{
"Event": {
"analysis": "0",
"date": "2017-12-18",
"extends_uuid": "",
"info": "OSINT - Operation Dragonfly Analysis Suggests Links to Earlier Attacks",
"publish_timestamp": "1514467913",
"published": true,
"threat_level_id": "3",
"timestamp": "1513738844",
"uuid": "5a38299e-326c-45d6-9279-481102de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"Dragonfly\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513630552",
"to_ids": false,
"type": "text",
"uuid": "5a3829b8-3de0-473e-91ce-8dbe02de0b81",
"value": "On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014.\r\n\r\nMoving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack\u2019s indicators to determine whether we can glean any further information regarding the source and possible motivations of those behind the campaign. The campaign targets energy companies around the world by leveraging spear-phishing emails that, once successful, allow the attackers to download Trojan software. The Trojans provide access to the victims\u2019 systems and networks.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1513630552",
"to_ids": false,
"type": "link",
"uuid": "5a3829c5-4d84-4e8a-b73e-40ac02de0b81",
"value": "https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1513630552",
"to_ids": false,
"type": "attachment",
"uuid": "5a382adf-4198-4b5d-ab93-4a3702de0b81",
"value": "20171213-DragonFly-1.png",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1513630199",
"uuid": "5a3829f7-d57c-42c0-996b-486602de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1513630199",
"to_ids": false,
"type": "text",
"uuid": "5a3829f7-4a88-431f-b2e6-425602de0b81",
"value": "One of the starting points was a Trojan in the 2017 campaign"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513630200",
"to_ids": true,
"type": "sha256",
"uuid": "5a3829f8-7374-4ca1-b7eb-483d02de0b81",
"value": "fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513630200",
"to_ids": true,
"type": "md5",
"uuid": "5a3829f8-2858-47c7-bd64-482a02de0b81",
"value": "da9d8c78efe0c6c8be70e6b857400fb1"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513630200",
"to_ids": false,
"type": "text",
"uuid": "5a3829f8-9360-48ed-8880-4a4502de0b81",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "8",
"timestamp": "1513630313",
"uuid": "5a382a56-2654-45a7-ab35-8e6702de0b81",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5a382a56-2654-45a7-ab35-8e6702de0b81",
"referenced_uuid": "5a3829f7-d57c-42c0-996b-486602de0b81",
"relationship_type": "related-to",
"timestamp": "1514467913",
"uuid": "5a382a66-daa4-4b7c-906d-48ce02de0b81"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1513630294",
"to_ids": false,
"type": "text",
"uuid": "5a382a56-45ec-4bc9-a837-8e6702de0b81",
"value": "Comparing this code, we discovered another sample from the group that was used in a July 2013 attack:"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1513630294",
"to_ids": true,
"type": "filename",
"uuid": "5a382a56-e010-49ce-a074-8e6702de0b81",
"value": "fl.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513630294",
"to_ids": true,
"type": "sha256",
"uuid": "5a382a56-1960-4028-a5ff-8e6702de0b81",
"value": "07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513630294",
"to_ids": true,
"type": "md5",
"uuid": "5a382a56-af70-4ad9-b2f3-8e6702de0b81",
"value": "4bfdda1a5f21d56afdc2060b9ce5a170"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1513630294",
"to_ids": false,
"type": "text",
"uuid": "5a382a56-2834-4a1f-a85e-8e6702de0b81",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1513630555",
"uuid": "e04bdc0b-5070-445d-8c65-d069baa29a8b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "e04bdc0b-5070-445d-8c65-d069baa29a8b",
"referenced_uuid": "b49ac891-a300-4741-9602-e1b67d398af8",
"relationship_type": "analysed-with",
"timestamp": "1514467913",
"uuid": "5a382b59-d924-44a3-9ec5-8df402de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1513630553",
"to_ids": true,
"type": "sha1",
"uuid": "5a382b59-b5ec-4e40-8f14-8df402de0b81",
"value": "cd9519127efcc9a65068befe17ae038c94085358"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513630553",
"to_ids": true,
"type": "md5",
"uuid": "5a382b59-c4e0-4db2-94db-8df402de0b81",
"value": "da9d8c78efe0c6c8be70e6b857400fb1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513630553",
"to_ids": true,
"type": "sha256",
"uuid": "5a382b59-8fdc-43a9-bd0e-8df402de0b81",
"value": "fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1513630553",
"uuid": "b49ac891-a300-4741-9602-e1b67d398af8",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1513630553",
"to_ids": false,
"type": "link",
"uuid": "5a382b59-1fa0-4df0-98c2-8df402de0b81",
"value": "https://www.virustotal.com/file/fc54d8afd2ce5cb6cc53c46783bf91d0dd19de604308d536827320826bc36ed9/analysis/1512363514/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1513630553",
"to_ids": false,
"type": "text",
"uuid": "5a382b59-a224-432f-87f0-8df402de0b81",
"value": "51/68"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1513630553",
"to_ids": false,
"type": "datetime",
"uuid": "5a382b59-6bbc-45bc-aa29-8df402de0b81",
"value": "2017-12-04T04:58:34"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1513630556",
"uuid": "a12dbcc3-13b7-4c1c-9eeb-1efef4b067f9",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a12dbcc3-13b7-4c1c-9eeb-1efef4b067f9",
"referenced_uuid": "5538a69d-615d-4ee1-bb37-0b1483ad4db5",
"relationship_type": "analysed-with",
"timestamp": "1514467913",
"uuid": "5a382b59-2e44-4235-87b4-8df402de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1513630553",
"to_ids": true,
"type": "sha1",
"uuid": "5a382b59-caac-40e3-92cb-8df402de0b81",
"value": "a582c87f411150e58e18c929194be797685434f7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1513630553",
"to_ids": true,
"type": "md5",
"uuid": "5a382b59-5314-4008-a700-8df402de0b81",
"value": "4bfdda1a5f21d56afdc2060b9ce5a170"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1513630553",
"to_ids": true,
"type": "sha256",
"uuid": "5a382b59-7ce0-4701-97c7-8df402de0b81",
"value": "07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1513630553",
"uuid": "5538a69d-615d-4ee1-bb37-0b1483ad4db5",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1513630553",
"to_ids": false,
"type": "link",
"uuid": "5a382b59-75bc-4dd3-8107-8df402de0b81",
"value": "https://www.virustotal.com/file/07bd08b07de611b2940e886f453872aa8d9b01f9d3c61d872d6cfe8cde3b50d4/analysis/1513461661/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1513630553",
"to_ids": false,
"type": "text",
"uuid": "5a382b59-4b04-4b50-bc35-8df402de0b81",
"value": "42/68"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1513630553",
"to_ids": false,
"type": "datetime",
"uuid": "5a382b59-50dc-4977-8b72-8df402de0b81",
"value": "2017-12-16T22:01:01"
}
]
}
]
}
}