The Dynamic Report
This is the Go structure definition of the Behavioral JSON report that Triage creates.
// Copyright (C) 2019-2022 Hatching B.V.
// All rights reserved.
package triage
// NOTE(review): every string, byte slice and interface{} value in this report
// originates from the analysed sample or its network traffic. Consumers
// should treat those values as untrusted input: escape them before rendering
// and never hand them to a shell or interpreter unescaped.

// TriageReport is the top-level behavioral report document. Sample, Task and
// Network are always emitted (as "{}" when empty); Signatures is always
// emitted and is "null" when nil. Note that `omitempty` on the Analysis
// struct field has no effect for encoding/json, so "analysis" is always
// present as well.
type TriageReport struct {
	Version    string                 `json:"version"`
	Sample     TargetDesc             `json:"sample"`
	Task       TargetDesc             `json:"task"`
	Errors     []ReportedFailure      `json:"errors,omitempty"`
	Analysis   ReportAnalysisInfo     `json:"analysis,omitempty"`
	Processes  []Process              `json:"processes,omitempty"`
	Signatures []Signature            `json:"signatures"`
	Network    NetworkReport          `json:"network"`
	Debug      map[string]interface{} `json:"debug,omitempty"`
	Dumped     []Dump                 `json:"dumped,omitempty"`
	Extracted  []Extract              `json:"extracted,omitempty"`
}

// TargetDesc describes a submitted sample or a single task: identity,
// timestamps (as strings), the file's size and hashes, and static tags.
// CompatScore and CompatCompleted are serialized under the plain keys
// "score" and "completed". All fields are omitted when zero.
type TargetDesc struct {
	ID              string   `json:"id,omitempty"`
	CompatScore     int      `json:"score,omitempty"`
	Submitted       string   `json:"submitted,omitempty"`
	CompatCompleted string   `json:"completed,omitempty"`
	Target          string   `json:"target,omitempty"`
	Pick            string   `json:"pick,omitempty"`
	Type            string   `json:"type,omitempty"`
	Size            int64    `json:"size,omitempty"`
	MD5             string   `json:"md5,omitempty"`
	SHA1            string   `json:"sha1,omitempty"`
	SHA256          string   `json:"sha256,omitempty"`
	SHA512          string   `json:"sha512,omitempty"`
	Filetype        string   `json:"filetype,omitempty"`
	StaticTags      []string `json:"static_tags,omitempty"`
}

// ReportedFailure records an error raised while producing the report.
// Reason is always emitted; Task and Backend only when set.
type ReportedFailure struct {
	Task    string `json:"task,omitempty"`
	Backend string `json:"backend,omitempty"`
	Reason  string `json:"reason"`
}

// ReportAnalysisInfo summarises the analysis run: score, tags, TTPs and
// features, timing limits and the backend/resource/platform used.
// Tags is always emitted ("null" when nil); every other field is omitted
// when zero.
type ReportAnalysisInfo struct {
	Score          int      `json:"score,omitempty"`
	Tags           []string `json:"tags"`
	TTP            []string `json:"ttp,omitempty"`
	Features       []string `json:"features,omitempty"`
	Submitted      string   `json:"submitted,omitempty"`
	Reported       string   `json:"reported,omitempty"`
	MaxTimeNetwork int64    `json:"max_time_network,omitempty"`
	MaxTimeKernel  uint32   `json:"max_time_kernel,omitempty"`
	Backend        string   `json:"backend,omitempty"`
	Resource       string   `json:"resource,omitempty"`
	ResourceTags   []string `json:"resource_tags,omitempty"`
	Platform       string   `json:"platform,omitempty"`
}

// Process is one process observed during the run. Cmd is deliberately
// untyped (interface{}) so either a string or a structured value can be
// decoded; consumers must type-check it. System is never serialized
// (json:"-"). PID, PPID, Cmd, Orig and Started are always emitted.
type Process struct {
	ProcID       int32       `json:"procid,omitempty"`
	ParentProcID int32       `json:"procid_parent,omitempty"`
	PID          uint64      `json:"pid"`
	PPID         uint64      `json:"ppid"`
	Cmd          interface{} `json:"cmd"`
	Image        string      `json:"image,omitempty"`
	Orig         bool        `json:"orig"`
	System       bool        `json:"-"` // internal only, excluded from JSON
	Started      uint32      `json:"started"`
	Terminated   uint32      `json:"terminated,omitempty"`
}

// Signature is a matched detection rule together with its score, TTPs,
// tags and the indicators that triggered it. Name is always emitted;
// Description is serialized under the key "desc".
type Signature struct {
	Label       string      `json:"label,omitempty"`
	Name        string      `json:"name"`
	Score       int         `json:"score,omitempty"`
	TTP         []string    `json:"ttp,omitempty"`
	Tags        []string    `json:"tags,omitempty"`
	Indicators  []Indicator `json:"indicators,omitempty"`
	YaraRule    string      `json:"yara_rule,omitempty"`
	Description string      `json:"desc,omitempty"`
	URL         string      `json:"url,omitempty"`
}

// NetworkReport groups the observed network flows and the protocol-level
// requests carried on them. Both lists are omitted when empty.
type NetworkReport struct {
	Flows    []NetworkFlow    `json:"flows,omitempty"`
	Requests []NetworkRequest `json:"requests,omitempty"`
}

// Dump describes a memory region or file dumped during the run, with the
// owning process, its address/length and hashes of the dumped content.
// Only At is always emitted.
type Dump struct {
	At     uint32 `json:"at"`
	PID    uint64 `json:"pid,omitempty"`
	ProcID int32  `json:"procid,omitempty"`
	Path   string `json:"path,omitempty"`
	Name   string `json:"name,omitempty"`
	Kind   string `json:"kind,omitempty"`
	Addr   uint64 `json:"addr,omitempty"`
	Length uint64 `json:"length,omitempty"`
	MD5    string `json:"md5,omitempty"`
	SHA1   string `json:"sha1,omitempty"`
	SHA256 string `json:"sha256,omitempty"`
	SHA512 string `json:"sha512,omitempty"`
}

// Extract is an artifact recovered from a dump or resource: a malware
// configuration, a ransom note, a dropper or a set of credentials. Each
// optional payload is a pointer so that absent sections decode as nil.
type Extract struct {
	DumpedFile  string       `json:"dumped_file,omitempty"`
	Resource    string       `json:"resource,omitempty"`
	Config      *Config      `json:"config,omitempty"`
	Path        string       `json:"path,omitempty"`
	RansomNote  *Ransom      `json:"ransom_note,omitempty"`
	Dropper     *Dropper     `json:"dropper,omitempty"`
	Credentials *Credentials `json:"credentials,omitempty"`
}

// Indicator is a single piece of evidence behind a Signature. It may point
// at a source and target process (serialized as "pid"/"procid" and
// "pid_target"/"procid_target"), a network flow, a dump file, a resource
// or a YARA rule. Every field is omitted when zero.
type Indicator struct {
	IOC          string `json:"ioc,omitempty"`
	Description  string `json:"description,omitempty"`
	At           uint32 `json:"at,omitempty"`
	SourcePID    uint64 `json:"pid,omitempty"`
	SourceProcID int32  `json:"procid,omitempty"`
	TargetPID    uint64 `json:"pid_target,omitempty"`
	TargetProcID int32  `json:"procid_target,omitempty"`
	Flow         int    `json:"flow,omitempty"`
	DumpFile     string `json:"dump_file,omitempty"`
	Resource     string `json:"resource,omitempty"`
	YaraRule     string `json:"yara_rule,omitempty"`
}

// NetworkFlow is one observed connection: endpoints, protocol, owning
// process, timing, byte/packet counters, TLS fingerprints (JA3/JA3S/SNI,
// keys prefixed "tls_") and GeoIP/ASN attribution ("as_num"/"as_org").
// Every field is omitted when zero.
type NetworkFlow struct {
	ID        int      `json:"id,omitempty"`
	Source    string   `json:"src,omitempty"`
	Dest      string   `json:"dst,omitempty"`
	Proto     string   `json:"proto,omitempty"`
	PID       uint64   `json:"pid,omitempty"`
	ProcID    int32    `json:"procid,omitempty"`
	FirstSeen int64    `json:"first_seen,omitempty"`
	LastSeen  int64    `json:"last_seen,omitempty"`
	RxBytes   uint64   `json:"rx_bytes,omitempty"`
	RxPackets uint64   `json:"rx_packets,omitempty"`
	TxBytes   uint64   `json:"tx_bytes,omitempty"`
	TxPackets uint64   `json:"tx_packets,omitempty"`
	Protocols []string `json:"protocols,omitempty"`
	Domain    string   `json:"domain,omitempty"`
	JA3       string   `json:"tls_ja3,omitempty"`
	JA3S      string   `json:"tls_ja3s,omitempty"`
	SNI       string   `json:"tls_sni,omitempty"`
	Country   string   `json:"country,omitempty"`
	AS        string   `json:"as_num,omitempty"`
	Org       string   `json:"as_org,omitempty"`
}

// NetworkRequest is a protocol-level event attributed to a flow. Exactly
// which of the DNS/HTTP request/response pointers is set is up to the
// producer; unset ones are omitted.
type NetworkRequest struct {
	Flow       int                    `json:"flow,omitempty"`
	Index      int                    `json:"index,omitempty"`
	At         uint32                 `json:"at,omitempty"`
	DomainReq  *NetworkDomainRequest  `json:"dns_request,omitempty"`
	DomainResp *NetworkDomainResponse `json:"dns_response,omitempty"`
	WebReq     *NetworkWebRequest     `json:"http_request,omitempty"`
	WebResp    *NetworkWebResponse    `json:"http_response,omitempty"`
}

// Config is an extracted malware configuration. Shellcode is a list of raw
// byte slices, which encoding/json serializes as base64 strings.
// Attributes is an untyped, family-specific bag serialized as "attr".
// Every field is omitted when zero.
type Config struct {
	Family       string        `json:"family,omitempty"`
	Tags         []string      `json:"tags,omitempty"`
	Rule         string        `json:"rule,omitempty"`
	C2           []string      `json:"c2,omitempty"`
	Version      string        `json:"version,omitempty"`
	Botnet       string        `json:"botnet,omitempty"`
	Campaign     string        `json:"campaign,omitempty"`
	Mutex        []string      `json:"mutex,omitempty"`
	Decoy        []string      `json:"decoy,omitempty"`
	DNS          []string      `json:"dns,omitempty"`
	Keys         []Key         `json:"keys,omitempty"`
	Webinject    []string      `json:"webinject,omitempty"`
	CommandLines []string      `json:"command_lines,omitempty"`
	ListenAddr   string        `json:"listen_addr,omitempty"`
	ListenPort   int           `json:"listen_port,omitempty"`
	ListenFor    []string      `json:"listen_for,omitempty"`
	Shellcode    [][]byte      `json:"shellcode,omitempty"`
	ExtractedPE  []string      `json:"extracted_pe,omitempty"`
	Credentials  []Credentials `json:"credentials,omitempty"`
	Attributes   interface{}   `json:"attr,omitempty"`
}

// Ransom is an extracted ransom note and the contact details found in it.
// Note is always emitted; the other fields are omitted when empty.
type Ransom struct {
	Family  string   `json:"family,omitempty"`
	Target  string   `json:"target,omitempty"`
	Emails  []string `json:"emails,omitempty"`
	Wallets []string `json:"wallets,omitempty"`
	URLs    []string `json:"urls,omitempty"`
	Contact []string `json:"contact,omitempty"`
	Note    string   `json:"note"`
}

// Dropper is an extracted dropper script: its language, the original and
// deobfuscated source (key "deobfuscated") and the URLs it references.
// Only Family is optional.
type Dropper struct {
	Family   string       `json:"family,omitempty"`
	Language string       `json:"language"`
	Source   string       `json:"source"`
	Deobf    string       `json:"deobfuscated"`
	URLs     []DropperURL `json:"urls"`
}

// Credentials is a credential pair recovered from a flow or a config.
// User and Pass are serialized in the clear as "username"/"password" and
// are always present, so reports containing them should be stored and
// shared with that in mind.
type Credentials struct {
	Flow     int    `json:"flow,omitempty"`
	Protocol string `json:"protocol"`
	Host     string `json:"host,omitempty"`
	Port     int    `json:"port,omitempty"`
	User     string `json:"username"`
	Pass     string `json:"password"`
}

// NetworkDomainRequest is the decoded content of a DNS query.
type NetworkDomainRequest struct {
	Domains   []string   `json:"domains,omitempty"`
	Questions []DNSEntry `json:"questions,omitempty"`
}

// NetworkDomainResponse is the decoded content of a DNS reply, including
// the resolved IPs.
type NetworkDomainResponse struct {
	Domains []string   `json:"domains,omitempty"`
	IP      []string   `json:"ip,omitempty"`
	Answers []DNSEntry `json:"answers,omitempty"`
}

// NetworkWebRequest is an observed HTTP request. URL and Request are
// always emitted.
type NetworkWebRequest struct {
	Method  string   `json:"method,omitempty"`
	URL     string   `json:"url"`
	Request string   `json:"request"`
	Headers []string `json:"headers,omitempty"`
}

// NetworkWebResponse is an observed HTTP response. Status and Response
// are always emitted.
type NetworkWebResponse struct {
	Status   string   `json:"status"`
	Response string   `json:"response"`
	Headers  []string `json:"headers,omitempty"`
}

// Key is a typed key/value entry inside a Config. Value is untyped and
// must be type-checked by the consumer.
type Key struct {
	Kind  string      `json:"kind"`
	Key   string      `json:"key"`
	Value interface{} `json:"value"`
}

// DropperURL is a URL referenced by a Dropper together with its type.
type DropperURL struct {
	Type string `json:"type"`
	URL  string `json:"url"`
}

// DNSEntry is one DNS question or answer record.
type DNSEntry struct {
	Name  string `json:"name"`
	Type  string `json:"type"`
	Value string `json:"value,omitempty"`
}