{ "Event": { "analysis": "0", "date": "2015-11-27", "extends_uuid": "", "info": "OSINT Expansion on APT-28 - Evolving Threats: dissection of a Cyber-Espionage attack", "publish_timestamp": "1468246298", "published": true, "threat_level_id": "1", "timestamp": "1448612175", "uuid": "56580480-2738-4888-98be-b742950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#33FF00", "name": "tlp:green" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448608932", "to_ids": false, "type": "text", "uuid": "565804a4-6bc8-4dbb-88c4-4b02950d210b", "value": "APT28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448608932", "to_ids": false, "type": "text", "uuid": "565804a4-5b60-4e42-a2db-4a6c950d210b", "value": "Sednit" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448608933", "to_ids": false, "type": "text", "uuid": "565804a5-7c14-4b8f-8ad5-40cc950d210b", "value": "Sofacy" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608981", "to_ids": true, "type": "domain", "uuid": "565804d5-38bc-4e6e-9cc0-b791950d210b", "value": "microsofthelpcenter.info" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608982", "to_ids": true, "type": "domain", "uuid": "565804d6-aa04-48b1-99ee-b791950d210b", "value": "1oo7.net" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608982", "to_ids": true, "type": "domain", "uuid": "565804d6-f130-4582-8c10-b791950d210b", "value": "microsoftdriver.com" }, { "category": "Network 
activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608983", "to_ids": true, "type": "ip-dst", "uuid": "565804d7-4408-4786-b006-b791950d210b", "value": "198.105.125.74" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608983", "to_ids": true, "type": "ip-dst", "uuid": "565804d7-d8f4-4eba-a35a-b791950d210b", "value": "66.172.12.133" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608984", "to_ids": true, "type": "ip-dst", "uuid": "565804d8-a4fc-4721-8b3a-b791950d210b", "value": "45.64.105.23" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608984", "to_ids": true, "type": "ip-dst", "uuid": "565804d8-e720-4012-b480-b791950d210b", "value": "176.31.112.10" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608985", "to_ids": true, "type": "ip-dst", "uuid": "565804d9-6174-41e1-a430-b791950d210b", "value": "176.31.96.178" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608985", "to_ids": true, "type": "ip-dst", "uuid": "565804d9-df2c-490e-95fb-b791950d210b", "value": "87.236.215.13" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608986", "to_ids": true, "type": "ip-dst", "uuid": "565804da-08a8-40f5-9bd1-b791950d210b", "value": "46.19.138.66" }, { "category": "Network activity", "comment": "CnC list paragraph", "deleted": false, "disable_correlation": false, "timestamp": "1448608986", "to_ids": true, "type": "ip-dst", "uuid": "565804da-f894-4f3d-8fed-b791950d210b", "value": "5.199.171.58" }, { 
"category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448609035", "to_ids": false, "type": "link", "uuid": "5658050b-9fe8-45be-bf50-b742950d210b", "value": "http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448609036", "to_ids": false, "type": "link", "uuid": "5658050c-3aec-4100-b938-b742950d210b", "value": "https://github.com/gasgas4/APTnotes/blob/master/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf" }, { "category": "Network activity", "comment": "Combing through screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1448609210", "to_ids": true, "type": "domain", "uuid": "565805ba-f6fc-43db-90bb-b376950d210b", "value": "militaryexponews.com" }, { "category": "Network activity", "comment": "Combing through screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1448609212", "to_ids": true, "type": "domain", "uuid": "565805bc-f64c-4cc5-b5a3-b376950d210b", "value": "irwing.org" }, { "category": "Network activity", "comment": "Combing through screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1448609212", "to_ids": true, "type": "domain", "uuid": "565805bc-10fc-4f47-a3a9-b376950d210b", "value": "eservicesystems.net" }, { "category": "Network activity", "comment": "Combing through screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1448609213", "to_ids": true, "type": "domain", "uuid": "565805bd-6630-4743-ba10-b376950d210b", "value": "windowsappstore.net" }, { "category": "Network activity", "comment": "Combing through screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1448609213", "to_ids": true, "type": "ip-dst", "uuid": 
"565805bd-4320-414c-9afd-b376950d210b", "value": "131.72.136.10" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448611989", "to_ids": false, "type": "comment", "uuid": "56581095-fba8-4c69-bd27-b376950d210b", "value": "Additional IOCs found combing through screenshots & using threatCrowd.org" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1448612064", "to_ids": false, "type": "comment", "uuid": "565810e0-b624-4b74-9335-401f950d210b", "value": "GET to URLs containing the following tokens: /find/?itwm= &from= &utm= &oprnd= &from=\r\nPOST to URLs containing the following tokens: /open/?ags= &ags= &oprnd= &channel= &itwm=" }, { "category": "Network activity", "comment": "Resolution of domain irwing.org", "deleted": false, "disable_correlation": false, "timestamp": "1448612173", "to_ids": true, "type": "ip-dst", "uuid": "5658114d-bc94-4a40-8080-485d950d210b", "value": "204.12.244.58" }, { "category": "Network activity", "comment": "Resolution of domain irwing.org", "deleted": false, "disable_correlation": false, "timestamp": "1448612174", "to_ids": true, "type": "ip-dst", "uuid": "5658114e-9a4c-4fac-92a3-4868950d210b", "value": "104.200.17.202" }, { "category": "Network activity", "comment": "Resolution of domain irwing.org", "deleted": false, "disable_correlation": false, "timestamp": "1448612174", "to_ids": true, "type": "ip-dst", "uuid": "5658114e-1b48-4304-87ec-4fc9950d210b", "value": "104.200.17.53" } ] } }