├── APT12 ├── 2384c8ce-6eca-4d06-8aa4-151b53d9a6bc.ioc └── README.md ├── APT17 ├── 7b9e87c5-b619-4a13-b862-0145614d359a.ioc └── README.md ├── APT18 ├── 0ae061d7-c624-4a84-8adf-00281b97797b.ioc └── README.md ├── APT28 ├── 0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc ├── README.md ├── a438caeb-96dd-4225-853c-fc5910980961.ioc ├── a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc ├── bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc └── e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc ├── APT3 ├── 62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc ├── README.md └── db0b6ac6-874a-498e-892b-ac7c2020e061.ioc ├── APT30 ├── README.md └── eeffc8e8-caee-4fe1-8ace-7a994b5d893f.ioc ├── BlogPosts ├── 0b879284-0c37-4bfa-9dd8-34505a9c5175.ioc ├── 113e561e-60d2-48db-979d-02f207550125.ioc ├── 4fdb0f45-8151-4941-a9e1-a31e21000659.ioc ├── 5a8d6878-2649-4ddc-a1f6-c98932a54f91.ioc ├── 6037663c-680c-4a28-ad58-40622d206e1d.ioc ├── 60a6de64-7308-4af1-9003-dc23a73fdf01.ioc ├── 6bb9ce5b-94c1-4733-8bb8-dc5be775b190.ioc ├── 9a7a6929-25ea-4254-a300-13fd6b39c490.ioc ├── 9cee306d-5441-4cd3-932d-f3119752634c.ioc ├── README.MD ├── b513e829-b023-426a-b7d4-accd511be3c0.ioc ├── de99badf-b448-49e7-885a-4d8688ddf02d.ioc ├── e598231d-8584-4535-a0de-94e822f04c0b.ioc └── operation_poisoned_handover.yara ├── FIN4 ├── MACROCHECK.yara ├── README.md └── fb0699e2-23a6-40f9-bf96-4514d629eec3.ioc ├── LICENSE └── README.md /APT12/2384c8ce-6eca-4d06-8aa4-151b53d9a6bc.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | DARWIN (BLOGPOST) 22 | This IOC contains indicators detailed in the blog post "Darwin's Favorite APT Group" that can be read here: http://www.fireeye.com/blog/technical/targeted-attack/2014/09/darwins-favorite-apt-group-2.html . This IOC contains indicators for the RIPTIDE and THREEBYTE malware families that are attributed to APT12, and the WATERSPOUT family suspected to be used by APT12. 23 | 24 | FireEye 25 | 2014-08-28T15:57:54Z 26 | 27 | APT 28 | APT12 29 | Backdoor 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | f6fafb7c30b1114befc93f39d0698560 37 | 38 | 39 | 40 | 6e59861931fa2796ee107dc27bfdd480 41 | 42 | 43 | 44 | 73f493f6a2b0da23a79b50765c164e88 45 | 46 | 47 | 48 | eaa6e03d9dae356481215e3a9d2914dc 49 | 50 | 51 | 52 | 06da4eb2ab6412c0dc7f295920eb61c4 53 | 54 | 55 | 56 | 53baedf3765e27fb465057c48387c9b6 57 | 58 | 59 | 60 | e009b95ff7b69cbbebc538b2c5728b11 61 | 62 | 63 | 64 | 16e627dbe730488b1c3d448bfc9096e2 65 | 66 | 67 | 68 | 499bec15ac83f2c8998f03917b63652e 69 | 70 | 71 | 72 | f9cfda6062a8ac9e332186a7ec0e706a 73 | 74 | 75 | 76 | 4ab6bf7e6796bb930be2dd0141128d06 77 | 78 | 79 | 80 | icc.ignorelist.com 81 | 82 | 83 | 84 | video.csmcpr.com 85 | 86 | 87 | 88 | 141.108.2.157 89 | 90 | 91 | 92 | lilywang823@gmail.com 93 | 94 | 95 | 96 | 97 | 75264 98 | 99 | 100 | 101 | 2014-08-23T08:22:49Z 102 | 103 | 104 | 105 | 106 | 107 | 75776 108 | 109 | 110 | 111 | 2014-08-25T01:22:20Z 112 | 113 | 114 | 115 | 116 | 117 | 49152 118 | 119 | 120 | 121 | 2014-08-25T02:10:11Z 122 | 123 | 124 | 125 | 126 | 127 | 128 | word.exe 129 | 130 | 131 | 132 | winword.exe 133 | 134 | 135 | 136 | 137 | 138 | LOCAL SETTINGS\Temp 139 | 140 | 141 | 142 | Local\Temp 143 | 144 | 145 | 146 | 147 | 148 | -------------------------------------------------------------------------------- /APT12/README.md: -------------------------------------------------------------------------------- 1 | # APT12 — Darwin’s Favorite APT Group 2 | 3 | Read more about this group and what these indicators mean in FireEye's blog post about them: [http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html](http://www.fireeye.com/blog/technical/botnet-activities-research/2014/09/darwins-favorite-apt-group-2.html) 4 | -------------------------------------------------------------------------------- /APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | BLACKCOFFEE (FAMILY) 22 | This IOC contains indicators detailed in the whitepaper "Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group's Obfuscation Tactic". The whitepaper can be read here: https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html. This IOC contains indicators for the BLACKCOFFEE malware family that is attributed to APT17. 23 | 24 | FireEye 25 | 2014-10-15T21:02:19 26 | 27 | Backdoor 28 | APT 29 | APT17 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | de56eb5046e518e266e67585afa34612 37 | 38 | 39 | 40 | 195ade342a6a4ea0a58cfbfb43dc64cb 41 | 42 | 43 | 44 | 4c21336dad66ebed2f7ee45d41e6cada 45 | 46 | 47 | 48 | 0370002227619c205402c48bde4332f6 49 | 50 | 51 | 52 | ac169b7d4708c6fa7fee9be5f7576414 53 | 54 | 55 | 56 | 5f2fcba8bd42712d9975da208a1cc0ca 57 | 58 | 59 | 60 | 5d16e5ee1cc571125ab1c44ecd47a04a 61 | 62 | 63 | 64 | da88e711e4ffc7c617986fc585bce305 65 | 66 | 67 | 68 | 358bd08946 69 | Process Handle Type: events 70 | 71 | 72 | 73 | PnP_No_Management 74 | Process Handle Type: events 75 | 76 | 77 | 78 | translate.wordraference.com 79 | 80 | 81 | 82 | news.jusched.net 83 | 84 | 85 | 86 | c016af303b5729e57d0e6563b3c51be4 87 | 88 | 89 | 90 | 130.184.156.62 91 | 92 | 93 | 94 | 69.80.72.165 95 | 96 | 97 | 98 | 110.45.151.43 99 | 100 | 101 | 102 | 121.101.73.231 103 | 104 | 105 | 106 | 103.250.72.39 107 | 108 | 109 | 110 | 148.251.71.75 111 | 112 | 113 | 114 | 217.198.143.40 115 | 116 | 117 | 118 | 178.62.20.110 119 | 120 | 121 | 122 | 175.126.104.175 123 | 124 | 125 | 126 | 103.250.72.254 127 | 128 | 129 | 130 | 1.234.52.111 131 | 132 | 133 | 134 | 0b757d3dc43dab594262579226842531 135 | 136 | 137 | 138 | 139 | -------------------------------------------------------------------------------- /APT17/README.md: -------------------------------------------------------------------------------- 1 | # Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group’s Obfuscation Tactic 2 | 3 | Read more about this group and what these indicators mean in FireEye's blog post about them: [https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html](https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html) 4 | -------------------------------------------------------------------------------- /APT18/0ae061d7-c624-4a84-8adf-00281b97797b.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | DEMONSTRATING HUSTLE - APT18 (BLOG) 22 | This IOC contains indicators detailed in the blog post "Demonstrating Hustle" that can be read here: https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html. This IOC contains indicators for a spearphishing campaign carried out by APT18. 23 | 24 | FireEye 25 | 2015-07-10T21:24:04Z 26 | 27 | APT 28 | APT18 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | 137.175.4.132 36 | 37 | 38 | 39 | 079a440bee0f86d8a59ebc5c4b523a07 40 | 41 | 42 | 43 | 223.25.233.248 44 | 45 | 46 | 47 | 48 | movie.swf 49 | 50 | 51 | 52 | 214976 53 | 54 | 55 | 56 | 57 | 58 | -------------------------------------------------------------------------------- /APT18/README.md: -------------------------------------------------------------------------------- 1 | # Demonstrating Hustle 2 | 3 | Read more about this group and what these indicators mean in FireEye's blog post about them: [https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) -------------------------------------------------------------------------------- /APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | APT28 DOMAINS (REPORT) 22 | Domains used by APT28. 23 | 24 | FireEye 25 | 2014-10-17T02:04:34Z 26 | 27 | APT 28 | APT28 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | kavkazcentr.info 36 | 37 | 38 | 39 | rnil.am 40 | 41 | 42 | 43 | standartnevvs.com 44 | 45 | 46 | 47 | novinitie.com 48 | 49 | 50 | 51 | n0vinite.com 52 | 53 | 54 | 55 | qov.hu.com 56 | 57 | 58 | 59 | q0v.pl 60 | 61 | 62 | 63 | mail.g0v.pl 64 | 65 | 66 | 67 | poczta.mon.q0v.pl 68 | 69 | 70 | 71 | baltichost.org 72 | 73 | 74 | 75 | nato.nshq.in 76 | 77 | 78 | 79 | natoexhibitionff14.com 80 | 81 | 82 | 83 | login-osce.org 84 | 85 | 86 | 87 | smigroup-online.co.uk 88 | 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /APT28/README.md: -------------------------------------------------------------------------------- 1 | # APT28 — A Window into Russia's Cyber Espionage Operations? 2 | 3 | Read FireEye's report for more information about APT28 and the threats it poses here: [https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf](https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf) 4 | -------------------------------------------------------------------------------- /APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | OLDBAIT (REPORT) 22 | OLDBAIT is a credential harvester. Both the internal strings and logic are obfuscated and are unpacked at startup. It harvests credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client made by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both email or HTTP to send out the collected credentials. 23 | 24 | 25 | FireEye 26 | 2014-10-17T02:02:52Z 27 | 28 | APT 29 | APT28 30 | Credential Stealer 31 | OLDBAIT 32 | Apache 2.0 33 | 34 | 35 | 36 | 37 | 38 | Application Data\Microsoft\MediaPlayer\ 39 | 40 | 41 | 42 | updatewindws.exe 43 | 44 | 45 | 46 | updatewindws.exe 47 | 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | EVILTOSS (REPORT) 22 | This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution. 23 | 24 | FireEye 25 | 2014-10-17T02:00:57Z 26 | 27 | APT 28 | APT28 29 | Backdoor 30 | EVILTOSS 31 | Apache 2.0 32 | 33 | 34 | 35 | 36 | 37 | netui.dll 38 | 39 | 40 | 41 | \netui.dll 42 | 43 | 44 | 45 | 46 | -------------------------------------------------------------------------------- /APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | CHOPSTICK (REPORT) 22 | CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP. 23 | 24 | FireEye 25 | 2014-10-17T02:02:02Z 26 | 27 | APT 28 | APT28 29 | Backdoor 30 | CHOPSTICK 31 | Apache 2.0 32 | 33 | 34 | 35 | 36 | 37 | edg6EF885E2.tmp 38 | 39 | 40 | 41 | \Device\Mailslot\check_mes_v5555 42 | 43 | 44 | 45 | 46 | Microsoft\MediaPlayer\{E6696105-E63E-4EF1-939E-15DDD83B669A} 47 | 48 | 49 | 50 | chnnl 51 | 52 | 53 | 54 | 55 | 56 | -------------------------------------------------------------------------------- /APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | SOURFACE (REPORT) 22 | SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name 'coreshell.dll'. These variants are distinct from the older versions so we refer to it as SOURFACE/CORESHELL or simply CORESHELL. 23 | 24 | FireEye 25 | 2014-10-16T20:58:21Z 26 | 27 | APT 28 | APT28 29 | Downloader 30 | SOURFACE 31 | SOURFACE.CORESHELL 32 | Apache 2.0 33 | 34 | 35 | 36 | 37 | 38 | 8c4fa713c5e2b009114adda758adc445 39 | 40 | 41 | 42 | 3b0ecd011500f61237c205834db0e13a 43 | 44 | 45 | 46 | 791428601ad12b9230b9ace4f2138713 47 | 48 | 49 | 50 | 5882fda97fdf78b47081cc4105d44f7c 51 | 52 | 53 | 54 | 48656a93f9ba39410763a2196aabc67f 55 | 56 | 57 | 58 | 9eebfebe3987fec3c395594dc57a0c4c 59 | 60 | 61 | 62 | 8b92fe86c5b7a9e34f433a6fbac8bc3a 63 | 64 | 65 | 66 | ead4ec18ebce6890d20757bb9f5285b1 67 | 68 | 69 | 70 | 1259c4fe5efd9bf07fc4c78466f2dd09 71 | 72 | 73 | 74 | 272f0fde35dbdfccbca1e33373b3570d 75 | 76 | 77 | 78 | AppData\Local\conhost.dll 79 | 80 | 81 | 82 | Local Settings\Application Data\conhost.dll 83 | 84 | 85 | 86 | coreshell.dll 87 | 88 | 89 | 90 | \netids.dll 91 | 92 | 93 | 94 | Local Settings\Application Data\svchost.exe 95 | 96 | 97 | 98 | Local Settings\Application Data\conhost.dll 99 | 100 | 101 | 102 | AppData\Local\svchost.exe 103 | 104 | 105 | 106 | AppData\Local\conhost.dll 107 | 108 | 109 | 110 | 70.85.221.10 111 | 112 | 113 | 114 | adawareblock.com 115 | 116 | 117 | 118 | checkmalware.org 119 | 120 | 121 | 122 | malwarecheck.info 123 | 124 | 125 | 126 | scanmalware.info 127 | 128 | 129 | 130 | netids.dll 131 | 132 | 133 | 134 | da2a657dc69d7320f2ffc87013f257ad 135 | 136 | 137 | 138 | 139 | svchost.exe 140 | 141 | 142 | 143 | 144 | Local Settings\Application Data 145 | 146 | 147 | 148 | AppData\Local 149 | 150 | 151 | 152 | 153 | 154 | 155 | rundll32.exe 156 | 157 | 158 | 159 | #1 160 | 161 | 162 | 163 | 164 | AppData\Local\conhost.dll 165 | 166 | 167 | 168 | Local Settings\Application Data\conhost.dll 169 | 170 | 171 | 172 | 173 | 174 | 175 | 1 176 | 177 | 178 | 179 | 180 | coreshell.dll 181 | 182 | 183 | 184 | dll.dll 185 | 186 | 187 | 188 | 189 | 190 | Initialize 191 | 192 | 193 | 194 | Init1 195 | 196 | 197 | 198 | Applicate 199 | 200 | 201 | 202 | 203 | 204 | 205 | Core Shell Runtime Service 206 | 207 | 208 | 209 | coreshell.dll 210 | 211 | 212 | 213 | 214 | 215 | -------------------------------------------------------------------------------- /APT3/62f65dae-9475-44b0-a9eb-c1baebbd9885.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | DEMONSTRATING HUSTLE - APT3 (BLOG) 22 | This IOC contains indicators detailed in the blog post "Demonstrating Hustle" that can be read here: https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html. This IOC contains indicators for a spearphishing campaign carried out by APT3. 23 | 24 | FireEye 25 | 2015-07-10T21:17:05Z 26 | 27 | APT3 28 | APT 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | report.perrydale.com 36 | 37 | 38 | 39 | vic.perrydale.com 40 | 41 | 42 | 43 | rpt.perrydale.com 44 | 45 | 46 | 47 | psa.perrydale.com 48 | 49 | 50 | 51 | link.angellroofing.com 52 | 53 | 54 | 55 | 107.20.255.57 56 | 57 | 58 | 59 | 23.99.20.198 60 | 61 | 62 | 63 | 64 | -------------------------------------------------------------------------------- /APT3/README.md: -------------------------------------------------------------------------------- 1 | # APT3 — Operation Double Tap 2 | 3 | Read more about this group and what these indicators mean in FireEye's blog post about them: [https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html](https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html) 4 | 5 | # Demonstrating Hustle 6 | 7 | Read more about this group and what these indicators mean in FireEye's blog post about them: [https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html](https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html) -------------------------------------------------------------------------------- /APT3/db0b6ac6-874a-498e-892b-ac7c2020e061.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | OPERATION DOUBLE TAP (BLOG) 22 | This IOC contains indicators detailed in the blog post "Operation Double Tap" that can be read here: https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html. This IOC contains indicators for a spearphishing campaign carried out by APT3. 23 | 24 | FireEye 25 | 2014-11-21T16:02:16Z 26 | 27 | APT3 28 | APT 29 | Downloader 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | 5a0c4e1925c76a959ab0588f683ab437 37 | 38 | 39 | 40 | 492a839a3bf9c61b7065589a18c5aa8d 41 | 42 | 43 | 44 | 744a17a3bc6dbd535f568ef1e87d8b9a 45 | 46 | 47 | 48 | 5c08957f05377004376e6a622406f9aa 49 | 50 | 51 | 52 | 8849538ef1c3471640230605c2623c67 53 | 54 | 55 | 56 | join.playboysplus.com 57 | 58 | 59 | 60 | inform.bedircati.com 61 | 62 | 63 | 64 | pn.lamb-site.com 65 | 66 | 67 | 68 | securitywap.com 69 | 70 | 71 | 72 | walterclean.com 73 | 74 | 75 | 76 | 192.157.198.103 77 | 78 | 79 | 80 | 192.184.60.229 81 | 82 | 83 | 84 | 198.55.115.71 85 | 86 | 87 | 88 | 210.109.99.64 89 | 90 | 91 | 92 | 104.151.248.173 93 | 94 | 95 | 96 | C:\Users\Public\doc.exe 97 | 98 | 99 | 100 | C:\Users\Public\test.exe 101 | 102 | 103 | 104 | AppData\Local\Temp\notepad1.exe 105 | 106 | 107 | 108 | AppData\Local\Temp\notepad.exe 109 | 110 | 111 | 112 | AppData\Local\Temp\newnotepad.exe 113 | 114 | 115 | 116 | AppData\Local\Temp\notepad2.exe 117 | 118 | 119 | 120 | AppData\Local\Temp\note.txt 121 | 122 | 123 | 124 | c:\Users\aa\Documents\Visual Studio 2008\Projects\MShell\Release\MShell.pdb 125 | 126 | 127 | 128 | c:\Users\aa\Documents\Visual Studio 2008\Projects\4113\Release\4113.pdb 129 | 130 | 131 | 132 | C:\Users\aa\Documents\Visual Studio 2010\Projects\MyRat\Client\Client\obj\x86\Release\Client.pdb 133 | 134 | 135 | 136 | C:\Users\aa\Documents\Visual Studio 2010\Projects 137 | 138 | 139 | 140 | C:\Users\Public\test.exe 141 | 142 | 143 | 144 | 145 | mysc 146 | 147 | 148 | 149 | 150 | TASK_TRIGGER_LOGON 151 | 152 | 153 | 154 | SYSTEM 155 | 156 | 157 | 158 | 159 | 160 | 161 | -------------------------------------------------------------------------------- /APT30/README.md: -------------------------------------------------------------------------------- 1 | # APT30 and the Mechanics of a Long-Running Cyber Espionage Operation 2 | 3 | Read more about this group and what these indicators mean in FireEye's blog post about them: [https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html](https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html) -------------------------------------------------------------------------------- /BlogPosts/0b879284-0c37-4bfa-9dd8-34505a9c5175.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | PYTHON SHELLCODE (DOWNLOADER) 22 | The shellcode launcher is a simple launcher which recieves an encoded shellcode buffer from its C2 server, allocates memory for it and then executes the shellcode. The launcher is written in python and packaged with PyInstaller. You can read more about this downloader at https://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.htmlhttps://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.html 23 | 24 | FireEye 25 | 2015-01-27T19:56:21Z 26 | 27 | Downloader 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | 64a17f5177157bb8c4199d38c46ec93b 35 | 36 | 37 | 38 | Facebook-Account.exe 39 | 40 | 41 | 42 | 80.241.223.128 43 | 44 | 45 | 46 | 47 | -------------------------------------------------------------------------------- /BlogPosts/113e561e-60d2-48db-979d-02f207550125.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | RAZOR BLADES IN THE CANDY JAR (BLOG) 22 | This IOC contains indicators detailed in the blog post "Razor Blades in the Candy Jar" that can be read here: http://www.fireeye.com/blog/technical/2014/11/razor-blades-in-the-candy-jar.html. This IOC contains indicators for domains and IP addresses used to host the Sweet Orange Exploit Kit. 23 | 24 | FireEye 25 | 2014-11-07T13:45:38Z 26 | 27 | Exploit 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | img.lakeforestparkhome.info 35 | 36 | 37 | 38 | micagirl.net 39 | 40 | 41 | 42 | h.micagirl.net 43 | 44 | 45 | 46 | a.micagirl.net 47 | 48 | 49 | 50 | img.kirklandhouse.info 51 | 52 | 53 | 54 | cdn.jameswoodwardmusic.com 55 | 56 | 57 | 58 | cdn.movetoclarksville.com 59 | 60 | 61 | 62 | img.greenwoodhouse.info 63 | 64 | 65 | 66 | src.sandcastlesmagazine.com 67 | 68 | 69 | 70 | src.sheffieldwoods.org 71 | 72 | 73 | 74 | yimg.1stdayofwinter.com 75 | 76 | 77 | 78 | yimg.1208nw199thpl.info 79 | 80 | 81 | 82 | img.broadviewhome.info 83 | 84 | 85 | 86 | cdn2.movetoclarksville.com 87 | 88 | 89 | 90 | 185.22.233.136 91 | 92 | 93 | 94 | 192.185.16.158 95 | 96 | 97 | 98 | 99 | -------------------------------------------------------------------------------- /BlogPosts/4fdb0f45-8151-4941-a9e1-a31e21000659.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | ADS GONE BAD (BLOG) 22 | This IOC contains indicators detailed in the blog post "Ads Gone Bad" that can be read here: https://www.fireeye.com/blog/threat-research/2015/03/ads_gone_bad.html. This IOC contains indicators for domains, IP addresses and a filename used for a malvertising campaign that employs malicious SWF files. The attacker used the CVE-2014-0569 exploit in order to deliver malicious payloads to victims. 23 | 24 | FireEye 25 | 2015-03-02T16:17:41Z 26 | 27 | Exploit 28 | Downloader 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | adserver.alltraveldaily.com 36 | 37 | 38 | 39 | adserver.mensstylebook.com 40 | 41 | 42 | 43 | adserver.recipechart.com 44 | 45 | 46 | 47 | adserver.highspeedtesting.com 48 | 49 | 50 | 51 | adserver.smackchow.com 52 | 53 | 54 | 55 | adserver.easygoodhealth.com 56 | 57 | 58 | 59 | adserver.1000bites.com 60 | 61 | 62 | 63 | adserver.rawdaily.com 64 | 65 | 66 | 67 | adserver.diyfoodvids.com 68 | 69 | 70 | 71 | adserver.worldtotravel.com 72 | 73 | 74 | 75 | adserver.diybaker.com 76 | 77 | 78 | 79 | adserver.trendingwoman.com 80 | 81 | 82 | 83 | adserver.quickmensguide.com 84 | 85 | 86 | 87 | adserver.citybartender.com 88 | 89 | 90 | 91 | adserver.hometechproducts.com 92 | 93 | 94 | 95 | adserver.streetzsavvy.com 96 | 97 | 98 | 99 | adserver.whyresearch.com 100 | 101 | 102 | 103 | adserver.moviesland.com 104 | 105 | 106 | 107 | adserver.femaleinsider.com 108 | 109 | 110 | 111 | adserver.ie-games.com 112 | 113 | 114 | 115 | adserver.elegantrecipes.com 116 | 117 | 118 | 119 | yieidmanager.com 120 | 121 | 122 | 123 | 184.174.122.30 124 | 125 | 126 | 127 | 184.174.124.168 128 | 129 | 130 | 131 | 184.174.122.54 132 | 133 | 134 | 135 | 184.174.124.169 136 | 137 | 138 | 139 | 198.55.119.125 140 | 141 | 142 | 143 | 198.55.119.126 144 | 145 | 146 | 147 | 66.55.129.199 148 | 149 | 150 | 151 | ?d=300x250 152 | 153 | 154 | 155 | ee2un066aepv4.php 156 | 157 | 158 | 159 | 160 | 161 | user_6290 162 | 163 | 164 | 165 | user_6302 166 | 167 | 168 | 169 | 170 | 171 | camp_3698 172 | 173 | 174 | 175 | camp_3693 176 | 177 | 178 | 179 | camp_3674 180 | 181 | 182 | 183 | camp_3709 184 | 185 | 186 | 187 | camp_3830 188 | 189 | 190 | 191 | 192 | 193 | 194 | -------------------------------------------------------------------------------- /BlogPosts/5a8d6878-2649-4ddc-a1f6-c98932a54f91.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | YABROD (DOWNLOADER) 22 | YABROD is the first stage of a two stage downloader. The downloader downloads the second stage, CABLECAR, which uses a PDF embedded in the YABROD binary to extract shellcode and inject it into processes. This injected shellcode downloads and executes a file, while setting a persistence mechanism for the downloaded file. This downloaded file will then extract shellcode for the Metasploit Meterpreter and execute that shellcode. You can read more about these downloaders at https://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.htmlhttps://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.html 23 | 24 | FireEye 25 | 2015-01-27T22:07:02Z 26 | 27 | YABROD 28 | CABLECAR 29 | Downloader 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | Temp\Keyboard-Sounds.exe 37 | 38 | 39 | 40 | Temp\vpn7x32.exe 41 | 42 | 43 | 44 | Temp\GoogleUpdate.exe 45 | 46 | 47 | 48 | Temp\Yabrod.pdf 49 | 50 | 51 | 52 | Keyboard-Sounds.exe 53 | 54 | 55 | 56 | VPN7.exe 57 | 58 | 59 | 60 | 0e24a0060493bcb85ce4a5110550f204 61 | 62 | 63 | 64 | 1328d3d4872bfe2c98fd7b672d8dff1b 65 | 66 | 67 | 68 | 508deeb6a5a37e9f94d5d4733ce0352f 69 | 70 | 71 | 72 | ba02f98166f1fd960d1371b74f4bb367 73 | 74 | 75 | 76 | bc167bca4ca3cf6f2f2bd7e90ecdeb29 77 | 78 | 79 | 80 | bd4769f37de88321a9b64e5f85baf1ef 81 | 82 | 83 | 84 | e0625817eb11874d806909a8c190d45a 85 | 86 | 87 | 88 | f18dedf9f5d213deba18a2e037819ea1 89 | 90 | 91 | 92 | 44df02ac28d80deb45f5c7c48b56a858 93 | 94 | 95 | 96 | 78c5670e2cee9b5c3b88aa9cb27519be 97 | 98 | 99 | 100 | 9d351b9ee731d88f12fcaa64010e828d 101 | 102 | 103 | 104 | greenhill.png 105 | 106 | 107 | 108 | reporthezbolla20072013_pdf.exe 109 | 110 | 111 | 112 | bayan09072013_pdf.exe 113 | 114 | 115 | 116 | 182c7b1ad894852d23f4de538e59ac2b 117 | 118 | 119 | 120 | 4e007cb87626f0093a84ed50b1d27a7f 121 | 122 | 123 | 124 | 125 | -------------------------------------------------------------------------------- /BlogPosts/6037663c-680c-4a28-ad58-40622d206e1d.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | OPERATION POISONED HANDOVER (BLOGPOST) 22 | This IOC contains indicators detailed in the blog post "Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement" that can be read here: http://www.fireeye.com/blog/technical/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html#commentsl . This IOC contains indicators for variants of the KERNELBOT and PISCESE malware families. 23 | 24 | FireEye 25 | 2014-11-02T20:25:48Z 26 | 27 | Beta 28 | Backdoor 29 | Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong's Pro-Democracy Movement 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | 17bc9d2a640da75db6cbb66e5898feb1 37 | 38 | 39 | 40 | 0b54ae49fd5a841970b98a078968cb6b 41 | 42 | 43 | 44 | ecf21054ab515946a812d1aa5c408ca5 45 | 46 | 47 | 48 | e2a4b96cce9de4fb126cfd5f5c73c3ed 49 | 50 | 51 | 52 | cfa3e3471430a0096a4e7ea2e3da6195 53 | 54 | 55 | 56 | cea42fca9a66a5e10af4f3d244ca2c01 57 | 58 | 59 | 60 | 5d4bc88b1e8c549e50422ce1980dd658 61 | 62 | 63 | 64 | 3d1292b1c650539fcd451ed2eeab95a0 65 | 66 | 67 | 68 | 32801f933db886e3714708c1abbbb155 69 | 70 | 71 | 72 | 9f39a5753a9ccf34ee43269112fe8be0 73 | 74 | 75 | 76 | 39bb90140fc0101f49377b6c60076f9d 77 | 78 | 79 | 80 | a98382645f8cecef96b99661a65f646f 81 | 82 | 83 | 84 | d08e038d318b94764d199d7a85047637 85 | 86 | 87 | 88 | c3d6450075d618b1edba17ee723eb3ca 89 | 90 | 91 | 92 | 431b5adff20eb4ad1f1c689201364103 93 | 94 | 95 | 96 | caa5529010c17b969da01ade084794c6 97 | 98 | 99 | 100 | 59762ad384c7d3c50c874495b0687984 101 | 102 | 103 | 104 | dcc81f653bbec27405c9a7b642a557ac 105 | 106 | 107 | 108 | 84bd0809b1dbc2dc86f30d30faaa7e4e 109 | 110 | 111 | 112 | 7436062842323f26d0f8120d9972b0fd 113 | 114 | 115 | 116 | a02a0e8dea14282a51384ef7f48f515c 117 | 118 | 119 | 120 | 76af046753a23522629e09336d6eeead 121 | 122 | 123 | 124 | 6fa782bb0a54a49e8c9699315e24b0d7 125 | 126 | 127 | 128 | \All Users\Application Data\libssp-0.dll 129 | 130 | 131 | 132 | \All Users\Application Data\ctfmon.exe 133 | 134 | 135 | 136 | \All Users\Application Data\readme.txt 137 | 138 | 139 | 140 | \ProgramData\readme.txt 141 | 142 | 143 | 144 | \ProgramData\ctfmon.exe 145 | 146 | 147 | 148 | \ProgramData\libssp-0.dll 149 | 150 | 151 | 152 | QTI International Inc 153 | 154 | 155 | 156 | CallTogether 157 | 158 | 159 | 160 | hk.java-se.com 161 | 162 | 163 | 164 | u.java-se.com 165 | 166 | 167 | 168 | p.java-sec.com 169 | 170 | 171 | 172 | jre76.java-se.com 173 | 174 | 175 | 176 | u.java-se.com 177 | 178 | 179 | 180 | hk.java-se.com 181 | 182 | 183 | 184 | java-se.com 185 | 186 | 187 | 188 | www.sapporo-digital-photoclub.com 189 | 190 | 191 | 192 | www.credo-biz.com 193 | 194 | 195 | 196 | wizapply.com 197 | 198 | 199 | 200 | ninekobe.com 201 | 202 | 203 | 204 | sp.you-maga.com 205 | 206 | 207 | 208 | mizma.co.jp 209 | 210 | 211 | 212 | tommo.jp 213 | 214 | 215 | 216 | shinzenho.jp 217 | 218 | 219 | 220 | nitori-tour.com 221 | 222 | 223 | 224 | luxscena.com 225 | 226 | 227 | 228 | wakayamasatei.com 229 | 230 | 231 | 232 | 124.248.237.26 233 | 234 | 235 | 236 | 223.29.248.9 237 | 238 | 239 | 240 | 112.175.143.2 241 | 242 | 243 | 244 | 112.175.143.9 245 | 246 | 247 | 248 | 211.233.89.182 249 | 250 | 251 | 252 | 253 | c129ea6cbc201406a9a8a296caae0d21 254 | 255 | 256 | 257 | dllhost.exe 258 | 259 | 260 | 261 | 262 | 263 | CurrentVersion\Run 264 | 265 | 266 | 267 | 268 | C:\ProgramData\ctfmon.exe 269 | 270 | 271 | 272 | \All Users\Application Data\ctfmon.exe 273 | 274 | 275 | 276 | dllhost services 277 | 278 | 279 | 280 | 281 | pidgin 282 | 283 | 284 | 285 | ctfmon.exe 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 1685f978149d7ba8e039af9a4d5803c7 294 | 295 | 296 | 297 | ctfmon.exe 298 | 299 | 300 | 301 | 302 | 303 | ctfmon.exe 304 | 305 | 306 | 307 | \libssp-0.dll 308 | 309 | 310 | 311 | 312 | 313 | -------------------------------------------------------------------------------- /BlogPosts/60a6de64-7308-4af1-9003-dc23a73fdf01.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | REVETON (BLOG) 22 | This IOC contains indicators detailed in the blog post "A Different Exploit Angle on Adobe's Recent Zero-Day" that can be read here: https://www.fireeye.com/blog/threat-research/2015/01/a_different_exploit.html. This IOC contains indicators for domains used to host and deliver a payload for the Angler Exploit Kit, and a Reveton ransomware payload. 23 | 24 | FireEye 25 | 2015-02-04T10:40:42Z 26 | 27 | Backdoor 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | 6769a5b4526f3b2b7c6bebbe464f5f6b 35 | 36 | 37 | 38 | neteasymarketing.biz 39 | 40 | 41 | 42 | xmoqu38hasdf0opw.com 43 | 44 | 45 | 46 | temp\tqPx.dll 47 | 48 | 49 | 50 | Software\Microsoft\Windows\CurrentVersion\ACID 51 | 52 | 53 | 54 | 55 | -------------------------------------------------------------------------------- /BlogPosts/6bb9ce5b-94c1-4733-8bb8-dc5be775b190.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | BLACKSTAR (FAMILY) 22 | BLACKSTAR is a dropper which extracts and executes a second dropper in memory, called REDDWARF. REDDWARF then extractes an obfuscated copy of the DarkComet backdoor and executes it in memory; before writing itself (REDDWARF) to disk and setting a persistence mechanism. DarkComet contains standard backdoor functionality such as manipulating processes, services, the registry, and uploading and downloading files, as well as control of webcams and microphones. You can read more about these droppers at https://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.htmlhttps://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.html 23 | 24 | FireEye 25 | 2015-01-21T20:20:24 26 | 27 | BLACKSTAR 28 | Dropper 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | de65eed45ac210c66db8082f1a72db8f 36 | 37 | 38 | 39 | 7576127f8bd805b30d0016d897211f54 40 | 41 | 42 | 43 | e11aeb603cb7a31c2028976a2deed550 44 | 45 | 46 | 47 | 7247d42b3b4632dc7ed9d8559596fff8 48 | 49 | 50 | 51 | a691e4b629da2b37dd87e760bfb0106e 52 | 53 | 54 | 55 | d1f817744f79dad415a526c4ce51bed9 56 | 57 | 58 | 59 | 202eb180f5faa8460941ae60cf63da63 60 | 61 | 62 | 63 | 64eb08013399e3ac18c936d361d80e17 64 | 65 | 66 | 67 | 163595b20debdeccdeaf4cb14fba737c 68 | 69 | 70 | 71 | 97a35a7471e0951ee4ed8581d2941601 72 | 73 | 74 | 75 | c421f4e12892d4ac345e7b03f6a053d2 76 | 77 | 78 | 79 | 39632325327bf21f7d9cf02caf065646 80 | 81 | 82 | 83 | 60aa1cdb1df16179b88be8cf8dbbaf14 84 | 85 | 86 | 87 | 89dda79018d6216970a274b16b3494ad 88 | 89 | 90 | 91 | a641c08e09c53858d16c0c70107979b5 92 | 93 | 94 | 95 | adobereadersetup-86x.exe 96 | 97 | 98 | 99 | DIOKAK 100 | 101 | 102 | 103 | UXLNYL 104 | 105 | 106 | 107 | adobesetup.exe 108 | 109 | 110 | 111 | adobe32en.exe 112 | 113 | 114 | 115 | adobereadersetup-86x.exe 116 | 117 | 118 | 119 | adobex86setup.sfx.exe 120 | 121 | 122 | 123 | google-update.exe 124 | 125 | 126 | 127 | adobereader-86x.exe 128 | 129 | 130 | 131 | adobesetupx86.exe 132 | 133 | 134 | 135 | adobred-86x.exe 136 | 137 | 138 | 139 | adobereader-86x-64x.exe 140 | 141 | 142 | 143 | adobeflash.exe 144 | 145 | 146 | 147 | adobesetup32.exe 148 | 149 | 150 | 151 | adobeinsx86.exe 152 | 153 | 154 | 155 | adobesetupx86.exe 156 | 157 | 158 | 159 | microtec.exe 160 | 161 | 162 | 163 | DC_MUTEX 164 | 165 | 166 | 167 | 168 | CurrentVersion\Run 169 | 170 | 171 | 172 | 1 173 | 174 | 175 | 176 | RunOnce 177 | 178 | 179 | 180 | 181 | 182 | -------------------------------------------------------------------------------- /BlogPosts/9a7a6929-25ea-4254-a300-13fd6b39c490.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | ANATOMY OF A BRUTE FORCE CAMPAIGN (BLOG) 22 | This IOC contains indicators detailed in the blog post "Anatomy of a Brute Force Campaign: The Story of Hee Thai Limited" that can be read here https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html. This IOC contains indicators from the blog post . The FileItem terms for this indicator are applicable to Linux hosts. 23 | 24 | FireEye 25 | 2015-02-04T21:44:18Z 26 | 27 | Backdoor 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | heethai.com 35 | 36 | 37 | 38 | buhenge.com 39 | 40 | 41 | 42 | rxxiaoao.com 43 | 44 | 45 | 46 | hcxiaoao.com 47 | 48 | 49 | 50 | info.3000uc.com 51 | 52 | 53 | 54 | wangzongfacai.com 55 | 56 | 57 | 58 | navert0p.com 59 | 60 | 61 | 62 | dsaj2a.com 63 | 64 | 65 | 66 | dsaj2a.org 67 | 68 | 69 | 70 | dsaj2a1.org 71 | 72 | 73 | 74 | /etc/cron.hourly/cron.sh 75 | 76 | 77 | 78 | /etc/cron.hourly/udev.sh 79 | 80 | 81 | 82 | /lib/libgcc4.4.so 83 | 84 | 85 | 86 | /lib/libgcc4.so 87 | 88 | 89 | 90 | /lib/libgcc.so.bak 91 | 92 | 93 | 94 | /lib/libgcc.so 95 | 96 | 97 | 98 | 103.41.124. 99 | 100 | 101 | 102 | 103.25.9.228 103 | 104 | 105 | 106 | 103.25.9.229 107 | 108 | 109 | 110 | 111 | /check.action? 112 | 113 | 114 | 115 | iid= 116 | 117 | 118 | 119 | kernel= 120 | 121 | 122 | 123 | 124 | 125 | mod_unload 126 | 127 | 128 | 129 | modversions 130 | 131 | 132 | 133 | username 134 | 135 | 136 | 137 | password 138 | 139 | 140 | 141 | 142 | /submit.action 143 | 144 | 145 | 146 | /compiler.action 147 | 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /BlogPosts/9cee306d-5441-4cd3-932d-f3119752634c.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | IRONGATE (FAMILY) 22 | IRONGATE is a tool that targets biogas.exe programs by replacing the Step7ConMgr.dll library with a malicious one. The malicious Step7ConMgr.dll library performs DLL hijacking where it records data and replays it back to the parent program. The malicious Step7ConMgr.dll library also sends data to what is suspected to be the simulated or controlled device. This IOC contains indicators detailed in the blog post "IRONGATE ICS Malware: Nothing to See Here, Masking Malicious Activity on SCADA Systems" that can be read here: https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html 23 | 24 | FireEye 25 | 2015-08-21T16:39:02Z 26 | 27 | IRONGATE 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | EDA021ACACA81AE99E39ECCDA0163295 35 | 36 | 37 | 38 | 9B588ADB1D0AE72CEB4051031FD1F1F3 39 | 40 | 41 | 42 | EC07A5ECB182960777007AFE2C077A1D 43 | 44 | 45 | 46 | 026BC58300DE02455937CEF46405F065 47 | 48 | 49 | 50 | A79596BCCA537FA3FA45037F4855FD00 51 | 52 | 53 | 54 | Step7ConMgr.dll 55 | 56 | 57 | 58 | scomma scxrt2.ini 59 | 60 | 61 | 62 | 957581FB38A4E76E84F60E2BB19B9499 63 | 64 | 65 | 66 | 75D118996F5190EDAFCA1B1904A7EEA8 67 | 68 | 69 | 70 | 9F37E1EA08E6A4AE03E9FEBA6D1F6259 71 | 72 | 73 | 74 | 3152F21D701A2397E7B22711B8019B82 75 | 76 | 77 | 78 | EF2A97512FDB45CD26089AD2FF61F1CC 79 | 80 | 81 | 82 | 41906403206EA5C7DCDBFAE230ADD9FA 83 | 84 | 85 | 86 | 874F7BCAB71F4745EA6CDA2E2FB5A78C 87 | 88 | 89 | 90 | 7C51474E6560C51DFC815D4A227BA1AA 91 | 92 | 93 | 94 | update_no_pipe.exe 95 | 96 | 97 | 98 | PackagingModule.exe 99 | 100 | 101 | 102 | scxrt2.ini 103 | 104 | 105 | 106 | 107 | 1F338BDD92F08803A2AC7022A34D98FD 108 | 109 | 110 | 111 | install.exe 112 | 113 | 114 | 115 | 116 | 117 | 7A0C1017E6B5BB5DC776B3B883A1D0E0 118 | 119 | 120 | 121 | audiodg.exe 122 | 123 | 124 | 125 | 126 | 127 | scada.exe 128 | 129 | 130 | 131 | mscoree.dll 132 | 133 | 134 | 135 | 136 | 137 | -------------------------------------------------------------------------------- /BlogPosts/README.MD: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mandiant/iocs/d5f1e4c28d0f0afea459a4e26875cbde3a4bf010/BlogPosts/README.MD -------------------------------------------------------------------------------- /BlogPosts/b513e829-b023-426a-b7d4-accd511be3c0.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | CVE-2015-5122 SOGU (BLOG) 22 | This IOC detailed in the blog post "Second Adobe Flash Zero-Day CVE-2015-5122 from HackingTeam Exploited in Strategic Web Compromise Targeting Japanese Victims" that can be read here:https://www.fireeye.com/blog/threat-research/2015/07/second_adobe_flashz.html. This IOC contains indicators for domains, IP addresses and file names used for a campaign that employs malicious SWF files. The attacker used the CVE-2015-5122 exploit in order to deliver malicious SOGU payloads to victims. 23 | 24 | FireEye 25 | 2015-07-16T19:11:59Z 26 | 27 | Backdoor 28 | APT 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | 5a22e5aee4da2fe363b77f1351265a00 36 | 37 | 38 | 39 | amxil.opmuert.org 40 | 41 | 42 | 43 | 54.169.89.240 44 | 45 | 46 | 47 | www.ihcsa.or.jp 48 | 49 | 50 | 51 | cosmetech.co.jp 52 | 53 | 54 | 55 | appdata\local\rdws.exe 56 | 57 | 58 | 59 | application data\rdws.exe 60 | 61 | 62 | 63 | 64 | 413696 65 | 66 | 67 | 68 | 2015-07-13T08:11:01Z 69 | 70 | 71 | 72 | 73 | 74 | ZucFCoeHa8KvZcj1FO838HN 75 | 76 | 77 | 78 | *wz4xSdmm1 79 | 80 | 81 | 82 | 83 | 84 | -------------------------------------------------------------------------------- /BlogPosts/de99badf-b448-49e7-885a-4d8688ddf02d.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | SFX DROPPERS (DROPPER) 22 | SFXRAR Droppers used to deploy BLACKSTAR and ONSIZE malware families. The droppers contain a decoy document, and second password protected SFXRAR containing the malware. You can read more about these droppers at https://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.htmlhttps://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.html 23 | 24 | FireEye 25 | 2015-01-29T20:34:02 26 | 27 | Dropper 28 | Apache 2.0 29 | 30 | 31 | 32 | 33 | 34 | 0187be3ccf42c143ab96e7bbf2efbf2f 35 | 36 | 37 | 38 | 0cc7b05c220ecbeb52891d49f1ab41ab 39 | 40 | 41 | 42 | 29e79080b2b2de01b53223542b46d570 43 | 44 | 45 | 46 | 2a456e35918700bc76f6ec1dd9ea93a1 47 | 48 | 49 | 50 | 36875b44145cf20b8d3148e7f7efcea0 51 | 52 | 53 | 54 | 3ffc4e4081854d04d8217c2ebabdd61d 55 | 56 | 57 | 58 | 4268e2a8209429155ef5df22ca17c0be 59 | 60 | 61 | 62 | 465a0bf22cd101dbd502a2576f10ceb4 63 | 64 | 65 | 66 | 4cd035012ec6015e48f6fb7001330a95 67 | 68 | 69 | 70 | 4d70791db506cb04e62b607e1f57699c 71 | 72 | 73 | 74 | 5e334057856967a5d31c266c550549b0 75 | 76 | 77 | 78 | 6439ccba5b06e434953ba209b8b07107 79 | 80 | 81 | 82 | 6608ce246612d490f3b044627a5e6d9e 83 | 84 | 85 | 86 | 692265ba1d4a5b2773e596d3491ed2be 87 | 88 | 89 | 90 | 7091f135e4718586d16b56c04b21a6b7 91 | 92 | 93 | 94 | 8a0a36d0d1d91b357e5ce8f84ad16346 95 | 96 | 97 | 98 | 931bafa20756eaf8b5371222b5b81a61 99 | 100 | 101 | 102 | 980c6e7f8a10144a28730f3f0adb99d0 103 | 104 | 105 | 106 | 99655bacbe845ad30c6c5ed56a7e13d4 107 | 108 | 109 | 110 | a19e70ffa130a096753463b23733927d 111 | 112 | 113 | 114 | a577701d4b5ada66912a242a7772b48a 115 | 116 | 117 | 118 | a9e5ec23ccdec9cd79af771e2dbf54d5 119 | 120 | 121 | 122 | c79ad54dead0b446fe8fac60cbd133a7 123 | 124 | 125 | 126 | c808ef1ab997d0234ee889ecd5176c8e 127 | 128 | 129 | 130 | d023fc719fba710b44f140deff3f83e4 131 | 132 | 133 | 134 | d32aaf60744678e559db59fbe2daa938 135 | 136 | 137 | 138 | d87356940d3b15d87453ead6374691ab 139 | 140 | 141 | 142 | dc33cbf669df01302ddd124b028a4fd9 143 | 144 | 145 | 146 | e403972c890cf2eb0a361a91ac5ffe5e 147 | 148 | 149 | 150 | e41c913327e6974730da99e7c327a2a2 151 | 152 | 153 | 154 | e65bdb88e606c45521ab2c04c650ed86 155 | 156 | 157 | 158 | ef56383f53b7ccb08016737c98fe2982 159 | 160 | 161 | 162 | 27c2b873849227de45ec10fca112f322 163 | 164 | 165 | 166 | 47702a6cdc59859ec97c99aa31148ae6 167 | 168 | 169 | 170 | 4bd3ea86eb7d63b1bdd001e6adbe8b89 171 | 172 | 173 | 174 | 57cbbe8e7d18b1980cfc4bc87121b2c7 175 | 176 | 177 | 178 | 5ae84cadc1ea5a4bcc027a19eca514c5 179 | 180 | 181 | 182 | 63fb57fd90590c3c0d0d95d86b6df66d 183 | 184 | 185 | 186 | 748b8aca1c17415648b80f0038381097 187 | 188 | 189 | 190 | 81ef5426583e1d6df4193f38402b40c1 191 | 192 | 193 | 194 | 9491c4e0c08c9347421ae352f14a1329 195 | 196 | 197 | 198 | a1e0d40715f66f30aad44ab4c15a474a 199 | 200 | 201 | 202 | b23b16b3cccba9c1ecd0c0d17cc48979 203 | 204 | 205 | 206 | b9623abd519ee688e0b9d9350c83e209 207 | 208 | 209 | 210 | d4b4367f874c9c8d645b1560f9d259ea 211 | 212 | 213 | 214 | d620deacd018da09a69e24cb978f556d 215 | 216 | 217 | 218 | d672e9789f22b806a295f0dd2122316a 219 | 220 | 221 | 222 | e2a624302af7a3eeb59cbb58f36b0fac 223 | 224 | 225 | 226 | f7f8538d2ab0ffee878a4e512230f97d 227 | 228 | 229 | 230 | f893d5d351a3ffc1f89a8ec8147cd060 231 | 232 | 233 | 234 | fda3816d0bac2e4791cbcfaf33416633 235 | 236 | 237 | 238 | ff97bc797ed27b5e21e4e4a6e7443219 239 | 240 | 241 | 242 | idm-en-setup.exe 243 | 244 | 245 | 246 | IslamArmyThem.exe 247 | 248 | 249 | 250 | Keyboard-Sounds.exe 251 | 252 | 253 | 254 | Pdf-to-Word-Converter.exe 255 | 256 | 257 | 258 | from-aliwa2-doctor-salim-dris-to-whom-it-may-concern.exe 259 | 260 | 261 | 262 | diplaced-syrian-people-cod.exe 263 | 264 | 265 | 266 | Displaced-Syrians-Suffering_cod.exe 267 | 268 | 269 | 270 | install_flashplayer11x32_gdrd_aih.exe 271 | 272 | 273 | 274 | JetCleanSetup.exe 275 | 276 | 277 | 278 | Maktal-Kiyadi-Barez-men-hizbillah-fi-ltafgir-l2akhir-fi-ldahya12300012.exe 279 | 280 | 281 | 282 | AdobeReader-9-En-Us.exe 283 | 284 | 285 | 286 | Eye-Protector-Portial-Setup.exe 287 | 288 | 289 | 290 | Billiards.exe 291 | 292 | 293 | 294 | New-Iman-Picture.pif 295 | 296 | 297 | 298 | Live-Chat-ooVoo-Setup.exe 299 | 300 | 301 | 302 | nazhin.exe 303 | 304 | 305 | 306 | Video-Downloader.exe 307 | 308 | 309 | 310 | Amer-Mohemmeh.exe 311 | 312 | 313 | 314 | Russia-vs-Amerika.exe 315 | 316 | 317 | 318 | google-update.sfx.exe 319 | 320 | 321 | 322 | adobereadersetup-86x.sfx.exe 323 | 324 | 325 | 326 | adobeflash.sfx.exe 327 | 328 | 329 | 330 | oovoo-setup.sfx.exe 331 | 332 | 333 | 334 | microtec.sfx.exe 335 | 336 | 337 | 338 | Microsoft-Update.sfx.exe 339 | 340 | 341 | 342 | adobesetup.sfx.exe 343 | 344 | 345 | 346 | adobesetupx86.sfx.exe 347 | 348 | 349 | 350 | office-word-update.sfx.exe 351 | 352 | 353 | 354 | update-flashplayer11.sfx.exe 355 | 356 | 357 | 358 | adobereader-86x.sfx.exe 359 | 360 | 361 | 362 | adobesetup32.sfx.exe 363 | 364 | 365 | 366 | adobe32en.sfx.exe 367 | 368 | 369 | 370 | adobereader-86x-64x.sfx.exe 371 | 372 | 373 | 374 | adobred-86x.sfx.exe 375 | 376 | 377 | 378 | Syrian-Girl-Against-Regime 379 | 380 | 381 | 382 | Syrian-chlidren-under-execution 383 | 384 | 385 | 386 | 1bffa6c711df066663df09f23620f2e1 387 | 388 | 389 | 390 | 3230c89656f38f66270dca06aa881823 391 | 392 | 393 | 394 | 715618e15ce6109d45396302c4914b3b 395 | 396 | 397 | 398 | 7609f31d5e99eb5cca319af7cfa4795d 399 | 400 | 401 | 402 | 89dda79018d6216970a274b16b3494ad 403 | 404 | 405 | 406 | e11aeb603cb7a31c2028976a2deed550 407 | 408 | 409 | 410 | ec12a7ec64f2b2a082a1854995e00817 411 | 412 | 413 | 414 | f96bfc861e90c12040da602348837adf 415 | 416 | 417 | 418 | AdobeSetupx86.exe 419 | 420 | 421 | 422 | Temp\AdobeSetup32.sfx.exe 423 | 424 | 425 | 426 | Temp\horr2.jpg 427 | 428 | 429 | 430 | Start Menu\Programs\Google\Google Update.exe 431 | 432 | 433 | 434 | 435 | Google Update.exe 436 | 437 | 438 | 439 | Start Menu\Programs\Google 440 | 441 | 442 | 443 | 444 | 445 | Start Menu\Programs\Google\Google Update.exe 446 | 447 | 448 | 449 | Software\Microsoft\Windows NT\CurrentVersion\Winlogon 450 | 451 | 452 | 453 | UserInit 454 | 455 | 456 | 457 | 458 | 459 | CurrentVersion\Run 460 | 461 | 462 | 463 | Start Menu\Programs\Google\Google Update.exe 464 | 465 | 466 | 467 | GoogleUpdate 468 | 469 | 470 | 471 | 472 | 473 | -------------------------------------------------------------------------------- /BlogPosts/e598231d-8584-4535-a0de-94e822f04c0b.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | ONESIZE (KEYLOGGER) 22 | ONESIZE is a user-mode keylogger which utilizes GetAsyncKeyState in order to capture keystrokes. The keylogging functionality may have been derived from the UniLogger source code, which gives ONESIZE the ability to log Unicode characters; giving ONESIZE the ability to log languges such as Arabic, Chinese or Russian. ONESIZE wil periodically upload its logfile to its C2 server. You can read more about this keylogger at https://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.htmlhttps://www.fireeye.com/blog/threat-research/2015/02/behind_the_syrianco.html 23 | 24 | FireEye 25 | 2015-01-27T16:01:23 26 | 27 | Keylogger 28 | ONESIZE 29 | Apache 2.0 30 | 31 | 32 | 33 | 34 | 35 | 6b5aabd26998568d9ca628713b53cacf 36 | 37 | 38 | 39 | b68a7e216cb0d18030048935b67e0d68 40 | 41 | 42 | 43 | flashplayer11x32_gdrd_aih.exe 44 | 45 | 46 | 47 | Microsoft-Update.exe 48 | 49 | 50 | 51 | Local Settings\Temp\Keys.txt 52 | 53 | 54 | 55 | AppData\Local\Temp\Keys.txt 56 | 57 | 58 | 59 | Microsoft-Update.exe 60 | 61 | 62 | 63 | flashplayer11x32_gdrd_aih.exe 64 | 65 | 66 | 67 | 80.241.223.128 68 | 69 | 70 | 71 | 72 | -------------------------------------------------------------------------------- /BlogPosts/operation_poisoned_handover.yara: -------------------------------------------------------------------------------- 1 | rule callTogether_certificate 2 | { 3 | meta: 4 | author = "Fireeye Labs" 5 | version = "1.0" 6 | reference_hash = "d08e038d318b94764d199d7a85047637" 7 | description = "detects binaries signed with the CallTogether certificate" 8 | strings: 9 | $serial = {452156C3B3FB0176365BDB5B7715BC4C} 10 | $o = "CallTogether, Inc." 11 | condition: 12 | $serial and $o 13 | } 14 | 15 | rule qti_certificate 16 | { 17 | meta: 18 | author = "Fireeye Labs" 19 | reference_hash = "cfa3e3471430a0096a4e7ea2e3da6195" 20 | description = "detects binaries signed with the QTI International Inc certificate" 21 | strings: 22 | $cn = "QTI International Inc" 23 | $serial = { 2e df b9 fd cf a0 0c cb 5a b0 09 ee 3a db 97 b9 } 24 | condition: 25 | $cn and $serial 26 | } 27 | -------------------------------------------------------------------------------- /FIN4/MACROCHECK.yara: -------------------------------------------------------------------------------- 1 | rule MACROCHECK 2 | { 3 | meta: 4 | description = "Identify office documents with the MACROCHECK credential stealer in them. It can be run against .doc files or VBA macros extraced from .docx files (vbaProject.bin files)." 5 | author = "Fireeye Labs" 6 | version = "1.0" 7 | 8 | strings: 9 | $PARAMpword = "pword=" ascii wide 10 | $PARAMmsg = "msg=" ascii wide 11 | $PARAMuname = "uname=" ascii 12 | $userform = "UserForm" ascii wide 13 | $userloginform = "UserLoginForm" ascii wide 14 | $invalid = "Invalid username or password" ascii wide 15 | $up1 = "uploadPOST" ascii wide 16 | $up2 = "postUpload" ascii wide 17 | 18 | condition: 19 | all of ($PARAM*) or (($invalid or $userloginform or $userform) and ($up1 or $up2)) 20 | } -------------------------------------------------------------------------------- /FIN4/README.md: -------------------------------------------------------------------------------- 1 | # FIN4 - Hacking The Street: FIN4 Likely Playing the Market 2 | 3 | Read more about this group and what these indicators mean in FireEye's white paper about them: [https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html](https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html) -------------------------------------------------------------------------------- /FIN4/fb0699e2-23a6-40f9-bf96-4514d629eec3.ioc: -------------------------------------------------------------------------------- 1 | 2 | 20 | 21 | HACKING THE STREET (REPORT) 22 | This IOC contains indicators detailed in the white paper "Hacking The Street: FIN4 Likely Playing the Market" that can be read here: https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.htmll . This IOC contains DNS entires that are controlled by the FIN4 group. 23 | 24 | FireEye 25 | 2014-11-28T18:38:17Z 26 | 27 | Finance 28 | FIN4 29 | Credential Stealer 30 | Apache 2.0 31 | 32 | 33 | 34 | 35 | 36 | ellismikepage.info 37 | 38 | 39 | 40 | lifehealthsanfrancisco2015.com 41 | 42 | 43 | 44 | rpgallerynow.info 45 | 46 | 47 | 48 | dmforever.biz 49 | 50 | 51 | 52 | msoutexchange.us 53 | 54 | 55 | 56 | junomaat81.us 57 | 58 | 59 | 60 | outlookscansafe.net 61 | 62 | 63 | 64 | outlookexchange.net 65 | 66 | 67 | 68 | nickgoodsite.co.uk 69 | 70 | 71 | 72 | 73 | msg= 74 | 75 | 76 | 77 | uname= 78 | 79 | 80 | 81 | pword= 82 | 83 | 84 | 85 | 86 | 87 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Readme for IOCs to accompany FireEye blog and other public posts. 2 | 3 | IOCs in this repository are provided under the Apache 2.0 license. 4 | 5 | Please read the license and disclaimers before using the IOCs in this repository. 6 | 7 | --------------------------------------------------------------------------------