Uncover Unknown Malware Using SSDeep

Details
Content
Dependencies
Version History

Leverages SSDeep hashes to find similarities between indicators and incidents.

This pack allows you to uncover malware that was previously unknown to you, by comparing its SSDeep hash to other SSDeep hashes.

What does this pack do?

Once the user creates an incident of type Uncover Unknown Malware Using SSDeep and provides an MD5 or SHA256 hash, or a file, the playbook will do the following:

Enrich the input MD5 / SHA256 hash to get its respective other hash types, including its SSDeep hash, or retrieve the file from an endpoint to obtain those hashes.
Enrich existing indicators in the system, and create a pool of known SSDeep hashes.
Enrich the input hash to get the malware family, verdict and analysis report from Intezer, and the community comments from VirusTotal.
Compare the SSDeep hash of the original hash against the pool of known SSDeep hashes to find similarities to other files.
Create relationships between all other hash types of the SSDeep hashes that are similar to the orihinal hash.
Search for incidents with any similar hashes which were detected based on the similarity of their SSDeep hashes, and link them.
Aggregate the relationships of similar hashes to other indicators and display them in the layout.
If the input hash or similar hashes were found as malicious - mark the rest of them as malicious too.
Remediate the incident by blocking indicators that were found as malicious.

Pack Image

This pack allows you to uncover malware that was previously unknown to you, by comparing its SSDeep hash to other SSDeep hashes.

What does this pack do?

Once the user creates an incident of type Uncover Unknown Malware Using SSDeep and provides an MD5 or SHA256 hash, or a file, the playbook will do the following:

Enrich the input MD5 / SHA256 hash to get its respective other hash types, including its SSDeep hash, or retrieve the file from an endpoint to obtain those hashes.
Enrich existing indicators in the system, and create a pool of known SSDeep hashes.
Enrich the input hash to get the malware family, verdict and analysis report from Intezer, and the community comments from VirusTotal.
Compare the SSDeep hash of the original hash against the pool of known SSDeep hashes to find similarities to other files.
Create relationships between all other hash types of the SSDeep hashes that are similar to the orihinal hash.
Search for incidents with any similar hashes which were detected based on the similarity of their SSDeep hashes, and link them.
Aggregate the relationships of similar hashes to other indicators and display them in the layout.
If the input hash or similar hashes were found as malicious - mark the rest of them as malicious too.
Remediate the incident by blocking indicators that were found as malicious.

Pack Image

Layouts

Name	Description
Uncover Unknown Malware Using SSDeep

Incident Fields

Name	Description
Similar File Hashes Based on SSDeep

Incident Types

Name	Description
Uncover Unknown Malware Using SSDeep

Playbooks

Name	Description
Uncover Unknown Malware Using SSDeep	This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware. The playbook does the following: Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint. Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash. Links incidents that had any of the indicators which were found related based on the SSDeep hash similarity. Enriches the original hash to get the threat actor, malware family and VirusTotal community comments. Finds endpoints where occurences of any of the similar hashes exists. Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious. Remediates the incident by blocking all the malicious hashes in the organization (with user approval). These steps allow the analyst to find new files, incidents and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.

Name

Description

Uncover Unknown Malware Using SSDeep

This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware.
The playbook does the following:

Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint.
Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash.
Links incidents that had any of the indicators which were found related based on the SSDeep hash similarity.
Enriches the original hash to get the threat actor, malware family and VirusTotal community comments.
Finds endpoints where occurences of any of the similar hashes exists.
Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious.
Remediates the incident by blocking all the malicious hashes in the organization (with user approval).

These steps allow the analyst to find new files, incidents and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.

Incident Fields

Name	Description
Similar File Hashes Based on SSDeep

Incident Types

Name	Description
Uncover Unknown Malware Using SSDeep

Playbooks

Name	Description
Uncover Unknown Malware Using SSDeep	This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware. The playbook does the following: Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint. Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash. Links alerts that had any of the indicators which were found related based on the SSDeep hash similarity. Enriches the original hash to get the threat actor, malware family and VirusTotal community comments. Finds endpoints where occurences of any of the similar hashes exists. Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious. Remediates the alert by blocking all the malicious hashes in the organization (with user approval). These steps allow the analyst to find new files, alerts and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.

Name

Description

Uncover Unknown Malware Using SSDeep

This playbook leverages the case management and TIM aspects of XSOAR to uncover unknown malware.
The playbook does the following:

Gets the SSDeep hash of a known malicious MD5 or SHA256 hash by enriching the hash via VirusTotal, and attempting to retrieve the related file from an endpoint.
Creates relationships between otherwise unknown indicators - based on their correspondence to the SSDeep that was deemed similar to the original SSDeep of the malicious hash.
Links alerts that had any of the indicators which were found related based on the SSDeep hash similarity.
Enriches the original hash to get the threat actor, malware family and VirusTotal community comments.
Finds endpoints where occurences of any of the similar hashes exists.
Sets detected similar hashes and original hash as malicious, if one of them is detected as malicious.
Remediates the alert by blocking all the malicious hashes in the organization (with user approval).

These steps allow the analyst to find new files, alerts and endpoints which could be related to the the original hash that was searched simply based on the similarity of SSDeep hashes.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
VirusTotal	By: VirusTotal
Common Playbooks	By: Cortex XSOAR
Intezer	By: Intezer

Optional Content Packs (2)

Pack Name	Pack By
Common Types	By: Cortex XSOAR
Malware Core	By: Cortex XSOAR

All level dependencies (8)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
VirusTotal	By: VirusTotal
Intezer	By: Intezer

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Supported By	Community
Created	November 29, 2022
Last Release	May 2, 2023

Malware

Hunting

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.