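<?xml version="1.0" encoding="utf-8"?>
<!--
  OpenIOC 1.0 indicator set for Citizen Lab "Event #108": an intrusion campaign
  targeting Chinese-language news sites (authored 2017-07-04).

  Review notes:
  - In OpenIOC the matched value belongs in the <Content> element; the
    IndicatorItem "id" attribute is only a handle. The original file left every
    <Content> empty and carried the value in "id", so a scanner reading <Content>
    (the spec-defined location) would match nothing. Each value is now also
    written into <Content>; the "id" attributes are kept unchanged so any tooling
    that keyed on them keeps working.
  - A duplicate entry for hk.secuerserver.com was dropped; under the top-level
    OR it contributed nothing.
  - condition="is" is an exact match. A DNS query for an unlisted subdomain of a
    listed apex (e.g. mail.secuerserver.com) will NOT hit; switch to
    condition="contains" on the apex entries if broader matching is wanted.
  - NOTE(review): several hostnames read as look-alikes of legitimate
    publisher/vendor names (secuerserver, bowenpres/bowenpross, epochatimes,
    chinadagitaltimes, get.adobe.com.bowenpress.org). Confirm which of the
    bowenpress.* hosts are attacker-registered versus the publisher's own
    domain before blocking, or benign readers will trip the indicator.
  - NOTE(review): the IP indicators date from 2017; hosting IPs are reassigned
    frequently, so re-validate them against the original report before deploying.
-->
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
     id="595baf14-d8e8-4e33-be25-06e38e96ca05"
     last-modified="2017-07-04T00:00:00"
     xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Event #108</short_description>
  <description>Insider Information: An intrusion campaign targeting Chinese language news sites</description>
  <keywords />
  <authored_by>citizenlab</authored_by>
  <authored_date>2017-07-04T00:00:00</authored_date>
  <links />
  <definition>
    <!-- Any single item below matching is sufficient (operator="OR"). -->
    <Indicator operator="OR" id="595baf14-d8e8-4e33-be25-06e38e96ca05">

      <!-- DNS lookups: exact hostname match. -->
      <IndicatorItem id="email23.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">email23.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="hk.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">hk.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="dns.bowenpress.org" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">dns.bowenpress.org</Content>
      </IndicatorItem>
      <IndicatorItem id="secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="bowenpres.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">bowenpres.com</Content>
      </IndicatorItem>
      <IndicatorItem id="bowenpress.net" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">bowenpress.net</Content>
      </IndicatorItem>
      <IndicatorItem id="bowenpress.org" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">bowenpress.org</Content>
      </IndicatorItem>
      <IndicatorItem id="bowenpross.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">bowenpross.com</Content>
      </IndicatorItem>
      <IndicatorItem id="datalink.one" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">datalink.one</Content>
      </IndicatorItem>
      <IndicatorItem id="epochatimes.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">epochatimes.com</Content>
      </IndicatorItem>
      <!-- Hostname shaped to read as get.adobe.com; the real host is a bowenpress.org subdomain. -->
      <IndicatorItem id="get.adobe.com.bowenpress.org" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">get.adobe.com.bowenpress.org</Content>
      </IndicatorItem>
      <IndicatorItem id="pop.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">pop.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="smtpout.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">smtpout.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="www.bowenpress.org" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">www.bowenpress.org</Content>
      </IndicatorItem>
      <IndicatorItem id="www.mail.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">www.mail.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="www.secuerserver.com" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">www.secuerserver.com</Content>
      </IndicatorItem>
      <IndicatorItem id="www.vnews.hk" condition="is">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">www.vnews.hk</Content>
      </IndicatorItem>

      <!-- Remote IP of an observed connection (PortItem). -->
      <IndicatorItem id="45.124.24.39" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">45.124.24.39</Content>
      </IndicatorItem>
      <IndicatorItem id="23.239.106.119" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">23.239.106.119</Content>
      </IndicatorItem>
      <IndicatorItem id="43.240.14.37" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">43.240.14.37</Content>
      </IndicatorItem>

      <!-- Browser URL history: exact string match on the full URL (plain http). -->
      <IndicatorItem id="http://43.240.14.37/asdasdasadqddd12222111.php/article.asp" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://43.240.14.37/asdasdasadqddd12222111.php/article.asp</Content>
      </IndicatorItem>
      <IndicatorItem id="http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic</Content>
      </IndicatorItem>
      <!-- Fake "Adobe update" lure page and the dated AdobeUpdate*.exe payload URLs it served. -->
      <IndicatorItem id="http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html</Content>
      </IndicatorItem>
      <IndicatorItem id="http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe</Content>
      </IndicatorItem>
      <IndicatorItem id="http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe" condition="is">
        <Context document="UrlHistoryItem" search="UrlHistoryItem/URL" type="mir" />
        <Content type="string">http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>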