{ "Event": { "analysis": "2", "date": "2018-09-06", "extends_uuid": "", "info": "powerpool-malware-exploits-zero-day-vulnerability", "publish_timestamp": "1589183606", "published": true, "threat_level_id": "2", "timestamp": "1621849865", "uuid": "5b9162c3-90b4-423b-bd69-28330acd0835", "Orgc": { "name": "Synovus Financial", "uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1536254918", "to_ids": false, "type": "link", "uuid": "5b9162d7-70bc-4802-a3e8-2efb0acd0835", "value": "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1536255394", "to_ids": true, "type": "domain", "uuid": "5b916597-a96c-43dc-bcc0-2f0b0acd0835", "value": "newsrental.net", "Tag": [ { "colour": "#00aad0", "local": false, "name": "veris:action:malware:variety=\"C2\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1536255394", "to_ids": true, "type": "domain", "uuid": "5b916597-7bc0-45f8-a810-2f0b0acd0835", "value": "rosbusiness.eu", "Tag": [ { "colour": "#00aad0", "local": false, "name": "veris:action:malware:variety=\"C2\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1536255394", "to_ids": true, "type": "domain", "uuid": "5b916597-dc78-43cb-b1df-2f0b0acd0835", "value": "afishaonline.eu", "Tag": [ { "colour": "#00aad0", "local": false, "name": "veris:action:malware:variety=\"C2\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1536255394", "to_ids": true, "type": "domain", "uuid": "5b916597-7ba8-4aaa-98b5-2f0b0acd0835", "value": "sports-collectors.com", "Tag": [ { "colour": "#00aad0", "local": false, "name": "veris:action:malware:variety=\"C2\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "C2\r\nCountry: Korea, Republic Of\r\nRegion: Gyeonggi-do\r\nCity: Yongin\r\nISP: Daou Technology", "deleted": false, "disable_correlation": false, "timestamp": "1536256145", "to_ids": true, "type": "ip-dst", "uuid": "5b916597-ec48-4d1f-b15f-2f0b0acd0835", "value": "27.102.106.149", "Tag": [ { "colour": "#00aad0", "local": false, "name": "veris:action:malware:variety=\"C2\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "13", "timestamp": "1536254905", "uuid": "5b91638b-01d0-4303-9938-28310acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536254957", "to_ids": true, "type": "md5", "uuid": "5b91638b-f688-4841-b4d2-28310acd0835", "value": "32b8d08e67cf509236ae8142fbeb30b3", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536254957", "to_ids": true, "type": "sha256", "uuid": "5b91638b-5d60-4865-9be0-28310acd0835", "value": "8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536254957", "to_ids": true, "type": "sha1", "uuid": "5b91638b-250c-4e03-b6f7-28310acd0835", "value": "038f75dcf1e5277565c68d57fa1f4f7b3005f3f3", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1536254859", "to_ids": false, "type": "size-in-bytes", "uuid": "5b91638b-480c-4627-95ab-28310acd0835", "value": "198656" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1536254963", "to_ids": true, "type": "ssdeep", "uuid": "5b91638b-a4dc-450f-9bc6-28310acd0835", "value": "3072:y0FPC7QAKohdraoNpLOxx85wzWVTBfGGMZhm05Pb8QOutp:ba7zfragLOxx85JVTBezZXbLOut", "Tag": [ { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" }, { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536254859", "to_ids": false, "type": "text", "uuid": "5b91638b-d750-48ec-aeaa-28310acd0835", "value": "Malicious" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1536254905", "to_ids": false, "type": "text", "uuid": "5b9163b9-43a4-43cc-831b-2eff0acd0835", "value": "First stage backdoor" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "13", "timestamp": "1536255024", "uuid": "5b916430-9e3c-4911-b3e9-ca520acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536255053", "to_ids": true, "type": "md5", "uuid": "5b916430-0124-4a45-bf94-ca520acd0835", "value": "efe3518ee7d62299d01b7882f72ffd0a", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1536255024", "to_ids": false, "type": "text", "uuid": "5b916430-f9b4-45ed-b526-ca520acd0835", "value": "First stage backdoor" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536255053", "to_ids": true, "type": "sha256", "uuid": "5b916430-4898-4071-b4f5-ca520acd0835", "value": "035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536255054", "to_ids": true, "type": "sha1", "uuid": "5b916430-e110-4bc6-8427-ca520acd0835", "value": "247b542af23ad9c63697428c7b77348681aadc9a", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1536255024", "to_ids": false, "type": "size-in-bytes", "uuid": "5b916430-0fac-4102-a6c2-ca520acd0835", "value": "195072" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1536255054", "to_ids": true, "type": "ssdeep", "uuid": "5b916430-0b5c-49c8-b20b-ca520acd0835", "value": "3072:hMBIQ8vnQQgZKc1WZL0Az3jGSp0TBfmXnZS1m05xI8QOutt:eBIbPDgZK0yL0Az36e0TBeXZStILOut", "Tag": [ { "colour": "#5fb4b2", "local": false, "name": "Stage 1", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536255024", "to_ids": false, "type": "text", "uuid": "5b916430-0634-4a60-b821-ca520acd0835", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "13", "timestamp": "1536255120", "uuid": "5b91647e-fb8c-475d-a647-2eff0acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536255177", "to_ids": true, "type": "md5", "uuid": "5b91647e-5998-450e-b763-2eff0acd0835", "value": "e2bd4044fab4214c4aa7dd65d65fca21", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536255177", "to_ids": true, "type": "sha256", "uuid": "5b91647e-172c-4f3e-be5d-2eff0acd0835", "value": "af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536255177", "to_ids": true, "type": "sha1", "uuid": "5b91647e-bb5c-4513-980d-2eff0acd0835", "value": "0423672fe9201c325e33f296595fb70dcd81bcd9", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1536255102", "to_ids": false, "type": "size-in-bytes", "uuid": "5b91647e-de40-459d-8828-2eff0acd0835", "value": "395776" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1536255177", "to_ids": true, "type": "ssdeep", "uuid": "5b91647e-a5fc-4161-b118-2eff0acd0835", "value": "6144:Py7VqCkozgC2uNmz/MbVflIaPhlHvuFFNTP9DZ8EX8kE5KRf+L8uvyvcQ0BiF:Py7V6N/wISZvk7TP9F1X8 hcRe8u6wW", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536255102", "to_ids": false, "type": "text", "uuid": "5b91647e-eec4-4749-8e33-2eff0acd0835", "value": "Malicious" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1536255120", "to_ids": false, "type": "text", "uuid": "5b916490-d93c-4284-9455-28330acd0835", "value": "Second stage backdoor" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "13", "timestamp": "1536255239", "uuid": "5b916507-21cc-4a2f-aa8c-28280acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536255270", "to_ids": true, "type": "md5", "uuid": "5b916507-cdc0-4c61-ac3f-28280acd0835", "value": "80e7a7789286d3fb69f083f1a2dddbe6", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1536255239", "to_ids": false, "type": "text", "uuid": "5b916507-2a48-4b4f-9d72-28280acd0835", "value": "Second stage backdoor" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536255270", "to_ids": true, "type": "sha256", "uuid": "5b916507-38cc-4434-90f8-28280acd0835", "value": "58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536255270", "to_ids": true, "type": "sha1", "uuid": "5b916507-c8a4-4c50-9886-28280acd0835", "value": "b4ec4837d07ff64e34947296e73732171d1c1586", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1536255239", "to_ids": false, "type": "size-in-bytes", "uuid": "5b916507-88d0-49cd-b0ba-28280acd0835", "value": "396288" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1536255270", "to_ids": true, "type": "ssdeep", "uuid": "5b916507-d174-4cec-85ee-28280acd0835", "value": "6144:kSH62LyBiglfDq9wD7aG2HODV9cF7Bt7/hNWhZHhvMKpA7KSgodwIFsA40Bia:kSH6F9DiY9udjNW7BvMKp yKsWI97", "Tag": [ { "colour": "#fccc51", "local": false, "name": "Stage 2", "relationship_type": "" }, { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Backdoor\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536255239", "to_ids": false, "type": "text", "uuid": "5b916507-5344-4ccd-bcee-28280acd0835", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "13", "timestamp": "1536255324", "uuid": "5b91655c-3648-48a0-82e3-2f140acd0835", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1536255355", "to_ids": true, "type": "md5", "uuid": "5b91655c-25d0-4a8c-80e8-2f140acd0835", "value": "99670267cbece5f5cc3ce92efd5bb04b", "Tag": [ { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Exploit vuln\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1536255324", "to_ids": false, "type": "text", "uuid": "5b91655c-7730-4639-89de-2f140acd0835", "value": "ALPC LPE exploit" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1536255355", "to_ids": true, "type": "sha256", "uuid": "5b91655c-21a0-4189-b441-2f140acd0835", "value": "97b5b4478d234632df4c65ec251051a6b032ce21e9e68495e31f077bf4074831", "Tag": [ { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Exploit vuln\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1536255355", "to_ids": true, "type": "sha1", "uuid": "5b91655d-3ee8-42f6-8276-2f140acd0835", "value": "9dc173d4d4f74765b5fc1e1c9a2d188d5387beea", "Tag": [ { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Exploit vuln\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1536255325", "to_ids": false, "type": "size-in-bytes", "uuid": "5b91655d-3714-464e-86f5-2f140acd0835", "value": "183296" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1536255355", "to_ids": true, "type": "ssdeep", "uuid": "5b91655d-3c88-4839-90d3-2f140acd0835", "value": "3072:STZt5j+T9LjP4JqIBhNV0St7TZEjOYI1TVmqG7rg:q5j+T9LjPPIBhN2Q7TZAfI1TVwg", "Tag": [ { "colour": "#00a9ce", "local": false, "name": "veris:action:malware:variety=\"Exploit vuln\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1536255325", "to_ids": false, "type": "text", "uuid": "5b91655d-d1bc-4241-95c3-2f140acd0835", "value": "Malicious" } ] } ] } }