{
|
|
"Event": {
|
|
"analysis": "0",
|
|
"date": "2023-04-20",
|
|
"extends_uuid": "",
|
|
"info": "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible",
|
|
"publish_timestamp": "1687419940",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1684937230",
|
|
"uuid": "207feacb-6379-484d-8bea-b7281114b381",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:clear",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075300",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Digital Certificates - T1588.004\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Install Digital Certificate - T1608.003\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#053a00",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064b00",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#065000",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064700",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"System Language Discovery - T1614.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#075700",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#064500",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Data Manipulation - T1565\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:backdoor=\"POOLRAT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"POOLRAT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"IconicStealer\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"ICONICSTEALER\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"DAVESHELL\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"SIGFLIP\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:backdoor=\"VEILEDSIGNAL\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"COLDCAT\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"TAXHAUL\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1682598807",
|
|
"to_ids": false,
|
|
"type": "snort",
|
|
"uuid": "726049e7-9805-44ee-a0bc-65c50ba1a1bb",
|
|
"value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"raw.githubusercontent.com/IconStorages/images/main/\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1682598807",
|
|
"to_ids": false,
|
|
"type": "snort",
|
|
"uuid": "a555296d-3c37-415f-8745-b3c68a1496fe",
|
|
"value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"3cx_auth_id=%s\\;3cx_auth_token_content=%s\\;__tutma=true\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1682598807",
|
|
"to_ids": false,
|
|
"type": "snort",
|
|
"uuid": "72986e52-7181-482d-add1-d79c32b22c96",
|
|
"value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1682598807",
|
|
"to_ids": false,
|
|
"type": "snort",
|
|
"uuid": "487ed5ed-71b9-4029-baa0-8e1b1e98da01",
|
|
"value": "alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutmc\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1683108136",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "f6027cce-03d8-4a41-aa37-202458d4fc64",
|
|
"value": "c6441c961dcad0fe127514a918eaabd4"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1683108136",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "2f7a8f74-a0ee-40d7-9e05-1c4908ad0664",
|
|
"value": "www.tradingtechnologies.com/trading/order-management"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1683204346",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "6b0e7a84-17ce-42fe-8a63-8bee1ec4255d",
|
|
"value": "www.tradingtechnologies.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1683207715",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "aea819dd-d381-49c3-aee2-d9b81ca94bf1",
|
|
"value": "451c23709ecd5a8461ad060f6346930c"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1682509494",
|
|
"uuid": "ffe5d3e8-741f-43b0-8414-8af137482627",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1682509494",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "49106857-2ef9-433c-83a3-d96bc057fff5",
|
|
"value": "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1682509494",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "3ca7b986-49fe-4352-9e3b-889f9a0d0f58",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682587388",
|
|
"uuid": "bf154df5-cd9c-4867-a76b-2122be53198e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682587388",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "9521a1e1-903f-4a15-966c-d0999a2890e1",
|
|
"value": "rule M_Hunting_3CXDesktopApp_Key {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects a key found in a malicious 3CXDesktopApp file\"\r\n\r\n\u202f\u202f\u202f md5 = \"74bc2d0b6680faa1a5a76b27e5479cbc\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/29\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $key = \"3jB(2bsG#@c7\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f $key\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682587388",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "9406e1bb-a404-439c-b67f-64f3778bcb54",
|
|
"value": "M_Hunting_3CXDesktopApp_Key"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682587511",
|
|
"uuid": "b589edd7-0f8d-4c01-8eb7-7119b9a9b718",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682587511",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "e7b39492-a458-4cb5-b385-29ec96f84f3e",
|
|
"value": "rule M_Hunting_3CXDesktopApp_Export {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n\u202f\u202f\u202f description = \"Detects an export used in 3CXDesktopApp malware\"\r\n\r\n\u202f\u202f\u202f md5 = \"7faea2b01796b80d180399040bb69835\"\r\n\r\n\u202f\u202f\u202f date = \"2023/03/31\"\r\n\r\n\u202f\u202f\u202f version = \"1\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $str1 = \"DllGetClassObject\" wide ascii\r\n\r\n\u202f\u202f\u202f $str2 = \"3CXDesktopApp\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f all of ($str*)\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682587511",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0b9de3e7-5648-403c-b09d-32818d853cd3",
|
|
"value": "M_Hunting_3CXDesktopApp_Export"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682587655",
|
|
"uuid": "2c9c3600-a5e3-49eb-a53d-34480e340b41",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682587655",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "9ac291ed-fb3a-402b-81ff-097a5bc548c1",
|
|
"value": "rule TAXHAUL\r\n{\r\n\u202f meta:\r\n\u202f author = \"Mandiant\"\r\n\u202f created = \"04/03/2023\"\r\n\u202f modified = \"04/03/2023\"\r\n\u202f version = \"1.0\"\r\n\u202f strings:\r\n\u202f\u202f\u202f $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n\u202f\u202f\u202f $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\n\u202f condition:\r\n\u202f\u202f\u202f uint16(0) == 0x5A4D and any of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682587655",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "7d365f5f-2353-4f56-89fb-728b3e64c03f",
|
|
"value": "TAXHAUL"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588366",
|
|
"uuid": "e591c3ee-02d0-438f-89ff-cf300e43d799",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588366",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "482b3caa-594a-4c9e-b739-62c22f863b62",
|
|
"value": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588366",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "d34aa070-1978-4a64-b5cd-1ae0fb5eba3d",
|
|
"value": "M_Hunting_MSI_Installer_3CX_1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588428",
|
|
"uuid": "acdd9039-c804-4b19-8206-e53b552cc1c2",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588428",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "047625c7-cd6d-49cc-b1c4-1d6036845705",
|
|
"value": "rule M_Hunting_SigFlip_SigLoader_Native\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for strings present in SigLoader (Native)\"\r\n\r\nmd5 = \"a3ccc48db9eabfed7245ad6e3a5b203f\"\r\n\r\nstrings:\r\n\r\n$s1 = \"[*]: Basic Loader...\" ascii wide\r\n\r\n$s2 = \"[!]: Missing PE path or Encryption Key...\" ascii wide\r\n\r\n$s3 = \"[!]: Usage: %s <PE_PATH> <Encryption_Key>\" ascii wide\r\n\r\n$s4 = \"[*]: Loading/Parsing PE File '%s'\" ascii wide\r\n\r\n$s5 = \"[!]: Could not read file %s\" ascii wide\r\n\r\n$s6 = \"[!]: '%s' is not a valid PE file\" ascii wide\r\n\r\n$s7 = \"[+]: Certificate Table RVA %x\" ascii wide\r\n\r\n$s8 = \"[+]: Certificate Table Size %d\" ascii wide\r\n\r\n$s9 = \"[*]: Tag Found 0x%x%x%x%x\" ascii wide\r\n\r\n$s10 = \"[!]: Could not locate data/shellcode\" ascii wide\r\n\r\n$s11 = \"[+]: Encrypted/Decrypted Data Size %d\" ascii wide\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588428",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "3a498c7c-aedc-43c4-80d3-378bf95a5697",
|
|
"value": "M_Hunting_SigFlip_SigLoader_Native"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588570",
|
|
"uuid": "72b98f0f-932a-4705-b155-24749dacf208",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588570",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "387a3373-5e01-467e-9a60-780fad94cbde",
|
|
"value": "rule M_Hunting_Raw64_DAVESHELL_Bootstrap\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL\"\r\n\r\nmd5 = \"8a34adda5b981498234be921f86dfb27\"\r\n\r\nstrings:\r\n\r\n$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\n$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and any of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588570",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f9130426-5fd4-4afc-b997-5b9c817ed9e3",
|
|
"value": "M_Hunting_Raw64_DAVESHELL_Bootstrap"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588610",
|
|
"uuid": "e2929d32-2c8d-4998-b7e1-c877dad4a15e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588610",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "9364b556-cdcd-4a73-9dce-fe677eab0f40",
|
|
"value": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate\"\r\n\r\nmd5 = \"0eeb1c0133eb4d571178b2d9d14ce3e9\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \"3CX Ltd1\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \"202303\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 100MB and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588610",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "6b92134a-52ef-4bac-af67-2e1f69c425a4",
|
|
"value": "M_Hunting_MSI_Installer_3CX_1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588637",
|
|
"uuid": "b7b9e0d9-9e7b-4308-a3c5-ea0119e22854",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588637",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "3256e877-5056-4f7b-a5e4-a6a4714ff3b2",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }\r\n\r\n$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}\r\n\r\n$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }\r\n\r\n$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }\r\n\r\ncondition:\r\n\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588637",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "b3e8c72e-6ce3-4a59-8fb4-3cd66d4cb940",
|
|
"value": "M_Hunting_VEILEDSIGNAL_1"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588662",
|
|
"uuid": "3cdb37a4-67e3-498d-8718-cbd9e2ef9543",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588662",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "5f89c788-d148-4660-a1c3-5c403d30d481",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_2\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428\"\r\n\r\nstrings:\r\n\r\n$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }\r\n\r\n$si1 = \"CryptBinaryToStringA\" fullword\r\n\r\n$si2 = \"BCryptGenerateSymmetricKey\" fullword\r\n\r\n$si3 = \"CreateThread\" fullword\r\n\r\n$ss1 = \"ChainingModeGCM\" wide\r\n\r\n$ss2 = \"__tutma\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588662",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "0debd5f6-2c54-4962-b08f-8dc04f98314b",
|
|
"value": "M_Hunting_VEILEDSIGNAL_2"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682588716",
|
|
"uuid": "345f4ba2-569c-4993-ade9-a12f3a160082",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682588716",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "e634f810-56e6-4415-afc4-6aed3a1760ff",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_3\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }\r\n\r\n$si1 = \"HttpSendRequestW\" fullword\r\n\r\n$si2 = \"CreateNamedPipeW\" fullword\r\n\r\n$si3 = \"CreateThread\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682588716",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "3cfb9223-df0a-4a6c-83ae-1d837828bf23",
|
|
"value": "M_Hunting_VEILEDSIGNAL_3"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682589005",
|
|
"uuid": "7e9ba136-4f4a-4357-8642-ffde5864be7e",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682589005",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "e8443379-0e0e-4d81-9b6a-adca81cefdd5",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_4\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\"\r\n\r\nstrings:\r\n\r\n$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }\r\n\r\n$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }\r\n\r\n$si1 = \"CreateThread\" fullword\r\n\r\n$si2 = \"MultiByteToWideChar\" fullword\r\n\r\n$si3 = \"LocalAlloc\" fullword\r\n\r\n$se1 = \"DllGetClassObject\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682589005",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "c0815995-13d1-401e-9989-92770dced361",
|
|
"value": "M_Hunting_VEILEDSIGNAL_4"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682589173",
|
|
"uuid": "39a85650-5607-4aba-b874-75bb1ea6d63b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682589173",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "e1a4f52e-3c35-4e46-b77e-617ead7108e0",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_5\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"6727284586ecf528240be21bb6e97f88\"\r\n\r\nstrings:\r\n\r\n$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }\r\n\r\n$ss1 = \"chrome.exe\" wide fullword\r\n\r\n$ss2 = \"firefox.exe\" wide fullword\r\n\r\n$ss3 = \"msedge.exe\" wide fullword\r\n\r\n$ss4 = \"\\\\\\\\.\\\\pipe\\\\*\" ascii fullword\r\n\r\n$ss5 = \"FindFirstFileA\" ascii fullword\r\n\r\n$ss6 = \"Process32FirstW\" ascii fullword\r\n\r\n$ss7 = \"RtlAdjustPrivilege\" ascii fullword\r\n\r\n$ss8 = \"GetCurrentProcess\" ascii fullword\r\n\r\n$ss9 = \"NtWaitForSingleObject\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682589173",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "a8d4eba5-f14b-4766-8db2-0ccaa350926b",
|
|
"value": "M_Hunting_VEILEDSIGNAL_5"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682589931",
|
|
"uuid": "222cef9b-fd08-4b98-b804-eda0f9237624",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682589931",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "b93f1f3a-1ca5-4875-92f3-ef0e1e1b2762",
|
|
"value": "rule M_Hunting_VEILEDSIGNAL_6\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\nmd5 = \"00a43d64f9b5187a1e1f922b99b09b77\"\r\n\r\nstrings:\r\n\r\n$ss1 = \"C:\\\\Programdata\\\\\" wide\r\n\r\n$ss2 = \"devobj.dll\" wide fullword\r\n\r\n$ss3 = \"msvcr100.dll\" wide fullword\r\n\r\n$ss4 = \"TpmVscMgrSvr.exe\" wide fullword\r\n\r\n$ss5 = \"\\\\Microsoft\\\\Windows\\\\TPM\" wide fullword\r\n\r\n$ss6 = \"CreateFileW\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682589931",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "d1de7271-8a0f-4b3d-8427-4d61e33086dc",
|
|
"value": "M_Hunting_VEILEDSIGNAL_6"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682589951",
|
|
"uuid": "c8d27f3a-5439-4121-b4f6-5c73d0ae65fd",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682589951",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "09d0bd7d-fea4-4a22-bda5-df6fa77fcc10",
|
|
"value": "rule M_Hunting_POOLRAT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \"Mandiant\"\r\n\r\ndisclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\ndescription = \"Detects strings found in POOLRAT. \"\r\n\r\nmd5 = \"451c23709ecd5a8461ad060f6346930c\"\r\n\r\nstrings:\r\n\r\n$hex1 = { 6e 61 6d 65 3d 22 75 69 64 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni1 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 75 00 69 00 64 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex2 = { 6e 61 6d 65 3d 22 73 65 73 73 69 6f 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni2 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 73 00 65 00 73 00 73 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex3 = { 6e 61 6d 65 3d 22 61 63 74 69 6f 6e 22 25 73 25 73 25 73 25 73 }\r\n\r\n$hex_uni3 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 61 00 63 00 74 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 }\r\n\r\n$hex4 = { 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni4 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 74 00 6f 00 6b 00 65 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$str1 = \"--N9dLfqxHNUUw8qaUPqggVTpX-\" wide ascii nocase\r\n\r\ncondition:\r\n\r\nany of ($hex*) or any of ($hex_uni*) or $str1\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682589951",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "9b57bc87-0703-47c8-acd8-24b71237aedb",
|
|
"value": "M_Hunting_POOLRAT"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "6",
|
|
"timestamp": "1682590080",
|
|
"uuid": "702a3733-669e-4ca5-ad86-c73c36d3d9f9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1682590081",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "94edac12-8a21-4b8a-83ab-3116f8ea12a4",
|
|
"value": "rule M_Hunting_FASTREVERSEPROXY\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \"Mandiant\"\r\n\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment\"\r\n\r\n md5 = \"19dbffec4e359a198daf4ffca1ab9165\"\r\n\r\n strings:\r\n\r\n $ss1 = \"Go build ID:\" fullword\r\n\r\n $ss2 = \"Go buildinf:\" fullword\r\n\r\n $ss3 = \"net/http/httputil.(*ReverseProxy).\" ascii\r\n\r\n $ss4 = \"github.com/fatedier/frp/client\" ascii\r\n\r\n $ss5 = \"\\\"server_port\\\"\" ascii\r\n\r\n $ss6 = \"github.com/armon/go-socks5.proxy\" ascii\r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n\r\n}"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara-rule-name",
|
|
"timestamp": "1682590081",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "fd446cd7-e9de-4a89-9c51-1a0a53491206",
|
|
"value": "M_Hunting_FASTREVERSEPROXY"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1683108044",
|
|
"uuid": "a74a8de1-8907-4d1e-8760-85ad05bb3f9c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1683108044",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "83a9e914-6a59-4343-8106-9481eed16a50",
|
|
"value": "ef4ab22e565684424b4142b1294f1f4d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1683108044",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "d48c0917-5764-46b0-a3d9-e4c9849d8f06",
|
|
"value": "X_TRADER_r7.17.90p608.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1683275801",
|
|
"uuid": "6f374c9e-e55a-4f2d-ae2a-4a0cb7f4e090",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC4469",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1683275796",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d15a50b0-7459-430d-8694-71e64a4fdbfe",
|
|
"value": "curvefinances.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC4736",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1683275801",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c4d3ae0f-ccc6-4d7b-a176-00ac4380b65e",
|
|
"value": "pbxphonenetwork.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1683275711",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "c6c74dcc-a9eb-48d8-aad9-fdb080d5db37",
|
|
"value": "89.45.67.160"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1683275812",
|
|
"uuid": "99124b56-d511-49d3-aecc-39163ec44f88",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC4736",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1683275807",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cb44dce7-1d42-485d-8965-a5c3715233ea",
|
|
"value": "journalide.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1683275739",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "43110f07-e14f-412f-9319-7ea6904e98db",
|
|
"value": "172.93.201.88"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC3782",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1683275812",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "67659020-a084-40a3-a2c0-86d7a69c1bd7",
|
|
"value": "nxmnv.site"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "domain-ip",
|
|
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
|
|
"template_version": "11",
|
|
"timestamp": "1683275853",
|
|
"uuid": "531b631e-1e99-4292-a5df-f2414baaabdb",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1683275842",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "35e00a06-2121-46ec-aa41-95a982ed0bd2",
|
|
"value": "185.38.151.11"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC4736",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "domain",
|
|
"timestamp": "1683275847",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8dc4fe32-0a79-4ad4-ac42-e6b60542442f",
|
|
"value": "msedgepackageinfo.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "UNC4469",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "hostname",
|
|
"timestamp": "1683275853",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "244da4c6-622d-4f3e-899d-4de8491f003a",
|
|
"value": "apollo-crypto.org.shilaerc20.com"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |