topic Using new MineMeld file hash indicators? in General Topics

Using new MineMeld file hash indicators?

DrewDixon — Fri, 18 Nov 2016 22:33:21 GMT

I see that new indicator types for file hashes (MD5, SHA256, SHA1, SSDEEP) were added in MineMeld 0.9.26 this is awesome, but should those indicator types be selectable from the ( NODES > ADD INDICATOR > TYPE ) drop down menu? I don't see them listed so I'm just trying to figure out how to employ the use of these new indicator types. I'm still very new to MineMeld so still getting familiar and testing it out so my apologies if this is off-base...

Also, does anyone know if we will be able to export AutoFocus file hashes into export lists to leverage them in MineMeld?

Re: Using new MineMeld file hash indicators?

lmori — Sat, 19 Nov 2016 12:59:36 GMT

Hi @DrewDixon,

currently the only Miner producing hashes is the VirusTotal retrohunt Miner.

Next release (0.9.30) will have better coverage for hashes.

Do you have suggestions for new feeds of hashes we should cover ?

Thanks,

luigi

Re: Using new MineMeld file hash indicators?

DrewDixon — Mon, 21 Nov 2016 15:32:25 GMT

Hi @lmori,

First I just wanted to say thanks for all the great work creating MineMeld and for your part in making it open source!

Would you perhaps have any more info on the VirusTotal retrohunt Miner? Does this pull *all* of the malicious file hashes from VirusTotal or some or how does that work?

Thanks for asking on suggestions, I absolutely have a few:

1.) Team Cymru Malware hash registry would be a great one to have a miner available, it looks like they want open source uses/implementations to reach out to them first like they state here in this page (http://www.team-cymru.org/MHR.html)

2.) It would be *Phenomenal* if an update for AutoFocus subscribers (those of us that have an AutoFocus license) could export file hashes from AutoFocus into export lists to be used with MineMeld (in bulk, if possible, currently we can't add file hashes to export lists it seems..), I'm not sure how/if Palo Alto Networks might feel about that but it certianly would be probably the most epic known malware file hash feed! Do you think this might be possible?

Thoughts?

Thank you,

-Drew

Re: Using new MineMeld file hash indicators?

lmori — Tue, 22 Nov 2016 17:36:29 GMT

Hi @DrewDixon,

VirusTotal retro hunt is a subscription based feature of VT where you can define Yara rules and be notified every time a new sample uploaded to VT matches one of those rules.

1) I will look into this, thanks !

2) about AutoFocus, a feed containing all the billions of hashes known to AF wouldn't be super useful. But I see your point.

Thanks and please let us know any suggestion you have,

luigi

Re: Using new MineMeld file hash indicators?

Jerin — Fri, 11 Aug 2017 14:16:25 GMT

Luigi, i am on VERSION: 0.9.40 (AF)

1) is hashes includeded in the export miner ?

2) is there a miner that i can use to add hashes from nodes->add indicator.

i can only see a miner for virus total. please let me know .

thanks

Re: Using new MineMeld file hash indicators?

lmori — Mon, 14 Aug 2017 09:43:01 GMT

Hi @Jerin,

1) hashes are exported by output nodes, which Miner are you using ? The autofocus.samplesMiner support hashes

2) you will be able to do it in the next release (0.9.42)

Thanks,

luigi

Re: Using new MineMeld file hash indicators?

Jerin — Mon, 14 Aug 2017 17:00:14 GMT

Thanks Luigi .

i am able to get hash from autofocus.samplesminer. wondering if "Export List Miner" support hash too?

i see only IPv4, URL, and domain indicators.

Thanks

Jerin

Re: Using new MineMeld file hash indicators?

lmori — Wed, 23 Aug 2017 12:48:00 GMT

Hi @Jerin,

you can't add hashes to export list. Please, could you provide more details about your use case ?

Thanks,

luigi