{ "Event": { "analysis": "0", "date": "2022-08-03", "extends_uuid": "", "info": "Github Repo Compromise Domain MyJino RU", "publish_timestamp": "1659524114", "published": true, "threat_level_id": "1", "timestamp": "1659520660", "uuid": "f811ccb3-5724-4ff4-a920-36d81100e7b8", "Orgc": { "name": "BSK", "uuid": "56024f6c-da70-4584-b689-48ef950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#053a00", "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"" }, { "colour": "#002642", "name": "osint:source-type=\"microblog-post\"" } ], "Attribute": [ { "category": "Network activity", "comment": "C2 domain", "deleted": false, "disable_correlation": false, "timestamp": "1659513139", "to_ids": true, "type": "hostname", "uuid": "0ea045af-c19c-4dc9-8aba-51bdb8643a74", "value": "ovz1.j19544519.pr46m.vps.myjino.ru" } ], "Object": [ { "comment": "ovz1.j19544519.pr46m.vps.myjino.ru: Enriched via the farsight_passivedns module", "deleted": false, "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. 
See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html", "first_seen": "2022-07-28T11:22:53+00:00", "last_seen": "2022-08-03T06:19:30+00:00", "meta-category": "network", "name": "passive-dns", "template_uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c", "template_version": "5", "timestamp": "1659520432", "uuid": "afdb4f8e-08ca-4beb-b105-c91605eb5513", "ObjectReference": [ { "comment": "", "object_uuid": "afdb4f8e-08ca-4beb-b105-c91605eb5513", "referenced_uuid": "0ea045af-c19c-4dc9-8aba-51bdb8643a74", "relationship_type": "related-to", "timestamp": "1659519047", "uuid": "9cd1bcb7-2c93-4308-b98d-dcdbbd3e967a" } ], "Attribute": [ { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": false, "object_relation": "rdata", "timestamp": "1659520428", "to_ids": true, "type": "text", "uuid": "84fd5844-44f6-49b4-ae39-9a77413b8152", "value": "195.161.41.221" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": true, "object_relation": "count", "timestamp": "1659519079", "to_ids": false, "type": "counter", "uuid": "517487e4-8ecf-4023-9601-cdeae8d5178e", "value": "4" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": true, "object_relation": "time_first", "timestamp": "1659519079", "to_ids": false, "type": "datetime", "uuid": "64322d63-ac27-458a-8e57-3f9b7215b163", "value": "2022-07-28T11:22:53+00:00" }, { "category": "Other", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": true, "object_relation": "time_last", "timestamp": "1659519079", "to_ids": false, "type": "datetime", "uuid": "d5b73acf-82da-4d12-ad2f-557ee481435c", 
"value": "2022-08-03T06:19:30+00:00" }, { "category": "Network activity", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": false, "object_relation": "rrname", "timestamp": "1659520432", "to_ids": true, "type": "text", "uuid": "411cb6d9-2de2-45fe-8858-b31f98e52ce0", "value": "ovz1.j19544519.pr46m.vps.myjino.ru." }, { "category": "Network activity", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": true, "object_relation": "rrtype", "timestamp": "1659519079", "to_ids": false, "type": "text", "uuid": "ceaec1aa-ea20-46c9-aa26-6e526cc58e4c", "value": "A" }, { "category": "Network activity", "comment": "Result from a rrset lookup on DNSDB about the hostname: ovz1.j19544519.pr46m.vps.myjino.ru", "deleted": false, "disable_correlation": true, "object_relation": "bailiwick", "timestamp": "1659520417", "to_ids": false, "type": "domain", "uuid": "1e73df86-ce7c-445d-9dfa-7c84158a46f6", "value": "myjino.ru" } ] }, { "comment": "Origin: https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/gen_github_repo_compromise_myjino_ru.yar", "deleted": false, "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "name": "yara", "template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "template_version": "5", "timestamp": "1659519265", "uuid": "62e6afb6-4237-41f9-8be7-986c83f038fa", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1659519265", "to_ids": false, "type": "text", "uuid": "657fa3c5-8a6f-44a3-a1b2-db62db18ae7e", "value": "all" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara", "timestamp": "1659519265", "to_ids": true, "type": "yara", 
"uuid": "537e39eb-37f4-42d5-8944-39022aa38b47", "value": "rule MAL_Github_Repo_Compromise_MyJino_Ru_Aug22 {\r\n meta:\r\n description = \"Detects URL mentioned in report on compromised Github repositories in August 2022\"\r\n author = \"Florian Roth\"\r\n reference = \"https://twitter.com/stephenlacy/status/1554697077430505473\"\r\n date = \"2022-08-03\"\r\n score = 90\r\n strings:\r\n $x1 = \"curl http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n $x2 = \"http__.Post(\\\"http://ovz1.j19544519.pr46m.vps.myjino.ru\" ascii wide\r\n condition:\r\n 1 of them\r\n}" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "yara-rule-name", "timestamp": "1659519265", "to_ids": false, "type": "text", "uuid": "8bc7d3cf-71b6-441b-aa53-0c0a21375995", "value": "MAL_Github_Repo_Compromise_MyJino_Ru_Aug22" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1659520396", "uuid": "284f1a37-a166-4b5b-b5b3-4a1e41bae212", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "comment", "timestamp": "1659520396", "to_ids": false, "type": "comment", "uuid": "51bf417d-6e35-4fa9-ac51-889898fcb4e5", "value": "Detects connections to the host used in a big repository compromise discovered in August 2022" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1659520396", "to_ids": false, "type": "text", "uuid": "2b7d7317-6a7b-4245-b72e-860e99a8ae29", "value": "dns" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1659520396", "to_ids": false, "type": "text", "uuid": "b4455c25-2f5b-4665-8900-dbf1af77bd57", 
"value": "network" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1659520396", "to_ids": false, "type": "link", "uuid": "ecb93db6-01ee-43ec-a51f-9f858630970a", "value": "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/network_connection/net_connection_win_github_myjino_ru.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1659520396", "to_ids": true, "type": "sigma", "uuid": "a6cd4477-de96-479a-85ca-7c709bf3dd33", "value": "title: Github Repo Compromise Domain MyJino RU\r\nid: 3a9f4c77-8e2e-45eb-abc1-4754f670d3a9\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: network_connection\r\n product: windows\r\ndetection:\r\n selection:\r\n Initiated: 'true'\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1659520396", "to_ids": false, "type": "text", "uuid": "45dce477-cec0-4a94-a6e9-b23136dc282a", "value": "Github Repo Compromise Domain MyJino RU" } ] }, { "comment": "", "deleted": false, "description": "An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1659520547", "uuid": "18ab09f0-b623-40df-8920-eadfbcb0d5e0", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": 
true, "object_relation": "context", "timestamp": "1659520547", "to_ids": false, "type": "text", "uuid": "5954ae33-cbf4-468d-b11a-7ae33f6bc965", "value": "dns" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1659520547", "to_ids": false, "type": "text", "uuid": "80d8f09b-51e8-47c4-9d22-244973f6a526", "value": "network" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "reference", "timestamp": "1659520547", "to_ids": false, "type": "link", "uuid": "68adb1fd-fa19-4a9d-8e4d-dd3724e8db04", "value": "https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/linux/network_connection/net_connection_github_myjino_ru.yml" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1659520547", "to_ids": true, "type": "sigma", "uuid": "70294bb6-60d9-439f-b7ca-be754d7162d4", "value": "title: Github Repo Compromise Domain MyJino RU\r\nid: 242e0911-294a-44ea-a54e-7eea97aa2622\r\nstatus: test\r\ndescription: Detects connections to the host used in a big repository compromise discovered in August 2022\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n product: linux\r\n category: network_connection\r\ndetection:\r\n selection:\r\n DestinationHostname: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1659520547", "to_ids": false, "type": "text", "uuid": "d5f1cfed-c4b0-4c90-8158-21e9e76c28d1", "value": "Github Repo Compromise Domain MyJino RU" } ] }, { "comment": "", "deleted": false, "description": 
"An object describing a Sigma rule (or a Sigma rule name).", "meta-category": "misc", "name": "sigma", "template_uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", "template_version": "1", "timestamp": "1659520633", "uuid": "9d47dc79-72a0-457a-af87-022323dd74c9", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "context", "timestamp": "1659520633", "to_ids": false, "type": "text", "uuid": "0fe60ee6-7182-4441-a471-d71f9d76fc2f", "value": "dns" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma", "timestamp": "1659520633", "to_ids": true, "type": "sigma", "uuid": "60048328-51d0-433c-b979-8fe5b6726458", "value": "title: DNS Lookup Github Repo Compromise Domain MyJino RU\r\nid: 6b0dd2e4-13ff-4eff-b79b-4444fad43644\r\nstatus: test\r\ndescription: Detects DNS lookups of the host used in a big repository compromise discovered in August 2022 (a query match shows the name was resolved, not that a connection was made - pair with the network_connection rules for that)\r\nreferences:\r\n - https://twitter.com/stephenlacy/status/1554697077430505473\r\ndate: 2022/08/03\r\nauthor: Florian Roth\r\nlogsource:\r\n category: dns\r\ndetection:\r\n selection:\r\n query: 'ovz1.j19544519.pr46m.vps.myjino.ru'\r\n condition: selection\r\nfalsepositives:\r\n - Users looking up that domain after reading the report (unlikely)\r\n - Web proxy or other security device DNS lookups of the domain\r\nlevel: high" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sigma-rule-name", "timestamp": "1659520633", "to_ids": false, "type": "text", "uuid": "c306254d-9b71-46c3-ae7a-b3143ce96092", "value": "DNS Lookup Github Repo Compromise Domain MyJino RU" } ] } ] } }