{ "Event": { "analysis": "2", "date": "2016-05-25", "extends_uuid": "", "info": "OSINT - New Wekby Attacks Use DNS Requests As Command and Control Mechanism", "publish_timestamp": "1464162534", "published": true, "threat_level_id": "3", "timestamp": "1464161691", "uuid": "57454ee0-3294-407a-8468-493c950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" } ], "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160375", "to_ids": true, "type": "sha256", "uuid": "57455077-0144-41d3-b61f-4420950d210f", "value": "da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160375", "to_ids": true, "type": "sha256", "uuid": "57455077-e4e8-46e7-8528-4fe1950d210f", "value": "930772d6af8f43f62ea78092914fa8d6b03e8e3360dd4678eec1a3dda17206ed" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160376", "to_ids": true, "type": "sha256", "uuid": "57455078-6e98-4713-ae9a-4370950d210f", "value": "6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160376", "to_ids": true, "type": "sha256", "uuid": "57455078-5aa8-4a30-9f3e-48ee950d210f", "value": "9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160376", "to_ids": true, "type": "sha256", "uuid": "57455078-7a08-49da-a316-463f950d210f", "value": "4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160377", "to_ids": true, "type": "sha256", "uuid": "57455079-8b60-418f-8579-4b4c950d210f", "value": "1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094" }, { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160377", "to_ids": true, "type": "sha256", "uuid": "57455079-d494-4a47-9489-48a9950d210f", "value": "456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb" }, { "category": "Network activity", "comment": "DNS exfiltration", "deleted": false, "disable_correlation": false, "timestamp": "1464160537", "to_ids": true, "type": "hostname", "uuid": "57455119-805c-49dd-b728-4394950d210f", "value": "ns1.logitech-usa.com" }, { "category": "Network activity", "comment": "Delivery of the initial file", "deleted": false, "disable_correlation": false, "timestamp": "1464160537", "to_ids": true, "type": "domain", "uuid": "57455119-2dcc-40d1-aa46-44a9950d210f", "value": "globalprint-us.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1464160537", "to_ids": true, "type": "domain", "uuid": "57455119-880c-48af-a815-4de3950d210f", "value": "intranetwabcam.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1464160538", "to_ids": true, "type": "hostname", "uuid": "5745511a-9328-4035-85c8-456f950d210f", "value": "login.access-mail.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1464160538", "to_ids": true, "type": "hostname", "uuid": "5745511a-e1e4-4728-8b1a-441b950d210f", "value": "glb.it-desktop.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1464160538", "to_ids": true, "type": "hostname", "uuid": "5745511a-1828-434d-bfbe-40fa950d210f", "value": "local.it-desktop.com" }, { "category": "Network activity", "comment": "Imported via the Freetext Import Tool", "deleted": false, "disable_correlation": false, "timestamp": "1464160539", "to_ids": true, "type": "hostname", "uuid": "5745511b-5548-434d-a276-4bb1950d210f", "value": "hi.getgo2.com" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160574", "to_ids": false, "type": "link", "uuid": "5745513e-e4c4-429d-98fb-40f5950d210f", "value": "https://blog.anomali.com/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160575", "to_ids": false, "type": "link", "uuid": "5745513f-68ac-4629-9b82-480d950d210f", "value": "http://www.volexity.com/blog/?p=158" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160575", "to_ids": false, "type": "link", "uuid": "5745513f-79fc-4aa8-a5e4-48bf950d210f", "value": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160575", "to_ids": false, "type": "link", "uuid": "5745513f-98a4-4b12-a221-4f50950d210f", "value": "https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160576", "to_ids": false, "type": "link", "uuid": "57455140-3e14-4530-a551-4326950d210f", "value": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160576", "to_ids": false, "type": "link", "uuid": "57455140-79a4-4aaf-a4e3-4882950d210f", "value": "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1464160642", "to_ids": false, "type": "mutex", "uuid": "57455182-0280-4cee-8e2e-4bbb950d210f", "value": ")!VoqA.I5" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb", "deleted": false, "disable_correlation": false, "timestamp": "1464161691", "to_ids": true, "type": "sha1", "uuid": "5745559b-6988-419d-aa75-4c9302de0b81", "value": "0d620c1c7e64a20a2918c0ec92260afc2716fd17" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb", "deleted": false, "disable_correlation": false, "timestamp": "1464161691", "to_ids": true, "type": "md5", "uuid": "5745559b-b154-4998-98af-425f02de0b81", "value": "07b9b62fb3b1c068837c188fefbd5de9" }, { "category": "External analysis", "comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb", "deleted": false, "disable_correlation": false, "timestamp": "1464161691", "to_ids": false, "type": "link", "uuid": "5745559b-948c-4fe7-9404-4ef902de0b81", "value": "https://www.virustotal.com/file/456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb/analysis/1463822200/" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094", "deleted": false, "disable_correlation": false, "timestamp": "1464161691", "to_ids": true, "type": "sha1", "uuid": "5745559b-e91c-488c-82cb-479a02de0b81", "value": "459d35058d4a5c8ca84638a5ea8fcbc2d4e0c772" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094", "deleted": false, "disable_correlation": false, "timestamp": "1464161692", "to_ids": true, "type": "md5", "uuid": "5745559c-6bac-4960-9e47-445402de0b81", "value": "e5414c5215c9305feeebbe0dbee43567" }, { "category": "External analysis", "comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094", "deleted": false, "disable_correlation": false, "timestamp": "1464161692", "to_ids": false, "type": "link", "uuid": "5745559c-cffc-4030-b815-486102de0b81", "value": "https://www.virustotal.com/file/1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094/analysis/1445829715/" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16", "deleted": false, "disable_correlation": false, "timestamp": "1464161692", "to_ids": true, "type": "sha1", "uuid": "5745559c-c63c-45ac-9f98-43a702de0b81", "value": "326b5dfa775f7479862c8896e1906ba95e530f9b" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16", "deleted": false, "disable_correlation": false, "timestamp": "1464161692", "to_ids": true, "type": "md5", "uuid": "5745559c-4324-4a68-ae68-422f02de0b81", "value": "d0f79de7bd194c1843e7411c473e4288" }, { "category": "External analysis", "comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16", "deleted": false, "disable_correlation": false, "timestamp": "1464161692", "to_ids": false, "type": "link", "uuid": "5745559c-2db8-4f32-af0f-498c02de0b81", "value": "https://www.virustotal.com/file/4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16/analysis/1445828993/" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b", "deleted": false, "disable_correlation": false, "timestamp": "1464161693", "to_ids": true, "type": "sha1", "uuid": "5745559d-dba8-4c1b-9fdc-49db02de0b81", "value": "0e989a0867d6385ed0eda780a86a9229ac5b809e" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b", "deleted": false, "disable_correlation": false, "timestamp": "1464161693", "to_ids": true, "type": "md5", "uuid": "5745559d-9b54-46fc-b82c-44c202de0b81", "value": "985eba97e12c3e5bce9221631fb66d68" }, { "category": "External analysis", "comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b", "deleted": false, "disable_correlation": false, "timestamp": "1464161693", "to_ids": false, "type": "link", "uuid": "5745559d-5274-4cd4-992a-4d6402de0b81", "value": "https://www.virustotal.com/file/9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b/analysis/1437393001/" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274", "deleted": false, "disable_correlation": false, "timestamp": "1464161693", "to_ids": true, "type": "sha1", "uuid": "5745559d-0054-4721-a70e-4d3502de0b81", "value": "1c581a09963109fc526a71adc5cde8e6c89ce615" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274", "deleted": false, "disable_correlation": false, "timestamp": "1464161693", "to_ids": true, "type": "md5", "uuid": "5745559d-5e58-4eaa-bc9b-4d3a02de0b81", "value": "7b24d17e5f29e27b1c17127839be591a" }, { "category": "External analysis", "comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274", "deleted": false, "disable_correlation": false, "timestamp": "1464161694", "to_ids": false, "type": "link", "uuid": "5745559e-fcb4-4847-a533-419402de0b81", "value": "https://www.virustotal.com/file/6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274/analysis/1447119998/" }, { "category": "Payload installation", "comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1", "deleted": false, "disable_correlation": false, "timestamp": "1464161694", "to_ids": true, "type": "sha1", "uuid": "5745559e-c110-4754-af54-43a302de0b81", "value": "c6db4ddc514869a41272abba5e10de70b888476a" }, { "category": "Payload installation", "comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1", "deleted": false, "disable_correlation": false, "timestamp": "1464161694", "to_ids": true, "type": "md5", "uuid": "5745559e-f960-43d3-974a-410702de0b81", "value": "e8d58aa76dd97536ac225949a2767e05" }, { "category": "External analysis", "comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1", "deleted": false, "disable_correlation": false, "timestamp": "1464161694", "to_ids": false, "type": "link", "uuid": "5745559e-b6b0-419c-b1fc-469f02de0b81", "value": "https://www.virustotal.com/file/da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1/analysis/1462960470/" } ] } }