{ "Event": { "analysis": "2", "date": "2015-04-14", "extends_uuid": "", "info": "OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42", "publish_timestamp": "1511189977", "published": true, "threat_level_id": "4", "timestamp": "1429110761", "uuid": "552e76b6-3b44-410e-a0a9-4fec950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#f71212", "name": "APT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429108429", "to_ids": false, "type": "link", "uuid": "552e76cd-5a6c-4b3f-aec9-47d1950d210b", "value": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429108443", "to_ids": false, "type": "text", "uuid": "552e76db-3ebc-4327-9550-494a950d210b", "value": "DragonOK" }, { "category": "External analysis", "comment": "Related to this", "deleted": false, "disable_correlation": false, "timestamp": "1429108475", "to_ids": false, "type": "link", "uuid": "552e76fb-e018-49be-97dc-4cd9950d210b", "value": "https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429109155", "to_ids": true, "type": "url", "uuid": "552e79a3-0ea4-4d0b-8d76-44b8950d210b", "value": "/news/STravel.asp" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429109155", "to_ids": true, "type": "url", "uuid": "552e79a3-0e0c-4f40-a40c-4b59950d210b", "value": "/news/SJobs.asp" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429109155", "to_ids": true, "type": "url", "uuid": "552e79a3-3b78-4e06-bae5-4a96950d210b", "value": "/news/SSports.asp" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429109155", "to_ids": true, "type": "url", "uuid": "552e79a3-c120-47fa-83d8-450d950d210b", "value": "/news/SWeather.asp" }, { "category": "Network activity", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109564", "to_ids": true, "type": "domain", "uuid": "552e7b3c-c450-426d-9943-4cce950d210b", "value": "biosnews.info" }, { "category": "Attribution", "comment": "Debug symbols Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109628", "to_ids": false, "type": "text", "uuid": "552e7b51-39a0-48d3-ad1f-4a62950d210b", "value": "D:\\Work\\1021WinInetGEnc1\\Release\\WinInetG.pdb" }, { "category": "Network activity", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109614", "to_ids": true, "type": "ip-dst", "uuid": "552e7b5f-957c-4e45-8481-1539950d210b", "value": "23.229.234.160" }, { "category": "Payload delivery", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109652", "to_ids": true, "type": "sha256", "uuid": "552e7b94-e1dc-4594-9221-4592950d210b", "value": "227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968" }, { "category": "Payload delivery", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109652", "to_ids": true, "type": "sha256", "uuid": "552e7b94-2958-4692-a665-452f950d210b", "value": "35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae" }, { "category": "Payload delivery", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109652", "to_ids": true, "type": "sha256", "uuid": "552e7b95-0a3c-4522-8850-4805950d210b", "value": "0b97ced3fabb14dbffa641d9bd1cc9dd8c97eab9cb6160d43202ee078e017989" }, { "category": "Payload delivery", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429109653", "to_ids": true, "type": "sha256", "uuid": "552e7b95-f2cc-4a4e-8f4b-45c1950d210b", "value": "287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e" }, { "category": "Payload delivery", "comment": "PlugX", "deleted": false, "disable_correlation": false, "timestamp": "1429109682", "to_ids": true, "type": "sha256", "uuid": "552e7bb2-d774-42b7-94b6-47d6950d210b", "value": "70ac649d31db748c4396a9a3f7a9c619c8d09e6400492ab3447520fb726083c4" }, { "category": "Network activity", "comment": "PlugX", "deleted": false, "disable_correlation": false, "timestamp": "1429109702", "to_ids": true, "type": "hostname", "uuid": "552e7bc6-5210-4bc3-9c59-4cf4950d210b", "value": "http.tourecord.com" }, { "category": "Network activity", "comment": "PlugX & Poison Ivy & FirstFormerRAT", "deleted": false, "disable_correlation": false, "timestamp": "1429109888", "to_ids": true, "type": "ip-dst", "uuid": "552e7bdb-eb54-485d-aee5-1534950d210b", "value": "103.20.193.62" }, { "category": "Artifacts dropped", "comment": "PoisonIvy", "deleted": false, "disable_correlation": false, "timestamp": "1429109754", "to_ids": true, "type": "sha256", "uuid": "552e7bfa-c7f8-4207-92dd-4cb1950d210b", "value": "6e95215a52e1cbf4a58cb24c91750151170ea3d59fa9dbfe566e33a2ffc04f4c" }, { "category": "Network activity", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429109773", "to_ids": true, "type": "hostname", "uuid": "552e7c0d-8e70-4165-85a4-4fb8950d210b", "value": "bbs.reweblink.com" }, { "category": "Artifacts dropped", "comment": "FirstFormerRAT", "deleted": false, "disable_correlation": false, "timestamp": "1429109855", "to_ids": true, "type": "filename|sha256", "uuid": "552e7c55-d884-4920-8b49-4843950d210b", "value": "RpcRtRemote.dll|e68b70eaaf45fa43e726a29ce956f0e6ea26ece51165a1989e22597aebba244f" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429109873", "to_ids": true, "type": "hostname", "uuid": "552e7c71-9a24-4abe-aef2-1534950d210b", "value": "https.reweblink.com" }, { "category": "Artifacts dropped", "comment": "Nflog", "deleted": false, "disable_correlation": false, "timestamp": "1429109918", "to_ids": true, "type": "sha256", "uuid": "552e7c9e-207c-4efc-bf4a-403c950d210b", "value": "64cbcb1f5b8a9d98b3543e3bf342e8c799e0f74f582a5eb0dc383abac7692f63" }, { "category": "Network activity", "comment": "Nflog", "deleted": false, "disable_correlation": false, "timestamp": "1429109934", "to_ids": true, "type": "hostname", "uuid": "552e7cae-34e8-4e05-9cee-4b50950d210b", "value": "new.hotpmsn.com" }, { "category": "Network activity", "comment": "Nflog", "deleted": false, "disable_correlation": false, "timestamp": "1429109958", "to_ids": true, "type": "ip-dst", "uuid": "552e7cc6-2928-42c4-ab4a-468c950d210b", "value": "58.64.156.140" }, { "category": "Network activity", "comment": "NewCT", "deleted": false, "disable_correlation": false, "timestamp": "1429110109", "to_ids": true, "type": "hostname", "uuid": "552e7d5d-cdec-4afb-a0ae-484b950d210b", "value": "bbs.jpaols.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110761", "to_ids": true, "type": "domain", "uuid": "552e7fe9-4294-4638-954e-2d3d950d210b", "value": "jpaols.com" }, { "category": "Payload delivery", "comment": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)", "deleted": false, "disable_correlation": false, "timestamp": "1455839868", "to_ids": true, "type": "md5", "uuid": "56c65a7c-1364-4f10-a9c9-c652950d210f", "value": "5a656afcd99ffac80db0b256e150e69c" }, { "category": "Payload delivery", "comment": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)", "deleted": false, "disable_correlation": false, "timestamp": "1455839870", "to_ids": true, "type": "md5", "uuid": "56c65a7e-ca60-48d9-a6a1-5f51950d210f", "value": "da1d2288aab04a4f97d594d8dd2b8249" }, { "category": "Payload delivery", "comment": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)", "deleted": false, "disable_correlation": false, "timestamp": "1455839872", "to_ids": true, "type": "md5", "uuid": "56c65a80-01d8-42ca-b19d-599e950d210f", "value": "9d10cc1cb4a0fd8d94c02fc5d7ba8bd1" }, { "category": "Payload delivery", "comment": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)", "deleted": false, "disable_correlation": false, "timestamp": "1455839869", "to_ids": true, "type": "sha1", "uuid": "56c65a7d-8344-42ac-8777-c651950d210f", "value": "d698174f2bee6665edda571865d2d6ce4c9995df" }, { "category": "Payload delivery", "comment": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)", "deleted": false, "disable_correlation": false, "timestamp": "1455839871", "to_ids": true, "type": "sha1", "uuid": "56c65a7f-25cc-4ced-b707-599f950d210f", "value": "4f405b7d13748327d1d1737c0b050b104a39fba4" }, { "category": "Payload delivery", "comment": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)", "deleted": false, "disable_correlation": false, "timestamp": "1455839873", "to_ids": true, "type": "sha1", "uuid": "56c65a81-0c80-4738-8bfa-c650950d210f", "value": "d2e1b0e27d0f134b4bab6bf9437067fdf6a16618" }, { "category": "External analysis", "comment": "Sysget/HelloBrige HTTP GET request in response from a getinto command from the C2 server to download a file", "deleted": false, "disable_correlation": false, "timestamp": "1504792656", "to_ids": true, "type": "url", "uuid": "59b15050-20b4-4439-bab6-4cd5950d210f", "value": "http://biosnews.info//index.php?fn=s3&file=" }, { "category": "External analysis", "comment": "Sysget/HelloBridge HTTP POST request in response to a file upload response received from the C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1504792479", "to_ids": true, "type": "url", "uuid": "59b14f9f-34e0-4d67-a264-429c950d210f", "value": "http://biosnews.info//index.php?fn=s2&item=" }, { "category": "External analysis", "comment": "Sysget/HelloBridge Inital dropper HTTP GET request to C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1504792381", "to_ids": true, "type": "url", "uuid": "59b14f3d-6e74-4d60-bbf6-fc46950d210f", "value": "http://biosnews.info/index.php?fn=s4&name=" }, { "category": "External analysis", "comment": "Sysget/HelloBridge configuration file", "deleted": false, "disable_correlation": false, "timestamp": "1504791939", "to_ids": true, "type": "filename", "uuid": "59b14d83-618c-4a64-925a-43ad950d210f", "value": "%temp%\\ibmCon6.tmp" }, { "category": "External analysis", "comment": "PlugX - windows-service-displayname", "deleted": false, "disable_correlation": false, "timestamp": "1504792904", "to_ids": true, "type": "other", "uuid": "59b15148-7220-4e76-a29d-4638950d210f", "value": "RasTls" }, { "category": "External analysis", "comment": "PlugX - persistence mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1504793006", "to_ids": true, "type": "regkey|value", "uuid": "59b151ae-6c70-461a-8aa1-430f950d210f", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RasTls|%windir%\\system32\\svchost.exe" }, { "category": "External analysis", "comment": "Sysget/HelloBridge - event object name", "deleted": false, "disable_correlation": false, "timestamp": "1504793067", "to_ids": true, "type": "other", "uuid": "59b151eb-c048-4ae7-af03-4e28950d210f", "value": "mcsong[]" }, { "category": "External analysis", "comment": "Sysget/HelloBrisge - persistence mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1504793115", "to_ids": true, "type": "regkey|value", "uuid": "59b1521b-a8d4-4a9c-a26e-4fac950d210f", "value": "HKCU\\software\\microsoft\\windows\\currentversion\\run|%temp%\\notilv.exe" }, { "category": "External analysis", "comment": "FormerFirstRAT - hostname|port", "deleted": false, "disable_correlation": false, "timestamp": "1504794043", "to_ids": true, "type": "other", "uuid": "59b155bb-9a94-4af4-baba-4472950d210f", "value": "https.reweblink.com|443" }, { "category": "External analysis", "comment": "FormerFirstRAT - AES-128 encryption key", "deleted": false, "disable_correlation": false, "timestamp": "1504793926", "to_ids": false, "type": "other", "uuid": "59b15546-37f4-4980-bd47-4976950d210f", "value": "tucwatkins" }, { "category": "External analysis", "comment": "NFlog - event object name", "deleted": false, "disable_correlation": false, "timestamp": "1504793469", "to_ids": false, "type": "other", "uuid": "59b1537d-79c4-456b-bec4-4f9b950d210f", "value": "GoogleZCM" }, { "category": "External analysis", "comment": "NFlog - persistence mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1504793358", "to_ids": true, "type": "regkey", "uuid": "59b1530e-77e4-4484-9645-4972950d210f", "value": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update" }, { "category": "External analysis", "comment": "FormerFirstRAT - persistence mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1504793245", "to_ids": true, "type": "regkey", "uuid": "59b1529d-2ab0-429b-a8ae-45e8950d210f", "value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmdmPmSp" }, { "category": "External analysis", "comment": "FormerFirstRAT - protocol|port for protocol anomaly detection", "deleted": false, "disable_correlation": false, "timestamp": "1504793976", "to_ids": true, "type": "other", "uuid": "59b15578-0c2c-445f-a3de-4d1a950d210f", "value": "HTTP|443" }, { "category": "External analysis", "comment": "FormerFirstRAT - persistence mechanism", "deleted": false, "disable_correlation": false, "timestamp": "1504793245", "to_ids": true, "type": "regkey", "uuid": "59b1529d-6e80-4824-991b-4be5950d210f", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmdmPmSp" } ] } }