{ "Event": { "analysis": "2", "date": "2019-10-07", "extends_uuid": "", "info": "Operation Ghost - White Paper", "publish_timestamp": "1622612225", "published": true, "threat_level_id": "1", "timestamp": "1622553001", "uuid": "5d9b516c-e5f0-4e7c-a958-5d8c0a019371", "Orgc": { "name": "ESET", "uuid": "55f6ea5e-51ac-4344-bc8c-4170950d210f" }, "Tag": [ { "colour": "#12e100", "local": "0", "name": "misp-galaxy:threat-actor=\"APT 29\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1193\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Execution through API - T1106\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Execution through Module Load - T1129\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1086\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Rundll32 - T1085\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Service Execution - T1035\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Valid Accounts - T1078\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"File Deletion - T1107\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Modify Registry - T1112\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1060\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Scheduled Task - T1053\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Software Packing - T1045\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Windows Management Instrumentation Event Subscription - T1084\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Connection Proxy - T1090\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Data Obfuscation - T1001\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Data from Local System - T1005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Data from Network Shared Drive - T1039\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Data from Removable Media - T1025\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Network Share Discovery - T1135\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Process Discovery - T1057\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Standard Application Layer Protocol - T1071\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"System Network Connections Discovery - T1049\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Windows Admin Shares - T1077\"", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460074", "to_ids": false, "type": "sha1", "uuid": "5d9b51aa-15c8-4405-af09-68700a019371", "value": "4ba559c403ff3f5cc2571ae0961eaff6cf0a50f6" }, { "category": "Artifacts dropped", "comment": "PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460074", "to_ids": false, "type": "sha1", "uuid": "5d9b51aa-ace8-4da0-8312-68700a019371", "value": "cf14ac569a63df214128f375c12d90e535770395" }, { "category": "Artifacts dropped", "comment": "PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460074", "to_ids": false, "type": "sha1", "uuid": "5d9b51aa-9458-4ae0-9484-68700a019371", "value": "539d021cd17d901539a5e1132ecaab7164ed5db5" }, { "category": "Artifacts dropped", "comment": "PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460074", "to_ids": false, "type": "sha1", "uuid": "5d9b51aa-6afc-451f-bab9-68700a019371", "value": "0e25ee58b119dd48b7c9931879294ac3fc433f50" }, { "category": "Artifacts dropped", "comment": "PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460074", "to_ids": false, "type": "sha1", "uuid": "5d9b51aa-12dc-4dcc-9417-68700a019371", "value": "d625c7ce9dc7e56a29ec9a81650280edc6189616" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-0580-40ee-9b20-5d8c0a019371", "value": "0a5a7dd4ad0f2e50f3577f8d43a4c55ddc1d80cf" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-51b0-4b23-ae70-5d8c0a019371", "value": "f7fd63c0534d2f717fd5325d4397597c9ee4065f" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-73f8-40d1-bb26-5d8c0a019371", "value": "194d8e2ae4c723ce5fe11c4d9cfefbba32dcf766" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-09fc-40b5-8a60-5d8c0a019371", "value": "64d6c11fff2c2aadaacee01b294afcc751316176" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-cd7c-41b9-a8bc-5d8c0a019371", "value": "6acc0b1230303f8cf46152697d3036d69ea5a849" }, { "category": "Artifacts dropped", "comment": "RegDuke loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460097", "to_ids": false, "type": "sha1", "uuid": "5d9b51c1-e304-4f81-907a-5d8c0a019371", "value": "170be45669026f3c1fc5ba2d48817dbf950da3f6" }, { "category": "Artifacts dropped", "comment": "RegDuke backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1570460111", "to_ids": false, "type": "sha1", "uuid": "5d9b51cf-0878-4c96-be15-5c5f0a019371", "value": "5905c55189c683bc37258aec28e916c41948cd1c" }, { "category": "Artifacts dropped", "comment": "MiniDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460132", "to_ids": false, "type": "sha1", "uuid": "5d9b51e4-1e94-460f-be39-5d8c0a019371", "value": "b05caba461000c6ebd8b237f318577e9bccd6047" }, { "category": "Artifacts dropped", "comment": "MiniDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460132", "to_ids": false, "type": "sha1", "uuid": "5d9b51e4-4a34-44ca-9a39-5d8c0a019371", "value": "718c2ce6170d6ca505297b41de072d8d3b873456" }, { "category": "Artifacts dropped", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460150", "to_ids": false, "type": "sha1", "uuid": "5d9b51f6-2f00-44e4-b4dc-68530a019371", "value": "a88da2dd033775f7abc8d6fb3ad5dd48efbeade1" }, { "category": "Artifacts dropped", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460150", "to_ids": false, "type": "sha1", "uuid": "5d9b51f6-ce40-4e22-96e3-68530a019371", "value": "db19171b239ef6de8e83b2926eadc652e74a5afa" }, { "category": "Artifacts dropped", "comment": "FatDuke Loader", "deleted": false, "disable_correlation": false, "timestamp": "1570460165", "to_ids": false, "type": "sha1", "uuid": "5d9b5205-1218-43d1-9cad-5c610a019371", "value": "9e96b00e9f7eb94a944269108b9e02d97142eedc" }, { "category": "Artifacts dropped", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460178", "to_ids": false, "type": "sha1", "uuid": "5d9b5212-dd04-4116-8f9a-68700a019371", "value": "af2b46d4371ce632e2669fea1959ee8af4ec39ce" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-47f4-4e45-ae18-68700a019371", "value": "Win32/Agent.ZWH" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-13e0-488a-b58d-68700a019371", "value": "Win32/Agent.AAPY" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-50dc-48fd-987d-68700a019371", "value": "Win64/Agent.OL" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-2f2c-4a50-b04d-68700a019371", "value": "MSIL/Tiny.BG" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-4388-4d08-8fff-68700a019371", "value": "MSIL/Agent.TGC" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-dbec-4dda-a107-68700a019371", "value": "MSIL/Agent.SVP" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-5dfc-4b5e-8514-68700a019371", "value": "MSIL/Agent.SXO" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-b3f8-4c0c-af39-68700a019371", "value": "MSIL/Agent.SYC" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-9fb4-4c4f-adfe-68700a019371", "value": "MSIL/Agent.CAW" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-2ce8-4cbc-a8aa-68700a019371", "value": "Win32/Agent.TSG" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-8d30-48e8-ab45-68700a019371", "value": "Win32/Agent.TUF" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-eddc-4911-b1b5-68700a019371", "value": "Win32/Agent.TSH" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1570460262", "to_ids": false, "type": "text", "uuid": "5d9b5266-ccf4-4375-92c4-68700a019371", "value": "Win32/Agent.AART" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-4ba0-4020-9d93-244b0a019371", "value": "http://ibb.co/hVhaAq" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-6ec4-4c3f-8491-244b0a019371", "value": "http://imgur.com/1RzfF7r" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-02dc-4d44-baee-244b0a019371", "value": "http://imgur.com/6wjspWp" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-08c4-4135-b041-244b0a019371", "value": "http://imgur.com/d4ObKL0" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-e778-4c75-a841-244b0a019371", "value": "http://imgur.com/D6U06Ci" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-d990-4a08-b579-244b0a019371", "value": "http://imgur.com/GZSK9zI" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-c0dc-4d7c-9d79-244b0a019371", "value": "http://imgur.com/wcMk7a2" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-19f8-4153-9e84-244b0a019371", "value": "http://imgur.com/WMTwSMJ" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-4754-4a4a-bc66-244b0a019371", "value": "http://imgur.com/WOKHonk" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-e4a8-42be-9860-244b0a019371", "value": "http://imgur.com/XFa7Ee1" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-34c8-45be-b9c6-244b0a019371", "value": "http://jack998899jack.imgbb.com" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-1c78-424a-8957-244b0a019371", "value": "http://simp.ly/publish/pBn8Jt" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-684c-45e0-bf7d-244b0a019371", "value": "http://thinkery.me/billywilliams/5a0170161cb602262f000d2c" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-4b70-4e3c-97d7-244b0a019371", "value": "http://twitter.com/aimeefleming25" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-af58-4b15-bc0c-244b0a019371", "value": "http://twitter.com/hen_rivero" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-7e08-40df-bc6d-244b0a019371", "value": "http://twitter.com/JamesScott1990" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-f4d4-499e-9ad1-244b0a019371", "value": "http://twitter.com/KarimM_traveler" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-23a8-4073-a28b-244b0a019371", "value": "http://twitter.com/lerg5pvo1i" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-ee28-414f-b997-244b0a019371", "value": "http://twitter.com/m63vhd7ach3" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-2a28-4405-8359-244b0a019371", "value": "http://twitter.com/MarlinTarin" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-8e90-4f56-a4f2-244b0a019371", "value": "http://twitter.com/np8j7ovqdl" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-57c0-4f8b-b4fd-244b0a019371", "value": "http://twitter.com/q5euqysfu5" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-ebd8-4e88-8f89-244b0a019371", "value": "http://twitter.com/qistp743li" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-1fd8-449a-bcca-244b0a019371", "value": "http://twitter.com/t8t842io2" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-f204-4212-9bf0-244b0a019371", "value": "http://twitter.com/ua6ivyxkfv" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-f86c-4c2c-8488-244b0a019371", "value": "http://twitter.com/utyi5asko02" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-3374-45d5-9e50-244b0a019371", "value": "http://twitter.com/vgmmmyqaq" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-43e8-42db-9dff-244b0a019371", "value": "http://twitter.com/vvwc63tgz" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-8d00-4008-a567-244b0a019371", "value": "http://twitter.com/wekcddkg2ra" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-92e8-4fb5-a248-244b0a019371", "value": "http://twitter.com/xzg3a2e2z" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571218510", "to_ids": false, "type": "url", "uuid": "5d9b5280-d0ac-4e23-8073-244b0a019371", "value": "http://www.evernote.com/shard/s675/sh/6686ff4e-8896-499b-8cdb-a2bbf2cc4db9/fc7fbe66c820f17c30147235e95d31b8" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-dd60-40ae-8193-244b0a019371", "value": "http://www.fotolog.com/g1h4wuiz6" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-5b00-4262-a7b8-244b0a019371", "value": "http://www.fotolog.com/gf3z425rr0" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-7810-479d-83f3-244b0a019371", "value": "http://www.fotolog.com/i4ntff47xfw" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-1d58-475f-b0a1-244b0a019371", "value": "http://www.fotolog.com/joannevil/121000000000030009/" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-e1e0-4b90-ac29-244b0a019371", "value": "http://www.fotolog.com/o2rh2s2x7pu" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-fa88-455d-81df-244b0a019371", "value": "http://www.fotolog.com/q4tusizx9xb" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-f454-4a69-800d-244b0a019371", "value": "http://www.fotolog.com/rypnil03sl6" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-8a20-4d7c-9c2b-244b0a019371", "value": "http://www.fotolog.com/shx8hypubt" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-cc94-4a3f-8188-244b0a019371", "value": "http://www.fotolog.com/u99aliw5g" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-6850-4edc-a27a-244b0a019371", "value": "http://www.fotolog.com/uq44y4j19m8" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-9718-4951-a03f-244b0a019371", "value": "http://www.fotolog.com/vq21p34" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-b344-4e20-83df-244b0a019371", "value": "http://www.fotolog.com/vz1g3wmwu" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-bcb0-4d3c-8399-244b0a019371", "value": "http://www.fotolog.com/zu2of5vyfl6" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-af10-419a-a616-244b0a019371", "value": "http://www.google.com/?gws_rd=ssl#q=Heiofjskghwe+Hjwefkbqw" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-32e4-4037-907f-244b0a019371", "value": "http://www.kiwibox.com/AfricanRugby/info/" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-2990-4c1a-af9d-244b0a019371", "value": "http://www.kiwibox.com/GaryPhotographe/info/" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-ce34-4474-8848-244b0a019371", "value": "http://www.reddit.com/user/BeaumontV/" }, { "category": "Network activity", "comment": "Public webpage used by PolyglotDuke", "deleted": false, "disable_correlation": false, "timestamp": "1570460288", "to_ids": false, "type": "url", "uuid": "5d9b5280-8ef8-4149-8f81-244b0a019371", "value": "http://www.reddit.com/user/StevensThomasWis/" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-d71c-4634-b0cd-5d8c0a019371", "value": "acciaio.com.br" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-9690-4856-93cc-5d8c0a019371", "value": "ceycarb.com" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-aed4-4bd9-a01f-5d8c0a019371", "value": "coachandcook.at" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-ecbc-47bd-9803-5d8c0a019371", "value": "fisioterapiabb.it" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-ffac-4393-a3bd-5d8c0a019371", "value": "lorriratzlaff.com" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-78ac-44c7-939a-5d8c0a019371", "value": "mavin21c.dothome.co.kr" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-279c-4661-a5cf-5d8c0a019371", "value": "motherlodebulldogclub.com" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-8b04-4f83-9e97-5d8c0a019371", "value": "powerpolymerindustry.com" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-08fc-46c2-bb47-5d8c0a019371", "value": "publiccouncil.org" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-a39c-4b8e-b592-5d8c0a019371", "value": "rulourialuminiu.co.uk" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-4584-4b2c-bf57-5d8c0a019371", "value": "sistemikan.com" }, { "category": "Network activity", "comment": "PolyglotDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460313", "to_ids": false, "type": "domain", "uuid": "5d9b5299-8a10-48d9-abd0-5d8c0a019371", "value": "varuhusmc.org" }, { "category": "Network activity", "comment": "MiniDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460339", "to_ids": false, "type": "domain", "uuid": "5d9b52b3-692c-42fd-8777-68ba0a019371", "value": "ecolesndmessines.org" }, { "category": "Network activity", "comment": "MiniDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460339", "to_ids": false, "type": "domain", "uuid": "5d9b52b3-a030-462c-841c-68ba0a019371", "value": "salesappliances.com" }, { "category": "Network activity", "comment": "FatDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460356", "to_ids": false, "type": "domain", "uuid": "5d9b52c4-6a88-4f09-8ce9-646f0a019371", "value": "busseylawoffice.com" }, { "category": "Network activity", "comment": "FatDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460356", "to_ids": false, "type": "domain", "uuid": "5d9b52c4-44c0-421c-bbf8-646f0a019371", "value": "fairfieldsch.org" }, { "category": "Network activity", "comment": "FatDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460356", "to_ids": false, "type": "domain", "uuid": "5d9b52c4-d48c-473f-a0f5-646f0a019371", "value": "ministernetwork.org" }, { "category": "Network activity", "comment": "FatDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460356", "to_ids": false, "type": "domain", "uuid": "5d9b52c4-ac58-483f-9134-646f0a019371", "value": "skagenyoga.com" }, { "category": "Network activity", "comment": "FatDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460356", "to_ids": false, "type": "domain", "uuid": "5d9b52c4-a184-4467-b8a8-646f0a019371", "value": "westmedicalgroup.net" }, { "category": "Network activity", "comment": "LiteDuke C&C", "deleted": false, "disable_correlation": false, "timestamp": "1570460370", "to_ids": false, "type": "domain", "uuid": "5d9b52d2-12f4-4be6-9e91-5c5f0a019371", "value": "bandabonga.fr" }, { "category": "External analysis", "comment": "Research White Paper", "deleted": false, "disable_correlation": false, "timestamp": "1571855044", "to_ids": false, "type": "link", "uuid": "5da6e0e8-c12c-42c3-a3c3-7b6a0a019371", "value": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1622553001", "to_ids": false, "type": "link", "uuid": "5da84c74-3a94-4f8d-87ee-2de0ac1d4fa4", "value": "https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/" }, { "category": "Network activity", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571322096", "to_ids": true, "type": "user-agent", "uuid": "5da878f0-1300-4ce9-9e0a-2132ac1d4fa4", "value": "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0" }, { "category": "Network activity", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571322096", "to_ids": true, "type": "user-agent", "uuid": "5da878f0-6e74-4476-8910-2132ac1d4fa4", "value": "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13(KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13" }, { "category": "Network activity", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571322096", "to_ids": true, "type": "user-agent", "uuid": "5da878f0-69d0-4357-b2b1-2132ac1d4fa4", "value": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.19.4 (KHTML, like Gecko) Version/5.0.3 Safari/533.19.4" }, { "category": "Network activity", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571322096", "to_ids": true, "type": "user-agent", "uuid": "5da878f0-6bd0-4eb2-9b79-2132ac1d4fa4", "value": "Opera/9.80 (Windows NT 5.1; U; en-US) Presto/2.7.62 Version/11.01" }, { "category": "Network activity", "comment": "LiteDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571322096", "to_ids": true, "type": "user-agent", "uuid": "5da878f0-6990-4395-b64b-2132ac1d4fa4", "value": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729)" }, { "category": "Network activity", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571319903", "to_ids": true, "type": "user-agent", "uuid": "5da8705f-99a8-47bd-a02d-2180ac1d4fa4", "value": "Mozilla/5.0 (Windows; Windows NT 6.1) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2" }, { "category": "Network activity", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571319903", "to_ids": true, "type": "user-agent", "uuid": "5da8705f-7d18-4de8-b4e2-2180ac1d4fa4", "value": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.35 Safari/537.36 OPR/24.0.1558.21" }, { "category": "Network activity", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1598525977", "to_ids": false, "type": "user-agent", "uuid": "5da8705f-fc2c-405f-80a4-2180ac1d4fa4", "value": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)" }, { "category": "Network activity", "comment": "FatDuke", "deleted": false, "disable_correlation": false, "timestamp": "1571319903", "to_ids": true, "type": "user-agent", "uuid": "5da8705f-daa8-4319-9aea-2180ac1d4fa4", "value": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571319814", "to_ids": true, "type": "user-agent", "uuid": "5da86f11-6b00-48fc-9e42-2d68ac1d4fa4", "value": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571319286", "to_ids": true, "type": "user-agent", "uuid": "5da86085-6120-4903-b787-5986ac1d4fa4", "value": "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; GTB7.4; InfoPath.2; SV1; .NET CLR 3.3.69573; WOW64; en-US)" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-be44-4698-9b1c-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\4.0|MSBuildOverride-TasksPath" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-1678-4340-85c8-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\4.0|DefaultLibs" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-2efc-4817-9207-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\hw64-s1-1|RootPath" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-5818-4164-bc18-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\hw64-s1-1|APIModule" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-ffa8-451d-84a2-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\hw64-s1-1|Stack" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-a774-43ec-8f0e-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\0102|PathCPA" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-d6bc-4d24-9bfa-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\0102|CPAModule" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-ca38-4e38-894a-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSBuild\\4.0|BinaryCache" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1571317309", "to_ids": true, "type": "regkey|value", "uuid": "5da8663d-4f90-4517-a01f-571cac1d4fa4", "value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\MediaSDK\\Dispatch\\0102|Init" } ] } }