misp-circl-feed/feeds/circl/misp/5d7dba44-67d4-4fad-b919-4c2d950d210f.json

115 lines
3.3 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2019-09-15",
"extends_uuid": "",
"info": "On-memory post exploit payloads from encoded binary",
"publish_timestamp": "1568643213",
"published": true,
"threat_level_id": "2",
"timestamp": "1568643188",
"uuid": "5d7dba44-67d4-4fad-b919-4c2d950d210f",
"Orgc": {
"name": "MalwareMustDie",
"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#380046",
"name": "ms-caro-malware:malware-type=\"HackTool\""
},
{
"colour": "#ffc100",
"name": "poshc2 beacon"
},
{
"colour": "#c1e21c",
"name": " C2"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:course-of-action=\"PowerShell Mitigation\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:course-of-action=\"Network Sniffing Mitigation\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:course-of-action=\"Credential Dumping Mitigation\""
}
],
"Attribute": [
{
"category": "Internal reference",
"comment": "Threat analysis report and analysis screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568520892",
"to_ids": false,
"type": "link",
"uuid": "5d7dbabc-3ef8-4eb1-9500-448e950d210f",
"value": "https://imgur.com/a/k60b8pm"
},
{
"category": "Network activity",
"comment": "The attacker C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568520952",
"to_ids": true,
"type": "ip-dst",
"uuid": "5d7dbaf8-3e4c-4334-a278-403c950d210f",
"value": "154.121.50.129"
},
{
"category": "Network activity",
"comment": "The attacker C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568520989",
"to_ids": true,
"type": "hostname",
"uuid": "5d7dbb1d-a2ec-4534-9e0b-48f0950d210f",
"value": "amazon34.duckdns.org"
},
{
"category": "Payload delivery",
"comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568521103",
"to_ids": false,
"type": "url",
"uuid": "5d7dbb8f-210c-4f25-86d9-4e5c950d210f",
"value": "https://pastebin.com/Pgi3pMgj"
},
{
"category": "Payload delivery",
"comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568521103",
"to_ids": false,
"type": "url",
"uuid": "5d7dbb8f-2dec-4875-b15d-4f31950d210f",
"value": "https://pastebin.com/SAQRkmef"
},
{
"category": "Network activity",
"comment": "The attacker C2's network AS Number",
"deleted": false,
"disable_correlation": false,
"timestamp": "1568521195",
"to_ids": false,
"type": "AS",
"uuid": "5d7dbbeb-9aa0-4209-beda-4a70950d210f",
"value": "AS327712"
}
]
}
}