{
"Event": {
"analysis": "0",
"date": "2022-08-03",
"extends_uuid": "",
"info": "Github Repo Compromise Domain MyJino RU",
"publish_timestamp": "1659524114",
"published": true,
"threat_level_id": "1",
"timestamp": "1659520660",
"uuid": "f811ccb3-5724-4ff4-a920-36d81100e7b8",
"Orgc": {
"name": "BSK",
"uuid": "56024f6c-da70-4584-b689-48ef950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#053a00",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\""
},
{
"colour": "#002642",
"name": "osint:source-type=\"microblog-post\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "C2 domain",
"deleted": false,
"disable_correlation": false,
"timestamp": "1659513139",
"to_ids": true,
"type": "hostname",
"uuid": "0ea045af-c19c-4dc9-8aba-51bdb8643a74",
"value": "ovz1.j19544519.pr46m.vps.myjino.ru"
}
],
"Object": [
{
"comment": "ovz1.j19544519.pr46m.vps.myjino.ru: Enriched via the farsight_passivedns module",
"deleted": false,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html",
"first_seen": "2022-07-28T11:22:53+00:00",
"last_seen": "2022-08-03T06:19:30+00:00",
"meta-category": "network",
"name": "passive-dns",
"template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"template_version": "5",
"timestamp": "1659520432",
"uuid": "afdb4f8e-08ca-4beb-b105-c91605eb5513",
"ObjectReference": [
{
"comment": "",
"object_uuid": "afdb4f8e-08ca-4beb-b105-c91605eb5513",
"referenced_uuid": "0ea045af-c19c-4dc9-8aba-51bdb8643a74",
"relationship_type": "related-to",
"timestamp": "1659519047",
"uuid": "9cd1bcb7-2c93-4308-b98d-dcdbbd3e967a"
}
],
"Attribute": [
{
"category": "Other",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": false,
"object_relation": "rdata",
"timestamp": "1659520428",
"to_ids": true,
"type": "text",
"uuid": "84fd5844-44f6-49b4-ae39-9a77413b8152",
"value": "195.161.41.221"
},
{
"category": "Other",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": true,
"object_relation": "count",
"timestamp": "1659519079",
"to_ids": false,
"type": "counter",
"uuid": "517487e4-8ecf-4023-9601-cdeae8d5178e",
"value": "4"
},
{
"category": "Other",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": true,
"object_relation": "time_first",
"timestamp": "1659519079",
"to_ids": false,
"type": "datetime",
"uuid": "64322d63-ac27-458a-8e57-3f9b7215b163",
"value": "2022-07-28T11:22:53+00:00"
},
{
"category": "Other",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": true,
"object_relation": "time_last",
"timestamp": "1659519079",
"to_ids": false,
"type": "datetime",
"uuid": "d5b73acf-82da-4d12-ad2f-557ee481435c",
"value": "2022-08-03T06:19:30+00:00"
},
{
"category": "Network activity",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": false,
"object_relation": "rrname",
"timestamp": "1659520432",
"to_ids": true,
"type": "text",
"uuid": "411cb6d9-2de2-45fe-8858-b31f98e52ce0",
"value": "ovz1.j19544519.pr46m.vps.myjino.ru."
},
{
"category": "Network activity",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": true,
"object_relation": "rrtype",
"timestamp": "1659519079",
"to_ids": false,
"type": "text",
"uuid": "ceaec1aa-ea20-46c9-aa26-6e526cc58e4c",
"value": "A"
},
{
"category": "Network activity",
"comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru",
"deleted": false,
"disable_correlation": true,
"object_relation": "bailiwick",
"timestamp": "1659520417",
"to_ids": false,
"type": "domain",
"uuid": "1e73df86-ce7c-445d-9dfa-7c84158a46f6",
"value": "myjino.ru"
}
]
},
{
"comment": "Origin: https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/gen_github_repo_compromise_myjino_ru.yar",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "5",
"timestamp": "1659519265",
"uuid": "62e6afb6-4237-41f9-8be7-986c83f038fa",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659519265",
"to_ids": false,
"type": "text",
"uuid": "657fa3c5-8a6f-44a3-a1b2-db62db18ae7e",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1659519265",
"to_ids": true,
"type": "yara",
"uuid": "537e39eb-37f4-42d5-8944-39022aa38b47",
"value": "rule MAL_Github_Repo_Compromise_MyJino_Ru_Aug22 {\r\n meta:\r\n description = \"Detects URL mentioned in report on compromised Github repositories in August 2022\"\r\n author = \"Florian Roth\"\r\n reference = \"https://twitter.com/stephenlacy/status/1554697077430505473\"\r\n date = \"2022-08-03\"\r\n score = 90\r\n strings:\r\n $x1 = \"curl http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n $x2 = \"http__.Post(\\\"http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n condition:\r\n 1 of them\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1659519265",
"to_ids": false,
"type": "text",
"uuid": "8bc7d3cf-71b6-441b-aa53-0c0a21375995",
"value": "MAL_Github_Repo_Compromise_MyJino_Ru_Aug22"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1659520396",
"uuid": "284f1a37-a166-4b5b-b5b3-4a1e41bae212",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1659520396",
"to_ids": false,
"type": "comment",
"uuid": "51bf417d-6e35-4fa9-ac51-889898fcb4e5",
"value": "Detects connections to the host used in a big repository compromise discovered in August 2022"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659520396",
"to_ids": false,
"type": "text",
"uuid": "2b7d7317-6a7b-4245-b72e-860e99a8ae29",
"value": "dns"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659520396",
"to_ids": false,
"type": "text",
"uuid": "b4455c25-2f5b-4665-8900-dbf1af77bd57",
"value": "network"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1659520396",
"to_ids": false,
"type": "link",
"uuid": "ecb93db6-01ee-43ec-a51f-9f858630970a",
"value": "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1659520396",
"to_ids": true,
"type": "sigma",
"uuid": "a6cd4477-de96-479a-85ca-7c709bf3dd33",
"value": "title: Github Repo Compromise Domain MyJino RU\r\nid: 3a9f4c77-8e2e-45eb-abc1-4754f670d3a9\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: network_connection\r\n product: windows\r\ndetection:\r\n selection:\r\n Initiated: 'true'\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1659520396",
"to_ids": false,
"type": "text",
"uuid": "45dce477-cec0-4a94-a6e9-b23136dc282a",
"value": "Github Repo Compromise Domain MyJino RU"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1659520547",
"uuid": "18ab09f0-b623-40df-8920-eadfbcb0d5e0",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659520547",
"to_ids": false,
"type": "text",
"uuid": "5954ae33-cbf4-468d-b11a-7ae33f6bc965",
"value": "dns"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659520547",
"to_ids": false,
"type": "text",
"uuid": "80d8f09b-51e8-47c4-9d22-244973f6a526",
"value": "network"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "reference",
"timestamp": "1659520547",
"to_ids": false,
"type": "link",
"uuid": "68adb1fd-fa19-4a9d-8e4d-dd3724e8db04",
"value": "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/network_connection/net_connection_github_myjino_ru.yml"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1659520547",
"to_ids": true,
"type": "sigma",
"uuid": "70294bb6-60d9-439f-b7ca-be754d7162d4",
"value": "title: Github Repo Compromise Domain MyJino RU\r\nid: 242e0911-294a-44ea-a54e-7eea97aa2622\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n product: linux\r\n category: network_connection\r\ndetection:\r\n selection:\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1659520547",
"to_ids": false,
"type": "text",
"uuid": "d5f1cfed-c4b0-4c90-8158-21e9e76c28d1",
"value": "Github Repo Compromise Domain MyJino RU"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a Sigma rule (or a Sigma rule name).",
"meta-category": "misc",
"name": "sigma",
"template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
"template_version": "1",
"timestamp": "1659520633",
"uuid": "9d47dc79-72a0-457a-af87-022323dd74c9",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1659520633",
"to_ids": false,
"type": "text",
"uuid": "0fe60ee6-7182-4441-a471-d71f9d76fc2f",
"value": "dns"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma",
"timestamp": "1659520633",
"to_ids": true,
"type": "sigma",
"uuid": "60048328-51d0-433c-b979-8fe5b6726458",
"value": "title: DNS Lookup Github Repo Compromise Domain MyJino RU\r\nid: 6b0dd2e4-13ff-4eff-b79b-4444fad43644\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: dns\r\ndetection:\r\n selection:\r\n query: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\n - Web proxy or other security device DNS lookups of the domain\r\nlevel: high"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sigma-rule-name",
"timestamp": "1659520633",
"to_ids": false,
"type": "text",
"uuid": "c306254d-9b71-46c3-ae7a-b3143ce96092",
"value": "DNS Lookup Github Repo Compromise Domain MyJino RU"
}
]
}
]
}
}