ShadowBrokers EquationGroup Compilation Timestamp Observation
From the post:
I looked at the IOCs @GossiTheDog posted, looked each up in VirusTotal and dumped the compilation timestamp into a spreadsheet.
To step back a second, the Microsoft Windows compiler embeds the date and time that the given .exe or .dll was compiled. Compilation time is a very useful characteristic of Portable Executable. Malware authors could zero it or change it to a random value, but I’m not sure there is any indication of that here. If the compilation timestamps are real, then there’s an interesting observation in this dataset.
…
A very clever observation! Check time stamps for patterns!
It enables an attentive reader to ask:
- Were the Shadow Brokers exploits stolen prior to 2013-08-22?
- If no to #1, where are the exploits post 2013-08-22?
Have the dumps so far been far-away lightning that precedes very close thunderclaps?
Imagine compilation timestamps in 2014, 2015, or even 2016?
Listen for Shadow Brokers to roar!
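To check timestamps for patterns without a VirusTotal lookup, the compilation timestamp the quoted post describes can be read directly from a file's header. This is an added example, not code from the quoted post: the function names, sample names and sample bytes are constructed for illustration, and the cutoff date is the one mentioned above.

```python
import struct
from datetime import datetime, timezone

def pe_compile_time(data: bytes):
    """Return the COFF TimeDateStamp as a UTC datetime, or None if it was zeroed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc) if stamp else None

def summarize(samples: dict):
    """Map each sample name to its timestamp; also return the latest non-zero one."""
    stamps = {name: pe_compile_time(blob) for name, blob in samples.items()}
    real = [t for t in stamps.values() if t is not None]
    return stamps, (max(real) if real else None)

def _constructed_pe(stamp: int) -> bytes:
    """Build a minimal header-only PE image (constructed test input, not a real sample)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

def _epoch(y, m, d) -> int:
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

# Constructed samples: two dated builds and one with the field zeroed by its author.
SAMPLES = {
    "sample_a.dll": _constructed_pe(_epoch(2011, 3, 4)),
    "sample_b.exe": _constructed_pe(_epoch(2013, 8, 22)),
    "sample_c.exe": _constructed_pe(0),
}

if __name__ == "__main__":
    stamps, latest = summarize(SAMPLES)
    for name, ts in sorted(stamps.items()):
        print(f"{name:14} {ts.isoformat() if ts else 'zeroed'}")
    print("latest compile time:", latest)
```

A zeroed field is reported separately rather than as 1970-01-01, so it cannot be mistaken for a real date when looking for the latest build.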