valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
938 Commits 2 Branches 1 Tag 33 MiB
fe92bee246
Commit Graph

700 Commits

Author SHA1 Message Date
Florian Roth
c8d3a207a8 False Positive Reduction 2018-10-19 09:06:10 +02:00
Florian Roth
a62eeef8ba Suspicious IEX PowerShell Combo 2018-10-10 16:30:50 +02:00
Florian Roth
ee33d93858 Suspicious String Obfuscation Concat 2018-10-10 16:30:32 +02:00
Florian Roth
ce17d9ab65 False Positive Reduction 2018-10-10 16:30:08 +02:00
Florian Roth
a7cbf7b9c7 Suspicious SFX running wscript.exe 2018-09-28 13:29:43 +02:00
Florian Roth
7dd457c5b3 Suspicious CMD Var expansion in Office Docs 2018-09-28 13:29:35 +02:00
Florian Roth
a907fd2210 False Positive Reduction 
https://github.com/Neo23x0/signature-base/issues/44
 2018-09-24 12:30:09 +02:00
Florian Roth
d6a2d00cb7 Xbash 
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
 2018-09-20 07:38:08 +02:00
Florian Roth
265ad6fba8 Suspicious LNK files 2018-09-19 08:51:23 +02:00
Florian Roth
9412f650d8 Fix: tightened the SFX rule 2018-09-17 08:27:58 +02:00
Florian Roth
954bb96328 Anomaly: SFX with Microsoft Copyright 2018-09-17 08:21:16 +02:00
Florian Roth
f2984271d4 Generic rule: Suspicious office dropper strings 2018-09-14 00:24:44 +02:00
Florian Roth
3efa3f9648 BlackBone Driver Injector 2018-09-11 13:34:44 +02:00
Florian Roth
eed7fcdf4c False Positive Reduction 2018-09-11 13:34:14 +02:00
Florian Roth
1d3baf823b Fixed error in RC4 keys list 2018-08-26 20:16:40 +02:00
Florian Roth
7c8745c59e License notice on my own rules, removed rules with unclear/problematic licensing 2018-08-26 12:48:01 +02:00
Florian Roth
3281e6dc72 APT Lazarus Operation Applejeus YARA rules 2018-08-26 12:48:01 +02:00
Florian Roth
3fb661511c Modified mimikatz rule to exclude low performing expr 2018-08-26 12:48:01 +02:00
Florian Roth
4a1deff33c DriveCrypt exploits 2018-08-22 11:10:00 +02:00
Florian Roth
8ddab9bd5a False Positive Reduction https://github.com/Neo23x0/signature-base/issues/42 2018-08-22 11:09:39 +02:00
Florian Roth
5d4ed2203d fix: fixed typo in rule name 2018-08-21 11:09:06 +02:00
Florian Roth
e3d60d7899 Metasploit Framework UA 2018-08-21 10:59:12 +02:00
Florian Roth
a30f16f056 False Positive Reduction 2018-08-21 10:58:45 +02:00
Florian Roth
9020d1f005 More HiddenCobra rules 
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/
 2018-08-13 16:27:03 +02:00
Florian Roth
1ee9142dc5 Improved certificate payload rule 2018-08-02 15:47:42 +02:00
Florian Roth
62400d7324 fix: missing import "pe" statement 2018-08-02 12:20:24 +02:00
Florian Roth
5141e33893 YARA rules for sample in FireEye's FIN7 report 
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
 2018-08-02 12:15:01 +02:00
Florian Roth
1ba9e9f57f DarkHydrus YARA rules 2018-08-02 11:51:03 +02:00
Florian Roth
3e9a1a5579 Certificate Payloads 2018-08-02 11:50:29 +02:00
Florian Roth
9bdccc2360 Hacktools: BeRoot, PDF Embedded Mal Code 2018-07-27 13:25:10 +02:00
Florian Roth
0cd91f3afe FancyBear MacOS Agent 2018-07-16 11:44:59 -06:00
Florian Roth
1bea712d70 False Positive Reduction 2018-07-16 11:44:41 -06:00
Florian Roth
24a899602e fix: Added missing import statement for "pe" module 2018-07-14 08:06:35 -06:00
Florian Roth
af76f26aa3 Big Bang report by Check Point 
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
 2018-07-14 07:58:52 -06:00
Florian Roth
e6d6825c94 Monero miner update 2018-07-06 16:07:00 -06:00
Florian Roth
c2634bfa23 APT Rancor 
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/
 2018-06-27 07:57:03 +02:00
Florian Roth
4122386cba Limited Cloud Hopper Rule 2018-06-25 10:57:21 +02:00
Florian Roth
93f62d8300 Hacktool PowerSploit Dropper 2018-06-24 22:44:28 +02:00
Florian Roth
5f87e74c00 Tick Weaponized USB 2018-06-24 22:44:11 +02:00
Florian Roth
1c41cd5d16 APT Thrip 
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
 2018-06-22 00:01:47 +02:00
Florian Roth
04a5426a14 Minor changes and adjustments 2018-06-22 00:00:14 +02:00
Florian Roth
c835b3a58c PLEAD Downloader 2018-06-16 17:40:31 +02:00
Florian Roth
3b25bd8a05 AR18-165 YARA rules 2018-06-16 17:40:18 +02:00
Florian Roth
e53539d7e4 Turla Agent.BTZ 2018-06-16 17:39:25 +02:00
Florian Roth
edfdb48bdc Score adjusted 2018-06-13 13:37:06 +02:00
Florian Roth
6dd31e254c New MuddyWater signature 2018-06-13 13:34:58 +02:00
Florian Roth
4a4a94fc9c Rules prone to false positives on process memory to "file" only 2018-06-13 08:30:02 +02:00
Florian Roth
c42709fe0d BluenoroffPoS DLL 
http://blog.trex.re.kr/
 2018-06-08 21:12:24 +02:00
Florian Roth
be2315b3cf False Positive Reduction 2018-06-08 21:11:39 +02:00
Florian Roth
8f48aa959b APT Lazarus RAT & Dropper 
https://twitter.com/DrunkBinary/status/1002587521073721346
 2018-06-03 00:28:59 +02:00
Florian Roth
55aa4639d2 TA18-149A YARA signatures 
https://www.us-cert.gov/ncas/alerts/TA18-149A
 2018-06-01 09:25:27 +02:00
Florian Roth
077384492c Updated BadPDF rule 2018-05-29 14:22:41 +02:00
Florian Roth
3596fea85a False Positive Reduction 2018-05-24 16:12:52 +02:00
Florian Roth
c9296e7ca8 VPNFilter YARA rules 2018-05-24 16:12:37 +02:00
Florian Roth
ee986a7e7b Bugfix - missing "pe" 2018-05-20 19:41:00 +02:00
Florian Roth
9f3067d594 Floxif / FlyStudio malware 2018-05-20 18:49:45 +02:00
Florian Roth
0838bfff7d Hacktool ShellPop shells 2018-05-20 18:49:45 +02:00
Florian Roth
ae1bd7b7ea Suspicious LNK file with path traversal like relative path 2018-05-20 18:49:45 +02:00
Florian Roth
4671958b12 Suspicious LNK file with reference to AppData Roaming 2018-05-20 18:49:45 +02:00
Florian Roth
da89105ae5 Another Microsoft Copyright Anomaly 2018-05-20 18:49:45 +02:00
Florian Roth
a06dae24aa Renamed Rule 2018-05-20 18:49:45 +02:00
Florian Roth
642cc04bb0 False Positive Reduction 2018-05-20 18:49:45 +02:00
r00t0vi4
7e95136760
Update generic_anomalies.yar 
Replace external variable "filetype" with hex 0x4749463839 (GIF89). 
It's a simplifies rules. You are using external variable "filetype" only in this place.
 2018-05-07 15:17:14 +03:00
Florian Roth
c595b47958 Winnti Burning Umbrella 
https://401trg.pw/burning-umbrella/
 2018-05-05 11:43:11 +02:00
Florian Roth
1f58d867d4 Turla Signature 2018-05-04 00:30:10 +02:00
Florian Roth
08385bc71d Bad PDF 
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
 2018-05-03 16:02:46 +02:00
Florian Roth
defc966d74 Fancy Bear Lojack Double Agent Hashes & YARA rule 
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
 2018-05-02 10:41:35 +02:00
Florian Roth
cc376073cc APT10 Hogfish Redleaves 2018-05-02 08:04:26 +02:00
Florian Roth
bd26c9226e Lazagne PW Dumper 2018-05-01 21:18:10 +02:00
Florian Roth
2b122abd9b Another YARA rule for CVE-2017-11882 detection 2018-05-01 21:17:24 +02:00
Florian Roth
c2e12db40c HScan False Positive 2018-04-26 23:19:47 +02:00
Florian Roth
b396038d14 Process Injector Generic 2018-04-26 23:19:35 +02:00
Florian Roth
abdc494d13 False Positive Reduction 2018-04-26 23:19:13 +02:00
Florian Roth
78ce62d33f Sednit Delphi Downloader 
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
 2018-04-26 23:18:46 +02:00
Florian Roth
f7da02c0f3 Kwampirs malware 
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
 2018-04-24 11:29:01 +02:00
Florian Roth
8d6d3b36ae GrandCrab malware 2018-04-24 11:22:46 +02:00
Florian Roth
8424575572
Merge pull request #33 from yt0ng/signature-base-yt0ng 
added winnti Mozilla Kingsoft Confusion in PE Metadata
 2018-04-16 08:11:03 +02:00
Florian Roth
06067a7399
Slightly modified - and QA tested 2018-04-16 07:58:13 +02:00
Florian Roth
a4ecbf4410 WebMonitor RAT 
https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
 2018-04-16 07:51:01 +02:00
yt0ng
edb7390a48 added winnti Mozilla Kingsoft Confusion in PE Metadata 2018-04-15 09:46:48 +02:00
Florian Roth
70037ba67e PowerShell JAB rule 2018-04-14 11:56:12 +02:00
Florian Roth
e0245230c3 Renamed rule to avoid problems with updated LOKI versions 2018-04-14 11:55:57 +02:00
Florian Roth
615b9a117e Updated GIF cloaked webshell rule 2018-04-13 11:34:48 +02:00
Florian Roth
4ca62a2556 Turla Agent.BTZ 2018-04-12 19:42:29 +02:00
Florian Roth
5b2c2b58d9 Cosmetics 2018-04-11 23:51:43 +02:00
Florian Roth
f2f9956fbb New hacktool signatures 2018-04-11 23:51:43 +02:00
Florian Roth
c1b50600c1 Rule improvements 2018-04-11 23:51:43 +02:00
yt0ng
b6c6e60681 added Turla Kazuar RAT described by DrunkBinary 2018-04-09 14:22:36 +02:00
Florian Roth
da310446fe Generic PowerShell rule for code the uses Kernel32 / write remote process memory 2018-04-06 12:45:37 +02:00
Florian Roth
bb8fe2cdf4 Revised YARA sigs from NCSC report 
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control
 2018-04-06 12:45:37 +02:00
Florian Roth
68f98c8775 CVE-2014-4076 exploit code 2018-04-06 12:45:37 +02:00
Florian Roth
4e57b9f856 Renamed rule 2018-04-06 12:45:37 +02:00
Florian Roth
05f65d6592
Performance optimization 2018-04-03 15:30:23 +02:00
John Lambert
28bd891428
Update gen_unicorn_obfuscated_powershell.yar 
Tweak rule for optional paren
 2018-04-03 06:23:50 -07:00
John Lambert
30f914e71d
Update gen_unicorn_obfuscated_powershell.yar 
add support for alternative switches (i.e. -w and /w) and paren block on payload. Found in VT sample 1afb9795cb489abce39f685a420147a2875303a07c32bf7eec398125300a460b
 2018-04-03 06:17:48 -07:00
Florian Roth
4263292a16 Hidden Cobra Wiper 
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
 2018-03-28 19:57:12 +02:00
John Lambert
df49f01006
update for VT uploads that include the POST header 
came across submissions (7d5819a2ea62376e24f0dd3cf5466d97bbbf4f5f730eb9302307154b363967ea, 2a69e46094d0fef2b3ffcab73086c16a10b517f58e0c1f743ece4f246889962b) with a header such as:
POST /wls-wsat/CoordinatorPortType HTTP/1.1
Host: 90.147.64.54:80
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0
Connection: Close
Content-Type: text/xml
Content-Length: 1214

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>...
 2018-03-28 05:31:01 -07:00
Florian Roth
2d4a023211 Updated Keyboy malware rules 2018-03-28 11:28:38 +02:00
Florian Roth
5a5268e3db Suspicious Keylogger / Backdoor PDB strings 2018-03-28 11:27:53 +02:00
Florian Roth
d89fda03fe Improved Impacket rules 2018-03-28 11:27:18 +02:00
Florian Roth
29dc390b2b OilRig / Chafer YARA Rules 
https://nyotron.com/nyotron-discovers-next-generation-oilrig-attacks/
 2018-03-23 08:43:43 +01:00
Florian Roth
89eb1aaed2 Added .yar extension to weblogic exploit rule 2018-03-22 00:19:09 +01:00
Florian Roth
525bb2d361 False Positive Reduction 2018-03-22 00:17:41 +01:00
John Lambert
f6fef3e296
detect Oracle Weblogic exploit CVE-2017-10271 
Performed a retrohunt. 3 matches came back--all true positives:
20f5a6b4915d51c36b1e2fa77da7f75c44b07697b717ef733deba86d7c57b09a
376c2bc11d4c366ad4f6fecffc0bea8b195e680b4c52a48d85a8d3f9fab01c95
864e9d8904941fae90ddd10eb03d998f85707dc2faff80cba2e365a64e830e1d/subfile
 2018-03-21 14:06:07 -07:00
Florian Roth
1e2fb32e11 Removed rule - prone to false positives 2018-03-20 15:15:28 +01:00
Florian Roth
2b845847fc Bugfix in TA18-074A webshell rule 2018-03-17 11:18:13 +01:00
Florian Roth
0cef4b1890 Revised YARA rules of TA18-074A 2018-03-16 23:22:20 +01:00
Florian Roth
892b159c00 First commit of TA18-074A rules 2018-03-16 16:32:11 +01:00
Florian Roth
65d45e5638 Fixed false positives in Slingshot APT sigs 2018-03-12 15:26:00 +01:00
Florian Roth
5334216f73 Prone to false positives 
https://www.virustotal.com/en/file/8e928dc79b4dd5695b1b3fcd4592b7179c2e2857a82d325d49237977636b21d2/analysis/
 2018-03-12 14:56:19 +01:00
Florian Roth
2ce3e0bbaf Fix to avoid too many false positives 2018-03-12 14:49:03 +01:00
Florian Roth
117270469f Moved all rules that use ext vars to a new rule set 2018-03-12 13:47:40 +01:00
Florian Roth
3018b8b551 Extended the APT15 rules by NCCGroups rules (revised) 
https://github.com/nccgroup/Royal_APT/blob/master/signatures/apt15.yara
 2018-03-12 12:55:33 +01:00
Florian Roth
07b44fe78a APT15 YARA signatures 
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
 2018-03-12 09:40:31 +01:00
Florian Roth
125a220411 Slingshot APT YARA signatures 
https://securelist.com/apt-slingshot/84312/
 2018-03-10 12:20:04 +01:00
Florian Roth
3fe8f66d3b Bigfix: missing "pe" import 2018-03-09 15:35:38 +01:00
Florian Roth
9c5765484d DonotTeam YTYFramework YARA sig 
https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/
 2018-03-09 15:29:45 +01:00
Florian Roth
b031d55469 Crimson RAT 2018-03-08 18:56:38 +01:00
Florian Roth
cecd779892 Updated generic dump files : gesecdump output 2018-03-08 18:48:55 +01:00
Florian Roth
b0f6890de1 TSCookie RAT 2018-03-08 18:48:55 +01:00
Florian Roth
62ff9d53f5
PowerShell payload obfuscated by Unicorn toolkit 2018-03-08 18:24:10 +01:00
JohnLaTwC
70c1a24de4
finds powershell commands obfuscated by unicorn 
I see unicorn samples uploaded to VT a few times a day. Here is a rule for it. 
Unicorn toolkit: https://github.com/trustedsec/unicorn/

Example hashes:
14c708d8577eafc56fa8af4d45aaedfbba185aee6ffc22650b2b5b4a58c6ae0f
19c8d44fe80cfbd61e30f9aeef3f7433473e6ae66d7b2e26bae22ed9b338a755
1f1990d08ae6ac2480e2ba4fcc4f00105aa2eb8606fa5b23be450922a705a637
211c690cded91446b43ec2bd89a8071df8b96442b3fa9762a91945c8987996db
4b877196a90b2ad62fe795fff63d36742d9099ae677fe5e44ef47e6a9919adc4
5239c2de70c82b70ce3dac0669b4b4ec95b5d5fd0286bad8e3ec960217e20627

Also https://twitter.com/JohnLaTwC/status/971536587388407809
 2018-03-07 17:29:36 -08:00
JohnLaTwC
7cab502150
yara rule for encoded python payloads for adware 
Ran it through a retrohunt earlier and has good true positive track record in VT.  Very interesting python samples that it is a part of.
 2018-03-07 08:45:57 -08:00
Florian Roth
5110a57cd5 Minor changes: performance reasons, reference, hashes split up 2018-03-05 15:41:51 +01:00
Florian Roth
7c4b9b1725
Merge pull request #24 from JohnLaTwC/patch-1 
generic python reverse shell
 2018-03-05 15:36:05 +01:00
Florian Roth
27442f03b0 Operation Honey Bee Malware YARA sigs 
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
 2018-03-03 16:12:34 +01:00
Florian Roth
77281d4ea2 Generic dropper PDB string 2018-03-03 12:15:31 +01:00
Florian Roth
0b21871f52 IceFog malware 
https://twitter.com/ClearskySec/status/968104465818669057
 2018-03-03 10:15:24 +01:00
Florian Roth
c41806f2cf False Positive Reduction 2018-03-01 19:13:20 +01:00
Florian Roth
aefa8e8af7 Bugfix and extended Sofacy rule 2018-03-01 09:34:03 +01:00
Florian Roth
4bdcf3c64b Sofacy IOCs and YARA signature 2018-03-01 09:29:57 +01:00
Florian Roth
3a7554d535 MuddyWater Doc Dropper 2018-02-27 09:54:05 +01:00
JohnLaTwC
865ac9ce04
generic python reverse shell 
seen in:
1b97cb64e9be8db9d5e959d183f4c5469f7eafab0e34198be784f2e54a9cc768
22b33d5f2028eff3b11a68c8971cfcc6b57509efecf0af7ac6f9aa33e3929f93
25bd4762908751d19b4d27479470cb442319a1419af559bc5c31b83bece20ad4
26b8b960f08fea6d9f18a7ff7a44f46c90972d0fd48332ea90c32f8293266088
528bf356946abd82ce4639e1f66bd71bbad2fadfc83df1c4ff92ffd61e5e8a2c
5eb14f86ab101c5b78d8397a89e7c5a775464565dc5ed6af30eef14f264e0a62
640c80a36f387026871aa2d5e8447f990ec5b18395eb46f453c4215aee0d1846
6623f7f5a326c932ea893419509eac8c243363fea5eadbb940da0d3f949c79a6
6ca26484201218eb0352ce50f1937ec84f09f5187b882c23d2c9a67015d6aedb
743b5192bfe88e67dd1d2259a3ce5b02250b47fefa01274a88eb063a4746b378
b42309e69b8066bdb54faf425d19f5c84e5a00959e641609590cd6607a4601d6
b4e7f9a84ba3ad5f88ced24b43f5ba9bcc98976c45ae74b3e8c47921590e27f7
b8fd4dfe91708511ca87a83b3ee97da0dd4b5cc1e106e2ea6cb93ccddd3b7b17
bfb5c622a3352bb71b86df81c45ccefaa68b9f7cc0a3577e8013aad951308f12
c365c6d27f04637804f4d28c5aa5166342db1aa8712d94488bc518a21f408f53
f3b443d83488c35d5c11ff9eda98d460bf650071235561d3290f7f25c4c76405
fadb468f0324666a4b8eeb3bb499e84b11daa32efac2ae8ccaddf3941c5e25b1
 2018-02-24 14:52:23 -08:00
Florian Roth
d85ae13956 OSX malware by @JohnLaTwC 
https://ghostbin.com/paste/mz5nf
 2018-02-24 10:08:40 +01:00
Florian Roth
328024dfd0 Turla Mosquito YARA Sigs 
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
 2018-02-23 11:50:35 +01:00
Florian Roth
5741438d48 Wscript.Shell rule false positive reduction 2018-02-20 20:12:00 +01:00
Florian Roth
2bdfedfd1a NanoCore RAT update 2018-02-20 20:11:09 +01:00
Florian Roth
898deba325 Loki Bot and Dropper (Feb variant) 2018-02-15 17:08:01 +01:00
Florian Roth
1af4d4347c New CVE-2017-11882 detection rule 2018-02-14 08:51:45 +01:00
Florian Roth
c1360521b4 VBS Obfuscator 2018-02-13 16:20:16 +01:00
Florian Roth
351b5e4c17 Modified Olympic Destroyer rule - made rule 1 a generic rule 2018-02-13 08:29:38 +01:00
Florian Roth
5321485d2a Olympic Destroyer 
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
 2018-02-12 21:54:21 +01:00
Florian Roth
46d21154ca HawkEye keylogger variant rule 2018-02-12 18:22:30 +01:00
Florian Roth
699b322d89 CN disclosed malware repo - NjRAT 
https://twitter.com/cyberintproject/status/961714165550342146
 2018-02-09 10:04:27 +01:00
Florian Roth
e71703c8d0 WScript PowerShell Combo 2018-02-08 23:03:23 +01:00
Florian Roth
b1924d6cde False Positive Reduction 2018-02-08 22:59:08 +01:00
Florian Roth
e1bab3de46 Middle Eastern Campaign - Talos Report 
http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
 2018-02-08 22:58:31 +01:00
Florian Roth
f51713750c False Positive Reduction 2018-02-07 14:39:28 +01:00
Florian Roth
fc18cc990f Scracruft APT malware 
https://twitter.com/craiu/status/959477129795731458
 2018-02-05 10:22:40 +01:00
Florian Roth
846f5ad86c OLE LoadSwf CVE 2018-4878 
https://www.flashpoint-intel.com/blog/targeted-attacks-south-korean-entities/
 2018-02-05 10:20:19 +01:00