{ "Event": { "analysis": "2", "date": "2019-05-28", "extends_uuid": "", "info": "Emissary Panda Attacks Middle East Government Sharepoint Servers by Palo Alto Unit42", "publish_timestamp": "1559307617", "published": true, "threat_level_id": "1", "timestamp": "1559307564", "uuid": "5cf0f134-f504-42dd-b11e-9071950d210f", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Threat Group-3390\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-intrusion-set=\"Threat Group-3390 - G0027\"", "relationship_type": "" }, { "colour": "#10c700", "local": "0", "name": "misp-galaxy:threat-actor=\"Emissary Panda\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:threat-actor=\"LuckyMouse\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "OSINT", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302011", "to_ids": false, "type": "link", "uuid": "5cf10f7b-00d4-443f-b2b0-4531950d210f", "value": "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302022", "to_ids": false, "type": "vulnerability", "uuid": "5cf10f86-a5f8-4de9-8883-4d73950d210f", "value": "CVE-2019-0604" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302334", "to_ids": true, "type": "sha256", "uuid": "5cf11062-7c4c-4b1d-ac88-4cc5950d210f", "value": "006569f0a7e501e58fe15a4323eedc08f9865239131b28dc5f95f750b4767b38" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302340", "to_ids": true, "type": "filename", "uuid": "5cf11062-9fa0-4692-9750-4257950d210f", "value": "/_layouts/15/error2.aspx" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302343", "to_ids": true, "type": "filename", "uuid": "5cf11062-1914-4a55-b137-41d6950d210f", "value": "/_layouts/15/errr.aspx" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302348", "to_ids": true, "type": "filename", "uuid": "5cf11062-894c-4f76-b99c-4639950d210f", "value": "stylecs.aspx" }, { "category": "Artifacts dropped", "comment": "stylecs.aspx", "deleted": false, "disable_correlation": false, "timestamp": "1559302330", "to_ids": true, "type": "sha256", "uuid": "5cf11062-c2d4-4269-be73-4db5950d210f", "value": "2feae7574a2cc4dea2bff4eceb92e3a77cf682c0a1e78ee70be931a251794b86" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302325", "to_ids": true, "type": "filename", "uuid": "5cf11062-377c-4de2-9448-4a0a950d210f", "value": "stylecss.aspx" }, { "category": "Artifacts dropped", "comment": "stylecss.aspx", "deleted": false, "disable_correlation": false, "timestamp": "1559302310", "to_ids": true, "type": "sha256", "uuid": "5cf11062-99ec-40c0-9281-4512950d210f", "value": "d1ab0dff44508bac9005e95299704a887b0ffc42734a34b30ebf6d3916053dbe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302314", "to_ids": true, "type": "filename", "uuid": "5cf11062-8234-4c77-8250-4850950d210f", "value": "test.aspx" }, { "category": "Artifacts dropped", "comment": "test.aspx", "deleted": false, "disable_correlation": false, "timestamp": "1559302319", "to_ids": true, "type": "sha256", "uuid": "5cf11062-f5e0-4d73-915e-4ab8950d210f", "value": "6b3f835acbd954af168184f57c9d8e6798898e9ee650bd543ea6f2e9d5cf6378" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302291", "to_ids": true, "type": "filename", "uuid": "5cf11062-9538-4612-a125-4dc8950d210f", "value": "tool.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302242", "to_ids": false, "type": "vulnerability", "uuid": "5cf11062-b3a8-48bd-84b1-4da8950d210f", "value": "CVE-2017-0144" }, { "category": "Artifacts dropped", "comment": "used to check to see if they are vulnerable to CVE-2017-0144 (EternalBlue) patched in MS07-010", "deleted": false, "disable_correlation": false, "timestamp": "1559302258", "to_ids": true, "type": "filename", "uuid": "5cf11062-a1c4-488d-ac46-4eee950d210f", "value": "checker1.exe" }, { "category": "Artifacts dropped", "comment": "Not the psexec from sysinternals but a remote execution functionality offered by a tool similar to PsExec offered by Impacket", "deleted": false, "disable_correlation": false, "timestamp": "1559302467", "to_ids": true, "type": "filename", "uuid": "5cf110fa-0344-4fbd-bca7-eea7950d210f", "value": "psexec.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-4024-41aa-be42-44d3950d210f", "value": "m2.exe" }, { "category": "Artifacts dropped", "comment": "m2.exe", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-1334-42c9-9570-4b16950d210f", "value": "b279a41359367408c627ffa8d80051ed0f04c76fbf6aed79b3b2963203e08ade" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-ebb0-46ec-80c2-40f2950d210f", "value": "7eea6e15bb13a3b65cca9405829123761bf7d12c6dc3b81ce499d8f6a0b25fb7" }, { "category": "Artifacts dropped", "comment": "HyperBro backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-58f4-4cbf-8c66-4045950d210f", "value": "s.exe" }, { "category": "Artifacts dropped", "comment": "HyperBro backdoor", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-254c-4d8f-9e26-41be950d210f", "value": "04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462" }, { "category": "Artifacts dropped", "comment": "Legitimate cURL.", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-50bc-4182-a819-430f950d210f", "value": "curl.exe" }, { "category": "Artifacts dropped", "comment": "Legitimate cURL", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-2d28-46e0-8572-4b45950d210f", "value": "abc16344cdfc78f532870f4dcfbb75794c9a7074e796477382564d7ba2122c7d" }, { "category": "Artifacts dropped", "comment": "Legitimate cURL.", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-b518-4e6d-a90d-44c3950d210f", "value": "bbb9cd70fdc581812822679e6a875dcf5b7d32fd529a1d564948a5a3f6f9e3ab" }, { "category": "Artifacts dropped", "comment": "Compiled EternalBlue checker script", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-b34c-4a3e-b0b4-4b9f950d210f", "value": "090cefebef655be7f879f2f14bd849ac20c4051d0c13e55410a49789738fad98" }, { "category": "Artifacts dropped", "comment": "C# Tool, likely from https://github.com/mubix/netview", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-d3cc-4c2c-85b1-414d950d210f", "value": "etool.exe" }, { "category": "Artifacts dropped", "comment": "C# Tool, likely from https://github.com/mubix/netview", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-4f10-4eb6-8b1c-4ff7950d210f", "value": "38fa396770e0ecf60fe1ce089422283e2dc8599489bd18d5eb033255dd8e370c" }, { "category": "Artifacts dropped", "comment": "Legitimate Sublime Text plugin host", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-c4dc-42c8-9d67-44e5950d210f", "value": "plugin_host.exe" }, { "category": "Artifacts dropped", "comment": "Legitimate Sublime Text plugin host", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-4df0-4ddd-a140-43ae950d210f", "value": "738abaa80e8b6ed21e16302cb91f6566f9322aebf7a22464f11ee9f4501da711" }, { "category": "Artifacts dropped", "comment": "Sideloaded DLL loaded by Sublime Text", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "filename", "uuid": "5cf111e1-c7e4-4ed5-9635-4af9950d210f", "value": "PYTHON33.dll" }, { "category": "Artifacts dropped", "comment": "Sideloaded DLL loaded by Sublime Text", "deleted": false, "disable_correlation": false, "timestamp": "1559302625", "to_ids": true, "type": "sha256", "uuid": "5cf111e1-d158-42da-8dbe-4828950d210f", "value": "2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528" }, { "category": "Artifacts dropped", "comment": "SMB backdoor based on smbrelay3", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-a61c-4572-a3c6-eea7950d210f", "value": "smb1.exe" }, { "category": "Artifacts dropped", "comment": "SMB backdoor based on smbrelay3", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-b5e8-46e1-a5dd-eea7950d210f", "value": "88027a44dc82a97e21f04121eea2e86b4ddf1bd7bbaa4ad009b97b50307570bd" }, { "category": "Artifacts dropped", "comment": "Compiled zzz_exploit.py", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-8b94-42cd-a8e7-eea7950d210f", "value": "mcmd.exe" }, { "category": "Artifacts dropped", "comment": "Compiled zzz_exploit.py", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-6c9c-4b25-8078-eea7950d210f", "value": "738128b4f42c8d2335d68383d72734130c0c4184725c06851498a4cf0374a841" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-52b8-41c9-a7a0-eea7950d210f", "value": "zzz_exploit.py" }, { "category": "Artifacts dropped", "comment": "Compiled zzz_exploit.py", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-7308-40da-bd53-eea7950d210f", "value": "mcafee.exe" }, { "category": "Artifacts dropped", "comment": "Compiled zzz_exploit.py", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-dc00-44b0-8e34-eea7950d210f", "value": "3bca0bb708c5dad1c683c6ead857a5ebfa15928a59211432459a3efa6a1afc59" }, { "category": "Artifacts dropped", "comment": "pwdump", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-5a74-409c-9602-eea7950d210f", "value": "dump.exe" }, { "category": "Artifacts dropped", "comment": "pwdump", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-323c-46cd-b6ec-eea7950d210f", "value": "29897f2ae25017455f904595872f2430b5f7fedd00ff1a46f1ea77e50940128e" }, { "category": "Artifacts dropped", "comment": "Compiled MS17-010 checker", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-2bd8-467f-91d5-eea7950d210f", "value": "d0df8e1dcf30785a964ecdda9bd86374d35960e1817b25a6b0963da38e0b1333" }, { "category": "Artifacts dropped", "comment": "Packed Mimikatz", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-b070-45e2-b7dd-eea7950d210f", "value": "memory.exe" }, { "category": "Artifacts dropped", "comment": "Packed Mimikatz", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-4ef4-4334-af42-eea7950d210f", "value": "a18326f929229da53d4cc340bde830f75e810122c58b523460c8d6ba62ede0e5" }, { "category": "Artifacts dropped", "comment": "Compiled MS17-010 checker", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-7f90-4c5f-b7bb-eea7950d210f", "value": "checker.exe" }, { "category": "Artifacts dropped", "comment": "SMB backdoor based on smbrelay3", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-ac9c-44c1-9bd7-eea7950d210f", "value": "smb.exe" }, { "category": "Artifacts dropped", "comment": "SMB backdoor based on smbrelay3", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-b28c-4298-b433-eea7950d210f", "value": "4a26ec5fd16ee13d869d6b0b6177e570444f6a007759ea94f1aa18fa831290a8" }, { "category": "Artifacts dropped", "comment": "Termite", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-a4fc-4db4-ba07-eea7950d210f", "value": "agent_Win32.exe" }, { "category": "Artifacts dropped", "comment": "Termite", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-5d40-45c1-942b-eea7950d210f", "value": "b2b2e900aa2e96ff44610032063012aa0435a47a5b416c384bd6e4e58a048ac9" }, { "category": "Artifacts dropped", "comment": "httprelay", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-0750-4a43-b314-eea7950d210f", "value": "smb_exec.exe" }, { "category": "Artifacts dropped", "comment": "httprelay", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-098c-4c83-925d-eea7950d210f", "value": "475c7e88a6d73e619ec585a7c9e6e57d2efc8298b688ebc10a3c703322f1a4a7" }, { "category": "Artifacts dropped", "comment": "Incognito", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-3b3c-4982-a3ff-eea7950d210f", "value": "incognito.exe" }, { "category": "Artifacts dropped", "comment": "Incognito", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-83ec-41db-aa5a-eea7950d210f", "value": "9f5f3a9ce156213445d08d1a9ea99356d2136924dc28a8ceca6d528f9dbd718b" }, { "category": "Artifacts dropped", "comment": "nbtscan", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-241c-4f87-8049-eea7950d210f", "value": "nbtscan.exe" }, { "category": "Artifacts dropped", "comment": "nbtscan", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-c35c-4c47-977d-eea7950d210f", "value": "c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e" }, { "category": "Artifacts dropped", "comment": "pwdump", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "filename", "uuid": "5cf113e1-58b8-426c-9116-eea7950d210f", "value": "fgdump.exe" }, { "category": "Artifacts dropped", "comment": "pwdump", "deleted": false, "disable_correlation": false, "timestamp": "1559303137", "to_ids": true, "type": "sha256", "uuid": "5cf113e1-1e04-46d5-b0e2-eea7950d210f", "value": "a6cad2d0f8dc05246846d2a9618fc93b7d97681331d5826f8353e7c3a3206e86" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559303138", "to_ids": true, "type": "filename", "uuid": "5cf113e2-85a4-4b17-8a79-eea7950d210f", "value": "smbexec.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559303138", "to_ids": true, "type": "sha256", "uuid": "5cf113e2-a6fc-489d-830d-eea7950d210f", "value": "e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee" }, { "category": "Artifacts dropped", "comment": "Legitimate CreateMedia.exe application from Microsoft\u00e2\u20ac\u2122s System Center 2012 Configuration Manager", "deleted": false, "disable_correlation": false, "timestamp": "1559303316", "to_ids": true, "type": "filename", "uuid": "5cf11443-5c1c-4ec6-8361-4188950d210f", "value": "CreateMedia.exe" }, { "category": "Artifacts dropped", "comment": "Legitimate CreateMedia.exe application from Microsoft\u00e2\u20ac\u2122s System Center 2012 Configuration Manager", "deleted": false, "disable_correlation": false, "timestamp": "1559303325", "to_ids": true, "type": "sha256", "uuid": "5cf11443-71e0-4c02-9469-4fea950d210f", "value": "2bb22c7b97e4c4d07e17a259cbc48d72f7e3935aa873e3dd78d01c5bbf426088" }, { "category": "Artifacts dropped", "comment": "Sideloaded DLL loaded by CreateMedia.exe", "deleted": false, "disable_correlation": false, "timestamp": "1559303335", "to_ids": true, "type": "filename", "uuid": "5cf11443-5c00-4428-957f-4052950d210f", "value": "CreateTsMediaAdm.dll" }, { "category": "Artifacts dropped", "comment": "Symantec pcAnywhere thinprobe application", "deleted": false, "disable_correlation": false, "timestamp": "1559303294", "to_ids": true, "type": "filename", "uuid": "5cf1146c-8d1c-45c7-b23f-4985950d210f", "value": "thinprobe.exe" }, { "category": "Artifacts dropped", "comment": "Symantec pcAnywhere thinprobe application", "deleted": false, "disable_correlation": false, "timestamp": "1559303297", "to_ids": true, "type": "sha256", "uuid": "5cf1146c-a964-4838-8be2-4434950d210f", "value": "76d2e897ca235beab44ee7eaab9ede7bc7868bbaeb7d6cb10b4323c07eb216af" }, { "category": "Artifacts dropped", "comment": "Sideloaded DLL loaded by thinprobe.exe", "deleted": false, "disable_correlation": false, "timestamp": "1559303300", "to_ids": true, "type": "filename", "uuid": "5cf1146c-d820-4389-a536-4ab5950d210f", "value": "thinhostprobedll.dll" }, { "category": "Artifacts dropped", "comment": "Sideloaded DLL loaded by thinprobe.exe", "deleted": false, "disable_correlation": false, "timestamp": "1559303305", "to_ids": true, "type": "sha256", "uuid": "5cf1146c-048c-4a4c-83e4-4c94950d210f", "value": "d40414b1173d59597ed1122361fe60303d3526f15320aede355c6ad9e7e239af" }, { "category": "Artifacts dropped", "comment": "thumb.db Contains encrypted and compressed DLL payload run by sideloaded DLL", "deleted": false, "disable_correlation": false, "timestamp": "1559303310", "to_ids": true, "type": "sha256", "uuid": "5cf1146c-8c60-486c-a98a-4965950d210f", "value": "270ea24f2cef655bd89439ab76c1d49c80caaa8899ffa6f0ef36dc1beb894530" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559303420", "to_ids": true, "type": "url", "uuid": "5cf114fc-4dbc-4f3a-a659-4540950d210f", "value": "https://185.12.45.134:443/ajax" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559303437", "to_ids": true, "type": "ip-dst", "uuid": "5cf1150d-6518-4fbe-b7c1-4dcf950d210f", "value": "185.12.45.134" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1559307454", "to_ids": true, "type": "named pipe", "uuid": "5cf124be-1fa4-49c1-81e4-de6c950d210f", "value": "\\\\.\\pipe\\testpipe" } ] } }