Backing up data on Malware Analysis Appliance using RAPI

Article ID: 168196

Updated On:

Products

Malware Analysis Software - MA

Issue/Introduction

Resolution

You can use the RAPI to gather the data you want to back up. The RAPI system returns data in JSON format, with some exceptions.
Note: The API is normally authenticated with a token, but if you SSH into the appliance and run the queries against 'localhost', you do not need to supply an API token.

1) Get a list of configured users
$ curl http://localhost/rapi/system/users

2) List samples (whether analyzed or not)
$ curl http://localhost/rapi/samples

Detail on a specific sample
$ curl http://localhost/rapi/samples/<sample_id>

3) Retrieve/save a sample's resource (file)

The API calls in #2 return a list of samples. Each sample resource includes, among other fields, this metadata:

"sample_resources_md5": "aa6d071db6632244489850ff626eb510",
"sample_resources_resource_id": 10,
"sample_resources_resource_name": "ChromeSetup.exe",


The file is stored on the filesystem, named after the sample_id (in this case, 10) and the MD5 hash:

/opt/mag2/store/sample_resources/<first two digits of MD5 hash>/<next two digits of MD5>/<sample_id>-<MD5 hash>

So the ChromeSetup.exe sample above would be stored as:

/opt/mag2/store/sample_resources/aa/6d/10-aa6d071db6632244489850ff626eb510

You can pull files off the appliance using SCP. If you save the entire list of samples (curl http://localhost/rapi/samples) and copy the entire /opt/mag2/store/sample_resources folder, you have everything.

4) Retrieve previous analysis

a. List of tasks that were run
$ curl http://localhost/rapi/tasks

b. Info about a specific task, including the resulting risk score (task_global_risk_score) and the sample_id that was analyzed, so you can link it up with the samples above
$ curl http://localhost/rapi/tasks/<task_id>

c. All the found events for a task (HTML formatted)
$ curl http://localhost/rapi/widgets/task_report/<task_id>

d. All the found events for a task (JSON)
$ curl http://localhost/rapi/tasks/<task_id>/events