{ "Event": { "analysis": "2", "date": "2015-03-10", "extends_uuid": "", "info": "OSINT Tibetan Uprising Day Malware Attacks by Citizen Labs", "publish_timestamp": "1426149018", "published": true, "threat_level_id": "2", "timestamp": "1426147474", "uuid": "55014406-fd90-4fc1-a814-4638950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": "0", "name": "tlp:green", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146321", "to_ids": false, "type": "link", "uuid": "55014411-d4cc-4047-bc11-4dd5950d210b", "value": "https://citizenlab.org/2015/03/tibetan-uprising-day-malware-attacks/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146351", "to_ids": true, "type": "email-attachment", "uuid": "5501442f-79a8-4594-a548-310e950d210b", "value": "10th March.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146373", "to_ids": false, "type": "vulnerability", "uuid": "55014445-9d54-4f18-a108-4f7f950d210b", "value": "CVE-2012-0158" }, { "category": "Network activity", "comment": "MsAttacker", "deleted": false, "disable_correlation": false, "timestamp": "1426147197", "to_ids": true, "type": "ip-dst", "uuid": "5501445e-a540-44d5-801d-4c2c950d210b", "value": "122.10.117.152" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146418", "to_ids": true, "type": "url", "uuid": "55014472-b0d8-48fe-800e-ca98950d210b", "value": "http://122.10.117.152/download/ms/MiniJs.dll" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146418", "to_ids": true, "type": "url", "uuid": "55014472-1174-4e76-838f-ca98950d210b", "value": "/download/ms/MiniJs.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146445", "to_ids": true, "type": "filename", "uuid": "5501448d-2ed8-43ef-8476-492b950d210b", "value": "%WINDIR%\\system32\\teamviewsvc.dll" }, { "category": "Network activity", "comment": "MsAttacker", "deleted": false, "disable_correlation": false, "timestamp": "1426147197", "to_ids": true, "type": "ip-dst", "uuid": "550144a0-0f58-4165-94d0-48f2950d210b", "value": "23.27.127.200" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146474", "to_ids": false, "type": "text", "uuid": "550144aa-d8d4-43f4-b4cc-45f2950d210b", "value": "MsAttacker" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146502", "to_ids": true, "type": "email-attachment", "uuid": "550144c6-705c-4176-a9aa-9778950d210b", "value": "WTO. non-market status China _1_.doc" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146517", "to_ids": false, "type": "link", "uuid": "550144d5-fc14-4bf8-a9af-4fe8950d210b", "value": "https://malwr.com/analysis/MDE4MDMzNGQ0MjY2NDY1OWE5ZTVhMDRmZjQzNTlkYWM/" }, { "category": "Artifacts dropped", "comment": "MiniJS.dll", "deleted": false, "disable_correlation": false, "timestamp": "1426146735", "to_ids": true, "type": "md5", "uuid": "550145af-46c8-4980-8fab-ca98950d210b", "value": "2782c233ddde25040fb1febf9b13611e" }, { "category": "Artifacts dropped", "comment": "MiniJS.dll", "deleted": false, "disable_correlation": false, "timestamp": "1426146735", "to_ids": true, "type": "sha1", "uuid": "550145af-1cd8-4470-bddc-ca98950d210b", "value": "be50ef6c94f3b630886e1b337e89f4ea9d6e7649" }, { "category": "Artifacts dropped", "comment": "MiniJS.dll", "deleted": false, "disable_correlation": false, "timestamp": "1426146735", "to_ids": true, "type": "sha256", "uuid": "550145af-1448-4610-9e15-ca98950d210b", "value": "50aebd2a1e3b8917d6c2b5e88c2e2999b2368fca550c548d0836aa57e35c463f" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146758", "to_ids": false, "type": "text", "uuid": "550145c6-f97c-4ba4-aa09-9778950d210b", "value": "ShadowNet" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146796", "to_ids": true, "type": "url", "uuid": "550145ec-ddf8-4a02-b69f-49fb950d210b", "value": "http://johnsmith152.typepad.com/blog/rss.xml" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146797", "to_ids": true, "type": "url", "uuid": "550145ed-a194-4be4-ae2d-49c2950d210b", "value": "http://mynewshemm.wordpress.com/feed/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146797", "to_ids": true, "type": "url", "uuid": "550145ed-4940-425d-8b3d-4532950d210b", "value": "http://johnsmith5382.thoughts.com/feed" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146820", "to_ids": true, "type": "url", "uuid": "55014604-fde8-40d8-a01a-9778950d210b", "value": "http://www.semamail.info/firex/test.php" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146847", "to_ids": true, "type": "ip-dst", "uuid": "5501461f-b418-4dc1-a388-ca98950d210b", "value": "122.10.117.5" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146868", "to_ids": false, "type": "AS", "uuid": "55014634-3e34-4ce2-94d9-4d15950d210b", "value": "24544" }, { "category": "Attribution", "comment": "Registrant of semamail.info", "deleted": false, "disable_correlation": false, "timestamp": "1426146912", "to_ids": false, "type": "text", "uuid": "55014660-9d28-4cca-98bc-4cb7950d210b", "value": "mike.fly@email.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426146923", "to_ids": true, "type": "domain", "uuid": "5501466b-005c-467a-9862-47c4950d210b", "value": "semamail.info" }, { "category": "Network activity", "comment": "Same registrant as semamail.info", "deleted": false, "disable_correlation": false, "timestamp": "1426146986", "to_ids": true, "type": "domain", "uuid": "5501468b-374c-4fec-a0d3-4a94950d210b", "value": "conamail.info" }, { "category": "Network activity", "comment": "Same registrant as semamail.info", "deleted": false, "disable_correlation": false, "timestamp": "1426146986", "to_ids": true, "type": "domain", "uuid": "5501468b-2338-4833-bb8e-456d950d210b", "value": "convmail.info" }, { "category": "Network activity", "comment": "Same registrant as semamail.info", "deleted": false, "disable_correlation": false, "timestamp": "1426146986", "to_ids": true, "type": "domain", "uuid": "5501468b-4f98-4f19-a158-435a950d210b", "value": "fifamp3.info" }, { "category": "Network activity", "comment": "Also resolved to 122.10.117.35", "deleted": false, "disable_correlation": false, "timestamp": "1426147024", "to_ids": true, "type": "hostname", "uuid": "550146d0-f174-4578-a83d-ca98950d210b", "value": "rukiyeangel.dyndns.pro" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "md5", "uuid": "5501471c-d41c-4568-91e3-41ad950d210b", "value": "8346b50c3954b5c25bf13fcd281eb11a" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "sha1", "uuid": "5501471c-4798-4566-a48c-48ad950d210b", "value": "d9a74528bb56a841cea1fe5fa3e0c777a8e96402" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "sha256", "uuid": "5501471c-1f40-458f-8f17-40f5950d210b", "value": "de7058700f06c5310c26944b28203bc82035f9ff74021649db39a24470517fd1" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "md5", "uuid": "5501471c-58e8-47c0-9fe2-48dc950d210b", "value": "6fc909a57650daff9a8b9264f38444a7" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "sha1", "uuid": "5501471c-f594-446e-9879-4b61950d210b", "value": "2a2a1fae6be0468d388aa2c721a0edd93fb37649" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147100", "to_ids": true, "type": "sha256", "uuid": "5501471c-51cc-4abf-b1d9-4f6e950d210b", "value": "a264cec4096a04c47013d41dcddab9f99482f8f83d61e13be4bcf4614f79b7a0" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147142", "to_ids": true, "type": "md5", "uuid": "55014746-35d0-487a-9f31-4410950d210b", "value": "69a0f490de6ae9fdde0ad9cc35305a7d" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147142", "to_ids": true, "type": "sha1", "uuid": "55014746-0bb8-43fe-98a9-4058950d210b", "value": "e3532fc890f659fb6afb9115b388e0024565888c" }, { "category": "Artifacts dropped", "comment": "MsAttacker Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147142", "to_ids": true, "type": "sha256", "uuid": "55014746-1458-4bcd-aabf-4688950d210b", "value": "3de8fb09d79166f10f4a10aef1202c2cb45849943f224dc6c61df8d18435e064" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426147229", "to_ids": true, "type": "url", "uuid": "5501479d-ffe8-4bdf-b1ba-0959950d210b", "value": "http://122.10.117.152/download/ms/CryptBase.32.cab" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426147229", "to_ids": true, "type": "url", "uuid": "5501479d-07b8-45b9-aaf3-0959950d210b", "value": "http://122.10.117.152/download/ms/CryptBase.64.cab" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147266", "to_ids": true, "type": "md5", "uuid": "550147c2-aeb8-44cc-84eb-4c8f950d210b", "value": "72707089512762fce576e29a0472eb16" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147266", "to_ids": true, "type": "sha1", "uuid": "550147c2-ef78-4730-9051-4e54950d210b", "value": "4ab039da14acf7d80fbb11034ef9ccc861c5ed24" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 0", "deleted": false, "disable_correlation": false, "timestamp": "1426147266", "to_ids": true, "type": "sha256", "uuid": "550147c2-f8e0-49e2-ac9f-4140950d210b", "value": "ddfa44ebb181282e815e965a1c531c7e145128aa7306b508a563e10d5f9f03fb" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147316", "to_ids": true, "type": "md5", "uuid": "550147f4-84c0-4e82-bc24-0955950d210b", "value": "d8ae44cd65f97654f066edbcb501d999" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147317", "to_ids": true, "type": "sha1", "uuid": "550147f5-6850-4f1d-9a7f-0955950d210b", "value": "602a762dca46f7639210e60c59f89a6e7a16391b" }, { "category": "Artifacts dropped", "comment": "ShadowNet Stage 1", "deleted": false, "disable_correlation": false, "timestamp": "1426147317", "to_ids": true, "type": "sha256", "uuid": "550147f5-3fa4-48f9-ac44-0955950d210b", "value": "e8f36317e29206d48bd0e6dd6570872122be44f82ca1de01aef373b3cdb2c0e1" } ] } }