. | Optional | +| user_data | User-defined data in the form of a JSON string. This data is NOT included in file analysis reports. | Optional | +| custom_data | User-defined data in the form of a JSON string. This data is included in file analysis reports. | Optional | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.task_Url | Unknown | url to get report from. | + +#### Command example +```!reversinglabs-titaniumscale-upload-sample entryId="371@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422" custom_token="a-custom-token"``` +#### Context Example +```json +{ + "InfoFile": { + "EntryID": "403@b26c8c3a-8d0e-459f-8f2c-c0b8783a8422", + "Info": "text/plain", + "Name": "Full report in JSON", + "Size": 95, + "Type": "ASCII text" }, - "HumanReadable": "## ReversingLabs TitaniumScale get report\n\n **Type:** PE+/Exe\n **Size:** 1653234 bytes \n\n **IMPHASH:** 71f37f91c14c4729e462a32b6b2ae9d4\n **MD5:** b44251a2f532cc8835f6ad164491ebae\n **RHA0:** e268f6a56d568c8b466dbb1f5671401a6898135e\n **SHA1:** 277d75e0593937034e12ed185c91b6bb9bbdc3c5\n **SHA256:** 4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f\n\n **Status:** malicious\n **TitaniumCloud:** Win32.Trojan.Graftor\n **DBot score:** 3\n", - "EntryContext": { - "File(val.MD5 && val.MD5 == obj.MD5 || val.SHA1 && val.SHA1 == obj.SHA1 || val.SHA256 && val.SHA256 == obj.SHA256 || val.SHA512 && val.SHA512 == obj.SHA512 || val.CRC32 && val.CRC32 == obj.CRC32 || val.CTPH && val.CTPH == obj.CTPH || val.SSDeep && val.SSDeep == obj.SSDeep)": [ - { - "MD5": "b44251a2f532cc8835f6ad164491ebae", - "SHA1": 
"277d75e0593937034e12ed185c91b6bb9bbdc3c5", - "SHA256": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f", - "Malicious": { - "Vendor": "ReversingLabs TitaniumScale", - "Description": "\n **TitaniumCloud:** Win32.Trojan.Graftor" - } - } - ], - "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [ - { - "Indicator": "277d75e0593937034e12ed185c91b6bb9bbdc3c5", - "Type": "file", - "Vendor": "ReversingLabs TitaniumScale", - "Score": 3 - } - ], - "ReversingLabs": { - "tc_report": [ - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.18799192412328, - "file_type": "PE+", - "file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "hashes": [ - { - "name": "imphash", - "value": "71f37f91c14c4729e462a32b6b2ae9d4" - }, - { - "name": "md5", - "value": "b44251a2f532cc8835f6ad164491ebae" - }, - { - "name": "rha0", - "value": "e268f6a56d568c8b466dbb1f5671401a6898135e" - }, - { - "name": "sha1", - "value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5" - }, - { - "name": "sha256", - "value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f" - } - ], - "file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "size": 1653234 - } - }, - "indicators": [ - { - "priority": 6, - "category": 10, - "description": "Executes a file." - }, - { - "priority": 5, - "category": 0, - "description": "Contains IP addresses." - }, - { - "priority": 5, - "category": 11, - "description": "Tampers with user/account privileges." - }, - { - "priority": 5, - "category": 22, - "description": "Writes to files in Windows system directories." - }, - { - "priority": 4, - "category": 22, - "description": "Creates/opens files in Windows system directories." - }, - { - "priority": 4, - "category": 13, - "description": "Enumerates system information." 
- }, - { - "priority": 4, - "category": 4, - "description": "Possibly does process injection." - }, - { - "priority": 4, - "category": 22, - "description": "Reads from files in Windows system directories." - }, - { - "priority": 4, - "category": 11, - "description": "Requests permission required to lock physical pages in memory." - }, - { - "priority": 3, - "category": 7, - "description": "Detects/enumerates process modules." - }, - { - "priority": 3, - "category": 10, - "description": "Terminates a process/thread." - }, - { - "priority": 3, - "category": 1, - "description": "Uses anti-debugging methods." - }, - { - "priority": 3, - "category": 22, - "description": "Writes to files." - }, - { - "priority": 2, - "category": 13, - "description": "Enumerates system variables." - }, - { - "priority": 2, - "category": 10, - "description": "Might load additional DLLs and APIs." - }, - { - "priority": 2, - "category": 12, - "description": "Monitors directory changes." - }, - { - "priority": 2, - "category": 22, - "description": "Reads from files." - }, - { - "priority": 2, - "category": 10, - "description": "Uses pipes for interprocess communication." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to ntdll.dll which is NT Layer DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to powrprof.dll which is Power Profile Helper DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to psapi.dll which is Process Status Helper." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL." 
- }, - { - "priority": 1, - "category": 12, - "description": "Contains references to document file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to source code file extensions." - }, - { - "priority": 1, - "category": 22, - "description": "Creates/Opens a file." - } - ], - "interesting_strings": [ - { - "category": "http", - "values": [ - "donate.v2.xmrig.com" - ] - }, - { - "category": "ipv4", - "values": [ - "0.0.0.0", - "127.0.0.1", - "3.120.209.58:8080" - ] - }, - { - "category": "mailto", - "values": [ - "pP0P@0.0.0.0" - ] - } - ], - "classification": { - "propagation_source": { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - "propagated": true, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - }, - { - "result": "Win64.Coinminer.Malxmr", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 4 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 827063294 - } - } - }, - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.60580452906475, - "file_type": "PE", - "file_name": "0", - "hashes": [ - { - "name": "md5", - "value": "8b84009488f7254a2be3c4409bcf286a" - }, - { - "name": "rha0", - "value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511" - }, - { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - { - "name": "sha256", - "value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0", - "size": 620530 - } - }, - "indicators": [ - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file 
extensions." - } - ], - "classification": { - "propagated": false, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 0 - } - } - }, - { - "info": { - "file": { - "file_subtype": "XML", - "entropy": 4.9116145157351045, - "file_type": "Text", - "file_name": "1", - "hashes": [ - { - "name": "md5", - "value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61" - }, - { - "name": "rha0", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha1", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha256", - "value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1", - "size": 381 - } - }, - "classification": { - "propagated": false, - "scan_results": [ - { - "type": "cloud", - "name": "TitaniumCloud", - "classification": 1, - "factor": 0 - } - ], - "classification": 1, - "factor": 0 - } - } - ] - } - }, - "IndicatorTimeline": [], - "IgnoreAutoExtract": false, - "Note": false, - "Relationships": [] + "ReversingLabs": { + "tc_task_url": "https://tiscale-worker-integrations-demo-01.rl.lan/api/tiscale/v1/task/42" + } } - ``` -

-
+ +#### Human Readable Output + +>## ReversingLabs TitaniumScale upload sample +> **Titanium Scale task URL**: https://tiscale-worker-integrations-demo-01.rl.lan/api/tiscale/v1/task/42 + +### reversinglabs-titaniumscale-get-results *** -## reversinglabs-titaniumscale-upload-sample -Upload sample to TitaniumScale instance for analysis. Returns the taskUrl which can be later used to retrieve the report. +Retrieve report of a previously uploaded file from TitaniumScale. -### Input +#### Base Command + +`reversinglabs-titaniumscale-get-results` + +#### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| entryId | entryId of the sample to upload | True | +| taskUrl | The file entry to upload. | Required | + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| File.SHA256 | String | The SHA256 hash of the file. | +| File.SHA1 | String | The SHA1 hash of the file. | +| File.SHA512 | String | The SHA512 hash of the file. | +| File.Name | String | The name of the file. | +| File.EntryID | String | The Entry ID. | +| File.Info | String | Information about the file. | +| File.Type | String | The type of the file. | +| File.MD5 | String | MD5 hash of the file. | +| DBotScore.Score | Number | The actual score. | +| DBotScore.Type | String | The indicator type. | +| DBotScore.Indicator | String | The indicator that was tested. | +| DBotScore.Vendor | String | The vendor used to calculate the score. | +| ReversingLabs.tc_report | String | Full report. | + +### reversinglabs-titaniumscale-list-processing-tasks + +*** +List active processing tasks. 
-### Command Example -```!reversinglabs-titaniumscale-upload-sample entryId="3156@1651bd83-3242-43e4-8084-26de8937ca81"``` +#### Base Command -### Human Readable Output: -![Image](doc_imgs/upload-sample.png) +`reversinglabs-titaniumscale-list-processing-tasks` -### Context Output +#### Input -| **Path** | **Description** | -| --- | --- | -| ReversingLabs.tc_task_url | URL to retrieve the report from| - -
+| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| age | Task age in seconds. | Optional | +| custom_token | A custom token for filtering processing tasks. | Optional | -
Context Example: -

+#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.list_processing_tasks | Unknown | Processing tasks. | +#### Command example +```!reversinglabs-titaniumscale-list-processing-tasks age="60" custom_token="a-custom-token"``` +#### Context Example ```json { - "Type": 1, - "ContentsFormat": "json", - "Contents": { - "tc_task_url": "https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795" - }, - "HumanReadable": "## ReversingLabs TitaniumScale file upload\n **Titanium Scale task URL**: https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795", - "EntryContext": { - "ReversingLabs": { - "tc_task_url": "https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15795" - } - }, - "IndicatorTimeline": [], - "IgnoreAutoExtract": false, - "Note": false, - "Relationships": [] + "ReversingLabs": { + "list_processing_tasks": [] + } } ``` -

-
+ +#### Human Readable Output + +>## ReversingLabs TitaniumScale List processing tasks +> ### Processing tasks +>**No entries.** + + +### reversinglabs-titaniumscale-get-processing-task-info *** -## reversinglabs-titaniumscale-get-results -Retrieve analysis report from TitaniumScale instance by taskUrl. +Retrieves information about a completed file processing task. -### Input +#### Base Command + +`reversinglabs-titaniumscale-get-processing-task-info` + +#### Input | **Argument Name** | **Description** | **Required** | | --- | --- | --- | -| taskUrl | URL to fetch the report from | True | +| task_id | Task ID. | Required | -### Command Example -```!reversinglabs-titaniumscale-get-results taskUrl="https://tiscale-worker-integrations-demo.rl.lan/api/tiscale/v1/task/15794"``` +#### Context Output -### Human Readable Output: -![Image](doc_imgs/get.png) +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.tc_report | Unknown | Full report. | -### Context Output -| **Path** | **Description** | -| --- | --- | -| File | File indicator | -| DBotScore | Score | -| ReversingLabs.tc_report | Full report in JSON | +### reversinglabs-titaniumscale-delete-processing-task -
+*** +Deletes a processing task. + +#### Base Command + +`reversinglabs-titaniumscale-delete-processing-task` -
Context Example: -

+#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| task_id | Task ID. | Required | +#### Context Output + +There is no context output for this command. +#### Command example +```!reversinglabs-titaniumscale-delete-processing-task task_id="100"``` +#### Human Readable Output + +>## ReversingLabs TitaniumScale delete processing task +> Task 100 deleted successfully. + +### reversinglabs-titaniumscale-delete-multiple-tasks + +*** +Deletes multiple processing tasks. + +#### Base Command + +`reversinglabs-titaniumscale-delete-multiple-tasks` + +#### Input + +| **Argument Name** | **Description** | **Required** | +| --- | --- | --- | +| age | Task age in seconds. | Required | + +#### Context Output + +There is no context output for this command. +#### Command example +```!reversinglabs-titaniumscale-delete-multiple-tasks age="20"``` +#### Human Readable Output + +>## ReversingLabs TitaniumScale delete multiple tasks +> Tasks of age 20 seconds or less deleted successfully. + +### reversinglabs-titaniumscale-get-yara-id + +*** +Retrieves the identifier of the current set of YARA rules on the TitaniumScale Worker instance. + +#### Base Command + +`reversinglabs-titaniumscale-get-yara-id` + +#### Input + +There are no input arguments for this command. + +#### Context Output + +| **Path** | **Type** | **Description** | +| --- | --- | --- | +| ReversingLabs.yara_id | Unknown | Identifier of the current set of YARA rules on the TitaniumScale Worker instance. 
| + +#### Command example +```!reversinglabs-titaniumscale-get-yara-id``` +#### Context Example ```json { - "Type": 1, - "ContentsFormat": "json", - "Contents": { - "tc_report": [ - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.18799192412328, - "file_type": "PE+", - "file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "hashes": [ - { - "name": "imphash", - "value": "71f37f91c14c4729e462a32b6b2ae9d4" - }, - { - "name": "md5", - "value": "b44251a2f532cc8835f6ad164491ebae" - }, - { - "name": "rha0", - "value": "e268f6a56d568c8b466dbb1f5671401a6898135e" - }, - { - "name": "sha1", - "value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5" - }, - { - "name": "sha256", - "value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f" - } - ], - "file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "size": 1653234 - } - }, - "indicators": [ - { - "priority": 6, - "category": 10, - "description": "Executes a file." - }, - { - "priority": 5, - "category": 0, - "description": "Contains IP addresses." - }, - { - "priority": 5, - "category": 11, - "description": "Tampers with user/account privileges." - }, - { - "priority": 5, - "category": 22, - "description": "Writes to files in Windows system directories." - }, - { - "priority": 4, - "category": 22, - "description": "Creates/opens files in Windows system directories." - }, - { - "priority": 4, - "category": 13, - "description": "Enumerates system information." - }, - { - "priority": 4, - "category": 4, - "description": "Possibly does process injection." - }, - { - "priority": 4, - "category": 22, - "description": "Reads from files in Windows system directories." - }, - { - "priority": 4, - "category": 11, - "description": "Requests permission required to lock physical pages in memory." - }, - { - "priority": 3, - "category": 7, - "description": "Detects/enumerates process modules." 
- }, - { - "priority": 3, - "category": 10, - "description": "Terminates a process/thread." - }, - { - "priority": 3, - "category": 1, - "description": "Uses anti-debugging methods." - }, - { - "priority": 3, - "category": 22, - "description": "Writes to files." - }, - { - "priority": 2, - "category": 13, - "description": "Enumerates system variables." - }, - { - "priority": 2, - "category": 10, - "description": "Might load additional DLLs and APIs." - }, - { - "priority": 2, - "category": 12, - "description": "Monitors directory changes." - }, - { - "priority": 2, - "category": 22, - "description": "Reads from files." - }, - { - "priority": 2, - "category": 10, - "description": "Uses pipes for interprocess communication." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to ntdll.dll which is NT Layer DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to powrprof.dll which is Power Profile Helper DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to psapi.dll which is Process Status Helper." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to document file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to source code file extensions." - }, - { - "priority": 1, - "category": 22, - "description": "Creates/Opens a file." 
- } - ], - "interesting_strings": [ - { - "category": "http", - "values": [ - "donate.v2.xmrig.com" - ] - }, - { - "category": "ipv4", - "values": [ - "0.0.0.0", - "127.0.0.1", - "3.120.209.58:8080" - ] - }, - { - "category": "mailto", - "values": [ - "pP0P@0.0.0.0" - ] - } - ], - "classification": { - "propagation_source": { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - "propagated": true, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - }, - { - "result": "Win64.Coinminer.Malxmr", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 4 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 827063294 - } - } - }, - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.60580452906475, - "file_type": "PE", - "file_name": "0", - "hashes": [ - { - "name": "md5", - "value": "8b84009488f7254a2be3c4409bcf286a" - }, - { - "name": "rha0", - "value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511" - }, - { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - { - "name": "sha256", - "value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0", - "size": 620530 - } - }, - "indicators": [ - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." 
- } - ], - "classification": { - "propagated": false, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 0 - } - } - }, - { - "info": { - "file": { - "file_subtype": "XML", - "entropy": 4.9116145157351045, - "file_type": "Text", - "file_name": "1", - "hashes": [ - { - "name": "md5", - "value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61" - }, - { - "name": "rha0", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha1", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha256", - "value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1", - "size": 381 - } - }, - "classification": { - "propagated": false, - "scan_results": [ - { - "type": "cloud", - "name": "TitaniumCloud", - "classification": 1, - "factor": 0 - } - ], - "classification": 1, - "factor": 0 - } - } - ] - }, - "HumanReadable": "## ReversingLabs TitaniumScale get report\n\n **Type:** PE+/Exe\n **Size:** 1653234 bytes \n\n **IMPHASH:** 71f37f91c14c4729e462a32b6b2ae9d4\n **MD5:** b44251a2f532cc8835f6ad164491ebae\n **RHA0:** e268f6a56d568c8b466dbb1f5671401a6898135e\n **SHA1:** 277d75e0593937034e12ed185c91b6bb9bbdc3c5\n **SHA256:** 4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f\n\n **Status:** malicious\n **TitaniumCloud:** Win32.Trojan.Graftor\n **DBot score:** 3\n", - "EntryContext": { - "File(val.MD5 && val.MD5 == obj.MD5 || val.SHA1 && val.SHA1 == obj.SHA1 || val.SHA256 && val.SHA256 == obj.SHA256 || val.SHA512 && val.SHA512 == obj.SHA512 || val.CRC32 && val.CRC32 == obj.CRC32 || val.CTPH && val.CTPH == obj.CTPH || val.SSDeep && val.SSDeep == obj.SSDeep)": [ - { - "MD5": "b44251a2f532cc8835f6ad164491ebae", - 
"SHA1": "277d75e0593937034e12ed185c91b6bb9bbdc3c5", - "SHA256": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f", - "Malicious": { - "Vendor": "ReversingLabs TitaniumScale", - "Description": "\n **TitaniumCloud:** Win32.Trojan.Graftor" - } - } - ], - "DBotScore(val.Indicator && val.Indicator == obj.Indicator && val.Vendor == obj.Vendor && val.Type == obj.Type)": [ - { - "Indicator": "277d75e0593937034e12ed185c91b6bb9bbdc3c5", - "Type": "file", - "Vendor": "ReversingLabs TitaniumScale", - "Score": 3 - } - ], - "ReversingLabs": { - "tc_report": [ - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.18799192412328, - "file_type": "PE+", - "file_name": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "hashes": [ - { - "name": "imphash", - "value": "71f37f91c14c4729e462a32b6b2ae9d4" - }, - { - "name": "md5", - "value": "b44251a2f532cc8835f6ad164491ebae" - }, - { - "name": "rha0", - "value": "e268f6a56d568c8b466dbb1f5671401a6898135e" - }, - { - "name": "sha1", - "value": "277d75e0593937034e12ed185c91b6bb9bbdc3c5" - }, - { - "name": "sha256", - "value": "4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452f" - } - ], - "file_path": "/scratch/1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81", - "size": 1653234 - } - }, - "indicators": [ - { - "priority": 6, - "category": 10, - "description": "Executes a file." - }, - { - "priority": 5, - "category": 0, - "description": "Contains IP addresses." - }, - { - "priority": 5, - "category": 11, - "description": "Tampers with user/account privileges." - }, - { - "priority": 5, - "category": 22, - "description": "Writes to files in Windows system directories." - }, - { - "priority": 4, - "category": 22, - "description": "Creates/opens files in Windows system directories." - }, - { - "priority": 4, - "category": 13, - "description": "Enumerates system information." 
- }, - { - "priority": 4, - "category": 4, - "description": "Possibly does process injection." - }, - { - "priority": 4, - "category": 22, - "description": "Reads from files in Windows system directories." - }, - { - "priority": 4, - "category": 11, - "description": "Requests permission required to lock physical pages in memory." - }, - { - "priority": 3, - "category": 7, - "description": "Detects/enumerates process modules." - }, - { - "priority": 3, - "category": 10, - "description": "Terminates a process/thread." - }, - { - "priority": 3, - "category": 1, - "description": "Uses anti-debugging methods." - }, - { - "priority": 3, - "category": 22, - "description": "Writes to files." - }, - { - "priority": 2, - "category": 13, - "description": "Enumerates system variables." - }, - { - "priority": 2, - "category": 10, - "description": "Might load additional DLLs and APIs." - }, - { - "priority": 2, - "category": 12, - "description": "Monitors directory changes." - }, - { - "priority": 2, - "category": 22, - "description": "Reads from files." - }, - { - "priority": 2, - "category": 10, - "description": "Uses pipes for interprocess communication." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to api-ms-win-core-synch-l1-2-0.dll which is ApiSet Stub DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to kernel32.dll which is Windows NT BASE API Client DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to ntdll.dll which is NT Layer DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to powrprof.dll which is Power Profile Helper DLL." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to psapi.dll which is Process Status Helper." - }, - { - "priority": 1, - "category": 10, - "description": "Contains reference to user32.dll which is Multi-User Windows USER API Client DLL." 
- }, - { - "priority": 1, - "category": 12, - "description": "Contains references to document file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file extensions." - }, - { - "priority": 1, - "category": 12, - "description": "Contains references to source code file extensions." - }, - { - "priority": 1, - "category": 22, - "description": "Creates/Opens a file." - } - ], - "interesting_strings": [ - { - "category": "http", - "values": [ - "donate.v2.xmrig.com" - ] - }, - { - "category": "ipv4", - "values": [ - "0.0.0.0", - "127.0.0.1", - "3.120.209.58:8080" - ] - }, - { - "category": "mailto", - "values": [ - "pP0P@0.0.0.0" - ] - } - ], - "classification": { - "propagation_source": { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - "propagated": true, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - }, - { - "result": "Win64.Coinminer.Malxmr", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 4 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 827063294 - } - } - }, - { - "info": { - "file": { - "file_subtype": "Exe", - "entropy": 6.60580452906475, - "file_type": "PE", - "file_name": "0", - "hashes": [ - { - "name": "md5", - "value": "8b84009488f7254a2be3c4409bcf286a" - }, - { - "name": "rha0", - "value": "42f8f3d9c5a7044a0895c89f27c1d9cdc2777511" - }, - { - "name": "sha1", - "value": "848899ad7d2afabfb64806cc9ef8d7d1a3f77641" - }, - { - "name": "sha256", - "value": "91ad1155d57e91caa994da40fff6048eb8c10fcf9a6c1b7d5a393f605d718acc" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/overlay/0", - "size": 620530 - } - }, - "indicators": [ - { - "priority": 1, - "category": 12, - "description": "Contains references to executable file 
extensions." - } - ], - "classification": { - "propagated": false, - "scan_results": [ - { - "result": "Win32.Trojan.Graftor", - "type": "cloud", - "name": "TitaniumCloud", - "classification": 3, - "factor": 5 - } - ], - "classification": 3, - "factor": 5 - }, - "metadata": { - "application": { - "capabilities": 0 - } - } - }, - { - "info": { - "file": { - "file_subtype": "XML", - "entropy": 4.9116145157351045, - "file_type": "Text", - "file_name": "1", - "hashes": [ - { - "name": "md5", - "value": "1e4a89b11eae0fcf8bb5fdd5ec3b6f61" - }, - { - "name": "rha0", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha1", - "value": "4260284ce14278c397aaf6f389c1609b0ab0ce51" - }, - { - "name": "sha256", - "value": "4bb79dcea0a901f7d9eac5aa05728ae92acb42e0cb22e5dd14134f4421a3d8df" - } - ], - "file_path": "1651bd83-3242-43e4-8084-26de8937ca81_31051651bd83-3242-43e4-8084-26de8937ca81/binary_layer/resource/1", - "size": 381 - } - }, - "classification": { - "propagated": false, - "scan_results": [ - { - "type": "cloud", - "name": "TitaniumCloud", - "classification": 1, - "factor": 0 - } - ], - "classification": 1, - "factor": 0 - } - } - ] + "ReversingLabs": { + "yara_id": { + "id": "f0a151ce303ae9b9e46b236492ac9196f3f72490" } - }, - "IndicatorTimeline": [], - "IgnoreAutoExtract": false, - "Note": false, - "Relationships": [] + } } ``` -

-
+#### Human Readable Output + +>## ReversingLabs TitaniumScale YARA ruleset ID +> **ID**: f0a151ce303ae9b9e46b236492ac9196f3f72490