{ "Event": { "analysis": "2", "date": "2016-04-18", "extends_uuid": "", "info": "OSINT - ASERT Threat Intelligence Report 2016-03 The Four-Element Sword Engagement", "publish_timestamp": "1484165655", "published": true, "threat_level_id": "2", "timestamp": "1467971098", "uuid": "57153590-f73c-49fa-be4b-4737950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461007775", "to_ids": false, "type": "link", "uuid": "5715359f-6c3c-49f6-9447-4a6b950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/04/ASERT-Threat-Intelligence-Report-2016-03-The-Four-Element-Sword-Engagement.pdf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461007824", "to_ids": false, "type": "vulnerability", "uuid": "571535d0-050c-4c6f-9eee-4b3c950d210f", "value": "CVE-2012-0158" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461007824", "to_ids": false, "type": "vulnerability", "uuid": "571535d0-ee34-47e6-8ae9-4c82950d210f", "value": "CVE-2012-1856" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461007824", "to_ids": false, "type": "vulnerability", "uuid": "571535d0-b898-4ab7-80f4-4555950d210f", "value": "CVE-2015-1641" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461007824", "to_ids": false, "type": "vulnerability", "uuid": "571535d0-c074-4f8b-b2dc-4fb9950d210f", "value": "CVE-2015-1770" }, { "category": "Network activity", "comment": "On port 7386", "deleted": 
false, "disable_correlation": false, "timestamp": "1461007906", "to_ids": true, "type": "ip-dst", "uuid": "57153622-b0fc-4002-ae3c-3e3c950d210f", "value": "198.55.120.143" }, { "category": "Network activity", "comment": "On port 8080", "deleted": false, "disable_correlation": false, "timestamp": "1461067343", "to_ids": true, "type": "ip-dst", "uuid": "5715eae1-b6f0-46c6-af87-40de950d210f", "value": "180.169.28.58" }, { "category": "Payload delivery", "comment": "spearfish", "deleted": false, "disable_correlation": false, "timestamp": "1461056206", "to_ids": true, "type": "md5", "uuid": "5715f2ce-b55c-4357-bdfe-43d5950d210f", "value": "7d4f8341b58602a17184bc5c07311e8b" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461056207", "to_ids": true, "type": "md5", "uuid": "5715f2cf-ee4c-4585-a40e-4d6c950d210f", "value": "c674ae90f686d831cffc223a55782a93" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461056735", "to_ids": true, "type": "filename|md5", "uuid": "5715f2cf-8de8-4475-a716-4de1950d210f", "value": "IEChecker.exe|46c7d064a34c4e02bb2df56e0f8470c0" }, { "category": "Payload delivery", "comment": "spearfish", "deleted": false, "disable_correlation": false, "timestamp": "1461057398", "to_ids": true, "type": "sha256", "uuid": "5715f3b3-6998-40e7-9235-4b3e950d210f", "value": "bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461056715", "to_ids": true, "type": "filename|sha256", "uuid": "5715f3b4-c4f0-4b6b-8661-494f950d210f", "value": "IEChecker.exe|7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461056523", "to_ids": false, "type": "sha256", "uuid": 
"5715f40b-36e0-4bcc-935b-4c64950d210f", "value": "af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461057163", "to_ids": false, "type": "hostname", "uuid": "5715f500-cff4-42db-a2d9-44b1950d210f", "value": "goodnewspaper.f3322.org" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461057168", "to_ids": false, "type": "hostname", "uuid": "5715f500-5c34-42da-bd1f-497f950d210f", "value": "20080628.3322.org" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461057112", "to_ids": true, "type": "hostname", "uuid": "5715f658-9c1c-4a06-9273-4785950d210f", "value": "goodnewspaper.3322.org" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461057157", "to_ids": false, "type": "hostname", "uuid": "5715f659-3464-4c20-9622-489c950d210f", "value": "goodnewspaper.gicp.net" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058034", "to_ids": false, "type": "hostname", "uuid": "5715f9f2-4e18-46a8-a304-4aaf950d210f", "value": "uyguhr.sov.te" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058034", "to_ids": false, "type": "hostname", "uuid": "5715f9f2-de84-4c91-8d98-4f9c950d210f", "value": "oyghur.yebhio.net" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058035", "to_ids": false, "type": 
"hostname", "uuid": "5715f9f3-44bc-457b-90cb-40a1950d210f", "value": "www.uyghuri.mrface.com" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058035", "to_ids": false, "type": "hostname", "uuid": "5715f9f3-f55c-4519-b36f-4547950d210f", "value": "uyghuri.mrface.com" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058035", "to_ids": false, "type": "hostname", "uuid": "5715f9f3-818c-4fdd-bd6f-45a4950d210f", "value": "uygur.elcp.net" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058035", "to_ids": false, "type": "hostname", "uuid": "5715f9f3-61e4-431c-96da-426e950d210f", "value": "uyguhr1.webhop.net" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058036", "to_ids": false, "type": "hostname", "uuid": "5715f9f4-3954-463f-8012-48a4950d210f", "value": "uygur.51vip.biz" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058036", "to_ids": false, "type": "hostname", "uuid": "5715f9f4-1008-435d-b573-431d950d210f", "value": "uyguhr.epac.to" }, { "category": "Network activity", "comment": "Associated with 180.169.28.58 TCP/8080", "deleted": false, "disable_correlation": false, "timestamp": "1461058036", "to_ids": false, "type": "hostname", "uuid": "5715f9f4-2cd0-4d29-827e-40fc950d210f", "value": "xinxin20080628.gicp.net" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461058335", "to_ids": false, "type": "ip-dst", "uuid": 
"5715fb1f-18ec-4ed6-8a25-4abd950d210f", "value": "114.60.106.156" }, { "category": "Payload delivery", "comment": "malicious RTF targeting CVE-\u00c2\u00ad2010\u00e2\u20ac\u00903333", "deleted": false, "disable_correlation": false, "timestamp": "1461058711", "to_ids": true, "type": "sha256", "uuid": "5715fc97-a5a4-4538-bf86-4bcc950d210f", "value": "14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461067672", "to_ids": true, "type": "hostname", "uuid": "5715fd00-807c-4ce8-8f27-437d950d210f", "value": "humanbeing2009.gicp.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461064172", "to_ids": true, "type": "email-attachment", "uuid": "5715feb0-6a48-44c4-b1ba-4a57950d210f", "value": "\u00e8\u02c6\u2021\u00e5\u00a4\u00a9\u00e7\u00a9\u00ba\u00e6\u0153\u2030\u00e7\u00b4\u201e!12\u00e5\u20ac\u20392016\u00e5\u00b9\u00b4\u00e4\u00b8\u008d\u00e5\u008f\u00af\u00e9\u0152\u00af\u00e9\u0081\u017d\u00e7\u0161\u201e\u00e5\u00a4\u00a9\u00e6\u2013\u2021\u00e7\u008f\u00be\u00e8\u00b1\u00a1mm.doc" }, { "category": "Payload delivery", "comment": "spearfish", "deleted": false, "disable_correlation": false, "timestamp": "1461059770", "to_ids": true, "type": "md5", "uuid": "571600ba-b0b0-4adb-bd01-43ef950d210f", "value": "b6e22968461bfb2934c556fc44d0baf0" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461059771", "to_ids": true, "type": "md5", "uuid": "571600bb-a9b4-4883-ac7d-4d5a950d210f", "value": "74a4fe17dc7101dbb2bb8f0c41069057" }, { "category": "Payload delivery", "comment": "~tmp.doc", "deleted": false, "disable_correlation": false, "timestamp": "1461059771", "to_ids": true, "type": "md5", "uuid": "571600bb-045c-4cbc-b0d6-43da950d210f", "value": "fcfe3867e4fa17d52c51235cf68a86c2" }, { "category": "Payload 
delivery", "comment": "spearfish", "deleted": false, "disable_correlation": false, "timestamp": "1461059771", "to_ids": true, "type": "sha256", "uuid": "571600bb-54f0-43d7-83cb-4b3c950d210f", "value": "4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461059772", "to_ids": true, "type": "sha256", "uuid": "571600bc-6348-4e1e-b96d-4cf2950d210f", "value": "0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49" }, { "category": "Payload delivery", "comment": "~tmp.doc", "deleted": false, "disable_correlation": false, "timestamp": "1461059772", "to_ids": true, "type": "sha256", "uuid": "571600bc-8178-4d6f-b5fd-47a4950d210f", "value": "60ef10cce9974cdc8a453d8fdd8ddf0cad49c6f07d2c4d095ff483998685b421" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461067666", "to_ids": true, "type": "hostname", "uuid": "571610cd-4774-4e4e-bd0a-4407950d210f", "value": "webmonder.gicp.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461064617", "to_ids": false, "type": "email-src", "uuid": "571613a9-3a2c-478a-a180-43a1950d210f", "value": "hkhumanrights.asia@gmail.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461064643", "to_ids": false, "type": "email-subject", "uuid": "571613c3-5d04-4eea-9690-4b95950d210f", "value": "US Congress sanctions $6 million fund for Tibetans in Nepal anf India" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461064661", "to_ids": false, "type": "email-attachment", "uuid": "571613d5-dc64-43bc-9481-42d0950d210f", "value": "US Congress sanctions $6 million fund for Tibetans in Nepal anf India.doc" }, { "category": "Payload delivery", "comment": "", 
"deleted": false, "disable_correlation": false, "timestamp": "1461066519", "to_ids": false, "type": "email-src", "uuid": "57161b17-23b8-4631-96fd-4bad950d210f", "value": "bill_clay6801@yahoo.com" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461066538", "to_ids": false, "type": "email-subject", "uuid": "57161b2a-89a0-4f7c-9258-4f93950d210f", "value": "[BULK] TIBET, OUR BELOVED NATION AND WILL NEVER FORGET IT." }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461066559", "to_ids": false, "type": "email-attachment", "uuid": "57161b3f-f344-447f-804d-4be4950d210f", "value": "brochure .rar" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461069222", "to_ids": true, "type": "filename", "uuid": "57161c89-443c-40bb-a5f8-4cbb950d210f", "value": "brochure .doc" }, { "category": "Network activity", "comment": "On port 8080; Located in Honk Kong", "deleted": false, "disable_correlation": false, "timestamp": "1461067319", "to_ids": true, "type": "ip-dst", "uuid": "57161e37-fe5c-4f2a-b9ec-4eea950d210f", "value": "103.240.203.232" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461067457", "to_ids": true, "type": "filename", "uuid": "57161ec1-1d00-4ab1-b71d-4cd4950d210f", "value": "uhfx.dat" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461067503", "to_ids": false, "type": "filename", "uuid": "57161eef-6108-4bf2-9029-4966950d210f", "value": "yxsrhsxhxdbldkc.dat" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461067697", "to_ids": false, "type": "pdb", "uuid": "57161f87-c9ec-4f8f-a2ee-48ef950d210f", "value": "Q:\\Projects\\Br2012\\Release\\svc.pdb" }, { "category": "Payload 
delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461067794", "to_ids": true, "type": "md5", "uuid": "57162012-72b8-433b-b5e2-4651950d210f", "value": "a0dc5723d3e20e93b48a960b31c984c0" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461067795", "to_ids": true, "type": "sha256", "uuid": "57162013-7804-4691-ac9e-4a15950d210f", "value": "185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461067951", "to_ids": true, "type": "hostname", "uuid": "571620af-e57c-4008-80f2-4933950d210f", "value": "akm.epac.to" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461067952", "to_ids": true, "type": "domain", "uuid": "571620b0-7c50-43ef-9724-4c76950d210f", "value": "gugehotel.cn" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461067952", "to_ids": true, "type": "url", "uuid": "571620b0-5e38-4e8c-9c29-416d950d210f", "value": "107.183.86" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068769", "to_ids": true, "type": "md5", "uuid": "571623e1-aaf8-4d39-a018-4a6e950d210f", "value": "937c13f5915a103aec8d28bdec7cc769" }, { "category": "Network activity", "comment": "On port 443", "deleted": false, "disable_correlation": false, "timestamp": "1461068769", "to_ids": true, "type": "ip-dst", "uuid": "571623e1-3bb0-4f0b-8543-4483950d210f", "value": "203.160.247.21" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": 
false, "disable_correlation": false, "timestamp": "1461068769", "to_ids": true, "type": "md5", "uuid": "571623e1-44e0-4808-9333-4c60950d210f", "value": "19b2ed8ab09a43151c9951ff0432a861" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068770", "to_ids": true, "type": "sha256", "uuid": "571623e2-1a50-4035-927b-4453950d210f", "value": "9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068770", "to_ids": true, "type": "md5", "uuid": "571623e2-80e4-4864-a72c-4ca1950d210f", "value": "b2ae8c02163dcee142afe71188914321" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068770", "to_ids": true, "type": "hostname", "uuid": "571623e2-0aa4-44a7-9198-4cc1950d210f", "value": "wins.microsoftmse.com" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068866", "to_ids": true, "type": "md5", "uuid": "57162442-63f4-4891-9148-4876950d210f", "value": "0566703ccda6c60816ef1d8d917aa7b0" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068866", "to_ids": true, "type": "sha256", "uuid": "57162442-3070-40ac-8735-4c27950d210f", "value": "766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068923", "to_ids": true, "type": "hostname", "uuid": "5716247b-2390-4de2-951c-4bc2950d210f", "value": "adc.microsoftmse.com" }, { "category": "Network activity", "comment": "Imported 
via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461068924", "to_ids": true, "type": "ip-dst", "uuid": "5716247c-22d4-421d-9e0e-4f80950d210f", "value": "122.10.9.121" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461069906", "to_ids": false, "type": "yara", "uuid": "57162852-bbe8-4aa9-a420-4f3a950d210f", "value": "rule kivars_service {\r\n\r\nmeta:\r\n\r\n\tdescription = \"Detects instances of Kivars malware when installed as a service\"\r\n\tauthor = \"cwilson@arbor.net\"\r\n\tSHA\u00e2\u20ac\u0090256 = \"443d24d719dec79a2e1be682943795b617064d86f2ebaec7975978f0b1f6950d\"\r\n\tSHA-256 = \"44439e2ae675c548ad193aa67baa8e6abff5cc60c8a4c843a5c9f0c13ffec2d8\"\r\n\tSHA\u00c2\u00ad-256 = \"74ed059519573a393aa7562e2a2afaf046cf872ea51f708a22b58b85c98718a8\"\r\n\tSHA\u00c2\u00ad\u00e2\u20ac\u0090256 = \"80748362762996d4b23f8d4e55d2ef8ca2689b84cc0b5984f420afbb73acad1f\"\r\n\tSHA\u00e2\u20ac\u0090256 = \"9ba14273bfdd4a4b192c625d900b29e1fc3c8673154d3b4c4c3202109e918c8d\"\r\n\tSHA-256 = \"fba3cd920165b47cb39f3c970b8157b4e776cc062c74579a252d8dd2874b2e6b\"\r\n\r\nstrings:\r\n\r\n\t$s1 = \"\\\\Projects\\\\Br2012\\\\Release\\\\svc.pdb\"\r\n\t$s2 = \"This is a flag\"\r\n\t$s3 = \"svc.dll\"\r\n\t$s4 = \"ServiceMain\"\r\n\t$s5 = \"winsta0\"\r\n\r\ncondition:\r\n\r\n\tuint16(0) == 0x5A4D and < 1000000 and (all of ($s*))\r\n\r\n}" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070490", "to_ids": true, "type": "md5", "uuid": "57162a9a-7fd8-4e15-91ac-4ad5950d210f", "value": "905d1cd328c8cfc378fb00bfa38f0427" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071212", "to_ids": true, "type": "imphash", "uuid": "57162a9b-e1e0-444f-bab2-46e3950d210f", "value": 
"fea5902afa6e504a798c73a09b83df5e" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070491", "to_ids": true, "type": "filename|md5", "uuid": "57162a9b-3828-4d68-8917-4d4f950d210f", "value": "tnyjs.dll|5bc954d76342d2860192398f186f3310" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070492", "to_ids": true, "type": "filename|md5", "uuid": "57162a9c-162c-42a2-b2aa-4af9950d210f", "value": "uhfx.dll|6db7ad23186f445c410f59a41e7f8ac5" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070493", "to_ids": true, "type": "sha256", "uuid": "57162a9d-6488-4e2c-852c-4ec9950d210f", "value": "18219708781208889af05842ea6d563e56910424ec97ef8f695c0c7a82610a23" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070619", "to_ids": true, "type": "filename|sha256", "uuid": "57162b1b-f190-45e8-a60c-4b3d950d210f", "value": "tnyjs.dll|5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070650", "to_ids": true, "type": "filename|sha256", "uuid": "57162b3a-443c-40f1-9f45-40cb950d210f", "value": "uhfx.dll|a46905252567ed2fe17a407d8ae14036fde180f0a42756304109f34d1e8ad872" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070729", "to_ids": true, "type": "filename|md5", "uuid": "57162b62-5d5c-4a71-a20b-458b950d210f", "value": "brochure .rar|c8c6365bf21d947e8e986d4766a9fc16" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": 
false, "timestamp": "1461070743", "to_ids": true, "type": "filename|md5", "uuid": "57162b63-ecd8-4688-aa03-45bc950d210f", "value": "brochure .doc|835fee42132feebe9b3231297e5e71a8" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461070890", "to_ids": true, "type": "filename|sha256", "uuid": "57162be0-4da4-41ff-a407-440d950d210f", "value": "brochure .rar|e8af4f3504b0e1cf165dfd1070342b831fd7b5b45da94c6f2a25c28dd6eb3c4a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070939", "to_ids": true, "type": "filename|sha256", "uuid": "57162be0-b2b0-4a8d-83be-4446950d210f", "value": "brochure .doc|0ed325b841a2beb446c5e9a6825deaa021651c8b627aa7147d89edde05af6598" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776", "deleted": false, "disable_correlation": false, "timestamp": "1461070829", "to_ids": true, "type": "sha1", "uuid": "57162bed-1bfc-4f65-bb04-4e8a02de0b81", "value": "c3a1b57a062bfd27ea9a56f6439193369970e336" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070830", "to_ids": false, "type": "link", "uuid": "57162bee-b524-49ab-9591-43a702de0b81", "value": "https://www.virustotal.com/file/9d69221584a5c6f8147479282eae3017c2884ae5138d3b910c36a2a38039c776/analysis/1436830597/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f", "deleted": false, "disable_correlation": false, "timestamp": "1461070830", "to_ids": true, "type": "sha1", "uuid": "57162bee-44f4-423e-9c17-4a6202de0b81", "value": "83d3bb544e0542dd9c4168350adef928e4205e69" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070830", "to_ids": false, "type": "link", "uuid": "57162bee-05b0-4a80-af98-436002de0b81", "value": "https://www.virustotal.com/file/766e0c75bb13986f6a18f9f6af422dbda8c6717becc9b02cc4046943a960d21f/analysis/1457068422/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d", "deleted": false, "disable_correlation": false, "timestamp": "1461070831", "to_ids": false, "type": "sha1", "uuid": "57162bef-5094-438d-b933-46c902de0b81", "value": "26f1e48f5e05f6d1f923e3a74219ca7bfa7c0995" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070831", "to_ids": false, "type": "link", "uuid": "57162bef-6dcc-4dc2-9a86-419402de0b81", "value": "https://www.virustotal.com/file/af2cc5bb8d97bf019280c80e2891103a8a1d5e5f8c6305b6f6c4dd83ec245a7d/analysis/1453438981/" }, { "category": "Payload delivery", "comment": "spearfish - Xchecked via VT: bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1", "deleted": false, "disable_correlation": false, "timestamp": "1461070831", "to_ids": true, "type": "sha1", "uuid": "57162bef-6e34-4ad3-964f-40aa02de0b81", "value": "c1e63556e2bb088b15d2ccb1c0fe6c9ce29cf4e6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070832", "to_ids": false, "type": "link", "uuid": "57162bf0-8618-4bdb-9e83-4d3102de0b81", "value": 
"https://www.virustotal.com/file/bacc4edb5e775d2c957022ad8360946c19f9f75ef2709c1db2d6708d53ec2cd1/analysis/1455727175/" }, { "category": "Payload delivery", "comment": "malicious RTF targeting CVE-2010-3333 - Xchecked via VT: 14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4", "deleted": false, "disable_correlation": false, "timestamp": "1461070832", "to_ids": true, "type": "sha1", "uuid": "57162bf0-b654-42a6-92c0-4cb202de0b81", "value": "256ede6a7bff266589aaf996a47bf3eedcd8b980" }, { "category": "Payload delivery", "comment": "malicious RTF targeting CVE-2010-3333 - Xchecked via VT: 14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4", "deleted": false, "disable_correlation": false, "timestamp": "1461070832", "to_ids": true, "type": "md5", "uuid": "57162bf0-fb5c-4756-810e-4a9f02de0b81", "value": "c7c4a469ddf4bef2daf9bacc7711f0ae" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070833", "to_ids": false, "type": "link", "uuid": "57162bf1-3924-4392-ab1e-48a302de0b81", "value": "https://www.virustotal.com/file/14fcfccb0ae8988f95924256a38477fcc5c2c213d8a55e5a83c8c1bb67a4b6d4/analysis/1457552893/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: 0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49", "deleted": false, "disable_correlation": false, "timestamp": "1461070833", "to_ids": true, "type": "sha1", "uuid": "57162bf1-6a38-4c76-89ec-441502de0b81", "value": "133f5b9bb5d344109c9c628f5dce248b838c257b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070833", "to_ids": false, "type": "link", "uuid": "57162bf1-1d44-4294-9d0e-412b02de0b81", "value": "https://www.virustotal.com/file/0683fac0b564fe5d2096e207b374a238a811e67b87856fc19bdf8eb3d6f76b49/analysis/1453026661/" }, { "category": "Payload delivery", "comment": 
"spearfish - Xchecked via VT: 4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872", "deleted": false, "disable_correlation": false, "timestamp": "1461070833", "to_ids": true, "type": "sha1", "uuid": "57162bf1-b520-4634-bdc0-4bd202de0b81", "value": "9a794b18a1452269adfcc8315520959b512d1c37" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070834", "to_ids": false, "type": "link", "uuid": "57162bf2-324c-4447-9a59-4ed702de0b81", "value": "https://www.virustotal.com/file/4f52292a2136eb7f9538230ae54a323c518fa44cf6de5d10ca7a04ecb6a77872/analysis/1455729543/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6", "deleted": false, "disable_correlation": false, "timestamp": "1461070834", "to_ids": true, "type": "sha1", "uuid": "57162bf2-96bc-4f65-8358-454502de0b81", "value": "6fdd47a2a9dcddd93d9b8ee8a9bb2a28632df58b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070834", "to_ids": false, "type": "link", "uuid": "57162bf2-f18c-491d-8c87-475102de0b81", "value": "https://www.virustotal.com/file/185fc01ec8adbaa94da741c4c1cf1b83185ae63899f14ce9949553c5dac3ecf6/analysis/1453280584/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39", "deleted": false, "disable_correlation": false, "timestamp": "1461070835", "to_ids": true, "type": "sha1", "uuid": "57162bf3-3e24-4b6c-997e-498202de0b81", "value": "09b7e38aa3279eab002f8528c9cae52601bb1038" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070835", "to_ids": false, "type": "link", "uuid": "57162bf3-afb4-4ac7-b466-4e8902de0b81", "value": 
"https://www.virustotal.com/file/5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39/analysis/1456612300/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6", "deleted": false, "disable_correlation": false, "timestamp": "1461070835", "to_ids": true, "type": "sha1", "uuid": "57162bf3-5e1c-4c4a-a19e-424002de0b81", "value": "c6fe39647f6e902ed7737f4ed057fdda419d5bb3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070836", "to_ids": false, "type": "link", "uuid": "57162bf4-0c00-4b36-ad3d-4a8802de0b81", "value": "https://www.virustotal.com/file/7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6/analysis/1452693896/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 937c13f5915a103aec8d28bdec7cc769", "deleted": false, "disable_correlation": false, "timestamp": "1461070836", "to_ids": true, "type": "sha256", "uuid": "57162bf4-6bf4-435d-92cc-493902de0b81", "value": "51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 937c13f5915a103aec8d28bdec7cc769", "deleted": false, "disable_correlation": false, "timestamp": "1461070836", "to_ids": true, "type": "sha1", "uuid": "57162bf4-a518-4dd7-8c8b-4b6902de0b81", "value": "2a09888223879b1c44ed1780edf48d089a9925f7" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070837", "to_ids": false, "type": "link", "uuid": "57162bf5-7020-440e-94b6-4d4f02de0b81", "value": "https://www.virustotal.com/file/51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010/analysis/1458152391/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: b2ae8c02163dcee142afe71188914321", "deleted": false, "disable_correlation": false, "timestamp": "1461070837", "to_ids": true, "type": "sha256", "uuid": "57162bf5-f478-4079-b265-40bc02de0b81", "value": "4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: b2ae8c02163dcee142afe71188914321", "deleted": false, "disable_correlation": false, "timestamp": "1461070837", "to_ids": true, "type": "sha1", "uuid": "57162bf5-af2c-4d7f-8068-4c6402de0b81", "value": "08d7b5b8c9375e6d8ed7201dcb40d741d4d7866c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070838", "to_ids": false, "type": "link", "uuid": "57162bf6-0ef8-4188-9ac9-45d202de0b81", "value": "https://www.virustotal.com/file/4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849/analysis/1414340059/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: c8c6365bf21d947e8e986d4766a9fc16", "deleted": false, "disable_correlation": false, "timestamp": "1461070838", "to_ids": true, "type": "sha1", "uuid": "57162bf6-6068-46fd-a2fe-49ef02de0b81", "value": "e12e06f42cbdf05e91b89e364ed4319dd257fc71" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070838", "to_ids": false, "type": "link", "uuid": "57162bf6-8e08-4388-865b-42b102de0b81", "value": "https://www.virustotal.com/file/e8af4f3504b0e1cf165dfd1070342b831fd7b5b45da94c6f2a25c28dd6eb3c4a/analysis/1451715280/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 835fee42132feebe9b3231297e5e71a8", "deleted": false, "disable_correlation": false, "timestamp": "1461070839", "to_ids": true, "type": "sha1", "uuid": "57162bf7-00c0-407d-bd0a-48c102de0b81", "value": "3370ec0c71056a6fc6860c54dee96675ffb85b92" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461070839", "to_ids": false, "type": "link", "uuid": "57162bf7-3248-4844-84a2-44aa02de0b81", "value": "https://www.virustotal.com/file/0ed325b841a2beb446c5e9a6825deaa021651c8b627aa7147d89edde05af6598/analysis/1456325644/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071176", "to_ids": true, "type": "md5", "uuid": "57162d48-9f6c-4250-b463-4c73950d210f", "value": "ba77d50870756d247a580b8a3a56722c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071177", "to_ids": true, "type": "md5", "uuid": "57162d49-a7fc-4dc4-9fc7-46a4950d210f", "value": "1c4e3c4df094c32faf0c30f6a613c63e" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071177", "to_ids": true, "type": "md5", "uuid": "57162d49-fa0c-4103-ab37-4905950d210f", "value": "89e4cff1496aafa0776619729a75d4ab" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071178", "to_ids": true, "type": "md5", "uuid": "57162d4a-afa8-4668-812a-4191950d210f", "value": "f25634becd08d5298db1f3014e477e00" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071178", "to_ids": true, "type": "sha256", "uuid": "57162d4a-fbac-4e6d-9bce-427e950d210f", "value": 
"ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071178", "to_ids": true, "type": "sha256", "uuid": "57162d4a-ffc8-4fe8-ae07-4722950d210f", "value": "f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071179", "to_ids": true, "type": "sha256", "uuid": "57162d4b-fea8-47c9-b704-447a950d210f", "value": "8dfcae0eb358f48fc30163e58c75823117f6fd501a48f3dfeb19a06d1c21aa51" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461071179", "to_ids": true, "type": "sha256", "uuid": "57162d4b-cb90-49de-8706-4258950d210f", "value": "f8a18e8b8e6606617e3a63ee5a3050a1b30361703c9a7d9e2d5cc94090c9907b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461071840", "to_ids": false, "type": "pdb", "uuid": "57162fe0-9dd8-4d4b-b5db-4511950d210f", "value": "D:\\WORK\\T9000\\N_Inst_User_M1\\Release\\N_Inst_User32.pdb" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072137", "to_ids": true, "type": "url", "uuid": "57163109-be58-4cc7-89c1-4446950d210f", "value": "igfxtray.exe" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072137", "to_ids": true, "type": "url", "uuid": "57163109-6304-413e-9884-4a42950d210f", "value": "Data/dtl.dat" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072137", "to_ids": 
true, "type": "url", "uuid": "57163109-1e04-4ef4-bf92-480b950d210f", "value": "Data/glp.uin" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072625", "to_ids": true, "type": "url", "uuid": "571632f1-d2f8-4e0c-9322-4370950d210f", "value": "http://198.55.120.143:7386/B/ResN32.dll" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461072625", "to_ids": true, "type": "md5", "uuid": "571632f1-9d80-4532-9288-4598950d210f", "value": "fdb6543bfb77aa6ddff0f4dfe07e442f" }, { "category": "Payload delivery", "comment": "T9000 main binary", "deleted": false, "disable_correlation": false, "timestamp": "1461072626", "to_ids": true, "type": "md5", "uuid": "571632f2-4d40-4809-af5e-411a950d210f", "value": "d8d70851641efbdfce8d561e6b1a2f29" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072626", "to_ids": true, "type": "filename|md5", "uuid": "571632f2-5290-46c4-bd6b-48d3950d210f", "value": "Elevate.dll|1d335f6a58cb9fab503a9b9cb371f57b" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072627", "to_ids": true, "type": "filename|md5", "uuid": "571632f3-f5b8-4fe6-bff3-4e11950d210f", "value": "QQMgr.dll|b9c584c7c34d14599de8cd3b72f2074b" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072627", "to_ids": true, "type": "filename|md5", "uuid": "571632f3-63a8-43a2-9260-43b9950d210f", "value": "QQMgr.inf|8ac933be588f49560179c26ddbc6a753" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072628", "to_ids": true, "type": 
"filename|md5", "uuid": "571632f4-d0a0-4595-9c2d-46fa950d210f", "value": "ResN32.dat|50753c28878ce10a748fbd7b831ecbe1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072629", "to_ids": true, "type": "filename|md5", "uuid": "571632f5-2e3c-4637-95ce-46db950d210f", "value": "ResN32.dll|a45e5c32fc2bc7be9d6e4bba8b2807bf" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072629", "to_ids": true, "type": "filename|md5", "uuid": "571632f5-6a74-4bfc-bb34-499a950d210f", "value": "hccutils.dll|2299fb8268f47294eb2b18282540a955" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072630", "to_ids": true, "type": "filename|md5", "uuid": "571632f6-743c-4e90-8619-4c5a950d210f", "value": "hccutils.inf|2f31ef1a8fca047ed0d623010d569857" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072631", "to_ids": true, "type": "filename|md5", "uuid": "571632f7-b1dc-4a7e-98d1-43c3950d210f", "value": "hjwe.dat|d3601a5160b8d122261989d147221eb7" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072631", "to_ids": true, "type": "filename|md5", "uuid": "571632f7-ba34-4fde-b022-499e950d210f", "value": "qhnj.dat|a9de62186cb8d0e23b0dc75e1ae373ac" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072632", "to_ids": true, "type": "filename|md5", "uuid": "571632f8-ba50-40d4-b668-40b6950d210f", "value": "tyeu.dat|29ec20f5fa1817dc9250c434e61420ea" }, { "category": "Payload delivery", "comment": "Imported via 
the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461072632", "to_ids": true, "type": "filename|md5", "uuid": "571632f8-b0ac-45b2-b300-4acd950d210f", "value": "vnkd.dat|35f4ce864c3a3dc016fea3459d6402a9" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461072966", "to_ids": true, "type": "sha256", "uuid": "571633f1-ceac-4898-af6f-4077950d210f", "value": "8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141" }, { "category": "Payload delivery", "comment": "T9000 main binary", "deleted": false, "disable_correlation": false, "timestamp": "1461072994", "to_ids": true, "type": "sha256", "uuid": "571633f2-853c-4d2a-99c0-4157950d210f", "value": "7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073261", "to_ids": true, "type": "filename|sha256", "uuid": "5716356d-8e44-44e0-bdbe-43e8950d210f", "value": "Elevate.dll|9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073285", "to_ids": true, "type": "filename|sha256", "uuid": "57163585-4fa0-4a17-9aab-46c2950d210f", "value": "QQMgr.dll|bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073322", "to_ids": true, "type": "filename|sha256", "uuid": "571635aa-1d00-4b7f-b330-4030950d210f", "value": "ResN32.dat|5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073346", "to_ids": true, "type": "filename|sha256", "uuid": "571635c2-8fb0-46d1-ba3d-4861950d210f", "value": 
"QQMgr.inf|ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073418", "to_ids": true, "type": "filename|sha256", "uuid": "5716360a-2a3c-429e-82dd-49d2950d210f", "value": "ResN32.dll|1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073467", "to_ids": true, "type": "filename|sha256", "uuid": "5716363b-7a90-44eb-92d5-46e3950d210f", "value": "hccutils.dll|3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073483", "to_ids": true, "type": "filename|sha256", "uuid": "5716364b-1940-4d7c-a2ee-4ba3950d210f", "value": "hccutils.inf|f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073500", "to_ids": true, "type": "filename|sha256", "uuid": "5716365c-65b4-4d71-9618-4d3c950d210f", "value": "hjwe.dat|bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073515", "to_ids": true, "type": "filename|sha256", "uuid": "5716366b-7980-4c53-a04c-44ae950d210f", "value": "vnkd.dat|c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461073533", "to_ids": true, "type": "filename|sha256", "uuid": "5716367d-2b88-45b5-a3bb-4915950d210f", "value": "tyeu.dat|e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1461073550", "to_ids": true, "type": "filename|sha256", "uuid": "5716368e-b1b0-4184-aa05-445c950d210f", "value": "qhnj.dat|c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461073848", "to_ids": true, "type": "md5", "uuid": "571637b8-b8a0-472d-982f-49ac950d210f", "value": "fb1e8c42d11e3a2de97814e451ee3375" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461073849", "to_ids": true, "type": "sha256", "uuid": "571637b9-a1d4-47e7-924c-478d950d210f", "value": "d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461074276", "to_ids": true, "type": "md5", "uuid": "57163938-0878-4bcb-a764-4f47950d210f", "value": "da97c88858214242374f27d32e27d957" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461074233", "to_ids": true, "type": "filename|md5", "uuid": "57163939-db08-4130-8859-4246950d210f", "value": "E804.tmp|e4e8493898d94f737ff4dc8fab743a4a" }, { "category": "Payload delivery", "comment": "bait file", "deleted": false, "disable_correlation": false, "timestamp": "1461074289", "to_ids": true, "type": "md5", "uuid": "5716393a-be40-4cea-860e-4198950d210f", "value": "9ae498307da6c2e677a97a458bff1aea" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461074314", "to_ids": true, "type": "sha256", "uuid": "5716393a-59ec-46a8-be9f-4729950d210f", "value": "647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b" }, { "category": "Payload delivery", "comment": "bait file", "deleted": false, 
"disable_correlation": false, "timestamp": "1461074339", "to_ids": true, "type": "sha256", "uuid": "5716393a-9718-4575-b267-4c6d950d210f", "value": "4f1784a4e4181b4c80f8d77675a267cbdd0e35ea1756c9fdb82294251bef1d28" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461074368", "to_ids": true, "type": "filename|sha256", "uuid": "571639c0-0f48-454b-b4f5-4f8e950d210f", "value": "E804.tmp|5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461074701", "to_ids": true, "type": "md5", "uuid": "57163b0d-9214-43d4-9c9f-4d5f950d210f", "value": "e1269c22ad1e057b9c91523498b4b04d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461074701", "to_ids": true, "type": "sha256", "uuid": "57163b0d-3c58-4378-b036-4eea950d210f", "value": "b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461134495", "to_ids": true, "type": "hostname", "uuid": "5717249f-c33c-4b52-926b-4475950d210f", "value": "yeaton.xicp.net" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461134866", "to_ids": true, "type": "filename|md5", "uuid": "57172612-830c-44ef-8b61-4f00950d210f", "value": "BC29.tmp|e4e8493898d94f737ff4dc8fab743a4a" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461134867", "to_ids": true, "type": "filename|md5", "uuid": "57172613-bf60-445b-b242-4473950d210f", "value": "~tmp.doc|751196ce79dacd906eec9b5a1c92890b" }, { 
"category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135278", "to_ids": true, "type": "filename|md5", "uuid": "571727ae-9478-46db-87bb-4241950d210f", "value": "~tmp.doc|e6ad959a18725954a56a7954d3f47671" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135278", "to_ids": true, "type": "filename|md5", "uuid": "571727ae-ef9c-4de4-af85-4e73950d210f", "value": "iuso.exe|07eb4867e436bbef759a9877402af994" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135279", "to_ids": true, "type": "filename|md5", "uuid": "571727af-0e74-4f10-9b4c-4965950d210f", "value": "wget.bat|47e60e347b5791d5f17939f9c97fee01" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135280", "to_ids": true, "type": "filename|md5", "uuid": "571727b0-16e0-45d6-a286-4a06950d210f", "value": "wget.exe|f9f8d1c53d312f17c6f830e7b4e6651d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135280", "to_ids": true, "type": "filename|md5", "uuid": "571727b0-e65c-469d-a368-4a7f950d210f", "value": "wthk.txt|d579d7a42ff140952da57264614c37bc" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135281", "to_ids": true, "type": "filename|md5", "uuid": "571727b1-66c8-4be7-8ee1-43c3950d210f", "value": "conhost.exe|f70b295c6a5121b918682310ce0c2165" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135282", "to_ids": true, "type": 
"filename|md5", "uuid": "571727b2-5eb0-4dce-98b8-4dba950d210f", "value": "SBieDll.dll|f80edbb0fcfe7cec17592f61a06e4df2" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135282", "to_ids": true, "type": "filename|md5", "uuid": "571727b2-c0ec-413f-abe2-467c950d210f", "value": "dll2.xor|ce8ec932be16b69ffa06626b3b423395" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135283", "to_ids": true, "type": "filename|md5", "uuid": "571727b3-cc50-4e24-8329-49c8950d210f", "value": "maindll.dll|d8ede9e6c3a1a30398b0b98130ee3b38" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135284", "to_ids": true, "type": "filename|md5", "uuid": "571727b4-a3b8-4cbc-be4a-4ebc950d210f", "value": "nvsvc.exe|e0eb981ad6be0bd16246d5d442028687" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135285", "to_ids": true, "type": "filename|md5", "uuid": "571727b5-f7e8-45ce-b313-4df9950d210f", "value": "runas.exe|6a541de84074a2c4ff99eb43252d9030" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461135892", "to_ids": true, "type": "md5", "uuid": "57172a14-7bd8-4080-9f8a-4167950d210f", "value": "983333e2c878a62d95747c36748198f0" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b", "deleted": false, "disable_correlation": false, "timestamp": "1461136137", "to_ids": true, "type": "sha1", "uuid": "57172b09-ec08-4253-84d9-497402de0b81", "value": "5ff7e8bd99466159e0285a2029cd3bdd3fed220b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136138", "to_ids": false, "type": "link", "uuid": "57172b0a-fb18-45f2-8f9d-4ac102de0b81", "value": "https://www.virustotal.com/file/b9914fb8c645e0c41d497db303c1ffa594da709686252fccb8d28dffac86275b/analysis/1395781579/" }, { "category": "Payload delivery", "comment": "T9000 main binary - Xchecked via VT: 7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec", "deleted": false, "disable_correlation": false, "timestamp": "1461136138", "to_ids": true, "type": "sha1", "uuid": "57172b0a-c39c-4fb0-ad04-437302de0b81", "value": "94be2b286a5b0bfe1a0aa575153f919cb3e1d4d9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136138", "to_ids": false, "type": "link", "uuid": "57172b0a-3154-4f7c-9b4a-473702de0b81", "value": "https://www.virustotal.com/file/7c04286734718300e2c0691be9b6622f2d2525ca07ab27102a424af6f8cc3aec/analysis/1456141482/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: 8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141", "deleted": false, "disable_correlation": false, "timestamp": "1461136139", "to_ids": true, "type": "sha1", "uuid": "57172b0b-c0ac-4958-9e53-420a02de0b81", "value": "e4007951cfbc27216e9c81eb75bff9ddac9d6f7c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136139", "to_ids": false, "type": "link", "uuid": "57172b0b-1d78-4aae-939a-4a6d02de0b81", "value": 
"https://www.virustotal.com/file/8e4de6fb35ce4cd47e06b48fb86b7da3eba02031cfd8ae714e25f8f7903f0141/analysis/1457170420/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c", "deleted": false, "disable_correlation": false, "timestamp": "1461136139", "to_ids": true, "type": "sha1", "uuid": "57172b0b-0a64-4adf-bf72-441802de0b81", "value": "2552c92922e2391246e761dcfc1e4b930fc4ae2f" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136140", "to_ids": false, "type": "link", "uuid": "57172b0c-83d0-4f34-9174-4a5e02de0b81", "value": "https://www.virustotal.com/file/d5fa43be20aa94baf1737289c5034e2235f1393890fb6f4e8d4104565be52d8c/analysis/1455281121/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: 647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b", "deleted": false, "disable_correlation": false, "timestamp": "1461136140", "to_ids": true, "type": "sha1", "uuid": "57172b0c-8a80-4cb3-a81d-44ed02de0b81", "value": "b57c11f3f3b272d3ac49cc6ef684ccebe48ebf15" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136140", "to_ids": false, "type": "link", "uuid": "57172b0c-49a0-4108-813f-4ef302de0b81", "value": "https://www.virustotal.com/file/647b443ecaa38d2834e5681f20540fa84a5cf2b7e1bee6a2524ce59783cb8d1b/analysis/1453199270/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6", "deleted": false, "disable_correlation": false, "timestamp": "1461136141", "to_ids": true, "type": "sha1", "uuid": "57172b0d-b1fc-4e7a-af10-416702de0b81", "value": "a44f10783544927137fe94d998523c4ac9a45b92" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136141", "to_ids": false, "type": "link", "uuid": "57172b0d-78a8-457f-af6d-446f02de0b81", "value": "https://www.virustotal.com/file/f6bc895b36446d172c4a99be2587376b48fa3b1b0f6150eb8ab83f649f7b8bc6/analysis/1452679497/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae", "deleted": false, "disable_correlation": false, "timestamp": "1461136142", "to_ids": true, "type": "sha1", "uuid": "57172b0e-7aa4-49ce-aeb6-43b002de0b81", "value": "2dcb8061c8473c48a6877b26a8704d1b764e7ece" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136142", "to_ids": false, "type": "link", "uuid": "57172b0e-2518-42b2-a3f1-40e902de0b81", "value": "https://www.virustotal.com/file/ad251fd7427c0334f34aabe100a216b4af48b1ab4a01705f44b3421edd0be6ae/analysis/1453200173/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3", "deleted": false, "disable_correlation": false, "timestamp": "1461136142", "to_ids": true, "type": "sha1", "uuid": "57172b0e-0ba8-4133-bb81-4bf902de0b81", "value": "cbac437a51f5b0942ddd4999eeee83dabd8f4304" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136143", "to_ids": false, "type": "link", "uuid": "57172b0f-0068-4f9d-8aa1-414002de0b81", "value": 
"https://www.virustotal.com/file/c61dbc7b51caab1d0353cbba9a8f51f65ef167459277c1c16f15eb6c7025cfe3/analysis/1458792067/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926", "deleted": false, "disable_correlation": false, "timestamp": "1461136143", "to_ids": true, "type": "sha1", "uuid": "57172b0f-cc1c-49b9-8bae-4bf302de0b81", "value": "9f99c171532faec90ac1371ff077423b3cb64613" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136143", "to_ids": false, "type": "link", "uuid": "57172b0f-e398-420a-a136-49d302de0b81", "value": "https://www.virustotal.com/file/e52b5ed63719a2798314a9c49c42c0ed4eb22a1ac4a2ad30e8bfc899edcea926/analysis/1459253251/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465", "deleted": false, "disable_correlation": false, "timestamp": "1461136144", "to_ids": true, "type": "sha1", "uuid": "57172b10-07e0-4001-a6d8-4fac02de0b81", "value": "c25ac5e3c7739cb404d38437933539d082ed0919" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136144", "to_ids": false, "type": "link", "uuid": "57172b10-30a4-4633-9876-46b902de0b81", "value": "https://www.virustotal.com/file/c22b40db7f9f8ebdbde4e5fc3a44e15449f75c40830c88932f9abd541cc78465/analysis/1457523266/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b", "deleted": false, "disable_correlation": false, "timestamp": "1461136145", "to_ids": true, "type": "sha1", "uuid": "57172b11-b8f4-4ba3-8482-4f6e02de0b81", "value": "5842ba2f51517d3276f5662398d6d3f19e44a345" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136145", "to_ids": false, "type": "link", "uuid": 
"57172b11-45b0-42ab-9d84-41a302de0b81", "value": "https://www.virustotal.com/file/bb73261072d2ef220b8f87c6bb7488ad2da736790898d61f33a5fb7747abf48b/analysis/1454685259/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27", "deleted": false, "disable_correlation": false, "timestamp": "1461136145", "to_ids": true, "type": "sha1", "uuid": "57172b11-b554-4a57-9917-474502de0b81", "value": "c2c49007a99b79f6e74382fa22ed595602a24130" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136146", "to_ids": false, "type": "link", "uuid": "57172b12-f8e0-43a0-b10f-469802de0b81", "value": "https://www.virustotal.com/file/f05cd0353817bf6c2cab396181464c31c352d6dea07e2d688def261dd6542b27/analysis/1461046893/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9", "deleted": false, "disable_correlation": false, "timestamp": "1461136146", "to_ids": true, "type": "sha1", "uuid": "57172b12-ccb4-414a-892f-4d1602de0b81", "value": "cb57196bde3f520e87c948b4676bf487c0fd513e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136146", "to_ids": false, "type": "link", "uuid": "57172b12-b1d4-4cb1-a6d8-48ee02de0b81", "value": "https://www.virustotal.com/file/3dfc94605daf51ebd7bbccbb3a9049999f8d555db0999a6a7e6265a7e458cab9/analysis/1459165746/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7", "deleted": false, "disable_correlation": false, "timestamp": "1461136147", "to_ids": true, "type": "sha1", "uuid": "57172b13-c430-4759-beca-4a0e02de0b81", "value": "fb7eba5de0304aa81711e645d6f3f203a1092613" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136147", 
"to_ids": false, "type": "link", "uuid": "57172b13-f4b0-42e3-94e1-4fa402de0b81", "value": "https://www.virustotal.com/file/1cea4e49bd785378d8beb863bb8eb662042dffd18c85b8c14c74a0367071d9a7/analysis/1455281133/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a", "deleted": false, "disable_correlation": false, "timestamp": "1461136148", "to_ids": true, "type": "sha1", "uuid": "57172b14-295c-4018-8c0b-4ff702de0b81", "value": "d9296175d7894bdbd5db1b7b477bdd39b8652ac6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136148", "to_ids": false, "type": "link", "uuid": "57172b14-4674-4191-94f8-4a8802de0b81", "value": "https://www.virustotal.com/file/ace7e3535f2f1fe32e693920a9f411eea21682c87a8e6661d3b67330cd221a2a/analysis/1461046904/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14", "deleted": false, "disable_correlation": false, "timestamp": "1461136148", "to_ids": true, "type": "sha1", "uuid": "57172b14-6408-4a0d-83f5-4e9b02de0b81", "value": "6f3c21da298db324b7d2c299c219bd75c49d9dfd" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136149", "to_ids": false, "type": "link", "uuid": "57172b15-8988-4d9e-a32e-420602de0b81", "value": "https://www.virustotal.com/file/5b90fa081e3ac29a7339995f9b087dab9981409ff62e3215eb558908c6b96b14/analysis/1461046903/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f", "deleted": false, "disable_correlation": false, "timestamp": "1461136149", "to_ids": true, "type": "sha1", "uuid": "57172b15-ae10-4a05-a760-470702de0b81", "value": "73160d3a59db4a5858cd51ef7428a444caaf7cc4" }, { "category": "External analysis", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1461136149", "to_ids": false, "type": "link", "uuid": "57172b15-61e4-481c-be10-44b702de0b81", "value": "https://www.virustotal.com/file/bf1b00b7430899d33795ef3405142e880ef8dcbda8aab0b19d80875a14ed852f/analysis/1456141391/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95", "deleted": false, "disable_correlation": false, "timestamp": "1461136150", "to_ids": true, "type": "sha1", "uuid": "57172b16-3340-4e35-97a0-4bd902de0b81", "value": "b8f03d78c139faee34293a727e7be74ad0a511d9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136150", "to_ids": false, "type": "link", "uuid": "57172b16-0ce0-4c6f-b784-454502de0b81", "value": "https://www.virustotal.com/file/9c23febc49c7b17387767844356d38d5578727ee1150956164883cf555fe7f95/analysis/1456962260/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c", "deleted": false, "disable_correlation": false, "timestamp": "1461136151", "to_ids": true, "type": "sha1", "uuid": "57172b17-5f24-4f62-b72b-4c2002de0b81", "value": "d22394046ee36dce7ca64ff95d095cdb02c88629" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136151", "to_ids": false, "type": "link", "uuid": "57172b17-4414-4f3f-8fc8-49ea02de0b81", "value": "https://www.virustotal.com/file/5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c/analysis/1454953266/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 983333e2c878a62d95747c36748198f0", "deleted": false, "disable_correlation": false, "timestamp": "1461136151", "to_ids": true, "type": "sha256", "uuid": "57172b17-868c-4c3b-b79d-45aa02de0b81", "value": "ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 983333e2c878a62d95747c36748198f0", "deleted": false, "disable_correlation": false, "timestamp": "1461136152", "to_ids": true, "type": "sha1", "uuid": "57172b18-fe4c-41b3-abfe-4c5602de0b81", "value": "b27957884d6506b24751b3d81fb243fb4d97afe5" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136152", "to_ids": false, "type": "link", "uuid": "57172b18-ec7c-4e74-b032-49e302de0b81", "value": "https://www.virustotal.com/file/ef97f13f49266a170f4d334482376bb31335fc323ed80917b9943207ff75f750/analysis/1385566211/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 6a541de84074a2c4ff99eb43252d9030", "deleted": false, "disable_correlation": false, "timestamp": "1461136152", "to_ids": true, "type": "sha256", "uuid": "57172b18-d2dc-423c-ba45-49a002de0b81", "value": "5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 6a541de84074a2c4ff99eb43252d9030", "deleted": false, "disable_correlation": false, "timestamp": "1461136153", "to_ids": true, "type": "sha1", "uuid": "57172b19-ab98-403b-bea6-44ce02de0b81", "value": "c2ffd2f81a33e962b48df1b39c296a163e34aeea" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136153", "to_ids": false, "type": "link", "uuid": "57172b19-c660-45a5-8c0d-4d5802de0b81", "value": "https://www.virustotal.com/file/5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab/analysis/1456856209/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: e0eb981ad6be0bd16246d5d442028687", "deleted": false, "disable_correlation": false, "timestamp": "1461136153", "to_ids": true, "type": "sha256", "uuid": "57172b19-bd24-4c48-9f17-44cb02de0b81", "value": "ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: e0eb981ad6be0bd16246d5d442028687", "deleted": false, "disable_correlation": false, "timestamp": "1461136154", "to_ids": true, "type": "sha1", "uuid": "57172b1a-48e0-4588-acb3-48fa02de0b81", "value": "cbeffef7965a081490171ad36e3001bd74e4123b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136154", "to_ids": false, "type": "link", "uuid": "57172b1a-3d00-4a32-a155-4a8f02de0b81", "value": "https://www.virustotal.com/file/ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00/analysis/1456856205/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: d8ede9e6c3a1a30398b0b98130ee3b38", "deleted": false, "disable_correlation": false, "timestamp": "1461136155", "to_ids": true, "type": "sha256", "uuid": "57172b1b-bda4-481e-91aa-4f1a02de0b81", "value": "5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: d8ede9e6c3a1a30398b0b98130ee3b38", "deleted": false, "disable_correlation": false, "timestamp": "1461136155", "to_ids": true, "type": "sha1", "uuid": "57172b1b-dc30-447b-898a-458202de0b81", "value": "7536c344b450af882910ce8c9620d0254aff294c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136155", "to_ids": false, "type": "link", "uuid": "57172b1b-43d4-40b6-baac-41e702de0b81", "value": "https://www.virustotal.com/file/5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d/analysis/1461075979/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: f80edbb0fcfe7cec17592f61a06e4df2", "deleted": false, "disable_correlation": false, "timestamp": "1461136156", "to_ids": true, "type": "sha256", "uuid": "57172b1c-b8d0-4a48-bb1d-46da02de0b81", "value": "2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: f80edbb0fcfe7cec17592f61a06e4df2", "deleted": false, "disable_correlation": false, "timestamp": "1461136156", "to_ids": true, "type": "sha1", "uuid": "57172b1c-4444-48d9-b21d-408b02de0b81", "value": "e11c82def33edf7162c6b3b24546af341069f4f4" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136156", "to_ids": false, "type": "link", "uuid": "57172b1c-dfbc-4ceb-af43-40ed02de0b81", "value": "https://www.virustotal.com/file/2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd/analysis/1461089261/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: f70b295c6a5121b918682310ce0c2165", "deleted": false, "disable_correlation": false, "timestamp": "1461136157", "to_ids": true, "type": "sha256", "uuid": "57172b1d-edf0-4761-baab-4b6902de0b81", "value": "4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: f70b295c6a5121b918682310ce0c2165", "deleted": false, "disable_correlation": false, "timestamp": "1461136157", "to_ids": true, "type": "sha1", "uuid": "57172b1d-add4-4872-8f43-46aa02de0b81", "value": "367c0e93dc97478e2f0101e23cae084467932cb2" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136157", "to_ids": false, "type": "link", "uuid": "57172b1d-0d80-4dbf-80b8-4b8202de0b81", "value": "https://www.virustotal.com/file/4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f/analysis/1461046897/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: d579d7a42ff140952da57264614c37bc", "deleted": false, "disable_correlation": false, "timestamp": "1461136158", "to_ids": true, "type": "sha256", "uuid": "57172b1e-faac-4a67-a2ff-472802de0b81", "value": "5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: d579d7a42ff140952da57264614c37bc", "deleted": false, "disable_correlation": false, "timestamp": "1461136158", "to_ids": true, "type": "sha1", "uuid": "57172b1e-d608-4814-bd1c-4a7502de0b81", "value": "62d16dc7335729e2d3508335b12787865f4f6035" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136158", "to_ids": false, "type": "link", "uuid": "57172b1e-dd84-43fe-b7c0-4adf02de0b81", "value": "https://www.virustotal.com/file/5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d/analysis/1452527131/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: f9f8d1c53d312f17c6f830e7b4e6651d", "deleted": false, "disable_correlation": false, "timestamp": "1461136159", "to_ids": true, "type": "sha256", "uuid": "57172b1f-add0-49b0-adfa-4e4e02de0b81", "value": "bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: f9f8d1c53d312f17c6f830e7b4e6651d", "deleted": false, "disable_correlation": false, "timestamp": "1461136159", "to_ids": true, "type": "sha1", "uuid": "57172b1f-3090-4011-a9e9-444902de0b81", "value": "6b3eb6069b69fbcfa6e1e9c231ce95674d698f51" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136160", "to_ids": false, "type": "link", "uuid": "57172b20-0268-42e0-9264-4cd902de0b81", "value": "https://www.virustotal.com/file/bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749/analysis/1461046900/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 47e60e347b5791d5f17939f9c97fee01", "deleted": false, "disable_correlation": false, "timestamp": "1461136160", "to_ids": true, "type": "sha256", "uuid": "57172b20-9494-4e9e-9e67-40e902de0b81", "value": "9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 47e60e347b5791d5f17939f9c97fee01", "deleted": false, "disable_correlation": false, "timestamp": "1461136160", "to_ids": true, "type": "sha1", "uuid": "57172b20-f1b0-4c9a-b746-484102de0b81", "value": "86ba123a6c28df4a470de09c5fdc5ac5ae3d24ce" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136161", "to_ids": false, "type": "link", "uuid": "57172b21-3880-4218-9131-437a02de0b81", "value": "https://www.virustotal.com/file/9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692/analysis/1461046910/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 07eb4867e436bbef759a9877402af994", "deleted": false, "disable_correlation": false, "timestamp": "1461136161", "to_ids": true, "type": "sha256", "uuid": "57172b21-5834-47e6-a2c7-41f402de0b81", "value": "cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 07eb4867e436bbef759a9877402af994", "deleted": false, "disable_correlation": false, "timestamp": "1461136161", "to_ids": true, "type": "sha1", "uuid": "57172b21-2738-44d4-857b-426e02de0b81", "value": "4d758a60b57d2f693fc4a87cbc74ec1744a644ce" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136162", "to_ids": false, "type": "link", "uuid": "57172b22-3068-4484-8cfd-444602de0b81", "value": "https://www.virustotal.com/file/cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082/analysis/1452794663/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: e6ad959a18725954a56a7954d3f47671", "deleted": false, "disable_correlation": false, "timestamp": "1461136162", "to_ids": true, "type": "sha256", "uuid": "57172b22-7284-4c9d-a29e-49e902de0b81", "value": "f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: e6ad959a18725954a56a7954d3f47671", "deleted": false, "disable_correlation": false, "timestamp": "1461136162", "to_ids": true, "type": "sha1", "uuid": "57172b22-8e80-4eab-ae04-417102de0b81", "value": "62fbb1ed89888cbe7ffa7d01537545574c244bfd" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461136163", "to_ids": false, "type": "link", "uuid": "57172b23-045c-4ba6-8d54-41c502de0b81", "value": "https://www.virustotal.com/file/f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616/analysis/1461046885/" }, { "category": "Network activity", "comment": "On port 8008", "deleted": false, "disable_correlation": false, "timestamp": "1461136212", "to_ids": true, "type": "ip-dst", "uuid": "57172b54-6d44-460d-ac20-40a7950d210f", "value": "59.188.12.123" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461136297", "to_ids": true, "type": "md5", "uuid": "57172ba9-9b28-4af8-91e6-44e4950d210f", "value": "09ddd70517cb48a46d9f93644b29c72f" }, { "category": "Payload delivery", "comment": "RAR", "deleted": false, "disable_correlation": false, "timestamp": "1461136298", "to_ids": true, "type": "md5", "uuid": "57172baa-a0c4-40e6-8de2-4c99950d210f", "value": "d8becbd6f188e3fb2c4d23a2d36d137b" }, { "category": "Network activity", "comment": "On port 8080", "deleted": false, "disable_correlation": false, "timestamp": "1461137412", "to_ids": true, "type": "url", "uuid": "57173004-40c8-44cc-a582-464a950d210f", "value": "www.whitewall.top" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461137413", "to_ids": true, "type": "filename|md5", "uuid": "57173005-f2dc-43f4-bd30-48b8950d210f", "value": "fsguidll.exe|2d7a648ebe64e536944c011c8dcbb375" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": 
false, "disable_correlation": false, "timestamp": "1461137414", "to_ids": true, "type": "filename|md5", "uuid": "57173006-1804-4885-b572-44a9950d210f", "value": "fslapi.dll|13d3d0699562a57cf575dd7f969b3141" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461137414", "to_ids": true, "type": "filename|md5", "uuid": "57173006-d0c4-47fc-903c-4f7f950d210f", "value": "fslapi.dll.gui|894c251a3aad150f80a8af2539baf9d1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138386", "to_ids": true, "type": "md5", "uuid": "571733d2-a0fc-4909-8c81-44ea950d210f", "value": "533cd66cf420e8919329ee850077319c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138386", "to_ids": true, "type": "sha256", "uuid": "571733d2-f430-45fa-b095-4a07950d210f", "value": "0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138386", "to_ids": true, "type": "md5", "uuid": "571733d2-0f0c-4b63-9c9a-4615950d210f", "value": "e327abcfd09be4e8f64ef35026309747" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138387", "to_ids": true, "type": "sha256", "uuid": "571733d3-ce08-4636-9f75-41cb950d210f", "value": "8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138387", "to_ids": true, "type": "md5", "uuid": "571733d3-7fe4-430d-a31d-44aa950d210f", "value": "103873e3fa8dfc2360bb5c22761da04a" 
}, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461138387", "to_ids": true, "type": "sha256", "uuid": "571733d3-a8e4-4198-aecd-4594950d210f", "value": "40099e0f13ba47bd4ea4f3f49228ac8cffdf07700c4ef8089e3b5d8013e914a3" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461140878", "to_ids": true, "type": "md5", "uuid": "57173d6f-0adc-4af5-b8c1-45ce950d210f", "value": "98bcd226890c5c2694ef9a34a23c9fbf" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461141045", "to_ids": true, "type": "sha256", "uuid": "57173e35-4b34-4a16-8442-478c950d210f", "value": "e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461141066", "to_ids": true, "type": "domain", "uuid": "57173e4a-4b18-4646-9a26-4712950d210f", "value": "softinc.pw" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461141066", "to_ids": true, "type": "hostname", "uuid": "57173e4a-99b8-4146-b38d-48df950d210f", "value": "www.tibetimes.com" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461141143", "to_ids": true, "type": "sha256", "uuid": "57173e97-6cd4-47eb-92ad-46c2950d210f", "value": "a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461141168", "to_ids": true, "type": "md5", "uuid": "57173eb0-68b4-4ad0-a243-4022950d210f", "value": "b51dd4d5731b71c1a191294466cc8288" }, { "category": "Payload delivery", "comment": "Imported via 
the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461141182", "to_ids": true, "type": "filename|md5", "uuid": "57173ebe-e2f8-49b3-b75c-4275950d210f", "value": "90t69cf82.dll|86ebcbb3bdd8af257b52daa869ddd6c1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461141183", "to_ids": true, "type": "filename|md5", "uuid": "57173ebf-7e30-489d-bd92-4eb3950d210f", "value": "B412.tmp|111273c8cba88636a036e250c2626b12" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461141196", "to_ids": true, "type": "hostname", "uuid": "57173ecc-4858-4e78-a121-4223950d210f", "value": "manhaton.123nat.com" }, { "category": "Network activity", "comment": "On port 8030", "deleted": false, "disable_correlation": false, "timestamp": "1461141197", "to_ids": true, "type": "ip-dst", "uuid": "57173ecd-ff54-4b11-921f-46fb950d210f", "value": "122.10.112.126" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461142620", "to_ids": true, "type": "sha256", "uuid": "5717445c-4344-4af2-8fe9-4151950d210f", "value": "58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142701", "to_ids": true, "type": "url", "uuid": "571744ad-ea7c-4e0f-b713-4893950d210f", "value": "www.turkistanuyghur.top" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142701", "to_ids": true, "type": "url", "uuid": "571744ad-c1f8-4606-b0b2-45bc950d210f", "value": "www.yawropauyghur.top" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": 
false, "disable_correlation": false, "timestamp": "1461142702", "to_ids": true, "type": "url", "uuid": "571744ae-aee8-4190-98ae-426d950d210f", "value": "www.japanuyghur.top" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142702", "to_ids": true, "type": "url", "uuid": "571744ae-7ae4-4ddc-bf3c-45ef950d210f", "value": "www.hotansft.top" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142702", "to_ids": true, "type": "url", "uuid": "571744ae-1af4-4757-8408-42d7950d210f", "value": "www.amerikauyghur.top" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142703", "to_ids": true, "type": "domain", "uuid": "571744af-a4b8-4e3c-9228-49b4950d210f", "value": "turkiyeuyghur.com" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142790", "to_ids": true, "type": "filename|md5", "uuid": "57174506-afbc-44f1-b90c-45d6950d210f", "value": "Micbt/BTFly.dump|f7c04e8b188fa38d0f62f620e3bf01dc" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142830", "to_ids": true, "type": "filename|md5", "uuid": "5717452e-22d8-4278-b18b-40c3950d210f", "value": "Micbt/CltID.ini|54afa267dd5acef3858dd6dbea609cd9" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142830", "to_ids": true, "type": "filename|md5", "uuid": "5717452e-f668-4202-bc83-4fcc950d210f", "value": "Micbt/IconConfigBt.DAT|516774cb0d5d56b300c402f63fe47523" }, { "category": "Payload delivery", "comment": "Imported via the freetext 
import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142831", "to_ids": true, "type": "filename|md5", "uuid": "5717452f-e860-4d6e-be0a-412d950d210f", "value": "Micbt/MemoryLoad.dump|db0f8ba69aa71e9404b52d951458b97c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142831", "to_ids": true, "type": "filename|md5", "uuid": "5717452f-bc28-48f8-a88f-4621950d210f", "value": "Micbt/RasTls.dll|1e9e9ce1445a13c1ff4bf82f4a38de0d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461142832", "to_ids": true, "type": "filename|md5", "uuid": "57174530-8628-4ec1-945e-4f28950d210f", "value": "Micbt/RasTls.exe|62944e26b36b1dcace429ae26ba66164" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143026", "to_ids": true, "type": "filename|sha256", "uuid": "571745f2-29dc-4434-8a4e-4f24950d210f", "value": "fsguidll.exe|5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143027", "to_ids": true, "type": "filename|sha256", "uuid": "571745f3-0710-48a7-8a66-4f4b950d210f", "value": "fslapi.dll|2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143028", "to_ids": true, "type": "filename|sha256", "uuid": "571745f4-eab8-481e-bfbc-41b7950d210f", "value": "fslapi.dll.gui|dc4dac22d58ed7c0cadb13a621f42cb9a01851385ca0dc5b94a73c91677a0739" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, 
"disable_correlation": false, "timestamp": "1461143045", "to_ids": true, "type": "filename|sha256", "uuid": "57174605-6328-49df-a999-4ad9950d210f", "value": "BC29.tmp|5f3d0a319ecc875cc64a40a34d2283cb329abcf79ad02f487fbfd6bef153943c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143046", "to_ids": true, "type": "filename|sha256", "uuid": "57174606-b230-42b0-b806-47f2950d210f", "value": "~tmp.doc|76d54a0c8ed8d9a0b02f52d2400c8e74a9473e9bc92aeb558b2f4c894da1b88f" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143075", "to_ids": true, "type": "filename|sha256", "uuid": "57174623-6d50-40d8-9fb3-47c6950d210f", "value": "~tmp.doc|f0b5336b6f890e2029ac242ad2b613cad535828f7b7004a2284683f3195b7616" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143076", "to_ids": true, "type": "filename|sha256", "uuid": "57174624-8aa0-4072-bc11-4657950d210f", "value": "iuso.exe|cf717a646a015ee72f965488f8df2dd3c36c4714ccc755c295645fe8d150d082" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143076", "to_ids": true, "type": "filename|sha256", "uuid": "57174624-a420-4946-be1d-473e950d210f", "value": "wget.bat|9b6053e784c5762fdb9931f9064ba6e52c26c2d4b09efd6ff13ca87bbb33c692" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143077", "to_ids": true, "type": "filename|sha256", "uuid": "57174625-257c-43c7-a6a6-4b5f950d210f", "value": "wget.exe|bedfbfe249b4a2be35bbfb1cf166d2119e132ee7c608909d34238e9eba6c9749" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", 
"deleted": false, "disable_correlation": false, "timestamp": "1461143078", "to_ids": true, "type": "filename|sha256", "uuid": "57174626-4614-4979-b6a0-41d4950d210f", "value": "wthk.txt|5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143078", "to_ids": true, "type": "filename|sha256", "uuid": "57174626-632c-4e4f-ad7f-42ff950d210f", "value": "conhost.exe|4849af113960f473749acf71d11d56854589cf21d623e66c7408bebd5ad0608f" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143079", "to_ids": true, "type": "filename|sha256", "uuid": "57174627-93e4-4f5c-8c97-4251950d210f", "value": "SbieDll.dll|2ac69633da711f244377483d99fac53089ec6614a61d8a1492a0e7228cbb8ffd" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143080", "to_ids": true, "type": "filename|sha256", "uuid": "57174628-8e70-4cc8-9987-4952950d210f", "value": "dll2.xor|c3fee1c7d402f144023dade4e63dc65db42fc4d6430f9885ece6aa7fa77cade0" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143080", "to_ids": true, "type": "filename|sha256", "uuid": "57174628-caf4-49ba-86d9-40a2950d210f", "value": "maindll.dll|5838582ea26312cc60b43da555189b439d3688597a705e3a52dc4d935517f69d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143081", "to_ids": true, "type": "filename|sha256", "uuid": "57174629-38f4-4809-b539-4fd9950d210f", "value": "nvsvc.exe|ec05e37230e6534fa148b8e022f797ad0afe80f699fbd222a46672118663cf00" }, { "category": "Payload delivery", "comment": "Imported 
via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143082", "to_ids": true, "type": "filename|sha256", "uuid": "5717462a-b1b0-4b33-bf15-45c2950d210f", "value": "runas.exe|5b34b3365eb6a6c700b391172849a2668d66a167669018ae3b9555bc2d1e54ab" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143265", "to_ids": true, "type": "filename|sha256", "uuid": "571746e1-8018-47cf-8445-4d2a950d210f", "value": "90t69cf82.dll|afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143266", "to_ids": true, "type": "filename|sha256", "uuid": "571746e2-b3b8-4478-9c44-4c84950d210f", "value": "B512.tmp|cdb1d2f843ce797084cfc90107a2582e4861f4051aab0f6ac374468f491232a5" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143266", "to_ids": true, "type": "filename|sha256", "uuid": "571746e2-5f40-4465-a168-4030950d210f", "value": "~tmp.doc|aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143267", "to_ids": true, "type": "filename|sha256", "uuid": "571746e3-9830-4503-8e36-475c950d210f", "value": "Micbt/BTFly.dump|3b828a81ff5b0766c99284524b18fcd10d553191741bc1ed89904cdaa79baae1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143267", "to_ids": true, "type": "filename|sha256", "uuid": "571746e3-489c-4e77-afe4-43b8950d210f", "value": "Micbt/CltID.ini|1590a42e67fe02892dfeb6f29e0e6ae91c503d4ea91b550557c513e92f5ac7eb" }, { "category": 
"Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143268", "to_ids": true, "type": "filename|sha256", "uuid": "571746e4-9dd0-4067-8ec7-4fba950d210f", "value": "Micbt/IconConfigBt.DAT|0a47bd32b83f09be1ea5a29dce6b7d307de7b3cdd69f836e0c810fd578f85c7c" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143269", "to_ids": true, "type": "filename|sha256", "uuid": "571746e5-e05c-451b-9a26-4efa950d210f", "value": "Micbt/MemoryLoad.dump|aace766acea06845c29b306a9e080edcb3407635398007f3b9b5e053198b54f4" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143270", "to_ids": true, "type": "filename|sha256", "uuid": "571746e6-c760-4569-96ff-4d91950d210f", "value": "Micbt/RasTls.dll|bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143270", "to_ids": true, "type": "filename|sha256", "uuid": "571746e6-e8b4-4c80-8fe4-430e950d210f", "value": "Micbt/RasTls.exe|f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68" }, { "category": "Payload delivery", "comment": "recognized as Gh0stRAT", "deleted": false, "disable_correlation": false, "timestamp": "1461143400", "to_ids": true, "type": "filename|md5", "uuid": "57174768-a980-4cfc-adce-4ef9950d210f", "value": "~tmp.doc|e538ad13417b773714b75b5d602e4c6e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461143448", "to_ids": true, "type": "filename|sha256", "uuid": "57174798-6d98-4b70-b485-4cca950d210f", "value": "~1|df50ea33616c916720c81d65563175d998a2c606360eeb3c8b727a482de3a4fc" }, { "category": "Payload delivery", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461143464", "to_ids": true, "type": "filename|md5", "uuid": "571747a8-e860-46cd-b1b3-44c1950d210f", "value": "~1|b901f0b4aa6a3a6875235f96fce15839" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143659", "to_ids": true, "type": "filename|md5", "uuid": "5717486b-e948-4e87-b418-42fe950d210f", "value": "One Tibetan Protester is Freed, Two Others Are Jailed.doc|facd2fbf26e974bdeae3e4db19753f03" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461143659", "to_ids": true, "type": "filename|sha256", "uuid": "5717486b-ac80-4461-911a-49fc950d210f", "value": "One Tibetan Protester is Freed, Two Others Are Jailed.doc|1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c" }, { "category": "Payload delivery", "comment": "RTF", "deleted": false, "disable_correlation": false, "timestamp": "1461144013", "to_ids": true, "type": "sha256", "uuid": "571748d1-aef0-4c8b-991b-4c00950d210f", "value": "41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2" }, { "category": "Payload delivery", "comment": "RAR \r\n8EC7.tmp", "deleted": false, "disable_correlation": false, "timestamp": "1461144007", "to_ids": true, "type": "sha256", "uuid": "571748d2-03c0-4806-a97b-4b36950d210f", "value": "ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144071", "to_ids": true, "type": "pehash", "uuid": "57174a07-2508-4ee1-a57b-4894950d210f", "value": "ffb7a38174aab4744cc4a509e34800aee9be8e57" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": 
"1461144196", "to_ids": true, "type": "ip-dst", "uuid": "57174a84-d848-4ef3-8677-43fa950d210f", "value": "118.193.240.195" }, { "category": "Network activity", "comment": "On port 8080", "deleted": false, "disable_correlation": false, "timestamp": "1461144196", "to_ids": true, "type": "url", "uuid": "57174a84-7878-4c38-ac38-4c38950d210f", "value": "http://www.whitewall.top:8080/850D3011FA326CBB6F57A965" }, { "category": "Network activity", "comment": "On port 995", "deleted": false, "disable_correlation": false, "timestamp": "1461144197", "to_ids": true, "type": "url", "uuid": "57174a85-8a24-41d6-bc55-4eef950d210f", "value": "http://www.whitewall.top:995/5724DD3DCC4A19E8416E5691" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144234", "to_ids": true, "type": "md5", "uuid": "57174aaa-2894-4f79-83c3-48bb950d210f", "value": "ee49bd5f35cc3012b5b606aca9b0f561" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144424", "to_ids": true, "type": "ssdeep", "uuid": "57174b68-2ef8-49f4-82fc-4e38950d210f", "value": "6144:NwOD0nTHfnxBl7p01yDn8FJD1O6JN0MrvVburdr3QM5o1Zx0a4VgLjv9uM+yb3Hx:ZbqQM5oBfv9uMt5yGg" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144473", "to_ids": false, "type": "pdb", "uuid": "57174b99-21b4-4881-8088-44f2950d210f", "value": "Y:/UDPSbieDLL/Release/SBieDLL.pdb" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144549", "to_ids": true, "type": "filename", "uuid": "57174be5-742c-456a-a9be-4030950d210f", "value": 
"2016\u00e7\u00b8\u00bd\u00e7\u00b5\u00b1\u00e9\u0081\u00b8\u00e8\u02c6\u2030\u00e6\u00b0\u2018\u00e6\u0192\u2026\u00e4\u00b8\u00ad\u00e5\u00bf\u0192\u00e9\u00a0\u0090\u00e6\u00b8\u00ac\u00e5\u20ac\u00bc.doc" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144549", "to_ids": true, "type": "url", "uuid": "57174be5-2e14-46d9-a003-4125950d210f", "value": "www.kcico.com.tw/data/openwebmail/doc/wthk.txt" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1461144549", "to_ids": true, "type": "filename", "uuid": "57174be5-41e0-41d6-a2e5-4294950d210f", "value": "\u00e4\u00b8\u00ad\u00e5\u203a\u00bd\u00e5\u203a\u00bd\u00e5\u00ae\u00b6\u00e5\u00ae\u2030\u00e5\u2026\u00a8\u00e5\u00a7\u201d\u00e5\u2018\u02dc\u00e4\u00bc\u0161\u00e6\u0153\u00ba\u00e6\u017e\u201e\u00e8\u00ae\u00be\u00e7\u00bd\u00ae\u00e5\u2019\u0152\u00e4\u00ba\u00ba\u00e5\u2018\u02dc\u00e5\u0090\u008d\u00e5\u008d\u2022\u00e6\u008f\u0090\u00e5\u2030\u008d\u00e6\u203a\u009d\u00e5\u2026\u2030.docx" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144573", "to_ids": false, "type": "filename", "uuid": "57174bfd-9390-4ea8-b4fd-4a39950d210f", "value": "One Tibetan Protester is Freed, Two Others Are Jailed.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144589", "to_ids": false, "type": "filename", "uuid": "57174c0d-7a14-496d-81b4-4e90950d210f", "value": "HUMAN RIGHTS SITUATION IN TIBET.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144659", "to_ids": false, "type": "filename", "uuid": "57174c53-7610-4095-b503-4f52950d210f", "value": "[tibethouse] Upcoming Program Announcemet Last Week of December.doc" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144815", "to_ids": false, "type": "filename|sha256", "uuid": "57174cef-6628-4d5c-a692-4a51950d210f", "value": "PlugX|40099e0f13ba47bd4ea4f3f49228ac8cffdf07700c4ef8089e3b5d8013e914a3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144831", "to_ids": false, "type": "filename|sha256", "uuid": "57174cff-aa9c-441c-8d64-4493950d210f", "value": "ufbidruosivibuted|a78ea84acf57e0c54d5b1e5e3bd5eec31cc5935f16d9575e049e161420736e32" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144850", "to_ids": false, "type": "filename|md5", "uuid": "57174d12-942c-4080-977e-4467950d210f", "value": "PlugX|103873e3fa8dfc2360bb5c22761da04a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461144866", "to_ids": false, "type": "filename|md5", "uuid": "57174d22-fcec-4be8-9b94-44a9950d210f", "value": "ufbidruosivibuted|caefdd6ca90ff791cdeff9313136972e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145048", "to_ids": false, "type": "filename", "uuid": "57174dd8-3f30-4838-af62-400a950d210f", "value": "keylog" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145073", "to_ids": false, "type": "filename", "uuid": "57174df1-3968-479d-85d5-4e03950d210f", "value": "xx6.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145087", "to_ids": false, "type": "filename", "uuid": "57174dff-78ac-400f-bbd4-4c75950d210f", "value": "xx3.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145098", "to_ids": false, "type": 
"filename", "uuid": "57174e0a-10e0-4022-9a31-4ba1950d210f", "value": "xx1.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145117", "to_ids": false, "type": "filename", "uuid": "57174e1d-32dc-46d5-b717-41c3950d210f", "value": "srvlic.dll" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145133", "to_ids": false, "type": "filename", "uuid": "57174e2d-4558-4971-aa84-4d5a950d210f", "value": "conhost.log" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145146", "to_ids": false, "type": "filename", "uuid": "57174e3a-3abc-4d57-b5f7-449b950d210f", "value": "xx4.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145160", "to_ids": false, "type": "filename", "uuid": "57174e48-e2dc-4f15-9ae2-4adb950d210f", "value": "xx2.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145172", "to_ids": false, "type": "filename", "uuid": "57174e54-5018-495b-b18a-48eb950d210f", "value": "xx5.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461145194", "to_ids": false, "type": "filename", "uuid": "57174e6a-c71c-4c48-a9f4-444b950d210f", "value": "up.dat" }, { "category": "Payload delivery", "comment": "RAR \r\n8EC7.tmp - Xchecked via VT: ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30", "deleted": false, "disable_correlation": false, "timestamp": "1461159925", "to_ids": true, "type": "sha1", "uuid": "571787f5-98d0-4631-b8c7-4f0102de0b81", "value": "b3d8f4587f40a598d19ed23c552c02120fd3c0ce" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159925", "to_ids": false, "type": "link", "uuid": 
"571787f5-31d0-4bc2-986d-4bd102de0b81", "value": "https://www.virustotal.com/file/ddc05b9f39f579f64742980980ca9820b83a243889bbc5baa37f5c2c1c4beb30/analysis/1458560144/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: 41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2", "deleted": false, "disable_correlation": false, "timestamp": "1461159926", "to_ids": true, "type": "sha1", "uuid": "571787f6-6d58-4685-aa4c-4b1e02de0b81", "value": "4782223722758b1281f31b77f1eb0f8da38af258" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159926", "to_ids": false, "type": "link", "uuid": "571787f6-b9e4-4e7f-812f-476102de0b81", "value": "https://www.virustotal.com/file/41d05788d844b59f8eb79aeb2060dd5b7bdcad01e8d720f4b8b80d552e41cfe2/analysis/1458273608/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: 58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589", "deleted": false, "disable_correlation": false, "timestamp": "1461159927", "to_ids": true, "type": "sha1", "uuid": "571787f7-5640-43a9-a1f8-42d202de0b81", "value": "5ec656d194a15d41b831de750a37e40b28b19c45" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159927", "to_ids": false, "type": "link", "uuid": "571787f7-ed70-43ad-84b7-428702de0b81", "value": "https://www.virustotal.com/file/58f8a906b49711d2a6aaed0b59e1c1b7fcf5757666e0567fe50e996bfe0a4589/analysis/1458825268/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb", "deleted": false, "disable_correlation": false, "timestamp": "1461159928", "to_ids": true, "type": "sha1", "uuid": "571787f8-d818-4455-aec2-4cf002de0b81", "value": "f44dc6b644d7534276c18d8f43420f6f9dac4ef3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": 
"1461159928", "to_ids": false, "type": "link", "uuid": "571787f8-0bc0-4113-bd2a-446d02de0b81", "value": "https://www.virustotal.com/file/a0da9887b4c5af009a41b783db7ffedf949013abc70777c0ec539299628a51eb/analysis/1456924149/" }, { "category": "Payload delivery", "comment": "RTF - Xchecked via VT: e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49", "deleted": false, "disable_correlation": false, "timestamp": "1461159928", "to_ids": true, "type": "sha1", "uuid": "571787f8-6338-476e-8153-44af02de0b81", "value": "ca8fa4afeeae67ef57dcb22ff2326734f119a8d6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159929", "to_ids": false, "type": "link", "uuid": "571787f9-1f18-4b3a-ac70-482102de0b81", "value": "https://www.virustotal.com/file/e13a0357cd51795100dbce25fe846783fbb7fd22c5efe438d9059edc10492f49/analysis/1452944526/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78", "deleted": false, "disable_correlation": false, "timestamp": "1461159929", "to_ids": true, "type": "sha1", "uuid": "571787f9-5f08-4091-97a4-40e702de0b81", "value": "b8ea4d22bd988c021bc45c3a3e84362edca91e78" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159930", "to_ids": false, "type": "link", "uuid": "571787fa-074c-4412-a3f1-4c2302de0b81", "value": "https://www.virustotal.com/file/8b6ef2f4e2af608c755b3114e98ab78ac89e089db5b0bece7f2dc68bd1026a78/analysis/1459770897/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360", "deleted": false, "disable_correlation": false, "timestamp": "1461159930", "to_ids": true, "type": "sha1", "uuid": "571787fa-81e4-400a-8f49-4e9902de0b81", "value": "0bdd3484e69af639c3564aa7ab679defc4434def" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159930", "to_ids": false, "type": "link", "uuid": "571787fa-e10c-4ac1-ac7d-4c5b02de0b81", "value": "https://www.virustotal.com/file/0ba814941a0adb344cbf2a90552a66b52faa99a24d3107735da1db5a0e1f8360/analysis/1459770252/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159931", "to_ids": false, "type": "link", "uuid": "571787fb-44bc-4692-b11b-4b2502de0b81", "value": "https://www.virustotal.com/file/5b875ecf0b7f67a4429aeaa841eddf8e6b58771e16dbdb43ad6918aa7a5b582d/analysis/1461148223/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159931", "to_ids": false, "type": "link", "uuid": "571787fb-7fcc-4e67-bed8-429a02de0b81", "value": "https://www.virustotal.com/file/51c0d075067709c9f8794a25a7e3920bf69f8c755a1794e857acd818ea8a1010/analysis/1461146860/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159932", "to_ids": false, "type": "link", "uuid": "571787fc-cb4c-49f7-991d-45d002de0b81", "value": "https://www.virustotal.com/file/4a5d864f69aff245793606b694bcbc5243b81e0b018596bce85ecab0e12ac849/analysis/1461147529/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c", "deleted": false, "disable_correlation": false, "timestamp": "1461159932", "to_ids": true, "type": "sha1", "uuid": "571787fc-b710-46bc-a454-496202de0b81", "value": "6dd646bd56e04c6d394f87c97976ccd04ed613df" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159932", "to_ids": false, "type": "link", "uuid": "571787fc-b338-4b49-a732-473902de0b81", "value": "https://www.virustotal.com/file/1140e06fa8580cf869744b01cc037c2d2d2b5af7f26f5b3448d9a536674d681c/analysis/1452854114/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68", "deleted": false, "disable_correlation": false, "timestamp": "1461159933", "to_ids": true, "type": "sha1", "uuid": "571787fd-6dc4-4c44-82c0-43d602de0b81", "value": "2616da1697f7c764ee7fb558887a6a3279861fac" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159933", "to_ids": false, "type": "link", "uuid": "571787fd-9b0c-4c22-98cb-41c302de0b81", "value": "https://www.virustotal.com/file/f9ebf6aeb3f0fb0c29bd8f3d652476cd1fe8bd9a0c11cb15c43de33bbce0bf68/analysis/1461070473/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1", "deleted": false, "disable_correlation": false, "timestamp": "1461159934", "to_ids": true, "type": "sha1", "uuid": "571787fe-2ed8-4e88-8cba-4b9002de0b81", "value": "90c9b15d6f5943c515b41d7f306a7bd6eef1845a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159934", "to_ids": false, "type": "link", "uuid": "571787fe-bf88-4d38-b4a9-47d702de0b81", "value": "https://www.virustotal.com/file/bc2f7ebcad10aa48a69680f14fc57434436b821d5e7f2666a0f6d8795b0d37d1/analysis/1455192800/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c", "deleted": false, "disable_correlation": false, "timestamp": "1461159934", "to_ids": true, "type": "sha1", "uuid": "571787fe-7404-450d-a9bd-415a02de0b81", "value": "79cc8f5b155179360a7a2de772ed1f3945aaf49c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159935", "to_ids": false, "type": "link", "uuid": "571787ff-8ac4-41cb-bbfe-43b102de0b81", "value": "https://www.virustotal.com/file/aecd3e146632e9dfa0a92f486855144df0f87181feb67ac414a618fd52960c8c/analysis/1455797633/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d", "deleted": false, "disable_correlation": false, "timestamp": "1461159935", "to_ids": true, "type": "sha1", "uuid": "571787ff-3858-4bdc-bd8f-430e02de0b81", "value": "cd8581dc95a92bab7f8025fcc5908d27c183b425" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159935", "to_ids": false, "type": "link", "uuid": "571787ff-9184-46e3-bda4-460202de0b81", "value": "https://www.virustotal.com/file/afd0eae5065a689f8fc48c0cfc5b87f4caecc2fb6b1cef4c5e977fc2cc98509d/analysis/1454375598/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083", "deleted": false, "disable_correlation": false, "timestamp": "1461159936", "to_ids": true, "type": "sha1", "uuid": "57178800-8b30-4513-b981-431902de0b81", "value": "c6f146def58b701f406a73958cdaacbe53860090" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159936", "to_ids": false, "type": "link", "uuid": "57178800-8760-437a-8ecf-494b02de0b81", "value": "https://www.virustotal.com/file/2a6ef9dde178c4afe32fe676ff864162f104d85fac2439986de32366625dc083/analysis/1455406891/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. 
- Xchecked via VT: 5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635", "deleted": false, "disable_correlation": false, "timestamp": "1461159937", "to_ids": true, "type": "sha1", "uuid": "57178801-c614-4982-8611-42d002de0b81", "value": "f1ec39dddb224a6a1e40d55c8f6877c908f92bcf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159937", "to_ids": false, "type": "link", "uuid": "57178801-e5fc-46db-9b1c-41d802de0b81", "value": "https://www.virustotal.com/file/5c5e3201d6343e0536b86cb4ab0831c482a304c62cd09c01ac8bdeee5755f635/analysis/1461046907/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159937", "to_ids": false, "type": "link", "uuid": "57178801-90c4-4fad-b307-420c02de0b81", "value": "https://www.virustotal.com/file/5676c0b2d3c139dbef5bafa0184576bd1a4ccbd3f7d40b4a6a099a1e61bc2a39/analysis/1461146345/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1461159938", "to_ids": false, "type": "link", "uuid": "57178802-d774-4018-b499-4c2002de0b81", "value": "https://www.virustotal.com/file/7a200c4df99887991c638fe625d07a4a3fc2bdc887112437752b3df5c8da79b6/analysis/1461146164/" }, { "category": "Network activity", "comment": "Some SNORT IDS Rule.", "deleted": false, "disable_correlation": false, "timestamp": "1467971098", "to_ids": false, "type": "snort", "uuid": "577f761a-5ec4-4532-9e7b-093bc0a8f687", "value": "alert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - www.amerikauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|amerikauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016101; 
rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - dge.123nat.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|dge|06|123nat|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016102; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT LURK0 C&C Domain - manhaton.123nat.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|08|manhaton|06|123nat|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016103; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - bsnl.wang\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|04|bsnl|04|wang\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016104; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.onebook.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|07|onebook|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016105; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.togolaga.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|08|togolaga|03|com\"; 
fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016106; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - unisers.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|07|unisers|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016107; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.dicemention.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|dicemention|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016108; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.updatenewes.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|updatenewes|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016109; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - softinc.pw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|07|softinc|02|pw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; 
reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016110; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT Saker C&C Domain - www.notebookhk.net\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0a|notebookhk|03|net\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016111; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX C&C Domain - www.whitewall.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|09|whitewall|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016112; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 Win32/Agent.XST Domain - www.kcico.com.tw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|05|kcico|03|com|02|tw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016113; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 Win32/Agent.XST Domain - www.tibetimes.com\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|09|tibetimes|03|com\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016114; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-T9000 
Win32/Agent.XST Domain - softinc.pw\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|07|softinc|02|pw\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016115; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"NF - Win32/Agent.XST Checkin\"; flow:established,to_server; content:\"POST\"; http_method; content:!\"Referer|3a|\"; http_header; content:!\"Accept|3a|\"; http_header; content:\"Content-Type|3a 20|text/html|0d 0a|\"; http_header; content:\"this is UP\"; depth:10; http_client_body; fast_pattern; content:\"|00 00 00 00|\"; http_client_body; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016116; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"NF - Win32/Agent.XST Keepalive\"; flow:established,to_server; content:\"POST|20|\"; depth:5; content:\".asp|20|HTTP/1.\"; distance:0; content:!\"Referer|3a|\"; distance:0; content:!\"Accept|3a|\"; distance:0; content:\"Content-Length|3a 20|2|0d 0a|\"; distance:0; fast_pattern; content:\"Content-Type|3a 20|text/html|0d 0a|\"; content:\"|0d 0a 0d 0a|ok\"; distance:0; threshold: type limit, count 1, seconds 60, track by_src; reference:url,asert.arbornetworks.com/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-Uncovering-the-Seven-Pointed-Dagger.pdf; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016117; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:\"NF - Win32/Agent.XST/UP007 Checkin 2\"; flow:established,to_server; content:\"POST\"; http_method; content:!\"Referer|3a|\"; http_header; content:!\"Accept|3a|\"; http_header; 
content:\"Content-Type|3a 20|text/html|0d 0a|\"; http_header; content:\"this is UP\"; depth:10; http_client_body; fast_pattern; content:\"|00 00 00 00|\"; http_client_body; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016118; rev:1;)\r\n\r\nalert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:\"NF - Win32/Agent.XST/UP007 Keepalive 2\"; flow:established,to_server; content:\"POST|20|\"; depth:5; content:\".asp|20|HTTP/1.\"; distance:0; content:!\"Referer|3a|\"; distance:0; content:!\"Accept|3a|\"; distance:0; content:\"Content-Length|3a 20|5|0d 0a|\"; distance:0; fast_pattern; content:\"Content-Type|3a 20|text/html|0d 0a|\"; content:\"|0d 0a 0d 0a|READY\"; distance:0; threshold:type limit, count 1, seconds 60, track by_src; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016119; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0F|turkistanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016120; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.yawropauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|yawropauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016121; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - 
www.japanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0b|japanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016122; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.hotansft.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|08|hotansft|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016123; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.amerikauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|amerikauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016124; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.yawropauyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0d|yawropauyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016125; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0f|turkistanuyghur|03|top\"; 
fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016126; rev:1;)\r\n\r\nalert udp any any -> any 53 (msg:\"NF - APT-PlugX Related Domain - www.turkistanuyghur.top\"; content:\"|01 00 00 01 00 00 00 00 00 00|\"; depth:10; offset:2; content:\"|03|www|0f|turkistanuyghur|03|top\"; fast_pattern; nocase; distance:0; reference:url,researchcenter.paloaltonetworks.com/2016/06/unit42-recent-mnkit-exploit-activity-reveals-some-common-threads/#more-15097; reference:url,networkforensic.dk; metadata:06072016; priority:1; sid:888016127; rev:1;)" } ] } }