{ "Event": { "analysis": "0", "date": "2023-04-20", "extends_uuid": "", "info": "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible", "publish_timestamp": "1687419940", "published": true, "threat_level_id": "1", "timestamp": "1684937230", "uuid": "207feacb-6379-484d-8bea-b7281114b381", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#075300", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Digital Certificates - T1588.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Install Digital Certificate - T1608.003\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"", "relationship_type": "" }, { "colour": "#053a00", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"", "relationship_type": "" }, { "colour": "#064b00", "local": 
false, "name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"", "relationship_type": "" }, { "colour": "#065000", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"", "relationship_type": "" 
}, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"", "relationship_type": "" }, { "colour": "#064700", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Language Discovery - T1614.001\"", "relationship_type": "" }, { "colour": "#075700", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#064500", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Data Manipulation - T1565\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"", 
"relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:backdoor=\"POOLRAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"POOLRAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"IconicStealer\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"ICONICSTEALER\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"DAVESHELL\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"SIGFLIP\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:backdoor=\"VEILEDSIGNAL\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"COLDCAT\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"TAXHAUL\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "Reviewer note: all four snort attributes in this event share the placeholder sid 99999999 and carry no rev; give each rule its own local sid before loading them together, otherwise the engine will not keep all four. The content match only sees cleartext payload, so HTTPS traffic to this host needs TLS inspection to be matched.", "deleted": false, "disable_correlation": false, "timestamp": "1682598807", "to_ids": false, "type": "snort", "uuid": "726049e7-9805-44ee-a0bc-65c50ba1a1bb", "value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"raw.githubusercontent.com/IconStorages/images/main/\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1682598807", "to_ids": false, "type": "snort", "uuid": "a555296d-3c37-415f-8745-b3c68a1496fe", "value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"3cx_auth_id=%s\\;3cx_auth_token_content=%s\\;__tutma=true\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)" }, { "category": "External analysis", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1682598807", "to_ids": false, "type": "snort", "uuid": "72986e52-7181-482d-add1-d79c32b22c96", "value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1682598807", "to_ids": false, "type": "snort", "uuid": "487ed5ed-71b9-4029-baa0-8e1b1e98da01", "value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutmc\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1683108136", "to_ids": true, "type": "md5", "uuid": "f6027cce-03d8-4a41-aa37-202458d4fc64", "value": "c6441c961dcad0fe127514a918eaabd4" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1683108136", "to_ids": true, "type": "url", "uuid": "2f7a8f74-a0ee-40d7-9e05-1c4908ad0664", "value": "www.tradingtechnologies.com/trading/order-management" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1683204346", "to_ids": true, "type": "hostname", "uuid": "6b0e7a84-17ce-42fe-8a63-8bee1ec4255d", "value": "www.tradingtechnologies.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1683207715", "to_ids": true, "type": "md5", "uuid": "aea819dd-d381-49c3-aee2-d9b81ca94bf1", "value": "451c23709ecd5a8461ad060f6346930c" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", 
"timestamp": "1682509494", "uuid": "ffe5d3e8-741f-43b0-8414-8af137482627", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1682509494", "to_ids": false, "type": "link", "uuid": "49106857-2ef9-433c-83a3-d96bc057fff5", "value": "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1682509494", "to_ids": false, "type": "text", "uuid": "3ca7b986-49fe-4352-9e3b-889f9a0d0f58", "value": "Blog" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682587388", "uuid": "bf154df5-cd9c-4867-a76b-2122be53198e", "Attribute": [ { "category": "Payload installation", "comment": "Reviewer note: the rule text is indented with U+202F (narrow no-break space), which looks like a copy artifact from the source web page. Replace it with ASCII spaces before compiling, because YARA can report non-ASCII characters outside string literals as a syntax error. The M_Hunting_3CXDesktopApp_Export and TAXHAUL rules in this event have the same indentation.", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682587388", "to_ids": true, "type": "yara", "uuid": "9521a1e1-903f-4a15-966c-d0999a2890e1", "value": "rule M_Hunting_3CXDesktopApp_Key {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects a key found in a malicious 3CXDesktopApp file\"\r\n\r\n\u202f\u202f\u202f md5 = \"74bc2d0b6680faa1a5a76b27e5479cbc\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/29\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $key = \"3jB(2bsG#@c7\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f $key\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682587388", "to_ids": 
false, "type": "text", "uuid": "9406e1bb-a404-439c-b67f-64f3778bcb54", "value": "M_Hunting_3CXDesktopApp_Key" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682587511", "uuid": "b589edd7-0f8d-4c01-8eb7-7119b9a9b718", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682587511", "to_ids": true, "type": "yara", "uuid": "e7b39492-a458-4cb5-b385-29ec96f84f3e", "value": "rule M_Hunting_3CXDesktopApp_Export {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects an export used in 3CXDesktopApp malware\"\r\n\r\n\u202f\u202f\u202f md5 = \"7faea2b01796b80d180399040bb69835\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/31\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $str1 = \"DllGetClassObject\" wide ascii\r\n\r\n\u202f\u202f\u202f $str2 = \"3CXDesktopApp\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f all of ($str*)\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682587511", "to_ids": false, "type": "text", "uuid": "0b9de3e7-5648-403c-b09d-32818d853cd3", "value": "M_Hunting_3CXDesktopApp_Export" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682587655", "uuid": "2c9c3600-a5e3-49eb-a53d-34480e340b41", "Attribute": [ 
{ "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682587655", "to_ids": true, "type": "yara", "uuid": "9ac291ed-fb3a-402b-81ff-097a5bc548c1", "value": "rule TAXHAUL\r\n{\r\n\u202f meta:\r\n\u202f author = \"Mandiant\"\r\n\u202f created = \"04/03/2023\"\r\n\u202f modified = \"04/03/2023\"\r\n\u202f version = \"1.0\"\r\n\u202f strings:\r\n\u202f\u202f\u202f $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n\u202f\u202f\u202f $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\n\u202f condition:\r\n\u202f\u202f\u202f uint16(0) == 0x5A4D and any of them\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682587655", "to_ids": false, "type": "text", "uuid": "7d365f5f-2353-4f56-89fb-728b3e64c03f", "value": "TAXHAUL" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588366", "uuid": "e591c3ee-02d0-438f-89ff-cf300e43d799", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588366", "to_ids": true, "type": "yara", "uuid": "482b3caa-594a-4c9e-b739-62c22f863b62", "value": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 
9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588366", "to_ids": false, "type": "text", "uuid": "d34aa070-1978-4a64-b5cd-1ae0fb5eba3d", "value": "M_Hunting_MSI_Installer_3CX_1" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588428", "uuid": "acdd9039-c804-4b19-8206-e53b552cc1c2", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588428", "to_ids": true, "type": "yara", "uuid": "047625c7-cd6d-49cc-b1c4-1d6036845705", "value": "rule M_Hunting_SigFlip_SigLoader_Native\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for strings present in SigLoader (Native)\"\r\n\r\nmd5 = \"a3ccc48db9eabfed7245ad6e3a5b203f\"\r\n\r\nstrings:\r\n\r\n$s1 = \"[*]: Basic Loader...\" ascii wide\r\n\r\n$s2 = \"[!]: Missing PE path or Encryption Key...\" ascii wide\r\n\r\n$s3 = \"[!]: Usage: %s \" ascii wide\r\n\r\n$s4 = \"[*]: Loading/Parsing PE File '%s'\" ascii wide\r\n\r\n$s5 = \"[!]: Could not read file %s\" ascii wide\r\n\r\n$s6 = \"[!]: '%s' is not a valid PE file\" ascii wide\r\n\r\n$s7 = \"[+]: Certificate Table RVA %x\" ascii wide\r\n\r\n$s8 = \"[+]: Certificate Table Size %d\" ascii wide\r\n\r\n$s9 = \"[*]: Tag Found 0x%x%x%x%x\" ascii wide\r\n\r\n$s10 = \"[!]: Could not locate data/shellcode\" ascii wide\r\n\r\n$s11 = 
\"[+]: Encrypted/Decrypted Data Size %d\" ascii wide\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588428", "to_ids": false, "type": "text", "uuid": "3a498c7c-aedc-43c4-80d3-378bf95a5697", "value": "M_Hunting_SigFlip_SigLoader_Native" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588570", "uuid": "72b98f0f-932a-4705-b155-24749dacf208", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588570", "to_ids": true, "type": "yara", "uuid": "387a3373-5e01-467e-9a60-780fad94cbde", "value": "rule M_Hunting_Raw64_DAVESHELL_Bootstrap\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL\"\r\n\r\nmd5 = \"8a34adda5b981498234be921f86dfb27\"\r\n\r\nstrings:\r\n\r\n$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\n$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 
00 00 00 48 89 F4 5E C3 }\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and any of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588570", "to_ids": false, "type": "text", "uuid": "f9130426-5fd4-4afc-b997-5b9c817ed9e3", "value": "M_Hunting_Raw64_DAVESHELL_Bootstrap" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588610", "uuid": "e2929d32-2c8d-4998-b7e1-c877dad4a15e", "Attribute": [ { "category": "Payload installation", "comment": "Reviewer note: a rule named M_Hunting_MSI_Installer_3CX_1 appears twice in this event. This copy limits filesize to < 100MB and lists one md5; the other copy uses < 105MB and lists two md5 values. Rename or drop one before compiling both into a single ruleset, because YARA does not accept duplicate rule identifiers.", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588610", "to_ids": true, "type": "yara", "uuid": "9364b556-cdcd-4a73-9dce-fe677eab0f40", "value": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 100MB and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588610", "to_ids": false, 
"type": "text", "uuid": "6b92134a-52ef-4bac-af67-2e1f69c425a4", "value": "M_Hunting_MSI_Installer_3CX_1" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588637", "uuid": "b7b9e0d9-9e7b-4308-a3c5-ea0119e22854", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588637", "to_ids": true, "type": "yara", "uuid": "3256e877-5056-4f7b-a5e4-a6a4714ff3b2", "value": "rule M_Hunting_VEILEDSIGNAL_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }\r\n\r\n$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}\r\n\r\n$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 
71 26 C2 4D 70 9F B3 4F 71 }\r\n\r\n$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }\r\n\r\ncondition:\r\n\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588637", "to_ids": false, "type": "text", "uuid": "b3e8c72e-6ce3-4a59-8fb4-3cd66d4cb940", "value": "M_Hunting_VEILEDSIGNAL_1" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588662", "uuid": "3cdb37a4-67e3-498d-8718-cbd9e2ef9543", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588662", "to_ids": true, "type": "yara", "uuid": "5f89c788-d148-4660-a1c3-5c403d30d481", "value": "rule M_Hunting_VEILEDSIGNAL_2\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428\"\r\n\r\nstrings:\r\n\r\n$sb1 = { C1 E0 05 4D 8? 
[2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }\r\n\r\n$si1 = \"CryptBinaryToStringA\" fullword\r\n\r\n$si2 = \"BCryptGenerateSymmetricKey\" fullword\r\n\r\n$si3 = \"CreateThread\" fullword\r\n\r\n$ss1 = \"ChainingModeGCM\" wide\r\n\r\n$ss2 = \"__tutma\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588662", "to_ids": false, "type": "text", "uuid": "0debd5f6-2c54-4962-b08f-8dc04f98314b", "value": "M_Hunting_VEILEDSIGNAL_2" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682588716", "uuid": "345f4ba2-569c-4993-ade9-a12f3a160082", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682588716", "to_ids": true, "type": "yara", "uuid": "e634f810-56e6-4415-afc4-6aed3a1760ff", "value": "rule M_Hunting_VEILEDSIGNAL_3\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }\r\n\r\n$si1 = \"HttpSendRequestW\" fullword\r\n\r\n$si2 = \"CreateNamedPipeW\" fullword\r\n\r\n$si3 
= \"CreateThread\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682588716", "to_ids": false, "type": "text", "uuid": "3cfb9223-df0a-4a6c-83ae-1d837828bf23", "value": "M_Hunting_VEILEDSIGNAL_3" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682589005", "uuid": "7e9ba136-4f4a-4357-8642-ffde5864be7e", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682589005", "to_ids": true, "type": "yara", "uuid": "e8443379-0e0e-4d81-9b6a-adca81cefdd5", "value": "rule M_Hunting_VEILEDSIGNAL_4\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 
48 89 44 24 20 }\r\n\r\n$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }\r\n\r\n$si1 = \"CreateThread\" fullword\r\n\r\n$si2 = \"MultiByteToWideChar\" fullword\r\n\r\n$si3 = \"LocalAlloc\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682589005", "to_ids": false, "type": "text", "uuid": "c0815995-13d1-401e-9989-92770dced361", "value": "M_Hunting_VEILEDSIGNAL_4" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682589173", "uuid": "39a85650-5607-4aba-b874-75bb1ea6d63b", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682589173", "to_ids": true, "type": "yara", "uuid": "e1a4f52e-3c35-4e46-b77e-617ead7108e0", "value": "rule M_Hunting_VEILEDSIGNAL_5\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"6727284586ecf528240be21bb6e97f88\"\r\n\r\nstrings:\r\n\r\n$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 
48 8D [3] 48 8B CB FF 15 [4] EB }\r\n\r\n$ss1 = \"chrome.exe\" wide fullword\r\n\r\n$ss2 = \"firefox.exe\" wide fullword\r\n\r\n$ss3 = \"msedge.exe\" wide fullword\r\n\r\n$ss4 = \"\\\\\\\\.\\\\pipe\\\\*\" ascii fullword\r\n\r\n$ss5 = \"FindFirstFileA\" ascii fullword\r\n\r\n$ss6 = \"Process32FirstW\" ascii fullword\r\n\r\n$ss7 = \"RtlAdjustPrivilege\" ascii fullword\r\n\r\n$ss8 = \"GetCurrentProcess\" ascii fullword\r\n\r\n$ss9 = \"NtWaitForSingleObject\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682589173", "to_ids": false, "type": "text", "uuid": "a8d4eba5-f14b-4766-8db2-0ccaa350926b", "value": "M_Hunting_VEILEDSIGNAL_5" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682589931", "uuid": "222cef9b-fd08-4b98-b804-eda0f9237624", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682589931", "to_ids": true, "type": "yara", "uuid": "b93f1f3a-1ca5-4875-92f3-ef0e1e1b2762", "value": "rule M_Hunting_VEILEDSIGNAL_6\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"00a43d64f9b5187a1e1f922b99b09b77\"\r\n\r\nstrings:\r\n\r\n$ss1 = \"C:\\\\Programdata\\\\\" wide\r\n\r\n$ss2 = \"devobj.dll\" wide fullword\r\n\r\n$ss3 = \"msvcr100.dll\" wide fullword\r\n\r\n$ss4 = \"TpmVscMgrSvr.exe\" wide fullword\r\n\r\n$ss5 = \"\\\\Microsoft\\\\Windows\\\\TPM\" wide 
fullword\r\n\r\n$ss6 = \"CreateFileW\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682589931", "to_ids": false, "type": "text", "uuid": "d1de7271-8a0f-4b3d-8427-4d61e33086dc", "value": "M_Hunting_VEILEDSIGNAL_6" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682589951", "uuid": "c8d27f3a-5439-4121-b4f6-5c73d0ae65fd", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682589951", "to_ids": true, "type": "yara", "uuid": "09d0bd7d-fea4-4a22-bda5-df6fa77fcc10", "value": "rule M_Hunting_POOLRAT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Detects strings found in POOLRAT. 
\"\r\n\r\nmd5 = \"451c23709ecd5a8461ad060f6346930c\"\r\n\r\nstrings:\r\n\r\n$hex1 = { 6e 61 6d 65 3d 22 75 69 64 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni1 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 75 00 69 00 64 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex2 = { 6e 61 6d 65 3d 22 73 65 73 73 69 6f 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni2 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 73 00 65 00 73 00 73 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex3 = { 6e 61 6d 65 3d 22 61 63 74 69 6f 6e 22 25 73 25 73 25 73 25 73 }\r\n\r\n$hex_uni3 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 61 00 63 00 74 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 }\r\n\r\n$hex4 = { 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni4 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 74 00 6f 00 6b 00 65 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$str1 = \"--N9dLfqxHNUUw8qaUPqggVTpX-\" wide ascii nocase\r\n\r\ncondition:\r\n\r\nany of ($hex*) or any of ($hex_uni*) or $str1\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682589951", "to_ids": false, "type": "text", "uuid": "9b57bc87-0703-47c8-acd8-24b71237aedb", "value": "M_Hunting_POOLRAT" } ] }, { "comment": "", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "6", "timestamp": "1682590080", "uuid": "702a3733-669e-4ca5-ad86-c73c36d3d9f9", "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1682590081", "to_ids": true, "type": "yara", "uuid": "94edac12-8a21-4b8a-83ab-3116f8ea12a4", "value": "rule 
M_Hunting_FASTREVERSEPROXY\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"Mandiant\"\r\n\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n md5 = \"19dbffec4e359a198daf4ffca1ab9165\"\r\n\r\n strings:\r\n\r\n $ss1 = \"Go build ID:\" fullword\r\n\r\n $ss2 = \"Go buildinf:\" fullword\r\n\r\n $ss3 = \"net/http/httputil.(*ReverseProxy).\" ascii\r\n\r\n $ss4 = \"github.com/fatedier/frp/client\" ascii\r\n\r\n $ss5 = \"\\\"server_port\\\"\" ascii\r\n\r\n $ss6 = \"github.com/armon/go-socks5.proxy\" ascii\r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1682590081", "to_ids": false, "type": "text", "uuid": "fd446cd7-e9de-4a89-9c51-1a0a53491206", "value": "M_Hunting_FASTREVERSEPROXY" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1683108044", "uuid": "a74a8de1-8907-4d1e-8760-85ad05bb3f9c", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1683108044", "to_ids": true, "type": "md5", "uuid": "83a9e914-6a59-4343-8106-9481eed16a50", "value": "ef4ab22e565684424b4142b1294f1f4d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1683108044", "to_ids": true, "type": "filename", "uuid": "d48c0917-5764-46b0-a3d9-e4c9849d8f06", "value": "X_TRADER_r7.17.90p608.exe" } ] }, { "comment": "", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": 
"domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1683275801", "uuid": "6f374c9e-e55a-4f2d-ae2a-4a0cb7f4e090", "Attribute": [ { "category": "Network activity", "comment": "UNC4469", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1683275796", "to_ids": true, "type": "domain", "uuid": "d15a50b0-7459-430d-8694-71e64a4fdbfe", "value": "curvefinances.com" }, { "category": "Network activity", "comment": "UNC4736", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1683275801", "to_ids": true, "type": "domain", "uuid": "c4d3ae0f-ccc6-4d7b-a176-00ac4380b65e", "value": "pbxphonenetwork.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1683275711", "to_ids": true, "type": "ip-dst", "uuid": "c6c74dcc-a9eb-48d8-aad9-fdb080d5db37", "value": "89.45.67.160" } ] }, { "comment": "", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1683275812", "uuid": "99124b56-d511-49d3-aecc-39163ec44f88", "Attribute": [ { "category": "Network activity", "comment": "UNC4736", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1683275807", "to_ids": true, "type": "domain", "uuid": "cb44dce7-1d42-485d-8965-a5c3715233ea", "value": "journalide.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1683275739", "to_ids": true, "type": "ip-dst", "uuid": "43110f07-e14f-412f-9319-7ea6904e98db", "value": "172.93.201.88" }, { "category": "Network activity", "comment": "UNC3782", "deleted": false, "disable_correlation": false, 
"object_relation": "domain", "timestamp": "1683275812", "to_ids": true, "type": "domain", "uuid": "67659020-a084-40a3-a2c0-86d7a69c1bd7", "value": "nxmnv.site" } ] }, { "comment": "", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "11", "timestamp": "1683275853", "uuid": "531b631e-1e99-4292-a5df-f2414baaabdb", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1683275842", "to_ids": true, "type": "ip-dst", "uuid": "35e00a06-2121-46ec-aa41-95a982ed0bd2", "value": "185.38.151.11" }, { "category": "Network activity", "comment": "UNC4736", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1683275847", "to_ids": true, "type": "domain", "uuid": "8dc4fe32-0a79-4ad4-ac42-e6b60542442f", "value": "msedgepackageinfo.com" }, { "category": "Network activity", "comment": "UNC4469", "deleted": false, "disable_correlation": false, "object_relation": "hostname", "timestamp": "1683275853", "to_ids": true, "type": "hostname", "uuid": "244da4c6-622d-4f3e-899d-4de8491f003a", "value": "apollo-crypto.org.shilaerc20.com" } ] } ] } }