APT WINNTI Global BFE_Notify_Event

2024-01-02: Site is back on track, self-hosted on a rpi because you get the Internet you fund. 2025-02-06: Oh well, some power grid issues caused the rpi to reboot, I really should configure uwsgi to restart automatically --'

65a097fe-6102-446a-9f9c-55dfc3f41101
APT WINNTI Global BFE_Notify_Event_

Version	4
Variant	specified in RFC 4122
urn	urn:uuid:65a097fe-6102-446a-9f9c-55dfc3f41101
Hexdump	65a097fe6102446a9f9c55dfc3f41101
Bytes	eáù■a␂Djƒ£U▀├⌠␑␁
UUIDv4	version (4) + randomness
(would-be) MAC Address	55dfc3f41101
(would-be) is_local bit	True
(would-be) is_multicast bit	False
(would-be) MAC Manufacturer	None
(would-be) MAC Date	None

UUID registration form :

APT WINNTI Global BFE_Notify_Event_

https://github.com/3vangel1st/Yara/blob/master/APT_WINNTI.yar

APT WINNTI Global BFE_Notify_Event_ base

fun fact, the notify events have one extra digit (5,4,6 here) https://github.com/3vangel1st/Yara/blob/master/APT_WINNTI.yar

{
  strings:
    $e1 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411015}" ascii nocase
    $e2 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411014}" ascii nocase
    $e3 = "Global\\BFE_Notify_Event_{65a097fe-6102-446a-9f9c-55dfc3f411016}" ascii nocase
    $e4 = "\\BaseNamedObjects\\{B2B87CCA-66BC-4C24-89B2-C23C9EAC2A66}" wide
    $e5 = "BFE_Notify_Event_{7D00FA3C-FBDC-4A8D-AEEB-3F55A4890D2A}" nocase
  condition:
    (any of ($e*))
}

65a097fe-6102-446a-9f9c-55dfc3f41101APT WINNTI Global BFE_Notify_Event_

65a097fe-6102-446a-9f9c-55dfc3f41101
APT WINNTI Global BFE_Notify_Event_