neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

License: Other

Languages: YARA 99.84%, Python 0.14%, Makefile 0.02%
Topics: signature, yara-rules, ioc, scanner, yara, anti-virus, hash, threat-hunting, threat-intelligence, dfir

signature-base's Introduction


Signature-Base

Signature-Base is the YARA signature and IOC database for our scanners LOKI and THOR Lite.

Focus of Signature-Base

  1. High quality YARA rules and IOCs with minimal false positives
  2. Clear structure
  3. Consistent rule format

Directory Structure

  • iocs - Simple IOC files (CSV)
  • yara - YARA rules
  • threatintel - Threat Intel API Receiver (MISP, OTX)
  • misc - Other input files (not IOCs or signatures)

External Variables in YARA Rules

The rules in this repository are written for LOKI and THOR Lite, which hand YARA a set of external variables describing the scanned object (its file name, path and extension, for example). Loading them in plain yara, or in any other tool that does not define those variables, fails at compile time with an error such as undefined identifier "filename". The rules that use external variables are confined to the following files:

  • ./yara/generic_anomalies.yar
  • ./yara/general_cloaking.yar
  • ./yara/gen_webshells_ext_vars.yar
  • ./yara/thor_inverse_matches.yar
  • ./yara/yara_mixed_ext_vars.yar
  • ./yara/configured_vulns_ext_vars.yar
  • ./yara/gen_fake_amsi_dll.yar
  • ./yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
  • ./yara/yara-rules_vuln_drivers_strict_renamed.yar

If you see that error, either remove these files or define the variables yourself: the yara command line accepts -d identifier=value for each one, and yara-python takes an externals dictionary in yara.compile(). Every external referenced by the files you load must be defined; a missing one stops compilation at the first undefined identifier.
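To find out which rule files need which variables before loading them elsewhere, the script below, added here as an example (it is not part of signature-base, LOKI or THOR), parses each rule's condition and reports the identifiers that are neither YARA keywords, string references, imported modules, loop variables nor other rule names; whatever is left over is an external variable. The externals dictionary it passes to yara-python (filename, filepath, extension, filetype, md5, owner) is my understanding of what LOKI supplies and is an assumption to verify against your scanner's source. The sample rules embedded at the bottom are constructed for this example, and the parser assumes the closing brace of each rule stands alone on its own line, which is the usual rule layout.

```python
"""Find the external variables each YARA rule needs before loading it elsewhere.
Added example for this README section; not signature-base, LOKI or THOR code."""
import re

# YARA reserved words and built-ins that appear as bare identifiers in a
# condition but are never external variables.
KEYWORDS = {
    "all", "and", "any", "ascii", "at", "base64", "base64wide", "condition",
    "contains", "defined", "endswith", "entrypoint", "false", "filesize",
    "for", "fullword", "global", "icontains", "iendswith", "iequals",
    "import", "in", "include", "int16", "int16be", "int32", "int32be",
    "int8", "int8be", "istartswith", "matches", "meta", "nocase", "none",
    "not", "of", "or", "private", "rule", "startswith", "strings", "them",
    "true", "uint16", "uint16be", "uint32", "uint32be", "uint8", "uint8be",
    "wide", "with", "xor", "KB", "MB",
}

# Assumption: the closing brace of every rule stands alone on its own line.
RULE_RE = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)[^{]*\{(.*?)^[ \t]*\}[ \t]*$",
    re.S | re.M,
)
IMPORT_RE = re.compile(r'^[ \t]*import[ \t]+"(\w+)"', re.M)
# An identifier not preceded by a string sigil ($ # @ !) or a module dot.
IDENT_RE = re.compile(r"(?<![\w.$#@!])[A-Za-z_]\w*")
LOOP_VAR_RE = re.compile(r"\bfor\s+(?:any|all|none|\d+)\s+([\w,\s]+?)\s+in\b")


def _condition_text(body):
    """Return the condition section with regex/string literals and comments blanked."""
    m = re.search(r"\bcondition\s*:\s*(.*)\Z", body, re.S)
    if not m:
        return ""
    cond = re.sub(r"\bmatches\s*/(?:\\.|[^/\\\n])*/[is]*", "matches", m.group(1))
    cond = re.sub(r'"(?:\\.|[^"\\])*"', '""', cond)
    cond = re.sub(r"/\*.*?\*/", " ", cond, flags=re.S)
    return re.sub(r"//[^\n]*", " ", cond)


def externals_per_rule(text):
    """Map rule name -> sorted externals it references; rules without any are omitted."""
    modules = set(IMPORT_RE.findall(text))
    rules = RULE_RE.findall(text)
    rule_names = {name for name, _ in rules}
    found = {}
    for name, body in rules:
        cond = _condition_text(body)
        loop_vars = {v.strip() for grp in LOOP_VAR_RE.findall(cond) for v in grp.split(",")}
        ext = set(IDENT_RE.findall(cond)) - KEYWORDS - modules - rule_names - loop_vars
        if ext:
            found[name] = sorted(ext)
    return found


def scan_rule_files(paths):
    """Map rule file -> externals_per_rule() result, for files that need externals."""
    out = {}
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            needed = externals_per_rule(fh.read())
        if needed:
            out[p] = needed
    return out


# Assumption: the externals LOKI defines for each scanned file; the values are
# placeholders for one object. Check your own scanner's source for its set.
LOKI_STYLE_EXTERNALS = {
    "filename": "report.pdf", "filepath": "C:\\Users\\x\\report.pdf",
    "extension": ".pdf", "filetype": "PDF",
    "md5": "d41d8cd98f00b204e9800998ecf8427e", "owner": "x",
}


def compile_with_externals(source, externals=LOKI_STYLE_EXTERNALS):
    """Compile with yara-python; every external must be declared at compile time."""
    import yara  # pip install yara-python
    return yara.compile(source=source, externals=externals)


# Constructed sample rules for this example (not signature-base rules).
SAMPLE_RULES = r'''
import "pe"

rule Sample_Cloaked_Binary : constructed
{
    strings:
        $mz = { 4D 5A }
    condition:
        $mz at 0 and filesize < 2MB
        and filename matches /\.(txt|jpg|pdf)$/i
        and not filetype == "EXE"
        and pe.number_of_sections > 2
}

rule Sample_Webshell_Ext
{
    strings:
        $s1 = "eval(base64_decode(" ascii
    condition:
        extension == ".php" and $s1 and not Sample_Cloaked_Binary
}

rule Sample_Plain_Rule
{
    strings:
        $a = "mimikatz" ascii wide
    condition:
        uint16(0) == 0x5a4d and for any i in (0..2) : ( @a[i] < 1000 )
}
'''

if __name__ == "__main__":
    import sys
    targets = scan_rule_files(sys.argv[1:]) if sys.argv[1:] else {"<sample>": externals_per_rule(SAMPLE_RULES)}
    for path, rules in targets.items():
        for rule, ext in rules.items():
            print(f"{path}: {rule} needs {', '.join(ext)}")
```

Run it as python3 find_externals.py yara/*.yar to list, per file and rule, what has to be defined; on the yara command line the same declarations are passed as -d filename=report.pdf -d extension=.pdf and so on. Note that yara-python fixes the type of each external (string, integer or boolean) from the value given at compile time, and rules.match() can then override only the values, not the set of names.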

High Quality YARA Rules Feed

If you like these rules, have a look at our commercial rule set and rule feed service, which contains higher-quality rules and about 20 times as many of them.

FAQs

How can I report false positives?

Use the issues section of this repository.

How can I help with bugs in rules?

Navigate to the file in this repository. Click on the "edit" symbol in the upper right corner. Edit the file and create a pull request.

How can I provide a YARA rule or IOCs?

I accept pull requests. See this thread for some help on how to create such a request.

What are the differences between THOR Lite and LOKI?

See our comparison table here.

License

On 13.08.2021 this repository switched its license to "Detection Rule License (DRL) 1.1" (URL: https://raw.githubusercontent.com/Neo23x0/signature-base/master/LICENSE). The last version of the rule set released under the old CC-BY-NC can be found here.

All signatures and IOC files in this repository, except the YARA rules that explicitly indicate a different license (see "license" meta data), are licensed under the Detection Rule License (DRL) 1.1.

signature-base's People

Contributors

0xthiebaut, 3c7, bodziurity, cod3nym, dr4k0nia, forensicitguy, fryyyyy, humpalum, imp0rtp3, johnlatwc, jonaslejon, mazahaka-jay, moettle, msenturk, nasbench, neo23x0, phantinuss, r00t0vi4, ruppde, s3c, secdre4mer, svch0stz, tylabs, wesdawg, wesinator, x-junior, yazgoo, yt0ng, zachsis, zeklomontu


signature-base's Issues

get-misp-iocs.py 'An Internal Error Has Occurred'

Error trying to collect MISP IOCs from CIRCL using threatintel/get-misp-iocs.py

[root@myhost signature-base-master]# python36 threatintel/get-misp-iocs.py 

CRITICAL [api.py:243 - _check_response() ] Unknown error: the response is not in JSON.
Something is broken server-side, please send us everything that follows (careful with the auth key):
Request headers:
{'User-Agent': 'PyMISP 2.4.101 - Python 3.6.6', 'Accept-Encoding': 'gzip, deflate', 'Accept': 'application/json', 'Connection': 'keep-alive', 'Content-Length': '15', 'Authorization': 'REDACTED', 'content-type': 'application/json'}
Request body:
{"last": "30d"}
Response (if any):
{'name': 'An Internal Error Has Occurred.', 'message': 'An Internal Error Has Occurred.', 'url': '/events/restSearch/download'}
Traceback (most recent call last):
  File "threatintel/get-misp-iocs.py", line 195, in <module>
    misp_receiver.get_iocs_last(args.l)
  File "threatintel/get-misp-iocs.py", line 48, in get_iocs_last
    self.events = result['response']
KeyError: 'response'

signature-base/iocs/otx-c2-iocs.txt

Hey Neo23x0,

Could you please fix these entries? Looks like they are tied together.

Thanks

domainsaccount.google.com.gmgoogle.comie.update-windows-microsoft.commail.upgoogle.comsupport.outlook-microsoft.comhelp.outlook-microsoft.comoem.outlook-microsoft.comwindws-microsoft.com
domainsapplemedia1218.comavssync3357.combbmdroid.combbmsync2727.combluesync2121.comeastmedia1221.comeastmedia3347.co.cceastmedia3347.comfacemedia.co.cckssync3343.comkssync3347.co.cckssync3347.commahee.kssync3343.co.ccmvssync8767.com

AttributeError: 'PyMISP' object has no attribute 'download_last'

Traceback (most recent call last):
  File ".\get-misp-iocs.py", line 195, in <module>
    misp_receiver.get_iocs_last(args.l)
  File ".\get-misp-iocs.py", line 47, in get_iocs_last
    result = self.misp.download_last(last)
AttributeError: 'PyMISP' object has no attribute 'download_last'

False positive Suspicious_Size_svchost_exe

[WARNING]
FILE: C:\Windows\WinSxS\amd64_microsoft-windows-services-svchost_31bf3856ad364e35_10.0.17134.556_none_975be06a5b67a894\svchost.exe
SCORE: 60 TYPE: EXE SIZE: 85472
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
MD5: 0861726716c9610ce5f6bcf3f4858da1
SHA1: c02ec813b2e6cba92e1c72376850737df204d4c5
SHA256: 29f04d5f4b8d798038cb9647178a8b9c68e16dc50da850937f6e993fc7967b75
CREATED: Sun Jan 20 16:29:31 2019 MODIFIED: Sun Jan 20 16:29:31 2019

REASON_1: Yara Rule
MATCH: Suspicious_Size_svchost_exe SUBSCORE: 60
DESCRIPTION: Detects uncommon file size of svchost.exe
REF: -

FP from otx-hash-ioc

Hi,

otx-hash-ioc, line 8841:
A11A2F0CFE6D0B4C50945989DB6360CD;ARP Spoofing Used to Insert Malicious Adverts https://www.alienvault.com/blogs/labs-research/arp-spoofing-used-to-insert-malic

It seems to be the WinPcap 4.1.3 installer: https://www.winpcap.org/install/default.htm
Tried to contact the blog article author on www.alienvault.com to discuss this, no luck yet.

Thanks for Loki and keeping the rules up to date by the way.

False positive: Detects possible shortcut usage for .URL persistence

FILE: [PATH]\Estudios Archives - SMART CITIES.url
Estudios Archives - SMART CITIES.zip
SCORE: 100 TYPE: UNKNOWN SIZE: 221
FIRST_BYTES: 5b7b30303032313441302d303030302d30303030 / [{000214A0-0000-0000
MD5: c4a8424639efc494001d6ee131ed5958
SHA1: 0ae03bc8c5b0201f72e09db5e3dd446f57cb6608
SHA256: d72031fd58a3e914b57ba34dd86afc94102fd596901edbc8a2bddc3c17d56f2f CREATED: Sun May 12 20:18:10 2019 MODIFIED: Fri Jun 28 19:21:09 2019 ACCESSED: Mon Dec 9 19:09:47 2019
REASON_1: Yara Rule MATCH: Methodology_Suspicious_Shortcut_IconRemote_HTTP SUBSCORE: 50
DESCRIPTION: Detects possible shortcut usage for .URL persistence REF: https://twitter.com/cglyer/status/1176184798248919044

fp about two rules

SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: ApplicationFrameHost.exe DESC: - PID: 5180 CMD: C:\Windows\system32\ApplicationFrameHost.exe -Embedding RULE: hatman_dividers

SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: WeChat.exe DESC: - PID: 2964 CMD: "D:\Program Files (x86)\Tencent\WeChat\WeChat.exe" RULE: hatman_dividers
Download url https://dldir1.qq.com/weixin/Windows/WeChatSetup.exe

SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: TencentDocs.exe DESC: - PID: 10340 CMD: "C:\Program Files (x86)\Tencent\TencentDocs\TencentDocs.exe" --minibrowsertype=browser --channel=722318 --client-id=qq --user-agent-extra=TxDocsPC/1.0.0.300 --no-sandbox /prefetch:1 --cache-path=C:\Users\xxx\AppData\Local\Tencent\TencentDocs\UserData RULE: hatman_dividers
Download url https://qd.myapp.com/myapp/qqteam/TencentDocs/Down/TencentDocsSetup.exe

SPARK: Warning: MODULE: Filescan MESSAGE: Suspicious file found FILE: C:\Program Files (x86)\Sangfor\SSL\RemoteAppClient\SRAPSession.exe SCORE: 75 MD5: da4b4b9ada092abf082bf79562d67226 SHA1: 9ee8de0c27a1813ffccfecc79f116cdd021c4e78 SHA256: 2a44b41df86d150f92530ac485e2149574d63d8d2944e5fb5e25e9276d20d576 SIZE: 271640 TYPE: UNKNOWN FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ CREATED: 2017-12-01T08:29:44Z MODIFIED: 2017-12-01T08:29:44Z ACCESSED: 2019-08-24T12:24:15Z EXT: .exe REASON_1: YARA rule IronTiger_PlugX_DosEmulator / Iron Tiger Malware - PlugX DosEmulator MATCHED_1: Str1: "Fail,Error Code = %d." SUBSCORE_1: 75 REF_1: http://goo.gl/T5fSJC

SPARK: Warning: MODULE: Filescan MESSAGE: Suspicious file found FILE: C:\Program Files (x86)\Sangfor\SSL\RemoteAppClient\SfRemoteAppClient.exe SCORE: 75 MD5: 6a62b6e77720bdf907900bef48d56acb SHA1: 9193cdfa9b5c373d208a7ca1f9938f0dd5d34431 SHA256: 3e78facdbc9a07735b55d03d273b9c225aca76816431ae573da1c5fb9ee5bfc5 SIZE: 543000 TYPE: UNKNOWN FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ CREATED: 2017-12-01T08:24:30Z MODIFIED: 2017-12-01T08:24:30Z ACCESSED: 2019-08-24T12:24:15Z EXT: .exe REASON_1: YARA rule IronTiger_PlugX_DosEmulator / Iron Tiger Malware - PlugX DosEmulator MATCHED_1: Str1: "Fail,Error Code = %d." SUBSCORE_1: 75 REF_1: http://goo.gl/T5fSJC

SPARK: Warning: MODULE: Filescan MESSAGE: Suspicious file found FILE: C:\Program Files (x86)\Sangfor\SSL\RemoteAppClient\SfRemoteAppSession.exe SCORE: 75 MD5: 034c67c6aba4c97a605ac46f0586301b SHA1: 15455c0c64de4acb71dd79e8a122e1de4a4fd516 SHA256: 53e3ac0b78edc741f776a2738ed8bf227b51796c93139a4cd2c84db1889b8157 SIZE: 307992 TYPE: UNKNOWN FIRSTBYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ CREATED: 2017-12-01T08:25:50Z MODIFIED: 2017-12-01T08:25:50Z ACCESSED: 2019-08-24T12:24:16Z EXT: .exe REASON_1: YARA rule IronTiger_PlugX_DosEmulator / Iron Tiger Malware - PlugX DosEmulator MATCHED_1: Str1: "Fail,Error Code = %d." SUBSCORE_1: 75 REF_1: http://goo.gl/T5fSJC

Warning: USB Listener / save autorun entry

Spark issued the following warning:
Warning Autoruns Autoruns element located in a suspicious location
MD5:
SHA1:
SHA256: TYPE: run_key LAUNCH_STRING: C:\Users.......\AppData\Local\Temp{438E237C-C9D2-4803-A1FE-EE77D929E548}\USBListener.exe -autorun IMAGE_NAME: USBListener.exe ARGUMENTS: -autorun MATCH_STRING: C:\Users......\AppData\Local\Temp ENTRY: USBListener LOCATION: CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IMAGE_PATH: C:\Users.....\AppData\Local\Temp{438E237C-C9D2-4803-A1FE-EE77D929E548}\USBListener.exe

This belongs to the legitimate program called "Drive Security", a virus scanner implemented on an encrypted USB stick. I counterchecked the location with the manufacturer. It is a typical and safe entry. Maybe consider it for whitelisting. THANKS

Microsoft Office Hover Over malware IOC false positive

Lots of alerts regarding binary files like certutil, cmd, powershell.
I suppose they are false positives. Can you fine-tune this YARA rule?
FILE: C:\Windows\Installer$PatchCache$\Managed\00004109210000000000000000F01FEC\14.0.4763\POWERPNT.EXE SCORE: 100 TYPE: EXE SIZE: 2162024 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: e24133dd836d99182a6227dcf6613d08 SHA1: 72c2dbbb1fe642073002b30987fcd68921a6b140 SHA256: 4dde54cfc600dbd9a610645d197a632e064115ffaa3a1b595c3a23036e501678 CREATED: Tue Mar 09 08:57:40 2010 MODIFIED: Tue Mar 09 08:57:40 2010 ACCESSED: Wed May 06 15:28:22 2015 REASON_1: Malware Hash TYPE: MD5 HASH: e24133dd836d99182a6227dcf6613d08 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd

FILE: C:\Windows\System32\certutil.exe SCORE: 100 TYPE: EXE SIZE: 903168 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 0d52559aef4aa5eac82f530617032283 SHA1: 8186d64dd28cd63ca883b1d3ce5f07aeabad67c0 SHA256: 48850fb7229d99e48c3a749556684e962587058d612c659c58f8b8db2d00abee CREATED: Tue Oct 29 17:48:26 2013 MODIFIED: Mon May 13 05:08:10 2013 ACCESSED: Tue Oct 29 17:48:26 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 0d52559aef4aa5eac82f530617032283 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\System32\cmd.exe SCORE: 100 TYPE: EXE SIZE: 302592 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: ad7b9c14083b52bc532fba5948342b98 SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5 SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae CREATED: Sun Nov 21 04:24:03 2010 MODIFIED: Sun Nov 21 04:24:03 2010 ACCESSED: Sun Nov 21 04:24:03 2010 REASON_1: Malware Hash TYPE: MD5 HASH: ad7b9c14083b52bc532fba5948342b98 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\System32\mstsc.exe SCORE: 100 TYPE: EXE SIZE: 1068544 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 4676aaa9ddf52a50c829fedb4ea81e54 SHA1: f47600bbf079f6b0b6e7fd385262daebd369fa50 SHA256: 8640038aed460464a7421d7866cb24be70330b03d47143a772292c13fcd54e5f CREATED: Wed Nov 13 12:02:32 2013 MODIFIED: Wed Oct 02 00:34:12 2013 ACCESSED: Wed Nov 13 12:02:32 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 4676aaa9ddf52a50c829fedb4ea81e54 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\System32\wscript.exe SCORE: 100 TYPE: EXE SIZE: 141824 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 979d74799ea6c8b8167869a68df5204a SHA1: 7fde3d18c7370dff0d5a339c93b8b7e91930f65d SHA256: 2160ba6829909eeb1d272ac4a5f43588750c0b4743477bf2b46952033b5d4b3b CREATED: Wed May 06 16:11:42 2015 MODIFIED: Sat Oct 12 03:15:48 2013 ACCESSED: Wed May 06 16:11:42 2015 REASON_1: Malware Hash TYPE: MD5 HASH: 979d74799ea6c8b8167869a68df5204a SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe SCORE: 160 TYPE: EXE SIZE: 452608 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 92f44e405db16ac55d97e3bfe3b132fa SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 CREATED: Tue Jul 14 01:32:37 2009 MODIFIED: Tue Jul 14 03:14:24 2009 ACCESSED: Tue Jul 14 01:32:37 2009 REASON_1: File Name IOC matched PATTERN: \WindowsPowerShell\ SUBSCORE: 60 DESC: -10REASON_2: Malware Hash TYPE: MD5 HASH: 92f44e405db16ac55d97e3bfe3b132fa SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\SysWOW64\certutil.exe SCORE: 100 TYPE: EXE SIZE: 903168 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 0d52559aef4aa5eac82f530617032283 SHA1: 8186d64dd28cd63ca883b1d3ce5f07aeabad67c0 SHA256: 48850fb7229d99e48c3a749556684e962587058d612c659c58f8b8db2d00abee CREATED: Tue Oct 29 17:48:26 2013 MODIFIED: Mon May 13 05:08:10 2013 ACCESSED: Tue Oct 29 17:48:26 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 0d52559aef4aa5eac82f530617032283 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\SysWOW64\cmd.exe SCORE: 100 TYPE: EXE SIZE: 302592 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: ad7b9c14083b52bc532fba5948342b98 SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5 SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae CREATED: Sun Nov 21 04:24:03 2010 MODIFIED: Sun Nov 21 04:24:03 2010 ACCESSED: Sun Nov 21 04:24:03 2010 REASON_1: Malware Hash TYPE: MD5 HASH: ad7b9c14083b52bc532fba5948342b98 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\SysWOW64\mstsc.exe SCORE: 100 TYPE: EXE SIZE: 1068544 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 4676aaa9ddf52a50c829fedb4ea81e54 SHA1: f47600bbf079f6b0b6e7fd385262daebd369fa50 SHA256: 8640038aed460464a7421d7866cb24be70330b03d47143a772292c13fcd54e5f CREATED: Wed Nov 13 12:02:32 2013 MODIFIED: Wed Oct 02 00:34:12 2013 ACCESSED: Wed Nov 13 12:02:32 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 4676aaa9ddf52a50c829fedb4ea81e54 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\SysWOW64\wscript.exe SCORE: 100 TYPE: EXE SIZE: 141824 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 979d74799ea6c8b8167869a68df5204a SHA1: 7fde3d18c7370dff0d5a339c93b8b7e91930f65d SHA256: 2160ba6829909eeb1d272ac4a5f43588750c0b4743477bf2b46952033b5d4b3b CREATED: Wed May 06 16:11:42 2015 MODIFIED: Sat Oct 12 03:15:48 2013 ACCESSED: Wed May 06 16:11:42 2015 REASON_1: Malware Hash TYPE: MD5 HASH: 979d74799ea6c8b8167869a68df5204a SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe SCORE: 160 TYPE: EXE SIZE: 452608 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 92f44e405db16ac55d97e3bfe3b132fa SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 CREATED: Tue Jul 14 01:32:37 2009 MODIFIED: Tue Jul 14 03:14:24 2009 ACCESSED: Tue Jul 14 01:32:37 2009 REASON_1: File Name IOC matched PATTERN: \WindowsPowerShell\ SUBSCORE: 60 DESC: -10REASON_2: Malware Hash TYPE: MD5 HASH: 92f44e405db16ac55d97e3bfe3b132fa SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\winsxs\wow64_microsoft-windows-commandprompt_31bf3856ad364e35_6.1.7601.17514_none_f387767e655cd5ab\cmd.exe SCORE: 100 TYPE: EXE SIZE: 302592 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: ad7b9c14083b52bc532fba5948342b98 SHA1: ee8cbf12d87c4d388f09b4f69bed2e91682920b5 SHA256: 17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae CREATED: Sun Nov 21 04:24:03 2010 MODIFIED: Sun Nov 21 04:24:03 2010 ACCESSED: Sun Nov 21 04:24:03 2010 REASON_1: Malware Hash TYPE: MD5 HASH: ad7b9c14083b52bc532fba5948342b98 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\winsxs\wow64_microsoft-windows-powershell-exe_31bf3856ad364e35_6.1.7600.16385_none_cf5f9aad50446c26\powershell.exe SCORE: 100 TYPE: EXE SIZE: 452608 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 92f44e405db16ac55d97e3bfe3b132fa SHA1: 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d SHA256: 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7 CREATED: Tue Jul 14 01:32:37 2009 MODIFIED: Tue Jul 14 03:14:24 2009 ACCESSED: Tue Jul 14 01:32:37 2009 REASON_1: Malware Hash TYPE: MD5 HASH: 92f44e405db16ac55d97e3bfe3b132fa SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\winsxs\wow64_microsoft-windows-scripting_31bf3856ad364e35_6.1.7601.18283_none_b096369f4b940a23\wscript.exe SCORE: 100 TYPE: EXE SIZE: 141824 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 979d74799ea6c8b8167869a68df5204a SHA1: 7fde3d18c7370dff0d5a339c93b8b7e91930f65d SHA256: 2160ba6829909eeb1d272ac4a5f43588750c0b4743477bf2b46952033b5d4b3b CREATED: Wed May 06 16:11:42 2015 MODIFIED: Sat Oct 12 03:15:48 2013 ACCESSED: Wed May 06 16:11:42 2015 REASON_1: Malware Hash TYPE: MD5 HASH: 979d74799ea6c8b8167869a68df5204a SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\winsxs\wow64_microsoft-windows-t..minalservicesclient_31bf3856ad364e35_7.2.7601.16415_none_6ff75c0c95c8e0b9\mstsc.exe SCORE: 100 TYPE: EXE SIZE: 1068544 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 4676aaa9ddf52a50c829fedb4ea81e54 SHA1: f47600bbf079f6b0b6e7fd385262daebd369fa50 SHA256: 8640038aed460464a7421d7866cb24be70330b03d47143a772292c13fcd54e5f CREATED: Wed Nov 13 12:02:32 2013 MODIFIED: Wed Oct 02 00:34:12 2013 ACCESSED: Wed Nov 13 12:02:32 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 4676aaa9ddf52a50c829fedb4ea81e54 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd
FILE: C:\Windows\winsxs\x86_microsoft-windows-certutil_31bf3856ad364e35_6.1.7601.18151_none_b75e12ea91c1f49b\certutil.exe SCORE: 100 TYPE: EXE SIZE: 903168 FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ MD5: 0d52559aef4aa5eac82f530617032283 SHA1: 8186d64dd28cd63ca883b1d3ce5f07aeabad67c0 SHA256: 48850fb7229d99e48c3a749556684e962587058d612c659c58f8b8db2d00abee CREATED: Tue Oct 29 17:48:26 2013 MODIFIED: Mon May 13 05:08:10 2013 ACCESSED: Tue Oct 29 17:48:26 2013 REASON_1: Malware Hash TYPE: MD5 HASH: 0d52559aef4aa5eac82f530617032283 SUBSCORE: 100 DESC: Microsoft Office Hover Over malware https://www.virustotal.com/en/file/796a386b43f12b99568f55166e339fcf43a4792d292bd

False positive: SMSvcHost.exe

20180802T15:17:40Z FELSEN LOKI: Alert: MODULE: ProcessScan MESSAGE: File Name IOC matched PATTERN: \smsvchost.exe DESC: Hexacorn Blog Entry - Homomorphic abuse http://goo.gl/1UGJVn MATCH: c:\windows\microsoft.net\framework64\v4.0.30319\smsvchost.exe

Virustotal.com:
Verified: Signed
Signing date: 09:27 22.02.2018
Publisher: Microsoft Corporation
Company: Microsoft Corporation
Description: SMSvcHost.exe
Product: Microsoft® .NET Framework
Prod version: 4.7.3056.0
File version: 4.7.3056.0 built by: NET472REL1
MachineType: 32-bit
MD5: 7EC8B56348F9298BCCA7A745C7F70E2C
SHA1: 43DACCE26801C45666676F1AB09F53143C74D88C
PESHA1: 545D11581566406E14165665E5A2886D9F1E1909
PE256: 1210B3A9F034F5081BEF1F5026072B215589DB86E7B0F868B52D6F73C19ACC81
SHA256: F677CBD94ABE25AECF08ECFBBDA063A9C032C678327A0D105CB6B3E587C44C19
IMP: F34D5F2D4577ED6D9CEEC516C1F5A744
VT detection: 0/66
VT link: https://www.virustotal.com/file/f677cbd94abe25aecf08ecfbbda063a9c032c678327a0d105cb6b3e587c44c19/analysis/

get-otx-iocs.py: TypeError: a bytes-like object is required, not 'str'

/usr/bin/python3.6 get-otx-iocs.py
Traceback (most recent call last):
  File "get-otx-iocs.py", line 182, in write_iocs
    description = event["name"].encode('unicode-escape').replace(self.separator, " - ")
TypeError: a bytes-like object is required, not 'str'
Traceback (most recent call last):
  File "get-otx-iocs.py", line 182, in write_iocs
    description = event["name"].encode('unicode-escape').replace(self.separator, " - ")
TypeError: a bytes-like object is required, not 'str'
Traceback (most recent call last):
  File "get-otx-iocs.py", line 182, in write_iocs
    description = event["name"].encode('unicode-escape').replace(self.separator, " - ")
TypeError: a bytes-like object is required, not 'str'

Asking for Yara rule or whitepaper related to APT32 sample

Hi, I was researching about APT32 and found your Yara rule on an interesting sample.
It says that it's internal research; however, that was a long time ago, and I wonder if you could publish the YARA rule or whitepaper related to the case.

Sample: 6b64382e0d7fe3d455c8065625d91ca3
Yara rule: APT_OceanLotus_ISSUTIL_Sep18
https://www.virustotal.com/gui/file/4e692aa0c2b858917235b4cc2befe649c1fc3df90d6c42d0f329cde57156d752/community

PS: I found this whitepaper, but it's not really related to the sample above.
https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/white-papers/OceanLotus-Steganography-Malware-Analysis-White-Paper.pdf

False Positive: spark-core-util.exe labeled as Trojan by some AV vendors

A couple of days ago, for the first time, spark-core-util.exe (SHA-256: 9B4D9812D742679F2277D00454E764C3AD2C7511FB8035CA5713F8D226A72B86) was labeled as a generic Trojan (Trojan.GenericKD.32703131) by two AV engines (Bitdefender and HitmanPro) on my computer. I asked both companies by e-mail to whitelist it. From Bitdefender, so far no reply. HitmanPro answered today that they have whitelisted it for their engine. However, they told me that some more AV scanners have already labeled this file as malicious. I suggest taking steps for whitelisting. I sent a second mail today to Bitdefender. As long as the file is not whitelisted, it will be difficult to use spark-core, because it triggers the AV engines to alert.

Too long rule name

Hello Florian,
please would you consider renaming the rule _kappfree_kelloworld_KiwiCmd_KiwiRegedit_KiwiTaskmgr_klock_mimikatz_sekurlsa_kappfree_kelloworld_KiwiCmd_KiwiRegedit_KiwiTaskmg to something shorter - like kiwi_tools_gentil_kiwi ?

The rule name is very long and makes it hard to prefix/rename to something unique when using your ruleset together with some other rulesets (like Yara-rules).

Thank you
Michal Ambroz

Codoso_PGV_PVID_1 false positive

Link         : 
https://www.virustotal.com/gui/search/b2959f846e86d3cf3c1572f8dfb3bdd14ef3d5970c6d71d20d1055ac3839f9d0
Graph        : 
https://www.virustotal.com/graph/b2959f846e86d3cf3c1572f8dfb3bdd14ef3d5970c6d71d20d1055ac3839f9d0
Similar files: 
https://www.virustotal.com/gui/search/similar-to%253Ab2959f846e86d3cf3c1572f8dfb3bdd14ef3d5970c6d71d20d1055ac3839f9d0

MD5          : 3cd69568b3167ff123f8772c2dbd806c
SHA1         : 60501b91082144018c2e6138992aea89668e0ec8
SHA256       : 
b2959f846e86d3cf3c1572f8dfb3bdd14ef3d5970c6d71d20d1055ac3839f9d0
Type         : Win32 EXE

First seen   : 2019-09-11 13:05:09 UTC

Last seen    : 2019-09-11 13:05:09 UTC

First name   : xbydzw.exe

First source : 63b1639b (api)

First country: BE

Cylance                      Unsafe
eGambit                      Trojan.Generic

2D 41 6C 69 76 65 00 00 FF FF FF FF 02 00 00 00  -Alive..........
71 71 00 00 FF FF FF FF 1D 00 00 00 43 6F 6F 6B  qq..........Cook
69 65 3A 20 70 67 76 5F 70 76 69 64 3D 39 37 36  ie: pgv_pvid=976
33 31 31 34 39 36 30 3B 20 00 00 00 FF FF FF FF  3114960; .......
08 00 00 00 43 6F 6F 6B 69 65 3A 20 00 00 00 00  ....Cookie: ....
FF FF FF FF 1C 00 00 00 43 6F 6F 6B 69 65 3A 20  ........Cookie:
70 67 76 5F 70 76 69 64 3D 39 30 39 39 33 32 33  pgv_pvid=9099323
38 31 31 38 00 00 00 00 FF FF FF FF 8A 00 00 00  8118............

$x1 = "Cookie: pgv_pvid=" ascii

False positive: Epson Stylus Print Monitor

2018-07-16T06:46:49Z AZE-OFFICE/192.168.2.121 SPARK: Warning: MODULE: Autoruns MESSAGE: Autoruns element located in a suspicious location MD5: 14904e77af50fabe79f8fa9247ab5db6 SHA1: 0a6b0ecaf41ed94b4b05f20618e20c39a7d27e01 SHA256: 09019651ecb8ddea13a905ffe0d1391f557f027aba6b7111d5e3a1ac06c16c11 TYPE: run_key LOCATION: CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run IMAGE_NAME: E_IATIEGE.EXE LAUNCH_STRING: C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEGE.EXE /FU "C:\Windows\TEMP\E_SA623.tmp" /EF "HKCU" IMAGE_PATH: C:\Windows\system32\spool\DRIVERS\x64\3\E_IATIEGE.EXE ARGUMENTS: /FU C:\Windows\TEMP\E_SA623.tmp /EF HKCU ENTRY: EPSON Stylus SX400 Series MATCH_STRING: \TEMP\

2018-07-16T06:46:49Z AZE-OFFICE/192.168.2.121 SPARK: Warning: MODULE: Autoruns MESSAGE: Autoruns element located in a suspicious location MD5: 1a6f3eeb35f06cfb2fd8e1d4fe81dfc2 SHA1: 40e2271fdeda3587440a93fe5ba299744fda45a3 SHA256: 7519a9b53812d04d7288236d1a6b446b28d938354b221304efec4e76972b58b2 TYPE: run_key ENTRY: Epson Stylus SX410 ARGUMENTS: /FU C:\WINDOWS\TEMP\E_SDEFE.tmp /EF HKCU IMAGE_PATH: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IATIFCE.EXE MATCH_STRING: \TEMP\ IMAGE_NAME: E_IATIFCE.EXE LAUNCH_STRING: C:\WINDOWS\system32\spool\DRIVERS\x64\3\E_IATIFCE.EXE /FU "C:\WINDOWS\TEMP\E_SDEFE.tmp" /EF "HKCU" LOCATION: CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

FP in apt_apt10.yar

Can you please remove the following line from the APT10 Yara rules file?
hash255 = "DA5EE020BEF41DC95C3532CBAA1EA8F4"

This is a legit, signed binary by Microsoft (VT results).

Thank you.

Some false positive in Process Check

First time approximately 8 processes issued a warning (all with score 75). Processes were originated from Windows, HP, beside others. All warnings were triggered by hatman_dividers. Two examples can be found below.

Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: SearchUI.exe DESC: - PID: 12852 CMD: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca RULE: hatman_dividers REFERENCE: - TAGS: USER:

Warning ProcessCheck YARA rule match on process memory SCORE: 75 NAME: DPAgent.exe DESC: - PID: 14856 CMD: "c:\program files (x86)\hp\hp protecttools security manager\bin\dpagent.exe" RULE: hatman_dividers REFERENCE: - USER

PyNaCl directory falsely triggers an IoC: filename-iocs.txt:2111

The following Python Network And Cryptography Library https://github.com/pyca/pynacl/tree/master/src/nacl subdirectory triggers an IoC

FILE: /usr/local/lib/python2.7/dist-packages/PyNaCl-1.2.1-py2.7-linux-x86_64.egg/nacl/pwhash/argon2i.py SCORE: 60 TYPE: UNKNOWN SIZE: 4598 
FIRST_BYTES: -  CREATED: Sun Feb 25 04:01:25 2018 MODIFIED: Sun Feb 25 04:01:25 2018 ACCESSED: Mon Mar 19 22:39:51 2018 
REASON_1: File Name IOC matched PATTERN: /(pwhash|fgdump) SUBSCORE: 60 DESC: Cred Dumping
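The pattern in that report is matched against the whole path, so a directory named pwhash inside the PyNaCl package is enough to trigger it. The script below, added as an example and not code from LOKI or signature-base, replays that match the way a path scanner would and contrasts it with a basename-anchored variant of the same pattern. The IOC file layout it parses (a "# description" comment followed by regex;score lines), the case-insensitive matching and the anchored pattern are all assumptions made for this illustration, not a description of the real file or a proposed change to it; the paths are constructed, with the first one taken from the report.

```python
"""Replay filename-IOC regexes against paths the way a file scanner does.
Added example for the PyNaCl report above; not LOKI or signature-base code."""
import re

# Constructed IOC text. Assumed layout: a '# description' comment line
# followed by 'regex;score' lines. The first pattern is the one from the
# report; the second is a basename-anchored variant written for this example.
FILENAME_IOCS = r"""
# Cred Dumping
/(pwhash|fgdump);60
# Cred Dumping (basename anchored)
[\\/](pwhash|fgdump)(\.exe)?$;60
"""

# Constructed paths: the reported false positive, then two genuine hits.
FP_PATH = "/usr/local/lib/python2.7/dist-packages/PyNaCl-1.2.1-py2.7-linux-x86_64.egg/nacl/pwhash/argon2i.py"
SAMPLE_PATHS = [FP_PATH, "/tmp/fgdump", "C:\\Users\\x\\Desktop\\pwhash.exe"]


def parse_filename_iocs(text):
    """Yield (compiled_regex, score, description); case-insensitive by choice."""
    desc = "-"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            desc = line.lstrip("# ")
            continue
        pattern, _, score = line.rpartition(";")
        yield re.compile(pattern, re.IGNORECASE), int(score), desc


def score_path(path, iocs):
    """Return (total score, [(pattern, score, desc), ...]) for one path."""
    hits = [(rx.pattern, s, d) for rx, s, d in iocs if rx.search(path)]
    return sum(s for _, s, _ in hits), hits


def overbroad_patterns(iocs, known_clean_paths):
    """Patterns that fire on paths known to be clean: candidates for tightening."""
    return sorted({rx.pattern for rx, _, _ in iocs
                   for p in known_clean_paths if rx.search(p)})


if __name__ == "__main__":
    iocs = list(parse_filename_iocs(FILENAME_IOCS))
    for path in SAMPLE_PATHS:
        total, hits = score_path(path, iocs)
        print(f"SCORE {total:3d}  {path}")
        for pattern, s, d in hits:
            print(f"    {s:3d}  {pattern}  ({d})")
    print("over-broad:", overbroad_patterns(iocs, [FP_PATH]))
```

The overbroad_patterns check is the part worth keeping: run a candidate IOC file against the file listing of a known-clean machine (site-packages directories included) before release, and every pattern that fires is either too loose or needs an anchor on the basename.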

False Positive: In HP SureClick Files

[ALERT]
FILE: C:\Program Files\HP\Sure Click\4.1.0.5734\servers\firefox_.exe SCORE: 105 TYPE: EXE SIZE: 266712
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
MD5: e95e117acc1725c7e34b4ec531a640b8
SHA1: fe9bf24d823b6aa51ebe9c1b5345349bc5ab9d98
SHA256: 630e75ef3c2b2f5eea9d508e2bfa6eaa39d42e8d0b2bfa6dad5f4ca01ef61b06 CREATED: Wed Sep 26 15:03:04 2018 MODIFIED: Wed Sep 26 15:03:04 2018 ACCESSED: Tue Oct 30 08:17:17 2018
REASON_1: File Name IOC matched PATTERN: \firefox_.exe SUBSCORE: 45 DESC: Hexacorn Blog Entry - Homomorphic abuse http://goo.gl/1UGJVn
REASON_2: Levenshtein check - filename looks much like a well-known system file SUBSCORE: 40 ORIGINAL: firefox.exe

[ALERT]
FILE: C:\Program Files\HP\Sure Click\servers\firefox_.exe SCORE: 105 TYPE: EXE SIZE: 266712
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
MD5: e95e117acc1725c7e34b4ec531a640b8
SHA1: fe9bf24d823b6aa51ebe9c1b5345349bc5ab9d98
SHA256: 630e75ef3c2b2f5eea9d508e2bfa6eaa39d42e8d0b2bfa6dad5f4ca01ef61b06 CREATED: Wed Sep 26 15:03:04 2018 MODIFIED: Wed Sep 26 15:03:04 2018 ACCESSED: Tue Oct 30 08:17:17 2018
REASON_1: File Name IOC matched PATTERN: \firefox_.exe SUBSCORE: 45 DESC: Hexacorn Blog Entry - Homomorphic abuse http://goo.gl/1UGJVn
REASON_2: Levenshtein check - filename looks much like a well-known system file SUBSCORE: 40 ORIGINAL: firefox.exe

The file was checked by VirusTotal; no engine could find any threat. I believe it is a false positive.

Yara F/P with p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs | hatman dividers

Hi Florian,

I have a lot of F/P with the two rules below:

YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 10564 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --service-pipe-token=10935207763610381885 --lang=fr --disable-dinosaur-easter-egg --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10935207763610381885 --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1 RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell

YARA rule match on process memory SCORE: 75 NAME: chrome.exe DESC: - PID: 11744 CMD: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1384,1381225692283285303,12548745127206151242,131072 --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=6827380407446322870 --mojo-platform-channel-handle=1400 --ignored=" --type=renderer " /prefetch:2 RULE: hatman_dividers

Certain rules that pass build-rules.py checks crash Loki

If certain escaped characters are added to the metadata (VirusTotal/yara-python#135), it crashes Python when yara-python tries to match.

If a related rule was created in this repository, it passes the compilation checks but would crash Loki or any other Python-based system that uses these signatures.

Calling compiledRules.match(data='') a couple of times in build-rules.py would ensure that rules which would crash Loki don't get accepted. Wrapping it in a try/except doesn't help, as it crashes the interpreter.
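
One way to apply that suggestion, as an added example rather than code from build-rules.py or LOKI: do the compile and the empty-data match in a child interpreter, so that an interpreter-level crash shows up in the parent as a signal exit status instead of taking the build down. The external variables passed to yara.compile below are assumed to be the ones LOKI declares; a rule set that uses other identifiers needs them added.

```python
import subprocess
import sys

# Source of the child interpreter. It does the risky work: compiling the rule
# file and matching it against empty data, which is where the reported crash
# happens. The externals are an assumption modelled on LOKI's; extend as needed.
WORKER = r"""
import sys
import yara

externals = {
    "filename": "", "filepath": "", "extension": "",
    "filetype": "", "md5": "", "owner": "",
}
rules = yara.compile(filepath=sys.argv[1], externals=externals)
for _ in range(3):            # a couple of matches, as the issue suggests
    rules.match(data=b"")
print("match ok")
"""


def run_isolated(source, *args, timeout=300):
    """Run `source` as a separate Python process; return (returncode, stdout, stderr)."""
    proc = subprocess.run(
        [sys.executable, "-c", source, *args],
        capture_output=True, text=True, timeout=timeout,
    )
    return proc.returncode, proc.stdout, proc.stderr


def classify_exit(returncode):
    """Map a child's exit status to "ok", "error" or "crashed".

    On POSIX a negative status means the child died from a signal (SIGSEGV,
    SIGABRT, ...), which is exactly what an in-process try/except cannot catch.
    Windows reports such deaths as large NTSTATUS values instead of signals.
    """
    if returncode == 0:
        return "ok"
    if returncode < 0 or returncode > 255:
        return "crashed"
    return "error"            # a normal Python exception in the child (syntax error, ...)


def smoke_test_rule_file(path):
    """Return (status, stderr) for one YARA rule file, status as in classify_exit."""
    rc, _out, err = run_isolated(WORKER, path)
    return classify_exit(rc), err


if __name__ == "__main__":
    # Usage: python smoke_test.py yara/*.yar
    for rule_file in sys.argv[1:]:
        status, err = smoke_test_rule_file(rule_file)
        print(f"{status:8} {rule_file}")
        if status != "ok":
            print(err.strip()[-2000:])
```

A "crashed" result (typically with an empty or truncated stderr) is the interpreter-level failure the issue describes; "error" means yara-python raised an ordinary exception that the existing checks would already report.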

False positive on PP_CN_APT_ZeroT_6

Got a false positive on the rule PP_CN_APT_ZeroT_6 on MD5: ac071bcaf66ab101dbe87990d4fabdfa.

As the example hash is a self-extracting RAR, adding an additional rule condition like:

   $s5 = "d:\\Projects\\WinRAR\\SFX\\build\\sfxrar32\\Release\\sfxrar.pdb"

Rule:

rule PP_CN_APT_ZeroT_6 {
   meta:
      description = "Detects malware from the Proofpoint CN APT ZeroT incident"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      author = "Florian Roth"
      reference = "https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx"
      date = "2017-02-03"
      hash1 = "a16078c6d09fcfc9d6ff7a91e39e6d72e2d6d6ab6080930e1e2169ec002b37d3"
   strings:
      $s6 = "jGetgQ|0h9=" fullword ascii
   condition:
      ( uint16(0) == 0x5a4d and filesize < 1000KB and ( 10 of ($s*) ) ) or ( all of them )
}

False positive in rule rule Office_OLE_DDE, on gen_dde_in_office_docs.yar

Hi Florian, I have detected a rule with a false positive, triggering a DDE alert.

Rule: Office_OLE_DDE

The file, related with iTunes updates, that is triggering the rule is:
http://swcdn.apple.com/content/downloads/56/00/091-97366/e23k1iiixvzrghv5grhee3kss1aqarqexq/AppleMobileDeviceSupport64.msi

File command detects it as:
AppleMobileDeviceSupport64.msi: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Installation Database, Subject: Apple Mobile Device Support Installer, Author: Apple Inc., Keywords: Installer,MSI,Database, Comments: Apple Mobile Device Support 12.2.0.15, Template: x64;1033, Revision Number: {8F4013EF-D6E7-433C-B22F-830A797C3179}, Create Time/Date: Fri Mar 8 21:10:20 2019, Last Saved Time/Date: Fri Mar 8 21:10:20 2019, Number of Pages: 300, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.5.2519.0), Security: 2

This file has the string "Apple Mobile Device Support Installer" and other Apple-related strings.
The following is a quick fix to avoid this specific false positive, although you may find a better way to do it.

rule Office_OLE_DDE {
   meta:
      description = "Detects DDE in MS Office documents"
      author = "NVISO Labs"
      reference = "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
      date = "2017-10-12"
      score = 50
   strings:
      $a = /\x13\s*DDE\b[^\x14]+/ nocase
      $b = "Apple Mobile Device Support Installer"
   condition:
      uint32be(0) == 0xD0CF11E0 and $a and not $b
}

Best regards,
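
To see what the proposed condition does, and where it is weak, here is an added Python rendering of the rule's logic run over constructed byte strings; it is not part of the issue above or of signature-base. The samples are constructed: the 4-byte OLE magic, padding, and a Word field sequence in which 0x13 opens a field, 0x14 separates the field code from its result and 0x15 closes it.

```python
import re

OLE_MAGIC = b"\xD0\xCF\x11\xE0"          # uint32be(0) == 0xD0CF11E0 in the rule
# Word field markers: 0x13 = field begin, 0x14 = field separator, 0x15 = field end.
DDE_FIELD = re.compile(rb"\x13\s*DDE\b[^\x14]+", re.IGNORECASE)   # string $a, nocase
ALLOW_MARKER = b"Apple Mobile Device Support Installer"            # string $b


def office_ole_dde(data: bytes) -> bool:
    """Python form of the condition: OLE magic and $a and not $b."""
    if not data.startswith(OLE_MAGIC):
        return False
    if DDE_FIELD.search(data) is None:
        return False
    return ALLOW_MARKER not in data


def make_ole_sample(field_code: bytes = b"", trailer: bytes = b"") -> bytes:
    """Constructed input: OLE magic, padding, an optional field, extra bytes.

    Not a valid compound file, just enough bytes for the checks above.
    """
    body = OLE_MAGIC + b"\xA1\xB1\x1A\xE1" + b"\x00" * 28
    if field_code:
        body += b"\x13" + field_code + b"\x14" + b"field result" + b"\x15"
    return body + trailer


# Constructed cases (placeholder field text, no real DDE target):
DDE_DOC = make_ole_sample(b" DDE placeholder-server placeholder-topic")
DDE_DOC_WITH_MARKER = make_ole_sample(b" DDE placeholder-server placeholder-topic", ALLOW_MARKER)
PLAIN_DOC = make_ole_sample(b" PAGE ")
NON_OLE = b"PK\x03\x04" + b"\x13 DDE x\x14"


def summary():
    """Return which constructed cases the condition flags."""
    return {
        "dde_doc": office_ole_dde(DDE_DOC),                        # True
        "dde_doc_with_marker": office_ole_dde(DDE_DOC_WITH_MARKER), # False: $b suppresses
        "plain_doc": office_ole_dde(PLAIN_DOC),                    # False: no DDE field
        "non_ole": office_ole_dde(NON_OLE),                        # False: wrong magic
    }


if __name__ == "__main__":
    for name, hit in summary().items():
        print(f"{name:22} {'MATCH' if hit else 'no match'}")
```

The second case shows the trade-off in the quick fix: the marker string keeps the rule quiet on this installer, but it exempts every OLE file that carries the same string, so a condition tied to more specific properties of the installer is preferable where one can be found.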

some false positives

Recently I reported some false positives (detecting Bitdefender files); this is now solved. However, some Bitdefender processes show up as warnings with score 75. Also, one Cortana entry exists in the process list with the same score.

SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: vsserv.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs PID: 1064 CMD: "C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe" /service RULE: Hacktool_Strings_p0wnedShell REFERENCE: https://github.com/Cn33liz/p0wnedShell TAGS: USER: NT-AUTORITT\SYSTEM
Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: vsserv.exe DESC: p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedPotato.cs PID: 1064 CMD: "C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe" /service RULE: p0wnedPotato REFERENCE: https://github.com/Cn33liz/p0wnedShell TAGS: USER: NT-AUTORITT\SYSTEM
SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: vsserv.exe DESC: - PID: 1064 CMD: "C:\Program Files\Bitdefender\Bitdefender Security\vsserv.exe" /service RULE: hatman_dividers REFERENCE: - TAGS: USER: NT-AUTORITT\SYSTEM
SPARK: Warning: MODULE: ProcessCheck MESSAGE: YARA rule match on process memory SCORE: 75 NAME: SearchUI.exe DESC: - PID: 14324 CMD: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca RULE: hatman_dividers REFERENCE: - USER: HP-ZBOOK-15U-G5\selten TAGS:

Yara false positives

gen_faked_versions.yar:Fake_FlashPlayerUpdaterService_EXE

BE62B286791F715E430FB022C1707BBA	c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
7EB7A3B01751889C6459C51A74CC87FA	c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
89ECFB35517F62C3802B227F288B750E	c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
CC2BADA495F53719836FAC0999F67480	c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe

/cn_pentestset_tools.yar:CN_Honker__mysql_injectV1_1_Creak_DomainBlastingTool_super_Injection1

53CCEBEFE6603534BB936653542EB62F	c:\program files (x86)\oak telecom\comms suite\report\datasetclient.exe

apt_irontiger_trendmicro.yar:IronTiger_HTTPBrowser_Dropper

AC383425189CED8E4E3AA0ECB5A3A199	c:\program files\java\jre1.8.0_131\installer.exe
8F6B3BF4EE10046F20AFFF1559B9DF49	c:\program files\dell\sysmgt\cm\invcol\invcol.exe
7E60A8C0165BC3DE2475EE155698DA1D	c:\program files (x86)\java\jre1.8.0_131\installer.exe
DB796E75846E7370AC1B9E5C50C57334	c:\program files (x86)\java\jre1.8.0_121\installer.exe
15C08C3ADD45E6997B7D2E13E6E9F45B	c:\program files (x86)\dell\sysmgt\cm\invcol\invcol.exe
8BC18D71AA04ADED75D549744842474A	c:\program files\dell\sysmgt\cm\invcol\invcol.exe
6084802E0C8B72F1B613C1FD3C199121	c:\program files\dell\sysmgt\cm\invcol\invcol.exe

false positives

apt_ham_tofu_chches.yar:Ham_backdoor
484acf6af85a29ac52f3cf054dfde9d3
f13f5ac8b89c9ac8d02d1ef7cf9bdf0a
c2ba43865243a94d980c763f0b8c8493
1d398e4352f96ebf4e81f8e054c7f1d3
964ad15d1eb90520f8b7dc9739157629
a445263326301bf126ff4721b5644f90
1f2c388084a1bc978751d4c9465d127c
bee7b3dd24b420fac027cd72bc8d91e6

crime_petya_ransom.yar:Petya_Ransomware
abf64234f3462571e66527828040219b

gen_faked_versions.yar:Fake_AdobeReader_EXE
4f996b50c3f00e1776e1e1bae8cd1554
e53934afd93659e00305d858e89f7655
ca0c67ba7aeba6aed5ddb852e6eea811
124e70674c0cafdac4c0c8f8d95f0ba3
8a7c310e9ca50ceddcdb4f453e13036c

gen_faked_versions.yar:Fake_FlashPlayerUpdaterService_EXE
cc2bada495f53719836fac0999f67480
874b1d3b016bb6051eed24e6f94da18b
7eb7a3b01751889c6459c51a74cc87fa
89ecfb35517f62c3802b227f288b750e

gen_rats_malwareconfig.yar:RAT_Sakula
e32ad11b4d445d47fee3ff3608a16989
d8df9c697e4070b5ae4e30bf8e1c2e1b

thor-hacktools.yar:lsadump
fc55e571f4965b3f31822fc5f0b1b14c

False Positive: sosreport files

Loki has flagged some static text files that belong to the sosreport library for RHEL and CentOS systems. I've seen these files get flagged during several scans on different systems, have analysed them, and it has always turned out to be a false positive.

WARNING FileScan FILE: /usr/share/sos/README.md SCORE: 70 TYPE: UNKNOWN SIZE: 2426 FIRST_BYTES: -  CREATED: Mon Oct  5 20:09:21 2020 MODIFIED: Wed Oct  9 07:21:34 2019 ACCESSED: Mon Oct  5 23:39:39 2020 REASON_1: File Name IOC matched PATTERN: /usr/share/sos/ SUBSCORE: 70 DESC: Attacks on Academic Data Centers https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/
WARNING FileScan FILE: /usr/share/sos/AUTHORS SCORE: 70 TYPE: UNKNOWN SIZE: 1467 FIRST_BYTES: -  CREATED: Mon Oct  5 20:09:21 2020 MODIFIED: Wed Oct  9 07:21:34 2019 ACCESSED: Mon Oct  5 23:39:39 2020 REASON_1: File Name IOC matched PATTERN: /usr/share/sos/ SUBSCORE: 70 DESC: Attacks on Academic Data Centers https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/

Looks like it has to do with the file name? In any case these are simply static text files and should not be flagged.

false positive

sudo -H python2 loki.py --intense

I used VirusTotal and no antivirus detected it; Loki scan file output:

[WARNING] 
FILE: /usr/share/julia/stdlib/v1.4/Pkg/appveyor.yml SCORE: 70 TYPE: UNKNOWN SIZE: 1146 
FIRST_BYTES: 656e7669726f6e6d656e743a0a20206d61747269 / environment:  matri 
MD5: a46b77ecb28ce184fbd2ea204fb5a096 
SHA1: 5e588d71142a58431340f309094c931db4935db9 
SHA256: b9da054fb354bc8a523fabf2edd6ba17c55fbf8909f4bbdc2fa351e83d3f5b8a CREATED: Thu Nov 12 14:53:46 2020 MODIFIED: Tue Apr 21 13:21:34 2020 ACCESSED: Sun Jan 10 12:06:34 2021 
REASON_1: Yara Rule MATCH: SUSP_PowerShell_IEX_Download_Combo SUBSCORE: 70 
DESCRIPTION: Detects strings found in sample from CN group repo leak in October 2018 REF: 
https://twitter.com/JaromirHorejsi/status/1047084277920411648 
MATCHES: Str1: iex ((new-object net.webclient).Download

I know that the Julia programming language that I installed via apt is not infected, so I think it's a false positive.

File /usr/share/julia/stdlib/v1.4/Pkg/appveyor.yml code:

environment:
  matrix:
  # - julia_version: 1.0
  - julia_version: nightly

platform:
  - x64 # 64-bit

# # Uncomment the following lines to allow failures on nightly julia
# # (tests will run but not make your overall status red)
# matrix:
#   allow_failures:
#   - julia_version: latest

branches:
  only:
    - master
    - /^release-.*/
    - /^v[0-9]+\.[0-9]+\.[0-9]+$/ # version tags

notifications:
  - provider: Email
    on_build_success: false
    on_build_failure: false
    on_build_status_changed: false

install:
  - ps: iex ((new-object net.webclient).DownloadString("https://raw.githubusercontent.com/JuliaCI/Appveyor.jl/version-1/bin/install.ps1"))

build_script:
  - C:\julia\bin\julia -e "using InteractiveUtils; versioninfo();
      using UUIDs;
      before = read(\"Project.toml\", String);
      after = replace(before, \"uuid = \\\"44cfe95a-1eb2-52ea-b672-e2afdf69b78f\\\"\" =>
                              \"uuid = \\\"4d836010-47a6-11e8-12b2-0918962bae33\\\"\");
      write(\"Project.toml\", after);
      import Pkg; Pkg.build()"

test_script:
  - echo "%JL_TEST_SCRIPT%"
  - C:\julia\bin\julia -e "%JL_TEST_SCRIPT%"

FP for APT10_Malware_Sample_Gen

Hello

I have a false positive for a specific tool developed internally. APT10 LOKI: Alert: Yara Rule MATCH: APT10_Malware_Sample_Gen PID: 1460 NAME: dispnomade.exe CMD: "C:\Program Files (x86)\www\dispnomade.exe"
Can you check that? The MD5 is: b3d08e9b37ad6092fbf27af219a92d0c

Regards

RCL

get-otx-iocs.py UnicodeEncodeError

Hello,

Whenever I run this script, I get the following error:

Traceback (most recent call last):
File "get-otx-iocs.py", line 231, in write_iocs
self.separator)
UnicodeEncodeError: 'ascii' codec can't encode character u'\xf8' in position 10: ordinal not in range(128)

Invalid regex escape sequence in filename-iocs

Hello Neo23x0,

I noticed that several entries in filename-iocs have wrong regex escape sequences.
The entries with invalid '\'-escapes are listed below:

# Hidden Cobra https://www.us-cert.gov/ncas/alerts/TA17-164A
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\EDBCHK.LOG;75
(?i)C:\WINDOWS\SYSTEM32\MIMEFILTER.XML;75
(?i)C:\AWORK\CATROOT2;80
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\{12CD0A1D-4EA2-11D1-8608-00C04F-C295EF};65
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\{A750E6C3-38EE-17D5-85E5-10D03D-A378DE};65

Another invalid entry I found is the following: Windows\\inf\\mdmeric3.\PNF ;65 (notice the .\)

Best regards,
aelth
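
An added checker for this class of problem (not code from the issue or from signature-base), assuming, as LOKI does, that the entries are compiled with Python's re module. Two things are worth seeing on the entries quoted above: an escape like \W or \S compiles silently as a character class (non-word, non-space), so an entry such as C:\WINDOWS never matches the path it was written for, and only an escape with no meaning (\C, \M, \P) makes the compiler complain. The IOC excerpt in the block is constructed from the entries in the issue.

```python
import re

# Constructed excerpt in the filename-iocs format (pattern;score), built from
# the entries quoted in the issue above.
SAMPLE_IOCS = r"""
# Hidden Cobra https://www.us-cert.gov/ncas/alerts/TA17-164A
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\EDBCHK.LOG;75
(?i)C:\WINDOWS\SYSTEM32\MIMEFILTER.XML;75
(?i)C:\AWORK\CATROOT2;80
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\{12CD0A1D-4EA2-11D1-8608-00C04F-C295EF};65
(?i)C:\WINDOWS\SYSTEM32\CATROOT2\{A750E6C3-38EE-17D5-85E5-10D03D-A378DE};65
Windows\\inf\\mdmeric3.\PNF ;65
"""


def parse_ioc_lines(text):
    """Yield (pattern, score) from filename-ioc text, skipping blanks and # comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, score = line.rpartition(";")
        yield pattern.strip(), int(score)


def check_pattern(pattern):
    """Return None if the pattern compiles under Python's re, else the error text."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


def find_broken(text):
    """Return [(pattern, error)] for every entry that does not compile."""
    broken = []
    for pattern, _score in parse_ioc_lines(text):
        err = check_pattern(pattern)
        if err is not None:
            broken.append((pattern, err))
    return broken


def escape_literal_path(path, case_insensitive=True):
    """Turn a literal Windows path into a regex that matches it (backslashes doubled)."""
    return ("(?i)" if case_insensitive else "") + re.escape(path)


def matches(pattern, path):
    """True if the (compiling) pattern hits the path, using a search like a path scan would."""
    return re.search(pattern, path) is not None


if __name__ == "__main__":
    for pattern, err in find_broken(SAMPLE_IOCS):
        print(f"BROKEN  {pattern}\n        {err}")
    fixed = escape_literal_path(r"C:\WINDOWS\SYSTEM32\CATROOT2\EDBCHK.LOG")
    print("fixed form:", fixed)
```

Running find_broken over the real iocs/filename-iocs.txt lists every entry that would abort the scanner's compile step; escape_literal_path gives the doubled-backslash form that the surrounding entries in that file already use.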

False positive: Turla Mosquito mal #7

Hey,

It seems that the rule TurlaMosquito_Mal_7 (https://github.com/Neo23x0/signature-base/blob/master/yara/apt_turla_mosquito.yar) is matching a PE distributed by Samsung:
https://www.virustotal.com/#/file/56b472606d6af2c0f3121f1e5fe85bc8183c21bf15b6c52e24219e64bca7437f/details

It matches both the $x1 and $s19 strings.

FILE: C:\Program Files (x86)\Samsung\Samsung Magician\PAL.dll SCORE: 70 TYPE: EXE SIZE: 120736
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
MD5: 1d29bf0951062df2c0c87f67524e9c0e
SHA1: 2f93ede17c6e550b8c0e143db14a21398fb705fd
SHA256: 56b472606d6af2c0f3121f1e5fe85bc8183c21bf15b6c52e24219e64bca7437f CREATED: XXX MODIFIED: XXX ACCESSED: XXX
REASON_1: Yara Rule MATCH: TurlaMosquito_Mal_7 SUBSCORE: 70
DESCRIPTION: Detects malware sample from Turla Mosquito report REF: https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

Best,

false positives

In Spark, two files will trigger some alerts:

11a1a8e958b8334207ada4f8db79a82a,C:\WINDOWS\softwaredistribution.bak\Download\2ccde37d195aba85099ad54774cf0fe2\amd64_Microsoft-Windows-Client-Features-PackageAMD6410.0.17763.1\amd64_microsoft-windows-synchost_31bf3856ad364e35_10.0.17763.1_none_5a46f6fe54bbd2df\synchost.exe,90  
b2716691d5f75f1f2a965923e180ce36,C:\WINDOWS\softwaredistribution.bak\Download\2ccde37d195aba85099ad54774cf0fe2\amd64_Microsoft-Windows-Client-Features-WOW64-PackageAMD6410.0.17763.1\wow64_microsoft-windows-synchost_31bf3856ad364e35_10.0.17763.1_none_649ba150891c94da\synchost.exe,90

Both files were sent to the lab; no malware was found. They are also OK according to VirusTotal scans; countercheck it by the hashes. In Loki, those files trigger no alert.

Error when updating / upgrading with spark-core-util.exe

Upgrading / updating spark-core inside an administrative cmd window was possible in the past with the command "spark-core-util.exe -upgrade" inside the installation path.

However, recently I receive an error message: "unknown shorthand flag: ´u´ in -updgrade". The same happens if I update. "spark-core-util --help" does not provide insight. Update and upgrade both fail. I would appreciate your comment. THANKS

probably false positive

Hello,
while scanning my computer, the following alert occurs:

FILE: g:\Portable\sox-14-4-1\wget.exe SCORE: 100 TYPE: EXE SIZE: 401408
FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ
MD5: bd126a7b59d5d1f97ba89a3e71425731
SHA1: 457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256: a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599 CREATED: Tue Feb 09 21:38:20 2016 MODIFIED: Sat Feb 02 03:21:00 2013 ACCESSED: Sat Jul 07 09:05:05 2018
REASON_1: Malware Hash TYPE: MD5 HASH: bd126a7b59d5d1f97ba89a3e71425731 SUBSCORE: 100 DESC: Carbanak IOCs

virustotal.com says:

One engine detected this file [1/67, Cylance]
SHA-256 a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
File name wget.exe
File size 392 KB
Last analysis 2018-07-07 00:17:26 UTC
Community score +735

Thank you for the program!

Regards,
Thomas Koehler

undefined identifier "PEFILE"

[INFO] Initializing Yara rule gen_mimikittenz.yar
Traceback (most recent call last):
File "loki.py", line 971, in initialize_yara_rules
'md5': dummy
SyntaxError: /Users/xxxx/tools/Loki/./signature-base/yara/gen_mimipenguin.yar(10835): undefined identifier "PEFILE"

undefined identifier "filename"

A few of the YARA rules fail to compile and throw that error:

  • yara/generic_anomalies.yar
  • yara/general_cloaking.yar
  • yara/thor_inverse_matches.yar
  • yara/yara_mixed_ext_vars.yar

This causes a segfault in go-yara with Yara version 3.7.1

False positive: SyncAppvPublishingServer.vbs

[NOTICE]
FILE: C:\Windows\WinSxS\amd64_microsoft-windows-a..nagement-appvclient_31bf3856ad364e35_10.0.17134.1_none_b1f3037231516201\SyncAppvPublishingServer.vbs SCORE: 50 TYPE: UNKNOWN SIZE: 1720
FIRST_BYTES: 272d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d / '-------------------
MD5: 20c4fe2b130d9f0c92d7629e71afbb66
SHA1: f01de532969553083cf7906b2709940f0a41b083
SHA256: b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66 CREATED: Thu Apr 12 01:35:10 2018 MODIFIED: Thu Apr 12 01:35:10 2018 ACCESSED: Thu Apr 12 01:35:10 2018
REASON_1: Yara Rule MATCH: WScript_Shell_PowerShell_Combo SUBSCORE: 50
DESCRIPTION: Detects malware from Middle Eastern campaign reported by Talos REF: http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
MATCHES: Str1: .CreateObject("WScript.Shell") Str2: powershell.exe

According to https://www.virustotal.com/de/file/b8a5c42bf6f7a14ba73660be29f5c061d30b41c6d14e42b880a4ea522f43ce66/analysis/, this file belongs to the Microsoft Corporation software catalogue.
But the file has been deleted, so I can't upload it.
