{
  "Event": {
    "analysis": "2",
    "date": "2017-06-05",
    "extends_uuid": "",
    "info": "OSINT - Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads",
    "publish_timestamp": "1496646208",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1496646131",
    "uuid": "5935004a-eb44-4393-8e7b-4a86950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:tool=\"ETERNALBLUE\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:tool=\"gh0st\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#0055d5",
        "local": false,
        "name": "ms-caro-malware-full:malware-family=\"Nitol\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": false,
        "type": "link",
        "uuid": "59350055-54cc-457d-89f8-41e2950d210f",
        "value": "https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": false,
        "type": "text",
        "uuid": "5935006c-a094-4d05-a611-4bcd950d210f",
        "value": "The \u00e2\u20ac\u0153EternalBlue\u00e2\u20ac\u009d exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol \u00e2\u20ac\u201c this time to distribute Backdoor.Nitol and Trojan Gh0st RAT.\r\n\r\nFireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution vulnerability using the ADODB.Stream ActiveX Object that affects older versions of Internet Explorer. Both payloads have previously been involved in targeted cyber-attacks against the aerospace and defense industry."
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5935007c-f8b0-4b8f-9a56-41fd950d210f",
        "value": "cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "sha256",
        "uuid": "5935007d-4268-42e0-9fda-4064950d210f",
        "value": "4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309"
      },
      {
        "category": "Payload delivery",
        "comment": "On port 45988 -  taskmgr.exe  (Nitol)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "593500ad-f8a8-4f0e-b785-47c0950d210f",
        "value": "121.201.9.204|45988"
      },
      {
        "category": "Network activity",
        "comment": "On port 1541 - systemUpdate.exe (Gh0st)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "hostname",
        "uuid": "593500ad-1b5c-4d90-b9c8-44a4950d210f",
        "value": "beiyeye.401hk.com"
      },
      {
        "category": "Network activity",
        "comment": "C2 - (Nitol)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "hostname",
        "uuid": "593500dd-83bc-47ef-9823-4ee9950d210f",
        "value": "hackqz.f3322.org"
      },
      {
        "category": "Payload delivery",
        "comment": "C2 - On port 8880",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "593500de-84f0-48dd-9a18-491b950d210f",
        "value": "120.209.40.157|8880"
      },
      {
        "category": "Network activity",
        "comment": "C2 (Gh0st)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646131",
        "to_ids": true,
        "type": "hostname",
        "uuid": "593500de-2280-4f00-a7ee-4fdc950d210f",
        "value": "bj6po.a1free9bird.com"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646136",
        "to_ids": true,
        "type": "sha1",
        "uuid": "593501f8-c548-4d1c-a134-4eef02de0b81",
        "value": "220c140c6dc21b39c7ef804a87186ff4a34af1f3"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646136",
        "to_ids": true,
        "type": "md5",
        "uuid": "593501f8-f3ac-4cc5-8bb6-4f0402de0b81",
        "value": "b43006d33d0d33cd4e45f2e761358953"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: 4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646137",
        "to_ids": false,
        "type": "link",
        "uuid": "593501f9-dd30-4e05-9460-456502de0b81",
        "value": "https://www.virustotal.com/file/4f49e17b457ef202ab0be905691ef2b2d2b0a086a7caddd1e70dd45e5ed3b309/analysis/1495688434/"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646137",
        "to_ids": true,
        "type": "sha1",
        "uuid": "593501f9-d36c-44f2-8b0c-45e702de0b81",
        "value": "d6f2548e58bd3e3de8c64bba9cdb8f18a66aef36"
      },
      {
        "category": "Payload delivery",
        "comment": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646138",
        "to_ids": true,
        "type": "md5",
        "uuid": "593501fa-f060-4bd9-af1c-477e02de0b81",
        "value": "863877867a84bdb28148c6d871ccf94f"
      },
      {
        "category": "External analysis",
        "comment": "- Xchecked via VT: cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1496646138",
        "to_ids": false,
        "type": "link",
        "uuid": "593501fa-e124-4a10-8553-45c102de0b81",
        "value": "https://www.virustotal.com/file/cba19d228abf31ec8afab7330df3c9da60cd4dae376552b503aea6d7feff9946/analysis/1496639055/"
      }
    ]
  }
}