{
"Event": {
"analysis": "2",
"date": "2015-07-14",
"extends_uuid": "",
"info": "OSINT An In-Depth Look at How Pawn Storm\u2019s Java Zero-Day Was Used by Trend Micro",
"publish_timestamp": "1437650831",
"published": true,
"threat_level_id": "2",
"timestamp": "1454273686",
"uuid": "55a76999-52e4-45c0-ac44-2ce2950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437034929",
"to_ids": false,
"type": "link",
"uuid": "55a769b1-faf0-4553-b131-e4fd950d210b",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437034949",
"to_ids": false,
"type": "text",
"uuid": "55a769c5-83c8-41f9-a020-266f950d210b",
"value": "APT28"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437034949",
"to_ids": false,
"type": "text",
"uuid": "55a769c5-904c-44d3-a10e-266f950d210b",
"value": "Pawn Storm"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437034949",
"to_ids": false,
"type": "text",
"uuid": "55a769c5-3b70-40c6-8030-266f950d210b",
"value": "Sednit"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437034950",
"to_ids": false,
"type": "text",
"uuid": "55a769c6-70cc-469e-bae4-266f950d210b",
"value": "Sofacy"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126452",
"to_ids": true,
"type": "sha1",
"uuid": "55a8cf34-5c94-40bf-9cfc-4301950d210b",
"value": "95dc765700f5af406883d07f165011d2ff8dd0fb"
},
{
"category": "Network activity",
"comment": "Marked as not for IDS since it includes a regexp",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126493",
"to_ids": false,
"type": "url",
"uuid": "55a8cf34-29cc-480a-8bfd-43b9950d210b",
"value": "http://ausameetings.com/url?=[a-za-z0-9]{7}/2015annualmeeting/"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126452",
"to_ids": true,
"type": "sha1",
"uuid": "55a8cf34-0550-4b1f-b183-42ae950d210b",
"value": "b4a515ef9de037f18d96b9b0e48271180f5725b7"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126453",
"to_ids": true,
"type": "url",
"uuid": "55a8cf35-add8-4854-b6c3-443b950d210b",
"value": "vhgg5hkvn25.exe"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126453",
"to_ids": true,
"type": "sha1",
"uuid": "55a8cf35-3b68-473a-8347-49c9950d210b",
"value": "21835aafe6d46840bb697e8b0d4aac06dec44f5b"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126453",
"to_ids": true,
"type": "url",
"uuid": "55a8cf35-e610-4d0b-b99a-44a5950d210b",
"value": "api-ms-win-downlevel-profile-l1-1-0.dll"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126700",
"to_ids": true,
"type": "domain",
"uuid": "55a8d02c-f300-4479-a2e9-1e08950d210b",
"value": "ausameetings.com"
},
{
"category": "Network activity",
"comment": "Low precision",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126700",
"to_ids": true,
"type": "ip-dst",
"uuid": "55a8d02c-8f64-4dd0-a81e-1e08950d210b",
"value": "95.215.45.189"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126700",
"to_ids": true,
"type": "ip-dst",
"uuid": "55a8d02c-4300-4109-9e0d-1e08950d210b",
"value": "87.236.215.132"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "url",
"uuid": "55a8d02d-3cb4-424d-980f-1e08950d210b",
"value": "arrayreplace.class"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "filename",
"uuid": "55a8d02d-e680-47d6-ada7-1e08950d210b",
"value": "App$PassHandleController.class"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "url",
"uuid": "55a8d02d-5a2c-49e1-bd33-1e08950d210b",
"value": "converter.class"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "url",
"uuid": "55a8d02d-30f4-48a7-9ae8-1e08950d210b",
"value": "mybytearrayinputstream.class"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "url",
"uuid": "55a8d02d-9718-48ec-8566-1e08950d210b",
"value": "none2.class"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126701",
"to_ids": true,
"type": "url",
"uuid": "55a8d02d-b774-4483-bf97-1e08950d210b",
"value": "none.class"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126702",
"to_ids": true,
"type": "url",
"uuid": "55a8d02e-384c-4a0e-b776-1e08950d210b",
"value": "cormac.mcr"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126702",
"to_ids": true,
"type": "ip-dst",
"uuid": "55a8d02e-fa20-43d0-9a16-1e08950d210b",
"value": "192.111.146.185"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126702",
"to_ids": true,
"type": "ip-dst",
"uuid": "55a8d02e-71e4-484a-b446-1e08950d210b",
"value": "37.187.116.240"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126722",
"to_ids": true,
"type": "domain",
"uuid": "55a8d02e-c688-4242-b2b6-1e08950d210b",
"value": "acledit.com"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126730",
"to_ids": true,
"type": "domain",
"uuid": "55a8d02e-d3c4-41d0-adfe-1e08950d210b",
"value": "biocpl.org"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126787",
"to_ids": false,
"type": "text",
"uuid": "55a8d083-0df0-41d5-aaff-0a95950d210b",
"value": "JAVA_DLOADR.EFD"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126787",
"to_ids": false,
"type": "text",
"uuid": "55a8d083-889c-4378-8a87-0a95950d210b",
"value": "TROJ_DROPPR.CXC"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1437126787",
"to_ids": false,
"type": "text",
"uuid": "55a8d083-b298-4191-b334-0a95950d210b",
"value": "TSPY_SEDNIT.C"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273686",
"to_ids": true,
"type": "sha256",
"uuid": "56ae7496-ac98-437d-ba17-4bfa02de0b81",
"value": "3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273686",
"to_ids": true,
"type": "md5",
"uuid": "56ae7496-ab14-4ad0-a447-44be02de0b81",
"value": "211b7100fd799e9eaabeb13cfa446231"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273687",
"to_ids": false,
"type": "link",
"uuid": "56ae7497-80f0-4165-be41-49d402de0b81",
"value": "https://www.virustotal.com/file/3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8/analysis/1451306949/"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273687",
"to_ids": true,
"type": "sha256",
"uuid": "56ae7497-8098-4ffc-b65e-47d302de0b81",
"value": "d93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273687",
"to_ids": true,
"type": "md5",
"uuid": "56ae7497-5968-4028-ac90-4fb202de0b81",
"value": "afe09fb5a2b97f9e119f70292092604e"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273688",
"to_ids": false,
"type": "link",
"uuid": "56ae7498-0774-4bcb-ae08-492402de0b81",
"value": "https://www.virustotal.com/file/d93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5/analysis/1449817909/"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273688",
"to_ids": true,
"type": "sha256",
"uuid": "56ae7498-5770-4232-9152-4a3102de0b81",
"value": "3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import. - Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273688",
"to_ids": true,
"type": "md5",
"uuid": "56ae7498-cf28-4e29-81fb-47be02de0b81",
"value": "0c345969a5974e8b1ec6a5e23b2cf777"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1454273688",
"to_ids": false,
"type": "link",
"uuid": "56ae7498-af00-40a5-9683-420102de0b81",
"value": "https://www.virustotal.com/file/3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349/analysis/1443100024/"
}
]
}
}