{ "Event": { "analysis": "2", "date": "2015-09-30", "extends_uuid": "", "info": "OSINT When ELF.BillGates met Windows by Arkoon+Netasq", "publish_timestamp": "1443681826", "published": true, "threat_level_id": "3", "timestamp": "1443681822", "uuid": "560c1c35-fd9c-4fb4-9a93-801b950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634253", "to_ids": false, "type": "link", "uuid": "560c1c4d-a4bc-49c3-b22d-6789950d210b", "value": "http://thisissecurity.net/2015/09/30/when-elf-billgates-met-windows/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1443634319", "to_ids": true, "type": "md5", "uuid": "560c1c8f-05a8-4724-a235-6789950d210b", "value": "4b14d7aca890642c3e269b75953e65cb" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634372", "to_ids": true, "type": "ip-dst", "uuid": "560c1cc4-0984-4576-9d59-8024950d210b", "value": "39.109.0.113" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634372", "to_ids": true, "type": "hostname", "uuid": "560c1cc4-ff38-43cc-9b05-8024950d210b", "value": "say.f322.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634373", "to_ids": true, "type": "ip-dst", "uuid": "560c1cc5-debc-4000-8253-8024950d210b", "value": "1.82.184.200" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634373", "to_ids": true, "type": "hostname", "uuid": "560c1cc5-7154-4873-be3b-8024950d210b", "value": "mou521.f3322.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634373", "to_ids": true, "type": "ip-dst", "uuid": "560c1cc5-4784-49b1-8ed0-8024950d210b", "value": "129.231.45.171" }, { "category": "Payload delivery", "comment": "Win32.BillGates", "deleted": false, "disable_correlation": false, "timestamp": "1443634474", "to_ids": true, "type": "md5", "uuid": "560c1d2a-5ffc-4e83-99cc-8022950d210b", "value": "fb7e7b5c35bb5311acc8139350344878" }, { "category": "Payload delivery", "comment": "Win32.BillGates", "deleted": false, "disable_correlation": false, "timestamp": "1443634474", "to_ids": true, "type": "md5", "uuid": "560c1d2a-2eac-4b6a-a9f1-8022950d210b", "value": "51f00e56b4ef21e6b7d6685ca3fbad1a" }, { "category": "Payload delivery", "comment": "Win32.BillGates", "deleted": false, "disable_correlation": false, "timestamp": "1443634474", "to_ids": true, "type": "md5", "uuid": "560c1d2a-e788-42d7-baa6-8022950d210b", "value": "f864867f277330f81669a7c90fb6a3f4" }, { "category": "Payload delivery", "comment": "Win32.BillGates", "deleted": false, "disable_correlation": false, "timestamp": "1443634475", "to_ids": true, "type": "md5", "uuid": "560c1d2b-38a4-4e2f-85f6-8022950d210b", "value": "c32f27eaadda31c36e32e97c481771c9" }, { "category": "Payload delivery", "comment": "Win32.BillGates", "deleted": false, "disable_correlation": false, "timestamp": "1443634475", "to_ids": true, "type": "md5", "uuid": "560c1d2b-eb64-4fdb-a51d-8022950d210b", "value": "8e9e4da1272f0b637917201443fcbd0a" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut:", "deleted": false, "disable_correlation": false, "timestamp": "1443634476", "to_ids": true, "type": "md5", "uuid": "560c1d2c-0570-40c3-acf4-8022950d210b", "value": "93fe8980c6279c090924e8669b0cb582" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut:", "deleted": false, "disable_correlation": false, "timestamp": "1443634476", "to_ids": true, "type": "md5", "uuid": "560c1d2c-3d98-427a-a61e-8022950d210b", "value": "2130df6f7817c86890a5e922f99430a3" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Parite", "deleted": false, "disable_correlation": false, "timestamp": "1443634476", "to_ids": true, "type": "md5", "uuid": "560c1d2c-488c-414f-a771-8022950d210b", "value": "129877bf0cbc9b8239c674810675f6f7" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634501", "to_ids": true, "type": "filename", "uuid": "560c1d45-63bc-4f07-9ccc-6221950d210b", "value": "%PROGRAMFILES%\\DbSecuritySpt\\DbSecuritySpt.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634502", "to_ids": true, "type": "filename", "uuid": "560c1d46-86e4-4032-bb59-6221950d210b", "value": "%PROGRAMFILES%\\DbSecuritySpt\\svch0st.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634502", "to_ids": true, "type": "filename", "uuid": "560c1d46-9364-41b3-8509-6221950d210b", "value": "%PROGRAMFILES%\\Windows Media Player\\agony.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634503", "to_ids": true, "type": "filename", "uuid": "560c1d47-284c-410b-b4fe-6221950d210b", "value": "%PROGRAMFILES%\\Windows Media Player\\agony.sys" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634503", "to_ids": true, "type": "filename", "uuid": "560c1d47-0584-458b-9819-6221950d210b", "value": "%PROGRAMFILES%\\Windows Media Player\\DNSProtection.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634504", "to_ids": true, "type": "filename", "uuid": "560c1d48-fbb8-4978-ab44-6221950d210b", "value": "%PROGRAMFILES%\\Windows Media Player\\DNSSupport.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634504", "to_ids": true, "type": "filename", "uuid": "560c1d48-4e78-45cb-9ad5-6221950d210b", "value": "%PROGRAMFILES%\\DbSecuritySpt\\NPF.sys" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443634505", "to_ids": true, "type": "filename", "uuid": "560c1d49-b02c-4db0-947d-6221950d210b", "value": "%PROGRAMFILES%\\DbSecuritySpt\\packet.dll" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Parite - Xchecked via VT: 129877bf0cbc9b8239c674810675f6f7", "deleted": false, "disable_correlation": false, "timestamp": "1443680485", "to_ids": true, "type": "sha256", "uuid": "560cd0e5-96f8-4be7-8853-801c950d210b", "value": "2f1ae7942df4f4d47a569e20913fe9107caa14bfd89b08925473f6536acbc6a3" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Parite - Xchecked via VT: 129877bf0cbc9b8239c674810675f6f7", "deleted": false, "disable_correlation": false, "timestamp": "1443680486", "to_ids": true, "type": "sha1", "uuid": "560cd0e6-145c-4336-bc21-801c950d210b", "value": "8d51d194aab4727ff3469b8b4e1486a39f84d6f0" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680486", "to_ids": false, "type": "link", "uuid": "560cd0e6-188c-463c-82f3-801c950d210b", "value": "https://www.virustotal.com/file/2f1ae7942df4f4d47a569e20913fe9107caa14bfd89b08925473f6536acbc6a3/analysis/1432574759/" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut: - Xchecked via VT: 2130df6f7817c86890a5e922f99430a3", "deleted": false, "disable_correlation": false, "timestamp": "1443680487", "to_ids": true, "type": "sha256", "uuid": "560cd0e7-f514-4c7b-a757-801c950d210b", "value": "d7efd8ab33fe77b689968ef3fe790ed7939624c754a455ce512fe5bb67be732f" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut: - Xchecked via VT: 2130df6f7817c86890a5e922f99430a3", "deleted": false, "disable_correlation": false, "timestamp": "1443680487", "to_ids": true, "type": "sha1", "uuid": "560cd0e7-86e4-4368-9656-801c950d210b", "value": "8531f1e1b3d2ee15af6ed3ab5b4a804773650d25" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680487", "to_ids": false, "type": "link", "uuid": "560cd0e7-0238-4fe1-aa85-801c950d210b", "value": "https://www.virustotal.com/file/d7efd8ab33fe77b689968ef3fe790ed7939624c754a455ce512fe5bb67be732f/analysis/1439312871/" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut: - Xchecked via VT: 93fe8980c6279c090924e8669b0cb582", "deleted": false, "disable_correlation": false, "timestamp": "1443680488", "to_ids": true, "type": "sha256", "uuid": "560cd0e8-fc38-4565-bfa5-801c950d210b", "value": "9dc3068a321b41def24dca518b07a717a633a84d953f9e6d6bd94be2e21e8e98" }, { "category": "Payload delivery", "comment": "Win32.BillGates infected by Win32.Virut: - Xchecked via VT: 93fe8980c6279c090924e8669b0cb582", "deleted": false, "disable_correlation": false, "timestamp": "1443680488", "to_ids": true, "type": "sha1", "uuid": "560cd0e8-d208-4923-be9a-801c950d210b", "value": "a80fbe481dfab7d0f4a9e11f649f6863a6b8a844" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680488", "to_ids": false, "type": "link", "uuid": "560cd0e8-ec74-42f0-8c16-801c950d210b", "value": "https://www.virustotal.com/file/9dc3068a321b41def24dca518b07a717a633a84d953f9e6d6bd94be2e21e8e98/analysis/1424121957/" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: 8e9e4da1272f0b637917201443fcbd0a", "deleted": false, "disable_correlation": false, "timestamp": "1443680489", "to_ids": true, "type": "sha256", "uuid": "560cd0e9-bbac-415b-8d4d-801c950d210b", "value": "aa068ca86fd9ec4e29d3bf00c7d99a3039f04f701e358e31ee98e5c48c09cc7a" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: 8e9e4da1272f0b637917201443fcbd0a", "deleted": false, "disable_correlation": false, "timestamp": "1443680489", "to_ids": true, "type": "sha1", "uuid": "560cd0e9-7c40-4d41-867e-801c950d210b", "value": "4367ae72e85d42e979c7faca87c0754e5aa9da41" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680489", "to_ids": false, "type": "link", "uuid": "560cd0e9-2480-4d1f-a35e-801c950d210b", "value": "https://www.virustotal.com/file/aa068ca86fd9ec4e29d3bf00c7d99a3039f04f701e358e31ee98e5c48c09cc7a/analysis/1418116709/" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: c32f27eaadda31c36e32e97c481771c9", "deleted": false, "disable_correlation": false, "timestamp": "1443680490", "to_ids": true, "type": "sha256", "uuid": "560cd0ea-9750-4a76-b276-801c950d210b", "value": "8ad95441c528ab80226ad2bb4be5d921acb6818e97c3e793a05f2677e1591e24" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: c32f27eaadda31c36e32e97c481771c9", "deleted": false, "disable_correlation": false, "timestamp": "1443680490", "to_ids": true, "type": "sha1", "uuid": "560cd0ea-bd54-40a5-a3e1-801c950d210b", "value": "91c6e2ac9dce76bf8ee6bdb5ec58735a6bad98f5" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680491", "to_ids": false, "type": "link", "uuid": "560cd0eb-2448-4924-b638-801c950d210b", "value": "https://www.virustotal.com/file/8ad95441c528ab80226ad2bb4be5d921acb6818e97c3e793a05f2677e1591e24/analysis/1406118682/" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: f864867f277330f81669a7c90fb6a3f4", "deleted": false, "disable_correlation": false, "timestamp": "1443680491", "to_ids": true, "type": "sha256", "uuid": "560cd0eb-6f80-44f2-8ed5-801c950d210b", "value": "6341eec9e0bdfad72ae6b05ae9e196539b15a8eb7eb2ece1ca79e93ac6f35e25" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: f864867f277330f81669a7c90fb6a3f4", "deleted": false, "disable_correlation": false, "timestamp": "1443680491", "to_ids": true, "type": "sha1", "uuid": "560cd0eb-41a0-4f9e-8af9-801c950d210b", "value": "495bb971f973104a30a83d1f1e8739dc70181912" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680492", "to_ids": false, "type": "link", "uuid": "560cd0ec-efa0-4a7d-9277-801c950d210b", "value": "https://www.virustotal.com/file/6341eec9e0bdfad72ae6b05ae9e196539b15a8eb7eb2ece1ca79e93ac6f35e25/analysis/1403672511/" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: 51f00e56b4ef21e6b7d6685ca3fbad1a", "deleted": false, "disable_correlation": false, "timestamp": "1443680492", "to_ids": true, "type": "sha256", "uuid": "560cd0ec-8744-4dfe-a85c-801c950d210b", "value": "4209035f042bcd79fe91997c8466cfdd890e740d8cb85b3076d7a5e79891f441" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: 51f00e56b4ef21e6b7d6685ca3fbad1a", "deleted": false, "disable_correlation": false, "timestamp": "1443680492", "to_ids": true, "type": "sha1", "uuid": "560cd0ec-3004-43cc-bbe5-801c950d210b", "value": "c145e5e23cd95de4c0b521f0eb7ded59ba0a381e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680493", "to_ids": false, "type": "link", "uuid": "560cd0ed-f9c0-43ad-a544-801c950d210b", "value": "https://www.virustotal.com/file/4209035f042bcd79fe91997c8466cfdd890e740d8cb85b3076d7a5e79891f441/analysis/1431436610/" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: fb7e7b5c35bb5311acc8139350344878", "deleted": false, "disable_correlation": false, "timestamp": "1443680493", "to_ids": true, "type": "sha256", "uuid": "560cd0ed-59f4-4152-941e-801c950d210b", "value": "0434ba4a0dc59bca819f7586f12f9ef0de83de28b37da9c83a0b12520d3ebbd1" }, { "category": "Payload delivery", "comment": "Win32.BillGates - Xchecked via VT: fb7e7b5c35bb5311acc8139350344878", "deleted": false, "disable_correlation": false, "timestamp": "1443680493", "to_ids": true, "type": "sha1", "uuid": "560cd0ed-2fcc-4467-bfa6-801c950d210b", "value": "3038ca2fc80c4c90cd7909724a937e9890bc0203" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680494", "to_ids": false, "type": "link", "uuid": "560cd0ee-9928-43e5-b9e1-801c950d210b", "value": "https://www.virustotal.com/file/0434ba4a0dc59bca819f7586f12f9ef0de83de28b37da9c83a0b12520d3ebbd1/analysis/1424273883/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 4b14d7aca890642c3e269b75953e65cb", "deleted": false, "disable_correlation": false, "timestamp": "1443680494", "to_ids": true, "type": "sha256", "uuid": "560cd0ee-53b4-491e-abdb-801c950d210b", "value": "d241880aefef812b462153ae0f8ec079e8b56789f1c7547624e9406b74da12fd" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 4b14d7aca890642c3e269b75953e65cb", "deleted": false, "disable_correlation": false, "timestamp": "1443680494", "to_ids": true, "type": "sha1", "uuid": "560cd0ee-d8e8-438b-a5e8-801c950d210b", "value": "cb4271a5ed7cf66b1d508d3d7364c11280c1763d" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1443680495", "to_ids": false, "type": "link", "uuid": "560cd0ef-0258-4b9b-9c61-801c950d210b", "value": "https://www.virustotal.com/file/d241880aefef812b462153ae0f8ec079e8b56789f1c7547624e9406b74da12fd/analysis/1435885257/" } ] } }