
Cyware Orchestrate

Hybrid Analysis

App Vendor: Hybrid Analysis

App Category: Data Enrichment & Threat Intelligence, Forensics & Malware Analysis

Connector version: 1.2.0

API Version: 2.0.0

About App

Hybrid Analysis is a cloud-based sandboxing solution. In Orchestrate, the Hybrid Analysis app lets users upload files to the service, detonate them in a virtual sandbox environment, and identify whether the uploaded file is malicious. Users can also look up a file hash to get details about the API key or malware samples.

The Hybrid Analysis app is configured with the Orchestrate application to perform the following actions:

  • Quick File Scan: performs a quick file scan using the file path and scan type provided to the Hybrid Analysis sandbox application.

  • Quick URL Scan: performs a quick URL scan using the URL and additional fields provided to the Hybrid Analysis sandbox application.

  • Get Report Status of Sandbox Submission: obtains the report status of a sandbox submission.

  • Get a Report of Sandbox Submission: obtains a report summary of a sandbox submission.

  • File Submission for Sandbox Analysis: submits a file for sandbox analysis.

  • Get Historical Hash from URL: determines the SHA256 that an online file or URL submission will have when it is processed by the system.

  • URL Submission for Sandbox Analysis: submits a URL for scanning in sandbox analysis.

  • Search Hash Details: searches for hash details and the summary of a file hash.

  • Get Hash Overview: obtains an overview of a SHA256 hash.

  • Get the Summary of Hash: obtains the summary of a SHA256 hash.

  • Get the Result of a Quick Scan: obtains the result of a quick scan using its scan ID.

  • Get Latest Feeds: retrieves the latest feed, that is, the most recent 250 reports logged in the last 24 hours.

  • Submit File Content for Sandbox Analysis: submits file content for sandbox analysis.

Configuration Parameters

The following configuration parameters are required for the Hybrid Analysis app to communicate with the Hybrid Analysis enterprise application. The parameters can be configured by creating instances in the app.

The URL https://www.hybrid-analysis.com/api/v2 must be whitelisted to use Hybrid Analysis from a proxied environment.

Parameter: API Key
  Description: Enter the Hybrid Analysis sandbox API key.
  Field Type: Text
  Required/Optional: Required

Action: Quick File Scan

This action performs a quick file scan using the file path and scan type provided to the Hybrid Analysis sandbox application.

Action Input Parameters

Parameter: File path
  Description: Enter the file path. Example: "/home/anna/statusReport"
  Field Type: Text
  Required/Optional: Required

Parameter: Scan type
  Description: Enter the scan type.
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values:
    • all_lookup
    • all_scan
    • lookup_ha
    • scan_crowdstrike_ml
    • scan_urlscanio
    • scan_metadefender
    • lookup_virustotal
    • lookup_whitelists_internal
    • lookup_whitelists
  Default value: all

Parameter: Additional fields
  Description: Enter the additional fields.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • no_share_third_party (boolean); by default, the value is set as true
    • allow_community_access (boolean); by default, the value is set as true
    • comment (str)
    • submit_name (str)

Example Request

{
   "file_path": "/home/anna/statusReport",
   "scan_type": "all",
   "additional_fields": {}
}

Action: Quick URL Scan

This action performs a quick URL scan using the URL and additional fields provided to the Hybrid Analysis sandbox application.

Action Input Parameters

Parameter: URL
  Description: Enter the URL. Example: "www.google.com"
  Field Type: Text
  Required/Optional: Required

Parameter: Scan type
  Description: Enter the scan type.
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values:
    • all (default)
    • all_lookup
    • all_scan
    • lookup_ha
    • scan_crowdstrike_ml
    • scan_urlscanio
    • scan_metadefender
    • lookup_virustotal
    • lookup_whitelists_internal
    • lookup_whitelists

Parameter: Additional fields
  Description: Enter the additional fields.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • scan_type (str): all_lookup, all_scan, lookup_ha, scan_crowdstrike_ml, scan_urlscanio, scan_metadefender, lookup_virustotal, lookup_whitelists_internal, lookup_whitelists
    • no_share_third_party (boolean); default value: "true"
    • allow_community_access (boolean); default value: "true"
    • comment (str)
    • submit_name (str)

Example Request

{
   "url": "trenz.pl.com",
   "scan_type": "all",
   "extra_params": {}
}

Action: Get Report Status of Sandbox Submission

This action obtains the report status of a sandbox submission.

Action Input Parameters

Parameter: Job ID
  Description: Enter the job ID. Example: "5e9dbc86193b8430af5fbb1b"
  Field Type: Text
  Required/Optional: Required
  Comments: You can generate the job ID using the "File Submission for Sandbox Analysis" and "URL Submission for Sandbox Analysis" actions.

Example Request

{
   "job_id": "5e9dbc86193b8430af5fbb1b"
}

Action: Get a Report of Sandbox Submission

This action obtains a report summary of a sandbox submission.

Action Input Parameters

Parameter: Job ID
  Description: Enter the job ID. Example: "5f48d6650286fb07773753d2"
  Field Type: Text
  Required/Optional: Required
  Comments: You can generate the job ID using the "File Submission for Sandbox Analysis" and "URL Submission for Sandbox Analysis" actions.

Example Request

{
   "job_id": "5f48d6650286fb07773753d2"
}

Action: File Submission for Sandbox Analysis

This action submits a file for sandbox analysis.

Action Input Parameters

Parameter: File path
  Description: Enter the file path with the file extension. Example: "/tmp/0ce98d6d-be4c-47dd-a3e0-8cd41d992e61/Kaspersky_Endpoint_Security_for_Enterprise.pdf"
  Field Type: Text
  Required/Optional: Required

Parameter: Environment ID
  Description: Enter the environment ID.
  Field Type: Integer
  Required/Optional: Optional
  Comments: Allowed values:
    • 300: Linux (Ubuntu 16.04, 64 bit)
    • 200: Android Static Analysis
    • 120: Windows 7 64 bit
    • 110: Windows 7 32 bit (HWP Support)
  Default value: 100 (Windows 7 32 bit)

Parameter: Additional fields
  Description: Enter the additional fields.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • no_share_third_party (bool); default value: "true"
    • allow_community_access (bool); default value: "true"
    • comment (str)
    • submit_name (str)
    • environment_variable (key:value)
    • document_password (str)
    • custom_run_time (int, in seconds)
    • custom_cmd_line (str)
    • custom_date_time (yyyy-MM-dd HH:mm)
    • email (str)
    • offline_analysis (bool); default value: "false"
    • tor_enabled_analysis (bool); default value: "false"
    • input_sample_tampering (bool); default value: "false"
    • script_logging (bool); default value: "false"
    • experimental_anti_evasion (bool); default value: "false"
    • hybrid_analysis (bool); default value: "false"
    • action_script (str): default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie
    • no_hash_lookup (bool); default value: "false"

Example Request

{
   "file_path": "/tmp/0ce98d6d-be4c-47dd-a3e0-8cd41d992e61/Kaspersky_Endpoint_Security_for_Enterprise.pdf",
   "extra_params": {
      "no_share_third_party": false,
      "no_hash_lookup": false,
      "tor_enabled_analysis": false
   }
}

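A playbook author usually assembles the extra_params map from upstream data, so it is worth validating it against the documented keys and types before the action runs (a JSON string "false" is not the boolean false, and would not disable third-party sharing). The following builder is an added example, not part of the app or of Hybrid Analysis; the allowed environment IDs, keys and types are the ones listed above, and the function names are the author's own.

```python
import re

# Values documented for the File Submission action's Environment ID and extra_params.
ENVIRONMENTS = {100: "Windows 7 32 bit", 110: "Windows 7 32 bit (HWP Support)",
                120: "Windows 7 64 bit", 200: "Android Static Analysis",
                300: "Linux (Ubuntu 16.04, 64 bit)"}
BOOL_FIELDS = {"no_share_third_party", "allow_community_access", "offline_analysis",
               "tor_enabled_analysis", "input_sample_tampering", "script_logging",
               "experimental_anti_evasion", "hybrid_analysis", "no_hash_lookup"}
STR_FIELDS = {"comment", "submit_name", "document_password", "custom_cmd_line", "email"}
ACTION_SCRIPTS = {"default", "default_maxantievasion", "default_randomfiles",
                  "default_randomtheme", "default_openie"}
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$")  # yyyy-MM-dd HH:mm

def validate_extra_params(extra):
    """Reject undocumented keys and wrongly typed values, e.g. the string
    "false" where the action expects a JSON boolean."""
    for key, value in extra.items():
        if key in BOOL_FIELDS:
            ok = isinstance(value, bool)
        elif key in STR_FIELDS:
            ok = isinstance(value, str)
        elif key == "custom_run_time":       # int in seconds; bool is an int in Python
            ok = isinstance(value, int) and not isinstance(value, bool)
        elif key == "custom_date_time":
            ok = isinstance(value, str) and DATE_RE.match(value) is not None
        elif key == "environment_variable":  # key:value pairs
            ok = isinstance(value, dict) and all(
                isinstance(k, str) and isinstance(v, str) for k, v in value.items())
        elif key == "action_script":
            ok = value in ACTION_SCRIPTS
        else:
            raise ValueError(f"unknown extra_params key: {key}")
        if not ok:
            raise TypeError(f"bad value for {key}: {value!r}")
    return extra

def build_file_submission(file_path, environment_id=None, extra_params=None):
    """Return the request body in the shape of the action's Example Request.
    environment_id is omitted when None so the service default (100) applies."""
    if "." not in file_path.rsplit("/", 1)[-1]:
        raise ValueError("file_path must include the file extension")
    if environment_id is not None and environment_id not in ENVIRONMENTS:
        raise ValueError(f"environment_id must be one of {sorted(ENVIRONMENTS)}")
    body = {"file_path": file_path,
            "extra_params": validate_extra_params(dict(extra_params or {}))}
    if environment_id is not None:
        body["environment_id"] = environment_id
    return body
```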
Action: Get Historical Hash from URL

This action determines the SHA256 that an online file or URL submission will have when it is processed by the system.

Note: This action is useful when the user looks up URL analysis.

Action Input Parameters

Parameter: URL
  Description: Enter the URL. Example: "http://jusdermas.com/jessie%20l%20campbell/mazon/"
  Field Type: Text
  Required/Optional: Required

Example Request

{
   "url": "http://jusdermas.com/Jessie L Campbell/amazon/"
}

Action: URL Submission for Sandbox Analysis

This action submits a URL for scanning in sandbox analysis.

Action Input Parameters

Parameter: URL
  Description: Enter the URL. Example: "trenz.pl.com"
  Field Type: Text
  Required/Optional: Required

Parameter: Environment ID
  Description: Enter the environment ID.
  Field Type: Integer
  Required/Optional: Optional
  Comments: Allowed values:
    • 300: Linux (Ubuntu 16.04, 64 bit)
    • 200: Android Static Analysis
    • 120: Windows 7 64 bit
    • 110: Windows 7 32 bit (HWP Support)
  Default value: 100 (Windows 7 32 bit)

Parameter: Additional fields
  Description: Enter the additional fields.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • no_share_third_party (bool); default value: "true"
    • allow_community_access (bool); default value: "true"
    • comment (str)
    • submit_name (str)
    • environment_variable (key:value)
    • document_password (str)
    • custom_run_time (int, in seconds)
    • custom_cmd_line (str)
    • custom_date_time (yyyy-MM-dd HH:mm)
    • email (str)
    • offline_analysis (bool); default value: "false"
    • tor_enabled_analysis (bool); default value: "false"
    • input_sample_tampering (bool); default value: "false"
    • script_logging (bool); default value: "false"
    • experimental_anti_evasion (bool); default value: "false"
    • hybrid_analysis (bool); default value: "false"
    • action_script (str): default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie
    • no_hash_lookup (bool); default value: "false"
    • priority (int): 0 (default) to 100 (highest)

Example Request

{
   "url": "trenz.pl.com",
   "extra_params": {},
   "environment_id": 110
}

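The submission actions (file and URL) return the job ID that the "Get Report Status of Sandbox Submission" and "Get a Report of Sandbox Submission" actions consume, so a playbook typically chains submit, poll and fetch. The function below is an added example of that chain and is not code from the app; the state strings IN_QUEUE, IN_PROGRESS, SUCCESS and ERROR, the `call(action_name, payload)` transport and the FakeOrchestrate stand-in (whose responses are constructed, not real service output) are all assumptions.

```python
import time

# Assumed status values for the Get Report Status action; the page does not list them.
PENDING = {"IN_QUEUE", "IN_PROGRESS"}

def run_submission(call, submit_action, submit_input, poll_interval=0.0, max_polls=10):
    """submit -> Get Report Status (poll by job_id) -> Get a Report.
    `call(action_name, payload)` invokes one Orchestrate action and returns its
    result as a dict; that transport shape is an assumption of this example."""
    submitted = call(submit_action, submit_input)
    job_id = submitted.get("job_id")
    if not job_id:
        raise RuntimeError(f"{submit_action} returned no job_id: {submitted!r}")
    for _ in range(max_polls):
        status = call("Get Report Status of Sandbox Submission", {"job_id": job_id})
        state = status.get("state")
        if state == "SUCCESS":
            report = call("Get a Report of Sandbox Submission", {"job_id": job_id})
            return {"job_id": job_id, "state": state, "report": report}
        if state == "ERROR":  # terminal failure: there is no report to fetch
            return {"job_id": job_id, "state": state, "report": None}
        if state not in PENDING:
            raise RuntimeError(f"unexpected state {state!r} for job {job_id}")
        time.sleep(poll_interval)
    return {"job_id": job_id, "state": "TIMEOUT", "report": None}

class FakeOrchestrate:
    """Constructed stand-in for the app so the chain runs offline; every
    response below is made up and is not real Hybrid Analysis output."""
    def __init__(self, states):
        self.states = list(states)  # status answers in order; the last one repeats
        self.calls = []

    def __call__(self, action, payload):
        self.calls.append(action)
        if action in ("File Submission for Sandbox Analysis",
                      "URL Submission for Sandbox Analysis"):
            return {"job_id": "5e9dbc86193b8430af5fbb1b", "sha256": "a" * 64}
        if action == "Get Report Status of Sandbox Submission":
            state = self.states.pop(0) if len(self.states) > 1 else self.states[0]
            return {"state": state}
        if action == "Get a Report of Sandbox Submission":
            return {"verdict": "malicious", "threat_score": 85}
        raise KeyError(action)
```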
Action: Search Hash Details

This action searches for hash details and the summary of the file hash.

Action Input Parameters

Parameter: File hash
  Description: Enter the file hash. Example: "83d965138a2fc05f5a403d43c9425afc1360eb793b3d94c64037f0f848467e22"
  Field Type: Text
  Required/Optional: Required
  Comments: Allowed value types:
    • md5
    • sha1
    • sha256

Example Request

{
   "file_hash": "83d965138a2fc05f5a403d43c9425afc1360eb793b3d94c64037f0f848467e22"
}

Action: Get a Hash Overview

This action obtains an overview of a SHA256 hash.

Action Input Parameters

Parameter: SHA256
  Description: Enter the SHA256 hash. Example: "83d965138a2fc05f5a403d43c9425afc1360eb793b3d94c64037f0f848467e22"
  Field Type: Text
  Required/Optional: Required

Example Request

[
   {
      "SHA256": "83d965138a2fc05f5a403d43c9425afc1360eb793b3d94c64037f0f848467e22"
   }
]

Action: Get the Summary of Hash

This action obtains the summary of a SHA256 hash.

Action Input Parameters

Parameter: SHA256
  Description: Enter the SHA256 hash. Example: "d4e8e1248fb1ff3d8f69eabb18199fb1c6cbd7f6fab3465593e0daa44525c3ef"
  Field Type: Text
  Required/Optional: Required

Example Request

[
   {
      "SHA256": "83d965138a2fc05f5a403d43c9425afc1360eb793b3d94c64037f0f848467e22"
   }
]

Action: Get the Result of a Quick Scan

This action obtains the result of a quick scan using its scan ID.

Action Input Parameters

Parameter: Scan ID
  Description: Enter the scan ID. Example: "5f51b7034f95ba26df08fbbc"
  Field Type: Text
  Required/Optional: Required
  Comments: You can generate a scan ID using the "Quick File Scan" and "Quick URL Scan" actions.

Example Request

{
   "scan_id": "5f4bdb83b23d773af8721296"
}

Action: Get the Latest Feeds

This action retrieves the latest feed, that is, the most recent 250 reports logged in the last 24 hours.

Action Input Parameters

This action does not require any input parameter.

Action: Submit File Content for Sandbox Analysis

This action submits file content for sandbox analysis.

Action Input Parameters

Parameter: File Content
  Description: Enter the file content. Example: "123.33.33.33\\n22.22.22.22\\n"
  Field Type: Text
  Required/Optional: Required

Parameter: Environment ID
  Description: Enter the environment ID. Example: 120
  Field Type: Integer
  Required/Optional: Optional
  Comments: Default value: 100 (Windows 7 32 bit). Allowed values:
    • 300: Linux (Ubuntu 16.04, 64 bit)
    • 200: Android Static Analysis
    • 120: Windows 7 64 bit
    • 110: Windows 7 32 bit (HWP Support)

Parameter: Additional Fields
  Description: Enter the additional fields.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed values:
    • no_share_third_party (boolean): by default, the value is set as "true"
    • allow_community_access (boolean): by default, the value is set as "true"
    • comment (text)
    • submit_name (text)
    • environment_variable (key-value)
    • document_password (text)
    • custom_run_time (integer, in seconds)
    • custom_cmd_line (text)
    • custom_date_time (yyyy-MM-dd HH:mm)
    • email (text)
    • offline_analysis (boolean): by default, the value is set as "false"
    • tor_enabled_analysis (boolean): by default, the value is set as "false"
    • input_sample_tampering (boolean): by default, the value is set as "false"
    • script_logging (boolean): by default, the value is set as "false"
    • experimental_anti_evasion (boolean): by default, the value is set as "false"
    • hybrid_analysis (boolean): by default, the value is set as "false"
    • action_script (text): default, default_maxantievasion, default_randomfiles, default_randomtheme, default_openie
    • no_hash_lookup (boolean): by default, the value is set as "false"

For more information on additional fields, see Additional Fields.

Example Request

[
   {
      "file_content": "123.33.33.33\\n22.22.22.22\\n",
      "environment_id": 120
   }
]