{ "Event": { "analysis": "2", "date": "2015-03-04", "extends_uuid": "", "info": "OSINT Who's Really Spreading through the Bright Star? by Securelist / Kaspersky", "publish_timestamp": "1456154100", "published": true, "threat_level_id": "3", "timestamp": "1425646275", "uuid": "54f9a0ef-0ebc-414d-88ab-f094950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": false, "type": "link", "uuid": "54f9a0fd-56c8-411a-8cc7-489b950d210b", "value": "https://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": false, "type": "text", "uuid": "54f9a10f-34e4-4fd7-a9d3-484e950d210b", "value": "Dark Hotel" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "hostname", "uuid": "54f9a13b-6bdc-40e8-a010-f094950d210b", "value": "a.gwas.perl.sh" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "hostname", "uuid": "54f9a13b-3c84-4c16-a132-f094950d210b", "value": "a-gwas-01.dyndns.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "hostname", "uuid": "54f9a13c-7868-4fb4-be39-f094950d210b", "value": "a-gwas-01.slyip.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a172-5cac-4b31-ad16-453f950d210b", "value": "78d3c8705f8baf7d34e6a6737d1cfa18" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a172-0e68-4f06-b8c1-4e32950d210b", "value": "978888892a1ed13e94d2fcb832a2a6b5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "filename", "uuid": "54f9a17e-ad50-4166-a1a0-4860950d210b", "value": "%WINDIR%\\system32\\mscaps.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "filename", "uuid": "54f9a17e-97e4-4943-81de-4463950d210b", "value": "%WINDIR%\\system32\\wtime32.dll" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": false, "type": "text", "uuid": "54f9a1ab-b520-4b9a-8339-4188950d210b", "value": "Bright Star" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a217-da1c-4f1b-b37d-4132950d210b", "value": "2d9df706d1857434fcaa014df70d1c66" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a217-df00-4d26-9ac7-4f77950d210b", "value": "fffa05401511ad2a89283c52d0c86472" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a217-b858-49e2-bba3-4321950d210b", "value": "1fcc5b3ed6bc76d70cfa49d051e0dff6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a217-9d88-4a75-a466-4236950d210b", "value": "d0c9ada173da923efabb53d5a9b28d54" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a218-bfe4-4b5c-b5c8-461c950d210b", "value": "daac1781c9d22f5743ade0cb41feaebf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a218-c784-446d-bf77-4ab7950d210b", "value": "6a9461f260ebb2556b8ae1d0ba93858a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a218-e61c-492d-92cc-4777950d210b", "value": "f1c9f4a1f92588aeb82be5d2d4c2c730" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a218-f9e0-45b9-9f98-4797950d210b", "value": "59ee2ff6dbac2b6cd3e98cb0ff581bdb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646116", "to_ids": true, "type": "md5", "uuid": "54f9a218-79d8-4182-84db-4c98950d210b", "value": "f415ea8f2435d6c9656cc6525c65bd3c" }, { "category": "Antivirus detection", "comment": "Kaspersky", "deleted": false, "disable_correlation": false, "timestamp": "1425646155", "to_ids": false, "type": "text", "uuid": "54f9a24b-fca4-4e03-b504-4098950d210b", "value": "Trojan.Win32.Agent.hwgw" }, { "category": "Antivirus detection", "comment": "Kaspersky", "deleted": false, "disable_correlation": false, "timestamp": "1425646155", "to_ids": false, "type": "text", "uuid": "54f9a24b-9908-439e-8df7-44d7950d210b", "value": "UDS:DangerousObject.Multi.Generic" }, { "category": "Antivirus detection", "comment": "Kaspersky", "deleted": false, "disable_correlation": false, "timestamp": "1425646155", "to_ids": false, "type": "text", "uuid": "54f9a24b-b538-4cee-8162-4e69950d210b", "value": "HEUR:Trojan.Win32.Generic" }, { "category": "Antivirus detection", "comment": "Kaspersky", "deleted": false, "disable_correlation": false, "timestamp": "1425646155", "to_ids": false, "type": "text", "uuid": "54f9a24b-ebfc-40f6-a24f-4500950d210b", "value": "Trojan-Dropper.Win32.Daws.awfy" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-ca7c-4ece-8598-40fc950d210b", "value": "78d3c8705f8baf7d34e6a6737d1cfa18" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-108c-4f7a-8982-40c4950d210b", "value": "2d9df706d1857434fcaa014df70d1c66" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-8d30-43e2-a150-4f43950d210b", "value": "1e7c6907b63c4a485e7616aa04351da7" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-87c0-4133-8257-4962950d210b", "value": "1fcc5b3ed6bc76d70cfa49d051e0dff6" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-1724-483e-a397-4a70950d210b", "value": "523b4b169dde3bcab81311cfdee68e92" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-ba10-46fc-91a5-4567950d210b", "value": "541989816355fd606838260f5b49d931" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-d54c-41ec-89b4-455d950d210b", "value": "5e34f85278bf3504fc1b9a59d2e7479b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-f7f4-42c8-b545-4a79950d210b", "value": "6a9461f260ebb2556b8ae1d0ba93858a" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-3cc8-4d0c-ba11-4581950d210b", "value": "78ba5b642df336009812a0b52827e1de" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-fe84-4b60-81b3-4cff950d210b", "value": "7f15d9149736966f1df03fc60e87b8ac" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646210", "to_ids": true, "type": "md5", "uuid": "54f9a282-002c-440a-a52b-4f25950d210b", "value": "7f3a38093bd60da04d0fa5f50867d24f" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-56b0-4339-9b32-46cd950d210b", "value": "mscaps.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-8c04-4bba-89b1-40be950d210b", "value": "arc.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-d0f0-43d8-b6a6-4ad1950d210b", "value": "@aedf66.tmp.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-7094-4fea-964c-432b950d210b", "value": "dis.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-7c88-4ac1-a201-413f950d210b", "value": "wdext.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-0690-42fd-8aac-454b950d210b", "value": "sha.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1425646275", "to_ids": true, "type": "filename", "uuid": "54f9a2c3-43c4-4a83-b866-4122950d210b", "value": "wdexe.exe" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 6a9461f260ebb2556b8ae1d0ba93858a)", "deleted": false, "disable_correlation": false, "timestamp": "1455839070", "to_ids": true, "type": "sha1", "uuid": "56c6575e-3d24-4ed7-b7c5-599f950d210f", "value": "01e14b87b69dce8272d84669f44f81d685dcf7c5" }, { "category": "Payload delivery", "comment": "Automatically added (via 978888892a1ed13e94d2fcb832a2a6b5)", "deleted": false, "disable_correlation": false, "timestamp": "1455839072", "to_ids": true, "type": "sha1", "uuid": "56c65760-d398-47c4-9b5a-59a3950d210f", "value": "4528a769de6407f01d01d03095d5d8fa38c4b4ae" }, { "category": "Payload delivery", "comment": "Automatically added (via fffa05401511ad2a89283c52d0c86472)", "deleted": false, "disable_correlation": false, "timestamp": "1455839074", "to_ids": true, "type": "sha1", "uuid": "56c65762-f0a8-4514-a3e7-40a3950d210f", "value": "99a9fbcac39b9522d1d628620b69c4cd7cc110f1" }, { "category": "Payload delivery", "comment": "Automatically added (via d0c9ada173da923efabb53d5a9b28d54)", "deleted": false, "disable_correlation": false, "timestamp": "1455839076", "to_ids": true, "type": "sha1", "uuid": "56c65764-c1c0-4f62-87cd-599c950d210f", "value": "0cefe568d2a06bd44fe9dfab65b1e27bd34def11" }, { "category": "Payload delivery", "comment": "Automatically added (via f1c9f4a1f92588aeb82be5d2d4c2c730)", "deleted": false, "disable_correlation": false, "timestamp": "1455839078", "to_ids": true, "type": "sha1", "uuid": "56c65766-7358-4804-84d2-c650950d210f", "value": "3dc5a017b15ba74fae2342937380905bf7e8fbd5" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 6a9461f260ebb2556b8ae1d0ba93858a)", "deleted": false, "disable_correlation": false, "timestamp": "1455839071", "to_ids": true, "type": "sha256", "uuid": "56c6575f-94f0-44dd-901d-599d950d210f", "value": "0b059565160c180df60470349770a6dd225981a8051639385bb49d33d2a73632" }, { "category": "Payload delivery", "comment": "Automatically added (via 978888892a1ed13e94d2fcb832a2a6b5)", "deleted": false, "disable_correlation": false, "timestamp": "1455839073", "to_ids": true, "type": "sha256", "uuid": "56c65761-4130-4d4a-9614-4766950d210f", "value": "c7dc3ac34cfcadba2aedf1727ce95c7e54a8e4b3ada1373916adb25dcf05e369" }, { "category": "Payload delivery", "comment": "Automatically added (via fffa05401511ad2a89283c52d0c86472)", "deleted": false, "disable_correlation": false, "timestamp": "1455839075", "to_ids": true, "type": "sha256", "uuid": "56c65763-f668-4c0e-ace8-59a1950d210f", "value": "41a712fd2111c5ddec6fe58a29c80f19923cc72e88b4508d5a3daeb236ddf1b8" }, { "category": "Payload delivery", "comment": "Automatically added (via d0c9ada173da923efabb53d5a9b28d54)", "deleted": false, "disable_correlation": false, "timestamp": "1455839076", "to_ids": true, "type": "sha256", "uuid": "56c65764-a468-44de-8d2d-c651950d210f", "value": "ad01ab517cf1c9f5d30b3ea749c91c5c8fc613e771d25287483023d2066e1523" }, { "category": "Payload delivery", "comment": "Automatically added (via f1c9f4a1f92588aeb82be5d2d4c2c730)", "deleted": false, "disable_correlation": false, "timestamp": "1455839078", "to_ids": true, "type": "sha256", "uuid": "56c65766-16b4-4f4f-ae47-599f950d210f", "value": "d3a46f71aa7467920b16b64c9d17eaf6c4e147f41cd1390dccff01e4a81f8dfa" } ] } }