{ "Event": { "analysis": "0", "date": "2020-01-22", "extends_uuid": "", "info": "Muhstik Botnet Attacks Tomato Routers", "publish_timestamp": "1579684468", "published": true, "threat_level_id": "2", "timestamp": "1579678870", "uuid": "5e27f3d8-e238-4290-8b2c-422e950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:botnet=\"Muhstik\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"Tsunami (ELF)\"", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676721", "to_ids": true, "type": "ip-dst", "uuid": "5e27f431-6074-4393-8d36-4643950d210f", "value": "46.149.233.35" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "ip-dst", "uuid": "5e27f432-029c-415b-b8f7-4884950d210f", "value": "68.66.253.100" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "ip-dst", "uuid": "5e27f432-268c-444b-b628-4a10950d210f", "value": "185.61.149.22" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "url", "uuid": "5e27f432-0558-4d1c-a3aa-444a950d210f", "value": "http://y.fd6fq54s6df541q23sdxfg.eu/nvr" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "url", "uuid": "5e27f432-b7b8-4264-af32-43e6950d210f", "value": "http://159.89.156.190/.y/pty1" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "url", "uuid": "5e27f432-6fb4-4896-a5a4-4ec5950d210f", "value": "http://159.89.156.190/.y/pty3" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "url", "uuid": "5e27f432-f41c-4b03-b2e8-4854950d210f", "value": "http://159.89.156.190/.y/pty5" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "url", "uuid": "5e27f432-cd80-4a00-9121-4536950d210f", "value": "http://159.89.156.190/.y/pty6" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676722", "to_ids": true, "type": "hostname", "uuid": "5e27f432-f3fc-4a5b-b104-40a3950d210f", "value": "s.shadow.mods.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-9754-44e2-8360-49a1950d210f", "value": "492780a9ac9f03305538b360d8a836c038da4920e8c1ae620988b120613c0b1f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-f6b8-4a7f-aac6-4a66950d210f", "value": "2548f5b1613f6ebba2ff589c7b3416ccdd066b73644d4d212232beb1cecd9c31" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-b2dc-430c-a7e2-4e01950d210f", "value": "a4ba50129408f9f52ddabe5bfd5bfb46aea0ca48fb616f495f2610b2f1729687" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-ded0-4a34-b6c6-47c9950d210f", "value": "7325742dc0d939542d4c04ae2ae8f2792711203de50d3d16de3a9f83baaf5435" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-4ab0-485f-930d-4fb5950d210f", "value": "72123c51bcdf8c1784654d9e2470e69131872407408aa3cf775ea0ace87bb9a0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-ec38-4063-94da-4e10950d210f", "value": "cee20e79f20d35b95645f0cbda1897302e6e554c50f3e6754ce9293e3c1ba11c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "5e27f454-b2e4-4773-a425-4766950d210f", "value": "dc52a1193ecf6096192f771ae663de6e0389840cb5ceb7b979091333ce6f7f02" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1579677461", "to_ids": false, "type": "link", "uuid": "5e27f61d-4a0c-426c-b827-42f1950d210f", "value": "https://unit42.paloaltonetworks.com/muhstik-botnet-attacks-tomato-routers-to-harvest-new-iot-devices/", "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1579677913", "uuid": "ca140315-88e6-4fa3-913c-6d3b95cb2014", "ObjectReference": [ { "comment": "", "object_uuid": "ca140315-88e6-4fa3-913c-6d3b95cb2014", "referenced_uuid": "e9108fdc-2a51-4bcb-bf26-d96fc21ff641", "relationship_type": "analysed-with", "timestamp": "1579677928", "uuid": "5e27f8e8-7b1c-4b69-a459-42d1950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1579676756", "to_ids": true, "type": "md5", "uuid": "841dac8f-c06c-442a-a4e8-4276e1c4baca", "value": "2d8a62b8a27e14f741098fe1ced8eae4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1579676756", "to_ids": true, "type": "sha1", "uuid": "ab05c7fe-a7ee-4208-9562-c09a5ab3c74c", "value": "e9a8aebc6822f01199ff311b94641044c4a38dd3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "cbdee7a7-4828-401f-a28d-d63ef6b484b8", "value": "492780a9ac9f03305538b360d8a836c038da4920e8c1ae620988b120613c0b1f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1579677926", "uuid": "e9108fdc-2a51-4bcb-bf26-d96fc21ff641", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1579676756", "to_ids": false, "type": "datetime", "uuid": "08464849-dffa-4bfe-981b-c6ac353080c5", "value": "2020-01-22T02:13:52" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1579676756", "to_ids": false, "type": "link", "uuid": "62282ccb-bfe8-4f86-9345-c1ed07e2c6b3", "value": "https://www.virustotal.com/file/492780a9ac9f03305538b360d8a836c038da4920e8c1ae620988b120613c0b1f/analysis/1579659232/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1579676756", "to_ids": false, "type": "text", "uuid": "b2164fbc-0292-4439-9a3f-556c2873ed7f", "value": "32/57" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1579677926", "uuid": "ff1fbce4-7021-46b8-bc3b-5626cf7558a4", "ObjectReference": [ { "comment": "", "object_uuid": "ff1fbce4-7021-46b8-bc3b-5626cf7558a4", "referenced_uuid": "59005259-d99c-4501-b679-27cc1352be06", "relationship_type": "analysed-with", "timestamp": "1579677928", "uuid": "5e27f8e8-1b44-4ded-be6c-4012950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1579676756", "to_ids": true, "type": "md5", "uuid": "4d650fae-6576-461f-8f2f-a24bc4e931f0", "value": "8154ace62f0dcf7c47447153746c4be5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1579676756", "to_ids": true, "type": "sha1", "uuid": "63e33802-7547-40e7-b476-b14de144a6ad", "value": "6c9f004c977d3ce1ebda3b6e50313556f977d654" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "f1545d46-b106-43c6-9ddf-e12b7c463861", "value": "a4ba50129408f9f52ddabe5bfd5bfb46aea0ca48fb616f495f2610b2f1729687" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1579677926", "uuid": "59005259-d99c-4501-b679-27cc1352be06", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1579676756", "to_ids": false, "type": "datetime", "uuid": "62de76cd-7eeb-4c9b-bf8e-917137803cd6", "value": "2020-01-22T02:11:30" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1579676756", "to_ids": false, "type": "link", "uuid": "6858ce27-5914-41ea-a246-40cfdc33e04a", "value": "https://www.virustotal.com/file/a4ba50129408f9f52ddabe5bfd5bfb46aea0ca48fb616f495f2610b2f1729687/analysis/1579659090/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1579676756", "to_ids": false, "type": "text", "uuid": "9089e013-f176-4f78-a05e-8624247c7115", "value": "32/57" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1579677927", "uuid": "d0e82d91-4339-424a-9b54-4b665bec0acd", "ObjectReference": [ { "comment": "", "object_uuid": "d0e82d91-4339-424a-9b54-4b665bec0acd", "referenced_uuid": "0cb1df1f-6f48-4c96-b8b4-d1f852c7e97b", "relationship_type": "analysed-with", "timestamp": "1579677928", "uuid": "5e27f8e8-4cdc-4201-b2f3-4e29950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1579676756", "to_ids": true, "type": "md5", "uuid": "4302de46-edb9-4acf-8e7b-ac3c76754eb5", "value": "167c2f5e0d6abe5b9b35348fd0269928" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1579676756", "to_ids": true, "type": "sha1", "uuid": "7211f48d-b2b0-43c7-864c-e8165c722aff", "value": "7914fb8e72e6a7a57998f8b7817c2508ce9ec865" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "a66a7987-142f-4390-85a8-ede2d81e54be", "value": "7325742dc0d939542d4c04ae2ae8f2792711203de50d3d16de3a9f83baaf5435" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1579677927", "uuid": "0cb1df1f-6f48-4c96-b8b4-d1f852c7e97b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1579676756", "to_ids": false, "type": "datetime", "uuid": "ee761208-581a-463f-bd07-a6a16db38a4f", "value": "2020-01-22T02:14:04" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1579676756", "to_ids": false, "type": "link", "uuid": "fa0222dd-230a-4c6d-9ac8-4f382cd21ef9", "value": "https://www.virustotal.com/file/7325742dc0d939542d4c04ae2ae8f2792711203de50d3d16de3a9f83baaf5435/analysis/1579659244/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1579676756", "to_ids": false, "type": "text", "uuid": "55ee0b95-4cb9-4805-8669-e8766e01ceb2", "value": "34/57" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1579677927", "uuid": "7751dc85-88e3-4c9b-97c9-ebfdedb1ad56", "ObjectReference": [ { "comment": "", "object_uuid": "7751dc85-88e3-4c9b-97c9-ebfdedb1ad56", "referenced_uuid": "fbe12b3c-849a-4b2e-8ef8-7fa83af759fe", "relationship_type": "analysed-with", "timestamp": "1579677928", "uuid": "5e27f8e8-7a84-4c94-be85-49a8950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1579676756", "to_ids": true, "type": "md5", "uuid": "6ea29b48-7a86-4d10-b675-c6a76941bb46", "value": "a3e3809eb10bae7d19787f6c52d2b289" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1579676756", "to_ids": true, "type": "sha1", "uuid": "f2b296e3-e879-4776-ba87-bd6f04d8f71e", "value": "00e4457de90df173b51757fcf120bc31ce16040e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "6b5f4b97-bde1-4746-8401-d5d585c74522", "value": "72123c51bcdf8c1784654d9e2470e69131872407408aa3cf775ea0ace87bb9a0" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1579677927", "uuid": "fbe12b3c-849a-4b2e-8ef8-7fa83af759fe", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1579676756", "to_ids": false, "type": "datetime", "uuid": "5d6040e0-a8c8-44e4-ac5e-8f7ca6fd856a", "value": "2020-01-22T02:12:09" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1579676756", "to_ids": false, "type": "link", "uuid": "a1431de8-5639-40e8-b902-f7f51a47c035", "value": "https://www.virustotal.com/file/72123c51bcdf8c1784654d9e2470e69131872407408aa3cf775ea0ace87bb9a0/analysis/1579659129/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1579676756", "to_ids": false, "type": "text", "uuid": "0abc5f32-ac9a-435d-9ae4-3f26fc75c0bf", "value": "32/57" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1579677927", "uuid": "bd930756-f6fa-414c-ab91-40111e80a4c7", "ObjectReference": [ { "comment": "", "object_uuid": "bd930756-f6fa-414c-ab91-40111e80a4c7", "referenced_uuid": "b9d8b1eb-c098-4e3a-af07-cd37c40d345a", "relationship_type": "analysed-with", "timestamp": "1579677928", "uuid": "5e27f8e8-b614-45cd-80f3-4f95950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1579676756", "to_ids": true, "type": "md5", "uuid": "70153d72-c7d2-4630-9410-dca6c537ac66", "value": "b66fbdec14a7f7b0087aebb9c176ac12" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1579676756", "to_ids": true, "type": "sha1", "uuid": "56dc42e2-d589-4dcf-868f-c98ac64d81e2", "value": "0c6484d5bc91a75cb0d94a55795d543c409b3fb8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1579676756", "to_ids": true, "type": "sha256", "uuid": "31c4c70c-8dd5-48fd-b840-0f77d9fe625d", "value": "cee20e79f20d35b95645f0cbda1897302e6e554c50f3e6754ce9293e3c1ba11c" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1579677928", "uuid": "b9d8b1eb-c098-4e3a-af07-cd37c40d345a", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1579676756", "to_ids": false, "type": "datetime", "uuid": "ce51439d-924b-4d65-b570-88a97c546fdc", "value": "2020-01-22T02:12:56" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1579676756", "to_ids": false, "type": "link", "uuid": "d5f26a7b-7151-43d4-91d3-03f7456f886b", "value": "https://www.virustotal.com/file/cee20e79f20d35b95645f0cbda1897302e6e554c50f3e6754ce9293e3c1ba11c/analysis/1579659176/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1579676756", "to_ids": false, "type": "text", "uuid": "b2de9ec0-3be3-462b-9250-e457f57ba795", "value": "32/57" } ] } ] } }