{ "Event": { "analysis": "2", "date": "2014-10-30", "extends_uuid": "", "info": "OSINT The Rotten Tomato Campaign", "publish_timestamp": "1456154066", "published": true, "threat_level_id": "2", "timestamp": "1415888726", "uuid": "5462a024-eed8-4057-9a85-3030950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749839", "to_ids": false, "type": "link", "uuid": "5462a0cf-c80c-425a-b3b9-42c9950d210b", "value": "http://blogs.sophos.com/2014/10/30/the-rotten-tomato-campaign-new-sophoslabs-research-on-apts/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749839", "to_ids": false, "type": "link", "uuid": "5462a0cf-9b84-4402-83eb-4761950d210b", "value": "http://blogs.sophos.com/tag/rotten-tomato/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749839", "to_ids": false, "type": "link", "uuid": "5462a0cf-f9d0-4de3-8497-4d61950d210b", "value": "http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-rotten-tomato-campaign.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749854", "to_ids": false, "type": "comment", "uuid": "5462a0de-b6f0-4ac9-b880-4459950d210b", "value": "Data entered by David Andr\u00e9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749866", "to_ids": false, "type": "text", "uuid": "5462a0ea-4114-461d-b355-baa5950d210b", "value": "Rotten Tomato" }, { "category": "Payload delivery", "comment": "", 
"deleted": false, "disable_correlation": false, "timestamp": "1415749910", "to_ids": false, "type": "vulnerability", "uuid": "5462a116-c38c-4e6b-8025-56b7950d210b", "value": "CVE-2012-0158" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749910", "to_ids": false, "type": "vulnerability", "uuid": "5462a116-dbdc-46e5-bc97-56b7950d210b", "value": "CVE-2014-1761" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415749985", "to_ids": true, "type": "sha1", "uuid": "5462a161-2a34-480a-8cf3-bf0d950d210b", "value": "13effaca957cc362bdcbfdd05b5763205b53d9ca" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415750066", "to_ids": true, "type": "filename", "uuid": "5462a185-34e4-4a8a-a64d-5857950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\AShld\\BlackBox.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415750047", "to_ids": true, "type": "filename", "uuid": "5462a19f-1db0-42cd-80bf-4910950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\AShld\\BlackBox.BOX" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415750103", "to_ids": true, "type": "hostname", "uuid": "5462a1d7-cc38-44a3-8ef9-56b7950d210b", "value": "chromeupdate.authorizeddns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415750103", "to_ids": true, "type": "hostname", "uuid": "5462a1d7-aac8-4538-998f-56b7950d210b", "value": "googlesupport.proxydns.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-22b8-41f8-a5c6-4878950d210b", "value": "e2474cc0da5a79af876771217eb81974e73c39e5" }, { 
"category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-4c00-4d20-bb35-49f6950d210b", "value": "21b3e540746816c85e5270a1b8bb58bf713ff5f5" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-8c3c-49f2-a715-4b42950d210b", "value": "80f965432ce872fc3592d9f907d5a4f66ab07f9c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-5bac-472a-b63d-421c950d210b", "value": "176273806e6fe338123ff660e70145935bac77c3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-6378-46bb-9c4d-4f1a950d210b", "value": "4ad76ce333b38c5bdd558e3d76640fa322e3cca6" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-5e10-418b-a037-4e06950d210b", "value": "0dfd883c1f205f0740d50688683f1869bcc0e9d7" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779684", "to_ids": true, "type": "sha1", "uuid": "54631564-9ddc-443d-addd-40df950d210b", "value": "9bc128f120996677d3c4f7c1d7506315b232e49e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-0f2c-495b-9391-48c1950d210b", "value": "712df1f1f11f63e2154eb9023d584be62ef100b8" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": 
"54631565-5968-4198-837a-46c8950d210b", "value": "960ac7329a6e80682959d6da0469921f8167e79a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-7d44-4f3c-9d04-4315950d210b", "value": "bb185efd35f7b4892a32e7853e044e94502a36af" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-be38-4a2f-adef-49bf950d210b", "value": "a44308788bbd189e532745a79d126feaf708c3cd" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-ef80-41b4-adbc-452c950d210b", "value": "d05e586251b3a965b9c9af76568eff912e16432f" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-a510-4dd3-960d-4799950d210b", "value": "fa616b8e2f91810a8d036ba0adca6df50da2ad22" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-72a4-4205-90d3-4747950d210b", "value": "6f845ef154a0b456afcf8b562a0387dabf4f5f85" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-9d20-4a19-95be-4865950d210b", "value": "a97827aef54e7969b9cbbec64d9ee81a835f2240" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-65ec-4c5f-b9d9-4a5c950d210b", "value": "e8a29bb90422fa6116563073725fa54169998325" }, { "category": "External analysis", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1415779685", "to_ids": true, "type": "sha1", "uuid": "54631565-65e8-4539-a075-4649950d210b", "value": "19e9dfabdb9b10a90b62c12f205ff0d1eeef3f14" }, { "category": "Artifacts dropped", "comment": "clean loader digitally signed by Microsoft", "deleted": false, "disable_correlation": false, "timestamp": "1415779979", "to_ids": false, "type": "filename", "uuid": "5463168b-5518-4ecc-a527-4f03950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\AShld\\drmupgds.exe" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-4808-413e-b122-baa5950d210b", "value": "www.notebookhk.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-b56c-40a6-ab4e-baa5950d210b", "value": "dwm.dnsedc.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-6c0c-43df-af55-baa5950d210b", "value": "futuresgolda.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-8018-41b7-bc55-baa5950d210b", "value": "adobeflashupdate.dynu.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-d7c4-48ff-b49f-baa5950d210b", "value": "systemupdate5.dtdns.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-af34-4176-8d7c-baa5950d210b", "value": "indiasceus.jetos.com" }, { "category": "Network activity", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-765c-4690-8086-baa5950d210b", "value": "indiasceus.justdied.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-ae08-467a-9e40-baa5950d210b", "value": "transactiona.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-56e0-414a-b3b5-baa5950d210b", "value": "buglaa.sportnewsa.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-378c-435c-aa3f-baa5950d210b", "value": "unisers.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-72b4-4295-807a-baa5950d210b", "value": "www.starorder.ezua.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-5d2c-43d5-b5ba-baa5950d210b", "value": "pop3.sec-homeland.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780567", "to_ids": true, "type": "hostname", "uuid": "546318d7-7044-4ed6-a037-baa5950d210b", "value": "sec-homeland.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780568", "to_ids": true, "type": "hostname", "uuid": "546318d8-a1f4-47a3-adc7-baa5950d210b", "value": "supercat.strangled.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1415780568", "to_ids": true, "type": "hostname", "uuid": "546318d8-2030-4aea-8184-baa5950d210b", "value": "nusteachers.no-ip.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780568", "to_ids": true, "type": "hostname", "uuid": "546318d8-3e14-476c-892f-baa5950d210b", "value": "ruchi.mysq1.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415780568", "to_ids": true, "type": "hostname", "uuid": "546318d8-727c-464f-a9ed-baa5950d210b", "value": "www.freetimes.dns05.com" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-0058-43dd-b5dc-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\usta\\ushata.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-4d04-487d-aa4f-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\usta\\ushata.dll.avp" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-ce84-43ea-b047-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\AShld\\AShldRes.DLL" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-14e4-4f87-b644-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\AShld\\AShldRes.DLL.asr" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-d914-4ed8-be54-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\KavSky\\msi.dll" }, { "category": "Artifacts dropped", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-e144-42d9-b5f0-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\DRM\\KavSky\\msi.dll.eng" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-6eb0-4681-9a3d-5d0f950d210b", "value": "%WINDOWS%\\AppPatch\\AcProtect.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887726", "to_ids": true, "type": "filename", "uuid": "5464bb6e-a3a8-42a7-a54d-5d0f950d210b", "value": "%WINDOWS%\\AppPatch\\msimain.mui" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-cda8-4e5a-88c2-5d0f950d210b", "value": "%WINDOWS%\\AppPatch\\Custom\\{099BF1AE-6A93-493D-0C48-2453E7FBC801}.sdband" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-1e1c-488b-9251-5d0f950d210b", "value": "%PROFILE%\\Local Settings\\Temp\\3.tmp" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-1dc8-470a-8135-5d0f950d210b", "value": "%PROFILE%\\Local Settings\\Temp\\msvcpdl100.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-2db8-4a65-96b0-5d0f950d210b", "value": "C:\\MsBuild\\Microsoft\\Windows\\System32\\svchost.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, 
"type": "filename", "uuid": "5464bb6f-fc2c-4d68-8cf1-5d0f950d210b", "value": "%PROFILE%\\Application Data\\winlog.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-b204-47b7-baad-5d0f950d210b", "value": "%PROFILE%\\Application Data\\winlog.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-1af0-4cd6-8381-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\RasTls\\RasTls.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887727", "to_ids": true, "type": "filename", "uuid": "5464bb6f-4e34-41c7-9cad-5d0f950d210b", "value": "%ALLUSERSPROFILE%\\RasTls\\RasTls.dll.msc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887951", "to_ids": true, "type": "sha1", "uuid": "5464bc4f-1ea4-489c-b8c8-637d950d210b", "value": "c3a7cb43ec13299b758cb8ca25eace71329939f7" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887951", "to_ids": true, "type": "sha1", "uuid": "5464bc4f-18b0-4436-affb-637d950d210b", "value": "51346d70ea97a7aaef80f98c4891526443b2696c" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887951", "to_ids": true, "type": "sha1", "uuid": "5464bc4f-0b04-42a6-b085-637d950d210b", "value": "994be9c340f57ba8cbb20b7ceedad49b00294f3e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1415887951", "to_ids": true, "type": "sha1", "uuid": "5464bc4f-a100-4f1c-9fce-637d950d210b", "value": "2196770391bdbdd15bce5895427ec99b1bef0868" }, { "category": "External analysis", "comment": 
"", "deleted": false, "disable_correlation": false, "timestamp": "1415887951", "to_ids": true, "type": "sha1", "uuid": "5464bc4f-fc78-423f-9276-637d950d210b", "value": "511f2055a56c0f458b1b14cc207730d0fe639df4" }, { "category": "Attribution", "comment": "Registrant", "deleted": false, "disable_correlation": false, "timestamp": "1415888726", "to_ids": false, "type": "text", "uuid": "5464bf56-9edc-45db-8bf7-51e4950d210b", "value": "yuminga1@126.com" }, { "category": "Attribution", "comment": "Registrant", "deleted": false, "disable_correlation": false, "timestamp": "1415888726", "to_ids": false, "type": "text", "uuid": "5464bf56-330c-4ec0-b962-51e4950d210b", "value": "bitumberls@163.com" }, { "category": "Attribution", "comment": "Registrant", "deleted": false, "disable_correlation": false, "timestamp": "1415888726", "to_ids": false, "type": "text", "uuid": "5464bf56-74fc-4eef-a489-51e4950d210b", "value": "joiupnhs@163.com" }, { "category": "Attribution", "comment": "Registrant", "deleted": false, "disable_correlation": false, "timestamp": "1415888726", "to_ids": false, "type": "text", "uuid": "5464bf57-385c-4932-ac40-51e4950d210b", "value": "stanlee@gmail.com" }, { "category": "External analysis", "comment": "Automatically added (via 511f2055a56c0f458b1b14cc207730d0fe639df4)", "deleted": false, "disable_correlation": false, "timestamp": "1455834393", "to_ids": true, "type": "md5", "uuid": "56c64519-01b4-4d37-bc35-599d950d210f", "value": "5c986d32add37bc11bd8f89c3d38df9b" }, { "category": "External analysis", "comment": "Automatically added (via 511f2055a56c0f458b1b14cc207730d0fe639df4)", "deleted": false, "disable_correlation": false, "timestamp": "1455834395", "to_ids": true, "type": "sha256", "uuid": "56c6451b-57dc-4903-825e-5ca1950d210f", "value": "25339bfd0befe9f493a6b120755e5e87b47df4aeaf4ba9f1157ff1215f37db97" } ] } }