{ "Event": { "analysis": "2", "date": "2015-04-27", "extends_uuid": "", "info": "OSINT Attacks against Israeli & Palestinian interests by PwC", "publish_timestamp": "1517779424", "published": true, "threat_level_id": "2", "timestamp": "1517779399", "uuid": "553ea363-7aa4-426b-8f54-ad70950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168546", "to_ids": false, "type": "link", "uuid": "553ea3e2-9adc-4432-b00b-ba7f950d210b", "value": "http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168572", "to_ids": true, "type": "sha256", "uuid": "553ea3fc-c4a4-4b75-a18f-5c47950d210b", "value": "ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-c458-4826-a414-f38d950d210b", "value": "rotter2.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-9d08-4aab-880c-f38d950d210b", "value": "haartezenglish.strangled.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-f5f8-45a5-ab07-f38d950d210b", "value": "wallanews.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-9e28-4402-8ff5-f38d950d210b", "value": "ynet.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-79d4-4e9a-958d-f38d950d210b", "value": "safar.selfip.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168784", "to_ids": true, "type": "hostname", "uuid": "553ea4d0-d928-489f-a732-f38d950d210b", "value": "depka.sytes.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168833", "to_ids": true, "type": "sha256", "uuid": "553ea501-72f4-4d3b-98c4-ba7f950d210b", "value": "8993a516404c0dd62692f3ce5055d4ddee7e29ad4bb6aa29f67114eeeaee26b9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168833", "to_ids": true, "type": "sha256", "uuid": "553ea501-1dcc-4f72-9c81-ba7f950d210b", "value": "bfe727f2f238f11eb989e5b76efd24ad2b41df3cf7dabf7077dfaace834e7f03" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168833", "to_ids": true, "type": "sha256", "uuid": "553ea501-3c3c-471a-a77a-ba7f950d210b", "value": "dad34d2cb2aa9662d4a4148481ae018f5816498f30cc7aee4919e0e9fe6b9e08" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168833", "to_ids": true, "type": "sha256", "uuid": "553ea501-aa08-4dca-bb1e-ba7f950d210b", "value": "2cb9df0d52d09c98f0a97ce71eb8805f224945cadab7d615ef0257b7b09c80d3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168833", "to_ids": true, "type": "sha256", "uuid": "553ea501-fd98-4bc9-8e8b-ba7f950d210b", "value": "f53fd5389b09c6ad289736720e72392dd5f30a1f7822dbc8c7c2e2b655b4dad9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-892c-4052-a59a-ba7f950d210b", "value": "1d533ddaefc7859a3f6c6751114e895b7aa5935eb0ed68b01ec61aa8560ae3d9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-cd08-4911-8ac1-ba7f950d210b", "value": "95b2f926ae173ab45d6dac4039f0b91eb24699e6d11b621bbcebd860752e5d5e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-1cc0-426e-baa7-ba7f950d210b", "value": "da63f6392ce6af83f6d944fa1bd3f28082345fec928647ee7ef9939fac7b2e6c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-a180-48a0-8f41-ba7f950d210b", "value": "a7aeeead233fcdfe1c7475db982497a82d8ae745ec1c58bd87215e8869c3f9e4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-e1d8-4fb1-8563-ba7f950d210b", "value": "2eb7aa306551d693691d14558c5dc4f6d80ef8f69cf466149fbba23953c08f7f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-31e4-419a-ac77-ba7f950d210b", "value": "e945b055fb4057a396506c74f73b873694125e6178a40d10cabf24b2d89d598f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-03c8-44d2-9ae9-ba7f950d210b", "value": "c9e084eb1ce1066ee063f860c13a8f7d2ead97495036855fc956dacc9a24ea68" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-d2b4-4126-9e14-ba7f950d210b", "value": "047e8d542e2fcdf0f4dd45e2b19848771d01abc90d161d05242b79c52cdd248d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168834", "to_ids": true, "type": "sha256", "uuid": "553ea502-47b4-41f6-9ff5-ba7f950d210b", "value": "25e6bf67410dffb95c527c19dcff5223dbc3bf4c987650e45fbea1267072e8ff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-b0c8-41b8-9796-ba7f950d210b", "value": "b0edbd0f44df72e0fad3fb73948444a4df5143ed954c9116eb1a7b606841f187" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-0b48-4cc0-8338-ba7f950d210b", "value": "de3e25a69ba43b9f236e544ece7f2da82a4fafb4489ad2e263754d9b9d88bc5c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-60c0-4dfb-b454-ba7f950d210b", "value": "f969bf3b7a9821b3b2d5de889b5af7af25972b25ba59e4e9439f87fe90f1c404" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-7b94-42a9-a8b1-ba7f950d210b", "value": "14be3a9a2a4261cb365915e720486a0632dbebb06fe68fb669ae67aa9b18507b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-27c8-4b7c-813e-ba7f950d210b", "value": "488ba22d6cb8c9b0310c58fa4c4739692cdf45676c3164b357314322542f9dff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-17fc-45d2-9e68-ba7f950d210b", "value": "b3a47e0bc0af49b46bc0c1158089bf200856ff462a5334df2b5c11e69c8b1ada" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-8774-40eb-a148-ba7f950d210b", "value": "324ce011b913feec4adb916f32c743a243f07dccb51b49c0122c4fa4a8e2bded" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168835", "to_ids": true, "type": "sha256", "uuid": "553ea503-8764-4007-996a-ba7f950d210b", "value": "d6df5943169b48ac58fc28bb665fe8800c265b65fff8a2217b70703a4d3a7277" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168836", "to_ids": true, "type": "sha256", "uuid": "553ea504-dd68-4ced-a258-ba7f950d210b", "value": "88e7a7e815565b92af81761ae7b9153b7507677df3d3b77e8ce68787ad1826d4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168836", "to_ids": true, "type": "sha256", "uuid": "553ea504-4424-4719-95ee-ba7f950d210b", "value": "f51d4155534e10c09b531acc41458e8ff3b7879f4ee7d3ee99f16180c4caf0ee" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168836", "to_ids": true, "type": "sha256", "uuid": "553ea504-a148-492d-bc71-ba7f950d210b", "value": "bc846caa05939b085837057bc4b9303357602ece83dc1380191bddd1402d4a2b" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168998", "to_ids": true, "type": "domain", "uuid": "553ea5a6-cf94-4fec-b254-f38d950d210b", "value": "cbbnews.tk" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168998", "to_ids": true, "type": "domain", "uuid": "553ea5a6-a648-4baa-a14b-f38d950d210b", "value": "chromeupdt.tk" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430168998", "to_ids": true, "type": "domain", "uuid": "553ea5a6-100c-4a1f-90a0-f38d950d210b", "value": "store-legal.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169007", "to_ids": true, "type": "hostname", "uuid": "553ea5af-75ec-4da4-a9f3-7df3950d210b", "value": "ajaxo.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-5ec0-439a-a136-7df3950d210b", "value": "backjadwer.bounceme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-1f80-471e-a215-7df3950d210b", "value": "bandao.publicvm.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-1df4-4954-a9d7-7df3950d210b", "value": "deapka.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-d1e4-4528-ad67-7df3950d210b", "value": "download.likescandy.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-6a6c-4de7-916c-7df3950d210b", "value": "downloadlog.linkpc.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-2748-47ba-8a3d-7df3950d210b", "value": "downloadmyhost.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-cbe8-4e49-9754-7df3950d210b", "value": "downloadskype.cf" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169008", "to_ids": true, "type": "hostname", "uuid": "553ea5b0-e890-4d0d-8da7-7df3950d210b", "value": "duntat.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-bd38-4152-995d-7df3950d210b", "value": "fastbingcom.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-4a9c-40f4-b633-7df3950d210b", "value": "gaonsmom.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-4770-487a-a2c2-7df3950d210b", "value": "haartezenglish.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-1b24-44a5-b4d7-7df3950d210b", "value": "help2014.linkpc.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-ff54-4d56-9f0d-7df3950d210b", "value": "kaliob.selfip.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-2aa0-44eb-a0b8-7df3950d210b", "value": "kaswer12.strangled.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-a00c-4d40-953b-7df3950d210b", "value": "kaswer13.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169009", "to_ids": true, "type": "hostname", "uuid": "553ea5b1-6898-456d-9d88-7df3950d210b", "value": "kolabdown.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-2d68-4aac-993d-7df3950d210b", "value": "lilian.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-bce0-45e2-879f-7df3950d210b", "value": "nazer.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-0c54-48ce-b636-7df3950d210b", "value": "noredirecto.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-828c-403e-8831-7df3950d210b", "value": "orango.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-3928-4247-86fd-7df3950d210b", "value": "redirectlnk.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-da54-47ca-9cc0-7df3950d210b", "value": "rotter2.publicvm.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-b9d8-4001-b6b5-7df3950d210b", "value": "safara.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169010", "to_ids": true, "type": "hostname", "uuid": "553ea5b2-636c-4895-ab17-7df3950d210b", "value": "safari.linkpc.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-2500-4957-9bf5-7df3950d210b", "value": "tango.zapto.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-cfd4-49c4-8a27-7df3950d210b", "value": "thenewupdate.chickenkiller.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-2680-4ef8-abfa-7df3950d210b", "value": "thenewupdatee.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-5980-4491-b72c-7df3950d210b", "value": "totoman.no-ip.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-3a8c-4000-bd10-7df3950d210b", "value": "wallanews.publicvm.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-6df4-439a-b3fb-7df3950d210b", "value": "webfile.myq-see.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169011", "to_ids": true, "type": "hostname", "uuid": "553ea5b3-07fc-4556-8e61-7df3950d210b", "value": "ynet.ignorelist.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-4f74-4b2e-8aef-069f950d210b", "value": "185.33.168.150" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-60a8-4e91-8a5e-069f950d210b", "value": "185.45.193.4" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-dfcc-4832-ab96-069f950d210b", "value": "167.114.62.213" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-e7a8-45d5-ad9c-069f950d210b", "value": "131.72.136.11" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-e79c-4df8-afa5-069f950d210b", "value": "131.72.136.171" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-5370-4b69-b208-069f950d210b", "value": "192.253.246.169" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-21b4-4d4f-99a0-069f950d210b", "value": "198.105.122.96" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169073", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f1-ff3c-4991-bce3-069f950d210b", "value": "131.72.136.124" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169074", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f2-38b4-45e5-af77-069f950d210b", "value": "107.168.129.29" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169074", "to_ids": true, "type": "ip-dst", "uuid": "553ea5f2-da38-44ad-8510-069f950d210b", "value": "198.105.122.9" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517779398", "to_ids": true, "type": "yara", "uuid": "553ea60d-1f7c-4bf6-8aa7-f38d950d210b", "value": "rule DownExecute_A {\r\nmeta:\r\n author = \"PwC Cyber Threat Operations :: @tlansec\"\r\n date = \"2015-04\"\r\n reference = \"http://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html\"\r\n description = \"Malware is often wrapped/protected, best to run on memory\"\r\n \r\nstrings:\r\n $winver1 = \"win 8.1\"\r\n $winver2 = \"win Server 2012 R2\"\r\n $winver3 = \"win Srv 2012\"\r\n $winver4 = \"win srv 2008 R2\"\r\n $winver5 = \"win srv 2008\"\r\n $winver6 = \"win vsta\"\r\n $winver7 = \"win srv 2003 R2\"\r\n $winver8 = \"win hm srv\"\r\n $winver9 = \"win Strg srv 2003\"\r\n $winver10 = \"win srv 2003\"\r\n $winver11 = \"win XP prof x64 edt\"\r\n $winver12 = \"win XP\"\r\n $winver13 = \"win 2000\"\r\n \r\n $pdb1 = \"D:\\\\Acms\\\\2\\\\docs\\\\Visual Studio 2013\\\\Projects\\\\DownloadExcute\\\\DownloadExcute\\\\Release\\\\DownExecute.pdb\"\r\n $pdb2 = \"d:\\\\acms\\\\2\\\\docs\\\\visual studio 2013\\\\projects\\\\downloadexcute\\\\downloadexcute\\\\downexecute\\\\json\\\\rapidjson\\\\writer.h\"\r\n $pdb3 = \":\\\\acms\\\\2\\\\docs\\\\visual studio 2013\\\\projects\\\\downloadexcute\\\\downloadexcute\\\\downexecute\\\\json\\\\rapidjson\\\\internal/stack.h\"\r\n $pdb4 = \"\\\\downloadexcute\\\\downexecute\\\\\"\r\n \r\n $magic1 = \" any any (msg:\"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/gtk)\"; flow:established,to_server; urilen:7; content:\"/dw/gtk\"; http_uri; depth:7; content:\"GET\" ; http_method; content:!\"User-Agent:\"; http_header; content:!\"Referer:\"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999901; rev:2015200401;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169246", "to_ids": true, "type": "snort", "uuid": "553ea69e-f448-4133-952a-7df4950d210b", "value": "alert http any any -> any any (msg:\"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute URI (/dw/setup)\"; flow:established,to_server; urilen:>8; content:\"/dw/setup\"; http_uri; depth:9; content:\"POST\" ; http_method; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999902; rev:2015200401;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169246", "to_ids": true, "type": "snort", "uuid": "553ea69e-3fe0-4239-81ac-7df4950d210b", "value": "alert http any any -> any any (msg:\"--[PwC CTD] -- Unclassified Middle Eastern Actor - DownExecute Headers\"; flow:established,to_server; urilen:>7; content:\"Accept */*\"; http_client_body; content:\"Content-Type: multipart/form-data\\; boundary=------------------------\"; http_header; content: \"ci_session=\"; http_cookie; depth:11; content: \"POST\"; http_method; content:!\"Referer:\"; http_header; content:!\"User-Agent:\"; http_header; reference:md5,4dd319a230ee3a0735a656231b4c9063; classtype:trojan-activity; metadata:tlp WHITE,author @ipsosCustodes; sid:99999903; rev:2015200401;)" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1430169321", "to_ids": false, "type": "link", "uuid": "553ea6e9-68bc-4fea-8b0d-ad6d950d210b", "value": "https://malwr.com/analysis/N2I1YmExMjNkMmM3NGQwMThlNjg5YmI4OGY3Mjc3ZmI" }, { "category": "Payload delivery", "comment": "Automatically added (via ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840102", "to_ids": true, "type": "md5", "uuid": "56c65b66-31cc-44b3-87d8-599d950d210f", "value": "360200d659519c5d398b05804975ebbe" }, { "category": "Payload delivery", "comment": "Automatically added (via 8993a516404c0dd62692f3ce5055d4ddee7e29ad4bb6aa29f67114eeeaee26b9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840104", "to_ids": true, "type": "md5", "uuid": "56c65b68-1028-4690-ad05-4bd6950d210f", "value": "89ff2642d8c6b0b49a009a36380495a7" }, { "category": "Payload delivery", "comment": "Automatically added (via dad34d2cb2aa9662d4a4148481ae018f5816498f30cc7aee4919e0e9fe6b9e08)", "deleted": false, "disable_correlation": false, "timestamp": "1455840106", "to_ids": true, "type": "md5", "uuid": "56c65b6a-fa68-4335-b1b2-599f950d210f", "value": "e540076f48d7069bacb6d607f2d389d9" }, { "category": "Payload delivery", "comment": "Automatically added (via 2cb9df0d52d09c98f0a97ce71eb8805f224945cadab7d615ef0257b7b09c80d3)", "deleted": false, "disable_correlation": false, "timestamp": "1455840108", "to_ids": true, "type": "md5", "uuid": "56c65b6c-6984-41f1-80f7-599d950d210f", "value": "77d43f0b32e30a3de6879610666f1b39" }, { "category": "Payload delivery", "comment": "Automatically added (via 1d533ddaefc7859a3f6c6751114e895b7aa5935eb0ed68b01ec61aa8560ae3d9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840109", "to_ids": true, "type": "md5", "uuid": "56c65b6d-eb60-41d2-b66e-5ca1950d210f", "value": "ec05a45ebd201a83974229a79979a672" }, { "category": "Payload delivery", "comment": "Automatically added (via da63f6392ce6af83f6d944fa1bd3f28082345fec928647ee7ef9939fac7b2e6c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840111", "to_ids": true, "type": "md5", "uuid": "56c65b6f-0fe8-462a-921d-59a4950d210f", "value": "cb008f71eb83e68b9f601533910b6cc8" }, { "category": "Payload delivery", "comment": "Automatically added (via a7aeeead233fcdfe1c7475db982497a82d8ae745ec1c58bd87215e8869c3f9e4)", "deleted": false, "disable_correlation": false, "timestamp": "1455840113", "to_ids": true, "type": "md5", "uuid": "56c65b71-0c60-46ca-bc16-c650950d210f", "value": "bc42a09888de8b311f2e9ab0fc966c8c" }, { "category": "Payload delivery", "comment": "Automatically added (via 2eb7aa306551d693691d14558c5dc4f6d80ef8f69cf466149fbba23953c08f7f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840115", "to_ids": true, "type": "md5", "uuid": "56c65b73-aac4-4165-8338-59a2950d210f", "value": "23108c347282ff101a2104bcf54204a8" }, { "category": "Payload delivery", "comment": "Automatically added (via e945b055fb4057a396506c74f73b873694125e6178a40d10cabf24b2d89d598f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840117", "to_ids": true, "type": "md5", "uuid": "56c65b75-278c-421b-9ac1-48b5950d210f", "value": "02305cc3da69cf8d5cd2f6f5ea0ec0e8" }, { "category": "Payload delivery", "comment": "Automatically added (via c9e084eb1ce1066ee063f860c13a8f7d2ead97495036855fc956dacc9a24ea68)", "deleted": false, "disable_correlation": false, "timestamp": "1455840118", "to_ids": true, "type": "md5", "uuid": "56c65b76-8798-4e2a-8e18-c652950d210f", "value": "9c85c9400f941c4f2c8a1833fbc9283f" }, { "category": "Payload delivery", "comment": "Automatically added (via 25e6bf67410dffb95c527c19dcff5223dbc3bf4c987650e45fbea1267072e8ff)", "deleted": false, "disable_correlation": false, "timestamp": "1455840120", "to_ids": true, "type": "md5", "uuid": "56c65b78-c284-4c46-85d8-c654950d210f", "value": "27d3105273529cfca93f73865ee43a40" }, { "category": "Payload delivery", "comment": "Automatically added (via b0edbd0f44df72e0fad3fb73948444a4df5143ed954c9116eb1a7b606841f187)", "deleted": false, "disable_correlation": false, "timestamp": "1455840122", "to_ids": true, "type": "md5", "uuid": "56c65b7a-41b0-4394-8896-401d950d210f", "value": "b7b01ee8548d4097f528ae4280834667" }, { "category": "Payload delivery", "comment": "Automatically added (via de3e25a69ba43b9f236e544ece7f2da82a4fafb4489ad2e263754d9b9d88bc5c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840123", "to_ids": true, "type": "md5", "uuid": "56c65b7b-b638-45c6-8805-457c950d210f", "value": "53754fc20891b33d600f57a6e5975a41" }, { "category": "Payload delivery", "comment": "Automatically added (via f969bf3b7a9821b3b2d5de889b5af7af25972b25ba59e4e9439f87fe90f1c404)", "deleted": false, "disable_correlation": false, "timestamp": "1455840126", "to_ids": true, "type": "md5", "uuid": "56c65b7e-2340-4582-8742-4ef7950d210f", "value": "c7063f0178ea48e02f54769c0da275b8" }, { "category": "Payload delivery", "comment": "Automatically added (via 14be3a9a2a4261cb365915e720486a0632dbebb06fe68fb669ae67aa9b18507b)", "deleted": false, "disable_correlation": false, "timestamp": "1455840127", "to_ids": true, "type": "md5", "uuid": "56c65b7f-b440-49df-8790-c651950d210f", "value": "699067ce203ab9893943905e5b76f106" }, { "category": "Payload delivery", "comment": "Automatically added (via 488ba22d6cb8c9b0310c58fa4c4739692cdf45676c3164b357314322542f9dff)", "deleted": false, "disable_correlation": false, "timestamp": "1455840129", "to_ids": true, "type": "md5", "uuid": "56c65b81-9f28-4766-9da8-599f950d210f", "value": "b0f49c2c29d3966125dd322a504799c6" }, { "category": "Payload delivery", "comment": "Automatically added (via b3a47e0bc0af49b46bc0c1158089bf200856ff462a5334df2b5c11e69c8b1ada)", "deleted": false, "disable_correlation": false, "timestamp": "1455840131", "to_ids": true, "type": "md5", "uuid": "56c65b83-088c-4a6c-b26e-4eb5950d210f", "value": "3dcb43a83a53a965b40de316c1593bca" }, { "category": "Payload delivery", "comment": "Automatically added (via 324ce011b913feec4adb916f32c743a243f07dccb51b49c0122c4fa4a8e2bded)", "deleted": false, "disable_correlation": false, "timestamp": "1455840133", "to_ids": true, "type": "md5", "uuid": "56c65b85-3fd0-446d-b27e-599e950d210f", "value": "5e43b6ca1fa9536f31e09d9a418ac8c3" }, { "category": "Payload delivery", "comment": "Automatically added (via d6df5943169b48ac58fc28bb665fe8800c265b65fff8a2217b70703a4d3a7277)", "deleted": false, "disable_correlation": false, "timestamp": "1455840135", "to_ids": true, "type": "md5", "uuid": "56c65b87-3bf0-4bf8-9b1b-59a1950d210f", "value": "18d2222b56a499946e107721e5057a71" }, { "category": "Payload delivery", "comment": "Automatically added (via f51d4155534e10c09b531acc41458e8ff3b7879f4ee7d3ee99f16180c4caf0ee)", "deleted": false, "disable_correlation": false, "timestamp": "1455840136", "to_ids": true, "type": "md5", "uuid": "56c65b88-8ec8-4223-8876-5f51950d210f", "value": "6203dde9fad9da6f9a85d609397105f0" }, { "category": "Payload delivery", "comment": "Automatically added (via bc846caa05939b085837057bc4b9303357602ece83dc1380191bddd1402d4a2b)", "deleted": false, "disable_correlation": false, "timestamp": "1455840138", "to_ids": true, "type": "md5", "uuid": "56c65b8a-e6e8-4d6d-a440-5ca1950d210f", "value": "7f684863780310a718254ff0f7f28ed2" }, { "category": "Payload delivery", "comment": "Automatically added (via ecc240f1983007177bc5bbecba50eea27b80fd3d14fd261bef6cda10b8ffe1e9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840103", "to_ids": true, "type": "sha1", "uuid": "56c65b67-02cc-4e07-ab72-c652950d210f", "value": "53c0008d517ca133be44f172f44c4b129d8e4c7a" }, { "category": "Payload delivery", "comment": "Automatically added (via 8993a516404c0dd62692f3ce5055d4ddee7e29ad4bb6aa29f67114eeeaee26b9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840104", "to_ids": true, "type": "sha1", "uuid": "56c65b68-8d98-45bb-a12e-4ad8950d210f", "value": "89e71644f5da253f5c22b86eb5914be20fb9b067" }, { "category": "Payload delivery", "comment": "Automatically added (via dad34d2cb2aa9662d4a4148481ae018f5816498f30cc7aee4919e0e9fe6b9e08)", "deleted": false, "disable_correlation": false, "timestamp": "1455840106", "to_ids": true, "type": "sha1", "uuid": "56c65b6a-7dfc-4cbf-b4eb-5f51950d210f", "value": "893723d32824802f95e77c81779c09dac0752b1d" }, { "category": "Payload delivery", "comment": "Automatically added (via 2cb9df0d52d09c98f0a97ce71eb8805f224945cadab7d615ef0257b7b09c80d3)", "deleted": false, "disable_correlation": false, "timestamp": "1455840108", "to_ids": true, "type": "sha1", "uuid": "56c65b6c-7518-408a-9df8-599c950d210f", "value": "e25d458c398b591bb6c6e6c8a3cfff17db2ea090" }, { "category": "Payload delivery", "comment": "Automatically added (via 1d533ddaefc7859a3f6c6751114e895b7aa5935eb0ed68b01ec61aa8560ae3d9)", "deleted": false, "disable_correlation": false, "timestamp": "1455840110", "to_ids": true, "type": "sha1", "uuid": "56c65b6e-f1ec-4cd4-8003-408b950d210f", "value": "b5ec494f4f82bffbe6d8ddcaa927aabebe2fbd9d" }, { "category": "Payload delivery", "comment": "Automatically added (via da63f6392ce6af83f6d944fa1bd3f28082345fec928647ee7ef9939fac7b2e6c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840112", "to_ids": true, "type": "sha1", "uuid": "56c65b70-3e28-4f7e-8aec-c654950d210f", "value": "ce92d1c03fc8fc965134b9163fe450794580f120" }, { "category": "Payload delivery", "comment": "Automatically added (via a7aeeead233fcdfe1c7475db982497a82d8ae745ec1c58bd87215e8869c3f9e4)", "deleted": false, "disable_correlation": false, "timestamp": "1455840114", "to_ids": true, "type": "sha1", "uuid": "56c65b72-2fc4-4f2f-b527-c653950d210f", "value": "a0d914ee2a550f50f4d550863a23f724aab0f3ac" }, { "category": "Payload delivery", "comment": "Automatically added (via 2eb7aa306551d693691d14558c5dc4f6d80ef8f69cf466149fbba23953c08f7f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840115", "to_ids": true, "type": "sha1", "uuid": "56c65b73-da4c-4630-bc08-59a1950d210f", "value": "278ab45a4c27ec3ba63dff735feccf0ef91132ed" }, { "category": "Payload delivery", "comment": "Automatically added (via e945b055fb4057a396506c74f73b873694125e6178a40d10cabf24b2d89d598f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840117", "to_ids": true, "type": "sha1", "uuid": "56c65b75-0c00-400e-ad78-4c81950d210f", "value": "49ec769c344a9dfbe3c40b0d4511be328c91d983" }, { "category": "Payload delivery", "comment": "Automatically added (via c9e084eb1ce1066ee063f860c13a8f7d2ead97495036855fc956dacc9a24ea68)", "deleted": false, "disable_correlation": false, "timestamp": "1455840119", "to_ids": true, "type": "sha1", "uuid": "56c65b77-c504-4b7f-b510-599e950d210f", "value": "6293a9dc5b161fe3c26db6bdecc9cba15fdbe50e" }, { "category": "Payload delivery", "comment": "Automatically added (via 25e6bf67410dffb95c527c19dcff5223dbc3bf4c987650e45fbea1267072e8ff)", "deleted": false, "disable_correlation": false, "timestamp": "1455840121", "to_ids": true, "type": "sha1", "uuid": "56c65b79-cbd0-4b99-97e9-c651950d210f", "value": "5f0adbe4946e65ca32356e9dc68b6ccc5ef8b01a" }, { "category": "Payload delivery", "comment": "Automatically added (via b0edbd0f44df72e0fad3fb73948444a4df5143ed954c9116eb1a7b606841f187)", "deleted": false, "disable_correlation": false, "timestamp": "1455840122", "to_ids": true, "type": "sha1", "uuid": "56c65b7a-43c8-4f09-99c6-59a1950d210f", "value": "cd195f91a78e478f3b7bef77d4a7f93bccc36f20" }, { "category": "Payload delivery", "comment": "Automatically added (via de3e25a69ba43b9f236e544ece7f2da82a4fafb4489ad2e263754d9b9d88bc5c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840124", "to_ids": true, "type": "sha1", "uuid": "56c65b7c-f558-467f-beaf-c654950d210f", "value": "830be8a5fefd30f2b2697f2c0dded59d9646d017" }, { "category": "Payload delivery", "comment": "Automatically added (via f969bf3b7a9821b3b2d5de889b5af7af25972b25ba59e4e9439f87fe90f1c404)", "deleted": false, "disable_correlation": false, "timestamp": "1455840126", "to_ids": true, "type": "sha1", "uuid": "56c65b7e-d13c-447d-847d-c653950d210f", "value": "89e37cb4324379165a3780bb57a2195ce67937ee" }, { "category": "Payload delivery", "comment": "Automatically added (via 14be3a9a2a4261cb365915e720486a0632dbebb06fe68fb669ae67aa9b18507b)", "deleted": false, "disable_correlation": false, "timestamp": "1455840128", "to_ids": true, "type": "sha1", "uuid": "56c65b80-145c-4b6a-9286-4696950d210f", "value": "cd2565d041bbb3563b605978f4603da78e98e4a0" }, { "category": "Payload delivery", "comment": "Automatically added (via 488ba22d6cb8c9b0310c58fa4c4739692cdf45676c3164b357314322542f9dff)", "deleted": false, "disable_correlation": false, "timestamp": "1455840130", "to_ids": true, "type": "sha1", "uuid": "56c65b82-bae8-48d4-83c2-c651950d210f", "value": "498edcff006dbf86b36cea721c0541ac86e06d66" }, { "category": "Payload delivery", "comment": "Automatically added (via b3a47e0bc0af49b46bc0c1158089bf200856ff462a5334df2b5c11e69c8b1ada)", "deleted": false, "disable_correlation": false, "timestamp": "1455840132", "to_ids": true, "type": "sha1", "uuid": "56c65b84-d4ac-4702-8e6c-599d950d210f", "value": "b95e8757b6935745dab2f6f943c73de3fe7b6d0b" }, { "category": "Payload delivery", "comment": "Automatically added (via 324ce011b913feec4adb916f32c743a243f07dccb51b49c0122c4fa4a8e2bded)", "deleted": false, "disable_correlation": false, "timestamp": "1455840134", "to_ids": true, "type": "sha1", "uuid": "56c65b86-df2c-4d5a-afb9-59a2950d210f", "value": "0700d5b49f9a7f530874355e7c998407c8d21fc7" }, { "category": "Payload delivery", "comment": "Automatically added (via d6df5943169b48ac58fc28bb665fe8800c265b65fff8a2217b70703a4d3a7277)", "deleted": false, "disable_correlation": false, "timestamp": "1455840135", "to_ids": true, "type": "sha1", "uuid": "56c65b87-b28c-451d-865b-599c950d210f", "value": "c31d298a16a00f9d079afbb9f7f6d711bc96fdeb" }, { "category": "Payload delivery", "comment": "Automatically added (via f51d4155534e10c09b531acc41458e8ff3b7879f4ee7d3ee99f16180c4caf0ee)", "deleted": false, "disable_correlation": false, "timestamp": "1455840137", "to_ids": true, "type": "sha1", "uuid": "56c65b89-c7ec-4143-9e7e-c652950d210f", "value": "3ab9230f3e8e4af499040f2d88b9dda5fedbb888" }, { "category": "Payload delivery", "comment": "Automatically added (via bc846caa05939b085837057bc4b9303357602ece83dc1380191bddd1402d4a2b)", "deleted": false, "disable_correlation": false, "timestamp": "1455840139", "to_ids": true, "type": "sha1", "uuid": "56c65b8b-dab0-4b90-a6d3-47d7950d210f", "value": "1088706ce7d3c623896c6fed3090eacdca832263" } ] } }