adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/57221ede-4084-4c2b-9463-4e1e950d210f.json

892 lines
7 MiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2016-04-28",
"extends_uuid": "",
"info": "OSINT - PLATINUM Targeted attacks in South and Southeast Asia",
"publish_timestamp": "1464781805",
"published": true,
"threat_level_id": "3",
"timestamp": "1464773185",
"uuid": "57221ede-4084-4c2b-9463-4e1e950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
chg: [feed] updated
2024-04-05 12:15:17 +00:00
"local": false,
chg: [gen] updated
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "JVBERi0xLjYNJeLjz9MNCjI4OTQgMCBvYmoNPDwvTGluZWFyaXplZCAxL0wgNTQyMzU4NS9PIDI4OTYvRSA0NDc0MTQ5L04gMzIvVCA1NDIyNjcxL0ggWyA0ODggNjc1XT4+DWVuZG9iag0gICAgICAgDQoyOTA2IDAgb2JqDTw8L0RlY29kZVBhcm1zPDwvQ29sdW1ucyA0L1ByZWRpY3RvciAxMj4+L0ZpbHRlci9GbGF0ZURlY29kZS9JRFs8N0Q3NkEwRjVDMTJFRTc0N0JGMjE5QTU5MDA4MkI5OUE+PEUwNjY4QzYyRUQ5RDNDNEE5MTFDMUY1N0E3QzdGNTlEPl0vSW5kZXhbMjg5NCAyNF0vSW5mbyAyODkzIDAgUi9MZW5ndGggNzQvUHJldiA1NDIyNjcyL1Jvb3QgMjg5NSAwIFIvU2l6ZSAyOTE4L1R5cGUvWFJlZi9XWzEgMiAxXT4+c3RyZWFtDQpo3mJiZBBgYGJgqQYSjPtBhBqQ4AgBEswBQIKpD0gYmIEk4oCExDSQ2Fwgwf8TSEwWYmBi5L4LZDEwMBJN/P82/TtAgAEAU9YLGw0KZW5kc3RyZWFtDWVuZG9iag1zdGFydHhyZWYNCjANCiUlRU9GDQogICAgICAgDQoyOTE3IDAgb2JqDTw8L0MgNzI5L0ZpbHRlci9GbGF0ZURlY29kZS9JIDc1My9MZW5ndGggNTczL08gNjkxL1MgNTY3L1YgNzA3Pj5zdHJlYW0NCmjetFLNaxNBFP/NZvLRpDG7apOYEJOqlAo9xMY0CRjZumlMC8UYjLZi6R5yqIdAxCqWGt1AkFUR4kEoglhUUhAPiqClVAlSDwptFQMGDx6q4E0sBUHowZmU1r/AYWZ+H+/Ng5l5AAQ2Z0AB8zhc+DdczDOxZSn3ku47O0VRko7s4AG9sERyddIWxFya+GvhJ3LHduGS1TDxgo5P4bRuc6nes9Nkrja0CtszuF9jl4qcjtWA8/e066FsfoN4CcbDED/AO4veAFRgDYKN1Q7duluuXvuTf/dzcikUCvUA/q6ZRdr9XqwpxX3LaaWSzY3GZSVmTBSDSvhC+YCmFKuJfE25LDMyKL1spZFFnhxeGGahdolGvsSTmRjxZhdGD4n1GGmjkc8SP3Us/Z3m3/JqpfOVE0myzXz/TNJXLCgDhnrMRPvSSjHlGAlVpJNOGvUfVIh97RM7Msz8qIOTU8s0HBj8VpGy90o/1InG7ovmLVKyfwQp6ey1dJCeMV3XmhSUa7cOC2BklOoQosxhEcmpb2btYdI41FSU7zTFDCT0ZoE+DkKnRiQ310In39F0NcvmNI1p//Ob2DiHdIyjla32ppNlLUMewL8ORwN7K8b1AAS5NaCRFHz9jpFZTLJLB60eFeFmfgO+KG7Owy7DLcKjSS0QW0Ae42gS5gJsKvn1lK6o7ikQFnwO66PN1tSR6bjNkACG4wyvI7N/ZUMLX7ca+AYyXTWGHuBqP3ijm65wv4rMK9NGNhn4K8AA7MvAEQ0KZW5kc3RyZWFtDWVuZG9iag0yODk1IDAgb2JqDTw8L0Fjcm9Gb3JtIDI5MDcgMCBSL0xhbmco/v8ARQBOAC0AVQBTKS9NYXJrSW5mbzw8L01hcmtlZCB0cnVlPj4vTWV0YWRhdGEgMTY0IDAgUi9PdXRsaW5lcyAzMzYgMCBSL1BhZ2VMYXlvdXQvT25lQ29sdW1uL1BhZ2VzIDI4ODYgMCBSL1N0cnVjdFRyZWVSb290IDM3MiAwIFIvVHlwZS9DYXRhbG9nPj4NZW5kb2JqDTI4OTYgMCBvYmoNPDwvQ29udGVudHMgMjg5OCAwIFIvQ3JvcEJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9Hcm91cCAyOTE2IDAgUi9NZWRpYUJveFswLjAgMC4wIDYxMi4wIDc5Mi4wXS9QYXJlbnQgMjg4NyAwIFIvUmVzb3VyY2VzPDwvRXh0R1N0YXRlPDwvR1MwIDI5MDggMCBSPj4vRm9udDw8L0MyXzAgMjkxMyAwIFIvVFQwIDI5MTUgMCBSPj4vUHJvY1NldFsvUERGL1RleHQvSW1hZ2VDXS9YT2JqZWN0PDwvSW0wIDI5MDUgMCBSPj4+Pi9Sb3RhdGUgMC9TdHJ1Y3RQYXJlbnRzIDAvVHlwZS9QYWdlPj4NZW5kb2JqDTI4OTcgMCBvYmoNPDwvRmlsdGVyL0ZsYXRlRGVjb2RlL0ZpcnN0IDkzL0xlbmd0aCAyMDMzL04gMTAvVHlwZS9PYmpTdG0+PnN0cmVhbQ0KaN6UWNtu3EYS/ZV+tLHwsu8XIBAgaSJbgBUbGmW9WIIPtETLgx3NCDN0EP19zqkmR1bkOA4Eqsi+Vp2qOtU9tuiktLJFZ2WM4UtRFm22GDSHwhejgmOXscr5+ubw5uXNKxdi5ltQLhuZGZV3xauffmoWxy+aN8P6N+xx9Qn/btXLZnGJjp8319ub1eYWr+8XZ4vt9dygXDIYeHl01JxtNyP6Zb6Lha3N//rFRwzRdQgHrYb1zb7tjo4w9Ph8qT716/3QnFw0v2x3d/26OT1W5t+6efd+6nn3/kKZZnmsxt2XoVle9Pv/Y+hmaK4e7ofm59/H18uxH4fmupd52/s6T9Z/t7sZdlDyxfnNsBlX48PL5nK4Xe3H3cOL45vtx+Fls/xyf78e7tCtdNVpf80Po71uTs8Xy2EkymJjc9rfvxlWt59HlbRuFkMd+spm25yt+9u98gLCycn29/aViVq64KhoZL1Oes/6u9X64cVyuN0O6v1uq5bD3eotV31Z+1frwXJPK3uy6Zf+bmjOX/96ebH8l8zDtFeHaTJkOe6G8frzjCKbPlRVXdDN+divV9fHm9v1oHSzHIe7/6joK4QcSlN2q/txu2v+O1kYdMXjpN8PHPKd/QnTwx6Lnm8+bWtMClrni6vt6/PFRX/fzA5oFh8ABcB7umuNX05afvk4UitM5hBqaB/1bD60uo0+dohlDHetdU7ZjKCOToWSVLBJZXgrabRb2yEZDMGEF1zr8RUjQt4U5UqpMmWZ5FLoLFa18mVdG3zprMfitQEjdZ1gFPbkMs63yBtVfFHRRRWQfdFqFTOmYHufkop8ClTxHK4xBu3RqxyDSlgzBagcbJUYG5CfwWRZPkJxZmlIWNvjSVoMccmJ5BiPfhu4H5I+eeWxPiXXsUhpeQ+6wxJY3cKelFvPhfCawQjoxCDXZYdPGZ5D62CV1xGmYuVgoHFkwCsPCzzIw4csGlhnD5oQgeiSIEDrZ+vQ1xkdkARatARrtdASjmFiBNEUCYKniFLG6pYaG0vP0XoHiX6sR12M061LltzVGUe3OnGQoTc8dNNVX1Ag+sGSsCVn7O91m4gckKdt1DnDK9QRNNgZvBt6Eu0mQAesGZC3lBE6JgAVzRwr2AecmkJQ2VUdGQkMRMGCoNo04YK1QYYGoHvqkUwbGXvJd4a2AXJiZ1JoqUuBzgU4IP06k7Uy2ZCxIWFrZlADg+xbrh2wLv3B6DCMEIu9CuYUzIF+ptg2ANcAnxAzKxhP65lSnUZnQXYWfGPxzm+rfa0qAMWi1Fg4j8pZlhzjpiTyLR3GcHQEBWMcHZwJRJC1HB1LA1INexYoOpwOYDhLIMGJkjI+iCFiEFICsdhZx/7qFIvgsx6OZ8Z712aNfo81MS8RfB9bJrWkBAwVQGAox1c7zXNptaTMX0roFX2VkkrEx/y9ZNpz/F9KUAIzb5aCM8nmOzJgLHUijbANVNI5Jin8xIx2GplNjNH3RCJwqiySlNzvzzKUr9qEitwzSXoiMTyTsz+fyVwJhJLMPH1L4Abzw5IUSPI5xMYUN4f4gf9JPPQnE5oJedB50kUCnwmAxKXvrWHyaElqh/mZhACmz4wdtM90Ttzq2k72o78kD+gPiZNyoPIw5Qgrj8SvqRhQ70QiEQ6OQhoyH+0RxOhdrjGAfUk4bAskNSYucof9HnE/MXUdR98WzIN+AeTofSUhIahIv3MtzMuVxGLhmlnszcznaS/BCJJtwgOlxkw01a/UswCzgvbEMaHaRhwqRuERp1S5JI
"deleted": false,
"disable_correlation": false,
"timestamp": "1461853954",
"to_ids": false,
"type": "attachment",
"uuid": "57221f02-6b1c-4b51-b40c-462d950d210f",
"value": "Platinum feature article - Targeted attacks in South and Southeast Asia April 2016.pdf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857278",
"to_ids": false,
"type": "vulnerability",
"uuid": "57222bfe-4068-4151-aa6d-40a6950d210f",
"value": "CVE-2015-2545"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461913507",
"to_ids": true,
"type": "yara",
"uuid": "57222c60-7300-4608-a6da-407f950d210f",
"value": "rule Trojan_Win32_PlaSrv : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hotpatching Injector\"\r\noriginal_sample_sha1 = \"ff7f949da665ba8ce9fb01da357b51415634eaad\"\r\nunpacked_sample_sha1 = \"dff2fee984ba9f5a8f5d97582c83fca4fa1fe131\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$Section_name = \".hotp1\"\r\n$offset_x59 = { C7 80 64 01 00 00 00 00 01 00 }\r\ncondition:\r\n$Section_name and $offset_x59\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857398",
"to_ids": true,
"type": "yara",
"uuid": "57222c76-7a74-4696-bfef-4a72950d210f",
"value": "rule Trojan_Win32_Platual : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"e0ac2ae221328313a7eee33e9be0924c46e2beb9\"\r\nunpacked_sample_sha1 = \"ccaf36c2d02c3c5ca24eeeb7b1eae7742a23a86a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name = \"AVCObfuscation\"\r\n$scrambled_dir = { A8 8B B8 E3 B1 D7 FE 85 51 32 3E C0 F1 B7 73 99 }\r\ncondition:\r\n$class_name and $scrambled_dir\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857455",
"to_ids": true,
"type": "yara",
"uuid": "57222caf-8748-4ea3-9e48-4cd8950d210f",
"value": "rule Trojan_Win32_Plaplex : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Variant of the JPin backdoor\"\r\noriginal_sample_sha1 = \"ca3bda30a3cdc15afb78e54fa1bbb9300d268d66\"\r\nunpacked_sample_sha1 = \"2fe3c80e98bbb0cf5a0c4da286cd48ec78130a24\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$class_name1 = \"AVCObfuscation\"\r\n$class_name2 = \"AVCSetiriControl\"\r\ncondition:\r\n$class_name1 and $class_name2\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857485",
"to_ids": true,
"type": "yara",
"uuid": "57222ccd-c09c-402a-af7b-42a5950d210f",
"value": "rule Trojan_Win32_Dipsind_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind Family\"\r\nsample_sha1 = \"09e0dfbb5543c708c0dd6a89fd22bbb96dc4ca1c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$frg1 = {8D 90 04 01 00 00 33 C0 F2 AE F7 D1 2B F9 8B C1 8B F7 8B FA C1 E9 02 F3\r\nA5 8B C8 83 E1 03 F3 A4 8B 4D EC 8B 15 ?? ?? ?? ?? 89 91 ?? 07 00 00 }\r\n$frg2 = {68 A1 86 01 00 C1 E9 02 F3 AB 8B CA 83 E1 03 F3 AA}\r\n$frg3 = {C0 E8 07 D0 E1 0A C1 8A C8 32 D0 C0 E9 07 D0 E0 0A C8 32 CA 80 F1 63}\r\ncondition:\r\n$frg1 and $frg2 and $frg3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857505",
"to_ids": true,
"type": "yara",
"uuid": "57222ce1-6800-4ad5-81d7-461e950d210f",
"value": "rule Trojan_Win32_PlaKeylog_B : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Keylogger component\"\r\noriginal_sample_sha1 = \"0096a3e0c97b85ca75164f48230ae530c94a2b77\"\r\nunpacked_sample_sha1 = \"6a1412daaa9bdc553689537df0a004d44f8a45fd\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$hook = {C6 06 FF 46 C6 06 25}\r\n$dasm_engine = {80 C9 10 88 0E 8A CA 80 E1 07 43 88 56 03 80 F9 05}\r\ncondition:\r\n$hook and $dasm_engine\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857543",
"to_ids": true,
"type": "yara",
"uuid": "57222d07-9af0-482f-ad9a-446d950d210f",
"value": "rule Trojan_Win32_Adupib : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Adupib SSL Backdoor\"\r\noriginal_sample_sha1 = \"d3ad0933e1b114b14c2b3a2c59d7f8a95ea0bcbd\"\r\nunpacked_sample_sha1 = \"a80051d5ae124fd9e5cc03e699dd91c2b373978b\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"POLL_RATE\"\r\n$str2 = \"OP_TIME(end hour)\"\r\n$str3 = \"%d:TCP:*:Enabled\"\r\n$str4 = \"%s[PwFF_cfg%d]\"\r\n$str5 = \"Fake_GetDlgItemTextW: ***value***=\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4 and $str5\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461913516",
"to_ids": true,
"type": "yara",
"uuid": "57222d55-3684-4ca9-8552-4ea1950d210f",
"value": "rule Trojan_Win32_Plagon : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"48b89f61d58b57dba6a0ca857bce97bab636af65\"\r\nunpacked_sample_sha1 = \"6dccf88d89ad7b8611b1bc2e9fb8baea41bdb65a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"VPLRXZHTU\"\r\n$str2 ={64 6F 67 32 6A 7E 6C}\r\n$str3 =\"Dqpqftk(Wou\\\"Isztk)\"\r\n$str4 =\"StartThreadAtWinLogon\"\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461913520",
"to_ids": true,
"type": "yara",
"uuid": "57222d70-8a40-438e-8d32-411f950d210f",
"value": "rule Trojan_Win32_Plakelog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Raw-input based keylogger\"\r\noriginal_sample_sha1 = \"3907a9e41df805f912f821a47031164b6636bd04\"\r\nunpacked_sample_sha1 = \"960feeb15a0939ec0b53dcb6815adbf7ac1e7bb2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 =\"<0x02>\" wide\r\n$str2 =\"[CTR-BRK]\" wide\r\n$str3 =\"[/WIN]\" wide\r\n$str4 ={8A 16 8A 18 32 DA 46 88 18 8B 15 08 E6 42 00 40 41 3B CA 72 EB 5E 5B}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461913523",
"to_ids": true,
"type": "yara",
"uuid": "57222da1-3824-4b9f-aeaa-48ee950d210f",
"value": "rule Trojan_Win32_Plainst : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99c08d31af211a0e17f92dd312ec7ca2b9469ecb\"\r\nunpacked_sample_sha1 = \"dcb6cf7cf7c8fdfc89656a042f81136bda354ba6\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {66 8B 14 4D 18 50 01 10 8B 45 08 66 33 14 70 46 66 89 54 77 FE 66 83 7C 77 FE 00 75 B7 8B 4D FC 89 41 08 8D 04 36 89 41 0C 89 79 04}\r\n$str2 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\ncondition:\r\n$str1 and $str2\r\n}"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857737",
"to_ids": true,
"type": "yara",
"uuid": "57222dc9-3924-415f-b9af-411e950d210f",
"value": "rule Trojan_Win32_Plagicom : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer component\"\r\noriginal_sample_sha1 = \"99dcb148b053f4cef6df5fa1ec5d33971a58bd1e\"\r\nunpacked_sample_sha1 = \"c1c950bc6a2ad67488e675da4dfc8916831239a7\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {C6 44 24 ?? 68 C6 44 24 ?? 4D C6 44 24 ?? 53 C6 44 24 ?? 56 C6 44 24 ??\r\n00}\r\n$str2 = \"OUEMM/EMM\"\r\n$str3 = {85 C9 7E 08 FE 0C 10 40 3B C1 7C F8 C3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857756",
"to_ids": true,
"type": "yara",
"uuid": "57222ddc-86f4-4857-a0b7-4d30950d210f",
"value": "rule Trojan_Win32_Plaklog : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Hook-based keylogger\"\r\noriginal_sample_sha1 = \"831a5a29d47ab85ee3216d4e75f18d93641a9819\"\r\nunpacked_sample_sha1 = \"e18750207ddbd939975466a0e01bd84e75327dda\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"++[%s^^unknown^^%s]++\"\r\n$str2 = \"vtfs43/emm\"\r\n$str3 = {33 C9 39 4C 24 08 7E 10 8B 44 24 04 03 C1 80 00 08 41 3B 4C 24 08 7C F0\r\nC3}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857774",
"to_ids": true,
"type": "yara",
"uuid": "57222dee-bc1c-45cd-990c-4384950d210f",
"value": "rule Trojan_Win32_Plapiio : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"JPin backdoor\"\r\noriginal_sample_sha1 = \"3119de80088c52bd8097394092847cd984606c88\"\r\nunpacked_sample_sha1 = \"3acb8fe2a5eb3478b4553907a571b6614eb5455c\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"ServiceMain\"\r\n$str2 = \"Startup\"\r\n$str3 = {C6 45 ?? 68 C6 45 ?? 4D C6 45 ?? 53 C6 45 ?? 56 C6 45 ?? 6D C6 45 ?? 6D}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464773185",
"to_ids": true,
"type": "yara",
"uuid": "57222e07-30ec-4c0a-b189-494a950d210f",
"value": "rule Trojan_Win32_Plabit : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft Installer component\"\r\nsample_sha1 = \"6d1169775a552230302131f9385135d385efd166\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {4b D3 91 49 A1 80 91 42 83 B6 33 28 36 6B 90 97}\r\n$str2 = \"GetInstanceW\"\r\n$str3 = {8B D0 83 E2 1F 8A 14 0A 30 14 30 40 3B 44 24 04 72 EE}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857826",
"to_ids": true,
"type": "yara",
"uuid": "57222e22-aa2c-415e-8a7b-462d950d210f",
"value": "rule Trojan_Win32_Placisc2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"bf944eb70a382bd77ee5b47548ea9a4969de0527\"\r\nunpacked_sample_sha1 = \"d807648ddecc4572c7b04405f496d25700e0be6e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {76 16 8B D0 83 E2 07 8A 4C 14 24 8A 14 18 32 D1 88 14 18 40 3B C7 72 EA\r\n}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = \"%d) Command:%s\"\r\n$str4 = {0D 0A 2D 2D 2D 2D 2D 09 2D 2D 2D 2D 2D 2D 0D 0A}\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857899",
"to_ids": true,
"type": "yara",
"uuid": "57222e6b-89f4-4baa-9984-4e7b950d210f",
"value": "rule Trojan_Win32_Placisc3 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Dipsind variant\"\r\noriginal_sample_sha1 = \"1b542dd0dacfcd4200879221709f5fa9683cdcda\"\r\nunpacked_sample_sha1 = \"bbd4992ee3f3a3267732151636359cf94fb4575d\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {BA 6E 00 00 00 66 89 95 ?? ?? FF FF B8 73 00 00 00 66 89 85 ?? ?? FF FF\r\nB9 64 00 00 00 66 89 8D ?? ?? FF FF BA 65 00 00 00 66 89 95 ?? ?? FF FF B8 6C 00 00\r\n00}\r\n$str2 = \"VPLRXZHTU\"\r\n$str3 = {8B 44 24 ?? 8A 04 01 41 32 C2 3B CF 7C F2 88 03}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857921",
"to_ids": true,
"type": "yara",
"uuid": "57222e81-ba14-49a1-adcf-4445950d210f",
"value": "rule Trojan_Win32_Placisc4 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Installer for Dipsind variant\"\r\noriginal_sample_sha1 = \"3d17828632e8ff1560f6094703ece5433bc69586\"\r\nunpacked_sample_sha1 = \"2abb8e1e9cac24be474e4955c63108ff86d1a034\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = {8D 71 01 8B C6 99 BB 0A 00 00 00 F7 FB 0F BE D2 0F BE 04 39 2B C2 88 04\r\n39 84 C0 74 0A}\r\n$str2 = {6A 04 68 00 20 00 00 68 00 00 40 00 6A 00 FF D5}\r\n$str3 = {C6 44 24 ?? 64 C6 44 24 ?? 6F C6 44 24 ?? 67 C6 44 24 ?? 32 C6 44 24 ??\r\n6A}\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857955",
"to_ids": true,
"type": "yara",
"uuid": "57222ea3-46a4-48aa-a848-4a89950d210f",
"value": "rule Trojan_Win32_Plakpers : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Injector / loader component\"\r\noriginal_sample_sha1 = \"fa083d744d278c6f4865f095cfd2feabee558056\"\r\nunpacked_sample_sha1 = \"3a678b5c9c46b5b87bfcb18306ed50fadfc6372e\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"MyFileMappingObject\"\r\n$str2 = \"[%.3u] %s %s %s [%s:\" wide\r\n$str3 = \"%s\\\\{%s}\\\\%s\" wide\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461857990",
"to_ids": true,
"type": "yara",
"uuid": "57222ec6-0e78-4173-9f07-4cb8950d210f",
"value": "rule Trojan_Win32_Plainst2 : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool\"\r\noriginal_sample_sha1 = \"3f2ce812c38ff5ac3d813394291a5867e2cddcf2\"\r\nunpacked_sample_sha1 = \"88ff852b1b8077ad5a19cc438afb2402462fbd1a\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"Connected [%s:%d]...\"\r\n$str2 = \"reuse possible: %c\"\r\n$str3 = \"] => %d%%\\x0a\"\r\ncondition:\r\n$str1 and $str2 and $str3\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858015",
"to_ids": true,
"type": "yara",
"uuid": "57222edf-cb54-45e0-bbcc-4210950d210f",
"value": "rule Trojan_Win32_Plakpeer : Platinum\r\n{\r\nmeta:\r\nauthor = \"Microsoft\"\r\ndescription = \"Zc tool v2\"\r\noriginal_sample_sha1 = \"2155c20483528377b5e3fde004bb604198463d29\"\r\nunpacked_sample_sha1 = \"dc991ef598825daabd9e70bac92c79154363bab2\"\r\nactivity_group = \"Platinum\"\r\nversion = \"1.0\"\r\nlast_modified = \"2016-04-12\"\r\nstrings:\r\n$str1 = \"@@E0020(%d)\" wide\r\n$str2 = /exit.{0,3}@exit.{0,3}new.{0,3}query.{0,3}rcz.{0,3}scz/ wide\r\n$str3 = \"---###---\" wide\r\n$str4 = \"---@@@---\" wide\r\ncondition:\r\n$str1 and $str2 and $str3 and $str4\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858063",
"to_ids": false,
"type": "comment",
"uuid": "57222f0f-ca58-4844-8763-4c13950d210f",
"value": "PLATINUM: Targeted attacks in South\r\nand Southeast Asia\r\nMicrosoft proactively monitors the threat landscape for emerging threats. Part of this job involves\r\nkeeping tabs on targeted activity groups, which are often the first ones to introduce new exploits and\r\ntechniques that are later used widely by other attackers. In the previous volume, \u00e2\u20ac\u0153STRONTIUM: A\r\nprofile of a persistent and motivated adversary,\u00e2\u20ac\u009d on page 3 of Microsoft Security Intelligence Report,\r\nVolume 19 (January\u00e2\u20ac\u201cJune 2015), chronicled the activities of one such group, which had attracted\r\ninterest because of its aggressive, persistent tactics and techniques as well as its repeated use of new\r\nzero-day exploits to attack its targets.\r\nThis section describes the history, behavior, and tactics of a newly discovered targeted activity group,\r\nwhich Microsoft has code-named PLATINUM. Microsoft is sharing some of the information it has\r\ngathered on this group in the hope that it will raise awareness of the group\u00e2\u20ac\u2122s activities and help\r\norganizations take immediate advantage of available mitigations that can significantly reduce the risks\r\nthey face from this and similar groups.\r\nAdversary profile\r\nPLATINUM has been targeting its victims since at least as early as 2009, and may have been active for\r\nseveral years prior. Its activities are distinctly different not only from those typically seen in untargeted\r\nattacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized\r\nas opportunistic: the activity group changes its target profiles and attack geographies based on\r\ngeopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM\r\nseeks to steal sensitive intellectual property related to government interests, but its range of preferred\r\ntargets is consistently limited to specific governmental organizations, defense institutes, intelligence\r\nagencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The\r\ngroup\u00e2\u20ac\u2122s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and\r\naccess to previously undiscovered zero-day exploits have made it a highly resilient threat."
},
{
"category": "Payload delivery",
"comment": "Gambar gambar Rumah Gay Didiet Prabowo di Sentul Bogor.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858134",
"to_ids": true,
"type": "sha1",
"uuid": "57222f56-1be8-471b-a27f-4ce4950d210f",
"value": "e9f900b5d01320ccd4990fd322a459d709d43e4b"
},
{
"category": "Payload delivery",
"comment": "The real reason Prabowo wants to be President.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858135",
"to_ids": true,
"type": "sha1",
"uuid": "57222f57-87fc-44ef-8b30-41c2950d210f",
"value": "9a4e82ba371cd2fedea0b889c879daee7a01e1b1"
},
{
"category": "Payload delivery",
"comment": "Malaysia a victim of American irregular warfare ops.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858135",
"to_ids": true,
"type": "sha1",
"uuid": "57222f57-30c0-40e6-be3f-430e950d210f",
"value": "92a3ece981bb5e0a3ee4277f08236c1d38b54053"
},
{
"category": "Payload delivery",
"comment": "Tu Vi Nam Tan Mao 2011.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858136",
"to_ids": true,
"type": "sha1",
"uuid": "57222f58-f4c0-423c-9e35-4356950d210f",
"value": "0bc08dca86bd95f43ccc78ef4b27d81f28b4b769"
},
{
"category": "Payload delivery",
"comment": "Indians having fun.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858136",
"to_ids": true,
"type": "sha1",
"uuid": "57222f58-75c4-4151-bc5d-4728950d210f",
"value": "f4af574124e9020ef3d0a7be9f1e42c2261e97e6"
},
{
"category": "Payload delivery",
"comment": "Gerakan Anti SBY II.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858279",
"to_ids": true,
"type": "sha1",
"uuid": "57222fe7-e234-4ba0-8667-45b4950d210f",
"value": "1bdc1a0bc995c1beb363b11b71c14324be8577c9"
},
{
"category": "Network activity",
"comment": "URL for PNG Exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858279",
"to_ids": true,
"type": "url",
"uuid": "57222fe7-82c0-41a5-b39f-4790950d210f",
"value": "mister.nofrillspace.com/users/web8_dice/4226/space.gif"
},
{
"category": "Payload delivery",
"comment": "Tu_Vi_Nam_Tan_ Mao_2011.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858280",
"to_ids": true,
"type": "sha1",
"uuid": "57222fe8-e138-41ca-8e0f-48b1950d210f",
"value": "2a33542038a85db4911d7b846573f6b251e16b2d"
},
{
"category": "Network activity",
"comment": "URL for PNG Exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858280",
"to_ids": true,
"type": "url",
"uuid": "57222fe8-5f0c-45fa-a8ed-4c3b950d210f",
"value": "intent.nofrillspace.com/users/web11_focus/3807/space.gif"
},
{
"category": "Payload delivery",
"comment": "Wikileaks Indonesia.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858281",
"to_ids": true,
"type": "sha1",
"uuid": "57222fe9-9958-4f02-9560-4f43950d210f",
"value": "d6a795e839f51c1a5aeabf5c10664936ebbef8ea"
},
{
"category": "Network activity",
"comment": "URL for PNG Exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858281",
"to_ids": true,
"type": "url",
"uuid": "57222fe9-9edc-43b7-bc6a-43b7950d210f",
"value": "mister.nofrillspace.com/users/web8_dice/3791/space.gif"
},
{
"category": "Payload delivery",
"comment": "Top 11 Aerial Surveillance Devices.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858281",
"to_ids": true,
"type": "sha1",
"uuid": "57222fe9-515c-4e40-8b67-40cf950d210f",
"value": "f362feedc046899a78c4480c32dda4ea82a3e8c0"
},
{
"category": "Network activity",
"comment": "URL for PNG Exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858282",
"to_ids": true,
"type": "url",
"uuid": "57222fea-00b4-4c25-86b6-47b8950d210f",
"value": "intent.nofrillspace.com/users/web11_focus/4307/space.gif"
},
{
"category": "Payload delivery",
"comment": "SEMBOYAN_1.doc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858282",
"to_ids": true,
"type": "sha1",
"uuid": "57222fea-022c-4a86-8c6e-4760950d210f",
"value": "f751cdfaef99c6184f45a563f3d81ff1ada25565"
},
{
"category": "Network activity",
"comment": "URL for PNG Exploit",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858283",
"to_ids": true,
"type": "url",
"uuid": "57222feb-9550-414b-aa37-403b950d210f",
"value": "www.police28122011.0fees.net/pages/013/space.gif"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858325",
"to_ids": true,
"type": "hostname",
"uuid": "57223015-2b48-4137-afae-4aaf950d210f",
"value": "box62.a-inet.net"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858325",
"to_ids": true,
"type": "hostname",
"uuid": "57223015-7138-4387-a596-4b3d950d210f",
"value": "scienceweek.scieron.com"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858326",
"to_ids": true,
"type": "ip-dst",
"uuid": "57223016-2264-4e5f-8211-4468950d210f",
"value": "200.61.248.8"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858326",
"to_ids": true,
"type": "hostname",
"uuid": "57223016-b9bc-4df8-934c-4076950d210f",
"value": "eclipse.a-inet.net"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858326",
"to_ids": true,
"type": "hostname",
"uuid": "57223016-cb40-4ea5-b383-4511950d210f",
"value": "mobileworld.darktech.org"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858327",
"to_ids": true,
"type": "ip-dst",
"uuid": "57223017-2e54-4205-9c7b-485e950d210f",
"value": "209.45.65.163"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858327",
"to_ids": true,
"type": "hostname",
"uuid": "57223017-99cc-41de-abc6-4f39950d210f",
"value": "joomlastats.a-inet.net"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858328",
"to_ids": true,
"type": "hostname",
"uuid": "57223018-d2f0-4939-b72b-46e0950d210f",
"value": "geocities.efnet.at"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858328",
"to_ids": true,
"type": "ip-dst",
"uuid": "57223018-368c-428b-a315-4482950d210f",
"value": "190.96.47.9"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858328",
"to_ids": true,
"type": "hostname",
"uuid": "57223018-bde4-46d2-b4a1-4a67950d210f",
"value": "updates.joomlastats.co.cc"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858329",
"to_ids": true,
"type": "hostname",
"uuid": "57223019-3f84-4531-b4db-45ed950d210f",
"value": "bpl.blogsite.org"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858329",
"to_ids": true,
"type": "ip-dst",
"uuid": "57223019-2de8-4914-b9a9-4b15950d210f",
"value": "192.192.114.1"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858330",
"to_ids": true,
"type": "hostname",
"uuid": "5722301a-b6d0-4690-b82c-447a950d210f",
"value": "server.joomlastats.co.cc"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858330",
"to_ids": true,
"type": "hostname",
"uuid": "5722301a-6a0c-4bd3-973c-4cf3950d210f",
"value": "wiki.servebbs.net"
},
{
"category": "Network activity",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858330",
"to_ids": true,
"type": "ip-dst",
"uuid": "5722301a-264c-4eb4-8e87-4f0f950d210f",
"value": "61.31.203.98"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858359",
"to_ids": false,
"type": "pattern-in-memory",
"uuid": "57223037-e7e0-4004-8cfe-424d950d210f",
"value": "AOPSH03SK09POKSID7FF674PSLI91965"
},
{
"category": "Payload delivery",
"comment": "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858487",
"to_ids": true,
"type": "sha256",
"uuid": "572230b7-32b8-4f91-8c2a-47cd02de0b81",
"value": "66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372"
},
{
"category": "Payload delivery",
"comment": "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858488",
"to_ids": true,
"type": "md5",
"uuid": "572230b8-3e68-44d6-9b51-4f7502de0b81",
"value": "28e81ca00146165385c8916bf0a61046"
},
{
"category": "External analysis",
"comment": "SEMBOYAN_1.doc - Xchecked via VT: f751cdfaef99c6184f45a563f3d81ff1ada25565",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858488",
"to_ids": false,
"type": "link",
"uuid": "572230b8-2b30-4d0e-b33d-487802de0b81",
"value": "https://www.virustotal.com/file/66a85a846c816821635337b61da6bff58cbb5d4a8dc5a87b05f08d4a9e934372/analysis/1461733388/"
},
{
"category": "Payload delivery",
"comment": "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858488",
"to_ids": true,
"type": "sha256",
"uuid": "572230b8-dbac-426b-a9ac-4cbe02de0b81",
"value": "1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15"
},
{
"category": "Payload delivery",
"comment": "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858489",
"to_ids": true,
"type": "md5",
"uuid": "572230b9-c428-47ce-a5f3-42ed02de0b81",
"value": "70511e6e75aa38a4d92cd134caba16ef"
},
{
"category": "External analysis",
"comment": "Top 11 Aerial Surveillance Devices.doc - Xchecked via VT: f362feedc046899a78c4480c32dda4ea82a3e8c0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858489",
"to_ids": false,
"type": "link",
"uuid": "572230b9-3bd4-4ae8-9fb0-443602de0b81",
"value": "https://www.virustotal.com/file/1cd003a5e089ce906e035efee222785bba679276356b8409c24b3fe5bb863d15/analysis/1461732971/"
},
{
"category": "Payload delivery",
"comment": "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858489",
"to_ids": true,
"type": "sha256",
"uuid": "572230b9-7c5c-44a4-9840-435d02de0b81",
"value": "527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e"
},
{
"category": "Payload delivery",
"comment": "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858490",
"to_ids": true,
"type": "md5",
"uuid": "572230ba-e524-4a2d-8640-4af602de0b81",
"value": "7eb17991ed13960d57ed75c01f6f7fd5"
},
{
"category": "External analysis",
"comment": "Wikileaks Indonesia.doc - Xchecked via VT: d6a795e839f51c1a5aeabf5c10664936ebbef8ea",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858490",
"to_ids": false,
"type": "link",
"uuid": "572230ba-8100-4cb3-851a-49b602de0b81",
"value": "https://www.virustotal.com/file/527ff3a10bd6af99df29f8b2e58fa9fafaf2beae9219c7a82127e5d89d36617e/analysis/1461735840/"
},
{
"category": "Payload delivery",
"comment": "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858490",
"to_ids": true,
"type": "sha256",
"uuid": "572230ba-0d08-41d7-9bc8-4b4e02de0b81",
"value": "5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d"
},
{
"category": "Payload delivery",
"comment": "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858491",
"to_ids": true,
"type": "md5",
"uuid": "572230bb-c9d4-44d2-a86b-467002de0b81",
"value": "2f1ab543b38a7ad61d5dbd72eb0524c4"
},
{
"category": "External analysis",
"comment": "Tu_Vi_Nam_Tan_ Mao_2011.doc - Xchecked via VT: 2a33542038a85db4911d7b846573f6b251e16b2d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858491",
"to_ids": false,
"type": "link",
"uuid": "572230bb-817c-4de6-a794-42d302de0b81",
"value": "https://www.virustotal.com/file/5f7499ef0eb5cd67f04c4b4f7cd4ac5ce11abad6d7523d275a7f7f3cd70d4c4d/analysis/1461792783/"
},
{
"category": "Payload delivery",
"comment": "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858492",
"to_ids": true,
"type": "sha256",
"uuid": "572230bc-4f94-48a2-9906-48ca02de0b81",
"value": "2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040"
},
{
"category": "Payload delivery",
"comment": "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858492",
"to_ids": true,
"type": "md5",
"uuid": "572230bc-6474-420c-aad7-466502de0b81",
"value": "fde37e60cc4be73dada0fb1ad3d5f273"
},
{
"category": "External analysis",
"comment": "Gerakan Anti SBY II.doc - Xchecked via VT: 1bdc1a0bc995c1beb363b11b71c14324be8577c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461858492",
"to_ids": false,
"type": "link",
"uuid": "572230bc-23f4-44b5-82af-405902de0b81",
"value": "https://www.virustotal.com/file/2e71ded564eb42881e93202bbcc00fd7f9decaaa3b82643c0fbe75f0fa118040/analysis/1461733063/"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912011",
"to_ids": false,
"type": "vulnerability",
"uuid": "572301cb-39dc-48ab-8569-4bbc950d210f",
"value": "CVE-2013-7331"
},
{
"category": "Payload delivery",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912115",
"to_ids": false,
"type": "vulnerability",
"uuid": "57230233-264c-4424-9865-4b32950d210f",
"value": "CVE-2015-2546"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912418",
"to_ids": false,
"type": "regkey",
"uuid": "57230362-94fc-4f8a-8e59-4696950d210f",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Asynchronous"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912424",
"to_ids": false,
"type": "regkey",
"uuid": "57230368-035c-4607-af86-4634950d210f",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\DllName"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912424",
"to_ids": false,
"type": "regkey",
"uuid": "57230368-52dc-4e88-92c0-48cf950d210f",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Impersonate"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912424",
"to_ids": false,
"type": "regkey",
"uuid": "57230368-4350-45bb-a5ef-4a2f950d210f",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\Startup"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912425",
"to_ids": false,
"type": "regkey",
"uuid": "57230369-2ca4-487e-81c1-4f49950d210f",
"value": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\Cscdll32\\shutdown"
},
{
"category": "Persistence mechanism",
"comment": "Imported via the freetext import.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461912425",
"to_ids": false,
"type": "regkey",
"uuid": "57230369-3458-43b5-b0b4-474c950d210f",
"value": "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\cscdll32"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461878832",
"to_ids": false,
"type": "link",
"uuid": "57228030-4c14-48c9-899f-45a202de0b81",
"value": "http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1461878832",
"to_ids": false,
"type": "link",
"uuid": "57228030-5328-4860-976e-42a802de0b81",
"value": "https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/"
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
chg: [gen] updated
2023-12-14 14:30:15 +00:00
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
}
Reference in a new issue Copy permalink