{ "Event": { "analysis": "2", "date": "2015-08-24", "extends_uuid": "", "info": "OSINT RTF Exploit Installs Italian RAT: uWarrior by Palo Alto", "publish_timestamp": "1440504598", "published": true, "threat_level_id": "2", "timestamp": "1440494650", "uuid": "55dc2f59-7238-468a-8956-575e950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493443", "to_ids": false, "type": "link", "uuid": "55dc2f83-ce00-42b3-946c-58f2950d210b", "value": "http://researchcenter.paloaltonetworks.com/2015/08/rtf-exploit-installs-italian-rat-uwarrior/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493443", "to_ids": false, "type": "link", "uuid": "55dc2f83-5594-4ed1-a759-58f2950d210b", "value": "https://otx.alienvault.com/pulse/55dbbc8c67db8c7bb8cb68c4/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493504", "to_ids": true, "type": "filename", "uuid": "55dc2fc0-ea3c-4a08-9158-58ef950d210b", "value": "%AppData%\\Local\\Temp\\bootloader.dec" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493504", "to_ids": true, "type": "filename", "uuid": "55dc2fc0-1510-46aa-a516-58ef950d210b", "value": "%AppData%\\Roaming\\warriors.dat" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493504", "to_ids": true, "type": "ip-dst", "uuid": "55dc2fc0-9124-4ef4-866a-58ef950d210b", "value": "23.249.225.140" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": true, "type": "sha256", "uuid": "55dc2fc1-e328-49c5-951a-58ef950d210b", "value": "57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": true, "type": "sha256", "uuid": "55dc2fc1-4f84-491a-9d9a-58ef950d210b", "value": "5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": true, "type": "ip-dst", "uuid": "55dc2fc1-0704-42bb-99e6-58ef950d210b", "value": "63.142.245.12" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": true, "type": "sha256", "uuid": "55dc2fc1-e34c-4e1a-a6cc-58ef950d210b", "value": "a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": false, "type": "vulnerability", "uuid": "55dc2fc1-7808-451d-8a34-58ef950d210b", "value": "CVE-2012-1856" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": false, "type": "vulnerability", "uuid": "55dc2fc1-84fc-484d-a0b8-58ef950d210b", "value": "CVE-2015-1770" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493505", "to_ids": true, "type": "sha256", "uuid": "55dc2fc1-c2a8-4ac7-be4a-58ef950d210b", "value": "f4aa83297844eb8297711e32554e41f677cce290732171583199a57fb7a0674b" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493506", "to_ids": true, "type": "hostname", "uuid": "55dc2fc2-a12c-4986-9c18-58ef950d210b", "value": "login.collegefan.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440493506", "to_ids": true, "type": "hostname", "uuid": "55dc2fc2-3858-4ae4-a9f4-58ef950d210b", "value": "login.loginto.me" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: f4aa83297844eb8297711e32554e41f677cce290732171583199a57fb7a0674b", "deleted": false, "disable_correlation": false, "timestamp": "1440494650", "to_ids": true, "type": "sha1", "uuid": "55dc343a-c350-47f7-978f-575e950d210b", "value": "844d4888ec0968a9b6da60ec2f1f2aa26937e201" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: f4aa83297844eb8297711e32554e41f677cce290732171583199a57fb7a0674b", "deleted": false, "disable_correlation": false, "timestamp": "1440494650", "to_ids": true, "type": "md5", "uuid": "55dc343a-d060-4295-8e35-575e950d210b", "value": "828858985c3456e0e5c2bd8add46344b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440494650", "to_ids": false, "type": "link", "uuid": "55dc343a-f080-43dc-a122-575e950d210b", "value": "https://www.virustotal.com/file/f4aa83297844eb8297711e32554e41f677cce290732171583199a57fb7a0674b/analysis/1440299283/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279", "deleted": false, "disable_correlation": false, "timestamp": "1440494651", "to_ids": true, "type": "sha1", "uuid": "55dc343b-6f78-41f9-948a-575e950d210b", "value": "fb434ba4f1eaf9f7f20fe6f49c4375e90fa98069" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279", "deleted": false, "disable_correlation": false, "timestamp": "1440494651", "to_ids": true, "type": "md5", "uuid": "55dc343b-eed8-4b86-bb83-575e950d210b", "value": "ae6b65ca7cbd4ca0ba86c6278c834547" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440494651", "to_ids": false, "type": "link", "uuid": "55dc343b-a264-4918-981d-575e950d210b", "value": "https://www.virustotal.com/file/a6dea088c9e2c9191e4c2fc4ece7b7b7bd3f034f444362d35c8765f6ec4bd279/analysis/1440434527/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc", "deleted": false, "disable_correlation": false, "timestamp": "1440494651", "to_ids": true, "type": "sha1", "uuid": "55dc343b-5e60-488c-8a4c-575e950d210b", "value": "777ba38c219d5c0251571b00d630fa3c5a59c9ac" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc", "deleted": false, "disable_correlation": false, "timestamp": "1440494651", "to_ids": true, "type": "md5", "uuid": "55dc343b-2ff4-4025-99dd-575e950d210b", "value": "4ec51012233e45e8e293c61250b080ac" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440494652", "to_ids": false, "type": "link", "uuid": "55dc343c-1900-4100-adf0-575e950d210b", "value": "https://www.virustotal.com/file/5dce01ec5e1bc1b4f5012e0b4bf16532206284fc8c64cfb8dcf907f45caf98fc/analysis/1439560797/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c", "deleted": false, "disable_correlation": false, "timestamp": "1440494652", "to_ids": true, "type": "sha1", "uuid": "55dc343c-ca88-49f9-b19d-575e950d210b", "value": "58318739e970bbfa3ef45673f47b09ba3fe3f20b" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c", "deleted": false, "disable_correlation": false, "timestamp": "1440494652", "to_ids": true, "type": "md5", "uuid": "55dc343c-2a5c-4153-bca2-575e950d210b", "value": "114c8d4316248de8630364cf4c24a754" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1440494652", "to_ids": false, "type": "link", "uuid": "55dc343c-0144-42ed-9807-575e950d210b", "value": "https://www.virustotal.com/file/57a5d0da72655df9c5ca9137df7210b86845eeabae488537c70e36587274937c/analysis/1440470623/" } ] } }