
{
"Event": {
"analysis": "2",
"date": "2017-01-19",
"extends_uuid": "",
"info": "OSINT - Uncovering the Inner Workings of EyePyramid",
"publish_timestamp": "1484813235",
"published": true,
"threat_level_id": "3",
"timestamp": "1484812427",
"uuid": "58806a6c-14a4-49a9-8d6c-49e6950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\" EyePyramid Malware\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484810875",
"to_ids": false,
"type": "text",
"uuid": "58806a7b-5040-4706-8eaf-4e44950d210f",
"value": "Two Italians referred to as the \u201cOcchionero brothers\u201d have been arrested and accused of using malware and a carefully-prepared spear-phishing scheme to spy on high-profile politicians and businessmen. This case has been called \u201cEyePyramid\u201d, which we first discussed last week. (Conspiracy theories aside, the name came from a domain name and directory path that was found during the research.)\r\n\r\nThe court order was published by AGI, an Italian news agency, around noon on January 11. It (surprisingly) contains multiple technical details which we used to bootstrap our initial analysis. This post builds on the details of the case to provide a more complete and in-depth view of the activities of this campaign.\r\n\r\nScope of this analysis\r\n\r\nWe have analyzed nearly 250 distinct samples, with new batches of EyePyramid-related samples seen and identified daily. Right after our initial analysis, about a dozen suspicious samples were uploaded to VirusTotal and tagged as \u201c#eyepyramid\u201d. We believe that these samples are \u201cfalse flags,\u201d because the samples do not resemble any of the samples that we were able to definitely relate to the EyePyramid case. Although we are not able to say with 100% certainty that there are no relationships between these \u201cfalse flags\u201d and the original EyePyramid samples, we purposely did not focus on these uploaded samples."
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484810892",
"to_ids": false,
"type": "link",
"uuid": "58806a8c-4008-48f2-8de3-4842950d210f",
"value": "http://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811291",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1b-a244-41a1-9bbf-4532950d210f",
"value": ":\\Projects\\VS2005\\ChromePass\\Release\\ChromePass.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811292",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1c-bb6c-40f4-92d0-433b950d210f",
"value": ":\\Projects\\VS2005\\MyLastSearch\\release\\MyLastSearch.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811293",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1d-49cc-4664-8c7d-428d950d210f",
"value": ":\\Projects\\VS2005\\NK2View\\Release\\NK2View.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811294",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1e-0a40-4830-bdb0-424b950d210f",
"value": ":\\Projects\\VS2005\\ProduKey\\Release\\ProduKey.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811295",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1f-b1a8-4261-b7a8-4a08950d210f",
"value": ":\\Projects\\VS2005\\RecentFilesView\\Release\\RecentFilesView.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811295",
"to_ids": true,
"type": "pdb",
"uuid": "58806c1f-95b8-4c6d-b981-4e0a950d210f",
"value": ":\\Projects\\VS2005\\USBDeview\\Release\\USBDeview.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811296",
"to_ids": true,
"type": "pdb",
"uuid": "58806c20-91b0-45df-b625-412c950d210f",
"value": ":\\Projects\\VS2005\\WirelessKeyView\\Release\\WirelessKeyView.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811297",
"to_ids": true,
"type": "pdb",
"uuid": "58806c21-2540-48fd-b445-40b4950d210f",
"value": ":\\Projects\\VS2005\\mspass\\Release\\mspass.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811298",
"to_ids": true,
"type": "pdb",
"uuid": "58806c22-0390-488d-bfb9-415e950d210f",
"value": ":\\Projects\\VS2005\\netpass\\Release\\netpass.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811299",
"to_ids": true,
"type": "pdb",
"uuid": "58806c23-9c98-4b91-9120-454d950d210f",
"value": ":\\projects\\VS2005\\iepv\\Release\\iepv.pdb"
},
{
"category": "Artifacts dropped",
"comment": "PDB path of a third-party credential/system-information recovery utility dropped by the samples (code-reuse indicator). Legitimate standalone copies of the same tool carry the identical PDB string, so a hit on this value alone is low-confidence and should be correlated with the other EyePyramid indicators before acting on it.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811300",
"to_ids": true,
"type": "pdb",
"uuid": "58806c24-4134-4bc3-9c5a-4fe7950d210f",
"value": ":\\projects\\vs2005\\shortcutsman\\release\\shman.pdb"
},
{
"category": "Attribution",
"comment": "Both the 2010 and 2012 versions share the infamous MN600-D8102F401003102110C5114F1F18-0E8C MailBee license key, which was either purchased by Giulio Occhionero, or purchased using his name.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811351",
"to_ids": false,
"type": "text",
"uuid": "58806c57-ddb0-4a50-851d-454c950d210f",
"value": "MN600-D8102F401003102110C5114F1F18-0E8C"
},
{
"category": "Payload delivery",
"comment": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811446",
"to_ids": true,
"type": "sha256",
"uuid": "58806cb6-2af8-4192-90f9-4f10950d210f",
"value": "21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316"
},
{
"category": "External analysis",
"comment": "Analysis Methodology",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811513",
"to_ids": false,
"type": "attachment",
"uuid": "58806cf9-7a5c-467f-bea2-41ab950d210f",
"value": "EyePyramid_15-01.jpg"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811686",
"to_ids": true,
"type": "sha256",
"uuid": "58806da6-5f00-4e00-871d-4cdd950d210f",
"value": "d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c"
},
{
"category": "External analysis",
"comment": "Appendix",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811762",
"to_ids": false,
"type": "attachment",
"uuid": "58806df2-9f50-44e7-85e2-42a5950d210f",
"value": "Appendix_uncovering-the-inner-workings-of-eyepyramid.pdf"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811850",
"to_ids": true,
"type": "url",
"uuid": "58806e4a-0990-4e82-b7d2-4b14950d210f",
"value": "http://guess515.fastmail.fm/files/jobs/44dc7eceb"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811851",
"to_ids": true,
"type": "url",
"uuid": "58806e4b-0acc-4f4c-8073-43d1950d210f",
"value": "http://guess515.fastmail.fm/files/jobs/3261cc389"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811851",
"to_ids": true,
"type": "url",
"uuid": "58806e4b-25ac-4bd6-a0b9-46c8950d210f",
"value": "http://guess515.fastmail.fm/files/run"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811852",
"to_ids": true,
"type": "url",
"uuid": "58806e4c-3f68-409f-aa6a-4b33950d210f",
"value": "http://guess515.fastmail.fm/files/ghk"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811853",
"to_ids": true,
"type": "url",
"uuid": "58806e4d-148c-4308-b2e1-4d98950d210f",
"value": "http://guess515.fastmail.fm/files/co"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811854",
"to_ids": true,
"type": "url",
"uuid": "58806e4e-b3e4-4f18-9a79-4931950d210f",
"value": "http://guess515.fastmail.fm/files/bin/ghk"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811855",
"to_ids": true,
"type": "url",
"uuid": "58806e4f-db9c-42ca-9ff4-4ff5950d210f",
"value": "http://guess515.fastmail.fm/files/obj/decepk"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811856",
"to_ids": true,
"type": "url",
"uuid": "58806e50-a450-4989-8cc0-4f48950d210f",
"value": "http://guess515.fastmail.fm/files/tasks"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811857",
"to_ids": true,
"type": "url",
"uuid": "58806e51-89e4-463c-b283-4703950d210f",
"value": "http://guess515.fastmail.fm/files/decepk"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811857",
"to_ids": true,
"type": "url",
"uuid": "58806e51-886c-4da1-87d3-4032950d210f",
"value": "http://guess515.fastmail.fm/files/bin/run"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811858",
"to_ids": true,
"type": "url",
"uuid": "58806e52-d2d0-4a2b-9cb9-428f950d210f",
"value": "http://guess515.fastmail.fm/files/jobs"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811859",
"to_ids": true,
"type": "url",
"uuid": "58806e53-07f8-4bdc-b554-46c6950d210f",
"value": "http://guess515.fastmail.fm/files/replace"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811860",
"to_ids": true,
"type": "url",
"uuid": "58806e54-beb0-45c1-81af-4638950d210f",
"value": "http://guess515.fastmail.fm/files/fail"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811861",
"to_ids": true,
"type": "url",
"uuid": "58806e55-0568-4c64-b4cd-4782950d210f",
"value": "http://guess515.fastmail.fm/files/obj"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811862",
"to_ids": true,
"type": "url",
"uuid": "58806e56-72e0-4602-81cb-4356950d210f",
"value": "http://guess515.fastmail.fm/files/obj/tasks"
},
{
"category": "Network activity",
"comment": "2010 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811862",
"to_ids": true,
"type": "url",
"uuid": "58806e56-400c-4f3c-b727-4b4e950d210f",
"value": "http://guess515.fastmail.fm/files/bin"
},
{
"category": "Network activity",
"comment": "2012 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811903",
"to_ids": true,
"type": "url",
"uuid": "58806e7f-11e0-411a-adf0-497a950d210f",
"value": "ftp://ftp1.storegate.com/home/jiwoku375"
},
{
"category": "Network activity",
"comment": "2012 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811904",
"to_ids": true,
"type": "url",
"uuid": "58806e80-ee2c-48e1-b25c-494d950d210f",
"value": "https://webdav1.storegate.com/jiwoku375/home/jiwoku375"
},
{
"category": "Network activity",
"comment": "2012 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811905",
"to_ids": true,
"type": "url",
"uuid": "58806e81-ba68-4cfb-a12c-4edc950d210f",
"value": "http://webdav1.storegate.com/jiwoku375/home/jiwoku375"
},
{
"category": "Network activity",
"comment": "2012 sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484811905",
"to_ids": true,
"type": "url",
"uuid": "58806e81-4664-4964-9817-4847950d210f",
"value": "ftp1.storegate.com/home/jiwoku375"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812244",
"to_ids": true,
"type": "url",
"uuid": "58806fd4-f158-41a6-bad8-46c3950d210f",
"value": "https://webdav.hidrive.strato.com/users/oncole3991"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812245",
"to_ids": true,
"type": "url",
"uuid": "58806fd5-ae40-4b64-a154-4c7b950d210f",
"value": "http://webdav.cloudme.com/imin1399/xios"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812246",
"to_ids": true,
"type": "url",
"uuid": "58806fd6-af4c-4467-86bf-429d950d210f",
"value": "http://webdav1.storegate.com/oldi4006/home/oldi4006"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812247",
"to_ids": true,
"type": "url",
"uuid": "58806fd7-424c-45a5-b1c3-4e88950d210f",
"value": "https://webdav1.storegate.com/oldi4006/home/oldi4006"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812247",
"to_ids": true,
"type": "url",
"uuid": "58806fd7-18c0-4ca5-b2e2-4e88950d210f",
"value": "http://webdav1.storegate.com/uwiq175/home/uwiq175"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812248",
"to_ids": true,
"type": "url",
"uuid": "58806fd8-85c4-4455-903a-47b7950d210f",
"value": "https://webdav1.storegate.com/enzevu888/home/enzevu888"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812249",
"to_ids": true,
"type": "url",
"uuid": "58806fd9-a310-4e87-b4fb-4eaa950d210f",
"value": "https://webdav1.storegate.com/ordu1337/home/ordu1337"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812250",
"to_ids": true,
"type": "url",
"uuid": "58806fda-01c4-473b-aaf6-4d45950d210f",
"value": "http://webdav1.storegate.com/oqokul68646/home/oqokul68646"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812251",
"to_ids": true,
"type": "url",
"uuid": "58806fdb-168c-4c83-8e3c-4c92950d210f",
"value": "http://webdav1.storegate.com/enzevu888/home/enzevu888"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812252",
"to_ids": true,
"type": "url",
"uuid": "58806fdc-a3f4-4be0-8fb3-4a8f950d210f",
"value": "https://webdav.cloudme.com/imin1399/xios"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812253",
"to_ids": true,
"type": "url",
"uuid": "58806fdd-3744-4672-bd97-40df950d210f",
"value": "https://webdav1.storegate.com/uwiq175/home/uwiq175"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812254",
"to_ids": true,
"type": "url",
"uuid": "58806fde-249c-4132-ad29-4cfe950d210f",
"value": "http://webdav.hidrive.strato.com/users/oncole3991"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812254",
"to_ids": true,
"type": "url",
"uuid": "58806fde-85e0-4f67-b8dd-4355950d210f",
"value": "http://webdav1.storegate.com/ordu1337/home/ordu1337"
},
{
"category": "Network activity",
"comment": "2014 - sample C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812255",
"to_ids": true,
"type": "url",
"uuid": "58806fdf-1b18-4b72-8947-4979950d210f",
"value": "https://webdav1.storegate.com/oqokul68646/home/oqokul68646"
},
{
"category": "Payload delivery",
"comment": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet - Xchecked via VT: 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812277",
"to_ids": true,
"type": "sha1",
"uuid": "58806ff5-5330-4f91-8468-42f602de0b81",
"value": "b5f08add2745bbed9ae4573fc9f16431cefa13f1"
},
{
"category": "Payload delivery",
"comment": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet - Xchecked via VT: 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812278",
"to_ids": true,
"type": "md5",
"uuid": "58806ff6-1afc-4b7c-b9c9-47de02de0b81",
"value": "f3802442727c0b614482455d6ad9edc2"
},
{
"category": "External analysis",
"comment": "Although used for debugging only, we found that the malware author was playing around with email-based cross-site scripting, as can be seen from the following code snippet - Xchecked via VT: 21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812278",
"to_ids": false,
"type": "link",
"uuid": "58806ff6-889c-407f-b3b2-401902de0b81",
"value": "https://www.virustotal.com/file/21b6f2584485b8bbfffdefd45c1c72dc2133290fd8cefb235eb39cf015550316/analysis/1423753823/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812279",
"to_ids": true,
"type": "sha1",
"uuid": "58806ff7-2504-4521-bbb3-4a3d02de0b81",
"value": "b61633975206c58df648df144c78bb3e20051d93"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812280",
"to_ids": true,
"type": "md5",
"uuid": "58806ff8-0868-4e2b-959a-42e402de0b81",
"value": "b39a673a5d2ceaa1fb5571769097ca77"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812280",
"to_ids": false,
"type": "link",
"uuid": "58806ff8-af9c-47f3-882f-4ace02de0b81",
"value": "https://www.virustotal.com/file/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c/analysis/1484353398/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812420",
"to_ids": true,
"type": "email-dst",
"uuid": "58807084-6eec-49b2-b5bb-4715950d210f",
"value": "tip848@gmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812420",
"to_ids": true,
"type": "email-dst",
"uuid": "58807084-8600-417b-9bf2-47fb950d210f",
"value": "deliver@hostpenta.com.xml"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812421",
"to_ids": true,
"type": "email-dst",
"uuid": "58807085-f248-4cf5-9a5f-4666950d210f",
"value": "archive@hostpenta.com.xml"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812422",
"to_ids": true,
"type": "email-dst",
"uuid": "58807086-775c-4aeb-a65a-4898950d210f",
"value": "tim11235@gmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812422",
"to_ids": true,
"type": "email-dst",
"uuid": "58807086-53a0-4a37-bf8f-4b83950d210f",
"value": "guess515@fastmail.fm"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812423",
"to_ids": true,
"type": "email-dst",
"uuid": "58807087-4370-4e79-b2ee-4bce950d210f",
"value": "tim11235@googlemail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812424",
"to_ids": true,
"type": "email-dst",
"uuid": "58807088-8d4c-4489-9df2-4d14950d210f",
"value": "dude626@gmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812425",
"to_ids": true,
"type": "email-dst",
"uuid": "58807089-4074-41eb-ad4b-4e1e950d210f",
"value": "octo424@gmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812425",
"to_ids": true,
"type": "email-dst",
"uuid": "58807089-8f08-4b3b-9ac0-403c950d210f",
"value": "plars575@gmail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484812426",
"to_ids": true,
"type": "email-dst",
"uuid": "5880708a-3e68-48f3-8aba-4df5950d210f",
"value": "purge626@gmail.com"
}
]
}
}