Created
February 19, 2013 06:15
-
-
Save thejefflarson/4983514 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ~/Downloads/Digital Appendices/Appendix G (Digital) - IOCs $ cat fabdf553-b3ed-4bc9-9ac6-13d6bd174dad.ioc | |
| <?xml version="1.0" encoding="us-ascii"?> | |
| <ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="fabdf553-b3ed-4bc9-9ac6-13d6bd174dad" last-modified="2013-02-10T13:00:00" xmlns="http://schemas.mandiant.com/2010/ioc"> | |
| <short_description>WEBC2-YAHOO (FAMILY)</short_description> | |
| <description>The WEBC2 malware family is designed to retrieve a Web page from a pre-determined C2 server. It expects the Web page to contain special HTML tags; the backdoor will attempt to interpret the data between the tags as commands. The WEBC2-YAHOO variant enters a loop where every ten minutes it attempts to download a web page that may contain an encoded URL. The encoded URL will be found in the pages returned inside an attribute named 'sb' or 'ex' within a tag named 'yahoo'. The embedded link can direct the malware to download and execute files.</description> | |
| <authored_by>Mandiant</authored_by> | |
| <authored_date>2013-02-10T06:11:53</authored_date> | |
| <links> | |
| <link rel="category">Downloader</link> | |
| <link rel="threatgroup">APT</link> | |
| <link rel="family">APT1</link> | |
| <link rel="family">WEBC2-YAHOO</link> | |
| </links> | |
| <definition> | |
| <Indicator operator="OR" id="3c18ada4-2f65-46e8-b5cc-80b9d47f4e5c"> | |
| <IndicatorItem id="6fcb85fd-f1cf-4b75-b1ec-cee9cff7a792" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">f7f85d7f628ce62d1d8f7b39d8940472</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="f185110e-4fbd-4782-98ff-5db97ca802ef" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">da52e6701c9eba92459c6be28efdba74</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="8c90a6f4-c13c-4cf6-a3ae-15c04a960b0d" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">9dab4da07ed669b44f409eb60f3b0e50</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="28cae9e0-e6ae-440d-a833-fce9fed91746" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">0149b7bd7218aab4e257d28469fddb0d</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="52267a68-5ad0-4132-b3c6-c86a69842df5" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">9d75897d9c0a5da7e95082ea5ae1f648</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1706748c-acbc-4db3-b243-83f705616a57" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">496f04719a365f9718919002eff5748b</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="453c4b44-a1fa-44d5-8655-0bbbea9d8532" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">c2a79bb15a31fd6584d9bf0891673d14</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1eecde36-9399-4bd6-ba13-b414af30bc08" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">4e1a92036a577a87a6fa36168d192c4b</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="6fc7ea0c-b56e-4fca-8297-3af38ddf23af" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">6e9bedcf80f21171adb951a0d85d2adb</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="25a88fc6-025c-47ce-b1c3-7eb475ed787f" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">efc2025431e7ec8f8784fe81389c77cf</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="5d38842f-2585-4c0f-a25d-551dc5cc77d8" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">37ddd3d72ead03c7518f5d47650c8572</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="84b40839-003e-4a6e-ad8e-1df258ea07b2" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">dff4d874b2bfc64a4d1805959c379074</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7ddafb71-345c-4df5-85c3-9cb5087feba4" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">70c10f8b4dcd01b07be6cfb4df0d3348</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="2c9f0b9d-0042-4c9d-b093-c8c239870fe3" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">cc3a9a7b026bfe0e55ff219fd6aa7d94</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="58649176-0ca4-4d1a-9e6a-1236dbc77ac7" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">aa4f1ecc4d25b33395196b5d51a06790</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="76a80ad2-29dd-47cb-b279-1f24cf7027ac" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">1415eb8519d13328091cc5c76a624e3d</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="bcfb0f4d-a535-4e09-bc70-3c4cec5c4357" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">3d573866620eae070a220be89e113f69</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="ea217e94-0489-43c2-9460-792cf8fa7969" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">2762fb36161086f7ef3f33232aa790dc</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3c1a10a3-9c3d-4226-bb7e-28a796fac92a" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">57cbf78c226265cc1e61ad86779bf906</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="f14f51a2-bdde-4474-9c5d-1e91c4e9c739" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">20e2c8c7a98ddd4c16f6e878194c1e78</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="85608e62-7b42-47cb-be04-ee818a567f21" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">6040dd5b603483f738be6a02a63538f2</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="c71a44e2-805b-4e1e-b140-6ccfb1ba2752" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">abe6ab89f957f6edf8f41b5ad198e5e6</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="d08526ca-4936-477f-9670-c8bb4834c802" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">3e3e6fe1a8c6ffc00a9c644997a4f7a1</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="6eb7f59e-c5aa-4fb0-b713-3ad934970c15" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">4c9c9dbf388a8d81d8cfb4d3fc05f8e4</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="4472370d-a4e0-4d5b-a9b4-7a2226c71656" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">7a670d13d4d014169c4080328b8feb86</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="22d4a359-6d97-4c87-9e86-79d7f2822d6b" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">36d5c8fc4b14559f73b6136d85b94198</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="9b54acc9-b2d4-42d8-bca6-229f2807d3ac" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">e5237615fde0977c0ea3626fba609ab8</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="efc5573e-b345-4491-a476-e5e3df158047" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">2b659d71ae168e774faaf38db30f4a84</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="ad80f7dd-1654-4c54-acfd-cf44fdba5874" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">2272791cadf422ce02a117a3a857f84e</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="854fc56a-070c-4eef-b120-8b13b0430a46" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">a354e3c566645100e757f3e43c9b007d</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="6cf40586-66b7-436c-9b78-1de376bda409" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">22aa55134d621672e93c6de928c8b122</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7006d4db-b299-4253-89a0-ebd50503f989" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">9d5aabcda9106132d1e1b6cf6cae28aa</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="399b4560-097d-4c5f-9dd4-eb56ccfc4a39" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">7f26403f8e59a5f2728af2d3e0efaabb</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="56f85a10-c969-4d69-8eb1-8f6265acf0a4" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">70e2827ab4af1a38dc09a02fa95b82fe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="22d0a76b-ca28-4108-ae4c-ba4c99441cde" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">a8f259bb36e00d124963cfa9b86f502e</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3babb67f-61cf-46f8-95be-9e9711bf049c" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">c9f77569aa98f71cc42644d66d9f371c</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7586834c-89b6-4b4d-bea8-f424bccd1536" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">328c3ebb2fd2e170483e8d51ccc6c505</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="b76299cf-3094-4635-9f63-0f4e438ac6ca" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">3de60420845a582b0e44081b1138a7e4</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="4d639056-7dcb-4e3a-b57e-b12f530b3e35" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">2a4604fcae876dee445de5ad74fd7835</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3678d8ef-ace4-456a-93dd-41bc7b51dc0e" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">86a906db5686bbf487689937d15bf71a</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="860f4933-1b3b-4017-a594-df1717a16173" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">13835f0d5aafbeda50560afc92c8b7b7</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="6fff1113-d530-4445-a1e4-30108cac885b" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">63db2f4fd717723f0e6f94e0a6a62c7b</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="4ceb5bc2-bcb9-4d58-af98-c62107b8e52d" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">ec82a53f44511ac09e916bde02cddef0</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="8eda7dde-6882-4040-a236-403f857478fa" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">0588ffa0a244a2c4431c5c4faac60b1f</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1fbed0af-8e0d-43c3-8046-634a9b0b7973" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">a8b183fe32ad8d426e20227f3c8b7592</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="505d95fe-dab7-4184-b177-ed684e30f735" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">d751c7f7d2eab52c43ab31312e229307</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="703567b4-8492-4881-9ac0-406d820a1c02" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">39e28f48c138dc156d1436fd02222e45</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="b3cfa046-8468-4160-9ec6-fd50a6696fe9" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">ca68ccc887cfe5d2194f6a4d3101ae66</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="8368e0af-177d-4c10-acf8-1b112707b0ea" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">9ad292de00b2175a80b5909fa173cdcd</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="e8111648-69af-4631-850d-48a9ed04e830" condition="is"> | |
| <Context document="FileItem" search="FileItem/Md5sum" type="mir" /> | |
| <Content type="md5">b743f6af7e307221ba425d6023ebe42c</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="dbd562e7-1687-4d02-a4aa-18bbd8131073" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir" /> | |
| <Content type="string">Adobe Acrobat Document</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3ffe2f58-0162-42ca-bbb2-84c96f79a429" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir" /> | |
| <Content type="string"> TXT FILE</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="57b9e593-0bfb-4a89-b414-75aaa578d698" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir" /> | |
| <Content type="string">TXT FILE</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="56140567-5ddf-429e-9ad3-3c41355b9c4a" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir" /> | |
| <Content type="string">TXT FILE</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7a74e6c8-7375-48c0-949f-95572a78be54" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/OriginalFilename" type="mir" /> | |
| <Content type="string">ZRMM2011.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="940b86bf-1668-46f7-830d-4be71196add5" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/ProductName" type="mir" /> | |
| <Content type="string">sbt ZRMM2011</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="37e017df-49b2-47e1-9825-85bdf573b9ef" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/FileDescription" type="mir" /> | |
| <Content type="string">ZRMM2011</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7eacea1c-283f-4ce8-9b05-e52a41760159" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/InternalName" type="mir" /> | |
| <Content type="string">ZRMM2011</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="d52ca222-ddd8-4818-babd-469136767128" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/VersionInfoList/VersionInfoItem/CompanyName" type="mir" /> | |
| <Content type="string">sbt</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="2f199249-08c0-4d0c-a48d-92c8f764ad46" condition="contains"> | |
| <Context document="FileItem" search="FileItem/FullPath" type="mir" /> | |
| <Content type="string">\Windows\inetinfo.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="ed6711b3-8778-4084-9a2b-931ae5e7babb" condition="contains"> | |
| <Context document="FileItem" search="FileItem/FullPath" type="mir" /> | |
| <Content type="string">\Windows\fxsst.dll</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="17e77965-cbcb-4c7b-97a9-6c361bc294a6" condition="contains"> | |
| <Context document="FileItem" search="FileItem/FullPath" type="mir" /> | |
| <Content type="string">\Windows\wscntfy.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="4e0b8b31-0f57-4a23-ae2f-b54a7d04c022" condition="contains"> | |
| <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" /> | |
| <Content type="string">LETUSHAVEAGOODTIME</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="192cc28d-7608-44c0-ab78-ed5b5d718c0f" condition="contains"> | |
| <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir" /> | |
| <Content type="string">HAHAHAHAHAHAH</Content> | |
| </IndicatorItem> | |
| <Indicator operator="AND" id="aa27ca5e-3745-46b3-9ce9-eb8ef327ea62"> | |
| <Indicator operator="OR" id="91a7f815-ecc2-480d-b4cf-5a00d4669a58"> | |
| <IndicatorItem id="d600f291-d6b9-417b-be7f-bb65f374094d" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">iexplore.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="fc91876c-c18d-4711-bcef-c828f18c9356" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">svchost.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="5db34463-cd8e-4783-acb3-92783eaadd23" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">mswab.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="30508b35-dadd-46fe-9701-f6dbdba2bef8" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">1.jpeg</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1428e3b4-01d2-4756-99db-2b33f57e5c50" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">buildout.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="b96748f1-ef0f-43cf-9811-018493c1f1f8" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">reader_sl.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="5eec859d-42d7-4a84-bff1-1d09c8e9835e" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">WINWORD.EXE</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="6470699e-2fc6-46bb-80a1-dc579302ec36" condition="is"> | |
| <Context document="FileItem" search="FileItem/FileName" type="mir" /> | |
| <Content type="string">press_releases_doc.doc.exe</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7ecb7460-915c-4c47-b33b-9e5a22a2784c" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir" /> | |
| <Content type="string">contains_eof_data</Content> | |
| <Comment>PE Header Anomaly identified in 6% samples.</Comment> | |
| </IndicatorItem> | |
| <IndicatorItem id="b69fe666-d750-4162-ad59-05a575ddb028" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/DetectedAnomalies/string" type="mir" /> | |
| <Content type="string">checksum_is_zero</Content> | |
| <Comment>PE Header Anomaly identified in 100% samples.</Comment> | |
| </IndicatorItem> | |
| </Indicator> | |
| <Indicator operator="OR" id="045e2c19-5825-4268-bcf3-0bda24e0d4df"> | |
| <IndicatorItem id="a016ff4b-41f8-4fb9-85fe-2f322de4f84f" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">1220608</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="e4bc1c3d-5031-4dea-a1d8-f6a8180852ab" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">14336</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="7a68303d-0c6e-4604-a48d-b74478e26051" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">14848</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1ec89d4c-13f3-4c8d-9c8c-487b9f4434f3" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">15360</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="ea54de4e-3935-4f99-8a4f-d46cead8a42e" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">15872</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3c7fe9c0-b08c-4921-95d3-8fbdb72e0937" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">16896</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="881afe9e-dbe5-4af0-9018-7f6c9ec69ea3" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">17408</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1b7920f1-5aef-4124-ac18-769e855f03aa" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">17409</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="938c08b4-480f-4868-bdc9-1073ab0039e3" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">2886656</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="070ba35f-e9ff-4884-b7a7-b34e53604cc4" condition="is"> | |
| <Context document="FileItem" search="FileItem/SizeInBytes" type="mir" /> | |
| <Content type="int">40448</Content> | |
| </IndicatorItem> | |
| </Indicator> | |
| <Indicator operator="OR" id="debb5a9b-6d08-49f8-b799-2c0bdba2e771"> | |
| <IndicatorItem id="09b8919f-7d83-4df5-bec0-c55ef595e5e4" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2010-08-27T01:55:04Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="f050d4d3-c778-4ecc-aebd-81df5953a4c2" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2010-09-28T08:09:41Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="d88cae4b-1734-4abb-9aa8-5916bfd5ac38" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-05-30T01:30:24Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="d513f4f2-3f6b-4978-965a-df25d7161a3c" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-05-30T03:27:33Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="962c1701-32e1-47f2-a67c-6868c743bfac" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-05-30T08:29:29Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="4eab86a7-135f-473a-ac63-1a38e2059556" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-07-01T08:23:45Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="51f6df5f-f37b-4e9a-84e8-6de48e817ba0" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-07-29T07:10:31Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="37d15923-831f-4a70-b8d1-7966f07d31bd" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-09T07:30:17Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="a082d17d-99f9-41d3-95af-7cae719f1cfa" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-09T08:15:29Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="269a67b1-be1e-4564-b556-986b99da15a1" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-09T08:18:19Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="98b74df6-b79f-4516-a532-0eb9b8b26beb" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-11T13:15:49Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="90b7970a-9f9c-4be2-8335-94a1a44fa515" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-15T09:26:15Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="1d5a0302-e8b1-405a-90a0-bebaa78b7fbf" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-08-19T03:07:37Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="a42f67d5-b2f5-4225-8a67-38bfba70d472" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-09-16T08:46:55Z</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="322dcf62-fb83-434a-969c-6a1e83b1e709" condition="is"> | |
| <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir" /> | |
| <Content type="date">2011-12-12T13:34:30Z</Content> | |
| </IndicatorItem> | |
| </Indicator> | |
| </Indicator> | |
| <Indicator operator="AND" id="aba09b7b-65c4-4410-ac18-91fd1070e408"> | |
| <IndicatorItem id="dedaccf6-93f8-4962-85b7-095d94b4f86d" condition="is"> | |
| <Context document="ServiceItem" search="ServiceItem/serviceDLLSignatureVerified" type="mir" /> | |
| <Content type="string">false</Content> | |
| </IndicatorItem> | |
| <Indicator operator="OR" id="544d4d1f-9116-41d2-b359-b43aeb201d32"> | |
| <IndicatorItem id="2eb66a50-21ee-4861-84dd-1cdc2fc388d0" condition="is"> | |
| <Context document="ServiceItem" search="ServiceItem/name" type="mir" /> | |
| <Content type="string">.Net CLR</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="f777d267-a5c5-46a4-965c-8c4e761a54f1" condition="is"> | |
| <Context document="ServiceItem" search="ServiceItem/descriptiveName" type="mir" /> | |
| <Content type="string">Microsoft .Net Framework COM+ Support</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="fdaec485-9c85-49c2-b17e-99cb0b0db111" condition="is"> | |
| <Context document="ServiceItem" search="ServiceItem/description" type="mir" /> | |
| <Content type="string">Microsoft .NET and Windows XP COM+ Integration with SOAP</Content> | |
| </IndicatorItem> | |
| </Indicator> | |
| </Indicator> | |
| <Indicator operator="AND" id="c9a94413-28f5-4da6-b3fb-fde02f1b9a1c"> | |
| <IndicatorItem id="bbec8b8a-26ef-4d80-9eaf-bb1b75526c59" condition="contains"> | |
| <Context document="RegistryItem" search="RegistryItem/Path" type="mir" /> | |
| <Content type="string">CurrentVersion\Run\</Content> | |
| </IndicatorItem> | |
| <Indicator operator="OR" id="45c324f6-b997-4a16-b481-e085359b9130"> | |
| <IndicatorItem id="6ec4f425-663e-48e5-92c8-e0b2a30c3c2b" condition="contains"> | |
| <Context document="RegistryItem" search="RegistryItem/Text" type="mir" /> | |
| <Content type="string">Users\</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="a176e91c-5b42-47d0-ac83-c799a07dad58" condition="contains"> | |
| <Context document="RegistryItem" search="RegistryItem/Text" type="mir" /> | |
| <Content type="string">Documents and Settings\</Content> | |
| </IndicatorItem> | |
| </Indicator> | |
| <Indicator operator="OR" id="2bff7074-1aa9-4584-a6ec-1e6f6195e565"> | |
| <IndicatorItem id="a96c8466-c539-480a-9261-e5a6a53e54fa" condition="is"> | |
| <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir" /> | |
| <Content type="string">SysTray</Content> | |
| </IndicatorItem> | |
| <IndicatorItem id="3ff1c3a8-ec15-4c63-bad7-9a8b710c999f" condition="is"> | |
| <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir" /> | |
| <Content type="string">systemupdate</Content> | |
| </IndicatorItem> | |
| </Indicator> | |
| </Indicator> | |
| </Indicator> | |
| </definition> | |
| </ioc> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment