{ "Event": { "analysis": "2", "date": "2015-02-10", "extends_uuid": "", "info": "OSINT MSRT February update from Microsoft", "publish_timestamp": "1424078776", "published": true, "threat_level_id": "3", "timestamp": "1424074675", "uuid": "54e1a3f3-be8c-4840-88ce-f2d9950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#33FF00", "name": "tlp:green" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424073859", "to_ids": false, "type": "link", "uuid": "54e1a3fb-87a8-4d4c-87e7-f2d9950d210b", "value": "http://blogs.technet.com/b/mmpc/archive/2015/02/10/msrt-february-escad-and-nukesped.aspx" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-d028-4fda-ab40-4a72950d210b", "value": "ansi.nls" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-8168-4254-ac41-4968950d210b", "value": "dayipmr.tbl" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-d668-4806-9d14-4f42950d210b", "value": "netmonsvc.dll" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-fbe0-41f8-a0c8-439b950d210b", "value": "pmsconfig.msi" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-88c8-490f-b24f-4cd5950d210b", "value": "pmslog.msi" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a42f-d918-4c44-b106-4a5c950d210b", "value": "rdmgr.dll" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a430-5cf0-4c2f-959b-4d51950d210b", "value": "remoteevtmanager.dll" }, { "category": "Artifacts dropped", "comment": "Escad", "deleted": false, "disable_correlation": false, "timestamp": "1424073829", "to_ids": true, "type": "filename", "uuid": "54e1a430-7e34-4f23-bda3-425c950d210b", "value": "tmscompg.msi" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424073842", "to_ids": false, "type": "text", "uuid": "54e1a472-d4f8-43eb-89af-20b7950d210b", "value": "Escad" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424073842", "to_ids": false, "type": "text", "uuid": "54e1a472-ec94-484f-9bea-20b7950d210b", "value": "Nukesped" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424073886", "to_ids": false, "type": "link", "uuid": "54e1a49e-d43c-4564-9b46-f2d9950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Jinupd" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424073886", "to_ids": false, "type": "link", "uuid": "54e1a49e-04d8-4a50-b68a-f2d9950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/NukeSped" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073937", "to_ids": true, "type": "filename", "uuid": "54e1a4d1-4284-43c9-a77a-fae5950d210b", "value": "comon32.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073937", "to_ids": true, "type": "filename", "uuid": "54e1a4d1-48d4-49d8-864a-fae5950d210b", "value": "diskpartmg16.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073937", "to_ids": true, "type": "filename", "uuid": "54e1a4d1-ad7c-4595-a65c-fae5950d210b", "value": "dpnsvr16.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073937", "to_ids": true, "type": "filename", "uuid": "54e1a4d1-9748-4092-978b-fae5950d210b", "value": "expandmn32.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073937", "to_ids": true, "type": "filename", "uuid": "54e1a4d1-21c0-404f-b2d2-fae5950d210b", "value": "hwrcompsvc64.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073938", "to_ids": true, "type": "filename", "uuid": "54e1a4d2-9554-44d8-9496-fae5950d210b", "value": "mobsynclm64.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073938", "to_ids": true, "type": "filename", "uuid": "54e1a4d2-d004-4aef-b376-fae5950d210b", "value": "rdpshellex32.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073938", "to_ids": true, "type": "filename", "uuid": "54e1a4d2-42d0-4147-b45a-fae5950d210b", "value": "recdiscm32.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073938", "to_ids": true, "type": "filename", "uuid": "54e1a4d2-56bc-4405-9c3e-fae5950d210b", "value": "taskchg16.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424073938", "to_ids": true, "type": "filename", "uuid": "54e1a4d2-1998-4bee-abae-fae5950d210b", "value": "taskhosts64.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074195", "to_ids": false, "type": "comment", "uuid": "54e1a5d3-e2b4-498d-ac48-40c3950d210b", "value": "Seems to be related to Sony hack based on the screenshots on the february update page" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074207", "to_ids": false, "type": "comment", "uuid": "54e1a5df-cfdc-4928-af6f-fae5950d210b", "value": "Data entered by David Andr\u00c3\u00a9" }, { "category": "Network activity", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074349", "to_ids": true, "type": "domain", "uuid": "54e1a66d-d5bc-4f3b-afad-dadf950d210b", "value": "dailygiftclub.info" }, { "category": "Network activity", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074349", "to_ids": true, "type": "domain", "uuid": "54e1a66d-5a08-45f2-8d7e-dadf950d210b", "value": "dailygiftclub1.info" }, { "category": "Network activity", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074349", "to_ids": true, "type": "domain", "uuid": "54e1a66d-6da8-4100-956c-dadf950d210b", "value": "priv8darkshop.com" }, { "category": "Network activity", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074349", "to_ids": true, "type": "domain", "uuid": "54e1a66d-a538-40a0-9882-dadf950d210b", "value": "sopvps.hk" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074363", "to_ids": false, "type": "text", "uuid": "54e1a67b-cf10-473d-803a-4753950d210b", "value": "Jinupd" }, { "category": "Artifacts dropped", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074431", "to_ids": true, "type": "filename", "uuid": "54e1a6aa-88b0-4aef-ad0b-430e950d210b", "value": "%APPDATA%\\java se platform updater\\jusched.exe" }, { "category": "Artifacts dropped", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074431", "to_ids": true, "type": "filename", "uuid": "54e1a6aa-ea00-4864-9e3b-4b7a950d210b", "value": "%APPDATA%\\java platform updater\\jusched.exe" }, { "category": "Artifacts dropped", "comment": "Jinupd", "deleted": false, "disable_correlation": false, "timestamp": "1424074431", "to_ids": true, "type": "filename", "uuid": "54e1a6aa-06c8-4e4f-8d50-4e61950d210b", "value": "%TEMP%\\svchost.exe" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424074477", "to_ids": true, "type": "filename", "uuid": "54e1a6ed-0db0-41ab-b75b-20b7950d210b", "value": "%TEMP% \\usbdrv3.sys" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424074511", "to_ids": true, "type": "filename", "uuid": "54e1a70f-2744-46bd-b771-426c950d210b", "value": "%windir% \\iissvr.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074559", "to_ids": false, "type": "link", "uuid": "54e1a73f-bafc-4cc7-8141-9107950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/NukeSped.C!dha" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074559", "to_ids": false, "type": "link", "uuid": "54e1a73f-1158-4659-901c-9107950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/NukeSped.B!dha" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424074559", "to_ids": false, "type": "link", "uuid": "54e1a73f-97fc-4ceb-8345-9107950d210b", "value": "http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/NukeSped.A!dha" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424074675", "to_ids": true, "type": "filename", "uuid": "54e1a7b3-bc64-4713-be9c-4c95950d210b", "value": "usbdrv3_32bit.sys" }, { "category": "Artifacts dropped", "comment": "NukeSped", "deleted": false, "disable_correlation": false, "timestamp": "1424074675", "to_ids": true, "type": "filename", "uuid": "54e1a7b3-7460-4a04-afb5-45eb950d210b", "value": "usbdrv3_64bit.sys" } ] } }