Uncover Unknown Malware Using SSDeep
This Playbook is part of the Uncover Unknown Malware Using SSDeep Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware. The playbook does the following:
- Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint.
- Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash.
- Links incidents that had any of the indicators which were found related based on the SSDeep hash similarity.
- Enriches the original hash to get the threat actor, malware family and VirusTotal community comments.
- Finds endpoints where occurrences of any of the similar hashes exists.
- Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious.
- Remediates the incident by blocking all the malicious hashes in the organization (with user approval).
These steps allow the analyst to find new files, incidents and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Intezer - Analyze by hash
- Retrieve File from Endpoint - Generic V3
- Block Indicators - Generic v3
- Search Endpoints By Hash - Generic V2
Integrations#
- VirusTotal (API v3)
Scripts#
- CreateIndicatorRelationship
- SetGridField
- DeleteContext
- SearchIndicatorRelationships
- SearchIncidentsV2
- SSDeepSimilarity
- Set
- SetAndHandleEmpty
- IsIntegrationAvailable
Commands#
- vt-comments-get
- findIndicators
- setIndicators
- linkIncidents
- enrichIndicators
- setIncident
- file
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| fileHash | The file hash to hunt for. Supported hash types are MD5 and SHA256. | incident.filehash | Required |
| SimilarityThreshold | SSDeep hashes with a similarity value equal to or greater than the value specified, will be considered as similar hashes. The SSDeep hashes are given a similarity value between 0 and 100. The similarity is calculated based on the linux "ssdeep" command which is based on the SpamSum program. It basically calculates how many character edits are needed to reach from one hash to the other hash. More information can be found in: https://www.samba.org/ftp/unpacked/junkcode/spamsum/README | 50 | Required |
| SearchFromDate | When looking for existing hashes in the system, this is the date that it will look for hashes from. The value should be in YYYY-MM-DDTHH:MM:SS. For example: 2022-02-15T08:31:00 | 2020-01-01 00:00:00 | Optional |
| EnrichExistingIndicators | Whether indicators found in XSOAR will be enriched using the enrichIndicators command. Note: this may use up quota in your threat intelligence products. This is used to increase the SSDeep pool size to improve the coverage when comparing the input hash against other SSDeeps in the system. | False | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
