{ "Event": { "analysis": "2", "date": "2017-03-29", "extends_uuid": "", "info": "OSINT - Trojanized Adobe Installer used to Install DragonOK\u2019s New Custom Backdoor", "publish_timestamp": "1490818818", "published": true, "threat_level_id": "3", "timestamp": "1490818721", "uuid": "58dbc5ad-10a4-4da9-9e7e-4b97950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"KHRAT\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": false, "type": "link", "uuid": "58dbc5d4-5f34-4f5e-b2e3-4664950d210f", "value": "https://blogs.forcepoint.com/security-labs/trojanized-adobe-installer-used-install-dragonok%E2%80%99s-new-custom-backdoor", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": false, "type": "text", "uuid": "58dbc5ef-6c24-4801-86c5-4944950d210f", "value": "Since January of this year, Forcepoint Security Labs\u2122 have observed that the DragonOK campaign have started to target political parties in Cambodia. DragonOK is an active targeted attack that was first discovered in 2014. It is known to target organizations from Taiwan, Japan, Tibet and Russia with spear-phishing emails containing malicious attachments. \r\n\r\nThe latest dropper they used is disguised as an Adobe Reader installer and installs yet another new custom remote access tool (RAT). 
We have named this RAT \u201cKHRAT\u201d based on one of the command and control servers used, kh[.]inter-ctrip[.]com, which pertained to Cambodia\u2019s country code.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc159d-b54c-4e52-9ee3-4b1d02de0b81", "value": "17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0" }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc159e-6a80-44ee-94fd-456702de0b81", "value": "a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f" }, { "category": "Payload delivery", "comment": "Compilation 16/02/2017 03:53", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc159f-5910-4d6d-b3c1-4e0602de0b81", "value": "540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b" }, { "category": "Payload delivery", "comment": "Compilation 08/03/2017 01:43", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc15a0-80f0-4d65-973b-40b302de0b81", "value": "ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e" }, { "category": "Network activity", "comment": "KHRAT C2s", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "hostname", "uuid": "58dc15c1-cf94-482f-9ee5-418802de0b81", "value": "cookie.inter-ctrip.com" }, { "category": "Network activity", "comment": "KHRAT C2s", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": 
"hostname", "uuid": "58dc15c2-649c-473f-9045-4ee202de0b81", "value": "help.inter-ctrip.com" }, { "category": "Network activity", "comment": "KHRAT C2s", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "hostname", "uuid": "58dc15c3-bb6c-4d2e-a33c-428802de0b81", "value": "bit.inter-ctrip.com" }, { "category": "Network activity", "comment": "KHRAT C2s", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "hostname", "uuid": "58dc15c4-cd04-4b0d-b884-473d02de0b81", "value": "kh.inter-ctrip.com" }, { "category": "Payload delivery", "comment": "(\"reader112_en_ha_install.exe\", dropper)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc1635-62b4-4b6b-adc9-453f02de0b81", "value": "bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2" }, { "category": "Payload delivery", "comment": "(RTF dropper with CVE-2015-1641 exploit, unknown filename)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc1636-6c58-4d65-8fdd-402902de0b81", "value": "9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0" }, { "category": "External analysis", "comment": "(RTF dropper with CVE-2015-1641 exploit, unknown filename)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": false, "type": "vulnerability", "uuid": "58dc1637-eaa4-46be-91b3-413702de0b81", "value": "CVE-2015-1641" }, { "category": "Payload delivery", "comment": "(\u201cKFC.exe\u201d, KHRAT loader)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc1637-6314-4a40-87bf-421502de0b81", "value": "d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5" }, { "category": "Payload delivery", "comment": "(\u201cThe plan CPP split 
CNRP!.doc.exe\u201d, dropper)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc1638-d968-4a8c-bbc9-454802de0b81", "value": "a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b" }, { "category": "Payload delivery", "comment": "(\u201cKFC.com\u201d, KHRAT loader)", "deleted": false, "disable_correlation": false, "timestamp": "1490818721", "to_ids": true, "type": "sha256", "uuid": "58dc1639-f108-4f79-bbe8-420902de0b81", "value": "77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7" }, { "category": "Payload delivery", "comment": "(\u201cKFC.com\u201d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7", "deleted": false, "disable_correlation": false, "timestamp": "1490818736", "to_ids": true, "type": "sha1", "uuid": "58dc16b0-ca90-4d27-baf8-485402de0b81", "value": "02c7e31f90ec4bb77dc68c32e626f7ed9a22c1e9" }, { "category": "Payload delivery", "comment": "(\u201cKFC.com\u201d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7", "deleted": false, "disable_correlation": false, "timestamp": "1490818737", "to_ids": true, "type": "md5", "uuid": "58dc16b1-e6b4-4ed3-ba45-421602de0b81", "value": "aea2d5b5e72c0432904039316efa1bd2" }, { "category": "External analysis", "comment": "(\u201cKFC.com\u201d, KHRAT loader) - Xchecked via VT: 77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7", "deleted": false, "disable_correlation": false, "timestamp": "1490818738", "to_ids": false, "type": "link", "uuid": "58dc16b2-9a68-4d13-a606-4c7a02de0b81", "value": "https://www.virustotal.com/file/77354141d22998d7166fd80a12d9b913199137b4725495bd9168beb5365f69e7/analysis/1490651490/" }, { "category": "Payload delivery", "comment": "(\u201cThe plan CPP split 
CNRP!.doc.exe\u201d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b", "deleted": false, "disable_correlation": false, "timestamp": "1490818739", "to_ids": true, "type": "sha1", "uuid": "58dc16b3-b000-483c-aa79-4a4702de0b81", "value": "8a3a1f879dc0d6ad274223d0cecc471164f67dfe" }, { "category": "Payload delivery", "comment": "(\u201cThe plan CPP split CNRP!.doc.exe\u201d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b", "deleted": false, "disable_correlation": false, "timestamp": "1490818739", "to_ids": true, "type": "md5", "uuid": "58dc16b3-a060-437a-a68a-4dc102de0b81", "value": "4772aaf68a7a408fa2a344fdef1bd167" }, { "category": "External analysis", "comment": "(\u201cThe plan CPP split CNRP!.doc.exe\u201d, dropper) - Xchecked via VT: a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b", "deleted": false, "disable_correlation": false, "timestamp": "1490818740", "to_ids": false, "type": "link", "uuid": "58dc16b4-5908-4e49-9f32-469e02de0b81", "value": "https://www.virustotal.com/file/a6e22dfe21993678c6f1b0892c2db085bb8c4342bdf78628456f562d5db1181b/analysis/1490681567/" }, { "category": "Payload delivery", "comment": "(\u201cKFC.exe\u201d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5", "deleted": false, "disable_correlation": false, "timestamp": "1490818741", "to_ids": true, "type": "sha1", "uuid": "58dc16b5-e74c-4858-b681-41bc02de0b81", "value": "bffefb8f7d0ec8048e5180e5fb68b327c44dfd25" }, { "category": "Payload delivery", "comment": "(\u201cKFC.exe\u201d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5", "deleted": false, "disable_correlation": false, "timestamp": "1490818742", "to_ids": true, "type": "md5", "uuid": "58dc16b6-1b2c-45a2-8f5b-4e4c02de0b81", 
"value": "e9e5af639641b50d5d1747d43a5fd648" }, { "category": "External analysis", "comment": "(\u201cKFC.exe\u201d, KHRAT loader) - Xchecked via VT: d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5", "deleted": false, "disable_correlation": false, "timestamp": "1490818743", "to_ids": false, "type": "link", "uuid": "58dc16b7-4fd4-42d2-8141-45ab02de0b81", "value": "https://www.virustotal.com/file/d9ce24d627edb170145fb78e6acb5ea3cb44a87cd06c05842d78f4fc9b732ec5/analysis/1490681777/" }, { "category": "Payload delivery", "comment": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0", "deleted": false, "disable_correlation": false, "timestamp": "1490818744", "to_ids": true, "type": "sha1", "uuid": "58dc16b8-2fe8-41a4-aba2-445c02de0b81", "value": "e73047c30c30152b0b52bc82a0f109154c9d444a" }, { "category": "Payload delivery", "comment": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0", "deleted": false, "disable_correlation": false, "timestamp": "1490818745", "to_ids": true, "type": "md5", "uuid": "58dc16b9-d638-40f0-a691-420602de0b81", "value": "bb70e1711b7474944b8487b5849dc8de" }, { "category": "External analysis", "comment": "(RTF dropper with CVE-2015-1641 exploit, unknown filename) - Xchecked via VT: 9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0", "deleted": false, "disable_correlation": false, "timestamp": "1490818746", "to_ids": false, "type": "link", "uuid": "58dc16ba-fae0-49ff-9c9a-4f3502de0b81", "value": "https://www.virustotal.com/file/9cdebd98b7889d9a57e5b7ea584d7e03d8ba67c02519b587373204cae0603df0/analysis/1490622667/" }, { "category": "Payload delivery", "comment": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2", "deleted": false, 
"disable_correlation": false, "timestamp": "1490818747", "to_ids": true, "type": "sha1", "uuid": "58dc16bb-2338-471e-a37e-4c7002de0b81", "value": "760c1e68f7fdc633bdd0cf4a14f0f8f2a1048fa7" }, { "category": "Payload delivery", "comment": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2", "deleted": false, "disable_correlation": false, "timestamp": "1490818748", "to_ids": true, "type": "md5", "uuid": "58dc16bc-4508-47e8-82d3-4a7c02de0b81", "value": "e8a702d15148d8dbe9b0d87c71b6c93e" }, { "category": "External analysis", "comment": "(\"reader112_en_ha_install.exe\", dropper) - Xchecked via VT: bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2", "deleted": false, "disable_correlation": false, "timestamp": "1490818749", "to_ids": false, "type": "link", "uuid": "58dc16bd-4788-4ad3-b66b-430102de0b81", "value": "https://www.virustotal.com/file/bba604effa42399ed6e91c271b78b442d01d36d1570a9574acacfc870e09dce2/analysis/1490617814/" }, { "category": "Payload delivery", "comment": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e", "deleted": false, "disable_correlation": false, "timestamp": "1490818750", "to_ids": true, "type": "sha1", "uuid": "58dc16be-d024-4e8c-b92a-4fd002de0b81", "value": "bf0522bd5ff0b4583bb23c6c5f88a7c69196b025" }, { "category": "Payload delivery", "comment": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e", "deleted": false, "disable_correlation": false, "timestamp": "1490818751", "to_ids": true, "type": "md5", "uuid": "58dc16bf-c7dc-4064-8375-4c3102de0b81", "value": "dabbdb8ca7bc3454bc0c682e18569062" }, { "category": "External analysis", "comment": "Compilation 08/03/2017 01:43 - Xchecked via VT: ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e", "deleted": false, "disable_correlation": false, "timestamp": 
"1490818752", "to_ids": false, "type": "link", "uuid": "58dc16c0-3678-4c8f-8f5d-44d902de0b81", "value": "https://www.virustotal.com/file/ffc0ebad7c1888cc4a3f5cd86a5942014b9e15a833e575614cd01a0bb6f5de2e/analysis/1490617887/" }, { "category": "Payload delivery", "comment": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b", "deleted": false, "disable_correlation": false, "timestamp": "1490818753", "to_ids": true, "type": "sha1", "uuid": "58dc16c1-a448-4d35-b828-4f1102de0b81", "value": "7b2faee6e1c2b9d81775aab0d41c89e8ff36d5cf" }, { "category": "Payload delivery", "comment": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b", "deleted": false, "disable_correlation": false, "timestamp": "1490818754", "to_ids": true, "type": "md5", "uuid": "58dc16c2-2a20-456e-972f-4bd602de0b81", "value": "cd6f95f767b26b1fcac8ad33d25131c7" }, { "category": "External analysis", "comment": "Compilation 16/02/2017 03:53 - Xchecked via VT: 540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b", "deleted": false, "disable_correlation": false, "timestamp": "1490818755", "to_ids": false, "type": "link", "uuid": "58dc16c3-3474-468a-8d3a-49c502de0b81", "value": "https://www.virustotal.com/file/540d6dd720514cf01a02b516a85d8f761d77fa90f0d05f06bfb90ed66beb235b/analysis/1490778691/" }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f", "deleted": false, "disable_correlation": false, "timestamp": "1490818756", "to_ids": true, "type": "sha1", "uuid": "58dc16c4-b198-4843-8b67-427f02de0b81", "value": "ba4f2368178b6a12b05c6373fbbe8506e4cfe935" }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f", "deleted": false, "disable_correlation": false, 
"timestamp": "1490818757", "to_ids": true, "type": "md5", "uuid": "58dc16c5-9344-4378-8cd6-49b302de0b81", "value": "156da506f2a89c6cc2c418ffcbbc7ae7" }, { "category": "External analysis", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f", "deleted": false, "disable_correlation": false, "timestamp": "1490818758", "to_ids": false, "type": "link", "uuid": "58dc16c6-3f00-45de-8e32-475902de0b81", "value": "https://www.virustotal.com/file/a5a9598e1d33331f5aeabb277122549d4a7cf1ddbfa00d50e272b57934a6696f/analysis/1490778652/" }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0", "deleted": false, "disable_correlation": false, "timestamp": "1490818759", "to_ids": true, "type": "sha1", "uuid": "58dc16c7-de10-424e-87f1-48ad02de0b81", "value": "c1e2032469155b2299782fb94004379718c2fd8e" }, { "category": "Payload delivery", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0", "deleted": false, "disable_correlation": false, "timestamp": "1490818759", "to_ids": true, "type": "md5", "uuid": "58dc16c7-fa90-4207-bc4e-452302de0b81", "value": "18fc1ed27e04309fe7f62e4221c5a459" }, { "category": "External analysis", "comment": "Compilation 05/01/2017 05:37 - Xchecked via VT: 17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0", "deleted": false, "disable_correlation": false, "timestamp": "1490818760", "to_ids": false, "type": "link", "uuid": "58dc16c8-4a68-42c6-9f2f-438302de0b81", "value": "https://www.virustotal.com/file/17a07b1f5e573899c846edba801f1606ce8f77c2f52e3298d2d2b066730b0bf0/analysis/1490681838/" } ] } }