{
"type": "bundle",
"id": "bundle--207feacb-6379-484d-8bea-b7281114b381",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-24T14:07:10.000Z",
"modified": "2023-05-24T14:07:10.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--207feacb-6379-484d-8bea-b7281114b381",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-24T14:07:10.000Z",
"modified": "2023-05-24T14:07:10.000Z",
"name": "3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible",
"published": "2023-06-22T07:45:40Z",
"object_refs": [
"indicator--726049e7-9805-44ee-a0bc-65c50ba1a1bb",
"indicator--a555296d-3c37-415f-8745-b3c68a1496fe",
"indicator--72986e52-7181-482d-add1-d79c32b22c96",
"indicator--487ed5ed-71b9-4029-baa0-8e1b1e98da01",
"indicator--f6027cce-03d8-4a41-aa37-202458d4fc64",
"indicator--2f7a8f74-a0ee-40d7-9e05-1c4908ad0664",
"indicator--6b0e7a84-17ce-42fe-8a63-8bee1ec4255d",
"indicator--aea819dd-d381-49c3-aee2-d9b81ca94bf1",
"x-misp-object--ffe5d3e8-741f-43b0-8414-8af137482627",
"indicator--bf154df5-cd9c-4867-a76b-2122be53198e",
"indicator--b589edd7-0f8d-4c01-8eb7-7119b9a9b718",
"indicator--2c9c3600-a5e3-49eb-a53d-34480e340b41",
"indicator--e591c3ee-02d0-438f-89ff-cf300e43d799",
"indicator--acdd9039-c804-4b19-8206-e53b552cc1c2",
"indicator--72b98f0f-932a-4705-b155-24749dacf208",
"indicator--e2929d32-2c8d-4998-b7e1-c877dad4a15e",
"indicator--b7b9e0d9-9e7b-4308-a3c5-ea0119e22854",
"indicator--3cdb37a4-67e3-498d-8718-cbd9e2ef9543",
"indicator--345f4ba2-569c-4993-ade9-a12f3a160082",
"indicator--7e9ba136-4f4a-4357-8642-ffde5864be7e",
"indicator--39a85650-5607-4aba-b874-75bb1ea6d63b",
"indicator--222cef9b-fd08-4b98-b804-eda0f9237624",
"indicator--c8d27f3a-5439-4121-b4f6-5c73d0ae65fd",
"indicator--702a3733-669e-4ca5-ad86-c73c36d3d9f9",
"indicator--a74a8de1-8907-4d1e-8760-85ad05bb3f9c",
"indicator--6f374c9e-e55a-4f2d-ae2a-4a0cb7f4e090",
"indicator--99124b56-d511-49d3-aecc-39163ec44f88",
"indicator--531b631e-1e99-4292-a5df-f2414baaabdb"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\"",
"tlp:clear",
"misp-galaxy:mitre-attack-pattern=\"Obtain Capabilities - T1588\"",
"misp-galaxy:mitre-attack-pattern=\"Digital Certificates - T1588.004\"",
"misp-galaxy:mitre-attack-pattern=\"Stage Capabilities - T1608\"",
"misp-galaxy:mitre-attack-pattern=\"Install Digital Certificate - T1608.003\"",
"misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"misp-galaxy:mitre-attack-pattern=\"Supply Chain Compromise - T1195\"",
"misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
"misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\"",
"misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\"",
"misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"",
"misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
"misp-galaxy:mitre-attack-pattern=\"Masquerading - T1036\"",
"misp-galaxy:mitre-attack-pattern=\"Invalid Code Signature - T1036.001\"",
"misp-galaxy:mitre-attack-pattern=\"Indicator Removal - T1070\"",
"misp-galaxy:mitre-attack-pattern=\"File Deletion - T1070.004\"",
"misp-galaxy:mitre-attack-pattern=\"Clear Windows Event Logs - T1070.001\"",
"misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"",
"misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"",
"misp-galaxy:mitre-attack-pattern=\"Virtualization/Sandbox Evasion - T1497\"",
"misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"",
"misp-galaxy:mitre-attack-pattern=\"Reflective Code Loading - T1620\"",
"misp-galaxy:mitre-attack-pattern=\"Debugger Evasion - T1622\"",
"misp-galaxy:mitre-attack-pattern=\"Query Registry - T1012\"",
"misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
"misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"",
"misp-galaxy:mitre-attack-pattern=\"System Location Discovery - T1614\"",
"misp-galaxy:mitre-attack-pattern=\"System Language Discovery - T1614.001\"",
"misp-galaxy:mitre-attack-pattern=\"DNS - T1071.004\"",
"misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
"misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
"misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
"misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
"misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
"misp-galaxy:mitre-attack-pattern=\"Data Manipulation - T1565\"",
"misp-galaxy:mitre-attack-pattern=\"Stored Data Manipulation - T1565.001\"",
"misp-galaxy:backdoor=\"POOLRAT\"",
"misp-galaxy:malpedia=\"POOLRAT\"",
"misp-galaxy:malpedia=\"IconicStealer\"",
"misp-galaxy:tool=\"ICONICSTEALER\"",
"misp-galaxy:tool=\"DAVESHELL\"",
"misp-galaxy:tool=\"SIGFLIP\"",
"misp-galaxy:backdoor=\"VEILEDSIGNAL\"",
"misp-galaxy:tool=\"COLDCAT\"",
"misp-galaxy:tool=\"TAXHAUL\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--726049e7-9805-44ee-a0bc-65c50ba1a1bb",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T12:33:27.000Z",
|
|
"modified": "2023-04-27T12:33:27.000Z",
|
|
"pattern": "[alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"raw.githubusercontent.com/IconStorages/images/main/\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)]",
|
|
"pattern_type": "snort",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T12:33:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "External analysis"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"snort\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--a555296d-3c37-415f-8745-b3c68a1496fe",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T12:33:27.000Z",
|
|
"modified": "2023-04-27T12:33:27.000Z",
|
|
"pattern": "[alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"3cx_auth_id=%s\\;3cx_auth_token_content=%s\\;__tutma=true\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)]",
|
|
"pattern_type": "snort",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T12:33:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "External analysis"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"snort\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--72986e52-7181-482d-add1-d79c32b22c96",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T12:33:27.000Z",
|
|
"modified": "2023-04-27T12:33:27.000Z",
|
|
"pattern": "[alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutma\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)]",
|
|
"pattern_type": "snort",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T12:33:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "External analysis"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"snort\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--487ed5ed-71b9-4029-baa0-8e1b1e98da01",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T12:33:27.000Z",
|
|
"modified": "2023-04-27T12:33:27.000Z",
|
|
"pattern": "[alert tcp any any -> any any (msg:\"Possible malicious 3CXDesktopApp Identified\"; content:\"__tutmc\"; threshold:type limit, track by_src, count 1, seconds 3600; sid: 99999999;)]",
|
|
"pattern_type": "snort",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T12:33:27Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "External analysis"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"snort\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--f6027cce-03d8-4a41-aa37-202458d4fc64",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-05-03T10:02:16.000Z",
|
|
"modified": "2023-05-03T10:02:16.000Z",
|
|
"pattern": "[file:hashes.MD5 = 'c6441c961dcad0fe127514a918eaabd4']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-05-03T10:02:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2f7a8f74-a0ee-40d7-9e05-1c4908ad0664",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-05-03T10:02:16.000Z",
|
|
"modified": "2023-05-03T10:02:16.000Z",
|
|
"pattern": "[url:value = 'www.tradingtechnologies.com/trading/order-management']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-05-03T10:02:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--6b0e7a84-17ce-42fe-8a63-8bee1ec4255d",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-05-04T12:45:46.000Z",
|
|
"modified": "2023-05-04T12:45:46.000Z",
|
|
"pattern": "[domain-name:value = 'www.tradingtechnologies.com']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-05-04T12:45:46Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"hostname\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--aea819dd-d381-49c3-aee2-d9b81ca94bf1",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-05-04T13:41:55.000Z",
|
|
"modified": "2023-05-04T13:41:55.000Z",
|
|
"pattern": "[file:hashes.MD5 = '451c23709ecd5a8461ad060f6346930c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-05-04T13:41:55Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-object",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-object--ffe5d3e8-741f-43b0-8414-8af137482627",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-26T11:44:54.000Z",
|
|
"modified": "2023-04-26T11:44:54.000Z",
|
|
"labels": [
|
|
"misp:name=\"report\"",
|
|
"misp:meta-category=\"misc\""
|
|
],
|
|
"x_misp_attributes": [
|
|
{
|
|
"type": "link",
|
|
"object_relation": "link",
|
|
"value": "https://www.mandiant.com/resources/blog/3cx-software-supply-chain-compromise",
|
|
"category": "External analysis",
|
|
"uuid": "49106857-2ef9-433c-83a3-d96bc057fff5"
|
|
},
|
|
{
|
|
"type": "text",
|
|
"object_relation": "type",
|
|
"value": "Blog",
|
|
"category": "Other",
|
|
"uuid": "3ca7b986-49fe-4352-9e3b-889f9a0d0f58"
|
|
}
|
|
],
|
|
"x_misp_meta_category": "misc",
|
|
"x_misp_name": "report"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--bf154df5-cd9c-4867-a76b-2122be53198e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:23:08.000Z",
|
|
"modified": "2023-04-27T09:23:08.000Z",
|
|
"name": "M_Hunting_3CXDesktopApp_Key",
|
|
"pattern": "rule M_Hunting_3CXDesktopApp_Key {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\n\u202f\u202f\u202f description = \\\\\"Detects a key found in a malicious 3CXDesktopApp file\\\\\"\r\n\r\n\u202f\u202f\u202f md5 = \\\\\"74bc2d0b6680faa1a5a76b27e5479cbc\\\\\"\r\n\r\n\u202f\u202f\u202f date = \\\\\"2023/03/29\\\\\"\r\n\r\n\u202f\u202f\u202f version = \\\\\"1\\\\\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $key = \\\\\"3jB(2bsG#@c7\\\\\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f $key\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:23:08Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b589edd7-0f8d-4c01-8eb7-7119b9a9b718",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:25:11.000Z",
|
|
"modified": "2023-04-27T09:25:11.000Z",
|
|
"name": "M_Hunting_3CXDesktopApp_Export",
|
|
"pattern": "rule M_Hunting_3CXDesktopApp_Export {\r\n\r\n\u202f meta:\r\n\r\n\u202f\u202f\u202f disclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\n\u202f\u202f\u202f description = \\\\\"Detects an export used in 3CXDesktopApp malware\\\\\"\r\n\r\n\u202f\u202f\u202f md5 = \\\\\"7faea2b01796b80d180399040bb69835\\\\\"\r\n\r\n\u202f\u202f\u202f date = \\\\\"2023/03/31\\\\\"\r\n\r\n\u202f\u202f\u202f version = \\\\\"1\\\\\"\r\n\r\n\u202f strings:\r\n\r\n\u202f\u202f\u202f $str1 = \\\\\"DllGetClassObject\\\\\" wide ascii\r\n\r\n\u202f\u202f\u202f $str2 = \\\\\"3CXDesktopApp\\\\\" wide ascii\r\n\r\n\u202f condition:\r\n\r\n\u202f\u202f\u202f all of ($str*)\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:25:11Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--2c9c3600-a5e3-49eb-a53d-34480e340b41",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:27:35.000Z",
|
|
"modified": "2023-04-27T09:27:35.000Z",
|
|
"name": "TAXHAUL",
|
|
"pattern": "rule TAXHAUL\r\n{\r\n\u202f meta:\r\n\u202f author = \\\\\"Mandiant\\\\\"\r\n\u202f created = \\\\\"04/03/2023\\\\\"\r\n\u202f modified = \\\\\"04/03/2023\\\\\"\r\n\u202f version = \\\\\"1.0\\\\\"\r\n\u202f strings:\r\n\u202f\u202f\u202f $p00_0 = {410f45fe4c8d3d[4]eb??4533f64c8d3d[4]eb??4533f64c8d3d[4]eb}\r\n\u202f\u202f\u202f $p00_1 = {4d3926488b01400f94c6ff90[4]41b9[4]eb??8bde4885c074}\r\n\u202f condition:\r\n\u202f\u202f\u202f uint16(0) == 0x5A4D and any of them\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:27:35Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e591c3ee-02d0-438f-89ff-cf300e43d799",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:39:26.000Z",
|
|
"modified": "2023-04-27T09:39:26.000Z",
|
|
"name": "M_Hunting_MSI_Installer_3CX_1",
|
|
"pattern": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\nmd5 = \\\\\"0eeb1c0133eb4d571178b2d9d14ce3e9, f3d4144860ca10ba60f7ef4d176cc736\\\\\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \\\\\"3CX Ltd1\\\\\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \\\\\"202303\\\\\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 105MB and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:39:26Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--acdd9039-c804-4b19-8206-e53b552cc1c2",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:40:28.000Z",
|
|
"modified": "2023-04-27T09:40:28.000Z",
|
|
"name": "M_Hunting_SigFlip_SigLoader_Native",
|
|
"pattern": "rule M_Hunting_SigFlip_SigLoader_Native\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\ndescription = \\\\\"Rule looks for strings present in SigLoader (Native)\\\\\"\r\n\r\nmd5 = \\\\\"a3ccc48db9eabfed7245ad6e3a5b203f\\\\\"\r\n\r\nstrings:\r\n\r\n$s1 = \\\\\"[*]: Basic Loader...\\\\\" ascii wide\r\n\r\n$s2 = \\\\\"[!]: Missing PE path or Encryption Key...\\\\\" ascii wide\r\n\r\n$s3 = \\\\\"[!]: Usage: \\\\%s <PE_PATH> <Encryption_Key>\\\\\" ascii wide\r\n\r\n$s4 = \\\\\"[*]: Loading/Parsing PE File \\'\\\\%s\\'\\\\\" ascii wide\r\n\r\n$s5 = \\\\\"[!]: Could not read file \\\\%s\\\\\" ascii wide\r\n\r\n$s6 = \\\\\"[!]: \\'\\\\%s\\' is not a valid PE file\\\\\" ascii wide\r\n\r\n$s7 = \\\\\"[+]: Certificate Table RVA \\\\%x\\\\\" ascii wide\r\n\r\n$s8 = \\\\\"[+]: Certificate Table Size \\\\%d\\\\\" ascii wide\r\n\r\n$s9 = \\\\\"[*]: Tag Found 0x\\\\%x\\\\%x\\\\%x\\\\%x\\\\\" ascii wide\r\n\r\n$s10 = \\\\\"[!]: Could not locate data/shellcode\\\\\" ascii wide\r\n\r\n$s11 = \\\\\"[+]: Encrypted/Decrypted Data Size \\\\%d\\\\\" ascii wide\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and 4 of ($s*)\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:40:28Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--72b98f0f-932a-4705-b155-24749dacf208",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:42:50.000Z",
|
|
"modified": "2023-04-27T09:42:50.000Z",
|
|
"name": "M_Hunting_Raw64_DAVESHELL_Bootstrap",
|
|
"pattern": "rule M_Hunting_Raw64_DAVESHELL_Bootstrap\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\ndescription = \\\\\"Rule looks for bootstrap shellcode (64 bit) present in DAVESHELL\\\\\"\r\n\r\nmd5 = \\\\\"8a34adda5b981498234be921f86dfb27\\\\\"\r\n\r\nstrings:\r\n\r\n$b6ba50888f08e4f39b43ef67da27521dcfc61f1e = { E8 00 00 00 00 59 49 89 C8 48 81 C1 ?? ?? ?? ?? BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\n$e32abbe82e1f957fb058c3770375da3bf71a8cab = { E8 00 00 00 00 59 49 89 C8 BA ?? ?? ?? ?? 49 81 C0 ?? ?? ?? ?? 41 B9 ?? ?? ?? ?? 56 48 89 E6 48 83 E4 F0 48 83 EC 30 48 89 4C 24 28 48 81 C1 ?? ?? ?? ?? C7 44 24 20 ?? ?? ?? ?? E8 ?? 00 00 00 48 89 F4 5E C3 }\r\n\r\ncondition:\r\n\r\nfilesize < 15MB and any of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:42:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--e2929d32-2c8d-4998-b7e1-c877dad4a15e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:43:30.000Z",
|
|
"modified": "2023-04-27T09:43:30.000Z",
|
|
"name": "M_Hunting_MSI_Installer_3CX_1",
|
|
"pattern": "rule M_Hunting_MSI_Installer_3CX_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\ndescription = \\\\\"This rule looks for hardcoded values within the MSI installer observed in strings and signing certificate\\\\\"\r\n\r\nmd5 = \\\\\"0eeb1c0133eb4d571178b2d9d14ce3e9\\\\\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 20 00 5F 64 33 64 63 6F 6D 70 69 6C 65 72 5F 34 37 2E 64 6C 6C 5F }\r\n\r\n$ss2 = { 20 00 5F 33 43 58 44 65 73 6B 74 6F 70 41 70 70 2E }\r\n\r\n$ss3 = { 20 00 5F 66 66 6D 70 65 67 2E 64 6C 6C 5F }\r\n\r\n$ss4 = \\\\\"3CX Ltd1\\\\\" ascii\r\n\r\n$sc1 = { 1B 66 11 DF 9C 9A 4D 6E CC 8E D5 0C 9B 91 78 73 }\r\n\r\n$sc2 = \\\\\"202303\\\\\" ascii\r\n\r\ncondition:\r\n\r\n(uint32(0) == 0xE011CFD0) and filesize > 90MB and filesize < 100MB and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:43:30Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--b7b9e0d9-9e7b-4308-a3c5-ea0119e22854",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:43:57.000Z",
|
|
"modified": "2023-04-27T09:43:57.000Z",
|
|
"name": "M_Hunting_VEILEDSIGNAL_1",
|
|
"pattern": "rule M_Hunting_VEILEDSIGNAL_1\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\\\\\"\r\n\r\nstrings:\r\n\r\n$rh1 = { 68 5D 7A D2 2C 3C 14 81 2C 3C 14 81 2C 3C 14 81 77 54 10 80 26 3C 14 81 77 54 17 80 29 3C 14 81 77 54 11 80 AB 3C 14 81 D4 4C 11 80 33 3C 14 81 D4 4C 10 80 22 3C 14 81 D4 4C 17 80 25 3C 14 81 77 54 15 80 27 3C 14 81 2C 3C 15 81 4B 3C 14 81 94 4D 1D 80 28 3C 14 81 94 4D 14 80 2D 3C 14 81 94 4D 16 80 2D 3C 14 81 }\r\n\r\n$rh2 = { 00 E5 A0 2B 44 84 CE 78 44 84 CE 78 44 84 CE 78 1F EC CA 79 49 84 CE 78 1F EC CD 79 41 84 CE 78 1F EC CB 79 C8 84 CE 78 BC F4 CA 79 4A 84 CE 78 BC F4 CD 79 4D 84 CE 78 BC F4 CB 79 65 84 CE 78 1F EC CF 79 43 84 CE 78 44 84 CF 78 22 84 CE 78 FC F5 C7 79 42 84 CE 78 FC F5 CE 79 45 84 CE 78 FC F5 CC 79 45 84 CE 78}\r\n\r\n$rh3 = { DA D2 21 22 9E B3 4F 71 9E B3 4F 71 9E B3 4F 71 C5 DB 4C 70 94 B3 4F 71 C5 DB 4A 70 15 B3 4F 71 C5 DB 4B 70 8C B3 4F 71 66 C3 4B 70 8C B3 4F 71 66 C3 4C 70 8F B3 4F 71 C5 DB 49 70 9F B3 4F 71 66 C3 4A 70 B0 B3 4F 71 C5 DB 4E 70 97 B3 4F 71 9E B3 4E 71 F9 B3 4F 71 26 C2 46 70 9F B3 4F 71 26 C2 B0 71 9F B3 4F 71 9E B3 D8 71 9F B3 4F 71 26 C2 4D 70 9F B3 4F 71 }\r\n\r\n$rh4 = { CB 8A 35 66 8F EB 5B 35 8F EB 5B 35 8F EB 5B 35 D4 83 5F 34 85 EB 5B 35 D4 83 58 34 8A EB 5B 35 D4 83 5E 34 09 EB 5B 35 77 9B 5E 34 92 EB 5B 35 77 9B 5F 34 81 EB 5B 35 77 9B 58 34 86 EB 5B 35 D4 83 5A 34 8C EB 5B 35 8F EB 5A 35 D3 EB 5B 35 37 9A 52 34 8C EB 5B 35 37 9A 58 34 8E EB 5B 35 37 9A 5B 34 8E EB 5B 35 37 9A 59 34 8E EB 5B 35 }\r\n\r\ncondition:\r\n\r\nuint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and 1 of ($rh*)\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:43:57Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--3cdb37a4-67e3-498d-8718-cbd9e2ef9543",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:44:22.000Z",
|
|
"modified": "2023-04-27T09:44:22.000Z",
|
|
"name": "M_Hunting_VEILEDSIGNAL_2",
|
|
"pattern": "rule M_Hunting_VEILEDSIGNAL_2\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"404b09def6054a281b41d309d809a428\\\\\"\r\n\r\nstrings:\r\n\r\n$sb1 = { C1 E0 05 4D 8? [2] 33 D0 45 69 C0 7D 50 BF 12 8B C2 41 FF C2 C1 E8 07 33 D0 8B C2 C1 E0 16 41 81 C0 87 D6 12 00 }\r\n\r\n$si1 = \\\\\"CryptBinaryToStringA\\\\\" fullword\r\n\r\n$si2 = \\\\\"BCryptGenerateSymmetricKey\\\\\" fullword\r\n\r\n$si3 = \\\\\"CreateThread\\\\\" fullword\r\n\r\n$ss1 = \\\\\"ChainingModeGCM\\\\\" wide\r\n\r\n$ss2 = \\\\\"__tutma\\\\\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:44:22Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--345f4ba2-569c-4993-ade9-a12f3a160082",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:45:16.000Z",
|
|
"modified": "2023-04-27T09:45:16.000Z",
|
|
"name": "M_Hunting_VEILEDSIGNAL_3",
|
|
"pattern": "rule M_Hunting_VEILEDSIGNAL_3\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"c6441c961dcad0fe127514a918eaabd4\\\\\"\r\n\r\nstrings:\r\n\r\n$ss1 = { 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6A 73 6F 6E 2C 20 74 65 78 74 2F 6A 61 76 61 73 63 72 69 70 74 2C 20 2A 2F 2A 3B 20 71 3D 30 2E 30 31 00 00 61 63 63 65 70 74 00 00 65 6E 2D 55 53 2C 65 6E 3B 71 3D 30 2E 39 00 00 61 63 63 65 70 74 2D 6C 61 6E 67 75 61 67 65 00 63 6F 6F 6B 69 65 00 00 }\r\n\r\n$si1 = \\\\\"HttpSendRequestW\\\\\" fullword\r\n\r\n$si2 = \\\\\"CreateNamedPipeW\\\\\" fullword\r\n\r\n$si3 = \\\\\"CreateThread\\\\\" fullword\r\n\r\n$se1 = \\\\\"DllGetClassObject\\\\\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:45:16Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--7e9ba136-4f4a-4357-8642-ffde5864be7e",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:50:05.000Z",
|
|
"modified": "2023-04-27T09:50:05.000Z",
|
|
"name": "M_Hunting_VEILEDSIGNAL_4",
|
|
"pattern": "rule M_Hunting_VEILEDSIGNAL_4\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"404b09def6054a281b41d309d809a428, c6441c961dcad0fe127514a918eaabd4\\\\\"\r\n\r\nstrings:\r\n\r\n$sb1 = { FF 15 FC 76 01 00 8B F0 85 C0 74 ?? 8D 50 01 [6-16] FF 15 [4] 48 8B D8 48 85 C0 74 ?? 89 ?? 24 28 44 8B CD 4C 8B C? 48 89 44 24 20 }\r\n\r\n$sb2 = { 33 D2 33 C9 FF 15 [4] 4C 8B CB 4C 89 74 24 28 4C 8D 05 [2] FF FF 44 89 74 24 20 33 D2 33 C9 FF 15 }\r\n\r\n$si1 = \\\\\"CreateThread\\\\\" fullword\r\n\r\n$si2 = \\\\\"MultiByteToWideChar\\\\\" fullword\r\n\r\n$si3 = \\\\\"LocalAlloc\\\\\" fullword\r\n\r\n$se1 = \\\\\"DllGetClassObject\\\\\" fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:50:05Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
|
|
"misp:meta-category=\"misc\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--39a85650-5607-4aba-b874-75bb1ea6d63b",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2023-04-27T09:52:53.000Z",
|
|
"modified": "2023-04-27T09:52:53.000Z",
|
|
"name": "M_Hunting_VEILEDSIGNAL_5",
|
|
"pattern": "rule M_Hunting_VEILEDSIGNAL_5\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"6727284586ecf528240be21bb6e97f88\\\\\"\r\n\r\nstrings:\r\n\r\n$sb1 = { 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D 15 [4] 48 8D 4C 24 4C E8 [4] 85 C0 74 ?? 48 8D [3] 48 8B CB FF 15 [4] EB }\r\n\r\n$ss1 = \\\\\"chrome.exe\\\\\" wide fullword\r\n\r\n$ss2 = \\\\\"firefox.exe\\\\\" wide fullword\r\n\r\n$ss3 = \\\\\"msedge.exe\\\\\" wide fullword\r\n\r\n$ss4 = \\\\\"\\\\\\\\\\\\\\\\.\\\\\\\\pipe\\\\\\\\*\\\\\" ascii fullword\r\n\r\n$ss5 = \\\\\"FindFirstFileA\\\\\" ascii fullword\r\n\r\n$ss6 = \\\\\"Process32FirstW\\\\\" ascii fullword\r\n\r\n$ss7 = \\\\\"RtlAdjustPrivilege\\\\\" ascii fullword\r\n\r\n$ss8 = \\\\\"GetCurrentProcess\\\\\" ascii fullword\r\n\r\n$ss9 = \\\\\"NtWaitForSingleObject\\\\\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x020B) and all of them\r\n\r\n}",
|
|
"pattern_type": "yara",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2023-04-27T09:52:53Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "misc"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--222cef9b-fd08-4b98-b804-eda0f9237624",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-27T10:05:31.000Z",
"modified": "2023-04-27T10:05:31.000Z",
"name": "M_Hunting_VEILEDSIGNAL_6",
"pattern": "rule M_Hunting_VEILEDSIGNAL_6\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\nmd5 = \\\\\"00a43d64f9b5187a1e1f922b99b09b77\\\\\"\r\n\r\nstrings:\r\n\r\n$ss1 = \\\\\"C:\\\\\\\\Programdata\\\\\\\\\\\\\" wide\r\n\r\n$ss2 = \\\\\"devobj.dll\\\\\" wide fullword\r\n\r\n$ss3 = \\\\\"msvcr100.dll\\\\\" wide fullword\r\n\r\n$ss4 = \\\\\"TpmVscMgrSvr.exe\\\\\" wide fullword\r\n\r\n$ss5 = \\\\\"\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\TPM\\\\\" wide fullword\r\n\r\n$ss6 = \\\\\"CreateFileW\\\\\" ascii fullword\r\n\r\ncondition:\r\n\r\n(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and (uint16(uint32(0x3C)+0x18) == 0x010B) and all of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-04-27T10:05:31Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--c8d27f3a-5439-4121-b4f6-5c73d0ae65fd",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-27T10:05:51.000Z",
"modified": "2023-04-27T10:05:51.000Z",
"name": "M_Hunting_POOLRAT",
"pattern": "rule M_Hunting_POOLRAT\r\n\r\n{\r\n\r\nmeta:\r\n\r\nauthor = \\\\\"Mandiant\\\\\"\r\n\r\ndisclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\ndescription = \\\\\"Detects strings found in POOLRAT. \\\\\"\r\n\r\nmd5 = \\\\\"451c23709ecd5a8461ad060f6346930c\\\\\"\r\n\r\nstrings:\r\n\r\n$hex1 = { 6e 61 6d 65 3d 22 75 69 64 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni1 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 75 00 69 00 64 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex2 = { 6e 61 6d 65 3d 22 73 65 73 73 69 6f 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni2 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 73 00 65 00 73 00 73 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$hex3 = { 6e 61 6d 65 3d 22 61 63 74 69 6f 6e 22 25 73 25 73 25 73 25 73 }\r\n\r\n$hex_uni3 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 61 00 63 00 74 00 69 00 6f 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 73 00 25 00 73 }\r\n\r\n$hex4 = { 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 25 73 25 73 25 75 25 73 }\r\n\r\n$hex_uni4 = { 6e 00 61 00 6d 00 65 00 3d 00 22 00 74 00 6f 00 6b 00 65 00 6e 00 22 00 25 00 73 00 25 00 73 00 25 00 75 00 25 00 73 }\r\n\r\n$str1 = \\\\\"--N9dLfqxHNUUw8qaUPqggVTpX-\\\\\" wide ascii nocase\r\n\r\ncondition:\r\n\r\nany of ($hex*) or any of ($hex_uni*) or $str1\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-04-27T10:05:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--702a3733-669e-4ca5-ad86-c73c36d3d9f9",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-04-27T10:08:00.000Z",
"modified": "2023-04-27T10:08:00.000Z",
"name": "M_Hunting_FASTREVERSEPROXY",
"pattern": "rule M_Hunting_FASTREVERSEPROXY\r\n\r\n{\r\n\r\n meta:\r\n\r\n author = \\\\\"Mandiant\\\\\"\r\n\r\n disclaimer = \\\\\"This rule is meant for hunting and is not tested to run in a production environment\\\\\"\r\n\r\n md5 = \\\\\"19dbffec4e359a198daf4ffca1ab9165\\\\\"\r\n\r\n strings:\r\n\r\n $ss1 = \\\\\"Go build ID:\\\\\" fullword\r\n\r\n $ss2 = \\\\\"Go buildinf:\\\\\" fullword\r\n\r\n $ss3 = \\\\\"net/http/httputil.(*ReverseProxy).\\\\\" ascii\r\n\r\n $ss4 = \\\\\"github.com/fatedier/frp/client\\\\\" ascii\r\n\r\n $ss5 = \\\\\"\\\\\\\\\"server_port\\\\\\\\\"\\\\\" ascii\r\n\r\n $ss6 = \\\\\"github.com/armon/go-socks5.proxy\\\\\" ascii\r\n\r\n condition:\r\n\r\n uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and all of them\r\n\r\n}",
"pattern_type": "yara",
"pattern_version": "2.1",
"valid_from": "2023-04-27T10:08:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "misc"
}
],
"labels": [
"misp:name=\"yara\"",
"misp:meta-category=\"misc\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a74a8de1-8907-4d1e-8760-85ad05bb3f9c",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-03T10:00:44.000Z",
"modified": "2023-05-03T10:00:44.000Z",
"pattern": "[file:hashes.MD5 = 'ef4ab22e565684424b4142b1294f1f4d' AND file:name = 'X_TRADER_r7.17.90p608.exe']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-03T10:00:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6f374c9e-e55a-4f2d-ae2a-4a0cb7f4e090",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-05T08:36:41.000Z",
"modified": "2023-05-05T08:36:41.000Z",
"pattern": "[domain-name:value = 'curvefinances.com' AND domain-name:value = 'pbxphonenetwork.com' AND domain-name:resolves_to_refs[*].value = '89.45.67.160']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-05T08:36:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--99124b56-d511-49d3-aecc-39163ec44f88",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-05T08:36:52.000Z",
"modified": "2023-05-05T08:36:52.000Z",
"pattern": "[domain-name:value = 'journalide.org' AND domain-name:value = 'nxmnv.site' AND domain-name:resolves_to_refs[*].value = '172.93.201.88']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-05T08:36:52Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--531b631e-1e99-4292-a5df-f2414baaabdb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-05T08:37:33.000Z",
"modified": "2023-05-05T08:37:33.000Z",
"pattern": "[domain-name:value = 'msedgepackageinfo.com' AND domain-name:x_misp_hostname = 'apollo-crypto.org.shilaerc20.com' AND domain-name:resolves_to_refs[*].value = '185.38.151.11']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-05T08:37:33Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"domain-ip\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
} |