API Functions
The available APIs for the current Juniper ATP Appliance release are provided in the following sections. This list of APIs is updated as new features are developed.
Use of the return values "monitored" and "scanned" is deprecated in this release; refer instead to the offered_traffic or inspected_traffic outputs.
add_incident_comments
https://HOST/cyadmin/api.php?op=add_incident_comments
HTTP Post Parameters | Description
last_status | Last incident status information
status | Current Status: options are "new", "acknowledged", "in_progress" or "complete"
comments | Comment or update
incident_id | ID of the incident for which a comment is to be added or updated
Example
curl -k -H "Authorization:0d5b240487eb5abcaf987ab04e8a1411" "https://192.168.2.25/cyadmin/api.php?op=add_incident_comments" --data "last_status=new&status=complete&comments=Test%20Comment&incident_id=134"
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any configured User to generate or obtain their API Key.
Sample Response
{"session_timeout_sec":36000,"status":0}
add_license
This API adds a product or support license to the current Juniper ATP Appliance system.
https://HOST/cyadmin/api.php?op=add_license
HTTP Post Parameters | Description
filename | Name of the license key file to be uploaded and added as a new license
license_type | Product or Support license type
Example
curl -k -b SESSID=fhffc90prmu9dte2bu4mv3od11 -d "filename=licenseKey&license_type=product" "https://HOST/cyadmin/api.php?op=add_license"
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any configured User to generate or obtain their API Key.
Sample Response
There is no response for this API request.
add_user
This API adds a new user to the Juniper ATP Appliance system.
https://HOST/cyadmin/api.php?op=add_user
HTTP Post Parameters | Description
user_name | Username of the new user to be added to the system
full_name | Full name of the new user
is_admin | New user's admin access profile; 1 is enabled
has_debug | New user's debug access privilege; 1 is enabled
generate_api_key | 0 for no; 1 for yes
api_key | key definition, or _is_disabled if not enabled
password | Password for the new user
csrf_token | unique token ID for the new user
remote_authentication | Valid values are true or false. This key determines whether the user being created will be authenticated using the remote system or not.
remote_authorization | Valid values are true or false. This key determines whether the user being created will be authorized using the remote system or not.
Example
curl -k -H "Authorization:d7e6d14140fc944fc4ba287f88f42d45" "https://10.2.20.107/cyadmin/api.php?op=add_user" -d user_name=test2 -d full_name=test2 -d role_name='Default Admin Role' -d generate_api_key=0 -d api_key_is_disabled=0 -d password=JATP1z2 -d remote_authentication=false -d remote_authorization=false
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any User to obtain an API Key.
Sample Response
There is no response from this API call.
analysis_details
Use the analysis_details API to retrieve the analysis details associated with a particular file object. The analysis_details API takes either an event_id, md5sum or sha1sum as a parameter.
As of Release 4.1.1 and later, Juniper ATP Appliance now limits the upload to the actual processing limit and throws an error if the file is greater than 16MB.
Unlike the “event” API, analysis_details does not return any context about how and when the file object was discovered.
An additional boolean parameter “get_components” set to 1 will cause the return of all the components of the specified file. This option is only meaningful if the md5sum/sha1sum corresponds to a zip, tar, or other archive.
https://HOST/cyadmin/api.php?op=analysis_details
HTTP Post Parameters | Description
event_id or md5sum/sha1sum | [Required] Unique identifier for this event. One of these parameters is mandatory. Get the event_id from the output of the API https://<Host>/cyadmin/api.php?op=events. The md5sum and sha1sum are the hashes of the objects.
get_components | 1 indicates components are available. When the get_components value is set, analysis details for all the subcomponents are also returned.
API Access: To see the analysis_details API called from the Central Manager Web UI Incidents page: select an incident from the Incidents table, scroll down the page and click the Downloads or Uploads tab. Expand the row to view details; this action triggers a call to the analysis_details API.
See also: behavior_details
Example
curl -k -H "Authorization:7c71c218662411a5c857042053acca8f" "https://10.2.20.37/cyadmin/api.php?op=analysis_details" -d event_id=672
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any User to obtain an API Key.
The request should include one of event_id, md5sum or sha1sum. If more than one is specified, the server only considers the event_id.
Sample Response
{
  "analysis_array": [
    {
      "local_path": "/var/spool/c-icap/download/CI_TMPFP9jYz",
      "file_md5_string": "7be866d691c3da79f51240bf8963e210",
      "file_sha1_string": "1f707b2fe77691ee91aa5da0a326aec40182bb0d",
      "file_sha256_string": "fada509542437360aeaa73a6256a9f1c88764e823f0f0a6a78fb66e419b5f389",
      "file_size": "893977",
      "file_type_string": "PE32 executable (GUI) Intel 80386, for MS Windows",
      "file_suffix": "exe",
      "mime_type_string": "FILE_UPLOAD",
      "has_components": null,
      "packer_name": null,
      "malware_name": "TROJAN_YAKES.CY",
      "malware_severity": "0.75",
      "malware_category": "Trojan_Generic",
      "malware_classname": "malware",
      "has_static_detection": "1",
      "has_behavioral_detection": "0",
      "user_whitelisted": null,
      "JATP_whitelisted": null,
      "has_cnc": null,
      "dig_cert_name": null,
      "analysis_start_time": "2016-06-02 08:34:40.513488+00",
      "analysis_done_time": "2016-06-02 08:35:03.877626+00",
      "source_url_rank": "-1",
      "reputation_score": "35",
      "microsoft_name": "None",
      "has_behavior_log": "1",
      "screen_shots": [
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_00.jpg",
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_01.jpg",
        "/analysis/897/qemu-results/screenshots-winxp/screenshot_02.jpg"
      ]
    }
  ],
  "analysis_details": {
    "local_path": "/var/spool/c-icap/download/CI_TMPFP9jYz",
    "file_md5_string": "7be866d691c3da79f51240bf8963e210",
    "file_sha1_string": "1f707b2fe77691ee91aa5da0a326aec40182bb0d",
    "file_sha256_string": "fada509542437360aeaa73a6256a9f1c88764e823f0f0a6a78fb66e419b5f389",
    "file_size": "893977",
    "file_type_string": "PE32 executable (GUI) Intel 80386, for MS Windows",
    "file_suffix": "exe",
    "mime_type_string": "FILE_UPLOAD",
    "has_components": null,
    "packer_name": null,
    "malware_name": "TROJAN_YAKES.CY",
    "malware_severity": "0.75",
    "malware_category": "Trojan_Generic",
    "malware_classname": "malware",
    "has_static_detection": "1",
    "has_behavioral_detection": "0",
    "user_whitelisted": null,
    "JATP_whitelisted": null,
    "has_cnc": null,
    "dig_cert_name": null,
    "analysis_start_time": "2016-06-02 08:34:40.513488+00",
    "analysis_done_time": "2016-06-02 08:35:03.877626+00",
    "source_url_rank": "-1",
    "reputation_score": "35",
    "microsoft_name": "None",
    "has_behavior_log": "1",
    "screen_shots": [
      "/analysis/897/qemu-results/screenshots-winxp/screenshot_00.jpg",
      "/analysis/897/qemu-results/screenshots-winxp/screenshot_01.jpg",
      "/analysis/897/qemu-results/screenshots-winxp/screenshot_02.jpg"
    ]
  },
  "status": 0
}
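As an added example (not Juniper's own client code), a small Python helper that applies the parameter rules stated above when building an analysis_details request and then normalises the reply's string-typed flags ("1", "0", null) into a triage verdict. The HOST placeholder, the API key and the trimmed sample reply are constructed here from the page's own values.

```python
"""Build analysis_details requests and triage the reply (added example)."""
import re
from urllib.parse import urlencode

HOST = "HOST"                                  # placeholder, as on the page
API_KEY = "0123456789abcdef0123456789abcdef"   # constructed placeholder key

_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)
_SHA1 = re.compile(r"^[0-9a-f]{40}$", re.I)


def build_analysis_details_request(event_id=None, md5sum=None, sha1sum=None,
                                   get_components=False):
    """Return (url, headers, body) for a POST to op=analysis_details.

    Mirrors the page's rules: one of event_id / md5sum / sha1sum is
    mandatory, and when event_id is present the server ignores the hashes,
    so they are dropped here instead of being sent and silently ignored.
    Send the result with TLS verification on; the page's curl -k skips it.
    """
    if event_id is None and md5sum is None and sha1sum is None:
        raise ValueError("one of event_id, md5sum or sha1sum is required")
    params = {}
    if event_id is not None:
        params["event_id"] = int(event_id)      # rejects non-numeric ids
    else:
        if md5sum is not None:
            if not _MD5.match(md5sum):
                raise ValueError("md5sum must be 32 hex characters")
            params["md5sum"] = md5sum.lower()
        if sha1sum is not None:
            if not _SHA1.match(sha1sum):
                raise ValueError("sha1sum must be 40 hex characters")
            params["sha1sum"] = sha1sum.lower()
    if get_components:
        params["get_components"] = 1
    url = f"https://{HOST}/cyadmin/api.php?op=analysis_details"
    headers = {"Authorization": API_KEY}       # device user API key header
    return url, headers, urlencode(params)


def _flag(value):
    """Flags in the reply arrive as "1"/"0" strings or null; make them bool."""
    return value not in (None, "", "0", 0, False)


def triage(response):
    """Reduce one analysis_details reply to the fields an analyst acts on.

    'verdict' is "whitelisted" when either whitelist flag is set,
    "malicious" when a static or behavioral detection fired, else "clean".
    """
    if response.get("status") != 0:
        raise RuntimeError(f"API returned status {response.get('status')}")
    d = response["analysis_details"]
    static = _flag(d.get("has_static_detection"))
    behavioral = _flag(d.get("has_behavioral_detection"))
    whitelisted = (_flag(d.get("user_whitelisted"))
                   or _flag(d.get("JATP_whitelisted")))
    severity = float(d.get("malware_severity") or 0.0)   # string on the wire
    if whitelisted:
        verdict = "whitelisted"
    elif static or behavioral:
        verdict = "malicious"
    else:
        verdict = "clean"
    return {
        "sha256": d.get("file_sha256_string"),
        "file_type": d.get("file_type_string"),
        "malware_name": d.get("malware_name"),
        "severity": severity,
        "static": static,
        "behavioral": behavioral,
        "has_cnc": _flag(d.get("has_cnc")),
        "has_components": _flag(d.get("has_components")),
        "verdict": verdict,
    }


# Constructed sample: a trimmed copy of the page's sample response.
SAMPLE_RESPONSE = {
    "analysis_details": {
        "file_md5_string": "7be866d691c3da79f51240bf8963e210",
        "file_sha256_string": "fada509542437360aeaa73a6256a9f1c8"
                              "8764e823f0f0a6a78fb66e419b5f389",
        "file_type_string": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "malware_name": "TROJAN_YAKES.CY",
        "malware_severity": "0.75",
        "has_static_detection": "1",
        "has_behavioral_detection": "0",
        "user_whitelisted": None,
        "JATP_whitelisted": None,
        "has_cnc": None,
        "has_components": None,
    },
    "status": 0,
}

if __name__ == "__main__":
    print(build_analysis_details_request(event_id=672))
    print(triage(SAMPLE_RESPONSE))
```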
backup
This API performs a backup of the running config for the current Juniper ATP Appliance system.
This API uses no parameters, and the response for this API is the file containing the backup.
https://HOST/cyadmin/api.php?op=backup
Example
curl -k -v -H "Authorization:7c71c218662411a5c857042053acca8f" "https://HOST/cyadmin/api.php?op=backup"
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any User to obtain an API Key.
Sample Response
There is no response generated for this API.
behavior_details
This API retrieves per-event analysis details from the Juniper ATP Appliance behavior analysis engine. Use this API to capture all behavioral analysis details for a selected incident event, including all registry changes, mutexes created, and so on.
https://HOST/cyadmin/api.php?op=behavior_details
HTTP Post Parameters | Description
event_id | [Required] Obtain this ID from the output of the API https://<Host>/cyadmin/api.php?op=events
collector_id | ID of the Collector that processed the malicious traffic.
API Access: To see the behavior_details API called from the Central Manager Web UI Incidents page: select an incident from the Incidents table, scroll down the page and click the Downloads or Uploads tab. Expand the row to view details; this action triggers a call to the behavior_details API.
See also: analysis_details
Example
curl -k -H "Authorization:7c71c218662411a5c857042053acca8f" "https://10.2.20.37/cyadmin/api.php?op=behavior_details" -d "event_id=672&collector_id=aaaa-bbbb-cccc-ddddd"
Authorization - The device user API key.
Obtain from Config > System Profiles > Users > Click on any User to obtain an API Key.
NEW: Additional JSON objects are available for obtaining third party ingestion vendor information:
memory_artifact_details: This contains all the memory artifact strings that are recognized for the executable from which Juniper ATP Appliance is able to take a memory dump when certain Windows API calls are used. This corresponds to the Memory Artifacts information displayed in the Juniper ATP Appliance Central Manager Web UI incident displays.
malware_actions: behavior_details uses an object called malware_actions that lists all the actions exhibited by detected malware. This corresponds to the Malware Traits information displayed in the Juniper ATP Appliance Central Manager Web UI incident displays.
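As an added example (not Juniper's code), a Python summariser for the malware_actions and processes_spawned arrays that behavior_details returns, producing the per-process trait view an analyst or SIEM pipeline would build from it. Field names are those of the page's sample output; the sample data below is a constructed subset of that output, and treating a lower group_priority as more significant is an assumption drawn from the page's values (20 for Anti Sandbox, 140 for All Other Behaviors), not a documented rule.

```python
"""Summarise behavior_details malware_actions per process (added example)."""
from collections import defaultdict

_FILE = {1556: "JATP-000-1556.txt", 1268: "JATP-001-1268.txt"}
_TMP = "C:\\Users\\John\\AppData\\Local\\Temp\\"
_DISK_ENUM = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum"
FILE_DROP_ACTIONS = {"new_file", "new_suspicious_file"}


def _act(line, pid, group, prio, gdesc, action, desc, value=None, new_pid=None):
    """One malware_actions entry in the page's schema (constructed data)."""
    return {"line_number": line, "new_pid": new_pid, "description": desc,
            "file_name": _FILE[pid], "group_priority": prio, "pid": pid,
            "group_name": group, "value_details": value,
            "group_description": gdesc, "action_name": action}


# Constructed subset of the page's sample output.
SAMPLE = {"behavior_details": {
    "cook_env": "win7-winapi",
    "processes_spawned": [
        {"command_ppid": 1556, "command_pid": 1268, "command_name": "csrss.exe",
         "command_args": _TMP + "csrss.exe --anti-sandbox",
         "command_path": _TMP + "csrss.exe"}],
    "malware_actions": [
        _act(10, 1556, "anti_sandbox", 20, "Anti Sandbox", "regkey_open",
             "Checks the disk enum registry key", _DISK_ENUM),
        _act(24, 1556, "misc_file_creation", 110, "All Other File Drops",
             "new_file", "Creates a new file", _TMP + "csrss.exe"),
        _act(24, 1556, "suspicious_file_creation", 50, "Suspicious File Drops",
             "new_suspicious_file", "Creates a suspicious file", _TMP + "csrss.exe"),
        _act(43, 1556, "suspicious_processes", 40, "Suspicious Processes",
             "fake_system_process", "Creates a spoofed system process",
             "svnhost.exe", new_pid=1344),
        _act(57, 1556, "code_injection", 105, "Suspicious Code Injection Behaviors",
             "allocate_committed_mem_exec", "Allocates committed memory with execute bit set", "4096"),
        _act(10, 1268, "anti_sandbox", 20, "Anti Sandbox", "regkey_open",
             "Checks the disk enum registry key", _DISK_ENUM),
        _act(61, 1556, "anti_sandbox", 20, "Anti Sandbox", "sleep_5min+",
             "Sleeps for an excessive amount of time"),
    ]}, "status": 0}


def actions_by_pid(details):
    """Group actions by acting pid, most significant group first (lowest
    group_priority; assumption from the page's values), then by log line."""
    per_pid = defaultdict(list)
    for a in details["malware_actions"]:
        per_pid[a["pid"]].append(a)
    for pid in per_pid:
        per_pid[pid].sort(key=lambda a: (a["group_priority"], a["line_number"]))
    return dict(per_pid)


def trait_summary(details):
    """Distinct traits (group_description) with counts, most significant first.

    One sandbox log line is reported under several groups (line 24 is both a
    new_file and a new_suspicious_file), so each group counts distinct
    (file_name, line_number) pairs rather than raw entries.
    """
    seen, prio = defaultdict(set), {}
    for a in details["malware_actions"]:
        seen[a["group_description"]].add((a["file_name"], a["line_number"]))
        prio[a["group_description"]] = a["group_priority"]
    return [(g, len(seen[g])) for g in sorted(seen, key=lambda g: prio[g])]


def dropped_files(details):
    """Paths written to disk, de-duplicated across the file-drop groups."""
    return sorted({a["value_details"] for a in details["malware_actions"]
                   if a["action_name"] in FILE_DROP_ACTIONS and a["value_details"]})


def process_tree(details):
    """Parent pid -> child pids from processes_spawned plus new_pid on actions."""
    tree = defaultdict(set)
    for p in details["processes_spawned"]:
        tree[p["command_ppid"]].add(p["command_pid"])
    for a in details["malware_actions"]:
        if a["new_pid"] is not None:
            tree[a["pid"]].add(a["new_pid"])
    return {ppid: sorted(kids) for ppid, kids in tree.items()}


def triage_report(response):
    """Text report shaped like the Malware Traits incident view."""
    if response.get("status") != 0:
        raise RuntimeError(f"API returned status {response.get('status')}")
    d = response["behavior_details"]
    lines = [f"sandbox: {d.get('cook_env')}"]
    lines += [f"  {group}: {n}" for group, n in trait_summary(d)]
    lines += [f"  dropped: {path}" for path in dropped_files(d)]
    lines += [f"  pid {ppid} spawned {kids}" for ppid, kids in sorted(process_tree(d).items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE))
```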
Sample Output
curl 'https://10.2.25.21/cyadmin/api.php?op=behavior_details&sha1sum=c174ed87d658110b1596e30a827a810f0e1bc102' -H 'Host: 10.2.25.24' -H "Authorization:292fef0472b25dd9e1c032c69a4c9a18" --insecure | json_pp
{
  "behavior_details": {
    "has_ivp": true,
    "cnc_array": [
      { "host": "teredo.ipv6.microsoft.com", "string": "port 53 DNS", "response": "" }
    ],
    "registry_changes": [
      { "key_path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "was_created": 0 },
      { "key_path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "was_created": 0 }
    ],
    "malware_actions": [
      { "line_number": 10, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 11, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 13, "new_pid": null, "description": "Accesses a suspicious registry key", "file_name": "JATP-000-1556.txt", "group_priority": 100, "pid": 1556, "group_name": "suspicious_reg_access", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Suspicious Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 14, "new_pid": null, "description": "Checks the System BIOS/Processor registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 16, "new_pid": null, "description": "Accesses a registry key", "file_name": "JATP-000-1556.txt", "group_priority": 130, "pid": 1556, "group_name": "other_reg_access", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "group_description": "All Other Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 17, "new_pid": null, "description": "Checks the ProductId/InstallDate to see if it's on the known sandbox list", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 19, "new_pid": null, "description": "Checks to see if the Just In Time debugger is set (also known as post mortem debugger)", "file_name": "JATP-000-1556.txt", "group_priority": 30, "pid": 1556, "group_name": "anti_debug", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Anti Debug", "action_name": "regkey_open" },
      { "line_number": 21, "new_pid": null, "description": "Checks the registry to get a list of installed apps", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 24, "new_pid": null, "description": "Creates a new file", "file_name": "JATP-000-1556.txt", "group_priority": 110, "pid": 1556, "group_name": "misc_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe", "group_description": "All Other File Drops", "action_name": "new_file" },
      { "line_number": 35, "new_pid": null, "description": "Creates a new file", "file_name": "JATP-000-1556.txt", "group_priority": 110, "pid": 1556, "group_name": "misc_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\svnhost.exe", "group_description": "All Other File Drops", "action_name": "new_file" },
      { "line_number": 46, "new_pid": null, "description": "Creates a new file", "file_name": "JATP-000-1556.txt", "group_priority": 110, "pid": 1556, "group_name": "misc_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\isass.exe", "group_description": "All Other File Drops", "action_name": "new_file" },
      { "line_number": 57, "new_pid": null, "description": "Allocates committed memory with execute bit set - could be a process of injecting code", "file_name": "JATP-000-1556.txt", "group_priority": 105, "pid": 1556, "group_name": "code_injection", "value_details": "4096", "group_description": "Suspicious Code Injection Behaviors", "action_name": "allocate_committed_mem_exec" },
      { "line_number": 59, "new_pid": null, "description": "Sets a page of memory to enable execution", "file_name": "JATP-000-1556.txt", "group_priority": 105, "pid": 1556, "group_name": "code_injection", "value_details": null, "group_description": "Suspicious Code Injection Behaviors", "action_name": "set_mem_execute" },
      { "line_number": 10, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-001-1268.txt", "group_priority": 20, "pid": 1268, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 11, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-001-1268.txt", "group_priority": 20, "pid": 1268, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 13, "new_pid": null, "description": "Accesses a suspicious registry key", "file_name": "JATP-001-1268.txt", "group_priority": 100, "pid": 1268, "group_name": "suspicious_reg_access", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Suspicious Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 14, "new_pid": null, "description": "Checks the System BIOS/Processor registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-001-1268.txt", "group_priority": 20, "pid": 1268, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 16, "new_pid": null, "description": "Accesses a registry key", "file_name": "JATP-001-1268.txt", "group_priority": 130, "pid": 1268, "group_name": "other_reg_access", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "group_description": "All Other Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 17, "new_pid": null, "description": "Checks the ProductId/InstallDate to see if it's on the known sandbox list", "file_name": "JATP-001-1268.txt", "group_priority": 20, "pid": 1268, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 19, "new_pid": null, "description": "Checks to see if the Just In Time debugger is set (also known as post mortem debugger)", "file_name": "JATP-001-1268.txt", "group_priority": 30, "pid": 1268, "group_name": "anti_debug", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Anti Debug", "action_name": "regkey_open" },
      { "line_number": 21, "new_pid": null, "description": "Checks the registry to get a list of installed apps", "file_name": "JATP-001-1268.txt", "group_priority": 20, "pid": 1268, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 10, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-003-1044.txt", "group_priority": 20, "pid": 1044, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 11, "new_pid": null, "description": "Checks the disk enum registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-003-1044.txt", "group_priority": 20, "pid": 1044, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 13, "new_pid": null, "description": "Accesses a suspicious registry key", "file_name": "JATP-003-1044.txt", "group_priority": 100, "pid": 1044, "group_name": "suspicious_reg_access", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Suspicious Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 14, "new_pid": null, "description": "Checks the System BIOS/Processor registry key to see if it contains virtual, vmware, vbox, qemu, etc.", "file_name": "JATP-003-1044.txt", "group_priority": 20, "pid": 1044, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 16, "new_pid": null, "description": "Accesses a registry key", "file_name": "JATP-003-1044.txt", "group_priority": 130, "pid": 1044, "group_name": "other_reg_access", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "group_description": "All Other Registry Accesses", "action_name": "regkey_open" },
      { "line_number": 17, "new_pid": null, "description": "Checks the ProductId/InstallDate to see if it's on the known sandbox list", "file_name": "JATP-003-1044.txt", "group_priority": 20, "pid": 1044, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Anti Sandbox", "action_name": "regval_query" },
      { "line_number": 19, "new_pid": null, "description": "Checks to see if the Just In Time debugger is set (also known as post mortem debugger)", "file_name": "JATP-003-1044.txt", "group_priority": 30, "pid": 1044, "group_name": "anti_debug", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Anti Debug", "action_name": "regkey_open" },
      { "line_number": 21, "new_pid": null, "description": "Checks the registry to get a list of installed apps", "file_name": "JATP-003-1044.txt", "group_priority": 20, "pid": 1044, "group_name": "anti_sandbox", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Anti Sandbox", "action_name": "regkey_open" },
      { "line_number": 7, "new_pid": null, "description": "Checks to see if a remote debugger is attached", "file_name": "JATP-000-1556.txt", "group_priority": 30, "pid": 1556, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "check_remote_debugger" },
      { "line_number": 7, "new_pid": null, "description": "Checks to see if a remote debugger is attached", "file_name": "JATP-001-1268.txt", "group_priority": 30, "pid": 1268, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "check_remote_debugger" },
      { "line_number": 7, "new_pid": null, "description": "Checks to see if a remote debugger is attached", "file_name": "JATP-003-1044.txt", "group_priority": 30, "pid": 1044, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "check_remote_debugger" },
      { "line_number": 57, "new_pid": null, "description": "Sets a page of memory to enable execution", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "4096", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 59, "new_pid": null, "description": "Sets a page of memory to enable execution", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": null, "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 43, "new_pid": 1344, "description": "Creates a spoofed system process", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "svnhost.exe", "group_description": "Suspicious Processes", "action_name": "fake_system_process" },
      { "line_number": 54, "new_pid": 1044, "description": "Creates a spoofed system process", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "isass.exe", "group_description": "Suspicious Processes", "action_name": "fake_system_process" },
      { "line_number": 32, "new_pid": null, "description": "Creates a spoofed system process from a nonstandard path", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe", "group_description": "Suspicious Processes", "action_name": "known_process_not_in_known_path" },
      { "line_number": 11, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 14, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 17, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 11, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 14, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 17, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 11, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum\\\"0\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 14, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\\"SystemBiosVersion\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 17, "new_pid": null, "description": "Queries suspicious registry value - anti-vm/antisandbox behaviors", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\\"ProductId\"", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 57, "new_pid": null, "description": "Allocates and commits memory", "file_name": "JATP-000-1556.txt", "group_priority": 140, "pid": 1556, "group_name": "other_behavior", "value_details": null, "group_description": "All Other Behaviors", "action_name": "allocate_committed_mem" },
      { "line_number": 61, "new_pid": null, "description": "Calls sleep API", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": null, "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 8, "new_pid": null, "description": "Outputs to debug port", "file_name": "JATP-000-1556.txt", "group_priority": 30, "pid": 1556, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "output_debug_string" },
      { "line_number": 8, "new_pid": null, "description": "Outputs to debug port", "file_name": "JATP-001-1268.txt", "group_priority": 30, "pid": 1268, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "output_debug_string" },
      { "line_number": 8, "new_pid": null, "description": "Outputs to debug port", "file_name": "JATP-003-1044.txt", "group_priority": 30, "pid": 1044, "group_name": "anti_debug", "value_details": null, "group_description": "Anti Debug", "action_name": "output_debug_string" },
      { "line_number": 32, "new_pid": null, "description": "Creates a process that runs in a suspicious path", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe", "group_description": "Suspicious Processes", "action_name": "create_process_in_suspicious_path" },
      { "line_number": 43, "new_pid": null, "description": "Creates a process that runs in a suspicious path", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\svnhost.exe", "group_description": "Suspicious Processes", "action_name": "create_process_in_suspicious_path" },
      { "line_number": 54, "new_pid": null, "description": "Creates a process that runs in a suspicious path", "file_name": "JATP-000-1556.txt", "group_priority": 40, "pid": 1556, "group_name": "suspicious_processes", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\isass.exe", "group_description": "Suspicious Processes", "action_name": "create_process_in_suspicious_path" },
      { "line_number": 24, "new_pid": null, "description": "Creates a suspicious file", "file_name": "JATP-000-1556.txt", "group_priority": 50, "pid": 1556, "group_name": "suspicious_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe", "group_description": "Suspicious File Drops", "action_name": "new_suspicious_file" },
      { "line_number": 35, "new_pid": null, "description": "Creates a suspicious file", "file_name": "JATP-000-1556.txt", "group_priority": 50, "pid": 1556, "group_name": "suspicious_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\svnhost.exe", "group_description": "Suspicious File Drops", "action_name": "new_suspicious_file" },
      { "line_number": 46, "new_pid": null, "description": "Creates a suspicious file", "file_name": "JATP-000-1556.txt", "group_priority": 50, "pid": 1556, "group_name": "suspicious_file_creation", "value_details": "C:\\Users\\John\\AppData\\Local\\Temp\\isass.exe", "group_description": "Suspicious File Drops", "action_name": "new_suspicious_file" },
      { "line_number": 61, "new_pid": null, "description": "Sleeps for an excessive amount of time", "file_name": "JATP-000-1556.txt", "group_priority": 20, "pid": 1556, "group_name": "anti_sandbox", "value_details": null, "group_description": "Anti Sandbox", "action_name": "sleep_5min+" },
      { "line_number": 10, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 13, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 19, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 21, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-000-1556.txt", "group_priority": 109, "pid": 1556, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 10, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 13, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 19, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 21, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-001-1268.txt", "group_priority": 109, "pid": 1268, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 10, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\Disk\\Enum", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 13, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 19, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AeDebug", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" },
      { "line_number": 21, "new_pid": null, "description": "Opens suspicious registry key", "file_name": "JATP-003-1044.txt", "group_priority": 109, "pid": 1044, "group_name": "misc_suspicious_behavior", "value_details": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "group_description": "Other Suspicious Behaviors", "action_name": "suspicious_action" }
    ],
    "cook_env": "win7-winapi",
    "processes_spawned": [
      { "command_ppid": 1556, "command_pid": 1268, "command_name": "csrss.exe", "command_args": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe --anti-sandbox", "command_path": "C:\\Users\\John\\AppData\\Local\\Temp\\csrss.exe" },
      { "command_ppid": 1556, "command_pid": 1344,
"command_name": "svnhost.exe", "command_args": "C:\\Users\\John\\AppData\\Local\\Temp\\svnhost.exe --do-nothing", "command_path": "C:\\Users\\John\\AppData\\Local\\Temp\\svnhost.exe" }, { "command_ppid": 1556, "command_pid": 1044, "command_name": "isass.exe", "command_args": "C:\\Users\\John\\AppData\\Local\\Temp\\isass.exe --anti-sandbox", "command_path": "C:\\Users\\John\\AppData\\Local\\Temp\\isass.exe" } ], "os_type": "win7", "sha1sum": "c174ed87d658110b1596e30a827a810f0e1bc102" }, "memory_artifact_details": { "JATPdump-000-1556-CreateProcessInternalW.windump": { "display_names": { "security_tools": "Security Tools Detected", "ips": "IP Strings", "vm_tools": "Virtual Machines Detected", "urls": "URL Strings", "embedded_public_key": "Encryption Keys" }, "embedded_public_key": "", "vm_tools": [], "ips": [], "urls": [], "security_tools": [] } }, "session_timeout_sec": 18000, "status": 0, "server_ip": "10.2.25.21", "server_name": "10.2.25.21", "max_cook_size": 15000001, "status_fc_on": 0, "status_sigeng_on": 1, "status_hre_on": 1, "status_sc_on": 1, "status_correlation_on": 1, "status_internet_on": 1, "status_mode": 0, "status_web_collector": 0, "status_downstream_web_collector": 0 }