{ "Event": { "analysis": "2", "date": "2018-08-08", "extends_uuid": "", "info": "OSINT - Familiar Feeling A Malware Campaign Targeting the Tibetan Diaspora Resurfaces", "publish_timestamp": "1537215875", "published": true, "threat_level_id": "3", "timestamp": "1537215802", "uuid": "5b6c44c2-e8cc-4c56-8eb9-4f0a950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#3a7300", "local": "0", "name": "circl:incident-classification=\"malware\"", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"PowerShell - T1086\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537189076", "to_ids": false, "type": "link", "uuid": "5b6c44d2-6094-4926-a919-48a3950d210f", "value": "https://citizenlab.ca/2018/08/familiar-feeling-a-malware-campaign-targeting-the-tibetan-diaspora-resurfaces/", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174539", "to_ids": true, "type": "domain", "uuid": "5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f", "value": "commail.co" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174540", "to_ids": true, "type": "domain", "uuid": "5b9f6c0c-6bb8-4353-88d2-d8a3950d210f", "value": "tibetnews.info" }, { "category": "Network activity", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174540", "to_ids": true, "type": "domain", "uuid": "5b9f6c0c-f6c8-466a-b35f-d8a3950d210f", "value": "comemails.email" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174541", "to_ids": true, "type": "ip-dst", "uuid": "5b9f6c0d-265c-4879-8048-d8a3950d210f", "value": "27.126.186.222" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174541", "to_ids": true, "type": "ip-dst", "uuid": "5b9f6c0d-3360-4aae-a319-d8a3950d210f", "value": "103.55.24.196" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537174542", "to_ids": true, "type": "ip-dst", "uuid": "5b9f6c0e-5760-4610-8e19-d8a3950d210f", "value": "203.189.232.207" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537176051", "to_ids": true, "type": "ip-dst", "uuid": "5b9f71f3-d42c-46dc-a8df-d052950d210f", "value": "45.127.97.222" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537176052", "to_ids": true, "type": "domain", "uuid": "5b9f71f4-bd0c-4a10-bafb-d052950d210f", "value": "tibetnews.today" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537176052", "to_ids": true, "type": "ip-dst", "uuid": "5b9f71f4-96d4-4c41-843c-d052950d210f", "value": "115.126.86.151" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537178791", "to_ids": true, "type": "domain", "uuid": "5b9f7ca7-2330-438c-a9ba-43f1950d210f", "value": "tibethouse.info" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537178794", "to_ids": true, "type": 
"domain", "uuid": "5b9f7caa-aa08-47db-af9c-479f950d210f", "value": "daynew.today" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537178798", "to_ids": true, "type": "domain", "uuid": "5b9f7cae-9a30-4928-a17a-4f2d950d210f", "value": "daynews.today" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537189105", "to_ids": false, "type": "text", "uuid": "5b9fa4dd-15a8-44c8-87a8-489f950d210f", "value": "In January 2018, a Tibetan activist received a mundane-looking email purporting to be program updates from a human rights NGO. Attached to the message were a PowerPoint presentation and a document. The activist, like many in the Tibetan diaspora, had grown wary of unsolicited emails with attachments, and instead of opening the documents, shared the files with Citizen Lab researchers.\r\n\r\nThe suspicion was warranted: the attachments were malicious. If clicked, the files would run recent exploits to infect Windows computers with custom malware. This email was the start of a malware campaign active between January and March 2018 that targeted Tibetan activists, journalists, members of the Tibetan Parliament in exile, and the Central Tibetan Administration. We worked closely with the targeted groups to collect the malicious messages, and also engaged in incident response with a compromised organization. This collaboration enabled us to gain further insights into the tactics, techniques, and procedures used by the operators.\r\n\r\nThe campaign used social engineering to trick targets into opening exploit-laden PowerPoint (CVE-2017-0199) and Microsoft Rich Text Format (RTF) documents (CVE-2017-11882) attached to e-mail messages. 
The malware includes a PowerShell payload we call DMShell++, a backdoor known as TSSL, and a post-compromise tool we call DSNGInstaller.\r\n\r\nWe call this recent campaign the \u201cResurfaced Campaign\u201d because of connections to a 2016 campaign that targeted Tibetan Parliamentarians (which we refer to as the \u201cParliamentary Campaign\u201d). These connections suggest that the same group may be involved or tools and infrastructure are being shared between multiple groups.", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537190954", "to_ids": true, "type": "url", "uuid": "5b9fac2a-3ad4-456c-910f-408a950d210f", "value": "commail.co:5453/qqqzqa" }, { "category": "Network activity", "comment": "On port 6001", "deleted": false, "disable_correlation": false, "timestamp": "1537190954", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2a-60e0-4df7-b188-4000950d210f", "value": "27.126.186.222|6001" }, { "category": "Network activity", "comment": "On port 6002", "deleted": false, "disable_correlation": false, "timestamp": "1537190955", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2b-0454-4ae0-abe4-4f2a950d210f", "value": "27.126.186.222|6002" }, { "category": "Network activity", "comment": "On port 6003", "deleted": false, "disable_correlation": false, "timestamp": "1537190956", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2c-a7a8-400d-bee5-49fd950d210f", "value": "27.126.186.222|6003" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537190957", "to_ids": true, "type": "url", "uuid": "5b9fac2d-32b8-451b-ad3d-4c50950d210f", "value": "tibetnews.info:8026/qqqzqa" }, { "category": "Network activity", "comment": "On port 80", "deleted": false, 
"disable_correlation": false, "timestamp": "1537190957", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2d-43a0-4cbd-bdd2-44ee950d210f", "value": "103.55.24.196|80" }, { "category": "Network activity", "comment": "On port 443", "deleted": false, "disable_correlation": false, "timestamp": "1537190958", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2e-2c38-4491-b0bd-471a950d210f", "value": "103.55.24.196|443" }, { "category": "Network activity", "comment": "On port 443", "deleted": false, "disable_correlation": false, "timestamp": "1537190959", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac2f-ce44-4c61-8f50-427a950d210f", "value": "45.127.97.222|443" }, { "category": "Network activity", "comment": "On port 80", "deleted": false, "disable_correlation": false, "timestamp": "1537190960", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac30-3800-4895-b7da-4795950d210f", "value": "27.126.186.222|80" }, { "category": "Network activity", "comment": "On port 443", "deleted": false, "disable_correlation": false, "timestamp": "1537190961", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac31-4418-4328-9f94-4c82950d210f", "value": "27.126.186.222|443" }, { "category": "Network activity", "comment": "On port 8080", "deleted": false, "disable_correlation": false, "timestamp": "1537190962", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac32-3fa8-469e-82b7-4a14950d210f", "value": "27.126.186.222|8080" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1537190963", "to_ids": true, "type": "url", "uuid": "5b9fac33-2688-4056-b9a2-42bd950d210f", "value": "comemails.email:1234/hgf" }, { "category": "Network activity", "comment": "On port 80", "deleted": false, "disable_correlation": false, "timestamp": "1537190963", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac33-b9cc-492f-9271-4c9c950d210f", "value": "203.189.232.207|80" }, { "category": "Network activity", "comment": "On port 
443", "deleted": false, "disable_correlation": false, "timestamp": "1537190964", "to_ids": true, "type": "ip-dst|port", "uuid": "5b9fac34-9494-4180-97f4-494a950d210f", "value": "203.189.232.207|443" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "14", "timestamp": "1537171463", "uuid": "5b9f6007-36ec-49cc-b7cc-e30b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1537171463", "to_ids": true, "type": "md5", "uuid": "5b9f6007-47a8-4e3c-a5e9-e30b950d210f", "value": "11e0f3e1c7d8855ed7f1dcfce4b7702a" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537171463", "to_ids": false, "type": "text", "uuid": "5b9f6007-9970-48cf-b364-e30b950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "5", "timestamp": "1537172313", "uuid": "5b9f6302-18e0-4459-a463-e6f4950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "cvss-score", "timestamp": "1537172313", "to_ids": false, "type": "float", "uuid": "5b9f6302-f2e4-4422-9159-e6f4950d210f", "value": "9.3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537172313", "to_ids": false, "type": "link", "uuid": 
"5b9f6303-ac3c-4c20-a111-e6f4950d210f", "value": "http://reversingminds-blog.logdown.com/posts/3907313-fileless-attack-in-word-without-macros-cve-2017-11882" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537172313", "to_ids": false, "type": "link", "uuid": "5b9f6303-c8d4-40a5-ab8e-e6f4950d210f", "value": "http://www.securityfocus.com/bid/101757" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537172313", "to_ids": false, "type": "link", "uuid": "5b9f6304-0060-4649-a3e5-e6f4950d210f", "value": "http://www.securitytracker.com/id/1039783" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537172313", "to_ids": false, "type": "link", "uuid": "5b9f6304-e490-458d-aed8-e6f4950d210f", "value": "https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537172313", "to_ids": false, "type": "link", "uuid": "5b9f6304-678c-435e-a60c-e6f4950d210f", "value": "https://0patch.blogspot.com/2017/11/official-patch-for-cve-2017-11882-meets.html" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537172313", "to_ids": false, "type": "text", "uuid": "5b9f6305-ff90-4ab8-8e89-e6f4950d210f", "value": "Published" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1537172313", "to_ids": false, "type": "text", "uuid": "5b9f6305-fcd4-4c7f-8d0b-e6f4950d210f", "value": "Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 
Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka \"Microsoft Office Memory Corruption Vulnerability\". This CVE ID is unique from CVE-2017-11884." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1537172313", "to_ids": false, "type": "text", "uuid": "5b9f6305-6f0c-46d8-acb3-e6f4950d210f", "value": "CVE-2017-11882" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "published", "timestamp": "1537172316", "to_ids": false, "type": "datetime", "uuid": "5b9f635c-eb60-4583-bec1-e6f4950d210f", "value": "2017-11-14T22:29:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537172316", "to_ids": false, "type": "text", "uuid": "5b9f635c-9f98-46f2-9a5e-e6f4950d210f", "value": "Microsoft Office 2007 Service Pack 3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537172317", "to_ids": false, "type": "text", "uuid": "5b9f635d-b704-48ba-a42b-e6f4950d210f", "value": "cpe:2.3:a:microsoft:office:2010:sp2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537172317", "to_ids": false, "type": "text", "uuid": "5b9f635d-3ca0-458e-a3cb-e6f4950d210f", "value": "Microsoft Office 2013 SP1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537172318", "to_ids": false, "type": "text", "uuid": "5b9f635e-ca54-4722-85d1-e6f4950d210f", "value": "Microsoft Office 2016" }, { "category": "Other", "comment": "", "deleted": false, 
"disable_correlation": true, "object_relation": "modified", "timestamp": "1537172318", "to_ids": false, "type": "datetime", "uuid": "5b9f635e-d0fc-412f-bc5e-e6f4950d210f", "value": "2017-12-30T21:29:00" } ] }, { "comment": "", "deleted": false, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "name": "vulnerability", "template_uuid": "81650945-f186-437b-8945-9f31715d32da", "template_version": "5", "timestamp": "1537174420", "uuid": "5b9f6b94-f650-4701-be1d-e6f5950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "cvss-score", "timestamp": "1537174421", "to_ids": false, "type": "float", "uuid": "5b9f6b95-16fc-4c8a-8f49-e6f5950d210f", "value": "9.3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174421", "to_ids": false, "type": "link", "uuid": "5b9f6b95-5e2c-4a80-9638-e6f5950d210f", "value": "http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174421", "to_ids": false, "type": "link", "uuid": "5b9f6b95-36d8-4470-99d6-e6f5950d210f", "value": "https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174422", "to_ids": false, "type": "link", "uuid": "5b9f6b96-87a8-4818-b0b7-e6f5950d210f", "value": "https://www.exploit-db.com/exploits/41934/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", 
"timestamp": "1537174422", "to_ids": false, "type": "link", "uuid": "5b9f6b96-5238-4d66-a799-e6f5950d210f", "value": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174423", "to_ids": false, "type": "link", "uuid": "5b9f6b97-5ccc-45a3-9bc1-e6f5950d210f", "value": "https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174423", "to_ids": false, "type": "link", "uuid": "5b9f6b97-81e0-4372-8fe3-e6f5950d210f", "value": "http://www.securitytracker.com/id/1038224" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174424", "to_ids": false, "type": "link", "uuid": "5b9f6b98-a4ac-4e94-b14c-e6f5950d210f", "value": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174424", "to_ids": false, "type": "link", "uuid": "5b9f6b98-84d4-4871-a8c7-e6f5950d210f", "value": "http://www.securityfocus.com/bid/97498" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174425", "to_ids": false, "type": "link", "uuid": "5b9f6b99-7738-4c7b-b9b8-e6f5950d210f", "value": "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174425", "to_ids": false, "type": "link", "uuid": 
"5b9f6b99-0b58-4de3-8738-e6f5950d210f", "value": "https://www.exploit-db.com/exploits/42995/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "references", "timestamp": "1537174426", "to_ids": false, "type": "link", "uuid": "5b9f6b9a-e87c-433d-beff-e6f5950d210f", "value": "https://www.exploit-db.com/exploits/41894/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537174426", "to_ids": false, "type": "text", "uuid": "5b9f6b9a-c684-44c4-a71f-e6f5950d210f", "value": "Published" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "published", "timestamp": "1537174426", "to_ids": false, "type": "datetime", "uuid": "5b9f6b9a-670c-49d4-b0f8-e6f5950d210f", "value": "2017-12-04T10:59:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1537174426", "to_ids": false, "type": "text", "uuid": "5b9f6b9a-6238-47ef-87d1-e6f5950d210f", "value": "Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka \"Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.\"" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174427", "to_ids": false, "type": "text", "uuid": "5b9f6b9b-bc64-4992-8547-e6f5950d210f", "value": "cpe:2.3:a:microsoft:office:2010:sp2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174427", "to_ids": false, "type": "text", "uuid": 
"5b9f6b9b-36fc-4425-b2a5-e6f5950d210f", "value": "Microsoft Office 2007 Service Pack 3" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174428", "to_ids": false, "type": "text", "uuid": "5b9f6b9c-6630-4daa-93a7-e6f5950d210f", "value": "Microsoft Windows Server 2008 Service Pack 2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174428", "to_ids": false, "type": "text", "uuid": "5b9f6b9c-fa74-4b6c-afc5-e6f5950d210f", "value": "Microsoft Office 2016" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174429", "to_ids": false, "type": "text", "uuid": "5b9f6b9d-9600-474e-94bd-e6f5950d210f", "value": "cpe:2.3:o:microsoft:windows_7:-:sp1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174429", "to_ids": false, "type": "text", "uuid": "5b9f6b9d-5d80-4ae0-8fe4-e6f5950d210f", "value": "Microsoft Windows Vista Service Pack 2" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174430", "to_ids": false, "type": "text", "uuid": "5b9f6b9e-a930-4fe2-8030-e6f5950d210f", "value": "Microsoft Windows Server 2008 R2 Service Pack 1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174430", "to_ids": false, "type": "text", "uuid": "5b9f6b9e-1f34-47a0-b77c-e6f5950d210f", "value": "Microsoft Office 2013 SP1" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vulnerable_configuration", "timestamp": "1537174431", 
"to_ids": false, "type": "text", "uuid": "5b9f6b9f-fbec-460a-88c0-e6f5950d210f", "value": "Microsoft Windows Server 2012" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "modified", "timestamp": "1537174431", "to_ids": false, "type": "datetime", "uuid": "5b9f6b9f-22d4-4d35-84c2-e6f5950d210f", "value": "2018-03-27T21:29:00" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "id", "timestamp": "1537174431", "to_ids": false, "type": "text", "uuid": "5b9f6b9f-7c48-4507-b345-e6f5950d210f", "value": "CVE-2017-0199" } ] }, { "comment": "", "deleted": false, "description": "Whois records information for a domain name or an IP address.", "meta-category": "network", "name": "whois", "template_uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", "template_version": "10", "timestamp": "1537178039", "uuid": "5b9f78e4-1670-4c68-bcca-e3a7950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b9f78e4-1670-4c68-bcca-e3a7950d210f", "referenced_uuid": "5b9f6c0b-d8b4-4acd-a92e-d8a3950d210f", "relationship_type": "uses", "timestamp": "1537177994", "uuid": "5b9f798a-7bbc-4a32-9dc3-4359950d210f" }, { "comment": "", "object_uuid": "5b9f78e4-1670-4c68-bcca-e3a7950d210f", "referenced_uuid": "5b9f6c0c-6bb8-4353-88d2-d8a3950d210f", "relationship_type": "derived-from", "timestamp": "1537178019", "uuid": "5b9f7990-3014-4686-b8ff-499f950d210f" }, { "comment": "", "object_uuid": "5b9f78e4-1670-4c68-bcca-e3a7950d210f", "referenced_uuid": "5b9f6c0c-6bb8-4353-88d2-d8a3950d210f", "relationship_type": "uses", "timestamp": "1537178029", "uuid": "5b9f79ad-150c-4bc4-b204-4e82950d210f" }, { "comment": "", "object_uuid": "5b9f78e4-1670-4c68-bcca-e3a7950d210f", "referenced_uuid": "5b9f71f4-bd0c-4a10-bafb-d052950d210f", "relationship_type": "uses", "timestamp": "1537178036", "uuid": "5b9f79b4-1468-4df9-a900-4b4c950d210f" } ], "Attribute": [ { "category": "Attribution", "comment": "", 
"deleted": false, "disable_correlation": false, "object_relation": "registrant-email", "timestamp": "1537177828", "to_ids": false, "type": "whois-registrant-email", "uuid": "5b9f78e4-e480-487c-a060-e3a7950d210f", "value": "bqfkdrmnhh0623[@]gmail.com" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "registrant-name", "timestamp": "1537177830", "to_ids": false, "type": "whois-registrant-name", "uuid": "5b9f78e6-19b8-4185-969d-e3a7950d210f", "value": "huang ning" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "registrant-phone", "timestamp": "1537177833", "to_ids": false, "type": "whois-registrant-phone", "uuid": "5b9f78e9-0aa4-4e65-91e3-e3a7950d210f", "value": "8677687877" } ] }, { "comment": "", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "6", "timestamp": "1537179167", "uuid": "5b9f7e1f-8f14-4416-9f3a-452a950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537179167", "to_ids": true, "type": "ip-dst", "uuid": "5b9f7e1f-565c-4741-b0ca-4236950d210f", "value": "115.126.86.29" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1537179171", "to_ids": true, "type": "domain", "uuid": "5b9f7e23-9dd0-4849-8613-4e1d950d210f", "value": "google.comemails.email" } ] }, { "comment": "", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "6", "timestamp": "1537179207", "uuid": 
"5b9f7e47-4ddc-4470-987c-459e950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537179207", "to_ids": true, "type": "ip-dst", "uuid": "5b9f7e47-54b0-4cf3-95f0-4ae5950d210f", "value": "115.126.98.78" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1537179210", "to_ids": true, "type": "domain", "uuid": "5b9f7e4a-8e6c-4445-84d0-443e950d210f", "value": "mail.google.commail.co" } ] }, { "comment": "", "deleted": false, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "6", "timestamp": "1537179261", "uuid": "5b9f7e7d-f3ac-44cb-8d2a-4866950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537179261", "to_ids": true, "type": "ip-dst", "uuid": "5b9f7e7d-43e8-44c6-8170-464e950d210f", "value": "118.99.59.214" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1537179265", "to_ids": true, "type": "domain", "uuid": "5b9f7e81-b274-43fe-b947-48c0950d210f", "value": "google.comemail.email" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "14", "timestamp": "1537188384", "uuid": "5b9f8073-bb3c-481d-b7b1-dc87950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b9f8073-bb3c-481d-b7b1-dc87950d210f", "referenced_uuid": "5b9f7e1f-8f14-4416-9f3a-452a950d210f", "relationship_type": "related-to", "timestamp": "1537188380", "uuid": 
"5b9fa21c-8cb4-4b03-8b43-e337950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1537179763", "to_ids": true, "type": "sha1", "uuid": "5b9f8073-ece4-40d9-95f2-dc87950d210f", "value": "6a4690f454c91fdc559a223d43f0a77d40b59b2a" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537179763", "to_ids": false, "type": "text", "uuid": "5b9f8073-7130-4dca-89d3-dc87950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "14", "timestamp": "1537187589", "uuid": "5b9f8086-5f30-4482-891d-475b950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b9f8086-5f30-4482-891d-475b950d210f", "referenced_uuid": "5b9f7e47-4ddc-4470-987c-459e950d210f", "relationship_type": "derived-from", "timestamp": "1537187586", "uuid": "5b9f9ef4-f650-4882-adb6-e337950d210f" }, { "comment": "", "object_uuid": "5b9f8086-5f30-4482-891d-475b950d210f", "referenced_uuid": "5b9f7e47-4ddc-4470-987c-459e950d210f", "relationship_type": "related-to", "timestamp": "1537187579", "uuid": "5b9f9efb-7da0-4156-8863-4554950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1537179783", "to_ids": true, "type": "sha1", "uuid": "5b9f8087-258c-46f2-9236-4f25950d210f", "value": "e55cea25ecc118fd798f84eb5395be0678bdbc51" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537179783", "to_ids": false, "type": "text", "uuid": "5b9f8087-4ee8-426f-9c1b-49df950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, 
"description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "14", "timestamp": "1537187205", "uuid": "5b9f8098-16dc-4483-8b05-d04e950d210f", "ObjectReference": [ { "comment": "", "object_uuid": "5b9f8098-16dc-4483-8b05-d04e950d210f", "referenced_uuid": "5b9f7e7d-f3ac-44cb-8d2a-4866950d210f", "relationship_type": "related-to", "timestamp": "1537187202", "uuid": "5b9f9d82-0464-4fe9-93fb-4c83950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1537179800", "to_ids": true, "type": "sha1", "uuid": "5b9f8098-554c-477c-8525-d04e950d210f", "value": "cdd2fd64a4996b7d901d4a899d660cc5ff118e73" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1537179800", "to_ids": false, "type": "text", "uuid": "5b9f8098-6c40-46f4-aa5f-d04e950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "Email object describing an email with meta-information", "meta-category": "network", "name": "email", "template_uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "template_version": "12", "timestamp": "1537190429", "uuid": "5b9faa1d-28a8-4957-b2ab-4b2b950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "from", "timestamp": "1537190430", "to_ids": true, "type": "email-src", "uuid": "5b9faa1e-6ad8-4f5b-8f42-4942950d210f", "value": "tibetanparliarnent@yahoo.com" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "7", "timestamp": 
"1537193094", "uuid": "5b9fb486-9674-4e70-9077-4614950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537193095", "to_ids": true, "type": "ip-dst", "uuid": "5b9fb487-f794-43ee-bdb8-4dbb950d210f", "value": "27.126.186.222" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-2298-44ad-b6a1-4667950d210f", "value": "6001" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-ba34-4d44-8076-4304950d210f", "value": "6002" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-78ec-4c54-be54-47dd950d210f", "value": "6003" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-b77c-48ac-88bb-4816950d210f", "value": "80" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-4a08-4bcd-a751-484a950d210f", "value": "8080" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537193096", "to_ids": false, "type": "port", "uuid": "5b9fb488-8960-4217-8b08-4d66950d210f", "value": "443" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a 
specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "7", "timestamp": "1537194880", "uuid": "5b9fbb80-f010-4a72-a7ab-4f41950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537194880", "to_ids": true, "type": "ip-dst", "uuid": "5b9fbb80-2f00-4b53-9268-4c9d950d210f", "value": "103.55.24.196" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537194880", "to_ids": false, "type": "port", "uuid": "5b9fbb80-ad20-4584-b1cb-497e950d210f", "value": "443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537194880", "to_ids": false, "type": "port", "uuid": "5b9fbb80-8440-46ef-87d6-484e950d210f", "value": "80" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "7", "timestamp": "1537194902", "uuid": "5b9fbb96-36dc-47c1-a0b3-4173950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537194902", "to_ids": true, "type": "ip-dst", "uuid": "5b9fbb96-8e8c-4d13-a456-4bb1950d210f", "value": "45.127.97.222" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537194903", "to_ids": false, "type": "port", "uuid": "5b9fbb97-70a8-454c-a54c-4ac4950d210f", "value": "443" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain or hostname) and 
a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "7", "timestamp": "1537194923", "uuid": "5b9fbbab-e5b8-4120-99fd-40b2950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1537194923", "to_ids": true, "type": "ip-dst", "uuid": "5b9fbbab-8a80-40a2-8dfd-4b0f950d210f", "value": "203.189.232.207" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537194923", "to_ids": false, "type": "port", "uuid": "5b9fbbab-3770-4593-af40-46c8950d210f", "value": "443" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1537194923", "to_ids": false, "type": "port", "uuid": "5b9fbbab-a8c8-4db4-9565-4547950d210f", "value": "80" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1537215759", "uuid": "d2f5d552-96c4-43ad-84e1-fb8cebbf6000", "ObjectReference": [ { "comment": "", "object_uuid": "d2f5d552-96c4-43ad-84e1-fb8cebbf6000", "referenced_uuid": "857a21fc-b3c9-47ae-93e4-9e5fe62dc79b", "relationship_type": "analysed-with", "timestamp": "1537215772", "uuid": "5ba00d1c-ff94-4943-8629-48f302de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1537215758", "to_ids": true, "type": "md5", "uuid": "ed307627-2220-4407-99c5-affe8a1f6d27", "value": "11e0f3e1c7d8855ed7f1dcfce4b7702a" }, { "category": "Payload delivery", "comment": "", "deleted": false, 
"disable_correlation": false, "object_relation": "sha1", "timestamp": "1537215760", "to_ids": true, "type": "sha1", "uuid": "e194e107-af6f-4b8e-8561-332af810ab23", "value": "9bb47262664b10b60a853002eace4db083ee10af" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1537215763", "to_ids": true, "type": "sha256", "uuid": "40b0b152-ef0e-47ad-8e2b-a731d121f6b2", "value": "1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1537215765", "uuid": "857a21fc-b3c9-47ae-93e4-9e5fe62dc79b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1537215768", "to_ids": false, "type": "datetime", "uuid": "87f7f5c5-40a4-465d-ba91-e82e4595f4e7", "value": "2018-08-10T08:33:52" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1537215770", "to_ids": false, "type": "link", "uuid": "2236a126-0d1a-4f18-b8b4-87d5424a7b7b", "value": "https://www.virustotal.com/file/1b156c7d2cc651d0a58c8dac1353332614b489e4d21e51ca7a0a929295e6ad40/analysis/1533890032/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1537215772", "to_ids": false, "type": "text", "uuid": "4e295ad5-8545-422f-8c7d-683e1a2de6f4", "value": "24/67" } ] } ] } }