Open Fhree99 opened 1 year ago
// Cypher =~ must match the whole string, so the anchors need to be .* rather than a single '.',
// and the commas inside the character class were matching literal commas; hex digests only need [0-9a-fA-F].
MATCH (f:file) WHERE f.hashes =~ '.*[0-9a-fA-F]{64}.*' OR f.hashes =~ '.*[0-9a-fA-F]{32}.*' RETURN f
We might need to verify that our file objects (or indicators) are actually getting hash values (sha, etc)
While looking at cape2stix code:
- SHA256
- MD5
- If TLSH, SSDeep: any internal tags (implies) - perhaps throw it in a note object
- Take hashes in STIX bundles
- Signatures
- Sys calls
- Double check processes
- Take a look at the difference between the hashes of the main file and hashes of the dropped files.
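One way to check the two points above (that every file object in a cape2stix bundle actually carries well-formed hashes, and how the main file's digests compare with those of the dropped files) outside Neo4j, as an added example that is not part of this issue or of the cape2stix project. It assumes the producer uses the STIX 2.1 hash-algorithm-ov keys (MD5, SHA-256, SSDEEP, TLSH, ...) and links the main file to dropped files with a `drops` relationship; the bundle, ids and digest values are constructed placeholders.

```python
"""Audit the 'hashes' of file SCOs in a STIX 2.1 bundle and compare the main
sample's digests with those of its dropped files.

Added example for this issue; it is not code from cape2stix or a Neo4j query.
The bundle, ids and hash values below are constructed placeholders."""
import json
import re

# Fixed-length hex digests keyed by the STIX hash-algorithm-ov names.
HEX_LENGTH = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Similarity digests are not fixed-length hex, so they get their own shape checks.
SSDEEP_RE = re.compile(r"^\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*$")
TLSH_RE = re.compile(r"^(?:T1)?[0-9A-Fa-f]{70}$")
# Digests every file object is expected to carry (the two listed in the issue).
REQUIRED = ("MD5", "SHA-256")


def hash_problem(algo, value):
    """Return what is wrong with one digest, or None if it is well-formed."""
    if algo in HEX_LENGTH:
        if not (isinstance(value, str) and HEX_RE.match(value) and len(value) == HEX_LENGTH[algo]):
            return f"{algo} is not {HEX_LENGTH[algo]} hex chars: {value!r}"
    elif algo == "SSDEEP":
        if not (isinstance(value, str) and SSDEEP_RE.match(value)):
            return f"SSDEEP malformed: {value!r}"
    elif algo == "TLSH":
        if not (isinstance(value, str) and TLSH_RE.match(value)):
            return f"TLSH malformed: {value!r}"
    else:
        return f"unknown hash algorithm key {algo!r}"
    return None


def check_hashes(hashes):
    """Return all problems with a file object's 'hashes' dict (empty list means OK)."""
    problems = [p for p in (hash_problem(a, v) for a, v in hashes.items()) if p]
    problems += [f"{algo} missing" for algo in REQUIRED if algo not in hashes]
    return problems


def audit_bundle(bundle):
    """Map every file SCO id in the bundle to its list of hash problems."""
    return {o["id"]: check_hashes(o.get("hashes", {}))
            for o in bundle["objects"] if o.get("type") == "file"}


def dropped_files(bundle, main_id):
    """Ids of files the main sample drops.  Assumes a 'drops' relationship SRO from
    the main file to each dropped file; adjust if the producer models it differently."""
    return [r["target_ref"] for r in bundle["objects"]
            if r.get("type") == "relationship" and r.get("relationship_type") == "drops"
            and r.get("source_ref") == main_id]


def compare_hashes(bundle, main_id, algo="SHA-256"):
    """Classify each dropped file's <algo> digest against the main file's:
    'identical', 'different', 'missing' or 'invalid'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    main_hash = by_id[main_id].get("hashes", {}).get(algo)
    verdict = {}
    for fid in dropped_files(bundle, main_id):
        other = by_id[fid].get("hashes", {}).get(algo)
        if other is None or main_hash is None:
            verdict[fid] = "missing"
        elif hash_problem(algo, other) or hash_problem(algo, main_hash):
            verdict[fid] = "invalid"
        elif other.lower() == main_hash.lower():
            verdict[fid] = "identical"
        else:
            verdict[fid] = "different"
    return verdict


# Constructed bundle.  UUIDs and digests are placeholders, not real samples.
MAIN = "file--00000000-0000-4000-8000-00000000000a"
COPY = "file--00000000-0000-4000-8000-00000000000b"
DLL = "file--00000000-0000-4000-8000-00000000000c"
BROKEN = "file--00000000-0000-4000-8000-00000000000d"
MAIN_SHA256, MAIN_MD5 = "ab" * 32, "cd" * 16


def _drops(n, target):
    return {"type": "relationship", "relationship_type": "drops",
            "id": f"relationship--00000000-0000-4000-8000-0000000001{n:02x}",
            "source_ref": MAIN, "target_ref": target}


SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "file", "id": MAIN, "name": "sample.exe",
         "hashes": {"MD5": MAIN_MD5, "SHA-256": MAIN_SHA256,
                    "SSDEEP": "3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C"}},
        # dropped copy of the sample itself: same digests as the main file
        {"type": "file", "id": COPY, "name": "copy.exe",
         "hashes": {"MD5": MAIN_MD5, "SHA-256": MAIN_SHA256}},
        # a genuinely different dropped file
        {"type": "file", "id": DLL, "name": "payload.dll",
         "hashes": {"MD5": "ef" * 16, "SHA-256": "12" * 32}},
        # the case the issue wants caught: truncated SHA-256 and no MD5 at all
        {"type": "file", "id": BROKEN, "name": "note.txt",
         "hashes": {"SHA-256": "ab" * 31 + "a"}},
        _drops(1, COPY), _drops(2, DLL), _drops(3, BROKEN),
    ],
}

if __name__ == "__main__":
    print(json.dumps({"problems": audit_bundle(SAMPLE_BUNDLE),
                      "vs_main": compare_hashes(SAMPLE_BUNDLE, MAIN)}, indent=2))
```

Running the audit over a real cape2stix bundle (load it with `json.load` and pass it to `audit_bundle`) lists every file object whose digests are absent or malformed, which is the same question the Neo4j regex query asks but with per-algorithm length checks instead of one loose pattern. `compare_hashes` only tells you whether a dropped file is byte-identical to the main sample; near-duplicate detection needs the SSDEEP or TLSH values and a comparison routine those formats define, not an exact match.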
Might need to remove this as it's nothing more difficult than a single query match, but file hashes are a common observable that is used in threat intelligence. I do not believe there is a way to compare file hashes for similarity within Neo4j. In fact, I believe that for similarity comparison of file hashes, they would have to be of a certain type (not MD5). @Rcooley might be able to give insight.

Summary - Answering this question would tell us if this binary is considered ransomware.