{ "Event": { "analysis": "2", "date": "2020-11-09", "extends_uuid": "", "info": "OSINT - Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware \"one\" Group via Cobalt Strike", "publish_timestamp": "1604914975", "published": true, "threat_level_id": "1", "timestamp": "1604914828", "uuid": "0fadc113-6e22-4524-96b1-7b8fc98fa64c", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "name": "misp-galaxy:ransomware=\"Ryuk ransomware\"" }, { "colour": "#0088cc", "name": "misp-galaxy:malpedia=\"Cobalt Strike\"" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "6b0610ec-fe93-41e9-b23b-379b25e2f544", "value": "check1domains.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "2536fb8b-dd20-41ef-a580-55deb79446af", "value": "sweetmonsterr.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "399d130a-0c71-4194-9d11-b3483a5e9041", "value": "qascker.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "b382bd4c-76c3-4ec2-b768-eb45849ce068", "value": "remotessa.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "1e625f9b-493c-4015-ab47-72b1971202cd", "value": "havemosts.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "4fc21643-6cb7-4e5f-aea7-bad4024e54df", "value": "unlockwsa.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "c41b1b8f-50e8-45d1-8542-1e26b9908f94", "value": "sobcase.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "3101bc91-74a3-4163-b5ee-2207f757c20c", "value": "zhameharden.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "48935a10-cc47-4880-af23-4364c7e7ae37", "value": "mixunderax.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "f75c74f9-f2b5-4b5a-8404-57e33c04c014", "value": "bugsbunnyy.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "b4c14a73-44cf-4d93-aabc-6175f062786a", "value": "fastbloodhunter.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "8459d57b-4d03-4a94-8bec-78cfa1a318a1", "value": "serviceboosterr.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "b177c07b-94c6-4c88-851d-3d3e36bf604b", "value": "servicewikii.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "fb90a640-17e3-4c26-b50f-e0861295c262", "value": "secondlivve.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "beab0436-d5bf-4625-a71d-9d9bdaf10ad0", "value": "luckyhunterrs.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "da14c486-89e5-44c8-8722-0989f7691ecf", "value": "wodemayaa.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "83bc6856-3a5b-49c7-866a-c8e05d8f49f2", "value": "hybriqdjs.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "a670a832-fa18-4cfb-8e9c-4f4f788542f7", "value": "gunsdrag.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "f56a75d5-db37-4b15-b8d7-5d09d1f078a2", "value": "gungameon.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "207008f3-f173-4774-86d1-5c1be1cc383b", "value": "servicemount.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "05a70842-6bbc-4441-b5c6-fac100840497", "value": "servicesupdater.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "128049f4-898d-4d60-821c-b9e80f5b335e", "value": "service-boosterr.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "f0ef8f00-71d4-411c-96f6-5e3409677484", "value": "serviceupdatter.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914434", "to_ids": true, "type": "domain", "uuid": "64c4fe90-54c0-49d0-ac60-dbdc6d0015fe", "value": "dotmaingame.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1604914593", "to_ids": false, "type": "link", "uuid": "01b3d607-413e-4343-a336-c4684d0aa060", "value": "https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike" } ] } }