{ "Event": { "analysis": "2", "date": "2015-05-18", "extends_uuid": "", "info": "OSINT Cmstar Downloader: Lurid and Enfal\u2019s New Cousin by Palo Alto Unit 42", "publish_timestamp": "1456150625", "published": true, "threat_level_id": "2", "timestamp": "1432209524", "uuid": "555cacaa-4a44-43f0-909e-919a950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432136885", "to_ids": false, "type": "link", "uuid": "555cacb5-6720-417f-b869-cd10950d210b", "value": "http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432136957", "to_ids": false, "type": "text", "uuid": "555cacfd-4428-40f9-b5d3-3e56950d210b", "value": "Cmstar" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432136957", "to_ids": false, "type": "text", "uuid": "555cacfd-be3c-43b1-97c6-3e56950d210b", "value": "Lurid" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432136957", "to_ids": false, "type": "text", "uuid": "555cacfd-4e08-40e1-ace6-3e56950d210b", "value": "Enfal" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432137084", "to_ids": true, "type": "url", "uuid": "555cad7c-a468-4122-b90c-4669950d210b", "value": "http://happy.launchtrue.com:8080/cgl-bin/update.cgi" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432137098", "to_ids": true, "type": "url", "uuid": 
"555cad8a-da98-4257-a20d-23b4950d210b", "value": "/cgl-bin/update.cgi" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432137141", "to_ids": true, "type": "mutex", "uuid": "555cadb5-a460-482d-81ee-b9ab950d210b", "value": "{53A4988C-F91F-4054-9076-220AC5EC03F3}" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-7bc4-4da4-98dd-175c950d210b", "value": "links.dogsforhelp.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-ce8c-40ff-a218-175c950d210b", "value": "three.earewq.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-fbcc-4b72-afba-175c950d210b", "value": "question.eboregi.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-3690-4dcb-970d-175c950d210b", "value": "here.pechooin.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-27ec-4b57-bb0e-175c950d210b", "value": "sarey.phdreport.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208810", "to_ids": true, "type": "hostname", "uuid": "555dc5aa-4144-4158-a885-175c950d210b", "value": "bakler.featurvoice.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208978", "to_ids": true, "type": "hostname", "uuid": "555dc652-b4b4-48ba-8167-177c950d210b", 
"value": "help.ubxpi0s.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208978", "to_ids": true, "type": "hostname", "uuid": "555dc652-4498-4298-aab7-177c950d210b", "value": "forever.cowforhelp.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208978", "to_ids": true, "type": "hostname", "uuid": "555dc652-c2b0-4fec-877b-177c950d210b", "value": "question.shiesiido.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208978", "to_ids": true, "type": "hostname", "uuid": "555dc652-bb88-41f9-a014-177c950d210b", "value": "endline.biortherm.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208978", "to_ids": true, "type": "hostname", "uuid": "555dc652-c760-4328-9c5e-177c950d210b", "value": "right.marubir.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-7694-4757-a90c-177c950d210b", "value": "baby.brabbq.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-8450-43e4-ba34-177c950d210b", "value": "lind.kruptcy.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-0c34-410e-8b3e-177c950d210b", "value": "under.suttgte.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-d348-49e7-bb7a-177c950d210b", "value": "finally.basiccompare.com" }, { "category": "Network 
activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-f220-4ab8-9440-177c950d210b", "value": "crystal.diskfunc.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-41bc-4974-9741-177c950d210b", "value": "queenfansclub.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-69ec-4e80-a444-177c950d210b", "value": "novnitie.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208979", "to_ids": true, "type": "hostname", "uuid": "555dc653-04e4-4d97-91a1-177c950d210b", "value": "flash-vip.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208980", "to_ids": true, "type": "hostname", "uuid": "555dc654-e080-43c9-be8c-177c950d210b", "value": "replyfunt.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208980", "to_ids": true, "type": "hostname", "uuid": "555dc654-0834-4af6-bd30-177c950d210b", "value": "natcongress.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208980", "to_ids": true, "type": "hostname", "uuid": "555dc654-8b9c-48cd-996b-177c950d210b", "value": "keep.regebky.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432208980", "to_ids": true, "type": "hostname", "uuid": "555dc654-0c10-4370-8cc8-177c950d210b", "value": "love.regebky.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": 
"1432209081", "to_ids": true, "type": "hostname", "uuid": "555dc6b9-3be8-4503-b4bb-175d950d210b", "value": "happy.launchtrue.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209081", "to_ids": true, "type": "hostname", "uuid": "555dc6b9-bed0-4a52-9c11-175d950d210b", "value": "turber.xoxcobbs.com" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209100", "to_ids": true, "type": "filename", "uuid": "555dc6cc-a63c-45f0-9d2f-175b950d210b", "value": "coyote_load.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209100", "to_ids": true, "type": "filename", "uuid": "555dc6cc-6c04-4024-a65e-175b950d210b", "value": "xpsfiltsvcs.dll" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209100", "to_ids": true, "type": "filename", "uuid": "555dc6cc-5090-437a-8943-175b950d210b", "value": "xpsfiltsvcs.tmp" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209100", "to_ids": true, "type": "filename", "uuid": "555dc6cc-c53c-4bbd-bab4-175b950d210b", "value": "xpsfiltsvcs.txt" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-43c0-4539-9bb4-1754950d210b", "value": "239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-43f4-4114-9dfd-1754950d210b", "value": "2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-328c-4439-b8e4-1754950d210b", "value": "42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-ef98-47f8-bd36-1754950d210b", "value": "6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-85c4-4feb-abf3-1754950d210b", "value": "7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209132", "to_ids": true, "type": "sha256", "uuid": "555dc6ec-9e14-44d8-93ea-1754950d210b", "value": "88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-9f30-487b-b87c-1754950d210b", "value": "9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-9514-4db1-9903-1754950d210b", "value": "a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-a56c-4afb-8fc1-1754950d210b", "value": "a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-6438-4289-8043-1754950d210b", "value": "adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-f584-414b-b98a-1754950d210b", "value": "b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-e5f4-4fe8-b413-1754950d210b", "value": "c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-e504-47aa-bcb1-1754950d210b", "value": "d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209133", "to_ids": true, "type": "sha256", "uuid": "555dc6ed-4c58-4108-a113-1754950d210b", "value": "e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209134", "to_ids": true, "type": "sha256", "uuid": "555dc6ee-06cc-4338-8501-1754950d210b", "value": "f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-bf20-4425-8ae6-175b950d210b", "value": "3d41e3c902502c8b0ea30f5947307d56" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-4ac8-4991-bc59-175b950d210b", "value": "46bf922d9ae07a9bc3667a374605bdbb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-2e48-4923-8027-175b950d210b", "value": "510b3272342765743a202373261c08da" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-25ac-4916-a97f-175b950d210b", "value": "5aeb8a5aa8f6e2408016cbd13b3dfaf0" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-3c2c-47d6-bdcf-175b950d210b", "value": "6fdeadacfe1dafd2293ce5c4e178b668" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-0d50-4d3f-bd14-175b950d210b", "value": "76ffb9c2d8d0ae46e8ea792ffacc8018" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-48e0-43a2-998d-175b950d210b", "value": "783a423f5e285269126d0d98f53c795b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209234", "to_ids": true, "type": "md5", "uuid": "555dc752-8194-48eb-898e-175b950d210b", "value": "94499ff857451ab7ef8823bf067189e7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209235", "to_ids": true, "type": "md5", "uuid": "555dc753-f3d0-48d7-af3d-175b950d210b", "value": "9da10a36daf845367e0fc2f3e7e54336" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1432209235", "to_ids": true, "type": "md5", "uuid": "555dc753-e044-4ddd-ac35-175b950d210b", "value": "c5ae7bd6aec1e01aa53edcf41962ac04" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209235", "to_ids": true, "type": "md5", "uuid": "555dc753-3f50-45d9-ab55-175b950d210b", "value": "f7d47e1de4f5f4ad530bca0fc080ea53" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-6e10-48ea-b776-4b5c950d210b", "value": "0a10d7bb317dceccd05d18408fd6b8b12c784910e5f7e035ee22c2c5d7e4cbf5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-94a8-4af4-a78b-4093950d210b", "value": "45027d11ab783993c413f97e8e29759d04b04564f8916f005f5c632f291697bb" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-25d0-461a-9102-4c1c950d210b", "value": "4883286b8229a2c43db17eb1e1c5bd79d1933e840cdfedff80d5b99a84c9e39f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-f414-4d85-b127-46d3950d210b", "value": "5b338decffe665a2141d1079c32b2d612057d1fdbfddf198cc28003dae7f0516" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-cd40-47bd-a0e4-4cb6950d210b", "value": "671dfc4d47a43cf0bd9205a0f654dcd5050175aef54b69388b0c5f4610896c6a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": 
"555dc760-73b0-4a45-bb17-4fd0950d210b", "value": "7dc78caf515d1d3d2b84be7c023ccbd0b4fd670a42babcbcbd5a5ba65bbdd166" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-25a8-4580-8157-4997950d210b", "value": "87bcc6d18c6a81d92d826b232703dee84b522bd1d0cae56f74bcf58fdca0930e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209248", "to_ids": true, "type": "sha256", "uuid": "555dc760-98a0-43f2-a20b-44ee950d210b", "value": "a0aeb172a72442d2c2c02e1d32b48accb9975c4da7742df24d9350a8ccd401f2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209249", "to_ids": true, "type": "sha256", "uuid": "555dc761-8aa0-4eec-baf7-4406950d210b", "value": "b65dd4da9f83c11fcb5beaec43fabd0df0f7cb61de94d874f969ca926e085515" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209249", "to_ids": true, "type": "sha256", "uuid": "555dc761-bed0-4697-866f-42d3950d210b", "value": "c26c67eac20614038aaadfda19b604862926433333893d65332928b5e36796aa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209249", "to_ids": true, "type": "sha256", "uuid": "555dc761-64e8-49c8-b2a6-47c6950d210b", "value": "df34aa9c8021f1f0bdf33249908efc4a9628941453ad79b281b3a46bf9a7f37f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209249", "to_ids": true, "type": "sha256", "uuid": "555dc761-6da0-4a83-b09a-4e75950d210b", "value": "e39b0e777ef0135c1f737b67988df70c2e6303c3d2b01d3cdea3efc1d03d9ad9" }, { "category": "Attribution", "comment": "Registrant", "deleted": false, "disable_correlation": false, "timestamp": "1432209274", "to_ids": false, "type": "text", "uuid": 
"555dc77a-a7cc-474b-878b-4453950d210b", "value": "WANGMINGHUA6@GMAIL.COM" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-7054-4521-a4ca-175d950d210b", "value": "dns.thinkttun.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-0b4c-4ca3-aab0-175d950d210b", "value": "error.yandex-pro.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-3494-4f92-b2ed-175d950d210b", "value": "help.redhag.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-6a14-46f2-94e6-175d950d210b", "value": "mssage.hotoicq.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-2fcc-4d08-81e8-175d950d210b", "value": "new.hoticq.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-97c4-48bf-b5ae-175d950d210b", "value": "stone.timmf.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209353", "to_ids": true, "type": "hostname", "uuid": "555dc7c9-c020-477b-901a-175d950d210b", "value": "xphome.mailru-vip.com" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209372", "to_ids": true, "type": "md5", "uuid": "555dc7dc-4fd8-400c-a514-175b950d210b", "value": 
"30a6c3c7723fe14c4b6960fa3e4e57ba" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209372", "to_ids": true, "type": "md5", "uuid": "555dc7dc-ee50-4360-8e92-175b950d210b", "value": "3fff0bf6847d0d056636caef9c3056c3" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209372", "to_ids": true, "type": "md5", "uuid": "555dc7dc-ccc8-4d1c-b3ce-175b950d210b", "value": "d05f012c9c1a7fb669a07070be821072" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209372", "to_ids": true, "type": "md5", "uuid": "555dc7dc-4c8c-4cbb-9a28-175b950d210b", "value": "e0417547ba54b58bb2c8f795bca0345c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209385", "to_ids": true, "type": "sha256", "uuid": "555dc7e9-9160-4fe2-827f-42dd950d210b", "value": "13c1d7eb2fd64591e224dec9534d8252f4b91e425e8f047b36605138d15cbf2d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209385", "to_ids": true, "type": "sha256", "uuid": "555dc7e9-9c20-429f-9339-464e950d210b", "value": "1cf44815f9eb735e095f68c929d5549e0ebc44af9988cccaf1852baeb96bb386" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209385", "to_ids": true, "type": "sha256", "uuid": "555dc7e9-0710-42ed-8cb9-4b45950d210b", "value": "a37f337d0bc3cebede2039b0a3bd5afd0624e181d2dcc9614d2f7d816b5a7a6b" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209385", "to_ids": true, "type": "sha256", "uuid": "555dc7e9-9c7c-400f-91cb-4b23950d210b", "value": "ab934c6177be0fdc3b6dfbf21f60ce7837a30e6599dcfb111b43008c75ceb91f" }, { "category": "Artifacts dropped", "comment": "", "deleted": 
false, "disable_correlation": false, "timestamp": "1432209417", "to_ids": true, "type": "yara", "uuid": "555dc809-2c04-442c-a28c-177c950d210b", "value": "rule ce_enfal_cmstar_debug_msg\r\n \r\n{\r\n \r\nmeta:\r\n \r\nauthor = \"rfalcone\"\r\n \r\ndescription = \"Detects the static debug strings within CMSTAR\"\r\n \r\nreference = \"9b9cc7e2a2481b0472721e6b87f1eba4faf2d419d1e2c115a91ab7e7e6fc7f7c\"\r\n \r\ndate = \"5/10/2015\"\r\n \r\nstrings:\r\n \r\n$d1 = \"EEE\\x0d\\x0a\" fullword\r\n \r\n$d2 = \"TKE\\x0d\\x0a\" fullword\r\n \r\n$d3 = \"VPE\\x0d\\x0a\" fullword\r\n \r\n$d4 = \"VPS\\x0d\\x0a\" fullword\r\n \r\n$d5 = \"WFSE\\x0d\\x0a\" fullword\r\n \r\n$d6 = \"WFSS\\x0d\\x0a\" fullword\r\n \r\n$d7 = \"CM**\\x0d\\x0a\" fullword\r\n \r\ncondition:\r\n \r\nuint16(0) == 0x5a4d and all of ($d*)\r\n \r\n}" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209524", "to_ids": false, "type": "link", "uuid": "555dc874-6224-441d-8c57-175d950d210b", "value": "http://la.trendmicro.com/media/misc/lurid-downloader-enfal-report-en.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209525", "to_ids": false, "type": "link", "uuid": "555dc875-5c98-497e-85e7-175d950d210b", "value": "http://researchcenter.paloaltonetworks.com/2014/08/attacks-east-asia-using-google-code-command-control/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432209525", "to_ids": false, "type": "link", "uuid": "555dc875-d69c-4ba3-9689-175d950d210b", "value": "https://www.bluecoat.com/security-blog/2014-10-08/linking-apts-2011-and-2014-active-scam-network" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840326", "to_ids": true, "type": "md5", 
"uuid": "56c65c46-8458-40ca-896a-40ef950d210f", "value": "fa101bee034e93a1fa8e8f08d1bf76e7" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02)", "deleted": false, "disable_correlation": false, "timestamp": "1455840328", "to_ids": true, "type": "md5", "uuid": "56c65c48-6024-414a-a083-41eb950d210f", "value": "26adc7c88e36a5d5a4ed25044a28133d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d)", "deleted": false, "disable_correlation": false, "timestamp": "1455840330", "to_ids": true, "type": "md5", "uuid": "56c65c4a-8858-42df-9b42-c651950d210f", "value": "233dc425e5fd546113754b0a21a81bcd" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7)", "deleted": false, "disable_correlation": false, "timestamp": "1455840331", "to_ids": true, "type": "md5", "uuid": "56c65c4b-c0f0-41eb-8546-59a0950d210f", "value": "f1b341d3383b808ecfacfa22dcbe9196" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e)", "deleted": false, "disable_correlation": false, "timestamp": "1455840333", "to_ids": true, "type": "md5", "uuid": "56c65c4d-3ed8-4edd-98e7-59a2950d210f", "value": "bec23274b5f687076d201cd48b7e2e17" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001)", "deleted": false, "disable_correlation": false, "timestamp": "1455840335", "to_ids": true, "type": "md5", "uuid": "56c65c4f-1408-4cca-a419-4889950d210f", "value": "16f75d28634a7d098400648dabc4d013" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e)", "deleted": false, "disable_correlation": false, 
"timestamp": "1455840337", "to_ids": true, "type": "md5", "uuid": "56c65c51-3c40-4830-8daa-59a0950d210f", "value": "1f53a261d499dfedeb692017f9ca8dc2" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840338", "to_ids": true, "type": "md5", "uuid": "56c65c52-84d8-465a-bb6b-c654950d210f", "value": "7e9989ba7e3d242d53ad3e2d9f034f93" }, { "category": "Artifacts dropped", "comment": "Automatically added (via adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc)", "deleted": false, "disable_correlation": false, "timestamp": "1455840340", "to_ids": true, "type": "md5", "uuid": "56c65c54-f3a8-4b60-a7db-59a1950d210f", "value": "9fe76b7d67afdc8c1746e5b412edb4dc" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593)", "deleted": false, "disable_correlation": false, "timestamp": "1455840342", "to_ids": true, "type": "md5", "uuid": "56c65c56-f490-49b5-9555-c654950d210f", "value": "37ec95e655c6035b09dffb363f03449a" }, { "category": "Artifacts dropped", "comment": "Automatically added (via c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840343", "to_ids": true, "type": "md5", "uuid": "56c65c58-9680-4018-a0a9-5f51950d210f", "value": "e13912b7e353013dfcbfba2233f7188d" }, { "category": "Artifacts dropped", "comment": "Automatically added (via d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23)", "deleted": false, "disable_correlation": false, "timestamp": "1455840345", "to_ids": true, "type": "md5", "uuid": "56c65c59-5164-4826-b929-42f6950d210f", "value": "989abcb07abf8fe504e5f0909bb34913" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5)", 
"deleted": false, "disable_correlation": false, "timestamp": "1455840348", "to_ids": true, "type": "md5", "uuid": "56c65c5c-d68c-4042-b4b4-59a1950d210f", "value": "38d421ae46061a3f311f12be51bc2101" }, { "category": "Artifacts dropped", "comment": "Automatically added (via f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da)", "deleted": false, "disable_correlation": false, "timestamp": "1455840349", "to_ids": true, "type": "md5", "uuid": "56c65c5d-1a64-4ffa-9460-c650950d210f", "value": "a122f65e0c2253de83ad914d176a5664" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 30a6c3c7723fe14c4b6960fa3e4e57ba)", "deleted": false, "disable_correlation": false, "timestamp": "1455840323", "to_ids": true, "type": "sha1", "uuid": "56c65c43-7c2c-42e7-a79c-59a3950d210f", "value": "48d034f6a7a615adcba22c1a1a6db7f1a6d575e7" }, { "category": "Artifacts dropped", "comment": "Automatically added (via d05f012c9c1a7fb669a07070be821072)", "deleted": false, "disable_correlation": false, "timestamp": "1455840324", "to_ids": true, "type": "sha1", "uuid": "56c65c44-e774-4a38-bd44-5ca1950d210f", "value": "999a181f598442c25a36edc952f6606c080671b7" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e0417547ba54b58bb2c8f795bca0345c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840325", "to_ids": true, "type": "sha1", "uuid": "56c65c45-e174-4cf7-8f6f-c651950d210f", "value": "6697eba412b8eaf7c88e1fd0f3aff04fdeaa4d64" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 239a25ac2b38f0be9392ceeaeab0d64cb239f033af07ed56565ba9d6a7ddcf1f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840327", "to_ids": true, "type": "sha1", "uuid": "56c65c47-b4bc-41ae-ad18-59a2950d210f", "value": "6d484daba3927fc0744b1bbd7981a56ebef95790" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 2e00a98212c5a2015d12612f0d26039a0c2dfee3e1b384675f613e683f276e02)", "deleted": 
false, "disable_correlation": false, "timestamp": "1455840329", "to_ids": true, "type": "sha1", "uuid": "56c65c49-debc-4a80-952d-5ca1950d210f", "value": "44f835f3b32a4bd55a17e02d0be254817b8615c6" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 42ed2edc37b957266ff7b02955a007dd82d955c09ef7be23e685d938e40ad61d)", "deleted": false, "disable_correlation": false, "timestamp": "1455840330", "to_ids": true, "type": "sha1", "uuid": "56c65c4a-3740-4a85-b31d-c652950d210f", "value": "513c6d99a225b47c67ae1304f225ad317a7e5d5f" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 6b557c22ab12e8ea43d29e4f9f8a9483e3e75cd41338a674c9069b6dacdf7ba7)", "deleted": false, "disable_correlation": false, "timestamp": "1455840332", "to_ids": true, "type": "sha1", "uuid": "56c65c4c-0564-4276-84ed-c654950d210f", "value": "695f73cf0f85ebaca280e265b9acefc8967ce1cb" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 7ade616a8f1750cecba944a02e2bce1340b18a55697b29f721ccc4701aadba6e)", "deleted": false, "disable_correlation": false, "timestamp": "1455840334", "to_ids": true, "type": "sha1", "uuid": "56c65c4e-3f90-4e21-acd0-59a3950d210f", "value": "8e032507f987251fa2b8e70501dc3b8d6efcd0a4" }, { "category": "Artifacts dropped", "comment": "Automatically added (via 88184983733f4d4fa767ad4e7993b01c5754f868470dd78ac1bad2b02c9e5001)", "deleted": false, "disable_correlation": false, "timestamp": "1455840335", "to_ids": true, "type": "sha1", "uuid": "56c65c4f-ad98-4e1b-a1b7-599c950d210f", "value": "6c7c8b804cc76e2c208c6e3b6453cb134d01fa41" }, { "category": "Artifacts dropped", "comment": "Automatically added (via a330c52b7643de9d8be51a4ae0150b7b8390dbabaea9704069694835fbd3298e)", "deleted": false, "disable_correlation": false, "timestamp": "1455840337", "to_ids": true, "type": "sha1", "uuid": "56c65c51-9788-4de7-9d0c-59a2950d210f", "value": "c6ad47c7a6741d928dee5530c7652e432eada0b1" }, { "category": "Artifacts dropped", "comment": 
"Automatically added (via a8fa487d9f2152738bf49c8c69e8a147aae55c06f37c7e25026a28f21601ad7f)", "deleted": false, "disable_correlation": false, "timestamp": "1455840339", "to_ids": true, "type": "sha1", "uuid": "56c65c53-8798-4ef0-b2e3-4be2950d210f", "value": "ab0e193091ee11b2ccda3bb069c72de91c75fe73" }, { "category": "Artifacts dropped", "comment": "Automatically added (via adb05c1eecd789582886b3354b53831df9c9a06e891bb687633ee7ce21417edc)", "deleted": false, "disable_correlation": false, "timestamp": "1455840341", "to_ids": true, "type": "sha1", "uuid": "56c65c55-9908-4fbf-a6e8-c651950d210f", "value": "1b31166a38b76ec4c7b509d176bf680e462b5404" }, { "category": "Artifacts dropped", "comment": "Automatically added (via b9d597aea53023727d8564e47e903b652f5e98a2c32bdc23bc4936448fb2d593)", "deleted": false, "disable_correlation": false, "timestamp": "1455840342", "to_ids": true, "type": "sha1", "uuid": "56c65c56-97d8-467b-9e0d-423a950d210f", "value": "abbab91a36d18d2deb72c5b429d5d0b1233ac6f8" }, { "category": "Artifacts dropped", "comment": "Automatically added (via c99c0b37f2fd64fa523d39c35ead6416a684ae203ae728feb5feff8490eb902c)", "deleted": false, "disable_correlation": false, "timestamp": "1455840344", "to_ids": true, "type": "sha1", "uuid": "56c65c58-55c4-47e5-9b27-59a0950d210f", "value": "dace298f72328a5c8d8d1b0f444569d1e66edcc7" }, { "category": "Artifacts dropped", "comment": "Automatically added (via d541280b37dd5e2101cc5cd47b0991b8320714f5627b37646330136cddef0c23)", "deleted": false, "disable_correlation": false, "timestamp": "1455840346", "to_ids": true, "type": "sha1", "uuid": "56c65c5a-4b70-4275-a51a-c651950d210f", "value": "a3b29f51c47cfe5a92384b1eecc3b278d2903ad6" }, { "category": "Artifacts dropped", "comment": "Automatically added (via e0b3cc07d3a9b509480b240368dee2a29713ea1e240674c0ccf610c84810a7c5)", "deleted": false, "disable_correlation": false, "timestamp": "1455840348", "to_ids": true, "type": "sha1", "uuid": "56c65c5c-7608-4141-b377-59a0950d210f", 
"value": "b19735b68ee06d1422ff11b4142ec9637a38b970" }, { "category": "Artifacts dropped", "comment": "Automatically added (via f4b8f71c0e10a345a855763e01033e2144e949c8f98c271755cc025e3f55b7da)", "deleted": false, "disable_correlation": false, "timestamp": "1455840351", "to_ids": true, "type": "sha1", "uuid": "56c65c5f-7ac0-4eb7-97d4-5f51950d210f", "value": "511040e5128908b3d8ebb96e6dad0635307912ca" } ] } }