misp-circl-feed/feeds/circl/misp/595dfe70-4ba8-4f83-8089-4a65950d210f.json

230 lines
8.7 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2017-07-06",
"extends_uuid": "",
"info": "OSINT - New KONNI Campaign References North Korean Missile Capabilities",
"publish_timestamp": "1499332535",
"published": true,
"threat_level_id": "3",
"timestamp": "1499332500",
"uuid": "595dfe70-4ba8-4f83-8089-4a65950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332390",
"to_ids": false,
"type": "text",
"uuid": "595dfe84-33bc-42b1-8a1c-44ac950d210f",
"value": "We recently wrote about the KONNI Remote Access Trojan (RAT) which has been distributed by a small number of campaigns over the past 3 years. We have identified a new distribution campaign which took place on 4th July. The malware used in this campaign has similar features to that distributed earlier in 2017 with the following changes:\r\nA new decoy document copy/pasted from an article published on the 3rd of July by Yonhap News Agency in Korea;\r\nThe dropper includes a 64 bit version of KONNI;\r\nA new CC infrastructure consisting of a climbing club website.\r\nNorth Korea conducted a test missile launch on 3rd July. This campaign appears to be directly related to the launch and the ensuing discussion of North Korean missile technology. This is consistent with previous KONNI distribution campaigns which have also frequently mentioned North Korea.",
"Tag": [
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332390",
"to_ids": false,
"type": "link",
"uuid": "595dfe98-e904-4afe-8795-4b6b950d210f",
"value": "http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html",
"Tag": [
{
"colour": "#00223b",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
]
},
{
"category": "Payload delivery",
"comment": "Dropper",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha256",
"uuid": "595dfee2-dd28-4bb6-b9c1-440e950d210f",
"value": "33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90"
},
{
"category": "Payload delivery",
"comment": "32 Bit binary",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha256",
"uuid": "595dfee2-c87c-42f0-908a-41b3950d210f",
"value": "290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a"
},
{
"category": "Payload delivery",
"comment": "64 Bit binary",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha256",
"uuid": "595dfee2-103c-457d-8dfe-42e0950d210f",
"value": "8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "hostname",
"uuid": "595dfef0-0d74-455f-a505-4b53950d210f",
"value": "member-daumchk.netai.net"
},
{
"category": "Payload delivery",
"comment": "64 Bit binary - Xchecked via VT: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha1",
"uuid": "595dff07-cd38-43a2-b8a7-434202de0b81",
"value": "fc8e8390fdbfeb6b6db75a932267cb2f9b59c267"
},
{
"category": "Payload delivery",
"comment": "64 Bit binary - Xchecked via VT: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "md5",
"uuid": "595dff07-e8f8-4dba-a9c1-455902de0b81",
"value": "4e8c61a21d2b91d1ec1404b5857b1663"
},
{
"category": "External analysis",
"comment": "64 Bit binary - Xchecked via VT: 8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": false,
"type": "link",
"uuid": "595dff07-8c58-449a-b220-48fe02de0b81",
"value": "https://www.virustotal.com/file/8aef427aba54581f9c3dc923d8464a92b2d4e83cdf0fd6ace00e8035ee2936ad/analysis/1499151659/"
},
{
"category": "Payload delivery",
"comment": "32 Bit binary - Xchecked via VT: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha1",
"uuid": "595dff07-ed6c-49bb-a884-485f02de0b81",
"value": "ce1e978fc459339e68add4dedb75fb73625571f3"
},
{
"category": "Payload delivery",
"comment": "32 Bit binary - Xchecked via VT: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "md5",
"uuid": "595dff07-f148-4d46-95dc-4bca02de0b81",
"value": "b691a2a2d56b8b74ed93531820bdead6"
},
{
"category": "External analysis",
"comment": "32 Bit binary - Xchecked via VT: 290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": false,
"type": "link",
"uuid": "595dff07-d464-45bd-ae88-45b002de0b81",
"value": "https://www.virustotal.com/file/290b1e2415f88fc3dd1d53db3ba90c4a760cf645526c8240af650751b1652b8a/analysis/1499151692/"
},
{
"category": "Payload delivery",
"comment": "Dropper - Xchecked via VT: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "sha1",
"uuid": "595dff07-5098-4acd-b463-4ca002de0b81",
"value": "400279ca89a2121b6e54a9115a38bca79be9e744"
},
{
"category": "Payload delivery",
"comment": "Dropper - Xchecked via VT: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": true,
"type": "md5",
"uuid": "595dff07-7bcc-42b6-a029-421302de0b81",
"value": "f4abe28f3c35fa75481ae056d8637574"
},
{
"category": "External analysis",
"comment": "Dropper - Xchecked via VT: 33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332359",
"to_ids": false,
"type": "link",
"uuid": "595dff07-7588-429f-b12d-494902de0b81",
"value": "https://www.virustotal.com/file/33f828ad462c414b149f14f16615ce25bd078630eee36ad953950e0da2e2cc90/analysis/1499151819/"
},
{
"category": "Network activity",
"comment": "member-daumchk.netai.net",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332429",
"to_ids": true,
"type": "ip-dst",
"uuid": "595dff4d-19a0-49e6-841f-4930950d210f",
"value": "145.14.144.230"
},
{
"category": "Network activity",
"comment": "CNAME for associated IP address member-daumchk.netai.net",
"deleted": false,
"disable_correlation": false,
"timestamp": "1499332500",
"to_ids": false,
"type": "hostname",
"uuid": "595dff77-406c-49a8-83c2-dafc950d210f",
"value": "donkeytraining.000webhostapp.com"
}
]
}
}