Malware can be uploaded to ThreatConnect® for the purpose of analysis. For security reasons, this task can be accomplished only by encrypting and zipping the malware and then creating it as a Document Group in ThreatConnect.
- Select a malware file and convert it to a password-protected, encrypted, and compressed (.zip) format.
- From the top navigation bar (Figure 1), place the cursor over CREATE (Figure 2) and then over the GROUP option.
- Click on the DOCUMENT object, and the Create Document screen will appear with the Details section selected (Figure 3).
  - Type: The Type drop-down menu can be used to select a different Group type if desired. Keep the selection as Document.
  - Owner: Select the Owner of the malware Document.
  - Summary: Use this section to provide a name for the Document. For Malware Vault Documents, the name should be the filename of the original malware sample, including the file extension, inside the password-protected .zip folder (e.g., bad.exe).
  - Upload Document: Use this section to upload the Document. Once the Document has been uploaded, the filename will appear underneath the orange malware warning, along with a checkbox labeled Add to Malware Vault (Figure 4). Click the box to check it.
  - Password: Enter the password needed to decrypt the file.
    NOTE: “TCinfected” is the default, and preferred, password for any malicious files uploaded to the malware vault.
  - Description: Provide a general description of the Group, such as the types of actors it comprises; tactics, techniques, and procedures (TTPs); etc.
  - Apply Description to Associations: Check this box to apply the Description to the Group’s Associations.
  - Tags: Enter Tags for the Group.
  - Apply Tags to Associations: Check this box to apply the Tags to the Group’s Associations.
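
A pre-upload check for the archive produced in the first step, as an added example that is not ThreatConnect code: it confirms the .zip entry is flagged as encrypted and returns the value to type into the Summary field. The function names are hypothetical, and the rule of one sample per archive is an assumption drawn from the Summary description above.

```python
import io
import sys
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def vault_summary_name(archive):
    """Return the Summary name for a Malware Vault upload, or raise ValueError.

    `archive` is a path or a binary file object. Only the ZIP central
    directory is read, so the sample is never decrypted or written to disk.
    """
    with zipfile.ZipFile(archive) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
    if len(members) != 1:  # assumption: one sample per archive
        raise ValueError(f"expected one sample in the archive, found {len(members)}")
    member = members[0]
    if not member.flag_bits & ENCRYPTED_FLAG:
        raise ValueError(f"{member.filename} is stored without encryption")
    # Summary is the original filename with its extension, e.g. bad.exe
    return member.filename.rsplit("/", 1)[-1]


def constructed_plain_zip():
    """Constructed sample: a ZIP built WITHOUT a password (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bad.exe", b"placeholder, not malware")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Pass the path of the archive to check; with no argument the constructed
    # unencrypted sample is used and is rejected.
    target = sys.argv[1] if len(sys.argv) > 1 else constructed_plain_zip()
    try:
        print("Summary:", vault_summary_name(target))
    except ValueError as err:
        print("Do not upload:", err)
```

The check reads archive metadata only, so it shows that encryption was applied but not that the password is the one entered in the Password field.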
Organization Administrators and higher can prevent users from accidentally uploading malware. To do so, hover the cursor over the Settings icon on the top navigation bar (Figure 1), choose ORG SETTINGS, and select the Communities/Sources tab. Then click on a community to view the Information screen for the Community (Figure 6).
Check the Restrict Document Storage to Malware Vault checkbox to ensure that all documents users upload will be placed automatically in the Malware Vault. This restriction is enforced in three locations: the Create Document screen (Figure 3 and Figure 4), when uploading a file to an existing Document on the Document’s Details screen, and API Document creation for Documents in Communities.