260 lines
8.2 KiB
JSON
260 lines
8.2 KiB
JSON
|
{
|
||
|
"Event": {
|
||
|
"analysis": "1",
|
||
|
"date": "2020-01-25",
|
||
|
"extends_uuid": "",
|
||
|
"info": "Emotet/Trickbot",
|
||
|
"publish_timestamp": "1580456162",
|
||
|
"published": true,
|
||
|
"threat_level_id": "3",
|
||
|
"timestamp": "1580456151",
|
||
|
"uuid": "5e2c4c13-1f64-4e4e-8165-4801950d210f",
|
||
|
"Orgc": {
|
||
|
"name": "wilbursecurity.com",
|
||
|
"uuid": "5e16d2bc-5c68-4ef1-bc80-47f5950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#cdce6a",
|
||
|
"name": "Banker: TrickBot"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ad00ff",
|
||
|
"name": "malware:emotet"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579962769",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2c4de1-ac54-48d5-a37d-e9b4950d210f",
|
||
|
"value": "https://jomamba.best:80/adgvredgdz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579962762",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2c4de1-d8f0-4c26-a183-e9b4950d210f",
|
||
|
"value": "http://144.202.114.147:80/aascx"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579962734",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2c4dfa-7538-4f47-bdec-e9b4950d210f",
|
||
|
"value": "http://149.28.106.230/adsfjasktmsttyoatopoyamfkytasrdltoiqrttmcvbmltpatp"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C2 via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579962390",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2c5016-8b18-4d7a-9ec0-414b950d210f",
|
||
|
"value": "149.28.106.230.vultr.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "C2 via Emotet",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579962489",
|
||
|
"to_ids": true,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5e2c5079-86ec-4f16-b647-75a9950d210f",
|
||
|
"value": "68.183.170.114"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot connected to this domain",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579963242",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5e2c536a-4134-427d-98d1-4eaf950d210f",
|
||
|
"value": "2cdajlnnwxfylth4.onion"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot connected to this domain",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579963248",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5e2c5370-3918-40ec-8c2f-4a0a950d210f",
|
||
|
"value": "myexternalip.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot connected to this domain",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579963254",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5e2c5376-cd28-4e38-a0e7-48cc950d210f",
|
||
|
"value": "chekfast.zennolab.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot connected to this domain",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579963254",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5e2c5376-8478-43fc-8eac-42b2950d210f",
|
||
|
"value": "api.ipify.org"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "PowerView.ps1",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1579965122",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2c5ac2-3588-439c-b693-43d8950d210f",
|
||
|
"value": "https://qwe4dse4.com/hcxUr9dg.ps1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580051493",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2dac25-eda0-44f4-93d4-48af950d210f",
|
||
|
"value": "http://207.148.30.186:80/asdkjbaskjnvscjshxhgbsxsanxrvsars"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580051498",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2dac2a-0ae0-4120-a56e-4ea1950d210f",
|
||
|
"value": "http://155.138.202.17:80/aieutireuoitreuJHJksfhkjhewkkkqowJLKjswwoieuoepo"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot potential c2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580061584",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2dd390-a514-4790-8a1d-be6c950d210f",
|
||
|
"value": "https://updatewinlsass.com:80/afdgszfsbgrg"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot PowerTrick",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580062002",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "5e2dd532-a644-43e8-b03d-418c950d210f",
|
||
|
"value": "updatewinlsass.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot download and IEX via powershell",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580087835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "5e2e3a1b-b21c-419a-a86e-4b42950d210f",
|
||
|
"value": "https://koretycbeeb.com:80/lmjnbvgftyujkiu765678"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Trickbot connecting to PowerShell Empire",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1580087929",
|
||
|
"to_ids": false,
|
||
|
"type": "ip-dst",
|
||
|
"uuid": "5e2e3a79-d648-4d6f-8375-83e8950d210f",
|
||
|
"value": "155.138.142.157"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "shell-commands",
|
||
|
"template_uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
|
||
|
"template_version": "2",
|
||
|
"timestamp": "1579962888",
|
||
|
"uuid": "5e2c4ed1-e340-4765-a21f-75ba950d210f",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Trickbot",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1579962857",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5e2c4ed1-17f8-4e56-8dbb-75ba950d210f",
|
||
|
"value": "nltest /domain_trusts /all_trusts"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Trickbot",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1579962878",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5e2c4ed8-3fec-42f4-99b8-75ba950d210f",
|
||
|
"value": "net view /all /domain"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "Trickbot",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "shell-command",
|
||
|
"timestamp": "1579962888",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "5e2c4ede-6fc8-48fa-a7f7-75ba950d210f",
|
||
|
"value": "net config workstation"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}
|