User Guide

Synapse-VMRay User Guide

Synapse-VMRay adds new Storm commands to allow you to query the VMRay API using your existing API key.

Getting Started

Check with your Admin to enable permissions and find out if you need a personal API key or a person API endpoint.

Examples

Setting your personal API key

To set-up a personal use API key:

> vmray.setup.apikey --self myapikey
Setting Synapse-VMRay API key for the current user.

Setting your personal API Endpoint

To configure what URL to issue queries to:

> vmray.setup.endpoint --self "https://us.cloud.vmray.com"
Setting Synapse-VMRay Endpoint for the current user.

Retrieve IOCs and Metadata for a Sample

Fetch a VMRay IOC report for a given sample ID

> vmray.sample.iocs --id 280144 --yield
file:bytes=sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        .created = 2024/12/20 18:17:29.480
        :md5 = 54d2154a9b330065a3e12f2904851be8
        :mime = application/vnd.ms-word.document.macroenabled.12
        :name = ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019docm
        :sha1 = 62b6109424a2dd79e4b2b7072460ca9471fb3767
        :sha256 = ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :size = 20902
        #rep.vmray.classification.injector
        #rep.vmray.verdict.malicious
file:bytes=sha256:1b3cb2b1ed10462530587d4a53f20b6e3d1de940d11cb0c2eceea58e605b50cc
        .created = 2024/12/20 18:17:29.684
        :md5 = 7eafed5b5704913af5aa901fdf3050ae
        :mime = text/html
        :sha1 = cdb27cd26e15949056f308eb2bf5d9d7a92bc586
        :sha256 = 1b3cb2b1ed10462530587d4a53f20b6e3d1de940d11cb0c2eceea58e605b50cc
        :size = 218
file:bytes=sha256:d630f73860b791c72bc8b603ecbf473fd2599176bc13cbe33ea2fd80306c77f9
        .created = 2024/12/20 18:17:29.718
        :md5 = 8aaca4d7fed9cbf2d9cb37763a6ec780
        :mime = application/octet-stream
        :sha1 = 75ac6f0338054e99bc621d61b19030751972e7bd
        :sha256 = d630f73860b791c72bc8b603ecbf473fd2599176bc13cbe33ea2fd80306c77f9
        :size = 128
file:bytes=sha256:d0e5af70f036cc99f4a2dbe464e968f47dacb03f90ef0c6c4c7f91133cad1a13
        .created = 2024/12/20 18:17:29.751
        :md5 = 0bb44f13e2430b799be172937a1e67e1
        :mime = application/octet-stream
        :sha1 = efa73b71e55f559b932bbaea82bf835768b5cf0c
        :sha256 = d0e5af70f036cc99f4a2dbe464e968f47dacb03f90ef0c6c4c7f91133cad1a13
        :size = 128
file:subfile=('sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019', 'sha256:c015277d91276f474b6b7587dd0a8a8fe537d27b9cf43106805548a66f81974a')
        .created = 2024/12/20 18:17:29.820
        :child = sha256:c015277d91276f474b6b7587dd0a8a8fe537d27b9cf43106805548a66f81974a
        :parent = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :path = vbaproject.bin
file:bytes=sha256:c015277d91276f474b6b7587dd0a8a8fe537d27b9cf43106805548a66f81974a
        .created = 2024/12/20 18:17:29.784
        :md5 = b2f49d0d81163d2c6ce9a0e8ec9f0e4f
        :mime = application/cdfv2
        :name = vbaproject.bin
        :sha1 = fda2fe81ea318c54e63614c6e5ae18d3a4c03aa9
        :sha256 = c015277d91276f474b6b7587dd0a8a8fe537d27b9cf43106805548a66f81974a
        :size = 18432
inet:flow=7daa7e1af352158dcc209cd0da160034
        .created = 2024/12/20 18:17:30.063
        :dst:ipv4 = 209.250.252.41
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :src:host = bd8439f21cec1ca142f46160d2ac4abc
        :src:proc = f005fcd1395bc2f5438f535062efb616
inet:flow=7637d6878398481823322e9a0feaaa9c
        .created = 2024/12/20 18:17:30.150
        :dst:ipv4 = 209.250.252.41
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :src:host = 258f05ed665bb1b2445c80e340002572
        :src:proc = 86d864a5f3794aeb6687e3499eb293e9
inet:flow=497381516b973547c1e411e84f3ccb2a
        .created = 2024/12/20 18:17:30.305
        :dst:ipv4 = 209.250.252.41
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :src:host = 4250402b93cc4463acb687d65f8ce59f
        :src:proc = cb74990a3d1921919e4a9a5e268df128
it:exec:proc=f005fcd1395bc2f5438f535062efb616
        .created = 2024/12/20 18:17:30.064
        :cmd = C:\Windows\\SysWOW64\\rundll32.exe
        :host = bd8439f21cec1ca142f46160d2ac4abc
        :path = c:/windows/syswow64/rundll32.exe
        :path:base = rundll32.exe
        :pid = 210
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=86d864a5f3794aeb6687e3499eb293e9
        .created = 2024/12/20 18:17:30.151
        :cmd = C:\Windows\\SysWOW64\\rundll32.exe
        :host = 258f05ed665bb1b2445c80e340002572
        :path = c:/windows/syswow64/rundll32.exe
        :path:base = rundll32.exe
        :pid = 152
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=cb74990a3d1921919e4a9a5e268df128
        .created = 2024/12/20 18:17:30.306
        :cmd = C:\Windows\\System32\\rundll32.exe
        :host = 4250402b93cc4463acb687d65f8ce59f
        :path = c:/windows/system32/rundll32.exe
        :path:base = rundll32.exe
        :pid = 139
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=c2c192c27bfffb6a2e93b4dc205f64f4
        .created = 2024/12/20 18:17:30.556
        :cmd = "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n
        :host = 4250402b93cc4463acb687d65f8ce59f
        :path = c:/program files/microsoft office/office16/winword.exe
        :path:base = winword.exe
        :pid = 164
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=de6457e3783ead80c50054ab646fd59f
        .created = 2024/12/20 18:17:30.681
        :cmd = "C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n
        :host = 222bff98ca5fa7b412b3db2ae05f44e0
        :path = c:/program files/microsoft office/office16/winword.exe
        :path:base = winword.exe
        :pid = 136
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=ce204e636702f7cba54375912e0c5220
        .created = 2024/12/20 18:17:30.740
        :cmd = "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n
        :host = 258f05ed665bb1b2445c80e340002572
        :path = c:/program files (x86)/microsoft office/office16/winword.exe
        :path:base = winword.exe
        :pid = 206
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:proc=b504fcaba6f339edbbb4a1b4b2eb46bf
        .created = 2024/12/20 18:17:30.798
        :cmd = "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n
        :host = bd8439f21cec1ca142f46160d2ac4abc
        :path = c:/program files (x86)/microsoft office/office16/winword.exe
        :path:base = winword.exe
        :pid = 147
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
it:exec:url=c3f8fc10068622f9d81ad7753e290b68
        .created = 2024/12/20 18:17:30.926
        :host = bd8439f21cec1ca142f46160d2ac4abc
        :proc = f005fcd1395bc2f5438f535062efb616
        :sandbox:file = sha256:ebd0d73d0350f9745746b234712e7e9f561d4a90240ddd670ea980493afb6019
        :url = http://209.250.252.41/i5nP
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json

Fetch only the registry IOCS for a sample:

> vmray.sample.iocs --id 5876 --type registry --size 5 --yield
it:exec:reg:get=53092210bf27e385ce2839746c907ff3
        .created = 2024/12/20 18:17:31.741
        :host = bbeca8973774b17db52a70f0e38ebdfe
        :proc = fd9087b3d4f624236ef35855d87a88d7
        :reg = bc097f1b2ed4ec52fdff4f01b43c43f5
        :sandbox:file = sha256:f77f744cbc14d9abf55c5dad2676854534d00684bd1c493d47daba4c5f1a076a
it:exec:reg:get=551e276b49d4eeeb6fa722038e08f577
        .created = 2024/12/20 18:17:31.848
        :host = bbeca8973774b17db52a70f0e38ebdfe
        :proc = ed66b3ec7f9118a743fc2a329ccbebef
        :reg = bc097f1b2ed4ec52fdff4f01b43c43f5
        :sandbox:file = sha256:f77f744cbc14d9abf55c5dad2676854534d00684bd1c493d47daba4c5f1a076a
it:exec:reg:get=37db7e86d4300bb970593daf1d77e685
        .created = 2024/12/20 18:17:31.949
        :host = bbeca8973774b17db52a70f0e38ebdfe
        :proc = cbe2cd6f3f4a247d2f2e7d981900d9bb
        :reg = bc097f1b2ed4ec52fdff4f01b43c43f5
        :sandbox:file = sha256:f77f744cbc14d9abf55c5dad2676854534d00684bd1c493d47daba4c5f1a076a
it:exec:reg:get=177953fd1fca77ba05d3c626d59c8cd1
        .created = 2024/12/20 18:17:32.055
        :host = bbeca8973774b17db52a70f0e38ebdfe
        :proc = cbe2cd6f3f4a247d2f2e7d981900d9bb
        :reg = 185a1d35af8f8fdc32e908c71f2e2a80
        :sandbox:file = sha256:f77f744cbc14d9abf55c5dad2676854534d00684bd1c493d47daba4c5f1a076a
it:exec:reg:get=355ec4bacd8a191ed1ae41db94dd8023
        .created = 2024/12/20 18:17:32.233
        :host = 8f6911ed84072f168ddcec62c95799c3
        :proc = 4b2f1e077422e71e518a88abafa2b715
        :reg = 77d04b01d181d354e844a91d549a5112
        :sandbox:file = sha256:f77f744cbc14d9abf55c5dad2676854534d00684bd1c493d47daba4c5f1a076a

Fetch only the IOCS marked as suspicious by VMRay for a sample:

> vmray.sample.iocs --id 464921 --severity suspicious --yield
file:bytes=sha256:f8d46a594bb5d8ec7b473b89437c1e1fdad970f30292a843f9d2b8815ce01b6a
        .created = 2024/12/20 18:17:32.805
        :md5 = f023bc93a3c5fa00d42400498046ee00
        :mime = application/pdf
        :sha1 = 2b90938eb7180bb6b6352c0c553572b7da232dc4
        :sha256 = f8d46a594bb5d8ec7b473b89437c1e1fdad970f30292a843f9d2b8815ce01b6a
        :size = 11961
file:bytes=sha256:08f799f032ef7a775fbb065a652723a4037fd25b91976f3a94c6aaf12e55868c
        .created = 2024/12/20 18:17:32.847
        :md5 = 6b14b65238aa01a36eb2f4b45fd5a146
        :mime = application/pdf
        :sha1 = 7fb4a41fff61d01ca0c2bd19a1ae6fc972256941
        :sha256 = 08f799f032ef7a775fbb065a652723a4037fd25b91976f3a94c6aaf12e55868c
        :size = 14099
it:exec:proc=88fff54ec9a1f1bc69b8352079f7a355
        .created = 2024/12/20 18:17:32.999
        :cmd = /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\2XC7u663GxWc\AppData\Roaming\Microsoft\Network\mstsca.exe"
        :host = 165ff89c1b64ae10caa3a8527ca47e8a
        :path = c:/windows/system32/schtasks.exe
        :path:base = schtasks.exe
        :pid = 148
        :sandbox:file = sha256:469017951eec682bea313ac5984afb0b647317cc39670c2f51af15d7ce9a8313
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json

Fetch only the Mutex IOCS marked as clean by VMRay for a sample:

> vmray.sample.iocs --id 464931 --type mutexes --severity clean --yield
it:exec:mutex=ab72ff9a40e6ea7a963d04e6b2d79245
        .created = 2024/12/20 18:17:33.613
        :host = 8d6f599cbf77a3ddde501b5fc674d43c
        :name = 2XC7u663GxWc987uh4b36teeorinthj
        :proc = 8b06cdf97640b69f73b8ee1d79e9a9bd
        :sandbox:file = sha256:ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914
it:exec:mutex=4dd82e1b63fb3b445afe12485f8b62a8
        .created = 2024/12/20 18:17:33.760
        :host = 25eec5cdfed3c4d43b3ef87dbfcee0c6
        :name = WhuOXYsD987uh4b36teeorinthj
        :proc = 6c6561aad4cadb70958662488b0930a4
        :sandbox:file = sha256:ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json
WARNING: (Archive) VMRay API returned bad status code of 404, mesg=(), filename=logs/summary_v2.json

Fetch the file IOCs for a given file:

> [file:bytes=ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914] | vmray.sample.iocs --type files --yield --size 2
file:subfile=('sha256:4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97', 'sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b')
        .created = 2024/12/20 18:17:34.365
        :child = sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        :parent = sha256:4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97
        :path = c:/users/whuoxysd/appdata/locallow/ad1rf3am8r/api-ms-win-crt-runtime-l1-1-0.dll
file:bytes=sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        .created = 2024/12/20 18:17:34.330
        :md5 = 41a348f9bedc8681fb30fa78e45edb24
        :mime = application/vnd.microsoft.portable-executable
        :sha1 = 66e76c0574a549f293323dd6f863a8a5b54f3f9b
        :sha256 = c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        :size = 22840

Fetch the IOCs generated by VMRay analyzing a URL:

> [inet:url="https://www.bmlkochi.com/service/account/update/signin/?country.x=US&locale.x=en_EN"] | vmray.sample.iocs --yield --size 3
inet:dns:a=('bmlkochi.com', '192.185.100.208')
        .created = 2024/12/20 18:17:34.685
        :fqdn = bmlkochi.com
        :ipv4 = 192.185.100.208
inet:http:request=d4138b1d0194bf3ef9fb6354bd78853d
        .created = 2024/12/20 18:17:34.851
        :host = edbf7003846358256ce9dc9c7f689877
        :url = https://bmlkochi.com
inet:dns:a=('t.paypal.com', '23.60.194.245')
        .created = 2024/12/20 18:17:35.005
        :fqdn = t.paypal.com
        :ipv4 = 23.60.194.245

Fetch the IOCs for a given FQDN:

> [inet:fqdn=mail.bruising-intellect.ml] | vmray.sample.iocs --yield --size 2
inet:dns:a=('mail.bruising-intellect.ml', '206.166.251.141')
        .created = 2024/12/20 18:17:35.296
        :fqdn = mail.bruising-intellect.ml
        :ipv4 = 206.166.251.141
inet:dns:request=9673820ac09fdd9cb5063fdc522229bc
        .created = 2024/12/20 18:17:35.462
        :host = cfb23162b6de928f4c296df891046e14
        :query:name = mail.bruising-intellect.ml
        :query:name:fqdn = mail.bruising-intellect.ml

Synapse-VMRay stores the relationship between the file:bytes of a sample report and its IOCs via a refs light edges, and you can query the cortex for them like so:

> file:bytes=ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914 -(refs)> *
file:subfile=('sha256:4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97', 'sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b')
        .created = 2024/12/20 18:17:34.365
        :child = sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        :parent = sha256:4cfada7eb51a6c0cb26283f9c86784b2b2587c59c46a5d3dc0f06cad2c55ee97
        :path = c:/users/whuoxysd/appdata/locallow/ad1rf3am8r/api-ms-win-crt-runtime-l1-1-0.dll
it:exec:mutex=4dd82e1b63fb3b445afe12485f8b62a8
        .created = 2024/12/20 18:17:33.760
        :host = 25eec5cdfed3c4d43b3ef87dbfcee0c6
        :name = WhuOXYsD987uh4b36teeorinthj
        :proc = 6c6561aad4cadb70958662488b0930a4
        :sandbox:file = sha256:ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914
file:bytes=sha256:c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        .created = 2024/12/20 18:17:34.330
        :md5 = 41a348f9bedc8681fb30fa78e45edb24
        :mime = application/vnd.microsoft.portable-executable
        :sha1 = 66e76c0574a549f293323dd6f863a8a5b54f3f9b
        :sha256 = c9bbc07a033bab6a828ecc30648b501121586f6f53346b1cd0649d7b648ea60b
        :size = 22840
it:exec:mutex=ab72ff9a40e6ea7a963d04e6b2d79245
        .created = 2024/12/20 18:17:33.613
        :host = 8d6f599cbf77a3ddde501b5fc674d43c
        :name = 2XC7u663GxWc987uh4b36teeorinthj
        :proc = 8b06cdf97640b69f73b8ee1d79e9a9bd
        :sandbox:file = sha256:ada9a5c4e57492c3d26314837a7341b16b3095f2fbc9b390cbc48458c8df8914

Retrieve the VMRay Threat Indicators for a Sample

Download the VMRay Threat Indicator list for a sample id:

> vmray.sample.vtis --id 95487 --yield --size 5
meta:rule=2f9fd85e18b5696adbd339f4ec99f3ae
        .created = 2024/12/20 18:17:35.998
        :desc = VMRay - Heuristics - Contains suspicious meta data
meta:rule=962f5b3b6c504f95df4d175ba13f2edf
        .created = 2024/12/20 18:17:36.497
        :desc = VMRay - Reputation - Contacts known malicious URL
meta:rule=014155979a0cba18733e01ebd3bd91b6
        .created = 2024/12/20 18:17:36.770
        :desc = VMRay - Execution - Document tries to create process
meta:rule=9ea2789776b08ff8f59e921d436bb7c0
        .created = 2024/12/20 18:17:37.042
        :desc = VMRay - Reputation - Known malicious file
meta:rule=dadebd6b9a1720ff06142c8c1f09a9b6
        .created = 2024/12/20 18:17:37.380
        :desc = VMRay - Mutex - Creates mutex

Download the VMRay Threat Indicator list for a given file:

> [file:bytes=413081e822500ceec0508640a488c77ac68960e76ca31257ba1ba2d1d536d2eb] | vmray.sample.vtis --yield --size 5
meta:rule=30ddff45ba6db26dbc2bd35b0d971899
        .created = 2024/12/20 18:17:37.827
        :desc = VMRay - Obfuscation - Resolves API functions dynamically
meta:rule=55e90693b967baae98febdece995bd5e
        .created = 2024/12/20 18:17:38.114
        :desc = VMRay - Network Connection - Performs DNS request
meta:rule=7df4a19079be32f034738a662d2cf3b1
        .created = 2024/12/20 18:17:38.320
        :desc = VMRay - Persistence - Installs system startup script or application
meta:rule=dd76a1bf6c906324ffe7ebb394dc13b7
        .created = 2024/12/20 18:17:38.525
        :desc = VMRay - Network Connection - Connects to remote host
meta:rule=9ea2789776b08ff8f59e921d436bb7c0
        .created = 2024/12/20 18:17:37.042
        :desc = VMRay - Reputation - Known malicious file

Download the VMRay Threat Indicator list for a given url:

> [inet:url="https://www.bmlkochi.com/service/account/update/signin/?country.x=US&locale.x=en_EN"] | vmray.sample.vtis --yield --size 3
meta:rule=d457a06114c2a5e48615933e55572641
        .created = 2024/12/20 18:17:38.993
        :desc = VMRay - Heuristics - Page presents itself as a logon page
meta:rule=1ca6e648dc92a516fc211ce8919958e4
        .created = 2024/12/20 18:17:39.044
        :desc = VMRay - Masquerade - Page uses exact favicon of an online financial service
meta:rule=35ca5bca52e33fc46670fc7ca97a6296
        .created = 2024/12/20 18:17:39.087
        :desc = VMRay - Masquerade - Page uses exact same title as that of a popular online service

Download the VMRay Threat Indicator list for a given fqdn:

> [inet:fqdn=mail.bruising-intellect.ml] | vmray.sample.vtis --yield --size 3
meta:rule=e520c93b6eb90fb3d60dd0f6064f5d23
        .created = 2024/12/20 18:17:39.307
        :desc = VMRay - Reputation - Known malicious URL
meta:rule=962f5b3b6c504f95df4d175ba13f2edf
        .created = 2024/12/20 18:17:36.497
        :desc = VMRay - Reputation - Contacts known malicious URL
meta:rule=e9cff74a19ec7c996683abb2a06dfcf3
        .created = 2024/12/20 18:17:39.398
        :desc = VMRay - Reputation - Resolves known malicious domain

Retrieve the list of meta:rule matches for a sample:

> inet:fqdn=mail.bruising-intellect.ml <(matches)- *
meta:rule=e520c93b6eb90fb3d60dd0f6064f5d23
        .created = 2024/12/20 18:17:39.307
        :desc = VMRay - Reputation - Known malicious URL
meta:rule=962f5b3b6c504f95df4d175ba13f2edf
        .created = 2024/12/20 18:17:36.497
        :desc = VMRay - Reputation - Contacts known malicious URL
meta:rule=e9cff74a19ec7c996683abb2a06dfcf3
        .created = 2024/12/20 18:17:39.398
        :desc = VMRay - Reputation - Resolves known malicious domain

Retrieve the MITRE ATT&CK Indicators for a Sample

Download the MITRE ATT&CK Techniques VMRay flagged for a sample ID:

> vmray.sample.mitre --id 95487 --yield --size 5
it:mitre:attack:technique=T1057
        .created = 2024/12/20 18:17:39.903
        :name = process discovery
it:mitre:attack:technique=T1071
        .created = 2024/12/20 18:17:40.111
        :name = standard application layer protocol
it:mitre:attack:technique=T1105
        .created = 2024/12/20 18:17:40.278
        :name = remote file copy
it:mitre:attack:technique=T1115
        .created = 2024/12/20 18:17:40.435
        :name = clipboard data
it:mitre:attack:technique=T1027
        .created = 2024/12/20 18:17:40.603
        :name = obfuscated files or information

Download the MITRE ATT&CK Techniques VMRay flagged for a sample file:

> [file:bytes=6d65ede163fc7cce8c38979d9f80a821487859ada1ed4fa83e1e6491c3c397a2] | vmray.sample.mitre --yield --size 5
it:mitre:attack:technique=T1486
        .created = 2024/12/20 18:17:41.341
        :name = data encrypted for impact
it:mitre:attack:technique=T1016
        .created = 2024/12/20 18:17:41.479
        :name = system network configuration discovery
it:mitre:attack:technique=T1057
        .created = 2024/12/20 18:17:39.903
        :name = process discovery
it:mitre:attack:technique=T1060
        .created = 2024/12/20 18:17:41.737
        :name = registry run keys / startup folder
it:mitre:attack:technique=T1049
        .created = 2024/12/20 18:17:41.866
        :name = system network connections discovery

Query the Cortex for all the files that use MITRE ATT&CK techniques:

> it:mitre:attack:technique <(uses)- * | uniq
file:bytes=sha256:6d65ede163fc7cce8c38979d9f80a821487859ada1ed4fa83e1e6491c3c397a2
        .created = 2024/12/20 18:17:40.750
        :md5 = 914dcb08b6c1484f7d9a5750e9626542
        :name = 6d65ede163fc7cce8c38979d9f80a821487859ada1ed4fa83e1e6491c3c397a2exe
        :sha1 = 66b7a6502721b20dcabf1f16886600d541143db2
        :sha256 = 6d65ede163fc7cce8c38979d9f80a821487859ada1ed4fa83e1e6491c3c397a2
        :size = 840192
        #rep.vmray.classification.ransomware
        #rep.vmray.verdict.malicious
file:bytes=sha256:dd6a5782cb05511209d6848f75652c9c9e2a41fdc75bc074141b3511484231ed
        .created = 2024/12/20 18:17:35.691
        :md5 = 951d2b772ffeb027748d1b36f99a9a55
        :name = dd6a5782cb05511209d6848f75652c9c9e2a41fdc75bc074141b3511484231edxlsx
        :sha1 = c57b39d0a84720fbc19ab035177e66a267de5a2d
        :sha256 = dd6a5782cb05511209d6848f75652c9c9e2a41fdc75bc074141b3511484231ed
        :size = 359936
        #rep.vmray.classification.downloader
        #rep.vmray.classification.exploit
        #rep.vmray.classification.injector
        #rep.vmray.classification.pua
        #rep.vmray.classification.spyware
        #rep.vmray.verdict.malicious
        #rep.vmray.vtis.398447
        #rep.vmray.vtis.398457
        #rep.vmray.vtis.398459
        #rep.vmray.vtis.398475
        #rep.vmray.vtis.398504

Get all the MITRE ATT&CK techniques a file uses:

> file:bytes=dd6a5782cb05511209d6848f75652c9c9e2a41fdc75bc074141b3511484231ed -(uses)> *
it:mitre:attack:technique=T1105
        .created = 2024/12/20 18:17:40.278
        :name = remote file copy
it:mitre:attack:technique=T1057
        .created = 2024/12/20 18:17:39.903
        :name = process discovery
it:mitre:attack:technique=T1071
        .created = 2024/12/20 18:17:40.111
        :name = standard application layer protocol
it:mitre:attack:technique=T1115
        .created = 2024/12/20 18:17:40.435
        :name = clipboard data
it:mitre:attack:technique=T1027
        .created = 2024/12/20 18:17:40.603
        :name = obfuscated files or information

Submitting a Sample to VMRay

To submit a document to VMRay for analysis, specifying the password that the docx was locked with:

> [file:bytes=19d56d03926af33e3d98149a144f57f7743be3dd4ab8c51966153c241a20c46e] | vmray.sample.submit --passwd testpass
WARNING: (Submit) VMRay API returned bad status code of -1, mesg=('NoSuchFile', {'efile': 'axon.py', 'eline': 979, 'esrc': "raise s_exc.NoSuchFile(mesg='Axon does not contain the requested file.', sha256=s_common.ehex(sha256))", 'ename': '_reqHas', 'mesg': 'Axon does not contain the requested file.', 'sha256': '19d56d03926af33e3d98149a144f57f7743be3dd4ab8c51966153c241a20c46e'})
file:bytes=sha256:19d56d03926af33e3d98149a144f57f7743be3dd4ab8c51966153c241a20c46e
        .created = 2024/12/20 18:17:42.123
        :sha256 = 19d56d03926af33e3d98149a144f57f7743be3dd4ab8c51966153c241a20c46e

To submit a password protected archive file to VMRay, specifying both the password and to run static analysis only:

> [file:bytes=14cdaae1ceb0f33eb1091267f9de9edca52e0292c6aa7e843c727cd5a938bc64] | vmray.sample.submit --passwd infected --archive-action compound_sample --static-only
WARNING: (Submit) VMRay API returned bad status code of -1, mesg=('NoSuchFile', {'efile': 'axon.py', 'eline': 979, 'esrc': "raise s_exc.NoSuchFile(mesg='Axon does not contain the requested file.', sha256=s_common.ehex(sha256))", 'ename': '_reqHas', 'mesg': 'Axon does not contain the requested file.', 'sha256': '14cdaae1ceb0f33eb1091267f9de9edca52e0292c6aa7e843c727cd5a938bc64'})
file:bytes=sha256:14cdaae1ceb0f33eb1091267f9de9edca52e0292c6aa7e843c727cd5a938bc64
        .created = 2024/12/20 18:17:42.288
        :sha256 = 14cdaae1ceb0f33eb1091267f9de9edca52e0292c6aa7e843c727cd5a938bc64

Use of meta:source nodes

Synapse-VMRay uses a meta:source node and -(seen)> light weight edges to track nodes observed from the VMRay API.

> meta:source=1bdf989b062545cf4c5abcc229de643d
meta:source=1bdf989b062545cf4c5abcc229de643d
        .created = 2024/12/20 18:17:29.419
        :name = vmray api

Storm can be used to filter nodes to include/exclude nodes which have been observed by Synapse-VMRay. The following example shows how to filter the results of a query to include only results observed by Synapse-VMRay:

> #cool.tag.lift +{ <(seen)- meta:source=1bdf989b062545cf4c5abcc229de643d }