348 lines
13 KiB
JSON
348 lines
13 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2016-04-22",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - New Poison Ivy RAT Variant Targets Hong Kong Pro-Democracy Activists",
|
||
|
"publish_timestamp": "1461356783",
|
||
|
"published": true,
|
||
|
"threat_level_id": "2",
|
||
|
"timestamp": "1461356749",
|
||
|
"uuid": "571a87f2-13e0-4396-83e5-4780950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356566",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a8816-0ed8-4575-a709-4c0a950d210f",
|
||
|
"value": "http://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356580",
|
||
|
"to_ids": false,
|
||
|
"type": "comment",
|
||
|
"uuid": "571a8824-8a5c-44b9-9f31-4530950d210f",
|
||
|
"value": "Malware writers have always sought to develop feature-rich, easy to use tools that are also somewhat hard to detect via both host- and network-based detection systems. For many years, one of the go-to families of malware used by both less-skilled and advanced actors has been the Poison Ivy (aka PIVY) RAT. Poison Ivy has a convenient graphical user interface (GUI) for managing compromised hosts and provides easy access to a rich suite of post-compromise tools. It is no surprise it\u00e2\u20ac\u2122s now being used against pro-democracy organizations and supporters in Hong Kong that have long been a target of advanced attack campaigns."
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356606",
|
||
|
"to_ids": false,
|
||
|
"type": "vulnerability",
|
||
|
"uuid": "571a883e-bcdc-4fee-9ea8-4c53950d210f",
|
||
|
"value": "CVE-2015-2545"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356630",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a8856-6624-497d-a423-4aa2950d210f",
|
||
|
"value": "13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356631",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a8857-814c-4806-973b-4cad950d210f",
|
||
|
"value": "4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356631",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a8857-2c0c-4800-b4db-4a24950d210f",
|
||
|
"value": "9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Poison Ivy shellcode files",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356653",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a886d-05c8-4a7a-aa10-4157950d210f",
|
||
|
"value": "c707716afde80a41ce6eb7d6d93da2ea5ce00aa9e36944c20657d062330e13d8"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Poison Ivy shellcode files",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356654",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a886e-0314-4f2b-aca3-4845950d210f",
|
||
|
"value": "0414bd2186d9748d129f66ff16e2c15df41bf173dc8e3c9cbd450571c99b3403"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C2 Domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356668",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "571a887c-6cb8-4016-9961-48e2950d210f",
|
||
|
"value": "sent.leeh0m.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C2 Domains",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356669",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "571a887d-f61c-48c1-becf-47f8950d210f",
|
||
|
"value": "found.leeh0m.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356719",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "571a88af-94b4-434b-b71a-4d46950d210f",
|
||
|
"value": "RasTls.exe"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356719",
|
||
|
"to_ids": false,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a88af-3544-4294-928e-40c3950d210f",
|
||
|
"value": "0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356720",
|
||
|
"to_ids": false,
|
||
|
"type": "filename",
|
||
|
"uuid": "571a88b0-719c-412f-9467-4cb0950d210f",
|
||
|
"value": "ssMUIDLL.dll"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356720",
|
||
|
"to_ids": false,
|
||
|
"type": "sha256",
|
||
|
"uuid": "571a88b0-fc5c-4f6c-a9a9-490a950d210f",
|
||
|
"value": "7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process - Xchecked via VT: 7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356749",
|
||
|
"to_ids": false,
|
||
|
"type": "sha1",
|
||
|
"uuid": "571a88cd-6d50-45e8-8ce0-4af802de0b81",
|
||
|
"value": "e9ccf4e139bbbd114b67cc3cee260d1cb638c9d0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process - Xchecked via VT: 7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356749",
|
||
|
"to_ids": false,
|
||
|
"type": "md5",
|
||
|
"uuid": "571a88cd-d5e8-47cd-babc-464402de0b81",
|
||
|
"value": "2fecb7d30ac753db36973a72048b4173"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356749",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a88ce-cec0-41e5-8deb-458d02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/7a424ad3f3106b87e8e82c7125834d7d8af8730a2a97485a639928f66d5f6bf4/analysis/1459770131/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process - Xchecked via VT: 0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356750",
|
||
|
"to_ids": false,
|
||
|
"type": "sha1",
|
||
|
"uuid": "571a88ce-d5fc-4cb3-84d2-446b02de0b81",
|
||
|
"value": "11d8bbd1a76e2e9ad43539480fed29bb07ef0a4d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Loader Files - legitimate, signed binary that is used in the sideloading process - Xchecked via VT: 0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356750",
|
||
|
"to_ids": false,
|
||
|
"type": "md5",
|
||
|
"uuid": "571a88ce-3634-407f-b0f9-432302de0b81",
|
||
|
"value": "8ddc664747b4c424c4ed576362134f3c"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356750",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a88ce-274c-4e90-a2e7-490602de0b81",
|
||
|
"value": "https://www.virustotal.com/file/0191cb2a2624b532b2dffef6690824f7f32ea00730e5aef5d86c4bad6edf9ead/analysis/1461310950/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356751",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "571a88cf-6db4-4145-9579-47ba02de0b81",
|
||
|
"value": "0e06e99c8f1c8882fd1f35793c50213f1905494f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356751",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "571a88cf-9f4c-4a9b-bb6d-4c1202de0b81",
|
||
|
"value": "50064d33625970a8145add7e3e242fe3"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356751",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a88cf-2694-462c-a1fd-497802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9c6dc1c2ea5b2370b58b0ac11fde8287cd49aee3e089dbdf589cc8d51c1f7a9e/analysis/1461331258/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356752",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "571a88d0-28b4-486e-a523-421502de0b81",
|
||
|
"value": "c3ed7bd750192bd43e7fb30d515a109850fb6342"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356752",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "571a88d0-71cc-4ed6-90e6-4dc802de0b81",
|
||
|
"value": "e1b4a5a565fdfcec52346d3b6063c587"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356753",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a88d1-5970-43ee-a4fd-4a2e02de0b81",
|
||
|
"value": "https://www.virustotal.com/file/4d38d4ee5b625e09b61a253a52eb29fcf9c506ee9329b3a90a0b3911e59174f2/analysis/1461331255/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356753",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "571a88d1-0264-4cec-a6ae-465a02de0b81",
|
||
|
"value": "12627ba5fea1f00d6ac0704d053c519db93f9122"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Weaponized EPS Docs - Xchecked via VT: 13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356753",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "571a88d1-9650-43b7-976c-4cd502de0b81",
|
||
|
"value": "3fe0cbedec6969803a72b8c76a4a0a03"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1461356754",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "571a88d2-28a0-4dda-93fb-449802de0b81",
|
||
|
"value": "https://www.virustotal.com/file/13bdc52c2066e4b02bae5cc42bc9ec7dfcc1f19fbf35007aea93e9d62e3e3fd0/analysis/1461331255/"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|