{ "Event": { "analysis": "2", "date": "2019-05-09", "extends_uuid": "", "info": "OSINT - keepass(dot)com spreading malware, posing as the official site for the KeePass password manager. Malicious downloads (.dmg and .exe files) are available on the site.", "publish_timestamp": "1557415440", "published": true, "threat_level_id": "3", "timestamp": "1557415377", "uuid": "5cd4446a-b318-40d6-8120-473a950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Unconditional client-side exploitation/Injected Website/Driveby - T1372\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557415099", "to_ids": true, "type": "sha256", "uuid": "5cd444bb-5100-4607-ab39-4e98950d210f", "value": "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557415099", "to_ids": true, "type": "sha256", "uuid": "5cd444bb-b15c-4760-b152-4fda950d210f", "value": "41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1557415149", "to_ids": true, "type": "domain", "uuid": "5cd444ed-5814-49ff-a3f9-466a950d210f", "value": "lifopp-sacoho.com" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": 
"file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1557415108", "uuid": "9bc5279d-fa53-4c2f-92f1-9aac47fe4658", "ObjectReference": [ { "comment": "", "object_uuid": "9bc5279d-fa53-4c2f-92f1-9aac47fe4658", "referenced_uuid": "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6", "relationship_type": "analysed-with", "timestamp": "1557415108", "uuid": "5cd444c4-dc64-44bb-b6bc-45ec950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1557415099", "to_ids": true, "type": "md5", "uuid": "74f7c0dd-c91b-40c0-8f79-2a166f238326", "value": "3590c4b2cfa63655dc14bef32659f675" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1557415099", "to_ids": true, "type": "sha1", "uuid": "62f22eb0-6df4-4280-8141-68c00d1b25d8", "value": "5b0825a4436e4908501667e1cfa91e9e39e82302" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1557415099", "to_ids": true, "type": "sha256", "uuid": "1876d114-6aff-4578-bdb3-fb33a4177b40", "value": "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1557415108", "uuid": "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1557415099", "to_ids": false, "type": "datetime", "uuid": "9268cd71-c418-4b6c-8ae7-b2755788dedc", "value": "2019-05-08T10:03:22" }, { "category": "Payload delivery", "comment": "", "deleted": false, 
"disable_correlation": false, "object_relation": "permalink", "timestamp": "1557415099", "to_ids": false, "type": "link", "uuid": "fea2b397-1408-4777-ab45-308963ac7d8b", "value": "https://www.virustotal.com/file/4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966/analysis/1557309802/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1557415099", "to_ids": false, "type": "text", "uuid": "584d4279-982a-4ca3-bedf-933dd6a5b6bb", "value": "31/72" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1557415108", "uuid": "2ec00d74-5d8a-4db5-9d43-1845fcfd8917", "ObjectReference": [ { "comment": "", "object_uuid": "2ec00d74-5d8a-4db5-9d43-1845fcfd8917", "referenced_uuid": "b6b594cd-778d-4c19-a1e8-b04a78d6154d", "relationship_type": "analysed-with", "timestamp": "1557415108", "uuid": "5cd444c4-2080-4e51-8579-47de950d210f" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1557415099", "to_ids": true, "type": "md5", "uuid": "81add71e-e549-4b98-9afe-695b617f0642", "value": "0211036d4f551610892d3da2f2377b95" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1557415099", "to_ids": true, "type": "sha1", "uuid": "addec366-d1b1-446f-ba62-24d6bcfbb96f", "value": "b4f5d93b0eb93812018646f6b358da9592ae6499" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1557415099", "to_ids": true, "type": "sha256", "uuid": "3dc10670-ea31-4e41-984c-2bd669198b13", "value": 
"41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1557415108", "uuid": "b6b594cd-778d-4c19-a1e8-b04a78d6154d", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1557415099", "to_ids": false, "type": "datetime", "uuid": "a6d53689-a303-42fe-8c7f-def94d11e653", "value": "2019-05-07T11:36:35" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1557415099", "to_ids": false, "type": "link", "uuid": "eceb9e59-eff8-433b-8169-b854da49308d", "value": "https://www.virustotal.com/file/41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e/analysis/1557228995/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1557415099", "to_ids": false, "type": "text", "uuid": "05cda147-431f-4496-807b-50aa24c3c031", "value": "14/56" } ] }, { "comment": "", "deleted": false, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "name": "microblog", "template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", "template_version": "5", "timestamp": "1557415316", "uuid": "5cd44594-ead8-4e11-8ccb-4a0e950d210f", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "post", "timestamp": "1557415317", "to_ids": false, "type": "text", "uuid": "5cd44595-8944-400e-b668-4629950d210f", "value": "keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site. 
@malwrhunterteam" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1557415317", "to_ids": false, "type": "text", "uuid": "5cd44595-c004-4e7e-83c1-442b950d210f", "value": "Twitter" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "url", "timestamp": "1557415317", "to_ids": false, "type": "url", "uuid": "5cd44595-d14c-4a3d-bb69-4f53950d210f", "value": "https://twitter.com/berkcgoksel/status/1125727590440931329" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1557415317", "to_ids": false, "type": "text", "uuid": "5cd44595-720c-4b7b-9eb2-42a8950d210f", "value": "berkcgoksel" } ] } ] } }