{ "Event": { "analysis": "2", "date": "2015-02-24", "extends_uuid": "", "info": "OSINT A deeper look into ScanBox TLP:WHITE report from PWC UK", "publish_timestamp": "1456154126", "published": true, "threat_level_id": "2", "timestamp": "1434353282", "uuid": "54ec3439-7154-48e4-ae1e-4c1c950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766047", "to_ids": false, "type": "link", "uuid": "54ec345f-6524-4783-bc45-41c5950d210b", "value": "http://pwc.blogs.com/cyber_security_updates/2015/02/my-entry.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766047", "to_ids": false, "type": "link", "uuid": "54ec345f-43d8-4a5a-b214-448c950d210b", "value": "http://pwc.blogs.com/files/2015-02-24--scanbox-ii---tlpwhite.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766071", "to_ids": false, "type": "text", "uuid": "54ec3477-e1a8-43b2-8731-4047950d210b", "value": "ScanBox" }, { "category": "Network activity", "comment": "Malware distribution point", "deleted": false, "disable_correlation": false, "timestamp": "1424766144", "to_ids": true, "type": "ip-dst", "uuid": "54ec34c0-ad7c-488c-ab16-42fc950d210b", "value": "88.80.190.133" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766515", "to_ids": true, "type": "domain", "uuid": "54ec3633-164c-47a9-8693-4dad950d210b", "value": "googlecaches.com" }, { "category": "Network activity", "comment": "Legitimate compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1424766645", "to_ids": true, "type": "domain", "uuid": "54ec36b6-6678-4619-9169-4f79950d210b", "value": "gokbayrak.com" }, { "category": "Network activity", "comment": "Legitimate compromised site", "deleted": false, "disable_correlation": false, "timestamp": "1424766703", "to_ids": true, "type": "domain", "uuid": "54ec36d4-caf8-4d3d-83eb-4746950d210b", "value": "macanna.com.tw" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766722", "to_ids": true, "type": "md5", "uuid": "54ec3702-76c4-4368-b35e-4406950d210b", "value": "3b8d7732de3b3c8823d241e7cd3185c4" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424766744", "to_ids": true, "type": "hostname", "uuid": "54ec3718-c068-4cdc-9cb6-510f950d210b", "value": "happynewyear.dns04.com" }, { "category": "Network activity", "comment": "IP of happynewyear.dns04.com and hosts a lot of other malicious host names", "deleted": false, "disable_correlation": false, "timestamp": "1424766828", "to_ids": true, "type": "ip-dst", "uuid": "54ec376c-66f4-415a-b8ef-47e5950d210b", "value": "115.23.172.151" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767422", "to_ids": false, "type": "text", "uuid": "54ec39be-9658-411d-9a63-43c5950d210b", "value": "TH3Bug" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767939", "to_ids": true, "type": "hostname", "uuid": "54ec39d8-4934-47ac-aa10-479d950d210b", "value": "news.foundationssl.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767470", "to_ids": false, "type": "text", "uuid": "54ec39ee-9854-4f56-b521-474b950d210b", "value": "Deep Panda" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767511", "to_ids": true, "type": "domain", "uuid": "54ec3a18-b9d4-4f76-93e7-4f99950d210b", "value": "qoog1e.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767530", "to_ids": true, "type": "domain", "uuid": "54ec3a2a-0918-435c-a163-4b3e950d210b", "value": "webmailgoogle.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-8f44-4071-9fdd-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (plugin_pdf_ie())\"; flow:established,from_server; file_data; content:\"plugin_pdf_ie()\"; classtype:trojanactivity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanboxframework- whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-4bf8-4707-9c47-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (.item(0).appendChild(iframe_tag))\"; flow:established,from_server; file_data; content:\".item(0).appendChild(iframe_tag)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-04c8-4824-a61e-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (var version\\;var ax\\;var e\\;try{axo=new ActiveXObject)\"; flow:established,from_server; file_data; content:\"var version\\;var ax\\;var e\\;try{axo=new ActiveXObject\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-3ef8-4b3b-806b-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;)\"; flow:established,from_server; file_data; content:\"document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-b1b4-40fd-ac2b-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;)\"; flow:established,from_server; file_data; content:\"return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1424767781", "to_ids": true, "type": "snort", "uuid": "54ec3b25-1528-4ea9-bf00-65e2950d210b", "value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Code (Chr(CInt(ns(i)) Xor n))\"; flow:established,from_server; file_data; content:\"Chr(CInt(ns(i)) Xor n)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whosaffected- and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767845", "to_ids": true, "type": "ip-dst", "uuid": "54ec3b65-b04c-483f-8b0d-c5e6950d210b", "value": "1.9.5.38" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767845", "to_ids": true, "type": "ip-dst", "uuid": "54ec3b65-abc4-4227-8c5c-c5e6950d210b", "value": "103.255.61.227" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767845", "to_ids": true, "type": "ip-dst", "uuid": "54ec3b65-82ac-49a8-b2b2-c5e6950d210b", "value": "118.193.153.221" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767845", "to_ids": true, "type": "ip-dst", "uuid": "54ec3b65-28c0-4bd8-93e3-c5e6950d210b", "value": "118.193.153.227" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767845", "to_ids": true, "type": "ip-dst", "uuid": "54ec3b65-3d60-4126-ad34-c5e6950d210b", "value": "174.121.122.73" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767939", "to_ids": true, "type": "hostname", "uuid": "54ec3b95-14c8-409d-a793-48bb950d210b", "value": "file.googlecaches.com" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767939", "to_ids": true, "type": "hostname", "uuid": "54ec3b95-9fe8-4d24-be71-4665950d210b", "value": "gtm.googlecaches.com" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767939", "to_ids": true, "type": "hostname", "uuid": "54ec3b95-7118-461c-ba2c-4cfb950d210b", "value": "js.googlewebcache.com" }, { "category": "Network activity", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767939", "to_ids": true, "type": "hostname", "uuid": "54ec3b95-5820-4cb3-b8dd-4c54950d210b", "value": "owa.outlookssl.com" }, { "category": "Payload delivery", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767971", "to_ids": true, "type": "sha256", "uuid": "54ec3be3-cb88-4725-8231-41ca950d210b", "value": "4639c30b3666cb11b3927d5579790a88bff68e8137f18241f4693e0d4539c608" }, { "category": "Payload delivery", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767971", "to_ids": true, "type": "sha1", "uuid": "54ec3be3-4954-479c-b579-422f950d210b", "value": "809959f390d5a49c8999ad6fff27fdc92ff1b2b0" }, { "category": "Payload delivery", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767972", "to_ids": true, "type": "sha256", "uuid": "54ec3be4-7b64-4b7a-aab6-4de2950d210b", "value": "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2" }, { "category": "Payload delivery", "comment": "Cluster 1", "deleted": false, "disable_correlation": false, "timestamp": "1424767972", "to_ids": true, "type": "sha1", "uuid": "54ec3be4-2c04-47d0-8172-4e87950d210b", "value": "e8a8ffe39040fe36e95217b4e4f1316177d675ed" }, { "category": "Network activity", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "ip-dst", "uuid": "54ec4094-59d4-4b92-883c-4c9a950d210b", "value": "122.10.10.161" }, { "category": "Network activity", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "ip-dst", "uuid": "54ec4094-fc8c-4e3f-a701-40f4950d210b", "value": "204.152.199.43" }, { "category": "Network activity", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "ip-dst", "uuid": "54ec4095-baf4-4f93-bd14-430f950d210b", "value": "50.2.24.211" }, { "category": "Network activity", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "hostname", "uuid": "54ec40a9-18ac-4e47-a399-4941950d210b", "value": "bak.mailaunch.com" }, { "category": "Network activity", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "hostname", "uuid": "54ec40a9-7220-4c16-979d-4913950d210b", "value": "us-mg6.mail.yahoo.mailaunch.com" }, { "category": "Payload delivery", "comment": "Cluster 4", "deleted": false, "disable_correlation": false, "timestamp": "1424769246", "to_ids": true, "type": "sha1", "uuid": "54ec40bc-e490-4845-a9d6-65e2950d210b", "value": "f1890cc9d6dc84021426834063394539414f68d8" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1434353282", "to_ids": false, "type": "link", "uuid": "557e7e82-ee90-4a49-b920-3a74950d210b", "value": "http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf" }, { "category": "Payload delivery", "comment": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)", "deleted": false, "disable_correlation": false, "timestamp": "1455838627", "to_ids": true, "type": "md5", "uuid": "56c655a3-066c-40d9-847b-59a3950d210f", "value": "be3a3daa7d0d11df2380d3401696624a" }, { "category": "Payload delivery", "comment": "Automatically added (via e8a8ffe39040fe36e95217b4e4f1316177d675ed)", "deleted": false, "disable_correlation": false, "timestamp": "1455838628", "to_ids": true, "type": "md5", "uuid": "56c655a4-a164-4629-8286-599e950d210f", "value": "ef498ea09bf51b002fc7eb3dfd0d19d3" }, { "category": "Payload delivery", "comment": "Automatically added (via 809959f390d5a49c8999ad6fff27fdc92ff1b2b0)", "deleted": false, "disable_correlation": false, "timestamp": "1455838630", "to_ids": true, "type": "md5", "uuid": "56c655a6-4ed4-4e67-93a4-4e9c950d210f", "value": "9cf5523da799277a4d40881199eb8325" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)", "deleted": false, "disable_correlation": false, "timestamp": "1455838625", "to_ids": true, "type": "sha1", "uuid": "56c655a1-b548-42d5-8f06-c652950d210f", "value": "27a774e6bb82d4575598be00eb2ca44734d9bcf2" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)", "deleted": false, "disable_correlation": false, "timestamp": "1455838626", "to_ids": true, "type": "sha256", "uuid": "56c655a2-ca34-4a49-a2cb-59a1950d210f", "value": "9dc7d24cf0e0426e0e882badd6145de57384206fd6be46dc31fdfc7ea2a072cc" }, { "category": "Payload delivery", "comment": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)", "deleted": false, "disable_correlation": false, "timestamp": "1455838628", "to_ids": true, "type": "sha256", "uuid": "56c655a4-fdec-4a71-abf7-4d79950d210f", "value": "3112420afeb829a575ba46512314c0fab2fc80870c153de35cde4d3140a2dd26" } ] } }