{ "Event": { "analysis": "0", "date": "2018-11-18", "extends_uuid": "", "info": "OSINT - CozyBear \u2013 In from the Cold?", "publish_timestamp": "1542637552", "published": true, "threat_level_id": "3", "timestamp": "1542637546", "uuid": "5bf26acf-d95c-4892-a05d-4db5950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#12e100", "local": false, "name": "misp-galaxy:threat-actor=\"APT 29\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-intrusion-set=\"APT29\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-malware=\"CozyCar\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"APT29 - G0016\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-enterprise-attack-malware=\"CozyCar\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:malpedia=\"Cobalt Strike\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:rat=\"Cobalt Strike\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-enterprise-attack-tool=\"Cobalt Strike\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-enterprise-attack-tool=\"Cobalt Strike - S0154\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-tool=\"Cobalt Strike\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#316200", "local": false, "name": "circl:incident-classification=\"phishing\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542614180", "to_ids": false, "type": 
"link", "uuid": "5bf26c6f-d748-499e-a651-40e3950d210f", "value": "https://pylos.co/2018/11/18/cozybear-in-from-the-cold/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1542617834", "to_ids": true, "type": "domain", "uuid": "5bf27aea-d798-4848-88f8-43a7950d210f", "value": "pandorasong.com" } ], "Object": [ { "comment": "mail server", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "6", "timestamp": "1542614707", "uuid": "5bf26eb3-588c-479a-8c42-48b6950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1542614707", "to_ids": true, "type": "ip-dst", "uuid": "5bf26eb3-7a60-4770-af08-4389950d210f", "value": "216.251.161.198" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1542614708", "to_ids": true, "type": "domain", "uuid": "5bf26eb4-219c-47b0-be79-4be7950d210f", "value": "mx1.era.citon.com" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542614867", "uuid": "5bf26f31-11ec-4a5b-aea4-4fee950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5bf26f31-11ec-4a5b-aea4-4fee950d210f", "referenced_uuid": "5bf26f43-b2c0-4102-8ba0-472a950d210f", "relationship_type": "dropped", "timestamp": "1542614866", "uuid": "5bf26f52-1228-47e5-947e-405d950d210f" } ], "Attribute": [ { "category": "Payload delivery", 
"comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1542614834", "to_ids": true, "type": "filename", "uuid": "5bf26f32-2910-4db7-a08b-493f950d210f", "value": "ds7002.lnk" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542614834", "to_ids": false, "type": "text", "uuid": "5bf26f32-e92c-4486-9f53-4b6f950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542614878", "uuid": "5bf26f43-b2c0-4102-8ba0-472a950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5bf26f43-b2c0-4102-8ba0-472a950d210f", "referenced_uuid": "5bf26f31-11ec-4a5b-aea4-4fee950d210f", "relationship_type": "dropped-by", "timestamp": "1542614877", "uuid": "5bf26f5d-8810-43c3-9c61-4e88950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1542614851", "to_ids": true, "type": "filename", "uuid": "5bf26f43-ef80-4bae-b9b4-444a950d210f", "value": "cyzfc.dat" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542614851", "to_ids": false, "type": "text", "uuid": "5bf26f43-c2b4-4c98-8b0a-412a950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542615846", "uuid": "5bf27326-3988-4648-8349-48a8950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, 
"object_relation": "filename", "timestamp": "1542615846", "to_ids": true, "type": "filename", "uuid": "5bf27326-3158-4092-97dd-47af950d210f", "value": "7486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542615846", "to_ids": false, "type": "text", "uuid": "5bf27326-559c-4fd2-8e9a-4151950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542615937", "uuid": "5bf27381-7984-4244-933f-402b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542615937", "to_ids": true, "type": "sha256", "uuid": "5bf27381-dfcc-47a1-be1f-431e950d210f", "value": "2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542615938", "to_ids": false, "type": "text", "uuid": "5bf27382-be44-45af-a885-47e9950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1542618149", "uuid": "5bf27c25-d538-45b8-be16-44f0950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542618149", "to_ids": true, "type": "sha256", "uuid": "5bf27c25-7a34-4b6b-87ee-4e24950d210f", "value": "b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05" }, { "category": 
"Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1542618150", "to_ids": false, "type": "text", "uuid": "5bf27c26-2b80-4a3c-940c-4b7c950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542637530", "uuid": "f815afa9-6251-4258-af1c-d3c6354478f9", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542637530", "to_ids": true, "type": "md5", "uuid": "470bf785-2b3e-4ada-97e4-0ab1cc6b0cdb", "value": "16bbc967a8b6a365871a05c74a4f345b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542637530", "to_ids": true, "type": "sha1", "uuid": "2a450f9e-bfae-4d06-aefe-c4de80a891da", "value": "9858d5cb2a6614be3c48e33911bf9f7978b441bf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542637531", "to_ids": true, "type": "sha256", "uuid": "97118ed3-5aad-42bc-9dd7-bb355bd0146f", "value": "b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542637531", "uuid": "13b82a46-f0a2-4216-b6ff-f15d7e5aa85f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1542637531", "to_ids": false, "type": "datetime", "uuid": "17a08ecf-8c7a-44f0-8d62-5610b7f6016b", "value": "2018-11-19T03:46:22" 
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542637532", "to_ids": false, "type": "link", "uuid": "fe091e77-2656-44c2-9dba-067a12240376", "value": "https://www.virustotal.com/file/b77ff307ea74a3ab41c92036aea4a049b3c2e69b12a857d26910e535544dfb05/analysis/1542599182/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542637532", "to_ids": false, "type": "text", "uuid": "38131c5b-7a1f-432f-ae28-1d344e1b044e", "value": "38/65" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1542637532", "uuid": "6c5c8753-80c8-496e-8f41-0c72d76ceceb", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1542637533", "to_ids": true, "type": "md5", "uuid": "1de5a03a-f12f-4592-a680-8ea91fbddb4b", "value": "6ed0020b0851fb71d5b0076f4ee95f3c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1542637533", "to_ids": true, "type": "sha1", "uuid": "886d09f5-a091-4a07-a487-de64d25fb989", "value": "e431261c63f94a174a1308defccc674dabbe3609" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1542637534", "to_ids": true, "type": "sha256", "uuid": "86833f7b-86f9-4b2c-97be-2abce35391d6", "value": "2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": 
"d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1542637534", "uuid": "4c234bd0-9fb2-4f60-9e0f-971e8746024d", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1542637534", "to_ids": false, "type": "datetime", "uuid": "fb3ad0e4-c955-44af-93d8-874ab7cd17bd", "value": "2018-11-19T03:14:57" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1542637535", "to_ids": false, "type": "link", "uuid": "5f7203c2-d42b-46a5-88da-090e96f40841", "value": "https://www.virustotal.com/file/2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c/analysis/1542597297/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1542637535", "to_ids": false, "type": "text", "uuid": "c1f98fdf-637c-4e0e-be43-b1e622dfe8cd", "value": "22/55" } ] } ] } }