{ "Event": { "analysis": "2", "date": "2013-08-23", "extends_uuid": "", "info": "OSINT Operation Molerats: Middle East Cyber Attacks Using Poison Ivy by Fire Eye", "publish_timestamp": "1498161566", "published": true, "threat_level_id": "2", "timestamp": "1498161545", "uuid": "55c7524c-e510-453a-93dc-c2c9950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439126109", "to_ids": false, "type": "link", "uuid": "55c7525e-d474-4ed0-a478-c2c9950d210b", "value": "https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886535", "to_ids": true, "type": "md5", "uuid": "55d2ebcc-0278-4b56-8b29-7c5e950d210b", "value": "7084f3a2d63a16a191b7fcb2b19f0e0d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886296", "to_ids": true, "type": "mutex", "uuid": "55d2ebd8-092c-48cc-a41d-966f950d210b", "value": "gdfgdfgdg" }, { "category": "Attribution", "comment": "Password used", "deleted": false, "disable_correlation": false, "timestamp": "1439886311", "to_ids": false, "type": "text", "uuid": "55d2ebe7-30a8-486a-83f9-9675950d210b", "value": "!@#GooD#@!" 
}, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886378", "to_ids": true, "type": "md5", "uuid": "55d2ec2a-a434-4f1d-b1e2-9804950d210b", "value": "16346b95e6deef9da7fe796c31b9dec4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886379", "to_ids": true, "type": "md5", "uuid": "55d2ec2b-4958-4ca6-9c55-9804950d210b", "value": "fc554a0ad7cf9d4f47ec4f297dbde375" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886379", "to_ids": true, "type": "md5", "uuid": "55d2ec2b-08cc-438a-973c-9804950d210b", "value": "a8714aac274a18f1724d9702d40030bf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886379", "to_ids": true, "type": "md5", "uuid": "55d2ec2b-b49c-4e7e-aaa9-9804950d210b", "value": "d9a7c4a100cfefef995785f707be895c" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886394", "to_ids": true, "type": "hostname", "uuid": "55d2ec3a-84b8-4b12-88ea-7c5e950d210b", "value": "toornt.servegame.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886394", "to_ids": true, "type": "hostname", "uuid": "55d2ec3a-b1e4-436b-a630-7c5e950d210b", "value": "updateo.servegame.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886394", "to_ids": true, "type": "hostname", "uuid": "55d2ec3a-d668-4526-be3a-7c5e950d210b", "value": "egypttv.sytes.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886394", "to_ids": true, "type": "hostname", "uuid": "55d2ec3a-f498-428a-84c1-7c5e950d210b", "value": "skype.servemp3.com" }, { "category": "Network 
activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886394", "to_ids": true, "type": "hostname", "uuid": "55d2ec3a-f1b0-4307-930f-7c5e950d210b", "value": "natco2.no-ip.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886428", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5c-4a24-422c-895c-9673950d210b", "value": "209.200.39.48" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886429", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5d-c21c-43ad-822a-9673950d210b", "value": "209.200.39.88" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886429", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5d-c4e4-43fb-9584-9673950d210b", "value": "173.225.126.166" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886429", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5d-c8e0-4024-96bd-9673950d210b", "value": "173.225.126.103" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886429", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5d-8ef8-420d-931a-9673950d210b", "value": "209.200.39.220" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886429", "to_ids": true, "type": "ip-dst", "uuid": "55d2ec5d-36c0-4e7f-86ca-9673950d210b", "value": "173.225.126.179" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1498161545", "to_ids": true, "type": "yara", "uuid": "55d2ec7e-be34-4690-ba35-966f950d210b", "value": "rule Molerats_certs\n{\nmeta:\n author = \"FireEye Labs\"\n description = \"this rule detects code signed with certificates used by the Molerats 
actor\"\n\nstrings:\n $cert1 = {06 50 11 A5 BC BF 83 C0 93 28 16 5E 7E 85 27 75}\n $cert2 = {03 e1 e1 aa a5 bc a1 9f ba 8c 42 05 8b 4a bf 28}\n $cert3 = {0c c0 35 9c 9c 3c da 00 d7 e9 da 2d c6 ba 7b 6d}\n\ncondition:\n 1 of ($cert*)\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886515", "to_ids": true, "type": "md5", "uuid": "55d2ecb3-aba8-4a4e-a1e9-876d950d210b", "value": "9dff139bbbe476770294fb86f4e156ac" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886515", "to_ids": true, "type": "md5", "uuid": "55d2ecb3-ede8-46c1-ada5-876d950d210b", "value": "6350d1039742b87b7917a5e26de2c25c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886515", "to_ids": true, "type": "md5", "uuid": "55d2ecb3-d644-402a-98d5-876d950d210b", "value": "b0a9abc76a2b4335074a13939c59bfc9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886516", "to_ids": true, "type": "md5", "uuid": "55d2ecb4-cbbc-4cba-9aeb-876d950d210b", "value": "5b740b4623b2d1049c0036a6aae684b0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886516", "to_ids": true, "type": "md5", "uuid": "55d2ecb4-443c-42fa-b9dc-876d950d210b", "value": "cf31aea415e7013e85d1687a1c0f5daa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886516", "to_ids": true, "type": "md5", "uuid": "55d2ecb4-20d8-4a64-b332-876d950d210b", "value": "973b5f2a5608d243e7305ee4f9249302" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886516", "to_ids": true, "type": "md5", "uuid": "55d2ecb4-5fd4-4777-b900-876d950d210b", "value": "e85fc76362c2e9dc7329fddda8acc89e" }, { 
"category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886516", "to_ids": true, "type": "md5", "uuid": "55d2ecb4-cee0-4dc1-b27e-876d950d210b", "value": "b05603938a888018d4dcdc551c4be8ac" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1439886517", "to_ids": true, "type": "md5", "uuid": "55d2ecb5-23b4-4842-be8d-876d950d210b", "value": "9ef9a631160b96322010a5238defc673" }, { "category": "Payload delivery", "comment": "Automatically added (via 16346b95e6deef9da7fe796c31b9dec4)", "deleted": false, "disable_correlation": false, "timestamp": "1455846383", "to_ids": true, "type": "sha1", "uuid": "56c673ef-24a8-47b3-b427-4249950d210f", "value": "4662aa7b63d4377c38c38c6ed092b88e13883150" }, { "category": "Payload delivery", "comment": "Automatically added (via a8714aac274a18f1724d9702d40030bf)", "deleted": false, "disable_correlation": false, "timestamp": "1455846385", "to_ids": true, "type": "sha1", "uuid": "56c673f1-b2dc-42aa-b601-599c950d210f", "value": "d5da2c4e6024056ca07958d8b6336d17f7109cf8" }, { "category": "Payload delivery", "comment": "Automatically added (via d9a7c4a100cfefef995785f707be895c)", "deleted": false, "disable_correlation": false, "timestamp": "1455846386", "to_ids": true, "type": "sha1", "uuid": "56c673f2-ed28-4341-be11-5f51950d210f", "value": "2ae0ba3873b44d2bacf026ad547e65b69fbbb641" }, { "category": "Payload delivery", "comment": "Automatically added (via 9dff139bbbe476770294fb86f4e156ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455846388", "to_ids": true, "type": "sha1", "uuid": "56c673f4-a5c4-4f07-ab2f-c650950d210f", "value": "cbd95c2d6209e7db9cb5af62b986d6fdf3b0b032" }, { "category": "Payload delivery", "comment": "Automatically added (via 6350d1039742b87b7917a5e26de2c25c)", "deleted": false, "disable_correlation": false, "timestamp": "1455846389", "to_ids": true, "type": "sha1", "uuid": 
"56c673f5-bf90-4d53-9f6d-5f51950d210f", "value": "336151283faff1cd5bd9ced42b8cf9e15c3bffc7" }, { "category": "Payload delivery", "comment": "Automatically added (via 5b740b4623b2d1049c0036a6aae684b0)", "deleted": false, "disable_correlation": false, "timestamp": "1455846391", "to_ids": true, "type": "sha1", "uuid": "56c673f7-1394-4e3b-a50c-59a1950d210f", "value": "a684da91db91fe1b8b4c1d842d739da85e065e45" }, { "category": "Payload delivery", "comment": "Automatically added (via 973b5f2a5608d243e7305ee4f9249302)", "deleted": false, "disable_correlation": false, "timestamp": "1455846392", "to_ids": true, "type": "sha1", "uuid": "56c673f8-76c8-4d94-b222-4bdb950d210f", "value": "e27729038d209e9b67577387f8164d5e7c5b921d" }, { "category": "Payload delivery", "comment": "Automatically added (via e85fc76362c2e9dc7329fddda8acc89e)", "deleted": false, "disable_correlation": false, "timestamp": "1455846393", "to_ids": true, "type": "sha1", "uuid": "56c673f9-79d4-4d33-93c3-c650950d210f", "value": "eebf9abe5c8aea61bc083e44089accb5dca36041" }, { "category": "Payload delivery", "comment": "Automatically added (via b05603938a888018d4dcdc551c4be8ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455846394", "to_ids": true, "type": "sha1", "uuid": "56c673fa-57f0-4ce3-980b-c652950d210f", "value": "52fae7e11829a4e3979ae719c92f44ffd102b4d8" }, { "category": "Payload delivery", "comment": "Automatically added (via 9ef9a631160b96322010a5238defc673)", "deleted": false, "disable_correlation": false, "timestamp": "1455846396", "to_ids": true, "type": "sha1", "uuid": "56c673fc-f658-4f61-a69c-c653950d210f", "value": "a2c051fac0f5f5b42a5b7ec94411a70c16dc239c" }, { "category": "Payload delivery", "comment": "Automatically added (via 16346b95e6deef9da7fe796c31b9dec4)", "deleted": false, "disable_correlation": false, "timestamp": "1455846384", "to_ids": true, "type": "sha256", "uuid": "56c673f0-e658-4060-a4b0-599f950d210f", "value": 
"b745cf098e8643fb92723dedaef3343ec659baa288fffe847e961a8e62c2075f" }, { "category": "Payload delivery", "comment": "Automatically added (via a8714aac274a18f1724d9702d40030bf)", "deleted": false, "disable_correlation": false, "timestamp": "1455846386", "to_ids": true, "type": "sha256", "uuid": "56c673f2-de38-4262-92c5-c654950d210f", "value": "4f3bd6a74ddb04a5c4ae2f0b7290e1fe06123fbb681039962b3b291d143ebbc3" }, { "category": "Payload delivery", "comment": "Automatically added (via d9a7c4a100cfefef995785f707be895c)", "deleted": false, "disable_correlation": false, "timestamp": "1455846387", "to_ids": true, "type": "sha256", "uuid": "56c673f3-c984-4362-b914-5ca1950d210f", "value": "bc2c1e2d23058a9277e8f3550fb7b0dfbb2c6e8a19e7981e24a72ea725682ecf" }, { "category": "Payload delivery", "comment": "Automatically added (via 9dff139bbbe476770294fb86f4e156ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455846388", "to_ids": true, "type": "sha256", "uuid": "56c673f4-4f5c-4a34-904c-59a3950d210f", "value": "faf73608255525a2a62825178f79d592a7a7a2597385d7887178d89cc67e7265" }, { "category": "Payload delivery", "comment": "Automatically added (via 6350d1039742b87b7917a5e26de2c25c)", "deleted": false, "disable_correlation": false, "timestamp": "1455846390", "to_ids": true, "type": "sha256", "uuid": "56c673f6-698c-4590-8c77-4556950d210f", "value": "48d671f419d957e4a1cd1a0cc54a0cd72b259b9558c2e95cf6d06850bf12e0f8" }, { "category": "Payload delivery", "comment": "Automatically added (via 5b740b4623b2d1049c0036a6aae684b0)", "deleted": false, "disable_correlation": false, "timestamp": "1455846391", "to_ids": true, "type": "sha256", "uuid": "56c673f7-164c-44e8-8ec5-5ca1950d210f", "value": "34c13f37fa7f31b0143509b1545ab5b248def00827880708103ce427621fdfa6" }, { "category": "Payload delivery", "comment": "Automatically added (via 973b5f2a5608d243e7305ee4f9249302)", "deleted": false, "disable_correlation": false, "timestamp": "1455846393", "to_ids": true, "type": 
"sha256", "uuid": "56c673f9-1d4c-4328-ade7-c653950d210f", "value": "4754fb852c5c82c8b94ae6a0cbb2edd1e82b369b0fdbc3bf8a04bed293b0f4fe" }, { "category": "Payload delivery", "comment": "Automatically added (via e85fc76362c2e9dc7329fddda8acc89e)", "deleted": false, "disable_correlation": false, "timestamp": "1455846394", "to_ids": true, "type": "sha256", "uuid": "56c673fa-2610-4a95-b832-599d950d210f", "value": "23aa514a00838624795a13bcc0b7ff54d462a3cf12c53a00ee877424a180dd81" }, { "category": "Payload delivery", "comment": "Automatically added (via b05603938a888018d4dcdc551c4be8ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455846395", "to_ids": true, "type": "sha256", "uuid": "56c673fb-e8a8-4807-a7a3-4cd5950d210f", "value": "9bdbfd5a70750f02b094786710fefb50ba839ed50ca3546dedd39cb92cc5156b" }, { "category": "Payload delivery", "comment": "Automatically added (via 9ef9a631160b96322010a5238defc673)", "deleted": false, "disable_correlation": false, "timestamp": "1455846396", "to_ids": true, "type": "sha256", "uuid": "56c673fc-74b8-4e7a-8b7c-59a3950d210f", "value": "6766177387cd1deda85fcda715fa6ffac3216c206e11857ac5d719ff408d930d" } ] } }