ReversingLabs A1000

Overview

Use the A1000 Malware Analysis Platform to support advanced hunting and investigations through high-speed automated static analysis. A1000 Malware Analysis Platform is integrated with file reputation services to provide in-depth rich context and threat classification on over 6B files and across all file types.

This integration was integrated and tested with ReversingLabs A1000 Malware Analysis Platform™, 3.7.1.4.


Use Cases

  • Supports automated analysis processes (Static Analysis) that includes unpacking and identifying the families of archives, installers, packers and compressors.
  • Extracts over 3,000 PTIs from extracted files for PE/Windows, ELF/Linux, Mac OS, iOS, Android, firmware, and documents.
  • Calculates file threat level using extracted information.

Helps in regulating the investigation process by uploading and downloading samples to A1000 cloud platform at any point in time. (File reputation data can also be retrieved from an A1000 appliance.)


Prerequisites

You need to obtain the following ReversingLabs A1000 platform information.

  • Base URL of the A1000 box (https://a1000.reversinglabs.com)
  • Authentication Token

Get Your ReversingLabs A1000 Authentication Token

  1. Log in to the ReversingLabs A1000 platform.
  2. Navigate to Administration and click the Tokens icon.
  3. On the Authentication Tokens page, click the red plus button to create a new token key.
  4. Select the necessary user, and click the Save button.
    The new key is listed on the token table.
  5. Copy the key (authentication token), which you will paste when you configure the integration on Demisto.

Configure ReversingLabs A1000 Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for ReversingLabs A1000.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Base URL of the A1000 box : https://a1000.reversinglabs.com
    • Authentication Token : paste the token that you copied.
  4. Click Test to validate the URLs and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Upload a sample to A1000 for analysis : reversinglabs-upload

Upload a sample to A1000 for analysis.

Command Example

!reversinglabs-upload entryId=" 126@331388d4-d045-4e89-843f-28569f05556e " cloud_analyze=" true "

Input

Parameter

Description

entryId

Entry ID of the file to be uploaded. (Once you upload a file on Demisto’s platform, click on the link(chain) icon to get the entry ID of that file)

comment

A comment for the file to be uploaded.

tags

A comma separated list of tags for the file.

cloud_analyze

Specifies if the sample is sent to TiCloud for scanning. By default the value is true .

  • True = sent to TiCloud
  • False = not sent to TiCloud

Human Readable Output

Raw Output

{
"code": 201,
 "message": "Done.",
 "detail": {
     "id": 604883,
     "sha1": "2fb56606463867310bbe853501d662cc21a7f6d9",
     "user": 585,
     "created": "2018-05-27T22:32:06.830474Z",
     "filename": "2018-05-24-Trickbot-malspam-1140-UTC.eml",
     "href": "/?q=2fb56606463867310bbe853501d662cc21a7f6d9"
 }
}

Reanalyze sample set: reversinglabs-analyze

Schedule a set of samples that were previously updated to the A1000 appliance to be reanalyzed.

Command Example

!reversinglabs-analyze hash=" 2fb56606463867310bbe853501d662cc21a7f6d9 "

Input

Parameter

Description

hash

The hash of a previously uploaded sample. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest.

Human Readable Output

 

Raw Output

{
     "code": 200,
     "message": "Sample is already queued for analysis.",
     "detail": {
     "sha1": "f3be1fe7a01b73f0a6eaef9b62945433fcf53d3c",
     "Sha256": "f474543f4dace1e830df2dcbed83aecd89a24069c99952f5d24cf0379c116195",
     "md5": "fdd22060f2680b46f2783b3b579e82d5"
     }
}

Download a sample to the investigation: reversinglabs-download

Download a sample that resides on A1000 to the investigation.

Command Example

!reversinglabs-download hash=" fdd22060f2680b46f2783b3b579e82d5 "

Input

Parameter

Description

hash

The hash of a sample that resides on A1000. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest.

Human Readable Output

Raw Output

There is no raw output for this command.

When the command runs successfully, you get a downloadable file.

When the command fails, you receive a notification with one of the following error codes.

  • 404 - Sample not found.
  • 401 - Unable to retrieve sample content.

Download samples obtained through the unpacking process : reversinglabs-download-unpacked

Download samples obtained through the unpacking process.

Command Example

!reversinglabs-download-unpacked hash=" 6bb767e20c25e4d37e73fc0733c7ef2fce4ac8c6 "

Input

Parameter

Description

hash

The hash of a sample that resides on A1000. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest

Human Readable Output

Raw Output

There is no raw output for this command.

When the command runs successfully, you get a downloadable file.

When the command fails, you are receive a notification with one of the following error codes.

  • 404 - Sample not found.
  • 401 - Unable to retrieve sample content.

List extracted files from a sample : reversinglabs-extracted-files

List extracted files from a sample

Command Example

!reversinglabs-extracted-files hash=" f3be1fe7a01b73f0a6eaef9b62945433fcf53d3c "

Input

Parameter

Description

hash

The hash of an already uploaded sample. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest

Human Readable Output

Raw Output

{
 "count": 5,
 "next": null,
 "previous": null,
 "results": [
   {
     "id": 197,
     "parent_relationship": null,
     "sample": {
     "id": 192,
     "sha1": "e906fa3d51e86a61741b3499145a114e9bfb7c56",
     "type_display": "PE/Exe",
     "category": "application",
     "file_type": "PE",
     "file_subtype": "Exe",
     "identification_name": "",
     "identification_version": "",
     "file_size": 267278,
     "extracted_file_count": 2,
     "local_first_seen": "2016-05-05T09:57:50.910412Z",
     "local_last_seen": "2016-05-05T13:43:21.282072Z",
     "threat_status": "malicious",
     "trust_factor": 5,
     "threat_level": 5,
     "threat_name": "Win32.Trojan.Bitman"
   },
 "filename": "DeVuongHoi.exe",
 "path": "DeVuongHoi.exe"
},
{
 "id": 198,
 "parent_relationship": null,
 "sample": {
   "id": 198,
   "sha1": "e654d39cd13414b5151e8cf0d8f5b166dddd45cb",
   "type_display": "PE/Exe",
   "category": "application",
   "file_type": "PE",
   "file_subtype": "Exe",
   "identification_name": "",
   "identification_version": "",
   "file_size": 290816,
ReversingLabs
123
   "extracted_file_count": 1,
   "local_first_seen": "2016-05-05T09:58:27.096525Z",
   "local_last_seen": "2016-05-05T09:58:27.096525Z",
   "threat_status": "malicious",
   "trust_factor": 5,
   "threat_level": 5,
   "threat_name": "Win32.Malware.YARA"
 },
 "filename": "DieGroupv8.exe",
 "path": "DieGroupv8.exe"
},
...

Delete an uploaded sample : reversinglabs-delete

Delete an uploaded sample for the specified hash value that resides A1000. All related data, including extracted samples and metadata, will be deleted.

Command Example

!reversinglabs-delete hash=" 942d85abb2e94a4e5205eae7efdc5677ee6a0881 "

Input

Parameter

Description

hash

The hash of a sample that resides on A1000. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest

Human Readable Output

Raw Output

{
     "code": 200,
     "message": "Sample deleted successfully.",
     "detail": {
     "sha1": "f3be1fe7a01b73f0a6eaef9b62945433fcf53d3c",
     "Sha256": "f474543f4dace1e830df2dcbed83aecd89a24069c99952f5d24cf0379c116195",
     "Sha512": "68d32e15df33735173ac457c948ed411e2f5aac1dc0d48feaafe5e38f1cd86fe5d67053dca7de36206beed4c9c6274d605a9dfcb19a6c48c8ceb2ffb0bc530d5"
     "md5": "fdd22060f2680b46f2783b3b579e82d5"
     }
}

Retrieve file reputation data from an A1000 appliance : file

Retrieve file reputation data from an A1000 appliance.

Command Example

!file file=" 8437682e44a764d0c0f610f6cb262a98 "

Input

Parameter

Description

file

The hash that you want to retrieve reputation data for. Hexadecimal representation of SHA-1, SHA-256, SHA-512, or MD5 digest.

Human Readable Output

Context Output

Parameter

Description

File.MD5

Bad hash detected.

File.SHA1

Bad hash SHA-1.

File.Malicious.Vendor

For malicious files, the vendor that made the decision.

File.Malicious.Detections

For malicious files, the total number of detections.

File.Malicious.TotalEngines

For malicious files, the total number of engines.

DBotScore.Indicator

The indicator that is being tested.

DBotScore.Type

Indicator type.

DBotScore.Vendor

Vendor used to calculate the score.

DBotScore.Score

The actual score

Raw Output

"results": [
{
          "category": "archive",
          "aliases": {
           "0": "2017-12-04-artifacts-from-Dridex-malspam-infection.zip"
          },
          "classification_origin":{
                    "imphash": "33259202a22c25d002be697749eb957e",
                    "md5": "dbf96ab40b728c12951d317642fbd9da",
                    "sha1": "38687e06f4f66a6a661b94aaf4e73d0012dfb8e3",
                    "sha256": "daab430bb5771eaa7af0fbd3417604e8af5f4693099a6393a4dc3b440863bced",
                    "sha512": "a49cc96651d01da5d6cbb833df36b7987eafb4f09cc9c516c10d0d812002d06ae8edee4e7256c84e300dc2eadad90f7bb37c797bccdee4bad16fcaf88277b381"
          }
          "classification_reason": "cloud",
          "extracted_file_count": 79,
          "file_size": 1525222,
          "file_subtype": "Archive",
          "file_type": "Binary",
          "identification_name": "ZIP",
          "identification_version": "Generic",
          "local_first_seen": "2018-05-27T22:50:27.414449Z",
          "local_last_seen": "2018-05-27T22:50:27.414449Z",
          "md5": "fdd22060f2680b46f2783b3b579e82d5",
          "sha1": "f3be1fe7a01b73f0a6eaef9b62945433fcf53d3c",
          "sha256": "f474543f4dace1e830df2dcbed83aecd89a24069c99952f5d24cf0379c116195",
          "sha512": "68d32e15df33735173ac457c948ed411e2f5aac1dc0d48feaafe5e38f1cd86fe5d67053dca7de36206beed4c9c6274d605a9dcb19a6c48c8ceb2ffb0bc530d5",
          "summary":{
                    "id": 8306112,
                    "indicators": []
          }
          "sha1": "f3be1fe7a01b73f0a6eaef9b62945433fcf53d3c",
          "threat_level": 5,
          "threat_name": Win32.Trojan.Dridex,
          "threat_status": malicious,
          "ticloud": {
                    "first_seen": "2018-05-27T22:50:32Z",
                    "last_seen": "2018-05-27T22:55:00Z",
                    "threat_level": 0,
                    "threat_name": null,
                    "threat_status": "known",
                    "trust_factor": 5,
                    "Trust_factor" 5
          }
}