2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2017-10-28" ,
"extends_uuid" : "" ,
"info" : "OSINT - Bahamut Revisited, More Cyber Espionage in the Middle East and South Asia" ,
"publish_timestamp" : "1514467295" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1511385618" ,
"uuid" : "59f4a30d-fdf8-4617-b6ab-45df02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#00223b" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#ffffff" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a332-25a4-4cf0-9c00-0a8f02de0b81" ,
"value" : "https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "59f4a349-5d24-42f1-81fb-427b02de0b81" ,
"value" : "In June we published on a previously unknown group we named \u00e2\u20ac\u0153Bahamut,\u00e2\u20ac\u009d a strange campaign of phishing and malware apparently focused on the Middle East and South Asia. In the Bahamut report, we documented a capable actor interested in a diverse set of political, economic, and non-governmental targets, which suggested espionage rather than criminal intent. Bahamut was shown to be resourceful, not only maintaining their own Android malware but running propaganda sites, although the quality of these activities varied noticeably.\r\n\r\nOur publication on the campaign coincided with a series of defacements and leaked emails related to Qatar and its neighbors, the same types of targets that arose in our research. While we have found no evidence to link the group to these incidents, Bahamut provided a useful window into the activities rampant in the Gulf at a time when hacking has contributed to a regional diplomatic crisis. The incident further demonstrated the blurred lines in cybersecurity between attacks against human rights communities and espionage against diplomats, as well as the potential role of non-state actors in state-aligned cyber operations.\r\n\r\nAfter publication, the identified operations and malware domains were taken down. For three months there was no apparent further activity from the actor. However, in the same week of September a series of spearphishing attempts once again targeted a set of otherwise unrelated individuals, employing the same tactics as before. Bahamut remains active, and its operations are more extensive than first disclosed. Our primary contribution in this update is to implicate Bahamut in what are likely counterterrorism-motivated surveillance operations, and to further affirm our belief that the group is a hacker-for-hire operation. Toward this we document a previously unnoticed link with a campaign targeting South Asia that was published last year. This post extends the previous publication with recent activity and lends more evidence to our past hypotheses about the political nature of its operations."
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-8a84-4a5a-9ef7-46b202de0b81" ,
"value" : "noreply.user.subscripton@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-6a74-4147-bab8-462f02de0b81" ,
"value" : "mirror.news.live@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-9324-4a5f-ab14-425a02de0b81" ,
"value" : "mail.noreplyportals@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-6610-44da-a595-4c9e02de0b81" ,
"value" : "rnicrosoft-recovery-update@hotmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-5c00-4ac5-852f-427302de0b81" ,
"value" : "noreply.subscribeuser.alert@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-4b70-455b-b716-438d02de0b81" ,
"value" : "noreply.users.validation@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-b0f4-4461-9816-457e02de0b81" ,
"value" : "noreply.applc.id.service@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-dfb8-4f4a-8a99-424102de0b81" ,
"value" : "playbooy.magazine.update@outlook.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-7a80-4fb5-8033-414302de0b81" ,
"value" : "noreply.goolgemail@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-ec60-4491-88d5-464c02de0b81" ,
"value" : "dubaicalender.eventupdate@outlook.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-5d20-4e14-86e4-415c02de0b81" ,
"value" : "sputniknews@email.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-69a8-4e3e-9cce-419502de0b81" ,
"value" : "news_update@email.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-5330-4e93-8aaf-404702de0b81" ,
"value" : "bbcnewsdailysubscribe@gmail.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a3af-6370-4398-9b1d-409902de0b81" ,
"value" : "noreply.goolgehangouts@gmail.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-6344-4d78-a2aa-404f02de0b81" ,
"value" : "squre39-cld.info"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-62bc-4e26-929f-471c02de0b81" ,
"value" : "goolg-en.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-d934-4478-b90c-42ce02de0b81" ,
"value" : "login-asmx.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-ae04-4d35-9531-4d6002de0b81" ,
"value" : "string2port.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-27bc-46cc-a325-492402de0b81" ,
"value" : "session-en.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a3d1-12b4-479f-9ee3-480402de0b81" ,
"value" : "singin-go-olge.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "59f4a3d1-a0d0-4e20-afe8-487e02de0b81" ,
"value" : "111.90.138.81"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "59f4a3d1-beac-4341-853a-4ac302de0b81" ,
"value" : "188.68.242.18"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "59f4a3d1-3660-4f97-ba51-457702de0b81" ,
"value" : "91.92.136.134"
} ,
{
"category" : "Network activity" ,
"comment" : "Credential Harvesting and Recon" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "59f4a3d1-78f4-4000-a477-429302de0b81" ,
"value" : "200.63.45.47"
} ,
{
"category" : "Network activity" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a404-b5bc-41c4-9347-4ee802de0b81" ,
"value" : "devotedtohumanity-fif.info"
} ,
{
"category" : "Network activity" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a404-de84-4ff5-8084-481d02de0b81" ,
"value" : "kashmir-weather-info.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a404-0010-4f6d-8836-4fb802de0b81" ,
"value" : "mxiplayer.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a404-b910-465c-9eef-4fce02de0b81" ,
"value" : "6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a404-f3c0-43bf-855c-4cce02de0b81" ,
"value" : "0550dad8d55446e5b5dbae61783cfb7c78ee10d2"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205190" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a404-2bf8-49c5-8a9a-4a9502de0b81" ,
"value" : "00d000679baab456953b4302d8b2a1e65241ed12"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a404-e5d8-48f4-ab58-474e02de0b81" ,
"value" : "ddaf5e43da0b00884ef957c32d7b16ed692a057a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Windows Agent" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a425-9ea8-4578-9922-4ea302de0b81" ,
"value" : "9850ac30c3357d3a412d0f6cec2716b63db6c21d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a439-698c-4c47-a051-4f2902de0b81" ,
"value" : "9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a439-675c-43f6-bd3e-499302de0b81" ,
"value" : "1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96"
} ,
{
"category" : "Network activity" ,
"comment" : "Other Malware References" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "59f4a439-d53c-404e-b3be-4d8b02de0b81" ,
"value" : "mint-news-portal.hymnfork.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Other Malware References" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "59f4a439-35e4-48e3-b6be-48a902de0b81" ,
"value" : "online-tracking-status.hymnfork.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-8b14-42ff-9666-0ccc02de0b81" ,
"value" : "insidecloud-aspx.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-3b74-4fea-8ab8-0ccc02de0b81" ,
"value" : "data-covery.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-687c-4de7-9b05-0ccc02de0b81" ,
"value" : "sa-google.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-2bb8-4fce-b099-0ccc02de0b81" ,
"value" : "rnail-aspx.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-9fe8-4825-a85f-0ccc02de0b81" ,
"value" : "session-service.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-1888-4734-90e7-0ccc02de0b81" ,
"value" : "session-owa.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-24d0-4ce1-b1d5-0ccc02de0b81" ,
"value" : "myinfocheck.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a456-ea64-43f5-b0b8-0ccc02de0b81" ,
"value" : "host-auth.com"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-9788-4384-b858-411902de0b81" ,
"value" : "janko.kolar@bulletmail.org"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-5b9c-4f72-8dd4-48a102de0b81" ,
"value" : "jacbov.vjan@bulletmail.org"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-b230-44f5-9a22-41aa02de0b81" ,
"value" : "robert.warne@list.ru"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-6c04-414f-bd1d-40c202de0b81" ,
"value" : "viera.taafi@pobox.sk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-58a8-4306-9cd8-442f02de0b81" ,
"value" : "aaron.drago@pobox.sk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-c3b8-4846-b081-43ed02de0b81" ,
"value" : "marek.franko@pobox.sk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-1564-4a13-9711-4dcb02de0b81" ,
"value" : "oliver.dagur@mail.ru"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-cef8-4254-94ef-467802de0b81" ,
"value" : "ralph.cramey@mail.ru"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Similar Infrastructure" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "email-src" ,
"uuid" : "59f4a48d-8170-473f-8941-4e7802de0b81" ,
"value" : "petru.negru@pobox.sk"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References - Xchecked via VT: 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a4c7-3db0-410a-ab8d-0a8f02de0b81" ,
"value" : "381307e3120a0ee6b2769b4fe650c910bb55eb90"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References - Xchecked via VT: 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-397c-46fd-a32a-0a8f02de0b81" ,
"value" : "94da91def54db4c1895eb7ba99eb75a6"
} ,
{
"category" : "External analysis" ,
"comment" : "Other Malware References - Xchecked via VT: 1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-93c8-4d72-88ce-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/1518badcb2717e6b0fa9bdd883d5ff61fedddf7ddf22cc3dc04a38f4e137fc96/analysis/1508453214/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References - Xchecked via VT: 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "59f4a4c7-d944-473a-95bb-0a8f02de0b81" ,
"value" : "9ef613c4db7e172f7df271513dd501f0a18de2c8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Other Malware References - Xchecked via VT: 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-6eb8-4df3-90cf-0a8f02de0b81" ,
"value" : "cfa27503eb37b1c94966d7ac3a5c28c0"
} ,
{
"category" : "External analysis" ,
"comment" : "Other Malware References - Xchecked via VT: 9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-4148-4cba-91d2-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/9e4596bfb4f58d8ecfe2bc3514c6c7b2170040d9acfb02f295ed1e9ab13ec560/analysis/1508352935/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Windows Agent - Xchecked via VT: 9850ac30c3357d3a412d0f6cec2716b63db6c21d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a4c7-c9a0-42ab-94ea-0a8f02de0b81" ,
"value" : "d0e2e7fe3fab992a670137d0693a2b76a5ac88283011b4aa8786d439b37c877b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Windows Agent - Xchecked via VT: 9850ac30c3357d3a412d0f6cec2716b63db6c21d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-d7f4-4ecf-8b42-0a8f02de0b81" ,
"value" : "94a6aba63c9d2d9587e424acfde41bcb"
} ,
{
"category" : "External analysis" ,
"comment" : "Windows Agent - Xchecked via VT: 9850ac30c3357d3a412d0f6cec2716b63db6c21d" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-6b7c-4e67-8ccc-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/d0e2e7fe3fab992a670137d0693a2b76a5ac88283011b4aa8786d439b37c877b/analysis/1504758200/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: ddaf5e43da0b00884ef957c32d7b16ed692a057a" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a4c7-918c-4245-8ebf-0a8f02de0b81" ,
"value" : "05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: ddaf5e43da0b00884ef957c32d7b16ed692a057a" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-70c8-483e-95b1-0a8f02de0b81" ,
"value" : "019db1adb064ff0245470d0c1972c515"
} ,
{
"category" : "External analysis" ,
"comment" : "Android Agent - Xchecked via VT: ddaf5e43da0b00884ef957c32d7b16ed692a057a" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-d43c-4a02-9a99-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/05a4e1e6542d6b0ba7b6eced12c05e96a341deaf88adb28695365544940da5ed/analysis/1500233344/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 00d000679baab456953b4302d8b2a1e65241ed12" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a4c7-6d74-4281-937a-0a8f02de0b81" ,
"value" : "6f60dfbd3c3fdffc731969acc1b7a82a545b8ec5baaecd48e7ae8055beb37259"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 00d000679baab456953b4302d8b2a1e65241ed12" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-1df0-44d5-ad99-0a8f02de0b81" ,
"value" : "eec26ee59a6fc0f4b7a2a82b13fe6b05"
} ,
{
"category" : "External analysis" ,
"comment" : "Android Agent - Xchecked via VT: 00d000679baab456953b4302d8b2a1e65241ed12" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-3b28-4a10-8aaf-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/6f60dfbd3c3fdffc731969acc1b7a82a545b8ec5baaecd48e7ae8055beb37259/analysis/1504073634/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 0550dad8d55446e5b5dbae61783cfb7c78ee10d2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a4c7-8e84-45ed-b728-0a8f02de0b81" ,
"value" : "65398e0f12248ca71642216ff8606744305c2397c368ff072c243e6410fd42bc"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 0550dad8d55446e5b5dbae61783cfb7c78ee10d2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-a794-4b6b-9542-0a8f02de0b81" ,
"value" : "146335f1c4ffaae9cf3d48e767a1c66b"
} ,
{
"category" : "External analysis" ,
"comment" : "Android Agent - Xchecked via VT: 0550dad8d55446e5b5dbae61783cfb7c78ee10d2" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-4d18-4218-bd0e-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/65398e0f12248ca71642216ff8606744305c2397c368ff072c243e6410fd42bc/analysis/1504229307/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "59f4a4c7-9e84-4f2b-9008-0a8f02de0b81" ,
"value" : "090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Android Agent - Xchecked via VT: 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "59f4a4c7-bbfc-460f-8045-0a8f02de0b81" ,
"value" : "63c2bc55a032eef24d0746158727e373"
} ,
{
"category" : "External analysis" ,
"comment" : "Android Agent - Xchecked via VT: 6e5e7ecb929fdc29ba93058bf2f501842ac0f2c0" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1509205191" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "59f4a4c7-b32c-4349-a488-0a8f02de0b81" ,
"value" : "https://www.virustotal.com/file/090bc0f5936a12771b7fdf15070ba2169a24108a095e939920498b94ce19596d/analysis/1504410339/"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Whois records information for a domain name." ,
"meta-category" : "network" ,
"name" : "whois" ,
"template_uuid" : "429faea1-34ff-47af-8a00-7c62d3be5a6a" ,
"template_version" : "4" ,
"timestamp" : "1509206013" ,
"uuid" : "59f4a7fd-20e0-493a-b9a3-481e02de0b81" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1509206014" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "59f4a7fe-8b80-4a1c-9aa4-429002de0b81" ,
"value" : "i3mode.com"
} ,
{
"category" : "Attribution" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "registrant-email" ,
"timestamp" : "1509206014" ,
"to_ids" : false ,
"type" : "whois-registrant-email" ,
"uuid" : "59f4a7fe-1498-4acb-bc1c-440602de0b81" ,
"value" : "kedrick.brown.84@mail.ru"
} ,
{
"category" : "Attribution" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "registrant-name" ,
"timestamp" : "1509206014" ,
"to_ids" : false ,
"type" : "whois-registrant-name" ,
"uuid" : "59f4a7fe-c3f0-41db-ba32-488402de0b81" ,
"value" : "KEDRICK BROWN"
} ,
{
"category" : "Attribution" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "registrant-phone" ,
"timestamp" : "1509206014" ,
"to_ids" : false ,
"type" : "whois-registrant-phone" ,
"uuid" : "59f4a7fe-0614-49f2-81f1-47d702de0b81" ,
"value" : "00503503226605642"
}
]
}
]
}
}