
Handling malware as zip protected file #538

Closed
axpatito opened this issue Apr 11, 2018 · 9 comments

Comments

@axpatito

Hi all,

What would the use case be if I need to upload files that are password-zipped and contain malware?

Sometimes I get samples from external sources that are delivered as compressed files with a password in order to avoid AV detection. Is there a functionality that would allow me to upload the file AS IS to TheHive and extract the artifacts from it, creating the necessary observables?

Can this be done automagically?

@nadouani
Contributor

Hello,

This is not supported in the current TheHive version, but it could be a good idea.
I don't know when this could be added, but it's definitely a good feature request.

@nadouani nadouani changed the title [QUESTION] Handling malware as zip protected file Handling malware as zip protected file Apr 12, 2018
@AustinHaigh

Hi @axpatito and @nadouani,

Just want to clarify what you are looking for, in terms of observables and what you mean by “extract the artifacts”. I am presuming that we simply want to identify accessible metadata about the content, versus actually extracting/unzipping the live malware content.

With that in mind, some useful metadata might include:

  • Filenames
  • Directory structure
  • Original file size
  • Compressed file size
  • CRC/Checksum data
  • Dates/Times
  • Compression type
  • etc.

Would having access to this type of information meet the need for this feature request?

@saadkadhi
Contributor

Hi @AustinHaigh. In fact it's much simpler than that. As an analyst, you may receive password-protected zipped malware (or a suspicious file that needs to be analyzed). In the current version of TheHive, you'll have to:

  • unzip the password-protected archive in a location that is not scanned by your endpoint's AV, taking extra precautions to avoid accidentally infecting your machine
  • add the file as an observable to TheHive
  • analyze it using Cortex etc.

The feature request should allow analysts to have access to a new datatype (for ex. protected zip) and when they import the archive, they can specify the password needed to open it and TheHive should extract all files (if more than one) and add them as file observables while, if possible, adding the original zip file as-is for the audit trail.

@AustinHaigh

Okay, thanks for the clarification. I have implemented a proof of concept, would someone mind taking a look at it and providing some comments/feedback?

The code extracts each file from the zip archive and submits the archive and each file as separate observables (with the same tags and description).

  • IF the archive is password protected, it checks for a tag beginning with ‘password:’ and uses the string after the colon as the password.
  • IF it doesn’t find such a tag, it pulls the datastore.attachment.password configuration option, which is used by AttachmentCtrl when a user downloads a file observable as an encrypted zip archive (and defaults to ‘malware’).

https://github.com/AustinHaigh/TheHive/tree/zipFileUpload
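The import flow that @saadkadhi asked for and that the comment above describes (archive in, password from a ‘password:’ tag or a ‘malware’ default, one file observable per member plus the archive itself for the audit trail), written out as an added example. This is not the PoC from the linked branch and not TheHive's own code; it is in Python rather than the project's Scala so it runs stand-alone. Assumed: the observable dict shape, the MAX_FILE_SIZE cap, stripping the password tag from the observables, and the constructed sample archive. The ZipCrypto writer at the bottom exists only because the standard library can read but not write password-protected zips, so a sample has to be built inline.

```python
import hashlib
import io
import struct
import zipfile
import zlib

MAX_FILE_SIZE = 64 * 1024 * 1024  # assumed cap: refuse members declared larger (zip-bomb guard)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def password_from_tags(tags, default=b"malware"):
    """PoC rule: a tag 'password:<pw>' wins; otherwise the configured default ('malware')."""
    for tag in tags:
        if tag.startswith("password:"):
            return tag[len("password:"):].encode()
    return default


def extract_observables(archive_name, archive, tags, description, default_pwd=b"malware"):
    """One observable per archive member, plus the archive itself for the audit trail.
    Members are decrypted in memory and hashed, never written to disk (nothing for the AV to catch)."""
    pwd = password_from_tags(tags, default_pwd)
    obs_tags = [t for t in tags if not t.startswith("password:")]  # assumed: don't copy the password onto the case
    observables = [{"dataType": "zipfile", "filename": archive_name,
                    "sha256": sha256_hex(archive), "size": len(archive),
                    "tags": obs_tags, "description": description}]
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_FILE_SIZE:
                raise ValueError(f"{info.filename}: declared size {info.file_size} over limit")
            try:
                data = zf.read(info, pwd=pwd)
            except (RuntimeError, zipfile.BadZipFile) as exc:
                # zipfile reports a wrong ZipCrypto password as RuntimeError, or as a
                # CRC failure (BadZipFile) if the 1-byte password check passes by chance
                raise ValueError(f"{info.filename}: {exc}") from None
            observables.append({"dataType": "file", "filename": info.filename,
                                "sha256": sha256_hex(data), "size": len(data),
                                "tags": obs_tags, "description": description})
    return observables


# ---- Minimal ZipCrypto (traditional PKWARE) writer, used only to build the constructed
# ---- sample below. Real samples arrive from outside; TheHive only needs to read them.
def _crc_byte(crc, ch):
    crc ^= ch  # one byte of CRC-32, bit by bit (same as the table-driven form readers use)
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


def zipcrypto_encrypt(plain, pwd, crc):
    """12-byte check header + ciphertext; the key schedule advances on plaintext bytes."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(ch):
        nonlocal k0, k1, k2
        k0 = _crc_byte(k0, ch)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_byte(k2, k1 >> 24)
    for ch in pwd:
        update(ch)
    out = bytearray()
    # 11 filler bytes then the CRC's high byte: readers use byte 12 as the password check
    for ch in bytes(11) + bytes([(crc >> 24) & 0xFF]) + plain:
        t = k2 | 2
        out.append(ch ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(ch)
    return bytes(out)


def build_encrypted_zip(files, pwd):
    """STORED entries with general-purpose flag bit 0 (encrypted) set; files is {name: bytes}."""
    local, central = b"", b""
    date = ((2018 - 1980) << 9) | (4 << 5) | 11  # DOS date 2018-04-11, time field 0
    for name, data in files.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = zipcrypto_encrypt(data, pwd, crc)
        fn, offset = name.encode(), len(local)
        local += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, 0, date,
                             crc, len(body), len(data), len(fn), 0) + fn + body
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0, 0,
                               date, crc, len(body), len(data), len(fn),
                               0, 0, 0, 0, 0, offset) + fn
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(files), len(files),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample: harmless stand-ins, not real malware.
SAMPLE_FILES = {"dropper.exe": b"MZ\x90\x00 constructed bytes, not a real PE",
                "notes.txt": b"received 2018-04-11 from a partner SOC\n"}
SAMPLE_ZIP = build_encrypted_zip(SAMPLE_FILES, b"infected")
SAMPLE_TAGS = ["phishing", "password:infected"]

if __name__ == "__main__":
    for o in extract_observables("sample.zip", SAMPLE_ZIP, SAMPLE_TAGS, "partner sample"):
        print(o["dataType"], o["filename"], o["size"], o["sha256"][:16])
```

Two caveats a practitioner would want: the extracted bytes are only hashed and sized here, which is all TheHive needs to register a file observable before handing it to Cortex, so nothing touches disk; and the standard-library reader understands ZipCrypto only, so archives that 7-Zip or WinRAR produced with AES encryption need a third-party reader such as pyzipper, which is one reason tests with archives from several tools (as @axpatito did) are worth having.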

@axpatito
Author

I can jump into it. I'll do some tests tomorrow.

@axpatito
Author

axpatito commented Jul 9, 2018

@AustinHaigh I've been doing tests and I can't get the code base to work. I tried with various files compressed with both malware and benign files, also from different compression software (7zip, WinRAR, native Linux zip command on CentOS and Ubuntu). IMO we should add unit tests to this feature before creating a PR.

@AustinHaigh

I'm sorry, I forgot to mention I added a new datatype called 'zipfile', and only files uploaded with the 'zipfile' datatype are automatically uncompressed. Are you using the right datatype? I added the datatype to thehive-backend/app/models/Migration.scala but it only gets created when the database is being initialized. Is there something else I need to do to add the datatype to an already initialized database? Maybe increment a version number?

@axpatito
Author

axpatito commented Jul 18, 2018

Hey @AustinHaigh, I confirm that this feature actually works as expected. Sorry it took so long, I got caught up in another PR I'm working on. Are you gonna open a PR?

@AustinHaigh

No problem. I'll open a PR now.

@To-om To-om added this to the 3.1.0 (Cerana 1) milestone Jul 30, 2018
@To-om To-om closed this as completed Jul 30, 2018