{
"Event" : {
"analysis" : "0" ,
"date" : "2023-04-20" ,
"extends_uuid" : "" ,
"info" : "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible" ,
"publish_timestamp" : "1687419940" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1684937230" ,
"uuid" : "207feacb-6379-484d-8bea-b7281114b381" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : false ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : false ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : false ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : false ,
"name" : "tlp:clear" ,
"relationship_type" : ""
} ,
{
"colour" : "#075300" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Digital Certificates - T1588.004\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Install Digital Certificate - T1608.003\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#053a00" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064b00" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#065000" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064700" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"System Language Discovery - T1614.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075700" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#064500" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Data Manipulation - T1565\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:backdoor=\"POOLRAT\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:malpedia=\"POOLRAT\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:malpedia=\"IconicStealer\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"ICONICSTEALER\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"DAVESHELL\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"SIGFLIP\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:backdoor=\"VEILEDSIGNAL\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"COLDCAT\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : false ,
"name" : "misp-galaxy:tool=\"TAXHAUL\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1682598807" ,
"to_ids" : false ,
"type" : "snort" ,
"uuid" : "726049e7-9805-44ee-a0bc-65c50ba1a1bb" ,
"value" : "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"raw.githubusercontent.com/IconStorages/images/main/\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1682598807" ,
"to_ids" : false ,
"type" : "snort" ,
"uuid" : "a555296d-3c37-415f-8745-b3c68a1496fe" ,
"value" : "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"3cx_auth_id=%s\\;3cx_auth_token_content=%s\\;__tutma=true\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1682598807" ,
"to_ids" : false ,
"type" : "snort" ,
"uuid" : "72986e52-7181-482d-add1-d79c32b22c96" ,
"value" : "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1682598807" ,
"to_ids" : false ,
"type" : "snort" ,
"uuid" : "487ed5ed-71b9-4029-baa0-8e1b1e98da01" ,
"value" : "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutmc\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1683108136" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "f6027cce-03d8-4a41-aa37-202458d4fc64" ,
"value" : "c6441c961dcad0fe127514a918eaabd4"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1683108136" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "2f7a8f74-a0ee-40d7-9e05-1c4908ad0664" ,
"value" : "www.tradingtechnologies.com/trading/order-management"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1683204346" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "6b0e7a84-17ce-42fe-8a63-8bee1ec4255d" ,
"value" : "www.tradingtechnologies.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1683207715" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "aea819dd-d381-49c3-aee2-d9b81ca94bf1" ,
"value" : "451c23709ecd5a8461ad060f6346930c"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1682509494" ,
"uuid" : "ffe5d3e8-741f-43b0-8414-8af137482627" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1682509494" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "49106857-2ef9-433c-83a3-d96bc057fff5" ,
"value" : "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1682509494" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3ca7b986-49fe-4352-9e3b-889f9a0d0f58" ,
"value" : "Blog"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682587388" ,
"uuid" : "bf154df5-cd9c-4867-a76b-2122be53198e" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682587388" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "9521a1e1-903f-4a15-966c-d0999a2890e1" ,
"value" : "rule M_Hunting_3CXDesktopApp_Key {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects a key found in a malicious 3CXDesktopApp file\"\r\n\r\n\u202f\u202f\u202f md5 = \"74bc2d0b6680faa1a5a76b27e5479cbc\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/29\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $key = \"3jB(2bsG#@c7\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f $key\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682587388" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9406e1bb-a404-439c-b67f-64f3778bcb54" ,
"value" : "M_Hunting_3CXDesktopApp_Key"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682587511" ,
"uuid" : "b589edd7-0f8d-4c01-8eb7-7119b9a9b718" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682587511" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e7b39492-a458-4cb5-b385-29ec96f84f3e" ,
"value" : "rule M_Hunting_3CXDesktopApp_Export {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects an export used in 3CXDesktopApp malware\"\r\n\r\n\u202f\u202f\u202f md5 = \"7faea2b01796b80d180399040bb69835\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/31\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $str1 = \"DllGetClassObject\" wide ascii\r\n\r\n\u202f\u202f\u202f $str2 = \"3CXDesktopApp\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f all of ($str*)\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682587511" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0b9de3e7-5648-403c-b09d-32818d853cd3" ,
"value" : "M_Hunting_3CXDesktopApp_Export"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682587655" ,
"uuid" : "2c9c3600-a5e3-49eb-a53d-34480e340b41" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682587655" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "9ac291ed-fb3a-402b-81ff-097a5bc548c1" ,
"value" : "rule TAXHAUL\r\n{\r\n\u202f meta:\r\n\u202f author = \"Mandiant\"\r\n\u202f created = \"04/03/2023\"\r\n\u202f modified = \"04/03/2023\"\r\n\u202f version = \"1.0\"\r\n\u202f strings:\r\n\u202f\u202f\u202f $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n\u202f\u202f\u202f $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\n\u202f condition:\r\n\u202f\u202f\u202f uint16(0) == 0x5A4D and any of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682587655" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7d365f5f-2353-4f56-89fb-728b3e64c03f" ,
"value" : "TAXHAUL"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588366" ,
"uuid" : "e591c3ee-02d0-438f-89ff-cf300e43d799" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588366" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "482b3caa-594a-4c9e-b739-62c22f863b62" ,
"value" : "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588366" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d34aa070-1978-4a64-b5cd-1ae0fb5eba3d" ,
"value" : "M_Hunting_MSI_Installer_3CX_1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588428" ,
"uuid" : "acdd9039-c804-4b19-8206-e53b552cc1c2" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588428" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "047625c7-cd6d-49cc-b1c4-1d6036845705" ,
"value" : "rule M_Hunting_SigFlip_SigLoader_Native\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for strings present in SigLoader (Native)\"\r\n\r\nmd5 = \"a3ccc48db9eabfed7245ad6e3a5b203f\"\r\n\r\nstrings:\r\n\r\n$s1 = \"[*]: Basic Loader...\" ascii wide\r\n\r\n$s2 = \"[!]: Missing PE path or Encryption Key...\" ascii wide\r\n\r\n$s3 = \"[!]: Usage: %s <PE_PATH> <Encryption_Key>\" ascii wide\r\n\r\n$s4 = \"[*]: Loading/Parsing PE File '%s'\" ascii wide\r\n\r\n$s5 = \"[!]: Could not read file %s\" ascii wide\r\n\r\n$s6 = \"[!]: '%s' is not a valid PE file\" ascii wide\r\n\r\n$s7 = \"[+]: Certificate Table RVA %x\" ascii wide\r\n\r\n$s8 = \"[+]: Certificate Table Size %d\" ascii wide\r\n\r\n$s9 = \"[*]: Tag Found 0x%x%x%x%x\" ascii wide\r\n\r\n$s10 = \"[!]: Could not locate data/shellcode\" ascii wide\r\n\r\n$s11 = \"[+]: Encrypted/Decrypted Data Size %d\" ascii wide\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588428" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3a498c7c-aedc-43c4-80d3-378bf95a5697" ,
"value" : "M_Hunting_SigFlip_SigLoader_Native"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588570" ,
"uuid" : "72b98f0f-932a-4705-b155-24749dacf208" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588570" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "387a3373-5e01-467e-9a60-780fad94cbde" ,
"value" : "rule M_Hunting_Raw64_DAVESHELL_Bootstrap\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL\"\r\n\r\nmd5 = \"8a34adda5b981498234be921f86dfb27\"\r\n\r\nstrings:\r\n\r\n$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\n$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and any of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588570" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "f9130426-5fd4-4afc-b997-5b9c817ed9e3" ,
"value" : "M_Hunting_Raw64_DAVESHELL_Bootstrap"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588610" ,
"uuid" : "e2929d32-2c8d-4998-b7e1-c877dad4a15e" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588610" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "9364b556-cdcd-4a73-9dce-fe677eab0f40" ,
"value" : "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 100MB and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588610" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6b92134a-52ef-4bac-af67-2e1f69c425a4" ,
"value" : "M_Hunting_MSI_Installer_3CX_1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588637" ,
"uuid" : "b7b9e0d9-9e7b-4308-a3c5-ea0119e22854" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588637" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "3256e877-5056-4f7b-a5e4-a6a4714ff3b2" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }\r\n\r\n$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}\r\n\r\n$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }\r\n\r\n$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }\r\n\r\ncondition:\r\n\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588637" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b3e8c72e-6ce3-4a59-8fb4-3cd66d4cb940" ,
"value" : "M_Hunting_VEILEDSIGNAL_1"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588662" ,
"uuid" : "3cdb37a4-67e3-498d-8718-cbd9e2ef9543" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588662" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "5f89c788-d148-4660-a1c3-5c403d30d481" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_2\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428\"\r\n\r\nstrings:\r\n\r\n$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }\r\n\r\n$si1 = \"CryptBinaryToStringA\" fullword\r\n\r\n$si2 = \"BCryptGenerateSymmetricKey\" fullword\r\n\r\n$si3 = \"CreateThread\" fullword\r\n\r\n$ss1 = \"ChainingModeGCM\" wide\r\n\r\n$ss2 = \"__tutma\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588662" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0debd5f6-2c54-4962-b08f-8dc04f98314b" ,
"value" : "M_Hunting_VEILEDSIGNAL_2"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682588716" ,
"uuid" : "345f4ba2-569c-4993-ade9-a12f3a160082" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682588716" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e634f810-56e6-4415-afc4-6aed3a1760ff" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_3\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }\r\n\r\n$si1 = \"HttpSendRequestW\" fullword\r\n\r\n$si2 = \"CreateNamedPipeW\" fullword\r\n\r\n$si3 = \"CreateThread\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682588716" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3cfb9223-df0a-4a6c-83ae-1d837828bf23" ,
"value" : "M_Hunting_VEILEDSIGNAL_3"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682589005" ,
"uuid" : "7e9ba136-4f4a-4357-8642-ffde5864be7e" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682589005" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e8443379-0e0e-4d81-9b6a-adca81cefdd5" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_4\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }\r\n\r\n$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }\r\n\r\n$si1 = \"CreateThread\" fullword\r\n\r\n$si2 = \"MultiByteToWideChar\" fullword\r\n\r\n$si3 = \"LocalAlloc\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682589005" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c0815995-13d1-401e-9989-92770dced361" ,
"value" : "M_Hunting_VEILEDSIGNAL_4"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682589173" ,
"uuid" : "39a85650-5607-4aba-b874-75bb1ea6d63b" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682589173" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "e1a4f52e-3c35-4e46-b77e-617ead7108e0" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_5\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"6727284586ecf528240be21bb6e97f88\"\r\n\r\nstrings:\r\n\r\n$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }\r\n\r\n$ss1 = \"chrome.exe\" wide fullword\r\n\r\n$ss2 = \"firefox.exe\" wide fullword\r\n\r\n$ss3 = \"msedge.exe\" wide fullword\r\n\r\n$ss4 = \"\\\\\\\\.\\\\pipe\\\\*\" ascii fullword\r\n\r\n$ss5 = \"FindFirstFileA\" ascii fullword\r\n\r\n$ss6 = \"Process32FirstW\" ascii fullword\r\n\r\n$ss7 = \"RtlAdjustPrivilege\" ascii fullword\r\n\r\n$ss8 = \"GetCurrentProcess\" ascii fullword\r\n\r\n$ss9 = \"NtWaitForSingleObject\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682589173" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a8d4eba5-f14b-4766-8db2-0ccaa350926b" ,
"value" : "M_Hunting_VEILEDSIGNAL_5"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682589931" ,
"uuid" : "222cef9b-fd08-4b98-b804-eda0f9237624" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682589931" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "b93f1f3a-1ca5-4875-92f3-ef0e1e1b2762" ,
"value" : "rule M_Hunting_VEILEDSIGNAL_6\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"00a43d64f9b5187a1e1f922b99b09b77\"\r\n\r\nstrings:\r\n\r\n$ss1 = \"C:\\\\Programdata\\\\\" wide\r\n\r\n$ss2 = \"devobj.dll\" wide fullword\r\n\r\n$ss3 = \"msvcr100.dll\" wide fullword\r\n\r\n$ss4 = \"TpmVscMgrSvr.exe\" wide fullword\r\n\r\n$ss5 = \"\\\\Microsoft\\\\Windows\\\\TPM\" wide fullword\r\n\r\n$ss6 = \"CreateFileW\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682589931" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d1de7271-8a0f-4b3d-8427-4d61e33086dc" ,
"value" : "M_Hunting_VEILEDSIGNAL_6"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682589951" ,
"uuid" : "c8d27f3a-5439-4121-b4f6-5c73d0ae65fd" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682589951" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "09d0bd7d-fea4-4a22-bda5-df6fa77fcc10" ,
"value" : "rule M_Hunting_POOLRAT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Detects strings found in POOLRAT. \"\r\n\r\nmd5 = \"451c23709ecd5a8461ad060f6346930c\"\r\n\r\nstrings:\r\n\r\n$hex1 = { 6e 61 6d 65 3d 22 75 69 64 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni1 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 75 00 69 00 64 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex2 = { 6e 61 6d 65 3d 22 73 65 73 73 69 6f 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni2 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 73 00 65 00 73 00 73 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex3 = { 6e 61 6d 65 3d 22 61 63 74 69 6f 6e 22 25 73 25 73 25 73 25 73 }\r\n\r\n$hex_uni3 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 61 00 63 00 74 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 }\r\n\r\n$hex4 = { 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni4 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 74 00 6f 00 6b 00 65 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$str1 = \"--N9dLfqxHNUUw8qaUPqggVTpX-\" wide ascii nocase\r\n\r\ncondition:\r\n\r\nany of ($hex*) or any of ($hex_uni*) or $str1\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682589951" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9b57bc87-0703-47c8-acd8-24b71237aedb" ,
"value" : "M_Hunting_POOLRAT"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "6" ,
"timestamp" : "1682590080" ,
"uuid" : "702a3733-669e-4ca5-ad86-c73c36d3d9f9" ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1682590081" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "94edac12-8a21-4b8a-83ab-3116f8ea12a4" ,
"value" : "rule M_Hunting_FASTREVERSEPROXY\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"Mandiant\"\r\n\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n md5 = \"19dbffec4e359a198daf4ffca1ab9165\"\r\n\r\n strings:\r\n\r\n $ss1 = \"Go build ID:\" fullword\r\n\r\n $ss2 = \"Go buildinf:\" fullword\r\n\r\n $ss3 = \"net/http/httputil.(*ReverseProxy).\" ascii\r\n\r\n $ss4 = \"github.com/fatedier/frp/client\" ascii\r\n\r\n $ss5 = \"\\\"server_port\\\"\" ascii\r\n\r\n $ss6 = \"github.com/armon/go-socks5.proxy\" ascii\r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1682590081" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "fd446cd7-e9de-4a89-9c51-1a0a53491206" ,
"value" : "M_Hunting_FASTREVERSEPROXY"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1683108044" ,
"uuid" : "a74a8de1-8907-4d1e-8760-85ad05bb3f9c" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1683108044" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "83a9e914-6a59-4343-8106-9481eed16a50" ,
"value" : "ef4ab22e565684424b4142b1294f1f4d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1683108044" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d48c0917-5764-46b0-a3d9-e4c9849d8f06" ,
"value" : "X_TRADER_r7.17.90p608.exe"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1683275801" ,
"uuid" : "6f374c9e-e55a-4f2d-ae2a-4a0cb7f4e090" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "UNC4469" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1683275796" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "d15a50b0-7459-430d-8694-71e64a4fdbfe" ,
"value" : "curvefinances.com"
} ,
{
"category" : "Network activity" ,
"comment" : "UNC4736" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1683275801" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "c4d3ae0f-ccc6-4d7b-a176-00ac4380b65e" ,
"value" : "pbxphonenetwork.com"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1683275711" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "c6c74dcc-a9eb-48d8-aad9-fdb080d5db37" ,
"value" : "89.45.67.160"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1683275812" ,
"uuid" : "99124b56-d511-49d3-aecc-39163ec44f88" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "UNC4736" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1683275807" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "cb44dce7-1d42-485d-8965-a5c3715233ea" ,
"value" : "journalide.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1683275739" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "43110f07-e14f-412f-9319-7ea6904e98db" ,
"value" : "172.93.201.88"
} ,
{
"category" : "Network activity" ,
"comment" : "UNC3782" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1683275812" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "67659020-a084-40a3-a2c0-86d7a69c1bd7" ,
"value" : "nxmnv.site"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "11" ,
"timestamp" : "1683275853" ,
"uuid" : "531b631e-1e99-4292-a5df-f2414baaabdb" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1683275842" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "35e00a06-2121-46ec-aa41-95a982ed0bd2" ,
"value" : "185.38.151.11"
} ,
{
"category" : "Network activity" ,
"comment" : "UNC4736" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1683275847" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "8dc4fe32-0a79-4ad4-ac42-e6b60542442f" ,
"value" : "msedgepackageinfo.com"
} ,
{
"category" : "Network activity" ,
"comment" : "UNC4469" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1683275853" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "244da4c6-622d-4f3e-899d-4de8491f003a" ,
"value" : "apollo-crypto.org.shilaerc20.com"
}
]
}
]
}
}