Synapse-HybridAnalysis User Guide
Synapse-HybridAnalysis adds new Storm commands to allow you to query the HybridAnalysis API using your existing API key.
Getting Started
Check with your admin to enable permissions and find out whether you need a personal API key.
Examples
Setting your personal API key
To set up a personal use API key:
> hybridanalysis.setup.apikey --self myapikey
Setting Synapse-HybridAnalysis API key for the current user.
Query the Hybrid Analysis API by hash and ingest jobs
> hash:sha256#myhash | hybridanalysis.byhash --yield
it:exec:proc=93075c7da7808f7e4bcf55eceaf29962
.created = 2024/12/20 18:04:12.550
:host = 1c2a553239528f7302beab95b1f43007
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:time = 2021/05/13 11:00:24.000
Pivot to created inet:dns:request nodes.
> hash:sha256#myhash | hybridanalysis.byhash --yield | -> inet:dns:request | limit 2
inet:dns:request=ba77dc8461a9811270fba22d30de4344
.created = 2024/12/20 18:04:12.696
:host = 1c2a553239528f7302beab95b1f43007
:proc = 93075c7da7808f7e4bcf55eceaf29962
:query:name = maxcdn.bootstrapcdn.com
:query:name:fqdn = maxcdn.bootstrapcdn.com
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:time = 2021/05/13 11:00:24.000
inet:dns:request=81a99b76ed8c9e674f1d0b159ce0f0f2
.created = 2024/12/20 18:04:12.648
:host = 1c2a553239528f7302beab95b1f43007
:proc = 93075c7da7808f7e4bcf55eceaf29962
:query:name = cdnjs.cloudflare.com
:query:name:fqdn = cdnjs.cloudflare.com
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:time = 2021/05/13 11:00:24.000
Pivot to created inet:flow nodes.
> hash:sha256#myhash | hybridanalysis.byhash --yield | -> inet:flow | limit 2
inet:flow=eb577a40e63b54e60cfd61588d628549
.created = 2024/12/20 18:04:12.875
:dst:ipv4 = 168.61.159.114
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:src:host = 1c2a553239528f7302beab95b1f43007
:src:proc = 93075c7da7808f7e4bcf55eceaf29962
:time = 2021/05/13 11:00:24.000
inet:flow=6e360421d2d523dbea02a5756a756e2c
.created = 2024/12/20 18:04:12.895
:dst:ipv4 = 172.217.5.99
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:src:host = 1c2a553239528f7302beab95b1f43007
:src:proc = 93075c7da7808f7e4bcf55eceaf29962
:time = 2021/05/13 11:00:24.000
Query the Hybrid Analysis Report Summary API by hash and ingest detailed information about jobs
> hash:sha256#myhash | hybridanalysis.reportsummary --yield
it:av:scan:result=1c2a553239528f7302beab95b1f43007
.created = 2024/12/20 18:04:14.401
:signame = trojan.js.phishing
:target:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
:target:host = 1c2a553239528f7302beab95b1f43007
:target:proc = 93075c7da7808f7e4bcf55eceaf29962
:time = 2021/05/13 11:00:24.000
:verdict = malicious
Pivot to created it:exec:file:add nodes.
> hash:sha256#myhash -> file:bytes -> it:exec:file:add | limit 3
it:exec:file:add=dba0e0b46533526f23a5063e9ad4f037
.created = 2024/12/20 18:04:15.391
:file = sha256:9018bd6aab62f2fcfa8d41c6bced3fd67a92565202bd68219ede9fed521152b7
:host = 1c2a553239528f7302beab95b1f43007
:path = %appdata%/microsoft/windows/cookies/j06ftz8k.txt
:path:base = j06ftz8k.txt
:path:dir = %appdata%/microsoft/windows/cookies
:path:ext = txt
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
it:exec:file:add=59e70dcb681bddc93d04cdf263a28069
.created = 2024/12/20 18:04:15.814
:file = sha256:81ca5667daa430cc8929d079bc64051286ce03a461bed98ed722cfcd7202ef1d
:host = 1c2a553239528f7302beab95b1f43007
:path = %appdata%/microsoft/windows/cookies/zknofc5r.txt
:path:base = zknofc5r.txt
:path:dir = %appdata%/microsoft/windows/cookies
:path:ext = txt
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
it:exec:file:add=ed5e127a0537256825f648ff79d14d30
.created = 2024/12/20 18:04:14.760
:file = sha256:fd5116f4c4b995ca9c4c94dd3a473f57869bf6fb5e6bb6c38a1ad76b367e7a07
:host = 1c2a553239528f7302beab95b1f43007
:path = %appdata%/microsoft/windows/cookies/01g1kyvp.txt
:path:base = 01g1kyvp.txt
:path:dir = %appdata%/microsoft/windows/cookies
:path:ext = txt
:sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
Pivot to created it:mitre:attack:technique nodes used by the file.
> hash:sha256#myhash -> file:bytes -(uses)> it:mitre:attack:technique
it:mitre:attack:technique=T1043
.created = 2024/12/20 18:04:17.179
:name = commonly used port
:url = https://attack.mitre.org/techniques/T1043
it:mitre:attack:technique=T1055
.created = 2024/12/20 18:04:17.035
:name = process injection
:url = https://attack.mitre.org/techniques/T1055
it:mitre:attack:technique=T1010
.created = 2024/12/20 18:04:17.120
:name = application window discovery
:url = https://attack.mitre.org/techniques/T1010
it:mitre:attack:technique=T1179
.created = 2024/12/20 18:04:16.973
:name = hooking
:url = https://attack.mitre.org/techniques/T1179
it:mitre:attack:technique=T1114
.created = 2024/12/20 18:04:17.149
:name = email collection
:url = https://attack.mitre.org/techniques/T1114
Query the Hybrid Analysis Overview API by file and ingest antivirus hits
> file:bytes#myfile | hybridanalysis.overview | -+> it:av:filehit
file:bytes=sha256:d88ea493cdd719ff2e2c02cea66dd15d358f914ea8741d6d6d3dd60b66adf923
.created = 2024/12/20 18:04:17.620
.seen = ('2021/03/25 13:12:55.000', '2021/08/08 21:36:15.000')
:name = malware.bin
:sha256 = d88ea493cdd719ff2e2c02cea66dd15d358f914ea8741d6d6d3dd60b66adf923
:size = 37426
#myfile
#rep.hybridanalysis.apt
#rep.hybridanalysis.malicious
Use of meta:source nodes
Synapse-HybridAnalysis uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the HybridAnalysis API.
> meta:source=11c862e1e63e9c28ca328aa29756f9fc
meta:source=11c862e1e63e9c28ca328aa29756f9fc
.created = 2024/12/20 18:04:12.441
:name = hybrid analysis api
Storm filters can be used to include or exclude nodes that have been observed by Synapse-HybridAnalysis. The following example filters the results of a query to include only nodes observed by Synapse-HybridAnalysis:
> it:host +{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
it:host=1c2a553239528f7302beab95b1f43007
.created = 2024/12/20 18:04:12.531
:desc = Windows 7 32 bit
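A hunting-oriented pipeline that chains the commands, pivots and meta:source filter shown above, added here as an example and not taken from the Power-Up's own documentation. Each query is run separately; the tag names #hunt.sandbox.dns, #hunt.sandbox.netconn and #rep.sandbox.malicious are assumed, and the meta:source guid is the one shown above.

```storm
// Added example; tag names are assumed, the meta:source guid is from this guide.

// Query 1: enrich the tagged hashes, pivot through the sandboxed processes to
// the FQDNs they resolved, and tag those FQDNs for hunting in DNS logs.
hash:sha256#myhash
| hybridanalysis.byhash --yield
| -> inet:dns:request
| :query:name -> inet:fqdn
| [ +#hunt.sandbox.dns ]

// Query 2: collect destination IPs from the sandbox network flows, keeping only
// flows that this meta:source observed, and tag them for netflow hunting.
hash:sha256#myhash
| hybridanalysis.byhash --yield
| -> inet:flow
| +{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
| :dst:ipv4 -> inet:ipv4
| [ +#hunt.sandbox.netconn ]

// Query 3: tag the submitted file only when the report summary verdict is
// malicious, then walk its MITRE ATT&CK techniques for triage notes.
hash:sha256#myhash
| hybridanalysis.reportsummary --yield
| +:verdict=malicious
| :target:file -> file:bytes
| [ +#rep.sandbox.malicious ]
| -(uses)> it:mitre:attack:technique

// Query 4: the exclude side of the meta:source filter, listing sandbox hosts
// that were NOT observed via the Hybrid Analysis API.
it:host -{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
```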