{
"Event": {
"analysis": "2",
"date": "2015-06-15",
"extends_uuid": "",
"info": "OSINT Targeted Attacks against Tibetan and Hong Kong Groups Exploiting CVE-2014-4114 by Citizen Lab",
"publish_timestamp": "1456870655",
"published": true,
"threat_level_id": "2",
"timestamp": "1441971856",
"uuid": "557fddba-87c0-4ac1-a79a-a56f950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "Original report",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443390",
"to_ids": false,
"type": "link",
"uuid": "557fddd3-8660-4fae-8afd-a54c950d210b",
"value": "https://citizenlab.org/2015/06/targeted-attacks-against-tibetan-and-hong-kong-groups-exploiting-cve-2014-4114/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443239",
"to_ids": false,
"type": "vulnerability",
"uuid": "557fdde7-a1b4-4353-8c55-9a18950d210b",
"value": "CVE-2014-4114"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443289",
"to_ids": true,
"type": "email-src",
"uuid": "557fde19-2370-42ff-b177-a578950d210b",
"value": "tibet_net@yahoo.com.hk"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443350",
"to_ids": true,
"type": "md5",
"uuid": "557fde56-f758-440f-ba85-a557950d210b",
"value": "18bb1ce405e4abac4b0fc63054beac6c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443350",
"to_ids": true,
"type": "md5",
"uuid": "557fde56-2028-4b0e-b56a-a557950d210b",
"value": "8a18a13910838d08e38db80a08e15bd5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443350",
"to_ids": true,
"type": "md5",
"uuid": "557fde56-ee28-45c5-b529-a557950d210b",
"value": "2a544922d3ece4351c1af4ca63c24550"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443377",
"to_ids": false,
"type": "link",
"uuid": "557fde71-8300-4656-b6c1-a56f950d210b",
"value": "https://www.virustotal.com/en-gb/file/c895d68a40b9a61dce6758f537a08a289dd4a392202e2d4e7635efb063d58d16/analysis/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443377",
"to_ids": false,
"type": "link",
"uuid": "557fde71-0ee8-4703-89eb-a56f950d210b",
"value": "https://www.virustotal.com/en-gb/file/45a4a937dd727dad29d46bceeb460bf24fd9f6df44f10692508fbd6ed2b7dfbd/analysis/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443377",
"to_ids": false,
"type": "link",
"uuid": "557fde71-ef04-4184-8bac-a56f950d210b",
"value": "https://www.virustotal.com/en-gb/file/ab118ff89762b8bd32f8bcb754bec06004604380b20349255bc637a197fa5f2d/analysis/"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443424",
"to_ids": true,
"type": "hostname",
"uuid": "557fdea0-24fc-4196-8d74-9a18950d210b",
"value": "free1999.jkub.com"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443544",
"to_ids": true,
"type": "hostname",
"uuid": "557fdf18-691c-46df-8ee6-a578950d210b",
"value": "eset-windows.findhere.org"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443544",
"to_ids": true,
"type": "md5",
"uuid": "557fdf18-a958-4c1c-a813-a578950d210b",
"value": "705147c509206151c22515ef568bac51"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443544",
"to_ids": true,
"type": "hostname",
"uuid": "557fdf18-8f2c-4fce-87f3-a578950d210b",
"value": "dnsupdate.dynamic-dns.net"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443544",
"to_ids": true,
"type": "hostname",
"uuid": "557fdf18-8dfc-4438-a5c7-a578950d210b",
"value": "good.wha.la"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443544",
"to_ids": true,
"type": "md5",
"uuid": "557fdf18-3280-4a48-94d3-a578950d210b",
"value": "d7832e76ee2c5c48ae428e57599b589e"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443793",
"to_ids": false,
"type": "filename",
"uuid": "557fe011-bc38-40b7-97e6-a557950d210b",
"value": "Challenge.pps"
},
{
"category": "Artifacts dropped",
"comment": "False Positive - legitimate F-Secure Antivirus executable; kept with to_ids false so it is not exported as an IDS indicator. Verify that any md5/sha1/sha256 attributes computed from this benign binary are likewise not exported to IDS, or they will alert on every host running F-Secure.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1441971856",
"to_ids": false,
"type": "filename",
"uuid": "557fe012-b77c-4d62-8b0b-a557950d210b",
"value": "fsavstrt.exe"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "md5",
"uuid": "557fe012-ac0c-4808-89b7-a557950d210b",
"value": "9459478ab9a9b996de683789f77b185c"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "filename",
"uuid": "557fe012-3a7c-43b1-891d-a557950d210b",
"value": "FSMA32.dll"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "md5",
"uuid": "557fe012-83c8-45d9-98d0-a557950d210b",
"value": "8432c77b12343d59d991b0d0e0c12f7d"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "filename",
"uuid": "557fe012-3e5c-435e-843f-a557950d210b",
"value": "FSMA32.dllfox"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "md5",
"uuid": "557fe012-8ac8-4dd8-bd7a-a557950d210b",
"value": "db5a9c790e909629aaf7079b6996861f"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "filename",
"uuid": "557fe012-c6e4-462a-913f-a557950d210b",
"value": "putty.gif.exe"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443794",
"to_ids": true,
"type": "md5",
"uuid": "557fe012-5d90-484d-a016-a557950d210b",
"value": "a990071b60046863c98bcf462fede77a"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "filename",
"uuid": "557fe013-e694-4c28-b731-a557950d210b",
"value": "H.H."
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "filename",
"uuid": "557fe013-c4b4-4c17-bea2-a557950d210b",
"value": "LAMA.pps"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "filename",
"uuid": "557fe013-4b10-4e5c-bace-a557950d210b",
"value": "SX.exe"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "md5",
"uuid": "557fe013-3ed0-4a80-b8a2-a557950d210b",
"value": "5730866b34ef589bd398c9a9b6d7e307"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "filename",
"uuid": "557fe013-fd28-4c49-b39c-a557950d210b",
"value": "SXLOC.dll"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "md5",
"uuid": "557fe013-1d70-43aa-aab5-a557950d210b",
"value": "d839691657ca814be13d5c9c6511d6b2"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443795",
"to_ids": true,
"type": "filename",
"uuid": "557fe013-9898-4d44-ab23-a557950d210b",
"value": "SXLOC.zap"
},
{
"category": "Artifacts dropped",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443796",
"to_ids": true,
"type": "md5",
"uuid": "557fe014-4658-4ea7-af4d-a557950d210b",
"value": "03c900a1b115e759b32e4172dec52aa2"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434443796",
"to_ids": true,
"type": "filename",
"uuid": "557fe014-be88-4162-8de2-a557950d210b",
"value": "「佔領中環」引發爭議的背後.pps"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 9459478ab9a9b996de683789f77b185c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841049",
"to_ids": true,
"type": "sha1",
"uuid": "56c65f19-a4a8-4aba-97c5-5f51950d210f",
"value": "c6d8eabea5bac84b90851c1a6e17c0c30bcf5c27"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 8432c77b12343d59d991b0d0e0c12f7d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841051",
"to_ids": true,
"type": "sha1",
"uuid": "56c65f1b-65a4-469f-870a-4a61950d210f",
"value": "62dbbcd115497a7bbbd4d1351d50a328914a8b26"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d839691657ca814be13d5c9c6511d6b2)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841054",
"to_ids": true,
"type": "sha1",
"uuid": "56c65f1e-461c-4530-864e-458f950d210f",
"value": "cd425ce7f3e4a823d9027780e1b439759c4dc665"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 9459478ab9a9b996de683789f77b185c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841050",
"to_ids": true,
"type": "sha256",
"uuid": "56c65f1a-dd00-494f-8ae5-c653950d210f",
"value": "583c8920445feaf0a963fbd3ad8ad24fd9143941e4046cf376cfe08cb9137613"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 8432c77b12343d59d991b0d0e0c12f7d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841052",
"to_ids": true,
"type": "sha256",
"uuid": "56c65f1c-0a5c-4bfa-8f6a-59a1950d210f",
"value": "cbb1d6b3c76c77ce1c3397cd607a7642fcb703201b82e07704e7074061d86ea3"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via d839691657ca814be13d5c9c6511d6b2)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455841054",
"to_ids": true,
"type": "sha256",
"uuid": "56c65f1e-afc8-469a-82e6-599c950d210f",
"value": "5ff2bc7267759bde3c02e4c19b8c3144c43c4f7fc2c21f2d4f881ca0b821e00b"
}
]
}
}