{
"Event" : {
"analysis" : "0" ,
"date" : "2022-08-03" ,
"extends_uuid" : "" ,
"info" : "Github Repo Compromise Domain MyJino RU" ,
"publish_timestamp" : "1659524114" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1659520660" ,
"uuid" : "f811ccb3-5724-4ff4-a920-36d81100e7b8" ,
"Orgc" : {
"name" : "BSK" ,
"uuid" : "56024f6c-da70-4584-b689-48ef950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#053a00" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#002642" ,
"local" : "0" ,
"name" : "osint:source-type=\"microblog-post\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "C2 hostname: the curl / HTTP POST target embedded in the backdoored GitHub repositories (see the YARA strings in this event). High-confidence block/alert indicator." ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1659513139" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "0ea045af-c19c-4dc9-8aba-51bdb8643a74" ,
"value" : "ovz1.j19544519.pr46m.vps.myjino.ru"
}
] ,
"Object" : [
{
"comment" : "ovz1.j19544519.pr46m.vps.myjino.ru: Enriched via the farsight_passivedns module" ,
"deleted" : false ,
"description" : "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html" ,
"first_seen" : "2022-07-28T11:22:53+00:00" ,
"last_seen" : "2022-08-03T06:19:30+00:00" ,
"meta-category" : "network" ,
"name" : "passive-dns" ,
"template_uuid" : "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c" ,
"template_version" : "5" ,
"timestamp" : "1659520432" ,
"uuid" : "afdb4f8e-08ca-4beb-b105-c91605eb5513" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "afdb4f8e-08ca-4beb-b105-c91605eb5513" ,
"referenced_uuid" : "0ea045af-c19c-4dc9-8aba-51bdb8643a74" ,
"relationship_type" : "related-to" ,
"timestamp" : "1659519047" ,
"uuid" : "9cd1bcb7-2c93-4308-b98d-dcdbbd3e967a"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru. Caveat: this A record was only observed 2022-07-28 to 2022-08-03 (4 records) and the host sits under the myjino.ru VPS hosting bailiwick, so the address is presumably shared/reassignable hosting infrastructure - prefer the hostname as the blocking indicator and treat the IP as a pivot to be re-validated before use in IDS rules." ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "rdata" ,
"timestamp" : "1659520428" ,
"to_ids" : true ,
"type" : "text" ,
"uuid" : "84fd5844-44f6-49b4-ae39-9a77413b8152" ,
"value" : "195.161.41.221"
} ,
{
"category" : "Other" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "count" ,
"timestamp" : "1659519079" ,
"to_ids" : false ,
"type" : "counter" ,
"uuid" : "517487e4-8ecf-4023-9601-cdeae8d5178e" ,
"value" : "4"
} ,
{
"category" : "Other" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "time_first" ,
"timestamp" : "1659519079" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "64322d63-ac27-458a-8e57-3f9b7215b163" ,
"value" : "2022-07-28T11:22:53+00:00"
} ,
{
"category" : "Other" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "time_last" ,
"timestamp" : "1659519079" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d5b73acf-82da-4d12-ad2f-557ee481435c" ,
"value" : "2022-08-03T06:19:30+00:00"
} ,
{
"category" : "Network activity" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "rrname" ,
"timestamp" : "1659520432" ,
"to_ids" : true ,
"type" : "text" ,
"uuid" : "411cb6d9-2de2-45fe-8858-b31f98e52ce0" ,
"value" : "ovz1.j19544519.pr46m.vps.myjino.ru."
} ,
{
"category" : "Network activity" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "rrtype" ,
"timestamp" : "1659519079" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ceaec1aa-ea20-46c9-aa26-6e526cc58e4c" ,
"value" : "A"
} ,
{
"category" : "Network activity" ,
"comment" : "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "bailiwick" ,
"timestamp" : "1659520417" ,
"to_ids" : false ,
"type" : "domain" ,
"uuid" : "1e73df86-ce7c-445d-9dfa-7c84158a46f6" ,
"value" : "myjino.ru"
}
]
} ,
{
"comment" : "Origin: https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/gen_github_repo_compromise_myjino_ru.yar" ,
"deleted" : false ,
"description" : "An object describing a YARA rule (or a YARA rule name) along with its version." ,
"meta-category" : "misc" ,
"name" : "yara" ,
"template_uuid" : "b5acf82e-ecca-4868-82fe-9dbdf4d808c3" ,
"template_version" : "5" ,
"timestamp" : "1659519265" ,
"uuid" : "62e6afb6-4237-41f9-8be7-986c83f038fa" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659519265" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "657fa3c5-8a6f-44a3-a1b2-db62db18ae7e" ,
"value" : "all"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara" ,
"timestamp" : "1659519265" ,
"to_ids" : true ,
"type" : "yara" ,
"uuid" : "537e39eb-37f4-42d5-8944-39022aa38b47" ,
"value" : "rule MAL_Github_Repo_Compromise_MyJino_Ru_Aug22 {\r\n meta:\r\n description = \"Detects URL mentioned in report on compromised Github repositories in August 2022\"\r\n author = \"Florian Roth\"\r\n reference = \"https://twitter.com/stephenlacy/status/1554697077430505473\"\r\n date = \"2022-08-03\"\r\n score = 90\r\n strings:\r\n $x1 = \"curl http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n $x2 = \"http__.Post(\\\"http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n condition:\r\n 1 of them\r\n}"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "yara-rule-name" ,
"timestamp" : "1659519265" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8bc7d3cf-71b6-441b-aa53-0c0a21375995" ,
"value" : "MAL_Github_Repo_Compromise_MyJino_Ru_Aug22"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1659520396" ,
"uuid" : "284f1a37-a166-4b5b-b5b3-4a1e41bae212" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "comment" ,
"timestamp" : "1659520396" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "51bf417d-6e35-4fa9-ac51-889898fcb4e5" ,
"value" : "Detects outbound network connections to the host used in the large-scale GitHub repository compromise discovered in August 2022 (Windows network_connection log source)"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659520396" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2b7d7317-6a7b-4245-b72e-860e99a8ae29" ,
"value" : "dns"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659520396" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b4455c25-2f5b-4665-8900-dbf1af77bd57" ,
"value" : "network"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1659520396" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ecb93db6-01ee-43ec-a51f-9f858630970a" ,
"value" : "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1659520396" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "a6cd4477-de96-479a-85ca-7c709bf3dd33" ,
"value" : "title: Github Repo Compromise Domain MyJino RU\r\nid: 3a9f4c77-8e2e-45eb-abc1-4754f670d3a9\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: network_connection\r\n product: windows\r\ndetection:\r\n selection:\r\n Initiated: 'true'\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1659520396" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "45dce477-cec0-4a94-a6e9-b23136dc282a" ,
"value" : "Github Repo Compromise Domain MyJino RU"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1659520547" ,
"uuid" : "18ab09f0-b623-40df-8920-eadfbcb0d5e0" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659520547" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5954ae33-cbf4-468d-b11a-7ae33f6bc965" ,
"value" : "dns"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659520547" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "80d8f09b-51e8-47c4-9d22-244973f6a526" ,
"value" : "network"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "reference" ,
"timestamp" : "1659520547" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "68adb1fd-fa19-4a9d-8e4d-dd3724e8db04" ,
"value" : "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/network_connection/net_connection_github_myjino_ru.yml"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1659520547" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "70294bb6-60d9-439f-b7ca-be754d7162d4" ,
"value" : "title: Github Repo Compromise Domain MyJino RU\r\nid: 242e0911-294a-44ea-a54e-7eea97aa2622\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n product: linux\r\n category: network_connection\r\ndetection:\r\n selection:\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1659520547" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "d5f1cfed-c4b0-4c90-8158-21e9e76c28d1" ,
"value" : "Github Repo Compromise Domain MyJino RU"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "An object describing a Sigma rule (or a Sigma rule name)." ,
"meta-category" : "misc" ,
"name" : "sigma" ,
"template_uuid" : "aa21a3cd-ab2c-442a-9999-a5e6626591ec" ,
"template_version" : "1" ,
"timestamp" : "1659520633" ,
"uuid" : "9d47dc79-72a0-457a-af87-022323dd74c9" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "context" ,
"timestamp" : "1659520633" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0fe60ee6-7182-4441-a471-d71f9d76fc2f" ,
"value" : "dns"
} ,
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma" ,
"timestamp" : "1659520633" ,
"to_ids" : true ,
"type" : "sigma" ,
"uuid" : "60048328-51d0-433c-b979-8fe5b6726458" ,
"value" : "title: DNS Lookup Github Repo Compromise Domain MyJino RU\r\nid: 6b0dd2e4-13ff-4eff-b79b-4444fad43644\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: dns\r\ndetection:\r\n selection:\r\n query: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\n - Web proxy or other security device DNS lookups of the domain\r\nlevel: high"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sigma-rule-name" ,
"timestamp" : "1659520633" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "c306254d-9b71-46c3-ae7a-b3143ce96092" ,
"value" : "DNS Lookup Github Repo Compromise Domain MyJino RU"
}
]
}
]
}
}