{
"Event": {
"analysis": "2",
"date": "2015-04-03",
"extends_uuid": "",
"info": "OSINT Additional yara rules for Equation Drug by Florian Roth",
"publish_timestamp": "1456150857",
"published": true,
"threat_level_id": "1",
"timestamp": "1428090970",
"uuid": "551e7bc4-ed74-4ff2-aef7-1888950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061141",
"to_ids": false,
"type": "text",
"uuid": "551e7bd5-a208-44a8-9173-1a0e950d210b",
"value": "Equation Drug"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061168",
"to_ids": false,
"type": "link",
"uuid": "551e7bf0-2c14-45cb-8ef2-1879950d210b",
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/spy_equation_fiveeyes.yar"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061168",
"to_ids": false,
"type": "link",
"uuid": "551e7bf0-d148-470e-8c28-1879950d210b",
"value": "https://github.com/Neo23x0/Loki/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061223",
"to_ids": false,
"type": "link",
"uuid": "551e7c27-fa3c-4646-a4b1-948e950d210b",
"value": "http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061245",
"to_ids": false,
"type": "text",
"uuid": "551e7c3d-1d24-422b-996f-9144950d210b",
"value": "EquationGroup"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061245",
"to_ids": false,
"type": "text",
"uuid": "551e7c3d-09e4-4a83-ab3a-9144950d210b",
"value": "Equation Group"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061266",
"to_ids": true,
"type": "yara",
"uuid": "551e7c52-33e8-448c-9e48-13b6950d210b",
"value": "rule EquationDrug_NetworkSniffer1 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Backdoor driven by network sniffer - mstcp32.sys, fat32.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"26e787997a338d8111d96c9a4c103cf8ff0201ce\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"sys\\\\mstcp32.dbg\" fullword ascii\r\n\t\t$s7 = \"mstcp32.sys\" fullword wide\r\n\t\t$s8 = \"p32.sys\" fullword ascii\r\n\t\t$s9 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s10 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061280",
"to_ids": true,
"type": "yara",
"uuid": "551e7c60-0274-44b9-b508-1888950d210b",
"value": "rule EquationDrug_CompatLayer_UnilayDLL {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Unilay.DLL\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"a3a31937956f161beba8acac35b96cb74241cd0f\"\r\n\tstrings:\r\n\t\t$mz = { 4d 5a }\r\n\t\t$s0 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\t( $mz at 0 ) and $s0\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061293",
"to_ids": true,
"type": "yara",
"uuid": "551e7c6d-def0-43c3-86fb-7455950d210b",
"value": "rule EquationDrug_HDDSSD_Op {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - HDD/SSD firmware operation - nls_933w.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ff2b50f371eb26f22eb8a2118e9ab0e015081500\"\r\n\tstrings:\r\n\t\t$s0 = \"nls_933w.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061309",
"to_ids": true,
"type": "yara",
"uuid": "551e7c7d-cce8-4854-8048-948e950d210b",
"value": "rule EquationDrug_NetworkSniffer2 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"7e3cd36875c0e5ccb076eb74855d627ae8d4627f\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"sys\\\\tdip.dbg\" fullword ascii\r\n\t\t$s4 = \"dip.sys\" fullword ascii\r\n\t\t$s5 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s6 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s7 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061329",
"to_ids": true,
"type": "yara",
"uuid": "551e7c91-544c-4776-95f9-0d4d950d210b",
"value": "rule EquationDrug_NetworkSniffer3 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network Sniffer - tdip.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"14599516381a9646cd978cf962c4f92386371040\"\r\n\tstrings:\r\n\t\t$s0 = \"Corporation. All rights reserved.\" fullword wide\r\n\t\t$s1 = \"IP Transport Driver\" fullword wide\r\n\t\t$s2 = \"tdip.sys\" fullword wide\r\n\t\t$s3 = \"tdip.pdb\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061349",
"to_ids": true,
"type": "yara",
"uuid": "551e7ca5-b9a4-4ef2-84f1-9144950d210b",
"value": "rule EquationDrug_VolRec_Driver {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Collector plugin for Volrec - msrstd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"ee2b504ad502dc3fed62d6483d93d9b1221cdd6c\"\r\n\tstrings:\r\n\t\t$s0 = \"msrstd.sys\" fullword wide\r\n\t\t$s1 = \"msrstd.pdb\" fullword ascii\r\n\t\t$s2 = \"msrstd driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061365",
"to_ids": true,
"type": "yara",
"uuid": "551e7cb5-5f8c-45d5-be4b-4dc2950d210b",
"value": "rule EquationDrug_KernelRootkit {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Kernel mode stage 0 and rootkit (Windows 2000 and above) - msndsrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"597715224249e9fb77dc733b2e4d507f0cc41af6\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"Parmsndsrv.dbg\" fullword ascii\r\n\t\t$s2 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s3 = \"msndsrv.sys\" fullword wide\r\n\t\t$s5 = \"\\\\REGISTRY\\\\MACHINE\\\\System\\\\CurrentControlSet\\\\Control\\\\Windows\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s7 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s9 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061381",
"to_ids": true,
"type": "yara",
"uuid": "551e7cc5-36b8-465f-bc94-8c54950d210b",
"value": "rule EquationDrug_Keylogger {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Key/clipboard logger driver - msrtvd.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"b93aa17b19575a6e4962d224c5801fb78e9a7bb5\"\r\n\tstrings:\r\n\t\t$s0 = \"\\\\registry\\\\machine\\\\software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\" fullword wide\r\n\t\t$s2 = \"\\\\registry\\\\machine\\\\SYSTEM\\\\ControlSet001\\\\Control\\\\Session Manager\\\\En\" wide\r\n\t\t$s3 = \"\\\\DosDevices\\\\Gk\" fullword wide\r\n\t\t$s5 = \"\\\\Device\\\\Gk0\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061401",
"to_ids": true,
"type": "yara",
"uuid": "551e7cd9-b65c-4be1-959b-13b6950d210b",
"value": "rule EquationDrug_NetworkSniffer4 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"cace40965f8600a24a2457f7792efba3bd84d9ba\"\r\n\tstrings:\r\n\t\t$s0 = \"Copyright 1999 RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s1 = \"\\\\systemroot\\\\\" fullword ascii\r\n\t\t$s2 = \"RAVISENT Technologies Inc.\" fullword wide\r\n\t\t$s3 = \"Created by VIONA Development\" fullword wide\r\n\t\t$s4 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s5 = \"\\\\device\\\\harddiskvolume\" fullword wide\r\n\t\t$s7 = \"ATMDKDRV.SYS\" fullword wide\r\n\t\t$s8 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s9 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s10 = \"CineMaster C 1.1 WDM Main Driver\" fullword wide\r\n\t\t$s11 = \"\\\\Device\\\\%ws\" fullword wide\r\n\t\t$s13 = \"CineMaster C 1.1 WDM\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061417",
"to_ids": true,
"type": "yara",
"uuid": "551e7ce9-b7c0-4bf8-97c3-948e950d210b",
"value": "rule EquationDrug_PlatformOrchestrator {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Platform orchestrator - mscfg32.dll, svchost32.dll\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"febc4f30786db7804008dc9bc1cebdc26993e240\"\r\n\tstrings:\r\n\t\t$s0 = \"SERVICES.EXE\" fullword wide\r\n\t\t$s1 = \"\\\\command.com\" fullword wide\r\n\t\t$s2 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s3 = \"LSASS.EXE\" fullword wide\r\n\t\t$s4 = \"Windows Configuration Services\" fullword wide\r\n\t\t$s8 = \"unilay.dll\" fullword ascii\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061437",
"to_ids": true,
"type": "yara",
"uuid": "551e7cfd-bd28-489c-a56a-7455950d210b",
"value": "rule EquationDrug_NetworkSniffer5 {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Network-sniffer/patcher - atmdkdrv.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"09399b9bd600d4516db37307a457bc55eedcbd17\"\r\n\tstrings:\r\n\t\t$s0 = \"Microsoft(R) Windows (TM) Operating System\" fullword wide\r\n\t\t$s1 = \"\\\\Registry\\\\User\\\\CurrentUser\\\\\" fullword wide\r\n\t\t$s2 = \"atmdkdrv.sys\" fullword wide\r\n\t\t$s4 = \"\\\\Device\\\\%ws_%ws\" fullword wide\r\n\t\t$s5 = \"\\\\DosDevices\\\\%ws\" fullword wide\r\n\t\t$s6 = \"\\\\Device\\\\%ws\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061452",
"to_ids": true,
"type": "yara",
"uuid": "551e7d0c-9254-4e05-8fb7-13b6950d210b",
"value": "rule EquationDrug_FileSystem_Filter {\r\n\tmeta:\r\n\t\tdescription = \"EquationDrug - Filesystem filter driver \u2013 volrec.sys, scsi2mgr.sys\"\r\n\t\tauthor = \"Florian Roth @4nc4p\"\r\n\t\treference = \"http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/\"\r\n\t\tdate = \"2015/03/11\"\r\n\t\thash = \"57fa4a1abbf39f4899ea76543ebd3688dcc11e13\"\r\n\tstrings:\r\n\t\t$s0 = \"volrec.sys\" fullword wide\r\n\t\t$s1 = \"volrec.pdb\" fullword ascii\r\n\t\t$s2 = \"Volume recognizer driver\" fullword wide\r\n\tcondition:\r\n\t\tall of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061599",
"to_ids": true,
"type": "sha1",
"uuid": "551e7d9f-449c-4b11-b116-1a0e950d210b",
"value": "26e787997a338d8111d96c9a4c103cf8ff0201ce"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061599",
"to_ids": true,
"type": "sha1",
"uuid": "551e7d9f-90b4-495d-a76f-1a0e950d210b",
"value": "a3a31937956f161beba8acac35b96cb74241cd0f"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061599",
"to_ids": true,
"type": "sha1",
"uuid": "551e7d9f-e820-4991-a88b-1a0e950d210b",
"value": "ff2b50f371eb26f22eb8a2118e9ab0e015081500"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-6554-48c1-9789-1a0e950d210b",
"value": "7e3cd36875c0e5ccb076eb74855d627ae8d4627f"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-2538-4b10-9773-1a0e950d210b",
"value": "14599516381a9646cd978cf962c4f92386371040"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-ed30-41a0-b60e-1a0e950d210b",
"value": "ee2b504ad502dc3fed62d6483d93d9b1221cdd6c"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-fa2c-4124-bc52-1a0e950d210b",
"value": "597715224249e9fb77dc733b2e4d507f0cc41af6"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-e87c-460b-8a4d-1a0e950d210b",
"value": "b93aa17b19575a6e4962d224c5801fb78e9a7bb5"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-cb54-4d83-bd6f-1a0e950d210b",
"value": "cace40965f8600a24a2457f7792efba3bd84d9ba"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-5eb4-4489-98a0-1a0e950d210b",
"value": "febc4f30786db7804008dc9bc1cebdc26993e240"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-5a10-440a-a4ce-1a0e950d210b",
"value": "09399b9bd600d4516db37307a457bc55eedcbd17"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1428061600",
"to_ids": true,
"type": "sha1",
"uuid": "551e7da0-b430-43bf-b5fa-1a0e950d210b",
"value": "57fa4a1abbf39f4899ea76543ebd3688dcc11e13"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839505",
"to_ids": true,
"type": "md5",
"uuid": "56c65911-1c7c-4ca9-860f-59a1950d210f",
"value": "74de13b5ea68b3da24addc009f84baee"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839507",
"to_ids": true,
"type": "md5",
"uuid": "56c65913-45f0-437c-afe4-59a2950d210f",
"value": "ef4405930e6071ae1f7f6fa7d4f3397d"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839509",
"to_ids": true,
"type": "md5",
"uuid": "56c65915-1a88-47c3-a14f-59a4950d210f",
"value": "11fb08b9126cdb4668b3f5135cf7a6c5"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839511",
"to_ids": true,
"type": "md5",
"uuid": "56c65917-cb64-415e-a117-599e950d210f",
"value": "20506375665a6a62f7d9dd22d1cc9870"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839513",
"to_ids": true,
"type": "md5",
"uuid": "56c65919-a364-49c2-8632-c650950d210f",
"value": "60dab5bb319281747c5863b44c5ac60d"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839515",
"to_ids": true,
"type": "md5",
"uuid": "56c6591b-ec0c-4ef9-a84c-599d950d210f",
"value": "15d39578460e878dd89e8911180494ff"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839517",
"to_ids": true,
"type": "md5",
"uuid": "56c6591d-a640-4716-8bf4-5f51950d210f",
"value": "c4f8671c1f00dab30f5f88d684af1927"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839519",
"to_ids": true,
"type": "md5",
"uuid": "56c6591f-28dc-40be-9925-c654950d210f",
"value": "f6bf3ed3bcd466e5fd1cbaf6ba658716"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839521",
"to_ids": true,
"type": "md5",
"uuid": "56c65921-3ee8-4e94-b03a-c651950d210f",
"value": "214f7a2c95bdc265888fbcd24e3587da"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839522",
"to_ids": true,
"type": "md5",
"uuid": "56c65922-3ac8-4f0c-b172-432f950d210f",
"value": "5767b9d851d0c24e13eca1bfd16ea424"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839524",
"to_ids": true,
"type": "md5",
"uuid": "56c65924-bc08-4ddc-b84a-c653950d210f",
"value": "8d87a1845122bf090b3d8656dc9d60a8"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839527",
"to_ids": true,
"type": "md5",
"uuid": "56c65927-6c14-408b-81bb-599c950d210f",
"value": "c17e16a54916d3838f63d208ebab9879"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 26e787997a338d8111d96c9a4c103cf8ff0201ce)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839506",
"to_ids": true,
"type": "sha256",
"uuid": "56c65912-dab8-4b67-aa47-5f51950d210f",
"value": "26215bc56dc31d2466d72f1f4e1b6388e62606e9949bc41c28968fcb9a9d60a6"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via a3a31937956f161beba8acac35b96cb74241cd0f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839508",
"to_ids": true,
"type": "sha256",
"uuid": "56c65914-4cb0-4ff7-84e0-c653950d210f",
"value": "1c376452b451e05363dd39c56994bd3414e02ffecf89dbc40461eb6e2fe9e51e"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via ff2b50f371eb26f22eb8a2118e9ab0e015081500)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839510",
"to_ids": true,
"type": "sha256",
"uuid": "56c65916-6540-4e43-a359-4dfb950d210f",
"value": "83d14ce2dcfc852791d20cd78066ba5a2b39eb503e12e33f2ef0b1a46c68de73"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 7e3cd36875c0e5ccb076eb74855d627ae8d4627f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839512",
"to_ids": true,
"type": "sha256",
"uuid": "56c65918-64ac-4501-bbe1-5f51950d210f",
"value": "a5ec4d102d802ada7c5083af53fd9d3c9b5aa83be9de58dbb4fac7876faf6d29"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 14599516381a9646cd978cf962c4f92386371040)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839514",
"to_ids": true,
"type": "sha256",
"uuid": "56c6591a-e1f0-4015-a784-c651950d210f",
"value": "318bb5ca29ac1f647f78a5cf1124d6849fadf52e5bc7193fa05922d36a8db4e5"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via ee2b504ad502dc3fed62d6483d93d9b1221cdd6c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839515",
"to_ids": true,
"type": "sha256",
"uuid": "56c6591b-0f40-4f75-819b-4aed950d210f",
"value": "c3f92c8b2b11c170879fafa29b698d76a5ea4ed37e01674848c63a911d76bece"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 597715224249e9fb77dc733b2e4d507f0cc41af6)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839518",
"to_ids": true,
"type": "sha256",
"uuid": "56c6591e-7c58-4732-8dcf-c650950d210f",
"value": "9f1b82e6c2e9760284c53c5377a054d6cfcb2bd5e36329e0f7c395aa02d79d0d"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via b93aa17b19575a6e4962d224c5801fb78e9a7bb5)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839520",
"to_ids": true,
"type": "sha256",
"uuid": "56c65920-d184-482b-99e8-59a3950d210f",
"value": "63a3b1d2e234481bcee6d95ff8e4d7ebf1967009e32fda35a675bffbd8e4c4aa"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via cace40965f8600a24a2457f7792efba3bd84d9ba)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839522",
"to_ids": true,
"type": "sha256",
"uuid": "56c65922-8c08-40ea-b58c-599f950d210f",
"value": "d0a4b7d09d36459b07552c0269eeed450fb016a1192088bfb13cf50fba7f92cf"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via febc4f30786db7804008dc9bc1cebdc26993e240)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839523",
"to_ids": true,
"type": "sha256",
"uuid": "56c65923-7868-4115-8eaf-49ed950d210f",
"value": "9df733c565cf3c98878911af11ff17f8788c06e56466db6eaab81f8fa80344e4"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 09399b9bd600d4516db37307a457bc55eedcbd17)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839525",
"to_ids": true,
"type": "sha256",
"uuid": "56c65925-b8b8-4f8c-9be2-5f51950d210f",
"value": "897489999ff2c360678cdba9a40a6613fc042f346ccfb325fdc0fa46ac42d00e"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 57fa4a1abbf39f4899ea76543ebd3688dcc11e13)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839528",
"to_ids": true,
"type": "sha256",
"uuid": "56c65928-b2d8-4247-924b-59a4950d210f",
"value": "355e5643c5a04c18d831b942ef65a21d1cdb1d93ea328b0203a38876cef3f93e"
}
]
}
}