Malware can be uploaded to ThreatConnect® for the purpose of analysis. For security reasons, this task can be accomplished only by encrypting and zipping the malware and then creating it as a Document Group in ThreatConnect.
Uploading a File to the Malware Vault
- Select a malware file and convert it to a password-protected, encrypted, and compressed (.zip) format.
- From the top navigation bar (Figure 1), place the cursor over Create and then over the Group option. Select the Document object, and the Create Document screen will be displayed with the Details section selected (Figure 2).
- Type: The Type dropdown menu is used to select a different Group type. Keep the selection as Document.
- Owner: Use the dropdown menu to select the Owner of the malware Document.
- Summary: Enter a name for the Document. For Malware Vault Documents, the name should be the filename of the original malware sample, including the file extension, inside the password-protected .zip folder (e.g., bad.exe).
- Upload Document: Use this section to upload the Document. Once the Document has been uploaded, the filename will appear underneath the orange malware warning, along with a checkbox labeled Add to Malware Vault, which should be selected so that the Document is added to the Malware Vault (Figure 3).
- Password: Enter the password needed to decrypt the file.
NOTE: “TCinfected” is the default, and preferred, password for any malicious files uploaded to the Malware Vault.
- Description: Provide a general description of the Group, such as the types of actors it comprises; tactics, techniques, and procedures (TTPs); etc.
- Apply Description to Associations: Check this box to apply the Description to the Group’s Associations.
- Tags: Enter Tags for the Group.
- Apply Tags to Associations: Check this box to apply the Tags to the Group’s Associations.
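A pre-upload check for the archive prepared in the first step, as an added example that is not part of the ThreatConnect documentation: it confirms that every entry in the .zip has the ZIP encryption flag set and that the archive contains the file named in Summary. The function names and sample archives are constructed for illustration; the check reads header flags only and does not test the password.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def check_vault_archive(data: bytes, summary_name: str) -> list[str]:
    """Return a list of problems; an empty list means no problem was found."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid .zip archive"]
    problems = []
    with archive:
        files = [i for i in archive.infolist() if not i.is_dir()]
    if not files:
        problems.append("archive contains no files")
    for info in files:
        if not info.flag_bits & ENCRYPTED_FLAG:
            problems.append(f"{info.filename}: entry is not encrypted")
    # The Summary field should equal the sample's filename inside the archive.
    if summary_name not in [i.filename.rsplit("/", 1)[-1] for i in files]:
        problems.append(f"no entry named {summary_name!r} to match Summary")
    return problems


def constructed_zip(name: str, flag_encrypted: bool) -> bytes:
    """Constructed test input: a zip of placeholder bytes, optionally with the
    encryption flag set in its headers (the data itself is not real ciphertext)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"harmless placeholder bytes")
    raw = bytearray(buf.getvalue())
    if flag_encrypted:
        raw[6] |= ENCRYPTED_FLAG                           # local file header flags
        raw[raw.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED_FLAG  # central directory flags
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("flagged", constructed_zip("bad.exe", True)),
                        ("plain", constructed_zip("bad.exe", False))]:
        print(label, check_vault_archive(blob, "bad.exe") or "ok")
```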
Organization Administrators and higher can prevent users in Communities from accidentally uploading malware. To do so, hover the cursor over the Settings icon on the top navigation bar (Figure 1), choose Org Settings, and select the Communities/Sources tab. Then click on a Community to view its Information screen (Figure 5).
Ensure that the Restrict Document Storage to Malware Vault checkbox is selected so that all documents that Community contributors upload will be placed automatically in the Malware Vault. This restriction is enforced in three locations: the Create Document screen (Figure 2 and Figure 3), when uploading a file to an existing Document on the Document’s Details screen, and API Document creation for Documents in Communities.
NOTE: Community Editors and Community Directors will not be affected by the restriction.