{
    "type": "bundle",
    "id": "bundle--e6bde396-ec07-4a4b-bd2e-aef340490594",
    "objects": [
        {
            "type": "identity",
            "spec_version": "2.1",
            "id": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2023-03-08T12:51:41.595163Z",
            "modified": "2023-03-08T14:31:55.177985Z",
            "name": "GregLesnewich",
            "identity_class": "organization"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--5e082fed-b232-47ba-9232-c50c9d6f748f",
            "created": "2026-06-24T20:27:25.621205Z",
            "modified": "2026-06-24T20:27:25.621205Z",
            "name": "YARA Rule",
            "pattern": "rule MAL_MATA_Beacon_Command_Opcodes\r\n{\r\n    \tmeta:\r\n    \t\tauthor = \"Greg Lesnewich\"\r\n    \t\tdate = \"2023-01-18\"\r\n    \t\tversion = \"1.0\"\r\n    \t\tdescription = \"check for Mata framework beacon opcodes and handshake check\"\r\n\r\n    \tstrings: \r\n    \t\t$CMataNet_Auth = {\r\n    \t\tc745c400000200     //1000012a2  c745c400000200     mov     dword [rbp-0x3c {var_44}], 0x20000\r\n    \t\t488d75c4           //1000012a9  488d75c4           lea     rsi, [rbp-0x3c {var_44}]\r\n    \t\t4c89f7             //1000012ad  4c89f7             mov     rdi, r14\r\n    \t\tba04000000         //1000012b0  ba04000000         mov     edx, 0x4\r\n    \t\tb901000000         //1000012b5  b901000000         mov     ecx, 0x1\r\n    \t\te8????????         //1000012ba  e8????????         call    CMataNet_SendBlock\r\n    \t\t85c0               //1000012bf  85c0               test    eax, eax\r\n    \t\t74??               //1000012c1  74??               je      0x10000131b\r\n    \t\tc745c400000000     //1000012c3  c745c400000000     mov     dword [rbp-0x3c {var_44}], 0x0\r\n    \t\t488d75c4           //1000012ca  488d75c4           lea     rsi, [rbp-0x3c {var_44}]\r\n    \t\t4c89f7             //1000012ce  4c89f7             mov     rdi, r14\r\n    \t\tba04000000         //1000012d1  ba04000000         mov     edx, 0x4\r\n    \t\tb901000000         //1000012d6  b901000000         mov     ecx, 0x1\r\n    \t\t41b82c010000       //1000012db  41b82c010000       mov     r8d, 0x12c\r\n    \t\te8????????         //1000012e1  e8????????         call    CMataNet_RecvBlock\r\n    \t\t4531e4             //1000012e6  4531e4             xor     r12d, r12d  {0x0}\r\n    \t\t85c0               //1000012e9  85c0               test    eax, eax\r\n    \t\t74??               //1000012eb  74??               je      0x10000131e\r\n    \t\t817dc400010200     //1000012ed  817dc400010200     cmp     dword [rbp-0x3c {var_44}], 0x20100\r\n    \t\t75??   \n\t\t\t\t\t\t //1000012f4  75??               jne     0x10000131e\r\n    \t\tc745c400020200     //1000012f6  c745c400020200     mov     dword [rbp-0x3c {var_44}], 0x20200\r\n    \t}\r\n\r\n    \tcondition:\r\n    \t\t(uint32be(0x0) == 0xCAFEBABE or uint32be(0x0) == 0xCFFAEDFE or uint32be(0x0) == 0xCEFAEDFE) and\r\n    \t\tall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-01-18T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--c8b45bf1-a977-48ae-83bb-f64d356d1799",
            "created": "2026-06-24T20:27:25.622016Z",
            "modified": "2026-06-24T20:27:25.622016Z",
            "name": "YARA Rule",
            "pattern": "rule MAL_MATA_SendPacket_Command_Opcodes\r\n{\r\n    \tmeta:\r\n    \t\tauthor = \"Greg Lesnewich\"\r\n    \t\tdate = \"2023-01-18\"\r\n    \t\tversion = \"1.0\"\r\n    \t\tdescription = \"check for Mata framework packet opcodes being moved into EDI before sending\"\r\n\r\n    \tstrings:\r\n    \t\t\t$0x20300 = { bf 00 03 02 00 31 f6 31 d2 e8 }\r\n    \t\t\t$0x20600 = { bf 00 06 02 00 31 f6 49 89 d5 31 d2 e8 }\r\n    \t\t\t$0x20500 = { bf 00 05 02 00 31 f6 31 d2 e8 }\r\n    \t\t\t/*\r\n    \t\t\t\t100005d7b  bf00050200         mov     edi, 0x20500\r\n    \t\t\t\t100005d80  31f6               xor     esi, esi  {0x0}\r\n    \t\t\t\t100005d82  31d2               xor     edx, edx  {0x0}\r\n    \t\t\t\t100005d84  e867f9ffff         call    MataSendPacket\r\n    \t\t\t*/\r\n    \tcondition:\r\n    \t\t\t(uint32be(0x0) == 0xCAFEBABE or uint32be(0x0) == 0xCFFAEDFE or uint32be(0x0) == 0xCEFAEDFE) and\r\n    \t\t\tall of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-01-18T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--f376a045-da49-4ea6-a43b-871d7ee74989",
            "created": "2026-06-24T20:27:25.622625Z",
            "modified": "2026-06-24T20:27:25.622625Z",
            "name": "YARA Rule",
            "pattern": "rule SUSP_Macho_AES_CBC_Mode_XOR\r\n{\r\n    \tmeta:\r\n    \t\t\tauthor = \"Greg Lesnewich\"\r\n    \t\t\tdate = \"2023-01-18\"\r\n    \t\t\tversion = \"1.0\"\r\n    \t\t\tdescription = \"check Macho files for what might be an AES XOR routine used in its CBC mode \"\r\n\r\n    \tstrings:\r\n    \t\t\t$aes_cbc_xor_movs = {0fb6480141304c1d010fb6480241304c1d020fb6480341304c1d030fb6480441304c1d040fb6480541304c1d050fb6480641304c1d060fb6480741304c1d070fb6480841304c1d080fb6480941304c1d090fb6480a41304c1d0a0fb6480b41304c1d0b0fb6480c41304c1d0c0fb6480d41304c1d0d0fb6480e41304c1d0e0fb6400f4130441d0f}\r\n    \tcondition:\r\n    \t\t\t(uint32be(0x0) == 0xCAFEBABE or uint32be(0x0) == 0xCFFAEDFE or uint32be(0x0) == 0xCEFAEDFE) and\r\n    \t\t\t1 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-01-18T00:00:00Z"
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--19d2752a-d084-42c7-b62e-bac14df0fcbf",
            "created": "2026-06-24T20:27:25.623213Z",
            "modified": "2026-06-24T20:27:25.623213Z",
            "name": "YARA Rule",
            "pattern": "rule SUSP_Macho_Library_StackString\r\n{\r\n    meta:\r\n        author = \"Greg Lesnewich\"\r\n        date = \"2023-01-18\"\r\n        version = \"1.0\"\r\n        description = \"check for the path /Library being passed as a stack string\"\r\n\r\n    strings:\r\n        $slash_library = {48 ?? 2f 4c 69 62 72 61 72 79} // Library passed to stack with the register wildcarded\r\n\r\n    condition:\r\n        (uint32be(0x0) == 0xCAFEBABE or uint32be(0x0) == 0xCFFAEDFE or uint32be(0x0) == 0xCEFAEDFE) and \r\n    \t1 of them\r\n}",
            "pattern_type": "yara",
            "valid_from": "2023-01-18T00:00:00Z"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--af94d6df-772b-4a8e-8690-2a9f5ba023f5",
            "value": "67.43.239.146"
        },
        {
            "type": "ipv4-addr",
            "spec_version": "2.1",
            "id": "ipv4-addr--38220d44-2862-4067-b988-4909dbafb4ee",
            "value": "185.62.58.207"
        },
        {
            "type": "report",
            "spec_version": "2.1",
            "id": "report--ffd5d925-bff6-416c-a179-247b3a07eef2",
            "created_by_ref": "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
            "created": "2026-06-24T20:27:25.630206Z",
            "modified": "2026-06-24T20:27:25.630206Z",
            "name": "Writing Rules for Non-Objective C Malware",
            "published": "2023-01-18T00:00:00Z",
            "object_refs": [
                "identity--905e45e7-af77-42eb-9289-5cd4fbbb0fa5",
                "indicator--5e082fed-b232-47ba-9232-c50c9d6f748f",
                "indicator--c8b45bf1-a977-48ae-83bb-f64d356d1799",
                "indicator--f376a045-da49-4ea6-a43b-871d7ee74989",
                "indicator--19d2752a-d084-42c7-b62e-bac14df0fcbf",
                "ipv4-addr--af94d6df-772b-4a8e-8690-2a9f5ba023f5",
                "ipv4-addr--38220d44-2862-4067-b988-4909dbafb4ee"
            ],
            "external_references": [
                {
                    "source_name": "source",
                    "url": "https://github.com/g-les/100DaysofYARA/blob/main/100DaysofYARA_2023_Blog5_MATA_Dacls.ipynb"
                }
            ]
        }
    ]
}