Skip to content

Commit

Permalink
Docs update
Browse files Browse the repository at this point in the history
  • Loading branch information
Hatching Docs committed Sep 13, 2024
0 parents commit aae25bf
Show file tree
Hide file tree
Showing 1,087 changed files with 89,655 additions and 0 deletions.
496 changes: 496 additions & 0 deletions about/index.html

Large diffs are not rendered by default.

383 changes: 383 additions & 0 deletions blog/2021-09-16-triage-thursday/index.html

Large diffs are not rendered by default.

329 changes: 329 additions & 0 deletions blog/2021-09-23-triage-thursday/index.html

Large diffs are not rendered by default.

321 changes: 321 additions & 0 deletions blog/2021-09-30-triage-thursday/index.html

Large diffs are not rendered by default.

374 changes: 374 additions & 0 deletions blog/2021-10-14-triage-thursday/index.html

Large diffs are not rendered by default.

302 changes: 302 additions & 0 deletions blog/2021-10-21-triage-thursday/index.html

Large diffs are not rendered by default.

367 changes: 367 additions & 0 deletions blog/2021-11-04-triage-thursday/index.html

Large diffs are not rendered by default.

454 changes: 454 additions & 0 deletions blog/2021-review/index.html

Large diffs are not rendered by default.

351 changes: 351 additions & 0 deletions blog/acquisition-recorded-future/index.html

Large diffs are not rendered by default.

317 changes: 317 additions & 0 deletions blog/analysis-log-view/index.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,317 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="robots" content="index, follow">
<meta name="description" content="Automated malware analysis with Hatching Triage, the high-volume sandbox solution for SOCs, CERTs, SOARs, and MSSPs.">
<meta name="keywords" content="Hatching, Hatching Triage, Sandbox, Malware Analysis, Automated Malware Analysis">
<meta name="viewport" content="width=device-width, minimum-scale=1.0, maximum-scale=1.0">
<meta name="revisit-after" content="3 days">
<meta name="twitter:card" content="summary">
<meta name="twitter:site" content="@hatching_io">
<meta name="twitter:title" content="Hatching - Automated malware analysis solutions">
<meta property="og:title" content="Hatching - Automated malware analysis solutions">
<meta property="og:description" content="Automated malware analysis with Hatching Triage, the high-volume sandbox solution for SOCs, CERTs, SOARs, and MSSPs.">
<meta property="og:url" content="https://www.hatching.io">
<link rel="manifest" href="/static/manifest.json">

<meta property="og:image" content="https://www.hatching.io/static/images/backgrounds/resized-82.jpg">
<meta name="twitter:image" content="https://www.hatching.io/static/images/backgrounds/resized-82.jpg">


<script async src="https://www.googletagmanager.com/gtag/js?id=UA-123677703-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());

gtag('config', 'UA-123677703-1');
</script>
<link rel="stylesheet" href="https://hatching.io/static/css/index.css?1726233262">
<link rel="icon" type="image/png" sizes="32x32" href="https://hatching.io/static/images/favicon-32x32.png?v=21">
<link rel="icon" type="image/png" sizes="16x16" href="https://hatching.io/static/images/favicon-16x16.png?v=21">
<title>Analysis Log View</title>
</head>
<body>
<nav class="site-menu">
<ul>
<li><a href="/">Home</a></li>
<li><a href="/about/">About</a></li>
<li><a href="/triage/">Triage</a></li>
<li><a class="active" href="/blog/">Blog</a></li>
<li><a href="https://boards.greenhouse.io/recordedfuture" rel="nofollow">Jobs</a></li>
<li><a href="https://go.recordedfuture.com/enterprise-sandbox-contact-us" target="_blank">Contact</a></li>
</ul>
</nav>
<header class="site-nav headroom theme-light">
<div class="logo">
<a href="/">
<img width="210px" src="https://hatching.io/static/images/rf-hatching-black.svg" width="164">
</a>
</div>
<div>
<a href="#" class="toggle-menu">
Menu
<span></span>
<span></span>
<span></span>
</a>
</div>
</header>


<section class="scheme-1 view-context blog-fold blog-article-head" id="fold" data-keep="true">
<div class="view-context__body">
<div>
<div>

<h5>Triage Updates</h5>

<h2>Analysis Log View</h2>
</div>
<ul>
<li>Share this:</li>
<li class="social">
<a href="https://twitter.com/hatching_io" target="_blank">
<i class="icon-twitter"></i>
</a>
<a href="https://www.linkedin.com/company/hatching" target="_blank">
<i class="icon-linkedin"></i>
</a>
<a href="https://www.github.com/hatching" target="_blank">
<i class="icon-github"></i>
</a>
</li>
</ul>
</div>
<div>
<h1>Blog.</h1>
</div>
</div>
<div class="background-graphic">

<div class="image" style="background-image: url('/static/images/backgrounds/resized-82.jpg');"></div>

</div>
</section>

<article class="view-context blog-article">
<header class="blog-article-meta">
<div class="blog-article-general">
<p><time datetime="2020-03-09T00:00:00Z">2020-03-09</time></p>

<ul class="blog-article-tags">
<li><p><a href="/blog/#category=triage">triage</a></p>
</ul>

</div>
<div class="blog-article-author">
<div class="avatar">
<img src="/static/images/avatars/pete.svg" />
</div>
<div>
<h5>Written by <br />Pete Cowman</h5>
</div>
</div>
</header>
<section class="blog-article-body">

<p>Since the initial opening of <a href="https://tria.ge/">tria.ge</a> to the public, a number of users have got in touch to request extra features. We&rsquo;ve been listening, and today we&rsquo;re delighted to announce the release of an experimental &lsquo;Analysis Log View&rsquo; in the report UI. This serves as an overview of all interesting actions which have taken place during the analysis, not just those which have resulted in signature matches.</p>
<figure><img src="../../static/images/blog/analysis-log-view/analysis-log-view-overview.png"><figcaption>
<h4>Screenshot of new &#39;Analysis Log View&#39; UI</h4>
</figcaption>
</figure>

<p>This information was already partially available <a href="https://tria.ge/docs/cloud-api/samples/#get-samplessampleidtaskidlogsonemonjson">via the API</a>, but this should make it easier to quickly refer to the data.</p>
<p>There is also a search feature within the overview which allows the finding of specific IoCs within the (sometimes quite large) dataset. Every field is searchable, so you can use paths, operation types, process names etc.</p>
<p>This feature is still very much a work-in-progress. We&rsquo;ll be pushing updates to this over the coming weeks, including things like whitelisting certain actions to remove noise from background processes on the system.</p>
<p>Check out the examples below for a better idea of the information available. We hope you like this update! As usual, feel free to get in touch with us to give us any feedback on this or other aspects of Triage. Follow us on Twitter (<a href="https://twitter.com/hatching_io">@hatching_io</a>) for news on the latest changes as they are released.</p>
<p>Not signed up yet? Head on over to <a href="https://tria.ge/">https://tria.ge/</a> to request early access to the platform!</p>
<hr>
<h3 id="1-lockbit-ransomware">1. Lockbit Ransomware</h3>
<p><a href="https://tria.ge/reports/200309-6c8mjplfjs/behavioral1">Link to analysis</a></p>
<p>Lockbit uses a rename operation to add its file extension to files after encrypting them. We can search for this to see only encrypted files, and identify the extension (in the case of Lockbit, this is always .lockbit).</p>
<figure><img src="../../static/images/blog/analysis-log-view/lockbit-renames.png"><figcaption>
<h4>Search for &#39;rename&#39; showing files encrypted by Lockbit (notice the source/destination paths).</h4>
</figcaption>
</figure>

<p>Alternatively, to filter by .txt files in search of ransomnotes:</p>
<figure><img src="../../static/images/blog/analysis-log-view/lockbit-ransomnote.png"><figcaption>
<h4>Search for &#39;.txt&#39; showing ransom notes dropped by Lockbit.</h4>
</figcaption>
</figure>

<h3 id="2-remcos-rat">2. Remcos RAT</h3>
<p><a href="https://tria.ge/reports/200309-nerxz72er2/behavioral1">Link to analysis</a></p>
<p>This example clearly shows the mutexes checked/created during the execution of a Remcos RAT sample.</p>
<figure><img src="../../static/images/blog/analysis-log-view/remcos-mutex.png"><figcaption>
<h4>Remcos mutex example.</h4>
</figcaption>
</figure>

<p>Signatures report that the sample writes to the Startup directory. This can be verified with a search on the Analysis Log View.</p>
<figure><img src="../../static/images/blog/analysis-log-view/remcos-startup.png"><figcaption>
<h4>Search for &#39;Startup&#39; showing relevant file operations.</h4>
</figcaption>
</figure>

<h3 id="3-agenttesla">3. AgentTesla</h3>
<p><a href="https://tria.ge/reports/200309-kydas7c2t6/behavioral1">Link to analysis</a></p>
<p>AgentTesla is an infostealer which looks for and exfiltrates user data such as saved browser passwords, FTP credentials, email credentials from local clients, etc.</p>
<figure><img src="../../static/images/blog/analysis-log-view/remcos-startup.png"><figcaption>
<h4>Search for profiles.ini (common path for browser storage)</h4>
</figcaption>
</figure>

<h3 id="4-sodinokibi-ransomware">4. Sodinokibi Ransomware</h3>
<p><a href="https://tria.ge/reports/200309-e38sr5wka6/behavioral1">Link to analysis</a></p>
<p>Sodinokibi, also known as REvil or Sodin, contains configuration settings defined by the specific campaign operator. During operation it generally writes a number of these values to the registry for future use as shown here.</p>
<figure><img src="../../static/images/blog/analysis-log-view/sodin-recfg.png"><figcaption>
<h4>Registry writes for Sodin&#39;s configuration settings</h4>
</figcaption>
</figure>

<p>Unlike Lockbit, Sodinokibi uses a randomly-generated string as its encrypted file extension. Searching for &lsquo;rename&rsquo; actions shows the string created during this analysis.</p>
<figure><img src="../../static/images/blog/analysis-log-view/sodin-renames.png"><figcaption>
<h4>Files being renamed by Sodinokibi after encryption</h4>
</figcaption>
</figure>



</section>
</article>


<section class="view-context blog-recommendations">
<article class="view-context__body">
<h2>You may also like:</h2>

<ul>

<li>
<h3>New UI Features and Additions to Family Detections</h3>
<br>
<a class="button button-variant-3" href="https://hatching.io/blog/tt-2021-01-21/">Read</a>
</li>

<li>
<h3>Blogs</h3>
<br>
<a class="button button-variant-3" href="https://hatching.io/blog/">Read</a>
</li>

<li>
<h3>Triage Thursday Ep. 91</h3>
<br>
<a class="button button-variant-3" href="https://hatching.io/blog/tt-2022-12-01/">Read</a>
</li>

<li>
<h3>Ep. 147: Triage Thursday</h3>
<br>
<a class="button button-variant-3" href="https://hatching.io/blog/tt-2024-09-05/">Read</a>
</li>

</ul>
</article>
</section>
<footer class="scheme-4 view-context footer" id="contact">
<article class="view-context__body">
<h2>Want to know more?<br />Get in touch!</h2>
<a class="button button-variant-1" target="_blank" href="https://go.recordedfuture.com/enterprise-sandbox-contact-us" i>Contact us</a>
<ul>
<li>
<ul>
<li class="logo"><img src="https://hatching.io/static/images/rf-hatching-white.svg" alt="hatching"/></li>
<li class="social">
<a href="https://twitter.com/hatching_io" target="_blank">
<i class="icon-twitter"></i>
</a>
<a href="https://www.linkedin.com/company/hatching" target="_blank">
<i class="icon-linkedin"></i>
</a>
<a href="https://www.github.com/hatching" target="_blank">
<i class="icon-github"></i>
</a>
</li>
</ul>
</li>
<li>
Hatching International B.V.<br />
The Netherlands<br/>
<br />
Email us: <a href="mailto:info@hatching.io">info@hatching.io</a>
</li>
<li>
IBAN: NL52 INGB 0006 9672 73<br />
BIC: INGBNL2A<br />
ING Groep N.V.<br />
Amsterdam-Zuidoost<br />
<br />
REG: 64146707<br />
VAT: NL855541891B01
</li>
</ul>
</article>
<div class="form hidden">
<div class="form-logo">
<img src="https://hatching.io/static/images/rf-hatching-white.svg" alt="Hatching"/>
</div>
<a href="#" class="form-close" title="Close (or press esc)"></a>

<div class="container">
<h1>Contact us</h1>
<h3>Feel free to inquire or request about our services.</h3>
<form>
<fieldset>
<div class="field">
<div class="input is-required">
<input id="form-name" name="name" placeholder="Name" />
</div>
</div>
<div class="field">
<div class="input is-required">
<input id="form-email" name="email" placeholder="Email" />
</div>
</div>
<div class="field">
<div class="input">
<input id="form-phone" name="phone" placeholder="Phone number" />
</div>
</div>
<div class="field">
<div class="input">
<input id="form-company" name="company" placeholder="Company" />
</div>
</div>
</fieldset>
<fieldset>
<div class="input required">
<textarea id="form-message" name="message" placeholder="Write a message"></textarea>
</div>
<div class="button-group">
<button type="reset" class="button button-variant-2 button-transparent">Reset</button>
<button type="submit" class="button button-variant-1">Send</button>
</div>
</fieldset>
</form>
</div>

</div>
</footer>
<script src="https://hatching.io/static/js/hatching.js?1726233262"></script>
<script>
document.addEventListener('DOMContentLoaded', () => {
if(window.main && window.main instanceof Function) {
window.main();
}
initForm();



});
</script>
</body>
</html>
Loading

0 comments on commit aae25bf

Please sign in to comment.