Class: HybridAnalysis::Clients::QuickScan

Inherits:
Client
  • Object
Defined in:
lib/hybridanalysis/clients/quick_scan.rb

Constant Summary

Constants inherited from Client

Client::BASE_URL, Client::DEFAULT_UA, Client::HOST, Client::VERSION

Instance Attribute Summary

Attributes inherited from Client

#key

Instance Method Summary

  • #convert_to_full(id, environment_id:, ...) ⇒ Hash
    Convert a quick scan into a full sandbox report
  • #file(scan_type:, file:, ...) ⇒ Hash
    Submit a file for a quick scan
  • #get(id) ⇒ Hash
    Fetch the results of a quick scan
  • #state ⇒ Array
    Return the list of available scanners
  • #url(scan_type:, url:, ...) ⇒ Hash
    Submit a URL for a quick scan

Methods inherited from Client

#initialize

Constructor Details

This class inherits a constructor from HybridAnalysis::Clients::Client

Instance Method Details

#convert_to_full(id, environment_id:, no_hash_lookup: nil, action_script: nil, hybrid_analysis: nil, experimental_anti_evasion: nil, script_logging: nil, input_sample_tampering: nil, tor_enabled_analysis: nil, offline_analysis: nil, email: nil, comment: nil, custom_date_time: nil, custom_cmd_line: nil, custom_run_time: nil, submit_name: nil, document_password: nil, environment_variable: nil) ⇒ Hash

Convert a quick scan into a full sandbox report: the sample is run in the analysis environment selected by environment_id, with the runtime options below. Options left at nil are omitted from the request, so the API's documented defaults apply.

Parameters:

  • id (String)

    ID of quick scan to convert

  • environment_id (Integer, nil)

    Environment ID (required). Available environment IDs: 300: 'Linux (Ubuntu 16.04, 64 bit)', 200: 'Android Static Analysis', 120: 'Windows 7 64 bit', 110: 'Windows 7 32 bit (HWP Support)', 100: 'Windows 7 32 bit'

  • no_hash_lookup (Boolean, nil) (defaults to: nil)

    Default: false

  • action_script (String, nil) (defaults to: nil)

    Optional custom runtime action script. Available runtime scripts: default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie

  • hybrid_analysis (Boolean, nil) (defaults to: nil)

    When set to ‘false’, no memory dumps or memory dump analysis will take place. Default: true

  • experimental_anti_evasion (Boolean, nil) (defaults to: nil)

    When set to ‘true’, will set all experimental anti-evasion options of the Kernelmode Monitor. Default: false

  • script_logging (Boolean, nil) (defaults to: nil)

    When set to ‘true’, will set the in-depth script logging engine of the Kernelmode Monitor. Default: false

  • input_sample_tampering (Boolean, nil) (defaults to: nil)

    When set to ‘true’, will allow experimental anti-evasion options of the Kernelmode Monitor that tamper with the input sample. Default: false

  • tor_enabled_analysis (Boolean, nil) (defaults to: nil)

    When set to ‘true’, will route the network traffic for the analysis via Tor (if properly configured on the server). Default: false

  • offline_analysis (Boolean, nil) (defaults to: nil)

    When set to ‘true’, will disable outbound network traffic for the guest VM (takes precedence over ‘tor_enabled_analysis’ if both are provided). Default: false

  • email (String, nil) (defaults to: nil)

    Optional E-Mail address that may be associated with the submission for notification

  • comment (String, nil) (defaults to: nil)

    Optional comment text that may be associated with the submission/sample (Note: you can use #tags here)

  • custom_date_time (String, nil) (defaults to: nil)

    Optional custom date/time that can be set for the analysis system. Expected format: yyyy-MM-dd HH:mm

  • custom_cmd_line (String, nil) (defaults to: nil)

    Optional command line that is passed to the sample when it is executed in the analysis environment

  • custom_run_time (Integer, nil) (defaults to: nil)

    Optional runtime duration (in seconds)

  • submit_name (String, nil) (defaults to: nil)

    Optional ‘submission name’ field that will be used for file type detection and analysis

  • document_password (String, nil) (defaults to: nil)

    Optional document password that will be used to fill-in Adobe/Office password prompts

  • environment_variable (String, nil) (defaults to: nil)

    Optional environment variable to set in the analysis system, provided in the format name=value

Returns:

  • (Hash)


# File 'lib/hybridanalysis/clients/quick_scan.rb', line 101

def convert_to_full(id, environment_id:, no_hash_lookup: nil, action_script: nil, hybrid_analysis: nil, experimental_anti_evasion: nil, script_logging: nil, input_sample_tampering: nil, tor_enabled_analysis: nil, offline_analysis: nil, email: nil, comment: nil, custom_date_time: nil, custom_cmd_line: nil, custom_run_time: nil, submit_name: nil, document_password: nil, environment_variable: nil)
  params = {
    environment_id: environment_id,
    no_hash_lookup: no_hash_lookup,
    action_script: action_script,
    hybrid_analysis: hybrid_analysis,
    experimental_anti_evasion: experimental_anti_evasion,
    script_logging: script_logging,
    input_sample_tampering: input_sample_tampering,
    tor_enabled_analysis: tor_enabled_analysis,
    offline_analysis: offline_analysis,
    email: email,
    comment: comment,
    custom_date_time: custom_date_time,
    custom_cmd_line: custom_cmd_line,
    custom_run_time: custom_run_time,
    submit_name: submit_name,
    document_password: document_password,
    environment_variable: environment_variable
  }.compact # drop unset (nil) options so the API applies its documented defaults

  _post("/quick-scan/#{id}/convert-to-full", params) { |json| json }
end
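The constraints listed above (the five environment IDs, the action script names, the yyyy-MM-dd HH:mm date format, name=value for environment_variable, and offline_analysis taking precedence over tor_enabled_analysis) are only enforced on the server. The following is an added example, not code from the hybridanalysis gem, that checks them locally and builds the same compacted params hash that convert_to_full sends, so a bad value fails before a submission is spent. build_convert_params, OptionError and the regular expressions are this example's own names.

```ruby
require "date"

# Environment IDs and action scripts exactly as documented for convert_to_full.
ENVIRONMENT_IDS = [300, 200, 120, 110, 100].freeze
ACTION_SCRIPTS = %w[default default_maxantievasion default_randomfiles
                    default_randomtheme default_openie].freeze
# Documented format "yyyy-MM-dd HH:mm"
DATE_TIME_RE = /\A(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2})\z/
# Documented format "name=value"; the name must look like a real variable name
ENV_VAR_RE = /\A[A-Za-z_][A-Za-z0-9_]*=.*\z/

# Raised for an option value the API documents as invalid (example's own class).
class OptionError < ArgumentError; end

# Checks the documented constraints and returns the compacted params hash that
# convert_to_full would send. Any other keyword (comment, email, ...) is passed
# through in `rest` untouched.
def build_convert_params(environment_id:, action_script: nil, custom_date_time: nil,
                         custom_run_time: nil, environment_variable: nil,
                         tor_enabled_analysis: nil, offline_analysis: nil, **rest)
  unless ENVIRONMENT_IDS.include?(environment_id)
    raise OptionError, "environment_id #{environment_id.inspect} is not one of #{ENVIRONMENT_IDS.join(', ')}"
  end
  if action_script && !ACTION_SCRIPTS.include?(action_script)
    raise OptionError, "unknown action_script #{action_script.inspect}"
  end
  if custom_date_time
    m = DATE_TIME_RE.match(custom_date_time)
    raise OptionError, "custom_date_time must be 'yyyy-MM-dd HH:mm'" unless m
    y, mo, d, h, mi = m.captures.map(&:to_i)
    # The shape check lets "2024-02-30 25:61" through; reject impossible values too.
    unless Date.valid_date?(y, mo, d) && h.between?(0, 23) && mi.between?(0, 59)
      raise OptionError, "custom_date_time #{custom_date_time.inspect} is not a real date/time"
    end
  end
  if custom_run_time && !(custom_run_time.is_a?(Integer) && custom_run_time.positive?)
    raise OptionError, "custom_run_time must be a positive number of seconds"
  end
  if environment_variable && !ENV_VAR_RE.match?(environment_variable)
    raise OptionError, "environment_variable must be 'name=value'"
  end
  # offline_analysis takes precedence over tor_enabled_analysis (documented above),
  # so drop the redundant flag instead of sending a request that contradicts itself.
  tor_enabled_analysis = nil if offline_analysis

  {
    environment_id: environment_id,
    action_script: action_script,
    custom_date_time: custom_date_time,
    custom_run_time: custom_run_time,
    environment_variable: environment_variable,
    tor_enabled_analysis: tor_enabled_analysis,
    offline_analysis: offline_analysis,
    **rest
  }.compact
end
```

Pass the result on as keyword arguments, for example client.convert_to_full(id, **build_convert_params(environment_id: 120, offline_analysis: true)); convert_to_full compacts its own hash again, so the two hashes are identical.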

#file(scan_type:, file:, no_share_third_party: nil, allow_community_access: nil, comment: nil, submit_name: nil) ⇒ Hash

Submit a file for a quick scan. Results can be checked via the overview endpoint; if the response has ‘finished’ set to false, poll #get until the scan completes.

Parameters:

  • scan_type (String)

    Type of scan; call #state (GET /quick-scan/state) for the list of available scanners

  • file (String)

    Path of the file to submit; it is read from disk and uploaded under its basename

  • no_share_third_party (Boolean, nil) (defaults to: nil)

    When set to ‘true’, the sample is never shared with any third party. Default: true

  • allow_community_access (Boolean, nil) (defaults to: nil)

    When set to ‘true’, the sample will be available to the community. Default: true (Note: when ‘no_share_third_party’ is ‘false’, this cannot be set to anything other than ‘true’)

  • comment (String, nil) (defaults to: nil)

    Optional comment text that may be associated with the submission/sample (Note: you can use #tags here)

  • submit_name (String, nil) (defaults to: nil)

    Optional ‘submission name’ field that will be used for file type detection and analysis

Returns:

  • (Hash)


# File 'lib/hybridanalysis/clients/quick_scan.rb', line 27

def file(scan_type:, file:, no_share_third_party: nil, allow_community_access: nil, comment: nil, submit_name: nil)
  name = File.basename(file)
  # Read raw bytes: samples are binary and must reach the API unmodified
  # (File.read opens in text mode and can apply newline conversion on Windows).
  data = File.binread(file)

  params = {
    scan_type: scan_type,
    no_share_third_party: no_share_third_party,
    allow_community_access: allow_community_access,
    comment: comment,
    submit_name: submit_name
  }.compact

  _post_with_file("/quick-scan/file", file: data, filename: name, params: params) { |json| json }
end

#get(id) ⇒ Hash

Some scanners need time to process a file. If the submission response has ‘finished’ set to false, poll this endpoint until it reports the final results.

Parameters:

  • id (String)

    ID of the quick scan

Returns:

  • (Hash)


# File 'lib/hybridanalysis/clients/quick_scan.rb', line 73

def get(id)
  _get("/quick-scan/#{id}") { |json| json }
end
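Putting #file and #get together: an added example, not code from the hybridanalysis gem, that submits a sample with the sharing flags pinned (the API defaults allow_community_access to true, which makes the sample visible to the community, and only honours allow_community_access: false when no_share_third_party is true) and then polls #get with a bounded retry loop until the response reports ‘finished’. The StubQuickScan class, its response bodies (including the id field), the file name and the scan_type value "all" are constructed stand-ins so the example runs offline; with the real client, pass an instance of HybridAnalysis::Clients::QuickScan and a scan_type taken from #state.

```ruby
require "json"

# Raised when the scanner has not finished within the polling budget (example's own class).
class ScanTimeout < StandardError; end

# Submit a file with the sharing flags pinned. allow_community_access defaults to
# true on the API side, which is the wrong default for an incident-response
# artifact; no_share_third_party must be true for allow_community_access: false
# to be accepted.
def submit_private(client, path, scan_type:, comment: nil)
  client.file(
    scan_type: scan_type,
    file: path,
    no_share_third_party: true,
    allow_community_access: false,
    comment: comment
  )
end

# Poll #get until the response reports finished. Bounded so a stuck scanner
# cannot hang the caller; the sleeper is injectable so tests run without delay.
def wait_for_scan(client, id, max_attempts: 30, interval: 2, sleeper: ->(s) { sleep(s) })
  max_attempts.times do |attempt|
    report = client.get(id)
    return report if report["finished"]
    sleeper.call(interval) if attempt < max_attempts - 1
  end
  raise ScanTimeout, "quick scan #{id} not finished after #{max_attempts} attempts"
end

# Constructed stand-in for HybridAnalysis::Clients::QuickScan (example only):
# records every call and reports finished only after ready_after polls.
class StubQuickScan
  attr_reader :calls

  def initialize(ready_after:)
    @ready_after = ready_after
    @calls = []
  end

  def file(scan_type:, file:, **params)
    @calls << [:file, scan_type, file, params]
    # Response shape assumed for this example; the real API body may differ.
    JSON.parse(%({"id": "stub-scan-1", "finished": false}))
  end

  def get(id)
    @calls << [:get, id]
    polls = @calls.count { |c| c.first == :get }
    JSON.parse(%({"id": "#{id}", "finished": #{polls >= @ready_after}}))
  end
end

if $PROGRAM_NAME == __FILE__
  client = StubQuickScan.new(ready_after: 3)
  submitted = submit_private(client, "sample.bin", scan_type: "all", comment: "#ir-case")
  report = wait_for_scan(client, submitted["id"], interval: 0)
  puts "finished after #{client.calls.count { |c| c.first == :get }} polls: #{report}"
end
```

wait_for_scan raises ScanTimeout rather than looping forever, and sleeps only between attempts, so a scan that is already finished costs a single GET.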

#state ⇒ Array

Return the list of available scanners, i.e. the scan_type values accepted by #file and #url.

Returns:

  • (Array)


# File 'lib/hybridanalysis/clients/quick_scan.rb', line 11

def state
  _get("/quick-scan/state") { |json| json }
end

#url(scan_type:, url:, no_share_third_party: nil, allow_community_access: nil, comment: nil, submit_name: nil) ⇒ Hash

Submit a website URL, or a URL pointing at a file, for a quick scan.

Parameters:

  • scan_type (String)

    Type of scan; call #state (GET /quick-scan/state) for the list of available scanners

  • url (String)

    Website URL, or URL of a file, to submit

  • no_share_third_party (Boolean, nil) (defaults to: nil)

    When set to ‘true’, the sample is never shared with any third party. Default: true

  • allow_community_access (Boolean, nil) (defaults to: nil)

    When set to ‘true’, the sample will be available to the community. Default: true (Note: when ‘no_share_third_party’ is ‘false’, this cannot be set to anything other than ‘true’)

  • comment (String, nil) (defaults to: nil)

    Optional comment text that may be associated with the submission/sample (Note: you can use #tags here)

  • submit_name (String, nil) (defaults to: nil)

    Optional ‘submission name’ field that will be used for file type detection and analysis

Returns:

  • (Hash)


# File 'lib/hybridanalysis/clients/quick_scan.rb', line 54

def url(scan_type:, url:, no_share_third_party: nil, allow_community_access: nil, comment: nil, submit_name: nil)
  params = {
    scan_type: scan_type,
    url: url,
    no_share_third_party: no_share_third_party,
    allow_community_access: allow_community_access,
    comment: comment,
    submit_name: submit_name
  }.compact
  _post("/quick-scan/url", params) { |json| json }
end