{
"Event": {
"analysis": "2",
"date": "2019-05-28",
"extends_uuid": "",
"info": "Emissary Panda Attacks Middle East Government Sharepoint Servers by Palo Alto Unit42",
"publish_timestamp": "1559307617",
"published": true,
"threat_level_id": "1",
"timestamp": "1559307564",
"uuid": "5cf0f134-f504-42dd-b11e-9071950d210f",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\""
},
{
"colour": "#10c700",
"name": "misp-galaxy:threat-actor=\"Emissary Panda\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:threat-actor=\"LuckyMouse\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#ffffff",
"name": "OSINT"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302011",
"to_ids": false,
"type": "link",
"uuid": "5cf10f7b-00d4-443f-b2b0-4531950d210f",
"value": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302022",
"to_ids": false,
"type": "vulnerability",
"uuid": "5cf10f86-a5f8-4de9-8883-4d73950d210f",
"value": "CVE-2019-0604"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302334",
"to_ids": true,
"type": "sha256",
"uuid": "5cf11062-7c4c-4b1d-ac88-4cc5950d210f",
"value": "006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302340",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-9fa0-4692-9750-4257950d210f",
"value": "/_layouts/15/error2.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302343",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-1914-4a55-b137-41d6950d210f",
"value": "/_layouts/15/errr.aspx"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302348",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-894c-4f76-b99c-4639950d210f",
"value": "stylecs.aspx"
},
{
"category": "Artifacts dropped",
"comment": "stylecs.aspx",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302330",
"to_ids": true,
"type": "sha256",
"uuid": "5cf11062-c2d4-4269-be73-4db5950d210f",
"value": "2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302325",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-377c-4de2-9448-4a0a950d210f",
"value": "stylecss.aspx"
},
{
"category": "Artifacts dropped",
"comment": "stylecss.aspx",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302310",
"to_ids": true,
"type": "sha256",
"uuid": "5cf11062-99ec-40c0-9281-4512950d210f",
"value": "d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302314",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-8234-4c77-8250-4850950d210f",
"value": "test.aspx"
},
{
"category": "Artifacts dropped",
"comment": "test.aspx",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302319",
"to_ids": true,
"type": "sha256",
"uuid": "5cf11062-f5e0-4d73-915e-4ab8950d210f",
"value": "6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302291",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-9538-4612-a125-4dc8950d210f",
"value": "tool.exe"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302242",
"to_ids": false,
"type": "vulnerability",
"uuid": "5cf11062-b3a8-48bd-84b1-4da8950d210f",
"value": "CVE-2017-0144"
},
{
"category": "Artifacts dropped",
"comment": "used to check whether the host is vulnerable to CVE-2017-0144 (EternalBlue), patched in MS17-010",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302258",
"to_ids": true,
"type": "filename",
"uuid": "5cf11062-a1c4-488d-ac46-4eee950d210f",
"value": "checker1.exe"
},
{
"category": "Artifacts dropped",
"comment": "Not the PsExec from Sysinternals but a remote-execution tool similar to the PsExec offered by Impacket",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302467",
"to_ids": true,
"type": "filename",
"uuid": "5cf110fa-0344-4fbd-bca7-eea7950d210f",
"value": "psexec.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-4024-41aa-be42-44d3950d210f",
"value": "m2.exe"
},
{
"category": "Artifacts dropped",
"comment": "m2.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-1334-42c9-9570-4b16950d210f",
"value": "b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-ebb0-46ec-80c2-40f2950d210f",
"value": "7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7"
},
{
"category": "Artifacts dropped",
"comment": "HyperBro backdoor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-58f4-4cbf-8c66-4045950d210f",
"value": "s.exe"
},
{
"category": "Artifacts dropped",
"comment": "HyperBro backdoor",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-254c-4d8f-9e26-41be950d210f",
"value": "04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate cURL.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-50bc-4182-a819-430f950d210f",
"value": "curl.exe"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate cURL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-2d28-46e0-8572-4b45950d210f",
"value": "abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate cURL.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-b518-4e6d-a90d-44c3950d210f",
"value": "bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab"
},
{
"category": "Artifacts dropped",
"comment": "Compiled EternalBlue checker script",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-b34c-4a3e-b0b4-4b9f950d210f",
"value": "090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98"
},
{
"category": "Artifacts dropped",
"comment": "C# Tool, likely from https://github.com/mubix/netview",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-d3cc-4c2c-85b1-414d950d210f",
"value": "etool.exe"
},
{
"category": "Artifacts dropped",
"comment": "C# Tool, likely from https://github.com/mubix/netview",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-4f10-4eb6-8b1c-4ff7950d210f",
"value": "38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate Sublime Text plugin host",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-c4dc-42c8-9d67-44e5950d210f",
"value": "plugin_host.exe"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate Sublime Text plugin host",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-4df0-4ddd-a140-43ae950d210f",
"value": "738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711"
},
{
"category": "Artifacts dropped",
"comment": "Sideloaded DLL loaded by Sublime Text",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "filename",
"uuid": "5cf111e1-c7e4-4ed5-9635-4af9950d210f",
"value": "PYTHON33.dll"
},
{
"category": "Artifacts dropped",
"comment": "Sideloaded DLL loaded by Sublime Text",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559302625",
"to_ids": true,
"type": "sha256",
"uuid": "5cf111e1-d158-42da-8dbe-4828950d210f",
"value": "2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528"
},
{
"category": "Artifacts dropped",
"comment": "SMB backdoor based on smbrelay3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-a61c-4572-a3c6-eea7950d210f",
"value": "smb1.exe"
},
{
"category": "Artifacts dropped",
"comment": "SMB backdoor based on smbrelay3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-b5e8-46e1-a5dd-eea7950d210f",
"value": "88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd"
},
{
"category": "Artifacts dropped",
"comment": "Compiled zzz_exploit.py",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-8b94-42cd-a8e7-eea7950d210f",
"value": "mcmd.exe"
},
{
"category": "Artifacts dropped",
"comment": "Compiled zzz_exploit.py",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-6c9c-4b25-8078-eea7950d210f",
"value": "738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-52b8-41c9-a7a0-eea7950d210f",
"value": "zzz_exploit.py"
},
{
"category": "Artifacts dropped",
"comment": "Compiled zzz_exploit.py",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-7308-40da-bd53-eea7950d210f",
"value": "mcafee.exe"
},
{
"category": "Artifacts dropped",
"comment": "Compiled zzz_exploit.py",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-dc00-44b0-8e34-eea7950d210f",
"value": "3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59"
},
{
"category": "Artifacts dropped",
"comment": "pwdump",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-5a74-409c-9602-eea7950d210f",
"value": "dump.exe"
},
{
"category": "Artifacts dropped",
"comment": "pwdump",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-323c-46cd-b6ec-eea7950d210f",
"value": "29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e"
},
{
"category": "Artifacts dropped",
"comment": "Compiled MS17-010 checker",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-2bd8-467f-91d5-eea7950d210f",
"value": "d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333"
},
{
"category": "Artifacts dropped",
"comment": "Packed Mimikatz",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-b070-45e2-b7dd-eea7950d210f",
"value": "memory.exe"
},
{
"category": "Artifacts dropped",
"comment": "Packed Mimikatz",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-4ef4-4334-af42-eea7950d210f",
"value": "a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5"
},
{
"category": "Artifacts dropped",
"comment": "Compiled MS17-010 checker",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-7f90-4c5f-b7bb-eea7950d210f",
"value": "checker.exe"
},
{
"category": "Artifacts dropped",
"comment": "SMB backdoor based on smbrelay3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-ac9c-44c1-9bd7-eea7950d210f",
"value": "smb.exe"
},
{
"category": "Artifacts dropped",
"comment": "SMB backdoor based on smbrelay3",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-b28c-4298-b433-eea7950d210f",
"value": "4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8"
},
{
"category": "Artifacts dropped",
"comment": "Termite",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-a4fc-4db4-ba07-eea7950d210f",
"value": "agent_Win32.exe"
},
{
"category": "Artifacts dropped",
"comment": "Termite",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-5d40-45c1-942b-eea7950d210f",
"value": "b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9"
},
{
"category": "Artifacts dropped",
"comment": "httprelay",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-0750-4a43-b314-eea7950d210f",
"value": "smb_exec.exe"
},
{
"category": "Artifacts dropped",
"comment": "httprelay",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-098c-4c83-925d-eea7950d210f",
"value": "475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7"
},
{
"category": "Artifacts dropped",
"comment": "Incognito",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-3b3c-4982-a3ff-eea7950d210f",
"value": "incognito.exe"
},
{
"category": "Artifacts dropped",
"comment": "Incognito",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-83ec-41db-aa5a-eea7950d210f",
"value": "9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b"
},
{
"category": "Artifacts dropped",
"comment": "nbtscan",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-241c-4f87-8049-eea7950d210f",
"value": "nbtscan.exe"
},
{
"category": "Artifacts dropped",
"comment": "nbtscan",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-c35c-4c47-977d-eea7950d210f",
"value": "c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e"
},
{
"category": "Artifacts dropped",
"comment": "pwdump",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e1-58b8-426c-9116-eea7950d210f",
"value": "fgdump.exe"
},
{
"category": "Artifacts dropped",
"comment": "pwdump",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303137",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e1-1e04-46d5-b0e2-eea7950d210f",
"value": "a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303138",
"to_ids": true,
"type": "filename",
"uuid": "5cf113e2-85a4-4b17-8a79-eea7950d210f",
"value": "smbexec.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303138",
"to_ids": true,
"type": "sha256",
"uuid": "5cf113e2-a6fc-489d-830d-eea7950d210f",
"value": "e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate CreateMedia.exe application from Microsoft\u2019s System Center 2012 Configuration Manager",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303316",
"to_ids": true,
"type": "filename",
"uuid": "5cf11443-5c1c-4ec6-8361-4188950d210f",
"value": "CreateMedia.exe"
},
{
"category": "Artifacts dropped",
"comment": "Legitimate CreateMedia.exe application from Microsoft\u2019s System Center 2012 Configuration Manager",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303325",
"to_ids": true,
"type": "sha256",
"uuid": "5cf11443-71e0-4c02-9469-4fea950d210f",
"value": "2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088"
},
{
"category": "Artifacts dropped",
"comment": "Sideloaded DLL loaded by CreateMedia.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303335",
"to_ids": true,
"type": "filename",
"uuid": "5cf11443-5c00-4428-957f-4052950d210f",
"value": "CreateTsMediaAdm.dll"
},
{
"category": "Artifacts dropped",
"comment": "Symantec pcAnywhere thinprobe application",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303294",
"to_ids": true,
"type": "filename",
"uuid": "5cf1146c-8d1c-45c7-b23f-4985950d210f",
"value": "thinprobe.exe"
},
{
"category": "Artifacts dropped",
"comment": "Symantec pcAnywhere thinprobe application",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303297",
"to_ids": true,
"type": "sha256",
"uuid": "5cf1146c-a964-4838-8be2-4434950d210f",
"value": "76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af"
},
{
"category": "Artifacts dropped",
"comment": "Sideloaded DLL loaded by thinprobe.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303300",
"to_ids": true,
"type": "filename",
"uuid": "5cf1146c-d820-4389-a536-4ab5950d210f",
"value": "thinhostprobedll.dll"
},
{
"category": "Artifacts dropped",
"comment": "Sideloaded DLL loaded by thinprobe.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303305",
"to_ids": true,
"type": "sha256",
"uuid": "5cf1146c-048c-4a4c-83e4-4c94950d210f",
"value": "d40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af"
},
{
"category": "Artifacts dropped",
"comment": "thumb.db contains an encrypted and compressed DLL payload run by the sideloaded DLL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303310",
"to_ids": true,
"type": "sha256",
"uuid": "5cf1146c-8c60-486c-a98a-4965950d210f",
"value": "270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303420",
"to_ids": true,
"type": "url",
"uuid": "5cf114fc-4dbc-4f3a-a659-4540950d210f",
"value": "https://185.12.45.134:443/ajax"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559303437",
"to_ids": true,
"type": "ip-dst",
"uuid": "5cf1150d-6518-4fbe-b7c1-4dcf950d210f",
"value": "185.12.45.134"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1559307454",
"to_ids": true,
"type": "named pipe",
"uuid": "5cf124be-1fa4-49c1-81e4-de6c950d210f",
"value": "\\\\.\\pipe\\testpipe"
}
]
}
}