{
"Event" : {
"analysis" : "2" ,
"date" : "2019-05-09" ,
"extends_uuid" : "" ,
"info" : "OSINT - keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site." ,
"publish_timestamp" : "1557415440" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1557415377" ,
"uuid" : "5cd4446a-b318-40d6-8120-473a950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Unconditional client-side exploitation/Injected Website/Driveby - T1372\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5cd444bb-5100-4607-ab39-4e98950d210f" ,
"value" : "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5cd444bb-b15c-4760-b152-4fda950d210f" ,
"value" : "41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1557415149" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "5cd444ed-5814-49ff-a3f9-466a950d210f" ,
"value" : "lifopp-sacoho.com"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1557415108" ,
"uuid" : "9bc5279d-fa53-4c2f-92f1-9aac47fe4658" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "9bc5279d-fa53-4c2f-92f1-9aac47fe4658" ,
"referenced_uuid" : "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1557415108" ,
"uuid" : "5cd444c4-dc64-44bb-b6bc-45ec950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "74f7c0dd-c91b-40c0-8f79-2a166f238326" ,
"value" : "3590c4b2cfa63655dc14bef32659f675"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "62f22eb0-6df4-4280-8141-68c00d1b25d8" ,
"value" : "5b0825a4436e4908501667e1cfa91e9e39e82302"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1876d114-6aff-4578-bdb3-fb33a4177b40" ,
"value" : "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1557415108" ,
"uuid" : "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "9268cd71-c418-4b6c-8ae7-b2755788dedc" ,
"value" : "2019-05-08T10:03:22"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "fea2b397-1408-4777-ab45-308963ac7d8b" ,
"value" : "https://www.virustotal.com/file/4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966/analysis/1557309802/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "584d4279-982a-4ca3-bedf-933dd6a5b6bb" ,
"value" : "31/72"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1557415108" ,
"uuid" : "2ec00d74-5d8a-4db5-9d43-1845fcfd8917" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "2ec00d74-5d8a-4db5-9d43-1845fcfd8917" ,
"referenced_uuid" : "b6b594cd-778d-4c19-a1e8-b04a78d6154d" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1557415108" ,
"uuid" : "5cd444c4-2080-4e51-8579-47de950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "81add71e-e549-4b98-9afe-695b617f0642" ,
"value" : "0211036d4f551610892d3da2f2377b95"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "addec366-d1b1-446f-ba62-24d6bcfbb96f" ,
"value" : "b4f5d93b0eb93812018646f6b358da9592ae6499"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1557415099" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "3dc10670-ea31-4e41-984c-2bd669198b13" ,
"value" : "41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1557415108" ,
"uuid" : "b6b594cd-778d-4c19-a1e8-b04a78d6154d" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a6d53689-a303-42fe-8c7f-def94d11e653" ,
"value" : "2019-05-07T11:36:35"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "eceb9e59-eff8-433b-8169-b854da49308d" ,
"value" : "https://www.virustotal.com/file/41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e/analysis/1557228995/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1557415099" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "05cda147-431f-4496-807b-50aa24c3c031" ,
"value" : "14/56"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Microblog post like a Twitter tweet or a post on a Facebook wall." ,
"meta-category" : "misc" ,
"name" : "microblog" ,
"template_uuid" : "8ec8c911-ddbe-4f5b-895b-fbff70c42a60" ,
"template_version" : "5" ,
"timestamp" : "1557415316" ,
"uuid" : "5cd44594-ead8-4e11-8ccb-4a0e950d210f" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "post" ,
"timestamp" : "1557415317" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cd44595-8944-400e-b668-4629950d210f" ,
"value" : "keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site. @malwrhunterteam"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1557415317" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cd44595-c004-4e7e-83c1-442b950d210f" ,
"value" : "Twitter"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "url" ,
"timestamp" : "1557415317" ,
"to_ids" : false ,
"type" : "url" ,
"uuid" : "5cd44595-d14c-4a3d-bb69-4f53950d210f" ,
"value" : "https://twitter.com/berkcgoksel/status/1125727590440931329"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username" ,
"timestamp" : "1557415317" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5cd44595-720c-4b7b-9eb2-42a8950d210f" ,
"value" : "berkcgoksel"
}
]
}
]
}
}