|
{
|
||
|
"Event": {
|
||
|
"analysis": "2",
|
||
|
"date": "2016-05-04",
|
||
|
"extends_uuid": "",
|
||
|
"info": "OSINT - Turbo Twist: Two 64-bit Derusbi Strains Converge",
|
||
|
"publish_timestamp": "1484165703",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1464350376",
|
||
|
"uuid": "572a1a62-2510-4a7e-b983-4793950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377073",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "572a1a71-edb4-4dbf-9e8b-45bf950d210f",
|
||
|
"value": "http://www.threatgeek.com/2016/05/turbo-twist-two-64-bit-derusbi-strains-converge.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377147",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1abb-c7f0-43e3-91dd-4f9f950d210f",
|
||
|
"value": "asixgroupincmeer.biz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377148",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1abc-51b0-46d5-8898-4af8950d210f",
|
||
|
"value": "attrcorp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377148",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abc-d5c0-45f4-bcdc-48b4950d210f",
|
||
|
"value": "smtp.attrcorp.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377149",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1abd-5a68-4987-92e7-4d2c950d210f",
|
||
|
"value": "office365e.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377149",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1abd-45c8-4bfc-8611-4bcf950d210f",
|
||
|
"value": "usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377150",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abe-52f0-44b2-9bcd-4959950d210f",
|
||
|
"value": "e.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377150",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abe-8664-4b07-bb34-4e7e950d210f",
|
||
|
"value": "bee.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377150",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abe-5d34-4fe1-81f5-41ef950d210f",
|
||
|
"value": "ftp.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377151",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abf-1ed0-43d7-9896-4421950d210f",
|
||
|
"value": "sun.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377151",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1abf-d138-4b6e-87ac-44c5950d210f",
|
||
|
"value": "wow.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377152",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac0-5074-43cf-9b55-4aba950d210f",
|
||
|
"value": "shot.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377152",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac0-c2d4-40e8-a3ad-4419950d210f",
|
||
|
"value": "email.usapappers.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377152",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ac0-0128-4cb3-8d96-4395950d210f",
|
||
|
"value": "dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377153",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac1-b93c-4b2e-9ab8-4ce9950d210f",
|
||
|
"value": "bbs.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377153",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac1-a47c-4153-a55e-451c950d210f",
|
||
|
"value": "fok.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377154",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac2-555c-4609-9bf1-4cef950d210f",
|
||
|
"value": "back.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377154",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac2-4b3c-4adc-b4c6-4358950d210f",
|
||
|
"value": "info.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377154",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac2-ca94-4b6d-9b99-4d60950d210f",
|
||
|
"value": "live.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377155",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac3-eb08-4629-a85a-4fdc950d210f",
|
||
|
"value": "mail.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377155",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac3-84dc-4075-a1b1-4e7e950d210f",
|
||
|
"value": "news.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377156",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac4-21d0-4c82-9a1d-4240950d210f",
|
||
|
"value": "serv.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377156",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac4-c738-4f9a-a8a4-4525950d210f",
|
||
|
"value": "tele.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377156",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac4-47e8-4ce8-b070-4daa950d210f",
|
||
|
"value": "thec.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377157",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac5-7a5c-4ab6-9ea8-4ad4950d210f",
|
||
|
"value": "zero.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377157",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac5-760c-4d10-92e8-4546950d210f",
|
||
|
"value": "swiss.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377158",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac6-b554-4553-aa6d-4d7c950d210f",
|
||
|
"value": "living.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377158",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac6-5f58-4255-ba23-41da950d210f",
|
||
|
"value": "mailsrv.dijlacultus.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377159",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ac7-09b0-4610-bb7e-4e66950d210f",
|
||
|
"value": "google-dash.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377159",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ac7-6eac-4138-8f7d-49ad950d210f",
|
||
|
"value": "virtualboxs.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377159",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ac7-b4e0-4e7f-aaf5-4164950d210f",
|
||
|
"value": "steletracker.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377160",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ac8-d954-4e9e-ab6b-4a28950d210f",
|
||
|
"value": "vmtools.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377160",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac8-57f4-4853-a7fe-4d33950d210f",
|
||
|
"value": "pwc.vmtools.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377161",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac9-60d4-407e-a2ae-459d950d210f",
|
||
|
"value": "win.winlogon.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377161",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac9-46fc-44df-afd3-4c8f950d210f",
|
||
|
"value": "asia.winlogon.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377161",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ac9-a4a0-48c2-b8f0-4330950d210f",
|
||
|
"value": "winner.winlogon.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377162",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1aca-cc24-4464-b5d8-44ed950d210f",
|
||
|
"value": "hawkthorn.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377162",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1aca-02b8-412d-a188-44ea950d210f",
|
||
|
"value": "strightspunddeals.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377163",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1acb-e85c-4a33-8e51-4059950d210f",
|
||
|
"value": "northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377163",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acb-4b5c-46f0-b8c5-4fc2950d210f",
|
||
|
"value": "owa.northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377163",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acb-f270-4082-8228-4bdf950d210f",
|
||
|
"value": "vpn.northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377164",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acc-748c-47a5-8b2f-4340950d210f",
|
||
|
"value": "soft.northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377164",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acc-6da0-424a-90b6-4af5950d210f",
|
||
|
"value": "update.northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377165",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acd-cd1c-49fb-86e6-48af950d210f",
|
||
|
"value": "software.northropgruman.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377165",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1acd-7580-4a9b-94eb-49ea950d210f",
|
||
|
"value": "cegauoqsykgqecqc.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377165",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1acd-6814-4405-8470-4c12950d210f",
|
||
|
"value": "eimqqakugeccgwak.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377166",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ace-f670-4710-9011-4747950d210f",
|
||
|
"value": "uogwoigiuweyccsw.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377166",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ace-07a8-4bdb-a6e6-4117950d210f",
|
||
|
"value": "soyy.info"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377167",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acf-780c-4794-8875-47f8950d210f",
|
||
|
"value": "ns1.krimeware.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377167",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1acf-7264-41e6-81e7-4972950d210f",
|
||
|
"value": "ns2.krimeware.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377168",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad0-2164-4f38-a1e7-425e950d210f",
|
||
|
"value": "tianzhen.co"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377168",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad0-a6dc-4579-a520-4e6b950d210f",
|
||
|
"value": "www.tianzhen.co"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377168",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad0-9fd4-4b18-879c-4846950d210f",
|
||
|
"value": "monsterlegendsvn.biz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377169",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad1-37b4-4bce-9874-45a1950d210f",
|
||
|
"value": "www.monsterlegendsvn.biz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377169",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad1-a368-4394-b36a-4aa7950d210f",
|
||
|
"value": "nickytoh.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377170",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad2-6b30-4340-a85c-4771950d210f",
|
||
|
"value": "www.nickytoh.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377170",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad2-bd64-40cd-9370-494b950d210f",
|
||
|
"value": "seratjati.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377170",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad2-6378-4ca5-912f-4371950d210f",
|
||
|
"value": "aiselamodefactory.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377171",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad3-ac8c-46ba-91eb-4c92950d210f",
|
||
|
"value": "tasty-and-healthy.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377171",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad3-9464-4fe1-bbae-453d950d210f",
|
||
|
"value": "nickytoh.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377172",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad4-5a5c-4117-949e-432c950d210f",
|
||
|
"value": "www.nickytoh.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377172",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad4-48e0-41c4-8f1b-4c72950d210f",
|
||
|
"value": "animationmyth.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377172",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad4-a57c-4b1f-8850-4fcf950d210f",
|
||
|
"value": "www.animationmyth.net"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377173",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "572a1ad5-639c-4368-a027-4790950d210f",
|
||
|
"value": "petersenstore.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Domains identified from pDNS pivots",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377173",
|
||
|
"to_ids": true,
|
||
|
"type": "hostname",
|
||
|
"uuid": "572a1ad5-ffa4-4dfb-bd1f-4251950d210f",
|
||
|
"value": "www.petersenstore.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Artifacts dropped",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1464350376",
|
||
|
"to_ids": true,
|
||
|
"type": "yara",
|
||
|
"uuid": "572a1b21-eb60-4e09-af53-4bdb950d210f",
|
||
|
"value": "rule apt_win32_dll_bergard_pgv_pvid_variant {\r\n meta:\r\n copyright = \"Fidelis Cybersecurity\"\r\n strings:\r\n $ = \"Accept:\"\r\n $ = \"User-Agent: %s\"\r\n $ = \"Host: %s:%d\"\r\n $ = \"Cache-Control: no-cache\"\r\n $ = \"Connection: Keep-Alive\"\r\n $ = \"Cookie: pgv_pvid=\"\r\n $ = \"Content-Type: application/x-octet-stream\"\r\n $ = \"User-Agent: %s\"\r\n $ = \"Host: %s:%d\"\r\n $ = \"Pragma: no-cache\"\r\n $ = \"Connection: Keep-Alive\"\r\n $ = \"HTTP/1.0\"\r\n condition:\r\n (uint16(0) == 0x5A4D) and (all of them)\r\n\r\n}"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377271",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "572a1b37-6ca4-45b1-b0f2-412b950d210f",
|
||
|
"value": "3e4fbb9190227848af32dacb17e9fd17"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377271",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "572a1b37-7580-4e22-a644-40e9950d210f",
|
||
|
"value": "b93197e2aa147fe6b70695ae7bb298b0"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377271",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "572a1b37-6958-4706-af56-459d950d210f",
|
||
|
"value": "791295ef196cf8c20913b3cce76af29a"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377320",
|
||
|
"to_ids": true,
|
||
|
"type": "imphash",
|
||
|
"uuid": "572a1b68-1380-4d6a-9ab6-4512950d210f",
|
||
|
"value": "86fafe21566d0906fecc5dfd939f3e45"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377320",
|
||
|
"to_ids": true,
|
||
|
"type": "imphash",
|
||
|
"uuid": "572a1b68-a378-4592-8cef-41e3950d210f",
|
||
|
"value": "711a1d4aef8414cf1db45a6945ba3d84"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377320",
|
||
|
"to_ids": true,
|
||
|
"type": "imphash",
|
||
|
"uuid": "572a1b68-2fa8-4247-91ec-4692950d210f",
|
||
|
"value": "6752d45fd952c97c969939600acc5748"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377347",
|
||
|
"to_ids": false,
|
||
|
"type": "comment",
|
||
|
"uuid": "572a1b83-4574-436e-b98b-4802950d210f",
|
||
|
"value": "To follow up on the March report on the discovery of a 64-bit Linux variant of Derusbi used in the Turbo campaign, this post covers our analysis of two unique Windows variants of the Derusbi PGV_PVID malware. Derusbi has been widely covered and associated with numerous Chinese cyber espionage actors, including the group known as C0d0s0 Team (aka Sunshop Group) and its watering-hole attacks using Forbes[.]com in 2014.\r\n\r\nWhat made these two variants of interest is that, as of April 28, 2016, there were zero (0) antivirus detections of these variants at VirusTotal. On April 29, our team also scanned these variants with two different local antivirus tools running the latest virus signatures and the APT malware was still undetected. Based on compile times in the variants analyzed, it appears that this variant has been around since at least 2013 (note: PE compile timestamps are attacker-controlled and should be treated as indicative, not authoritative).\r\n\r\nSome of the strings in these variants have also been observed in variants of the Bergard APT malware. The Derusbi variants were identified and named by Proofpoint earlier this year.\r\n\r\nOur Yara hunting rule that detected these two Derusbi PGV_PVID variants with zero antivirus detections also detected two other variants that are detected by AVs as \u201cDerusbi\u201d. One of the Derusbi PGV_PVID samples that we analyzed shares its command-and-control server with a Rekaf sample identified by Proofpoint, furthering the connection between these families that they established in their post."
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: 791295ef196cf8c20913b3cce76af29a",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377429",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "572a1bd5-d044-4155-a3fd-40bd02de0b81",
|
||
|
"value": "ecac0b7abed0c5ca580064839813176a68f75d18176234fc15b2aefd277237aa"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: 791295ef196cf8c20913b3cce76af29a",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377429",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "572a1bd5-5cb0-4748-bcd9-45a802de0b81",
|
||
|
"value": "761cd81c46034c3d186f626d17487b804b24e4a1"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "- Xchecked via VT: 791295ef196cf8c20913b3cce76af29a",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377429",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "572a1bd5-3d50-4d7d-b6da-48a502de0b81",
|
||
|
"value": "https://www.virustotal.com/file/ecac0b7abed0c5ca580064839813176a68f75d18176234fc15b2aefd277237aa/analysis/1457567423/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: b93197e2aa147fe6b70695ae7bb298b0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377430",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "572a1bd6-ba08-47e0-979f-415902de0b81",
|
||
|
"value": "c6f1a8f9ea60286b24db87d6022991a4342bea473a520569b996a5883332788c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: b93197e2aa147fe6b70695ae7bb298b0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377430",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "572a1bd6-a978-4041-bad2-443b02de0b81",
|
||
|
"value": "71c2407eaa08c7093316b62bc1f8eecaa089f775"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "- Xchecked via VT: b93197e2aa147fe6b70695ae7bb298b0",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377431",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "572a1bd7-6f70-4bca-83e4-4b4002de0b81",
|
||
|
"value": "https://www.virustotal.com/file/c6f1a8f9ea60286b24db87d6022991a4342bea473a520569b996a5883332788c/analysis/1458611076/"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: 3e4fbb9190227848af32dacb17e9fd17",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377431",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "572a1bd7-fa14-4fe4-9c91-45e602de0b81",
|
||
|
"value": "9c4053485b37ebc972c95abd98ea4ee386feb745cc012b9e57dc689469ea064f"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "- Xchecked via VT: 3e4fbb9190227848af32dacb17e9fd17",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377431",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "572a1bd7-31a4-43e1-b8dd-458b02de0b81",
|
||
|
"value": "4a152785c8b092166cfb164688fc767c22dd3932"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "- Xchecked via VT: 3e4fbb9190227848af32dacb17e9fd17",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1462377432",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "572a1bd8-15dc-49e0-afa8-43c402de0b81",
|
||
|
"value": "https://www.virustotal.com/file/9c4053485b37ebc972c95abd98ea4ee386feb745cc012b9e57dc689469ea064f/analysis/1461791370/"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|