{ "Event": { "analysis": "2", "date": "2014-09-10", "extends_uuid": "", "info": "OSINT The Path to Mass-Producing Cyber Attacks by FireEye", "publish_timestamp": "1511190239", "published": true, "threat_level_id": "2", "timestamp": "1511190235", "uuid": "552e7e46-62f4-4908-9fd6-488f950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#f71212", "local": "0", "name": "APT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110366", "to_ids": false, "type": "link", "uuid": "552e7e5e-aafc-4c3b-b173-288a950d210b", "value": "https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110366", "to_ids": false, "type": "link", "uuid": "552e7e5e-8170-46e5-bb7d-288a950d210b", "value": "https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110406", "to_ids": false, "type": "text", "uuid": "552e7e86-05bc-4290-9f28-2d4e950d210b", "value": "Moafee" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110406", "to_ids": false, "type": "text", "uuid": "552e7e86-69b4-4a18-9db2-2d4e950d210b", "value": "DragonOK" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110459", "to_ids": false, "type": "comment", "uuid": "552e7ebb-9c0c-4983-8f4d-2d4c950d210b", "value": "The 
\u201cDragonOK\u201d group in particular is known\r\nto use password-protected documents\r\ndelivered as attachments in emails, with the\r\npassword listed in the contents of the email.\r\nThis method probably is used to evade\r\ndetection by AV software, gateway firewalls\r\nand malware sandboxes. One such example\r\nusing the password \u201c888888\u201d is shown in\r\nFigure 2 and Figure 6, and has been observed\r\nby FireEye before. Another similar sample\r\nwas referenced by the \u201ccontagio\u201d blog and\r\nused the password \u201c8861\u201d." }, { "category": "Attribution", "comment": "Password for password-protected documents sent as emails", "deleted": false, "disable_correlation": false, "timestamp": "1429110507", "to_ids": false, "type": "text", "uuid": "552e7eeb-8194-435b-b481-2d36950d210b", "value": "8861" }, { "category": "Attribution", "comment": "Password for password-protected documents sent as emails", "deleted": false, "disable_correlation": false, "timestamp": "1429110508", "to_ids": false, "type": "text", "uuid": "552e7eec-cba8-45cd-9ed0-2d36950d210b", "value": "888888" }, { "category": "Payload delivery", "comment": "NewCT 1st stage", "deleted": false, "disable_correlation": false, "timestamp": "1429110564", "to_ids": true, "type": "md5", "uuid": "552e7f24-3428-49f0-b6e4-288a950d210b", "value": "46e55cdf507ef10b11d74dad6af8b94e" }, { "category": "Artifacts dropped", "comment": "NewCT", "deleted": false, "disable_correlation": false, "timestamp": "1429110614", "to_ids": true, "type": "md5", "uuid": "552e7f56-6734-44dc-a033-2d3e950d210b", "value": "ccff6e0a6f5e7715bdaf62adf0cbed4f" }, { "category": "Network activity", "comment": "NewCT", "deleted": false, "disable_correlation": false, "timestamp": "1429110662", "to_ids": true, "type": "hostname", "uuid": "552e7f86-3b1c-4fd2-b362-2d37950d210b", "value": "http.jpaols.com" }, { "category": "Network 
activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110739", "to_ids": true, "type": "domain", "uuid": "552e7fd3-eba4-4e04-9b2a-26d8950d210b", "value": "jpaols.com" }, { "category": "Artifacts dropped", "comment": "CTRat DLL", "deleted": false, "disable_correlation": false, "timestamp": "1429110808", "to_ids": true, "type": "md5", "uuid": "552e8018-b0e8-4ce7-8f1a-288a950d210b", "value": "ebd1f5e471774bb283de44e121efa3e5" }, { "category": "Payload delivery", "comment": "Password-protected document delivering NewCT", "deleted": false, "disable_correlation": false, "timestamp": "1429110854", "to_ids": true, "type": "md5", "uuid": "552e8046-cdc8-45fd-b5a9-2d36950d210b", "value": "46ac122183c32858581e95ef40bd31b3" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110876", "to_ids": true, "type": "hostname", "uuid": "552e805c-ed10-4f3c-a946-2d37950d210b", "value": "ct.datangcun.com" }, { "category": "Network activity", "comment": "Sysget/HelloBridge", "deleted": false, "disable_correlation": false, "timestamp": "1429110972", "to_ids": true, "type": "ip-dst", "uuid": "552e80bc-eebc-499b-948e-26d8950d210b", "value": "122.10.62.137" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110990", "to_ids": true, "type": "url", "uuid": "552e80ce-b5e8-4111-980b-2d3d950d210b", "value": "/el/slogin.php?uid=" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110990", "to_ids": true, "type": "url", "uuid": "552e80ce-4138-488c-88f1-2d3d950d210b", "value": "/el/suploadfile.php?item=" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429110990", "to_ids": true, "type": "url", "uuid": "552e80ce-bb60-4310-b099-2d3d950d210b", "value": "/el/suploadfile.php" }, { "category": "Network 
activity", "comment": "Mongall", "deleted": false, "disable_correlation": false, "timestamp": "1429111024", "to_ids": true, "type": "hostname", "uuid": "552e80f0-afb8-41a9-ad0d-288a950d210b", "value": "mail.jpaols.com" }, { "category": "Artifacts dropped", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429111056", "to_ids": true, "type": "md5", "uuid": "552e8110-174c-4014-a7ac-2d36950d210b", "value": "65fcc9b9ff608801edc697552438cfee" }, { "category": "Network activity", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429111089", "to_ids": true, "type": "hostname", "uuid": "552e8131-c888-48d3-8280-2d37950d210b", "value": "ftp.skydnastwm.com" }, { "category": "Network activity", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429111118", "to_ids": true, "type": "hostname", "uuid": "552e814e-4b10-4271-bd80-26d8950d210b", "value": "afp.mozjlla.com" }, { "category": "Artifacts dropped", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429111171", "to_ids": true, "type": "mutex", "uuid": "552e8183-7244-4e45-989d-2d3d950d210b", "value": "fftp" }, { "category": "Artifacts dropped", "comment": "Poison Ivy", "deleted": false, "disable_correlation": false, "timestamp": "1429111171", "to_ids": true, "type": "mutex", "uuid": "552e8183-affc-4449-9b84-2d3d950d210b", "value": ")!afpA.I4" }, { "category": "Network activity", "comment": "C&C server for Moafee group", "deleted": false, "disable_correlation": false, "timestamp": "1429111223", "to_ids": true, "type": "ip-dst", "uuid": "552e81b7-bacc-4b17-a67c-288a950d210b", "value": "58.64.201.229" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-b3dc-49e3-bcfc-2d36950d210b", "value": 
"ph.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-20e4-40d3-95ff-2d36950d210b", "value": "mofa.mozjlla.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-e150-41a4-9d09-2d36950d210b", "value": "acer.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-87c8-404e-9fb8-2d36950d210b", "value": "del.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-77f4-4e25-8c3c-2d36950d210b", "value": "jnt.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-ce08-4176-826d-2d36950d210b", "value": "pcg.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": "552e8244-063c-465d-bf3e-2d36950d210b", "value": "sslc.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111364", "to_ids": true, "type": "hostname", "uuid": 
"552e8244-cd38-4e11-91fc-2d36950d210b", "value": "at.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-d288-4cab-8f4e-2d36950d210b", "value": "lw.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-fb5c-4894-acbc-2d36950d210b", "value": "ks.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-4598-409f-8170-2d36950d210b", "value": "oa.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-7c08-4e42-9079-2d36950d210b", "value": "xxpp.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-7f9c-4a95-9705-2d36950d210b", "value": "hp.moafee.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, "type": "hostname", "uuid": "552e8245-9ae4-44fd-b87b-2d36950d210b", "value": "gumm.mozjlla.com" }, { "category": "Network activity", "comment": "Linked to Moafee group and resolved to 58.64.201.229", "deleted": false, "disable_correlation": false, "timestamp": "1429111365", "to_ids": true, 
"type": "hostname", "uuid": "552e8245-18b4-4a5c-9550-2d36950d210b", "value": "msn.moafee.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111395", "to_ids": false, "type": "comment", "uuid": "552e8263-d674-438e-bd0e-2d36950d210b", "value": "During this same time frame, the HTRAN client\r\nat 58.64.201.229 was observed\r\nattempting to connect to a number of different\r\nbackend HTRAN servers. All of these HTRAN\r\nservers were located in the Guangdong\r\nProvince and operated by CHINANET." }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111427", "to_ids": true, "type": "hostname", "uuid": "552e8283-3244-45ca-a9f8-2d3e950d210b", "value": "phi.crabdance.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111492", "to_ids": true, "type": "ip-dst", "uuid": "552e82c4-b61c-45ab-82d5-2d37950d210b", "value": "98.126.91.66" }, { "category": "Network activity", "comment": "Destination of connections from HTRAN proxy running on 98.126.91.66", "deleted": false, "disable_correlation": false, "timestamp": "1429111522", "to_ids": true, "type": "ip-dst", "uuid": "552e82e2-7440-4b6a-9d0b-2d36950d210b", "value": "113.66.248.60" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": "552e834d-9ea0-446b-a5f5-2d3d950d210b", "value": "113.65.22.148" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": "552e834d-c320-45d8-87d6-2d3d950d210b", "value": "113.65.41.28" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": 
"552e834d-2bdc-4136-8e3f-2d3d950d210b", "value": "113.65.43.42" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": "552e834d-3090-4042-805a-2d3d950d210b", "value": "113.66.12.112" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": "552e834d-66ec-4424-8974-2d3d950d210b", "value": "113.68.108.62" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111629", "to_ids": true, "type": "ip-dst", "uuid": "552e834d-a664-437f-9ad5-2d3d950d210b", "value": "113.68.110.239" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111630", "to_ids": true, "type": "ip-dst", "uuid": "552e834e-5e14-4338-9113-2d3d950d210b", "value": "113.68.111.111" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111630", "to_ids": true, "type": "ip-dst", "uuid": "552e834e-368c-4916-bb39-2d3d950d210b", "value": "113.68.168.73" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111630", "to_ids": true, "type": "ip-dst", "uuid": "552e834e-96a4-45ef-8863-2d3d950d210b", "value": "113.68.171.67" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1511190235", "to_ids": false, "type": "ip-dst", "uuid": "552e834e-e264-4582-ac4d-2d3d950d210b", "value": "169.254.163.19" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1511190232", "to_ids": false, "type": "ip-dst", "uuid": "552e834e-df34-48b6-af5b-2d3d950d210b", "value": "169.254.61.191" }, { "category": "Network activity", "comment": "", 
"deleted": false, "disable_correlation": false, "timestamp": "1511190229", "to_ids": false, "type": "ip-dst", "uuid": "552e834e-1c58-488e-a8fb-2d3d950d210b", "value": "169.254.92.25" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111653", "to_ids": true, "type": "domain", "uuid": "552e8365-4648-49a8-9526-2d3e950d210b", "value": "ndbssh.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111693", "to_ids": true, "type": "ip-dst", "uuid": "552e838d-0d54-480e-8b42-288a950d210b", "value": "58.217.168.205" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111693", "to_ids": true, "type": "ip-dst", "uuid": "552e838d-1274-4bfe-9281-288a950d210b", "value": "222.95.171.178" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111693", "to_ids": true, "type": "ip-dst", "uuid": "552e838d-bf58-435e-87de-288a950d210b", "value": "58.217.169.95" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111774", "to_ids": true, "type": "hostname", "uuid": "552e83de-c6fc-42b9-a7a1-2d4e950d210b", "value": "www.ghostale.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111774", "to_ids": true, "type": "hostname", "uuid": "552e83de-7568-4858-a111-2d4e950d210b", "value": "www.ycbackap.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111774", "to_ids": true, "type": "hostname", "uuid": "552e83de-55f0-4c10-80c7-2d4e950d210b", "value": "asp.skyppee.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111774", "to_ids": true, "type": "hostname", 
"uuid": "552e83de-c538-42e1-800a-2d4e950d210b", "value": "facebook.skyppee.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111774", "to_ids": true, "type": "hostname", "uuid": "552e83de-2b18-42a6-9c57-2d4e950d210b", "value": "pop.skyppee.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111775", "to_ids": true, "type": "hostname", "uuid": "552e83df-9638-4ad8-8ff9-2d4e950d210b", "value": "mail.skyppee.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111775", "to_ids": true, "type": "hostname", "uuid": "552e83df-0304-4ce7-a6b0-2d4e950d210b", "value": "mil.skyppee.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111775", "to_ids": true, "type": "hostname", "uuid": "552e83df-0104-4db0-abec-2d4e950d210b", "value": "web.pktmedia.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111775", "to_ids": true, "type": "hostname", "uuid": "552e83df-314c-497f-b308-2d4e950d210b", "value": "bbs.pktmedia.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1429111811", "to_ids": true, "type": "ip-dst", "uuid": "552e8403-9fa4-47b3-8523-4268950d210b", "value": "206.161.216.219" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1505115151", "to_ids": false, "type": "link", "uuid": "59b63c0f-2264-46b4-a74c-1450950d210f", "value": "https://www.fireeye.com/blog/threat-research/2013/02/hackers-targeting-taiwanese-technology-firm.html" } ] } }