{ "Event": { "analysis": "2", "date": "2016-07-28", "extends_uuid": "", "info": "OSINT Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight by ProofPoint", "publish_timestamp": "1493405850", "published": true, "threat_level_id": "3", "timestamp": "1493403458", "uuid": "57a89cb0-1a80-4f24-a85b-43d4950d210f", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "OSINT" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470667994", "to_ids": false, "type": "link", "uuid": "57a89cda-502c-4c00-872c-4a2e950d210f", "value": "https://www.proofpoint.com/us/threat-insight/post/massive-adgholas-malvertising-campaigns-use-steganography-and-file-whitelisting-to-hide-in-plain-sight" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668135", "to_ids": true, "type": "domain", "uuid": "57a89d67-90f4-4ecd-94cf-4fe3950d210f", "value": "brainram.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668135", "to_ids": true, "type": "domain", "uuid": "57a89d67-a718-4757-9714-4c32950d210f", "value": "cleanerzoomer.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668135", "to_ids": true, "type": "domain", "uuid": "57a89d67-b980-4c96-98cd-49d4950d210f", "value": "cruzame.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668136", "to_ids": true, "type": "domain", "uuid": "57a89d68-4270-4382-8191-4e03950d210f", "value": "ec-centre.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668136", "to_ids": true, "type": "domain", "uuid": "57a89d68-1038-4f62-8001-4694950d210f", "value": "emaxing.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668136", "to_ids": true, "type": "domain", "uuid": "57a89d68-da14-49b0-bfd0-4da6950d210f", "value": "iipus.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668136", "to_ids": true, "type": "domain", "uuid": "57a89d68-afb0-4700-9591-45aa950d210f", "value": "mamaniaca.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668136", "to_ids": true, "type": "domain", "uuid": "57a89d68-6164-4769-81be-4f7f950d210f", "value": "merovinjo.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668137", "to_ids": true, "type": "domain", "uuid": "57a89d69-c0d8-4caf-ba31-4882950d210f", "value": "moyeuvelo.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668137", "to_ids": true, "type": "domain", "uuid": "57a89d69-e450-46a2-8c02-4741950d210f", "value": "ponteblue.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668137", "to_ids": true, "type": "domain", "uuid": "57a89d69-a9e8-474c-9860-4641950d210f", "value": "sensecreator.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668137", "to_ids": true, "type": "domain", "uuid": "57a89d69-f0f0-43db-9991-44af950d210f", "value": "tjprofile.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668137", "to_ids": true, "type": "domain", "uuid": "57a89d69-6ddc-4e3a-95fa-4616950d210f", "value": "xuwakix.com" }, { "category": "Network activity", "comment": "Domain shadowing", "deleted": false, "disable_correlation": false, "timestamp": "1470668152", "to_ids": true, "type": "hostname", "uuid": "57a89d78-73b8-4bdf-94c7-4dee950d210f", "value": "a.stylefinishdesign.com.au" }, { "category": "Network activity", "comment": "Domain shadowing", "deleted": false, "disable_correlation": false, "timestamp": "1470668153", "to_ids": true, "type": "hostname", "uuid": "57a89d79-fb18-4d5e-a545-4b5f950d210f", "value": "ads.avodirect.ca" }, { "category": "Network activity", "comment": "Domain shadowing", "deleted": false, "disable_correlation": false, "timestamp": "1470668153", "to_ids": true, "type": "hostname", "uuid": "57a89d79-ff64-4fc0-8c91-45d3950d210f", "value": "ads.boxerbuilding.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668171", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8b-d4e8-4e15-a1c0-4cee950d210f", "value": "162.247.14.213" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668171", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8b-6814-4875-94fb-406b950d210f", "value": "179.43.147.195" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668171", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8b-12d4-4382-833b-47fb950d210f", "value": "179.43.147.242" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668171", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8b-3c2c-4a1a-9d96-4b7f950d210f", "value": "192.240.97.164" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668171", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8b-f15c-4025-9bee-4984950d210f", "value": "193.109.69.212" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-b1c4-4231-95f3-4255950d210f", "value": "5.187.5.206" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-8b50-4e83-b456-4dca950d210f", "value": "50.7.124.160" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-9f10-43b7-8bb8-4e7d950d210f", "value": "50.7.124.184" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-2560-4076-b500-4bc6950d210f", "value": "50.7.124.215" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-0480-4e00-9e29-4bd2950d210f", "value": "50.7.143.14" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668172", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8c-6e94-4bbb-9f0c-4a66950d210f", "value": "50.7.143.70" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668173", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8d-7dc8-4433-8ed1-41ae950d210f", "value": "95.154.199.135" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668173", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8d-c7e8-490f-93cf-4646950d210f", "value": "95.154.199.181" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668173", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8d-4138-4acf-9696-4e09950d210f", "value": "95.154.199.182" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668173", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8d-abb0-4604-9cc9-4e9e950d210f", "value": "95.154.199.67" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668173", "to_ids": true, "type": "ip-dst", "uuid": "57a89d8d-74b0-4507-9ea8-4cea950d210f", "value": "95.154.199.79" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668285", "to_ids": true, "type": "sha256", "uuid": "57a89dfd-d4d0-468f-b66b-4181950d210f", "value": "09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668285", "to_ids": true, "type": "sha256", "uuid": "57a89dfd-0088-4d78-921a-4d6c950d210f", "value": "0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668286", "to_ids": true, "type": "sha256", "uuid": "57a89dfe-215c-4030-97c0-4f17950d210f", "value": "588fe945aeba2099e0f1743f046ee82cb7b92737fbae8673faeba50faebba847" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668286", "to_ids": true, "type": "sha256", "uuid": "57a89dfe-19b0-491a-96ac-4975950d210f", "value": "5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668286", "to_ids": true, "type": "sha256", "uuid": "57a89dfe-7d38-4e77-a631-4326950d210f", "value": "676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668286", "to_ids": true, "type": "sha256", "uuid": "57a89dfe-a39c-4b20-98a0-4aff950d210f", "value": "7ea69328bc3dbaa53db243c3b789f719bb14283c32168f1bc8ea947fedf968f8" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668287", "to_ids": true, "type": "sha256", "uuid": "57a89dff-8c98-43fb-b064-4ce9950d210f", "value": "a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668287", "to_ids": true, "type": "sha256", "uuid": "57a89dff-2a30-48e7-bbd3-41e2950d210f", "value": "af4ad3afa72ac39650f508a5f301c6e37b2b5f296563e43cd29eff49b8f25c7c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668287", "to_ids": true, "type": "sha256", "uuid": "57a89dff-e68c-4ee7-a7a1-4202950d210f", "value": "b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668287", "to_ids": true, "type": "sha256", "uuid": "57a89dff-dd6c-4400-87bd-4d32950d210f", "value": "d2d8de76afcf1fec3b8a41b1fc41405051c352b38b215666197d7045a79b99a9" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668287", "to_ids": true, "type": "sha256", "uuid": "57a89dff-f750-4895-8537-4f40950d210f", "value": "e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668288", "to_ids": true, "type": "sha256", "uuid": "57a89e00-cbec-4c22-8682-4751950d210f", "value": "e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668313", "to_ids": true, "type": "domain", "uuid": "57a89e19-57ac-45fe-9c0a-403a950d210f", "value": "allerager.click" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668313", "to_ids": true, "type": "domain", "uuid": "57a89e19-5ae0-4597-9a74-4fc1950d210f", "value": "amyrwsmur.click" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668313", "to_ids": true, "type": "domain", "uuid": "57a89e19-1964-4253-b0a4-4154950d210f", "value": "biicqwfvqiec.click" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668314", "to_ids": true, "type": "domain", "uuid": "57a89e1a-1a10-451d-9ccf-4c2c950d210f", "value": "cmedia.cloud" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668325", "to_ids": true, "type": "ip-dst", "uuid": "57a89e25-a258-49ba-a36a-4ddf950d210f", "value": "108.61.103.205" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668325", "to_ids": true, "type": "ip-dst", "uuid": "57a89e25-6a28-4026-8108-4ae1950d210f", "value": "176.31.62.78" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668326", "to_ids": true, "type": "ip-dst", "uuid": "57a89e26-8b3c-4a3c-a88d-4eaa950d210f", "value": "198.105.244.11" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668326", "to_ids": true, "type": "ip-dst", "uuid": "57a89e26-5eac-41cb-90fc-4e9d950d210f", "value": "45.32.157.168" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668326", "to_ids": true, "type": "ip-dst", "uuid": "57a89e26-8f3c-447c-a0f6-40f0950d210f", "value": "93.190.177.179" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668345", "to_ids": true, "type": "domain", "uuid": "57a89e39-43c4-4c41-ad7e-4943950d210f", "value": "987034569274692894.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668345", "to_ids": true, "type": "domain", "uuid": "57a89e39-6d00-4231-8fe4-4ab5950d210f", "value": "allkindsublidamages.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668345", "to_ids": true, "type": "domain", "uuid": "57a89e39-d61c-4e8b-b526-48c0950d210f", "value": "allenia.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668346", "to_ids": true, "type": "domain", "uuid": "57a89e3a-021c-4005-bfea-4d4f950d210f", "value": "fqelkidudcwb.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668346", "to_ids": true, "type": "domain", "uuid": "57a89e3a-bf48-4851-a137-486d950d210f", "value": "genetyoucircuminformed.xyz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668346", "to_ids": true, "type": "domain", "uuid": "57a89e3a-44f0-4b61-a213-492a950d210f", "value": "ionbudeerttsq.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668346", "to_ids": true, "type": "domain", "uuid": "57a89e3a-9d0c-4a94-881a-4e9d950d210f", "value": "j73gdy64reff625r.cc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668346", "to_ids": true, "type": "domain", "uuid": "57a89e3a-2fd0-455c-aedb-45f7950d210f", "value": "oghtjpo.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668347", "to_ids": true, "type": "domain", "uuid": "57a89e3b-e718-421b-b049-40ed950d210f", "value": "othrebso.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668347", "to_ids": true, "type": "domain", "uuid": "57a89e3b-4be0-47b1-ba46-466c950d210f", "value": "andnetscapeadefective.ru" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668347", "to_ids": true, "type": "domain", "uuid": "57a89e3b-c38c-4943-817e-414a950d210f", "value": "allerapo.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668347", "to_ids": true, "type": "domain", "uuid": "57a89e3b-bb78-43bb-b705-42e0950d210f", "value": "blastercast.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668348", "to_ids": true, "type": "domain", "uuid": "57a89e3c-da8c-49cd-8129-40c1950d210f", "value": "enwhhdvfolsn.click" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668348", "to_ids": true, "type": "domain", "uuid": "57a89e3c-7364-4edc-84e9-4dda950d210f", "value": "gegbghtyg.eu" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668348", "to_ids": true, "type": "domain", "uuid": "57a89e3c-705c-47a0-ad9d-4c67950d210f", "value": "heleryjoortusd.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668348", "to_ids": true, "type": "domain", "uuid": "57a89e3c-6398-46b8-89d8-49ac950d210f", "value": "obesca.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668348", "to_ids": true, "type": "domain", "uuid": "57a89e3c-1f7c-4b02-9a37-43b3950d210f", "value": "stream.gizdosales.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668363", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4b-80ec-45f4-9cef-4cfe950d210f", "value": "112.20.178.110" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668363", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4b-2018-4f65-adc0-48b3950d210f", "value": "192.42.116.41" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668363", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4b-b734-46dc-b3f6-453a950d210f", "value": "212.92.127.39" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-60b8-4768-992f-4019950d210f", "value": "45.32.154.141" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-d3c0-4276-855f-4403950d210f", "value": "45.32.245.19" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-e0cc-47d1-90b7-4c81950d210f", "value": "46.45.169.120" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-4194-4bdb-86c6-41f0950d210f", "value": "46.45.169.182" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-7624-43f7-b5b4-4780950d210f", "value": "87.98.254.64" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668364", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4c-00c0-46e1-8d8a-47e3950d210f", "value": "91.233.116.174" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668365", "to_ids": true, "type": "ip-dst", "uuid": "57a89e4d-f93c-470c-9eb1-4ebd950d210f", "value": "94.242.254.51" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668400", "to_ids": true, "type": "yara", "uuid": "57a89e70-2270-4df0-ad4c-495f950d210f", "value": "rule AdGholas_mem\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $a1 = \"(3e8)!=\" ascii wide\r\n $a2 = /href=\\x22\\.\\x22\\+[a-z]+\\,mimeType\\}/ ascii wide\r\n $a3 = /\\+[a-z]+\\([\\x22\\x27]divx[^\\x22\\x27]+torrent[^\\x22\\x27]*[\\x22\\x27]\\.split/ ascii wide\r\n $a4 = \"chls\" nocase ascii wide\r\n $a5 = \"saz\" nocase ascii wide\r\n $a6 = \"flac\" nocase ascii wide\r\n $a7 = \"pcap\" nocase ascii wide\r\n\r\n condition:\r\n all of ($a*)\r\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668412", "to_ids": true, "type": "yara", "uuid": "57a89e7c-1090-44a6-8d7e-4be2950d210f", "value": "rule AdGholas_mem_MIME\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $b1=\".300000000\" ascii nocase wide fullword\r\n $b2=\".saz\" ascii nocase wide fullword\r\n $b3=\".py\" ascii nocase wide fullword\r\n $b4=\".pcap\" ascii nocase wide fullword\r\n $b5=\".chls\" ascii nocase wide fullword\r\n\r\n condition:\r\n all of ($b*)\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668439", "to_ids": true, "type": "yara", "uuid": "57a89e97-d100-4a36-a731-41e6950d210f", "value": "rule AdGholas_mem_antisec_M2\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $s1 = \"ActiveXObject(\\\"Microsoft.XMLDOM\\\")\" nocase ascii wide\r\n $s2 = \"loadXML\" nocase ascii wide fullword\r\n $s3 = \"parseError.errorCode\" nocase ascii wide\r\n $s4 = /res\\x3a\\x2f\\x2f[\\x27\\x22]\\x2b/ nocase ascii wide\r\n $s5 = /\\x251e3\\x21\\s*\\x3d\\x3d\\s*[a-zA-Z]+\\x3f1\\x3a0/ nocase ascii wide\r\n\r\n condition:\r\n all of ($s*)\r\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1470668452", "to_ids": true, "type": "yara", "uuid": "57a89ea4-0130-4423-bba4-4c31950d210f", "value": "rule AdGholas_mem_MIME_M2\r\n{\r\n meta:\r\n malfamily = \"AdGholas\"\r\n\r\n strings:\r\n $s1 = \"halog\" nocase ascii wide fullword\r\n $s2 = \"pcap\" nocase ascii wide fullword\r\n $s3 = \"saz\" nocase ascii wide fullword\r\n $s4 = \"chls\" nocase ascii wide fullword\r\n $s5 = /return[^\\x3b\\x7d\\n]+href\\s*=\\s*[\\x22\\x27]\\x2e[\\x27\\x22]\\s*\\+\\s*[^\\x3b\\x7d\\n]+\\s*,\\s*[^\\x3b\\x7d\\n]+\\.mimeType/ nocase ascii wide\r\n $s6 = /\\x21==[a-zA-Z]+\\x3f\\x210\\x3a\\x211/ nocase ascii wide\r\n\r\n condition:\r\n all of ($s*)\r\n}" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb)", "deleted": false, "disable_correlation": false, "timestamp": "1470668582", "to_ids": true, "type": "md5", "uuid": "57a89f26-2de4-4480-8200-4cbf950d210f", "value": "59e964c3556c3edee5ec46047d22334f" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e)", "deleted": false, "disable_correlation": false, "timestamp": "1470668584", "to_ids": true, "type": "md5", "uuid": "57a89f28-0cb8-47cc-956b-46c3950d210f", "value": "6ab935d12654160bb9dc2c423330b04c" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c)", "deleted": false, "disable_correlation": false, "timestamp": "1470668587", "to_ids": true, "type": "md5", "uuid": "57a89f2b-fbe4-4dbe-bd19-4213950d210f", "value": "f3b3266a92725d42c2bc8a1a6fb49a69" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0)", "deleted": false, "disable_correlation": false, "timestamp": "1470668589", "to_ids": true, "type": "md5", "uuid": "57a89f2d-62f8-4437-9b65-4c69950d210f", "value": "9b03a798139e9509322ce95755ac4250" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0)", "deleted": false, "disable_correlation": false, "timestamp": "1470668593", "to_ids": true, "type": "md5", "uuid": "57a89f31-6610-4e18-95f6-4299950d210f", "value": "c8f5b2b6507d0fd7e421c5b59699deb7" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44)", "deleted": false, "disable_correlation": false, "timestamp": "1470668596", "to_ids": true, "type": "md5", "uuid": "57a89f34-3640-4efb-bf6e-4457950d210f", "value": "fd6b65fc06598d473baa02d4c81b26f0" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4)", "deleted": false, "disable_correlation": false, "timestamp": "1470668599", "to_ids": true, "type": "md5", "uuid": "57a89f37-a410-4538-9926-4924950d210f", "value": "92094b6882ce0584feb37de21266d38b" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19)", "deleted": false, "disable_correlation": false, "timestamp": "1470668601", "to_ids": true, "type": "md5", "uuid": "57a89f39-9594-4912-a651-4c88950d210f", "value": "88e1bd67c7bd0554fda176d5621d08dc" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 09ba8463a09bbb430987ac1cbcbb7004c3be6b9bcf72b2db2333e599cc4203eb)", "deleted": false, "disable_correlation": false, "timestamp": "1470668583", "to_ids": true, "type": "sha1", "uuid": "57a89f27-1940-4f9c-9e98-4729950d210f", "value": "997d1ecef80855818be02c2faf8aba21f813c090" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 0ca994d7e06405793f8fc9b9ced5364bd0dd46119031b8b0d09f03e8bbffb85e)", "deleted": false, "disable_correlation": false, "timestamp": "1470668585", "to_ids": true, "type": "sha1", "uuid": "57a89f29-378c-418b-b5a0-458a950d210f", "value": "5500fbff24ef6d5de69970794ac0a1296099f6bc" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 5962b458a0d3852a6974836951dc072593ecd4407b58dccad4a38eccc39dc54c)", "deleted": false, "disable_correlation": false, "timestamp": "1470668588", "to_ids": true, "type": "sha1", "uuid": "57a89f2c-5070-44d4-aed7-41b8950d210f", "value": "da9b18ff7f24fb9c80cab35bf93b7269416ed761" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 676ea2b87029e18edf3a1b221e5173cbc7a5dc73da9e48b09644eac65ab544f0)", "deleted": false, "disable_correlation": false, "timestamp": "1470668590", "to_ids": true, "type": "sha1", "uuid": "57a89f2e-297c-48df-b8be-437d950d210f", "value": "ebeef25bc783181cdb52f287c4dea3cc870e7bf2" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a5881a71d46346224e3d23d49a0577ea898fab3ea619d0e1acc77c982787fca0)", "deleted": false, "disable_correlation": false, "timestamp": "1470668594", "to_ids": true, "type": "sha1", "uuid": "57a89f32-0920-44c2-bc0b-4570950d210f", "value": "5bd373b0c41890881a4e0e6b51452291fb63df62" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b46408cefa56cd09faa2d994271f03fcae9aa27dee279ea2eb71e163a15c3d44)", "deleted": false, "disable_correlation": false, "timestamp": "1470668596", "to_ids": true, "type": "sha1", "uuid": "57a89f34-ad98-4946-badd-43fe950d210f", "value": "6da1337d040189ea6d5c869e6aedd7baf5762cd8" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e06b753aa98e1b8fdc7c8ee1cbd07f5d46b2bbf88ebc8d450c8f24c6e79520a4)", "deleted": false, "disable_correlation": false, "timestamp": "1470668599", "to_ids": true, "type": "sha1", "uuid": "57a89f37-f7ac-408c-ace5-4609950d210f", "value": "63ed0f2fda0005f302b4ca9a810a76011cbe7045" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e7febe0cdfa798c3bb78e5ca8fd143b4721b04ff4d81cfea2b4c7b9da039fa19)", "deleted": false, "disable_correlation": false, "timestamp": "1470668602", "to_ids": true, "type": "sha1", "uuid": "57a89f3a-58cc-4f61-b95b-446a950d210f", "value": "e52ecfdca76e20d8fa23957388e0ce3043047c98" } ] } }