{ "Event": { "analysis": "0", "date": "2019-06-26", "extends_uuid": "", "info": "Soft Cell case - guessed indicators (via Twitter discussion)", "publish_timestamp": "1561575125", "published": true, "threat_level_id": "3", "timestamp": "1561575047", "uuid": "5d13bc95-ecbc-4af9-b684-423602de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1561574568", "to_ids": false, "type": "link", "uuid": "5d13bca8-77cc-4742-90d0-4e1502de0b81", "value": "https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574629", "to_ids": true, "type": "hostname", "uuid": "5d13bce5-dd84-486e-a09b-415002de0b81", "value": "asyspy256.ddns.net" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574630", "to_ids": true, "type": "hostname", "uuid": "5d13bce6-acc4-4222-8d5d-4f7602de0b81", "value": "cvdfhjh1231.myftp.biz" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574630", "to_ids": true, "type": "hostname", "uuid": "5d13bce6-80a8-4a42-a24d-462b02de0b81", "value": "dffwescwer4325.myftp.biz" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574630", "to_ids": true, "type": "hostname", "uuid": "5d13bce6-ee08-479c-a459-4e7b02de0b81", "value": "hotkillmail9sddcc.ddns.net" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574630", "to_ids": true, "type": "hostname", "uuid": "5d13bce6-c1c4-47f5-9dab-486e02de0b81", "value": "rosaf112.ddns.net" }, { "category": "Network activity", "comment": "A few C2s associated with the hashes Tom posted:", "deleted": false, "disable_correlation": false, "timestamp": "1561574630", "to_ids": true, "type": "hostname", "uuid": "5d13bce6-ac00-4d05-9a1c-43a002de0b81", "value": "sz2016rose.ddns.net" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "5d13bcfe-4314-4e44-b0c2-43c702de0b81", "value": "fa599fddd6b6df4b654e022fe7a91c82152f983e1ce0b97406eb27bb2fb4c3ab" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "5d13bcfe-9fd8-4d8c-9b64-4c0c02de0b81", "value": "12979d85d37a7e246757d5ebf238c6ac91e6641950cf45d95b104eb7dbb7db71" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "5d13bcfe-60e4-4863-82dc-412f02de0b81", "value": "c81dd8dd3623181cbc117ca7255e6ea530f770c05624c6896362f03fbfc06280" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "timestamp": "1561574705", "to_ids": true, "type": "sha256", "uuid": "5d13bd31-d2ac-4a2e-99e7-4e7902de0b81", "value": "5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "timestamp": "1561574706", "to_ids": true, "type": "sha256", "uuid": "5d13bd32-2c90-4102-b8b4-4ba602de0b81", "value": "95817d8c742dd667225273847ea15f46445ab1439e634c05785084af7cb39a58" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1561574865", "to_ids": false, "type": "link", "uuid": "5d13bdd1-5c0c-49b8-8671-4b3302de0b81", "value": "https://twitter.com/tlansec/status/1143451202736336896" }, { "category": "Network activity", "comment": "Attribute #7381380 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1561574884", "to_ids": false, "type": "ip-src", "uuid": "5d13bde4-1b68-4c06-ae4c-5385e387cbd9", "value": "210.56.60.240" }, { "category": "Network activity", "comment": "Attribute #7381381 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1561574884", "to_ids": false, "type": "ip-src", "uuid": "5d13bde4-31ac-4368-922a-5385e387cbd9", "value": "45.121.48.106" }, { "category": "Network activity", "comment": "Attribute #7381382 enriched by dns.", "deleted": false, "disable_correlation": false, "timestamp": "1561574884", "to_ids": false, "type": "ip-src", "uuid": "5d13bde4-9e8c-42cb-bfc9-5385e387cbd9", "value": "45.77.226.209" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1561574752", "uuid": "a84950f4-4292-4648-a458-571a4adf25a9", "ObjectReference": [ { "comment": "", "object_uuid": "a84950f4-4292-4648-a458-571a4adf25a9", "referenced_uuid": "b5a0e459-5c77-470f-9237-ebbbc696c22d", "relationship_type": "analysed-with", "timestamp": "1561574754", "uuid": "5d13bd62-b0b4-4947-a6f1-4c2902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1561574654", "to_ids": true, "type": "md5", "uuid": "117266c8-7aac-4451-a7eb-1f3752f48ecf", "value": "e435b961048c2fecc2e8e697dc9bd666" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1561574654", "to_ids": true, "type": "sha1", "uuid": "aaf3b3fd-a2ab-431c-bcf2-aaf43f8f196c", "value": "5d17fd6904db389040767f8474ca88be4b43de07" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "0433a67e-1f79-4227-9c1c-d6bd06e56dfd", "value": "fa599fddd6b6df4b654e022fe7a91c82152f983e1ce0b97406eb27bb2fb4c3ab" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1561574753", "uuid": "b5a0e459-5c77-470f-9237-ebbbc696c22d", "Attribute": [ { "category": "Other", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1561574654", "to_ids": false, "type": "datetime", "uuid": "6759f955-ea4a-4d4f-a238-5936eeed21a3", "value": "2019-06-25T22:39:22" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1561574654", "to_ids": false, "type": "link", "uuid": "fdd7a321-97b2-4ce4-a4e7-ff904f5c71de", "value": "https://www.virustotal.com/file/fa599fddd6b6df4b654e022fe7a91c82152f983e1ce0b97406eb27bb2fb4c3ab/analysis/1561502362/" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1561574654", "to_ids": false, "type": "text", "uuid": "c9f21984-4969-42ba-9260-08f63be6d4d2", "value": "49/71" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1561574753", "uuid": "f04d4630-aae5-4603-b43a-f905aacf83c5", "ObjectReference": [ { "comment": "", "object_uuid": "f04d4630-aae5-4603-b43a-f905aacf83c5", "referenced_uuid": "21e4d20a-add1-41f7-84c2-c38beaafd633", "relationship_type": "analysed-with", "timestamp": "1561574754", "uuid": "5d13bd62-5a7c-45d1-b752-49cd02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1561574706", "to_ids": true, "type": "md5", "uuid": "183da0f8-57ae-4ac6-a19d-1e0b6a4ad967", "value": "185ad2bfaa924571c492ee1d3f281bac" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1561574706", "to_ids": true, "type": "sha1", "uuid": "574490ac-219e-459a-a5c4-644f0c264b35", "value": "722dc399e6048127e52843075fd652006b8c85a4" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1561574706", "to_ids": true, "type": "sha256", "uuid": "2725594e-beb5-484d-aee3-2a21b2d544b1", "value": "95817d8c742dd667225273847ea15f46445ab1439e634c05785084af7cb39a58" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1561574753", "uuid": "21e4d20a-add1-41f7-84c2-c38beaafd633", "Attribute": [ { "category": "Other", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1561574706", "to_ids": false, "type": "datetime", "uuid": "42fed8da-db9b-4cce-9cae-f00f52b51482", "value": "2019-06-25T04:55:52" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1561574706", "to_ids": false, "type": "link", "uuid": "c0e15224-5bc2-4290-8766-dc9654b59d5c", "value": "https://www.virustotal.com/file/95817d8c742dd667225273847ea15f46445ab1439e634c05785084af7cb39a58/analysis/1561438552/" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1561574706", "to_ids": false, "type": "text", "uuid": "2a6f9f10-9e74-4f1c-a56b-dd93c48c5faa", "value": "34/67" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1561574753", "uuid": "18448777-1668-45b1-a0d5-821d348e970c", "ObjectReference": [ { "comment": "", "object_uuid": "18448777-1668-45b1-a0d5-821d348e970c", "referenced_uuid": "cf10a26e-de17-4073-9445-50f0519dce18", "relationship_type": "analysed-with", "timestamp": "1561574754", "uuid": "5d13bd62-af80-4e11-a45c-40b802de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1561574654", "to_ids": true, "type": "md5", "uuid": "5e18f5dc-775c-4d56-b42a-1c30745bef5b", "value": "fb8c172c964e6740963eb223407a917c" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1561574654", "to_ids": true, "type": "sha1", "uuid": "9c853617-7a99-4880-bda8-4cb4f3e28848", "value": "4448a3cd278d6c7b85987f0c9ba5dfeef7be8dad" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "a92e9ad7-2e1a-4332-9295-5df6dd5661cb", "value": "12979d85d37a7e246757d5ebf238c6ac91e6641950cf45d95b104eb7dbb7db71" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1561574753", "uuid": "cf10a26e-de17-4073-9445-50f0519dce18", "Attribute": [ { "category": "Other", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1561574654", "to_ids": false, "type": "datetime", "uuid": "1213473d-68a4-4940-a71b-9f786124f235", "value": "2019-06-25T22:39:18" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1561574654", "to_ids": false, "type": "link", "uuid": "6a5f1012-9ec0-4c37-825d-28343f4b1bc3", "value": "https://www.virustotal.com/file/12979d85d37a7e246757d5ebf238c6ac91e6641950cf45d95b104eb7dbb7db71/analysis/1561502358/" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1561574654", "to_ids": false, "type": "text", "uuid": "94582d67-0fce-45f4-ba0b-96e6f7e46aaf", "value": "52/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1561574753", "uuid": "eceee0ff-b9ce-47fd-b34e-ee27ec26f394", "ObjectReference": [ { "comment": "", "object_uuid": "eceee0ff-b9ce-47fd-b34e-ee27ec26f394", "referenced_uuid": "6cae530d-e8f6-4513-95e4-0ccddf9c7a84", "relationship_type": "analysed-with", "timestamp": "1561574754", "uuid": "5d13bd62-d928-455b-8e6a-443d02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1561574654", "to_ids": true, "type": "md5", "uuid": "9de022bb-c85a-48d3-b9b4-8cbfa521302d", "value": "89d0cdd3617c118c6ba1a720e9f9bd62" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1561574654", "to_ids": true, "type": "sha1", "uuid": "1b2477a8-0b27-4463-bdeb-21bb01d54f90", "value": "b69594d1fc9d44bb89fa09cacfbf61723b7fe1bd" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1561574654", "to_ids": true, "type": "sha256", "uuid": "4783fb4d-dfe5-432b-a852-82a5362cb466", "value": "c81dd8dd3623181cbc117ca7255e6ea530f770c05624c6896362f03fbfc06280" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1561574753", "uuid": "6cae530d-e8f6-4513-95e4-0ccddf9c7a84", "Attribute": [ { "category": "Other", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1561574654", "to_ids": false, "type": "datetime", "uuid": "4116418a-2b61-46a0-a3a2-f0a8519e5d9b", "value": "2019-06-25T22:39:23" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1561574654", "to_ids": false, "type": "link", "uuid": "9f8cf8f5-392a-4d3e-aeed-d86554b90293", "value": "https://www.virustotal.com/file/c81dd8dd3623181cbc117ca7255e6ea530f770c05624c6896362f03fbfc06280/analysis/1561502363/" }, { "category": "Payload delivery", "comment": "Based on the writeup, likely associated file", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1561574654", "to_ids": false, "type": "text", "uuid": "3ba84440-48e6-4138-b1e2-b28e6bd10df8", "value": "54/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1561574753", "uuid": "9ab69867-6fa8-49ec-96f2-8276c622a426", "ObjectReference": [ { "comment": "", "object_uuid": "9ab69867-6fa8-49ec-96f2-8276c622a426", "referenced_uuid": "baca908c-f701-4c24-8c83-4b5840ba7558", "relationship_type": "analysed-with", "timestamp": "1561574754", "uuid": "5d13bd62-48bc-489f-a3c9-417502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1561574705", "to_ids": true, "type": "md5", "uuid": "d4d6000e-5141-4c78-8855-a25b72a2cd3b", "value": "9a97ddbb141d01ce0b1b994399cfb7dc" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1561574705", "to_ids": true, "type": "sha1", "uuid": "70289b0e-0959-4c5e-9b99-195463ae59cd", "value": "e841a63e47361a572db9a7334af459ddca11347a" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1561574705", "to_ids": true, "type": "sha256", "uuid": "a76dfbff-40fb-4581-ac93-1c75aa9d096c", "value": "5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1561574754", "uuid": "baca908c-f701-4c24-8c83-4b5840ba7558", "Attribute": [ { "category": "Other", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1561574705", "to_ids": false, "type": "datetime", "uuid": "6e0656fd-9975-4200-b7f4-601aed707e4f", "value": "2019-02-14T01:23:14" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1561574705", "to_ids": false, "type": "link", "uuid": "03c6dda3-fceb-466b-a741-59590d4dd000", "value": "https://www.virustotal.com/file/5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022/analysis/1550107394/" }, { "category": "Payload delivery", "comment": "Adding two more hashes of mal-ssMUIDLL.dlls:", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1561574705", "to_ids": false, "type": "text", "uuid": "779f1fd3-da3e-4e43-b7e7-580f9fbf9296", "value": "42/69" } ] } ] } }