{
"Event" : {
"analysis" : "2" ,
"date" : "2014-10-27" ,
"extends_uuid" : "" ,
"info" : "OSINT APT28: A Window into Russia\u2019s Cyber Espionage Operations? blog post by FireEye" ,
"publish_timestamp" : "1498163632" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1498163533" ,
"uuid" : "544fee45-f108-4fa6-ace9-3989950d210b" ,
"Orgc" : {
"name" : "CthulhuSPRL.be" ,
"uuid" : "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
} ,
"Tag" : [
{
"colour" : "#33FF00" ,
"local" : "0" ,
"name" : "tlp:green" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#12e000" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"Sofacy\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414524506" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "544fee5a-2d54-45c7-96ae-4193950d210b" ,
"value" : "http://www.fireeye.com/blog/technical/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414524506" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "544fee5a-07ec-4539-803c-4ec7950d210b" ,
"value" : "http://www.fireeye.com/resources/pdfs/apt28.pdf"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414524517" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "544fee65-d4e8-4b02-a4db-073f950d210b" ,
"value" : "APT28"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615650" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "544fee73-8964-4c74-a279-b8e1950d210b" ,
"value" : "Data entered by David Andr\u00e9 with CIRCL collaboration"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526045" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45d-2f3c-4809-9279-3989950d210b" ,
"value" : "kavkazcentr.info"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-39b0-4303-9ba7-3989950d210b" ,
"value" : "rnil.am"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-a25c-46b3-9505-3989950d210b" ,
"value" : "standartnevvs.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-c6c0-4b28-9733-3989950d210b" ,
"value" : "novinitie.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-e07c-4056-99a5-3989950d210b" ,
"value" : "n0vinite.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-4d2c-49ab-bf10-3989950d210b" ,
"value" : "qov.hu.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-de0c-406b-b09b-3989950d210b" ,
"value" : "q0v.pl"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-3774-4904-9235-3989950d210b" ,
"value" : "nato.nshq.in"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-dc88-4862-a57a-3989950d210b" ,
"value" : "natoexhibitionff14.com"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing domains" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526046" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff45e-e8bc-40be-8afc-3989950d210b" ,
"value" : "login-osce.org"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing hostnames" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615582" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "544ff471-3828-428e-90a6-47e1950d210b" ,
"value" : "mail.q0v.pl"
} ,
{
"category" : "Network activity" ,
"comment" : "Phishing hostnames" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615582" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "544ff472-726c-4994-bb01-4d53950d210b" ,
"value" : "poczta.mon.q0v.pl"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526082" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff482-06e0-40ab-a168-52be950d210b" ,
"value" : "272f0fde35dbdfccbca1e33373b3570d"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-93ec-4a79-b783-52be950d210b" ,
"value" : "8b92fe86c5b7a9e34f433a6fbac8bc3a"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-fb00-4642-b300-52be950d210b" ,
"value" : "9eebfebe3987fec3c395594dc57a0c4c"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-dd28-48ac-a3a8-52be950d210b" ,
"value" : "da2a657dc69d7320f2ffc87013f257ad"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-0214-4d43-ae3d-52be950d210b" ,
"value" : "1259c4fe5efd9bf07fc4c78466f2dd09"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-8e0c-4abe-8c30-52be950d210b" ,
"value" : "3b0ecd011500f61237c205834db0e13a"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-3fa0-4d2b-bfa8-52be950d210b" ,
"value" : "5882fda97fdf78b47081cc4105d44f7c"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-af00-4c6c-a454-52be950d210b" ,
"value" : "791428601ad12b9230b9ace4f2138713"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-7b7c-4e49-88c5-52be950d210b" ,
"value" : "ead4ec18ebce6890d20757bb9f5285b1"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-f044-4c5b-a1f8-52be950d210b" ,
"value" : "48656a93f9ba39410763a2196aabc67f"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526083" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "544ff483-c8dc-4aa7-9aea-52be950d210b" ,
"value" : "8c4fa713c5e2b009114adda758adc445"
} ,
{
"category" : "Network activity" ,
"comment" : "CnC servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526106" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff49a-5084-4354-bf30-3989950d210b" ,
"value" : "adobeincorp.com"
} ,
{
"category" : "Network activity" ,
"comment" : "CnC servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526106" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff49a-9d70-430a-a6d7-3989950d210b" ,
"value" : "windows-updater.com"
} ,
{
"category" : "Network activity" ,
"comment" : "CnC servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526106" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff49a-57fc-4f67-ad9f-3989950d210b" ,
"value" : "adawareblock.com"
} ,
{
"category" : "Network activity" ,
"comment" : "CnC servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526106" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff49a-dfe0-4466-ba42-3989950d210b" ,
"value" : "windous.kz"
} ,
{
"category" : "Network activity" ,
"comment" : "CnC servers" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526106" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "544ff49a-9920-4e52-8790-3989950d210b" ,
"value" : "wind0ws.kz"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526146" ,
"to_ids" : true ,
"type" : "email-dst" ,
"uuid" : "544ff4c2-914c-482f-aa29-4c43950d210b" ,
"value" : "lisa.cuddy@wind0ws.kz"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414526146" ,
"to_ids" : true ,
"type" : "email-dst" ,
"uuid" : "544ff4c2-6e34-48b8-ac27-4730950d210b" ,
"value" : "dr.house@wind0ws.kz"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567513" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "8041a130-1ead-43b7-9e3d-a8e19057292d" ,
"value" : "Application Data\\Microsoft\\MediaPlayer\\"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567513" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "23755a4c-fdfa-420e-964d-565ce679332f" ,
"value" : "ProcessItem/name: updatewindws.exe"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567513" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "ef486ea3-4023-4fcc-960a-58eb87d77a03" ,
"value" : "updatewindws.exe"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567513" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "54509659-ab28-4778-9e1a-449d950d210b" ,
"value" : "long_info: OLDBAIT is a credential harvester. Both the internal strings and logic are obfuscated and are unpacked at startup. It harvests credentials from Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client made by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both email or HTTP to send out the collected credentials."
} ,
{
"category" : "External analysis" ,
"comment" : "OpenIOC import source file" ,
"data" : "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" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567513" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "54509659-bbf4-4523-a9db-42a6950d210b" ,
"value" : "a438caeb-96dd-4225-853c-fc5910980961.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "OpenIOC import source file" ,
"data" : " P D 94 b W w g d m V y c 2 l v b j 0 n M S 4 w J y B l b m N v Z G l u Z z 0 n V V R G L T g n P z 4 K P C E t L Q o g I C A g V E l U T E U 6 I C A g I C A g I C A g I D B m Z j U 4 Y m Y 5 L T F j M D c t N D J m N i 1 i M T M 1 L W I x O G M x M z l m N j M x Y S 5 p b 2 M K I C A g I F Z F U l N J T 0 46 I C A g I C A g I C A x L j A K I C A g I E R F U 0 N S S V B U S U 9 O O i A g I C B P c G V u S U 9 D I G Z p b G U K I C A g I E x J Q 0 V O U 0 U 6 I C A g I C A g I C B D b 3 B 5 c m l n a H Q g M j A x N C B G a X J l R X l l I E N v c n B v c m F 0 a W 9 u L i A g T G l j Z W 5 z Z W Q g d W 5 k Z X I g d G h l I E F w Y W N o Z S A y L j A g b G l j Z W 5 z Z S 4 K C i A g I C B G a X J l R X l l I G x p Y 2 V u c 2 V z I H R o a X M g Z m l s Z S B 0 b y B 5 b 3 U g d W 5 k Z X I g d G h l I E F w Y W N o Z S B M a W N l b n N l L C B W Z X J z a W 9 u C i A g I C A y L j A g K H R o Z S A i T G l j Z W 5 z Z S I p O y B 5 b 3 U g b W F 5 I G 5 v d C B 1 c 2 U g d G h p c y B m a W x l I G V 4 Y 2 V w d C B p b i B j b 21 w b G l h b m N l I H d p d G g g d G h l C i A g I C B M a W N l b n N l L i A g W W 91 I G 1 h e S B v Y n R h a W 4 g Y S B j b 3 B 5 I G 9 m I H R o Z S B M a W N l b n N l I G F 0 O g o K I C A g I C A g I C A g I C A g a H R 0 c D o v L 3 d 3 d y 5 h c G F j a G U u b 3 J n L 2 x p Y 2 V u c 2 V z L 0 x J Q 0 V O U 0 U t M i 4 w C g o g I C A g V W 5 s Z X N z I H J l c X V p c m V k I G J 5 I G F w c G x p Y 2 F i b G U g b G F 3 I G 9 y I G F n c m V l Z C B 0 b y B p b i B 3 c m l 0 a W 5 n L C B z b 2 Z 0 d 2 F y Z Q o g I C A g Z G l z d H J p Y n V 0 Z W Q g d W 5 k Z X I g d G h l I E x p Y 2 V u c 2 U g a X M g Z G l z d H J p Y n V 0 Z W Q g b 24 g Y W 4 g I k F T I E l T I i B C Q V N J U y w K I C A g I F d J V E h P V V Q g V 0 F S U k F O V E l F U y B P U i B D T 0 5 E S V R J T 0 5 T I E 9 G I E F O W S B L S U 5 E L C B l a X R o Z X I g Z X h w c m V z c y B v c g o g I C A g a W 1 w b G l l Z C 4 g I 
F N l Z S B 0 a G U g T G l j Z W 5 z Z S B m b 3 I g d G h l I H N w Z W N p Z m l j I G x h b m d 1 Y W d l I G d v d m V y b m l u Z w o g I C A g c G V y b W l z c 2 l v b n M g Y W 5 k I G x p b W l 0 Y X R p b 25 z I H V u Z G V y I H R o Z S B M a W N l b n N l L g o t L T 4 K P G l v Y y B 4 b W x u c z p 4 c 2 k 9 I m h 0 d H A 6 L y 93 d 3 c u d z M u b 3 J n L z I w M D E v W E 1 M U 2 N o Z W 1 h L W l u c 3 R h b m N l I i B 4 b W x u c z p 4 c 2 Q 9 I m h 0 d H A 6 L y 93 d 3 c u d z M u b 3 J n L z I w M D E v W E 1 M U 2 N o Z W 1 h I i B 4 b W x u c z 0 i a H R 0 c D o v L 3 N j a G V t Y X M u b W F u Z G l h b n Q u Y 29 t L z I w M T A v a W 9 j I i B p Z D 0 i M G Z m N T h i Z j k t M W M w N y 0 0 M m Y 2 L W I x M z U t Y j E 4 Y z E z O W Y 2 M z F h I i B s Y X N 0 L W 1 v Z G l m a W V k P S I y M D E 0 L T E w L T E 3 V D I w O j U 0 O j U z W i I + C i A g P H N o b 3 J 0 X 2 R l c 2 N y a X B 0 a W 9 u P k F Q V D I 4 I E R P T U F J T l M g K F J F U E 9 S V C k 8 L 3 N o b 3 J 0 X 2 R l c 2 N y a X B 0 a W 9 u P g o g I D x k Z X N j c m l w d G l v b j 5 E b 21 h a W 5 z I H V z Z W Q g Y n k g Q V B U M j g u P C 9 k Z X N j c m l w d G l v b j 4 K I C A 8 a 2 V 5 d 29 y Z H M v P g o g I D x h d X R o b 3 J l Z F 9 i e T 5 G a X J l R X l l P C 9 h d X R o b 3 J l Z F 9 i e T 4 K I C A 8 Y X V 0 a G 9 y Z W R f Z G F 0 Z T 4 y M D E 0 L T E w L T E 3 V D A y O j A 0 O j M 0 W j w v Y X V 0 a G 9 y Z W R f Z G F 0 Z T 4 K I C A 8 b G l u a 3 M + C i A g I C A 8 b G l u a y B y Z W w 9 I n R o c m V h d G N h d G V n b 3 J 5 I j 5 B U F Q 8 L 2 x p b m s + C i A g I C A 8 b G l u a y B y Z W w 9 I n R o c m V h d G d y b 3 V w I j 5 B U F Q y O D w v b G l u a z 4 K I C A g I D x s a W 5 r I H J l b D 0 i b G l j Z W 5 z Z S I + Q X B h Y 2 h l I D I u M D w v b G l u a z 4 K I C A 8 L 2 x p b m t z P g o g I D x k Z W Z p b m l 0 a W 9 u P g o g I C A g P E l u Z G l j Y X R v c i B p Z D 0 i Y 2 Z i N D Y y M z Q t M D E y Y S 0 0 
M 2 M 4 L W E 3 N j M t Z j Y z N m M w N T Y 2 M D Z l I i B v c G V y Y X R v c j 0 i T 1 I i P g o g I C A g I C A 8 S W 5 k a W N h d G 9 y S X R l b S B p Z D 0 i N T Q 0 O D F j N D I t Z W Z m Y i 0 0 M z Z i L W I 0 Z D I t Y 2 Z m M W N i Z D A 5 Y T Y 2 I i B j b 25 k a X R p b 249 I m N v b n R h a W 5 z I j 4 K I C A g I C A g I C A 8 Q 29 u d G V 4 d C B k b 2 N 1 b W V u d D 0 i R G 5 z R W 50 c n l J d G V t I i B z Z W F y Y 2 g 9 I k R u c 0 V u d H J 5 S X R l b S 9 I b 3 N 0 I i B 0 e X B l P S J t a X I i L z 4 K I C A g I C A g I C A 8 Q 29 u d G V u d C B 0 e X B l P S J z d H J p b m c i P m t h d m t h e m N l b n R y L m l u Z m 88 L 0 N v b n R l b n Q + C i A g I C A g I D w v S W 5 k a W N h d G 9 y S X R l b T 4 K I C A g I C A g P E l u Z G l j Y X R v c k l 0 Z W 0 g a W Q 9 I m I 4 Y j c 0 M m Q 1 L T V k Z m Y t N G Y w Z i 1 i Z G E 4 L T B j O D c 4 Y z F k Z D F l M S I g Y 29 u Z G l 0 a W 9 u P S J j b 250 Y W l u c y I + C i A g I C A g I C A g P E N v b n R l e H Q g Z G 9 j d W 1 l b n Q 9 I k R u c 0 V u d H J 5 S X R l b S I g c 2 V h c m N o P S J E b n N F b n R y e U l 0 Z W 0 v S G 9 z d C I g d H l w Z T 0 i b W l y I i 8 + C i A g I C A g I C A g P E N v b n R l b n Q g d H l w Z T 0 i c 3 R y a W 5 n I j 5 y b m l s L m F t P C 9 D b 250 Z W 50 P g o g I C A g I C A 8 L 0 l u Z G l j Y X R v c k l 0 Z W 0 + C i A g I C A g I D x J b m R p Y 2 F 0 b 3 J J d G V t I G l k P S J h Z j M 2 Y z l i M y 1 k N T U 0 L T Q 2 Z G U t O T U y N S 1 j M D V h M D c 1 O W E z O T k i I G N v b m R p d G l v b j 0 i Y 29 u d G F p b n M i P g o g I C A g I C A g I D x D b 250 Z X h 0 I G R v Y 3 V t Z W 50 P S J E b n N F b n R y e U l 0 Z W 0 i I H N l Y X J j a D 0 i R G 5 z R W 50 c n l J d G V t L 0 h v c 3 Q i I H R 5 c G U 9 I m 1 p c i I v P g o g I C A g I C A g I D x D b 250 Z W 50 I H R 5 c G U 9 I n N 0 c m l u Z y I + c 3 R h b m R h c n R u Z X Z 2 c y 5 j b 208 L 0 N v b n R l b n Q + C i A g I C A g I D w v S W 5 
k a W N h d G 9 y S X R l b T 4 K I C A g I C A g P E l u Z G l j Y X R v c k l 0 Z W 0 g a W Q 9 I j M 4 O W M 5 Y z A z L W V h Z j Q t N D I 1 O S 0 5 N G U 1 L T Y y M z M z N G N l Y T I 2 Z S I g Y 29 u Z G l 0 a W 9 u P S J j b 250 Y W l u c y I + C i A g I C A g I C A g P E N v b n R l e H Q g Z G 9 j d W 1 l b n Q 9 I k R u c 0 V u d H J 5 S X R l b S I g c 2 V h c m N o P S J E b n N F b n R y e U l 0 Z W 0 v S G 9 z d C I g d H l w Z T 0 i b W l y I i 8 + C i A g I C A g I C A g P E N v b n R l b n Q g d H l w Z T 0 i c 3 R y a W 5 n I j 5 u b 3 Z p b m l 0 a W U u Y 29 t P C 9 D b 250 Z W 50 P g o g I C A g I C A 8 L 0 l u Z G l j Y X R v c k l 0 Z W 0 + C i A g I C A g I D x J b m R p Y 2 F 0 b 3 J J d G V t I G l k P S J j M T d k M D A x Y y 1 k Z j g 5 L T Q w Z m Y t O D d k Z S 1 l O D l i Z G U 5 Z j E 0 M j U i I G N v b m R p d G l v b j 0 i Y 29 u d G F p b n M i P g o g I C A g I C A g I D x D b 250 Z X h 0 I G R v Y 3 V t Z W 50 P S J E b n N F b n R y e U l 0 Z W 0 i I H N l Y X J j a D 0 i R G 5 z R W 50 c n l J d G V t L 0 h v c 3 Q i I H R 5 c G U 9 I m 1 p c i I v P g o g I C A g I C A g I D x D b 250 Z W 50 I H R 5 c G U 9 I n N 0 c m l u Z y I + b j B 2 a W 5 p d G U u Y 29 t P C 9 D b 250 Z W 50 P g o g I C A g I C A 8 L 0 l u Z G l j Y X R v c k l 0 Z W 0 + C i A g I C A g I D x J b m R p Y 2 F 0 b 3 J J d G V t I G l k P S I x M T U w M z F i Z i 1 m M z Q y L T R i Z D A t O W Y 5 Y y 1 h N W Q 4 Z T E x M T E y O D E i I G N v b m R p d G l v b j 0 i Y 29 u d G F p b n M i P g o g I C A g I C A g I D x D b 250 Z X h 0 I G R v Y 3 V t Z W 50 P S J E b n N F b n R y e U l 0 Z W 0 i I H N l Y X J j a D 0 i R G 5 z R W 50 c n l J d G V t L 0 h v c 3 Q i I H R 5 c G U 9 I m 1 p c i I v P g o g I C A g I C A g I D x D b 250 Z W 50 I H R 5 c G U 9 I n N 0 c m l u Z y I + c W 92 L m h 1 L m N v b T w v Q 29 u d G V u d D 4 K I C A g I C A g P C 9 J b m R p Y 2 F 0 b 3 J J d G V t P g o g I C A g I C A 8 S W 5 k a W N h d G 9 y S X R l b 
S B p Z D 0 i M j A x Z G E 1 Y m E t Y z M y N y 0 0 Z T l i L W I w Y W Y t Z G I x N j M y Z D c 0 M m
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567563" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5450968b-cab4-4442-9cc7-4e1c950d210b" ,
"value" : "0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567621" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "0195bdbb-61bd-4fdd-bc80-cc130234b0a9" ,
"value" : "netui.dll"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567621" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "d96396b2-672a-4518-87a2-53c66d20676a" ,
"value" : "ProcessItem/SectionList/MemorySection/Name: \\netui.dll"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567621" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "545096c5-e860-4c9c-97fc-4d8c950d210b" ,
"value" : "long_info: This backdoor has been delivered through the SOURFACE downloader to gain system access for reconnaissance, monitoring, credential theft, and shellcode execution."
} ,
{
"category" : "External analysis" ,
"comment" : "OpenIOC import source file" ,
"data" : "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" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567621" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "545096c5-f8c8-49ac-9b71-4e72950d210b" ,
"value" : "a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616373" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "30842d86-e073-4b6e-a5e0-d6b354f6847a" ,
"value" : "edg6EF885E2.tmp"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567659" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "a0e443e4-6a41-4856-8c14-d1a271ba7b6b" ,
"value" : "ProcessItem/HandleList/Handle/Name: \\Device\\Mailslot\\check_mes_v5555"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567659" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "545096eb-1e24-4dd2-861e-46b7950d210b" ,
"value" : "long_info: CHOPSTICK is a backdoor that uses a modularized, object-oriented framework written in C++. This framework allows for a diverse set of capabilities across malware variants sharing a common code base. CHOPSTICK may communicate with external servers using SMTP or HTTP."
} ,
{
"category" : "External analysis" ,
"comment" : "OpenIOC import source file" ,
"data" : "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" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567659" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "545096eb-3080-401b-9a3a-4f7f950d210b" ,
"value" : "bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5ea9f200-01f1-411e-94e3-49903f14d6f9" ,
"value" : "8c4fa713c5e2b009114adda758adc445"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3f83ca5b-9a2c-4aeb-94ef-28093f6709f8" ,
"value" : "3b0ecd011500f61237c205834db0e13a"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "3fe4547e-5e19-4bb3-9792-eb382de45eb0" ,
"value" : "791428601ad12b9230b9ace4f2138713"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "020e58f2-e4f2-4801-b731-d26589bd96b6" ,
"value" : "5882fda97fdf78b47081cc4105d44f7c"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "b48a7011-59d9-4c53-8d6c-2710d705b0c6" ,
"value" : "48656a93f9ba39410763a2196aabc67f"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "9106bde9-52f4-49db-86a1-13f4363bc029" ,
"value" : "9eebfebe3987fec3c395594dc57a0c4c"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8253e6f6-4248-4751-a818-f5d77efd469c" ,
"value" : "8b92fe86c5b7a9e34f433a6fbac8bc3a"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "b707e318-bb58-4965-be62-a15ccf896891" ,
"value" : "ead4ec18ebce6890d20757bb9f5285b1"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "51c11809-d0be-45e0-a035-e5d63686e889" ,
"value" : "1259c4fe5efd9bf07fc4c78466f2dd09"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "21169314-ed29-4148-a70e-e9798894ea55" ,
"value" : "272f0fde35dbdfccbca1e33373b3570d"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "87ba0439-df69-4c21-9013-be773de352ce" ,
"value" : "ProcessItem/SectionList/MemorySection/Name: AppData\\Local\\conhost.dll"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "2660589c-6263-44e1-b4de-484db317f93c" ,
"value" : "ProcessItem/SectionList/MemorySection/Name: Local Settings\\Application Data\\conhost.dll"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "e3fad633-2b34-4bdb-864e-be495f549e2a" ,
"value" : "ProcessItem/SectionList/MemorySection/PEInfo/Exports/DllName: coreshell.dll"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "other" ,
"uuid" : "820fc95e-3d6f-4771-a592-fb60811fa0c0" ,
"value" : "ProcessItem/SectionList/MemorySection/Name: \\netids.dll"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "e704246d-ecca-4ac5-82a7-404c93aab893" ,
"value" : "Local Settings\\Application Data\\svchost.exe"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "91b06096-1333-470f-8d49-f408b51d84a1" ,
"value" : "Local Settings\\Application Data\\conhost.dll"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "37148f5b-fff5-4c9e-98aa-f52fb01a3547" ,
"value" : "AppData\\Local\\svchost.exe"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567718" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "09dd2172-ed97-433f-9c59-517161b78b2d" ,
"value" : "AppData\\Local\\conhost.dll"
} ,
{
"category" : "Network activity" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567719" ,
"to_ids" : false ,
"type" : "ip-src" ,
"uuid" : "590e7aef-7df8-47cd-916a-360d83f132f5" ,
"value" : "70.85.221.10"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567719" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5fa65919-9467-4de8-9cb7-8574ff86b85d" ,
"value" : "netids.dll"
} ,
{
"category" : "Payload installation" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615546" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "ec771d67-32c0-4076-8e9f-d9ce6b9f2a80" ,
"value" : "da2a657dc69d7320f2ffc87013f257ad"
} ,
{
"category" : "Other" ,
"comment" : "OpenIOC import" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567719" ,
"to_ids" : false ,
"type" : "comment" ,
"uuid" : "54509725-4978-4706-bf95-4638950d210b" ,
"value" : "long_info: SOURFACE is a downloader that obtains a second-stage backdoor from a C2 server. Over time the downloader has evolved and the newer versions, usually compiled with the DLL name 'coreshell.dll'. These variants are distinct from the older versions so we refer to it as SOURFACE/CORESHELL or simply CORESHELL."
} ,
{
"category" : "External analysis" ,
"comment" : "OpenIOC import source file" ,
"data" : " P D 94 b W w g d m V y c 2 l v b j 0 n M S 4 w J y B l b m N v Z G l u Z z 0 n V V R G L T g n P z 4 K P C E t L Q o g I C A g V E l U T E U 6 I C A g I C A g I C A g I G U x Y 2 J m N 2 N h L T Q 5 M z g t N G Q z Y y 1 h N 2 U 2 L T N m Z j k 2 N j U x N j E 5 M S 5 p b 2 M K I C A g I F Z F U l N J T 0 46 I C A g I C A g I C A x L j A K I C A g I E R F U 0 N S S V B U S U 9 O O i A g I C B P c G V u S U 9 D I G Z p b G U K I C A g I E x J Q 0 V O U 0 U 6 I C A g I C A g I C B D b 3 B 5 c m l n a H Q g M j A x N C B G a X J l R X l l I E N v c n B v c m F 0 a W 9 u L i A g T G l j Z W 5 z Z W Q g d W 5 k Z X I g d G h l I E F w Y W N o Z S A y L j A g b G l j Z W 5 z Z S 4 K C i A g I C B G a X J l R X l l I G x p Y 2 V u c 2 V z I H R o a X M g Z m l s Z S B 0 b y B 5 b 3 U g d W 5 k Z X I g d G h l I E F w Y W N o Z S B M a W N l b n N l L C B W Z X J z a W 9 u C i A g I C A y L j A g K H R o Z S A i T G l j Z W 5 z Z S I p O y B 5 b 3 U g b W F 5 I G 5 v d C B 1 c 2 U g d G h p c y B m a W x l I G V 4 Y 2 V w d C B p b i B j b 21 w b G l h b m N l I H d p d G g g d G h l C i A g I C B M a W N l b n N l L i A g W W 91 I G 1 h e S B v Y n R h a W 4 g Y S B j b 3 B 5 I G 9 m I H R o Z S B M a W N l b n N l I G F 0 O g o K I C A g I C A g I C A g I C A g a H R 0 c D o v L 3 d 3 d y 5 h c G F j a G U u b 3 J n L 2 x p Y 2 V u c 2 V z L 0 x J Q 0 V O U 0 U t M i 4 w C g o g I C A g V W 5 s Z X N z I H J l c X V p c m V k I G J 5 I G F w c G x p Y 2 F i b G U g b G F 3 I G 9 y I G F n c m V l Z C B 0 b y B p b i B 3 c m l 0 a W 5 n L C B z b 2 Z 0 d 2 F y Z Q o g I C A g Z G l z d H J p Y n V 0 Z W Q g d W 5 k Z X I g d G h l I E x p Y 2 V u c 2 U g a X M g Z G l z d H J p Y n V 0 Z W Q g b 24 g Y W 4 g I k F T I E l T I i B C Q V N J U y w K I C A g I F d J V E h P V V Q g V 0 F S U k F O V E l F U y B P U i B D T 0 5 E S V R J T 0 5 T I E 9 G I E F O W S B L S U 5 E L C B l a X R o Z X I g Z X h w c m V z c y B v c g o g I C A g a W 1 w b G l l Z C 4 g I 
F N l Z S B 0 a G U g T G l j Z W 5 z Z S B m b 3 I g d G h l I H N w Z W N p Z m l j I G x h b m d 1 Y W d l I G d v d m V y b m l u Z w o g I C A g c G V y b W l z c 2 l v b n M g Y W 5 k I G x p b W l 0 Y X R p b 25 z I H V u Z G V y I H R o Z S B M a W N l b n N l L g o t L T 4 K P G l v Y y B 4 b W x u c z p 4 c 2 k 9 I m h 0 d H A 6 L y 93 d 3 c u d z M u b 3 J n L z I w M D E v W E 1 M U 2 N o Z W 1 h L W l u c 3 R h b m N l I i B 4 b W x u c z p 4 c 2 Q 9 I m h 0 d H A 6 L y 93 d 3 c u d z M u b 3 J n L z I w M D E v W E 1 M U 2 N o Z W 1 h I i B 4 b W x u c z 0 i a H R 0 c D o v L 3 N j a G V t Y X M u b W F u Z G l h b n Q u Y 29 t L z I w M T A v a W 9 j I i B p Z D 0 i Z T F j Y m Y 3 Y 2 E t N D k z O C 0 0 Z D N j L W E 3 Z T Y t M 2 Z m O T Y 2 N T E 2 M T k x I i B s Y X N 0 L W 1 v Z G l m a W V k P S I y M D E 0 L T E w L T I x V D E z O j A 4 O j Q x W i I + C i A g P H N o b 3 J 0 X 2 R l c 2 N y a X B 0 a W 9 u P l N P V V J G Q U N F I C h S R V B P U l Q p P C 9 z a G 9 y d F 9 k Z X N j c m l w d G l v b j 4 K I C A 8 Z G V z Y 3 J p c H R p b 24 + U 0 9 V U k Z B Q 0 U g a X M g Y S B k b 3 d u b G 9 h Z G V y I H R o Y X Q g b 2 J 0 Y W l u c y B h I H N l Y 29 u Z C 1 z d G F n Z S B i Y W N r Z G 9 v c i B m c m 9 t I G E g Q z I g c 2 V y d m V y L i A g T 3 Z l c i B 0 a W 1 l I H R o Z S B k b 3 d u b G 9 h Z G V y I G h h c y B l d m 9 s d m V k I G F u Z C B 0 a G U g b m V 3 Z X I g d m V y c 2 l v b n M s I H V z d W F s b H k g Y 29 t c G l s Z W Q g d 2 l 0 a C B 0 a G U g R E x M I G 5 h b W U g J 2 N v c m V z a G V s b C 5 k b G w n L i A g V G h l c 2 U g d m F y a W F u d H M g Y X J l I G R p c 3 R p b m N 0 I G Z y b 20 g d G h l I G 9 s Z G V y I H Z l c n N p b 25 z I H N v I H d l I H J l Z m V y I H R v I G l 0 I G F z I F N P V V J G Q U N F L 0 N P U k V T S E V M T C B v c i B z a W 1 w b H k g Q 0 9 S R V N I R U x M L j w v Z G V z Y 3 J p c H R p b 24 + C i A g P G t l e X d v c m R z L z 4 K I C A 8 Y X V 0 a G 
9 y Z W R f Y n k + R m l y Z U V 5 Z T w v Y X V 0 a G 9 y Z W R f Y n k + C i A g P G F 1 d G h v c m V k X 2 R h d G U + M j A x N C 0 x M C 0 x N l Q y M D o 1 O D o y M V o 8 L 2 F 1 d G h v c m V k X 2 R h d G U + C i A g P G x p b m t z P g o g I C A g P G x p b m s g c m V s P S J 0 a H J l Y X R j Y X R l Z 29 y e S I + Q V B U P C 9 s a W 5 r P g o g I C A g P G x p b m s g c m V s P S J 0 a H J l Y X R n c m 91 c C I + Q V B U M j g 8 L 2 x p b m s + C i A g I C A 8 b G l u a y B y Z W w 9 I m N h d G V n b 3 J 5 I j 5 E b 3 d u b G 9 h Z G V y P C 9 s a W 5 r P g o g I C A g P G x p b m s g c m V s P S J m Y W 1 p b H k i P l N P V V J G Q U N F P C 9 s a W 5 r P g o g I C A g P G x p b m s g c m V s P S J m Y W 1 p b H k i P l N P V V J G Q U N F L k N P U k V T S E V M T D w v b G l u a z 4 K I C A g I D x s a W 5 r I H J l b D 0 i b G l j Z W 5 z Z S I + Q X B h Y 2 h l I D I u M D w v b G l u a z 4 K I C A 8 L 2 x p b m t z P g o g I D x k Z W Z p b m l 0 a W 9 u P g o g I C A g P E l u Z G l j Y X R v c i B p Z D 0 i Z T E 2 Z T Y y O T k t Z j c 1 Y i 0 0 M j I z L T h k O G Q t M j k w Y 2 Q w Y m Y x Y j Q x I i B v c G V y Y X R v c j 0 i T 1 I i P g o g I C A g I C A 8 S W 5 k a W N h d G 9 y S X R l b S B p Z D 0 i N W V h O W Y y M D A t M D F m M S 0 0 M T F l L T k 0 Z T M t N D k 5 M D N m M T R k N m Y 5 I i B j b 25 k a X R p b 249 I m l z I j 4 K I C A g I C A g I C A 8 Q 29 u d G V 4 d C B k b 2 N 1 b W V u d D 0 i R m l s Z U l 0 Z W 0 i I H N l Y X J j a D 0 i R m l s Z U l 0 Z W 0 v T W Q 1 c 3 V t I i B 0 e X B l P S J t a X I i L z 4 K I C A g I C A g I C A 8 Q 29 u d G V u d C B 0 e X B l P S J t Z D U i P j h j N G Z h N z E z Y z V l M m I w M D k x M T R h Z G R h N z U 4 Y W R j N D Q 1 P C 9 D b 250 Z W 50 P g o g I C A g I C A 8 L 0 l u Z G l j Y X R v c k l 0 Z W 0 + C i A g I C A g I D x J b m R p Y 2 F 0 b 3 J J d G V t I G l k P S I z Z j g z Y 2E1 Y i 0 5 Y T J j L T R h Z W I t O T R l Z i 0 y O D A 5 M 2 Y 2 N z A 5 
Z j g i I G N v b m R p d G l v b j 0 i a X M i P g o g I C A g I C A g I D x D b 250 Z X h 0 I G R v Y 3 V t Z W 50 P S J G a W x l S X R l b S I g c 2 V h c m N o P S J G a W x l S X R l b S 9 N Z D V z d W 0 i I H R 5 c G U 9 I m 1 p c i I v P g o g I C A g I C A g I D x D b 250 Z W 50 I H R 5 c G U 9 I m 1 k N S I + M 2 I w Z W N k M D E x N T A w Z j Y x M j M 3 Y z I w N T g z N G R i M G U x M 2E8 L 0 N v b n R l b n Q + C i A g I C A g I D w v S W 5 k a W N h d G 9 y S X R l b T 4 K I C A g I C A g P E l u Z G l j Y X R v c k l 0 Z W 0 g a W Q 9 I j N m Z T Q 1 N D d l L T V l M T k t N G J i M y 0 5 N z k y L W V i M z g y Z G U 0 N W V i M C I g Y 29 u Z G l 0 a W 9 u P S J p c y I + C i A g I C A g I C A g P E N v b n R l e H Q g Z G 9 j d W 1 l b n Q 9 I k Z p b G V J d G V t I i B z Z W F y Y 2 g 9 I k Z p b G V J d G V t L 0 1 k N X N 1 b S I g d H l w Z T 0 i b W l y I i 8 + C i A g I C A g I C A g P E N v b n R l b n Q g d H l w Z T 0 i b W Q 1 I j 43 O T E 0 M j g 2 M D F h Z D E y Y j k y M z B i O W F j Z T R m M j E z O D c x M z w v Q 29 u d G V u d D 4 K I C A g I C A g P C 9 J b m R p Y 2 F 0 b 3 J J d G V t P g o g I C A g I C A 8 S W 5 k a W N h d G 9 y S X R l b S B p Z D 0 i M D I w Z T U 4 Z j I t Z T R m M i 0 0 O D A x L W I 3 M z E t Z D I 2 N T g 5 Y m Q 5 N m I 2 I i B j b 25 k a X R p b 249 I m l z I j 4 K I C A g I C A g I C A 8 Q 29 u d G V 4 d C B k b 2 N 1 b W V u d D 0 i R m l s Z U l 0 Z W 0 i I H N l Y X J j a D 0 i R m l s Z U l 0 Z W 0 v T W Q 1 c 3 V t I i B 0 e X B l P S J t a X I i L z 4 K I C A g I C A g I C A 8 Q 29 u d G V u d C B 0 e X B l P S J t Z D U i P j U 4 O D J m Z G E 5 N 2 Z k Z j c 4 Y j Q 3 M D g x Y 2 M 0 M T A 1 Z D Q 0 Z j d j P C 9 D b 250 Z W 50 P g o g I C A g I C A 8 L 0 l u Z G l j Y X R v c k l 0 Z W 0 + C i A g I C A g I D x J b m R p Y 2 F 0 b 3 J J d G V t I G l k P S J i N D h h N z A x M S 0 1 O W Q 5 L T R j N T M t O G Q 2 Y y 0 y N z E w Z D c w N W I w Y z Y i I G N v b m R p d G l v b 
j 0 i a X M i P g o g I C A g I C A g I D x D b 250 Z X h 0 I G R v Y 3 V t Z W 50 P S J G a W x l S X R l b S I g c 2
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414567719" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "54509725-678c-4a8c-a283-4c8c950d210b" ,
"value" : "e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-0784-49fe-bdff-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/tree/master/APT28"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-3364-46b3-9145-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/blob/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-b254-4a77-8bc0-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/blob/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-b94c-41ae-9be0-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/blob/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-354c-4406-8bde-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/blob/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-24ac-4754-a2a6-b9b0950d210b" ,
"value" : "https://github.com/fireeye/iocs/blob/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-969c-4f4b-a2c1-b9b0950d210b" ,
"value" : "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/0ff58bf9-1c07-42f6-b135-b18c139f631a.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-dd3c-426c-ae5a-b9b0950d210b" ,
"value" : "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a438caeb-96dd-4225-853c-fc5910980961.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-60d4-4a77-b1c4-b9b0950d210b" ,
"value" : "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/a6c6dbf0-d72a-4f07-8b11-55527aef4755.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-bbc8-45b9-899f-b9b0950d210b" ,
"value" : "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/bdf7929c-3f0b-4fdd-bcc5-b4a82554ad92.ioc"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615410" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "54515172-e024-4106-9098-b9b0950d210b" ,
"value" : "https://raw.githubusercontent.com/fireeye/iocs/master/APT28/e1cbf7ca-4938-4d3c-a7e6-3ff966516191.ioc"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414615472" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "545151b0-b7b4-4d33-a3c6-6181950d210b" ,
"value" : "smigroup-online.co.uk"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616303" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "545154ef-0bac-4215-ba2d-4ab3950d210b" ,
"value" : "OLDBAIT"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616303" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "545154ef-3db8-4a5a-9726-47c9950d210b" ,
"value" : "EVILTOSS"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616303" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "545154ef-3854-4a2b-9b51-403e950d210b" ,
"value" : "CHOPSTICK"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616303" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "545154ef-7dfc-4e2c-88b8-4fab950d210b" ,
"value" : "SOURFACE"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616475" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5451559b-be98-46ff-9f68-800f950d210b" ,
"value" : "g0v.pl"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616475" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5451559b-5a28-4c55-ba34-800f950d210b" ,
"value" : "nshq.in"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616475" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5451559b-69cc-4db0-a51c-800f950d210b" ,
"value" : "baltichost.org"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616529" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "545155d1-e76c-4f65-aae3-b9b0950d210b" ,
"value" : "mail.g0v.pl"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1414616529" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "545155d1-4304-461e-9615-b9b0950d210b" ,
"value" : "nato.nshq.in"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 8c4fa713c5e2b009114adda758adc445)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833017" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fb9-0644-4c76-b9d5-c653950d210f" ,
"value" : "f5b3e98c6b5d65807da66d50bd5730d35692174d"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 48656a93f9ba39410763a2196aabc67f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833020" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fbc-c38c-4ebe-a6b2-40e8950d210f" ,
"value" : "a8551397e1f1a2c0148e6eadcb56fa35ee6009ca"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833023" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fbf-d514-4dbf-b3dc-599c950d210f" ,
"value" : "ed48ef531d96e8c7360701da1c57e2ff13f12405"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 791428601ad12b9230b9ace4f2138713)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833025" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fc1-5308-452f-8ea2-4958950d210f" ,
"value" : "367d40465fd1633c435b966fa9b289188aa444bc"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833028" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fc4-59e8-4951-8576-c652950d210f" ,
"value" : "cf3220c867b81949d1ce2b36446642de7894c6dc"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 3b0ecd011500f61237c205834db0e13a)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833030" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fc6-f364-4e59-a679-c650950d210f" ,
"value" : "682e49efa6d2549147a21993d64291bfa40d815a"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833033" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fc9-2818-407f-8c13-42f1950d210f" ,
"value" : "d9c53adce8c35ec3b1e015ec8011078902e6800b"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833036" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fcc-fa60-440b-bb3f-59a1950d210f" ,
"value" : "6316258ca5ba2d85134ad7427f24a8a51ce4815b"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833039" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fcf-2d28-4d26-b266-c652950d210f" ,
"value" : "e2450dffa675c61aa43077b25b12851a910eeeb6"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833041" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fd1-439c-4d04-9e0d-c651950d210f" ,
"value" : "85522190958c82589fa290c0835805f3d9a2f8d6"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833044" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "56c63fd4-1d2c-453b-873d-5ca1950d210f" ,
"value" : "d87b310aa81ae6254fff27b7d57f76035f544073"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 8c4fa713c5e2b009114adda758adc445)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833019" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fbb-19c0-43af-a6b7-599f950d210f" ,
"value" : "d58f2a799552aff8358e9c63a4345ea971b27edd14b8eac825db30a8321d1a7a"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 48656a93f9ba39410763a2196aabc67f)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833021" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fbd-3ca8-4b5b-91d1-4b0d950d210f" ,
"value" : "c8087186a215553d2f95c68c03398e17e67517553f6e9a8adc906faa51bce946"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via ead4ec18ebce6890d20757bb9f5285b1)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833024" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fc0-ec50-4ce9-95e1-599d950d210f" ,
"value" : "7695f20315f84bb1d940149b17dd58383210ea3498450b45fefa22a450e79683"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 791428601ad12b9230b9ace4f2138713)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833026" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fc2-d3a8-4484-977c-44e8950d210f" ,
"value" : "29cc2e69f65b9ce5fe04eb9b65942b2dabf48e41770f0a49eb698271b99d2787"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 5882fda97fdf78b47081cc4105d44f7c)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833029" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fc5-4654-4248-b045-599c950d210f" ,
"value" : "744f2a1e1a62dff2a8d5bd273304a4d21ee37a3c9b0bdcffeeca50374bd10a39"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 3b0ecd011500f61237c205834db0e13a)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833032" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fc8-fe70-4a09-8e89-c651950d210f" ,
"value" : "7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 1259c4fe5efd9bf07fc4c78466f2dd09)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833034" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fca-b464-4f85-8926-59a2950d210f" ,
"value" : "102b0158bcd5a8b64de44d9f765193dd80df1504e398ce52d37b7c8c33f2552a"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via da2a657dc69d7320f2ffc87013f257ad)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833037" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fcd-0868-4b54-a95d-5ca1950d210f" ,
"value" : "d54173be095b688016528f18dc97f2d583efcf5ce562ec766afc0b294eb51ac7"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 9eebfebe3987fec3c395594dc57a0c4c)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833040" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fd0-08cc-4889-8343-4d32950d210f" ,
"value" : "e6d09ce32cc62b6f17279204fac1771a6eb35077bb79471115e8dfed2c86cd75"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 8b92fe86c5b7a9e34f433a6fbac8bc3a)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833042" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fd2-40b8-4459-8d9a-c653950d210f" ,
"value" : "03ed773bde6c6a1ac3b24bde6003322df8d41d3d1c85109b8669c430b58d2f69"
} ,
{
"category" : "External analysis" ,
"comment" : "Automatically added (via 272f0fde35dbdfccbca1e33373b3570d)" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1455833045" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "56c63fd5-98f8-4ed5-bc19-c654950d210f" ,
"value" : "423a0799efe41b28a8b765fa505699183c8278d5a7bf07658b3bd507bfa5346f"
}
]
}
}