Synapse-HybridAnalysis User Guide

Synapse-HybridAnalysis adds new Storm commands to allow you to query the HybridAnalysis API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key.

Examples

Setting your personal API key

To set up a personal API key:

> hybridanalysis.setup.apikey --self myapikey
Setting Synapse-HybridAnalysis API key for the current user.

Query the Hybrid Analysis API by hash and ingest jobs

> hash:sha256#myhash | hybridanalysis.byhash --yield
it:exec:proc=93075c7da7808f7e4bcf55eceaf29962
        .created = 2024/04/22 19:55:46.643
        :host = 1c2a553239528f7302beab95b1f43007
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :time = 2021/05/13 11:00:24.000

Pivot to created inet:dns:request nodes.

> hash:sha256#myhash | hybridanalysis.byhash --yield | -> inet:dns:request | limit 2
inet:dns:request=ba77dc8461a9811270fba22d30de4344
        .created = 2024/04/22 19:55:46.779
        :host = 1c2a553239528f7302beab95b1f43007
        :proc = 93075c7da7808f7e4bcf55eceaf29962
        :query:name = maxcdn.bootstrapcdn.com
        :query:name:fqdn = maxcdn.bootstrapcdn.com
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :time = 2021/05/13 11:00:24.000
inet:dns:request=81a99b76ed8c9e674f1d0b159ce0f0f2
        .created = 2024/04/22 19:55:46.735
        :host = 1c2a553239528f7302beab95b1f43007
        :proc = 93075c7da7808f7e4bcf55eceaf29962
        :query:name = cdnjs.cloudflare.com
        :query:name:fqdn = cdnjs.cloudflare.com
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :time = 2021/05/13 11:00:24.000

Pivot to created inet:flow nodes.

> hash:sha256#myhash | hybridanalysis.byhash --yield | -> inet:flow | limit 2
inet:flow=eb577a40e63b54e60cfd61588d628549
        .created = 2024/04/22 19:55:46.948
        :dst:ipv4 = 168.61.159.114
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :src:host = 1c2a553239528f7302beab95b1f43007
        :src:proc = 93075c7da7808f7e4bcf55eceaf29962
        :time = 2021/05/13 11:00:24.000
inet:flow=6e360421d2d523dbea02a5756a756e2c
        .created = 2024/04/22 19:55:46.968
        :dst:ipv4 = 172.217.5.99
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :src:host = 1c2a553239528f7302beab95b1f43007
        :src:proc = 93075c7da7808f7e4bcf55eceaf29962
        :time = 2021/05/13 11:00:24.000

Query the Hybrid Analysis Report Summary API by hash and ingest detailed information about jobs

> hash:sha256#myhash | hybridanalysis.reportsummary --yield
it:av:scan:result=1c2a553239528f7302beab95b1f43007
        .created = 2024/04/22 19:55:48.383
        :signame = trojan.js.phishing
        :target:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
        :target:host = 1c2a553239528f7302beab95b1f43007
        :target:proc = 93075c7da7808f7e4bcf55eceaf29962
        :time = 2021/05/13 11:00:24.000
        :verdict = malicious

Pivot to created it:exec:file:add nodes.

> hash:sha256#myhash -> file:bytes -> it:exec:file:add | limit 3
it:exec:file:add=dba0e0b46533526f23a5063e9ad4f037
        .created = 2024/04/22 19:55:49.309
        :file = sha256:9018bd6aab62f2fcfa8d41c6bced3fd67a92565202bd68219ede9fed521152b7
        :host = 1c2a553239528f7302beab95b1f43007
        :path = %appdata%/microsoft/windows/cookies/j06ftz8k.txt
        :path:base = j06ftz8k.txt
        :path:dir = %appdata%/microsoft/windows/cookies
        :path:ext = txt
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
it:exec:file:add=59e70dcb681bddc93d04cdf263a28069
        .created = 2024/04/22 19:55:49.703
        :file = sha256:81ca5667daa430cc8929d079bc64051286ce03a461bed98ed722cfcd7202ef1d
        :host = 1c2a553239528f7302beab95b1f43007
        :path = %appdata%/microsoft/windows/cookies/zknofc5r.txt
        :path:base = zknofc5r.txt
        :path:dir = %appdata%/microsoft/windows/cookies
        :path:ext = txt
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8
it:exec:file:add=ed5e127a0537256825f648ff79d14d30
        .created = 2024/04/22 19:55:48.722
        :file = sha256:fd5116f4c4b995ca9c4c94dd3a473f57869bf6fb5e6bb6c38a1ad76b367e7a07
        :host = 1c2a553239528f7302beab95b1f43007
        :path = %appdata%/microsoft/windows/cookies/01g1kyvp.txt
        :path:base = 01g1kyvp.txt
        :path:dir = %appdata%/microsoft/windows/cookies
        :path:ext = txt
        :sandbox:file = sha256:4ae557c0c37615fd52a7071bfd81bc6de381e9859b6c533237c6817915ce13a8

Pivot to created it:mitre:attack:technique nodes used by the file.

> hash:sha256#myhash -> file:bytes -(uses)> it:mitre:attack:technique
it:mitre:attack:technique=T1043
        .created = 2024/04/22 19:55:50.970
        :name = commonly used port
        :url = https://attack.mitre.org/techniques/T1043
it:mitre:attack:technique=T1055
        .created = 2024/04/22 19:55:50.835
        :name = process injection
        :url = https://attack.mitre.org/techniques/T1055
it:mitre:attack:technique=T1010
        .created = 2024/04/22 19:55:50.914
        :name = application window discovery
        :url = https://attack.mitre.org/techniques/T1010
it:mitre:attack:technique=T1179
        .created = 2024/04/22 19:55:50.778
        :name = hooking
        :url = https://attack.mitre.org/techniques/T1179
it:mitre:attack:technique=T1114
        .created = 2024/04/22 19:55:50.942
        :name = email collection
        :url = https://attack.mitre.org/techniques/T1114

Query the Hybrid Analysis Overview API by file and ingest antivirus hits

> file:bytes#myfile | hybridanalysis.overview | -+> it:av:filehit
file:bytes=sha256:d88ea493cdd719ff2e2c02cea66dd15d358f914ea8741d6d6d3dd60b66adf923
        .created = 2024/04/22 19:55:51.384
        .seen = ('2021/03/25 13:12:55.000', '2021/08/08 21:36:15.000')
        :name = malware.bin
        :sha256 = d88ea493cdd719ff2e2c02cea66dd15d358f914ea8741d6d6d3dd60b66adf923
        :size = 37426
        #myfile
        #rep.hybridanalysis.apt
        #rep.hybridanalysis.malicious

Use of meta:source nodes

Synapse-HybridAnalysis uses a meta:source node and -(seen)> lightweight edges to track nodes observed from the HybridAnalysis API.

> meta:source=11c862e1e63e9c28ca328aa29756f9fc
meta:source=11c862e1e63e9c28ca328aa29756f9fc
        .created = 2024/04/22 19:55:46.541
        :name = hybrid analysis api

Storm filters can include or exclude nodes based on whether they have been observed by Synapse-HybridAnalysis. The following example filters the results of a query to include only nodes observed by Synapse-HybridAnalysis:

> it:host +{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
it:host=1c2a553239528f7302beab95b1f43007
        .created = 2024/04/22 19:55:46.626
        :desc = Windows 7 32 bit
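The filter above can be combined with the pivots shown earlier, and the same edge can be used in the exclude direction. The following Storm queries are added examples and are not part of the original guide; they assume the #myhash tag and the meta:source guid 11c862e1e63e9c28ca328aa29756f9fc used above, and a hypothetical analyst tag #myreview (not defined by the Power-Up) for marking hosts still to be triaged.

```storm
// Added example, not from the Synapse-HybridAnalysis guide.
// Query by hash, pivot to the DNS requests the sandbox recorded, keep only
// requests the Hybrid Analysis meta:source has -(seen)>, then pivot to the
// FQDNs that were queried so they can be reviewed as a set.
hash:sha256#myhash | hybridanalysis.byhash --yield
| -> inet:dns:request
| +{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
| :query:name:fqdn -> inet:fqdn
| uniq

// Exclude direction: it:host nodes NOT observed via the Hybrid Analysis
// API (a -{ ... } filter drops nodes for which the subquery matches).
// #myreview is an assumed analyst tag, not created by the Power-Up.
it:host -{ <(seen)- meta:source=11c862e1e63e9c28ca328aa29756f9fc }
| [ +#myreview ]
```

Run each query separately in the Storm CLI; the `//` comments are Storm comments and can be kept or dropped. Filtering on the -(seen)> edge rather than on #rep.hybridanalysis tags is useful when you want every node the Power-Up touched (hosts, processes, flows), not only the files that received a reputation tag.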