359 lines
11 KiB
JSON
359 lines
11 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2015-06-11",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT Evilgrab Delivered by Watering Hole Attack on President of Myanmar\u00e2\u20ac\u2122s Website by Palo Alto Unit 42",
|
||
|
"publish_timestamp": "1434359247",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1434353143",
|
||
|
"uuid": "557e78b6-91ec-4123-87df-424f950d210b",
|
||
|
"Orgc": {
|
||
|
"name": "CthulhuSPRL.be",
|
||
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Original report",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352985",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e78d1-83c4-4017-9c33-4de6950d210b",
|
||
|
"value": "http://researchcenter.paloaltonetworks.com/2015/06/evilgrab-delivered-by-watering-hole-attack-on-president-of-myanmars-website/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434351835",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "557e78dc-e5c4-4aec-b954-4203950d210b",
|
||
|
"value": "Evilgrab"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434351866",
|
||
|
"to_ids": false,
|
||
|
"type": "vulnerability",
|
||
|
"uuid": "557e78fa-dd00-48c9-81bd-4e06950d210b",
|
||
|
"value": "CVE-2014-6332"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434351879",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "557e7907-9c30-4429-8bd2-4ed7950d210b",
|
||
|
"value": "b69106e06dc008e4fa1e4a0b0b58fcb1dc6d2016422a35cb3111168fd3fae577"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434351894",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7916-6e04-4bbc-832e-ce64950d210b",
|
||
|
"value": "mmslsh.tiger1234.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434351914",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "557e792a-d3ac-482a-8701-ce64950d210b",
|
||
|
"value": "http://www.president-office.gov.mm/sites/all/modules/browscap/List_View.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353040",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "557e7941-4480-4112-ab99-4dca950d210b",
|
||
|
"value": "2e78e6d02aaed4f057f4dfa631ea5519"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353040",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "557e7941-c378-4a95-8948-4bee950d210b",
|
||
|
"value": "10d9611e5b4ff41fc79e8907e3eb522630131b1bdc1010a0564c8780ba55c87c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352629",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7bf5-1fac-4513-b4e8-3a65950d210b",
|
||
|
"value": "dns.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352630",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7bf6-2230-4082-9f66-3a65950d210b",
|
||
|
"value": "ns.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352630",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7bf6-6e88-43b7-9920-3a65950d210b",
|
||
|
"value": "appeur.gnway.cc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352645",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7c05-7300-4af6-b311-38d3950d210b",
|
||
|
"value": "211.169.202.2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352859",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "557e7cdb-14e4-4883-8db7-3a54950d210b",
|
||
|
"value": "websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352904",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d08-2aec-46bb-adb0-3a65950d210b",
|
||
|
"value": "usafi.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352904",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d08-40a8-45d3-af79-3a65950d210b",
|
||
|
"value": "usacia.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352904",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d08-f270-4072-8dec-3a65950d210b",
|
||
|
"value": "webhttps.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352904",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d08-eaa8-4647-9319-3a65950d210b",
|
||
|
"value": "usagovdns.websecexp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352924",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7d1c-aef8-4fe9-aa83-40be950d210b",
|
||
|
"value": "59.188.16.130"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352945",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d31-a988-4350-8692-3a73950d210b",
|
||
|
"value": "ceshi.mailpseonfz.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434352946",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "557e7d32-e780-40dc-b678-3a73950d210b",
|
||
|
"value": "dns.mailpseonfz.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Link in the original post",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353021",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e7d7d-3318-42f9-8a08-3a5f950d210b",
|
||
|
"value": "https://www.virustotal.com/en/url/91f7d6612c79cc0b266891c447359853614546837b003836ab342b091ee1a6cc/analysis/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Link in the original post",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353022",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e7d7e-61e8-4bb3-a675-3a5f950d210b",
|
||
|
"value": "https://www.virustotal.com/en/file/b8c37a1db36d702932b5db97ec150269a323b5dc76059062beff7e330f2d136d/analysis/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Link in the original post",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353022",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e7d7e-d400-4717-a8ea-3a5f950d210b",
|
||
|
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/evilgrab-malware-family-used-in-targeted-attacks-in-asia/"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Link in the original post",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353022",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e7d7e-db40-4ea1-9e4e-3a5f950d210b",
|
||
|
"value": "http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Link in the original post",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353022",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "557e7d7e-d074-4b71-8a27-3a5f950d210b",
|
||
|
"value": "http://contagiodump.blogspot.com/2013/09/sandbox-miming-cve-2012-0158-in-mhtml.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Attribution",
|
||
|
"comment": "Registrant",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353096",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "557e7dc8-9fe4-4923-b96d-40be950d210b",
|
||
|
"value": "gooleWarning@gmail.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353143",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7df7-21fc-40a9-a9ca-47a7950d210b",
|
||
|
"value": "218.54.45.220"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353143",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7df7-63b8-47fd-95bc-46c8950d210b",
|
||
|
"value": "61.221.66.199"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353143",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7df7-cba4-46a1-9f89-4eca950d210b",
|
||
|
"value": "59.188.4.106"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1434353143",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "557e7df7-f578-4161-9a22-444e950d210b",
|
||
|
"value": "59.188.16.135"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|