{ "Event": { "analysis": "2", "date": "2016-11-02", "extends_uuid": "", "info": "OSINT - Flying Dragon Eye: Uyghur Themed Threat Activity", "publish_timestamp": "1478073799", "published": true, "threat_level_id": "2", "timestamp": "1478073601", "uuid": "5819948b-b170-4872-b8f6-5934950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" }, { "colour": "#002b4a", "name": "osint:source-type=\"technical-report\"" }, { "colour": "#043400", "name": "misp-galaxy:tool=\"PlugX\"" }, { "colour": "#ffffff", "name": "tlp:white" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1478071510", "to_ids": false, "type": "comment", "uuid": "581994d6-aa60-461d-9870-5930950d210f", "value": "This paper documents attempted exploitation activity aimed at Uyghur interests outside of China. Exploitation is being attempted via the usual tactic of spear phishing containing malicious attachments to targets. The exploit code attached used for dropping the malware is older \u2013 CVE-2012-0158 \u2013 and from our vantage point, we have no indication of successful or failed exploitation. Nonetheless, we can obtain targeting information and insight into tactics from the spearphish messages used by the threat actors. Successful exploitation typically results in malware calling back to one or more Uyghur themed domain names. 
The malware payloads observed to be associated with the Uyghur themed C2 domains so far consist of PlugX, Gh0st RAT, and Saker/Xbox, although there may be others that are yet to be discovered.\r\n\r\nIt is possible that additional targeting well beyond CVE-2012-0158 is at play, although in this case it appears that threat actors still thought they could obtain benefit from using a four-year-old vulnerability that has been widely associated with numerous cyber-espionage operations over the years. This may be due to the weakness of defensive posture among those targeted and an attempt at higher return on investment by using exploit code that might still be adequate considering the targets. Pivots on threat infrastructure suggest that the same or related threat actors have direct or indirect access to other types of exploit code such as the \u201cFour Element Sword\u201d builder and the numerous types of malware delivered with it (PlugX, 9002 RAT 3102 variant, T9000, Grabber, Gh0st RAT LURK0 variant and perhaps others), profiled in previous ASERT threat intelligence products." 
}, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1478071587", "to_ids": false, "type": "link", "uuid": "58199523-6178-43d6-8b1f-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/flying-dragon-eye-uyghur-themed-threat-activity/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1478071587", "to_ids": false, "type": "link", "uuid": "58199523-0100-4667-81dc-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/11/TLP-WHITE-Flying-Dragon-Eye-Uyghur-Themed-Threat-Activity.pdf" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1478071587", "to_ids": false, "type": "link", "uuid": "58199523-3db4-4c81-b411-592e950d210f", "value": "https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/09/FlyingDragonEye_IOC.csv" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071906", "to_ids": true, "type": "hostname", "uuid": "58199662-6d4c-4bf8-9d4e-69a2950d210f", "value": "www.turkistanuyghur.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071906", "to_ids": true, "type": "hostname", "uuid": "58199662-0a20-4530-8464-69a2950d210f", "value": "www.yawropauyghur.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071906", "to_ids": true, "type": "hostname", "uuid": "58199662-4f08-47d8-aa1e-69a2950d210f", "value": "www.whitewall.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071907", "to_ids": true, "type": "hostname", "uuid": "58199663-b44c-4e29-b015-69a2950d210f", "value": 
"dtsx.uygurinfo.com" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071907", "to_ids": true, "type": "hostname", "uuid": "58199663-f604-4123-b0c1-69a2950d210f", "value": "ks.uygurinfo.com" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071907", "to_ids": true, "type": "domain", "uuid": "58199663-3e64-4c5f-b2d9-69a2950d210f", "value": "uygurinfo.com" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071907", "to_ids": true, "type": "domain", "uuid": "58199663-c4d8-41ac-812f-69a2950d210f", "value": "tibettimes.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071908", "to_ids": true, "type": "hostname", "uuid": "58199664-74ac-4083-b6c9-69a2950d210f", "value": "www.amerikauyghur.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071908", "to_ids": true, "type": "hostname", "uuid": "58199664-66a8-477a-8f98-69a2950d210f", "value": "www.japanuyghur.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071908", "to_ids": true, "type": "hostname", "uuid": "58199664-51f8-41dd-a14a-69a2950d210f", "value": "www.hotansft.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071908", "to_ids": true, "type": "domain", "uuid": "58199664-95d0-4232-8769-69a2950d210f", "value": "turkiyeuyghur.com" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071908", "to_ids": true, "type": "hostname", "uuid": 
"58199664-c480-4c4d-b02b-69a2950d210f", "value": "www.tibetimes.com" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071909", "to_ids": true, "type": "domain", "uuid": "58199665-68f4-440a-8c11-69a2950d210f", "value": "freetibet.top" }, { "category": "Network activity", "comment": "suspicious domain", "deleted": false, "disable_correlation": false, "timestamp": "1478071909", "to_ids": true, "type": "domain", "uuid": "58199665-e514-45d4-b192-69a2950d210f", "value": "russiauyghur.top" }, { "category": "Network activity", "comment": "suspicious IP", "deleted": false, "disable_correlation": false, "timestamp": "1478071909", "to_ids": true, "type": "ip-dst", "uuid": "58199665-59c4-4e69-b920-69a2950d210f", "value": "59.188.83.144" }, { "category": "Network activity", "comment": "suspicious IP", "deleted": false, "disable_correlation": false, "timestamp": "1478071909", "to_ids": true, "type": "ip-dst", "uuid": "58199665-2eac-4570-aa90-69a2950d210f", "value": "118.193.225.133" }, { "category": "Network activity", "comment": "suspicious IP", "deleted": false, "disable_correlation": false, "timestamp": "1478071910", "to_ids": true, "type": "ip-dst", "uuid": "58199666-07a0-443d-84aa-69a2950d210f", "value": "118.193.240.218" }, { "category": "Network activity", "comment": "suspicious IP", "deleted": false, "disable_correlation": false, "timestamp": "1478071910", "to_ids": true, "type": "ip-dst", "uuid": "58199666-fec4-48b9-88d1-69a2950d210f", "value": "118.193.240.195" }, { "category": "Payload delivery", "comment": "suspicious email", "deleted": false, "disable_correlation": false, "timestamp": "1478071963", "to_ids": true, "type": "email-src", "uuid": "5819969b-6a80-454a-86c3-7756950d210f", "value": "2732115454@qq.com" }, { "category": "Payload delivery", "comment": "PlugX malware", "deleted": false, "disable_correlation": false, "timestamp": "1478072080", "to_ids": true, "type": "md5", 
"uuid": "58199710-c854-4314-a62c-5936950d210f", "value": "fa85f8a332ac26892a8ad6f21491404a" }, { "category": "Payload delivery", "comment": "PlugX malware", "deleted": false, "disable_correlation": false, "timestamp": "1478072081", "to_ids": true, "type": "sha256", "uuid": "58199711-6b68-4151-a624-5936950d210f", "value": "a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8" }, { "category": "Payload delivery", "comment": "Gh0stRAT LURK0", "deleted": false, "disable_correlation": false, "timestamp": "1478072211", "to_ids": true, "type": "sha256", "uuid": "58199793-682c-4562-8b4b-5930950d210f", "value": "b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e" }, { "category": "Payload delivery", "comment": "Gh0stRAT LURK0", "deleted": false, "disable_correlation": false, "timestamp": "1478072211", "to_ids": true, "type": "md5", "uuid": "58199793-7cac-4fea-976e-5930950d210f", "value": "4edda0e2a8a415272f475f3af4d17dc1" }, { "category": "Payload delivery", "comment": "Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478072251", "to_ids": true, "type": "sha256", "uuid": "581997bb-ace0-406a-9f0b-69b0950d210f", "value": "c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59" }, { "category": "Payload delivery", "comment": "Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478072252", "to_ids": true, "type": "md5", "uuid": "581997bc-5918-45e0-9e31-69b0950d210f", "value": "86088922528b4d0a5493046527b29822" }, { "category": "Network activity", "comment": "IP before sinkholing - www.turkiyeuyghur.com - Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478072792", "to_ids": true, "type": "ip-dst", "uuid": "581999d8-b7bc-4e14-9b82-5931950d210f", "value": "210.209.118.87" }, { "category": "Payload delivery", "comment": "Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478072831", "to_ids": true, "type": "sha256", "uuid": 
"581999ff-a8a8-4c8c-b647-5932950d210f", "value": "3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c" }, { "category": "Payload delivery", "comment": "Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478072831", "to_ids": true, "type": "md5", "uuid": "581999ff-ea9c-4ad2-8984-5932950d210f", "value": "e490174855b8548161613fd5d9955e7a" }, { "category": "Payload delivery", "comment": "Mutex match", "deleted": false, "disable_correlation": false, "timestamp": "1478073006", "to_ids": true, "type": "sha256", "uuid": "58199aae-5a18-4ced-86c8-69b0950d210f", "value": "f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c" }, { "category": "Payload delivery", "comment": "Mutex match", "deleted": false, "disable_correlation": false, "timestamp": "1478073006", "to_ids": true, "type": "md5", "uuid": "58199aae-14dc-4896-969c-69b0950d210f", "value": "e49e235b301a4316ef58753c093279f0" }, { "category": "Payload delivery", "comment": "Mutex match", "deleted": false, "disable_correlation": false, "timestamp": "1478073006", "to_ids": true, "type": "sha256", "uuid": "58199aae-c690-4324-b536-69b0950d210f", "value": "97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78" }, { "category": "Payload delivery", "comment": "Mutex match", "deleted": false, "disable_correlation": false, "timestamp": "1478073007", "to_ids": true, "type": "md5", "uuid": "58199aaf-1e80-4115-be88-69b0950d210f", "value": "0ea68dd9463626082bb96ad373bd84e0" }, { "category": "Payload delivery", "comment": "PEHash of Prior samples", "deleted": false, "disable_correlation": false, "timestamp": "1478073007", "to_ids": true, "type": "pehash", "uuid": "58199aaf-18e8-4d01-8825-69b0950d210f", "value": "59781db8be6bb162f5c8ee8cf950fe191417baa4" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073007", "to_ids": true, "type": "sha256", "uuid": 
"58199aaf-1df0-4c0d-8ce4-69b0950d210f", "value": "444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073007", "to_ids": true, "type": "md5", "uuid": "58199aaf-1514-452d-b6ee-69b0950d210f", "value": "1a169a7e52879bad47e2834abfe50361" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073008", "to_ids": true, "type": "sha256", "uuid": "58199ab0-3254-498e-b91c-69b0950d210f", "value": "ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073008", "to_ids": true, "type": "md5", "uuid": "58199ab0-e800-497f-9335-69b0950d210f", "value": "731a9761626e39bb84b34343bdae67b0" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073008", "to_ids": true, "type": "sha256", "uuid": "58199ab0-341c-4644-ae0c-69b0950d210f", "value": "62a033fc586c6220ee0c0ea8ff207ab038776455505fa2137e9591433ada26e1" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073008", "to_ids": true, "type": "md5", "uuid": "58199ab0-eab8-4ba6-9506-69b0950d210f", "value": "1dc2e57dbf63051608cff83d8b88d352" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": "1478073009", "to_ids": true, "type": "sha256", "uuid": "58199ab1-0700-4e3e-88a2-69b0950d210f", "value": "087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e" }, { "category": "Payload delivery", "comment": "Sample matching PEHash", "deleted": false, "disable_correlation": false, "timestamp": 
"1478073009", "to_ids": true, "type": "md5", "uuid": "58199ab1-bb2c-4631-9ef1-69b0950d210f", "value": "de07dc9e83bfd445ad7cc58baab671f2" }, { "category": "Artifacts dropped", "comment": "suspicious mutex in Saker/Xbox", "deleted": false, "disable_correlation": false, "timestamp": "1478073029", "to_ids": true, "type": "mutex", "uuid": "58199ac5-c9dc-4d15-bd66-5932950d210f", "value": "pcdebug.1" }, { "category": "Payload delivery", "comment": "Google aqsakla Rabiye isming.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073232", "to_ids": true, "type": "sha256", "uuid": "58199b90-8720-459a-9cc4-69b0950d210f", "value": "3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f" }, { "category": "Payload delivery", "comment": "agahlandurushname.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073232", "to_ids": true, "type": "sha256", "uuid": "58199b90-a7c4-44fa-9165-69b0950d210f", "value": "7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698" }, { "category": "Payload delivery", "comment": "chaqiriq.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073232", "to_ids": true, "type": "sha256", "uuid": "58199b90-87d0-4d4a-8edd-69b0950d210f", "value": "4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d" }, { "category": "Payload delivery", "comment": "chaqiriq.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073232", "to_ids": true, "type": "sha256", "uuid": "58199b90-ad1c-4a4e-a85a-69b0950d210f", "value": "940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69" }, { "category": "Payload delivery", "comment": "chqiriq.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073233", "to_ids": true, "type": "sha256", "uuid": "58199b91-80b4-4ef5-b984-69b0950d210f", "value": "0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6" }, { "category": "Payload delivery", "comment": "tetqiqat doklati.doc", "deleted": false, 
"disable_correlation": false, "timestamp": "1478073233", "to_ids": true, "type": "sha256", "uuid": "58199b91-9930-4730-abd7-69b0950d210f", "value": "5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337" }, { "category": "Payload delivery", "comment": "istepaname.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073233", "to_ids": true, "type": "sha256", "uuid": "58199b91-41ec-43b9-b895-69b0950d210f", "value": "e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601" }, { "category": "Payload delivery", "comment": "jedwel.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073233", "to_ids": true, "type": "sha256", "uuid": "58199b91-8928-4177-8bc6-69b0950d210f", "value": "45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767" }, { "category": "Payload delivery", "comment": "teklipname.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073233", "to_ids": true, "type": "sha256", "uuid": "58199b91-8910-4c5b-84d5-69b0950d210f", "value": "f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54" }, { "category": "Payload delivery", "comment": "Tetqiqat doklati.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073234", "to_ids": true, "type": "sha256", "uuid": "58199b92-3990-40e3-99ae-69b0950d210f", "value": "9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8" }, { "category": "Payload delivery", "comment": "uqturush.doc", "deleted": false, "disable_correlation": false, "timestamp": "1478073234", "to_ids": true, "type": "sha256", "uuid": "58199b92-5f60-4bc9-bc55-69b0950d210f", "value": "3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2" }, { "category": "Payload delivery", "comment": "malware", "deleted": false, "disable_correlation": false, "timestamp": "1478073234", "to_ids": true, "type": "sha256", "uuid": "58199b92-1da0-4cd8-aa4a-69b0950d210f", "value": 
"69c2da4061890050dc0ca28db6f240c8ed6c4897f4174bcd5d1bca00ade537d5" }, { "category": "Payload delivery", "comment": "malware", "deleted": false, "disable_correlation": false, "timestamp": "1478073234", "to_ids": true, "type": "md5", "uuid": "58199b92-fa98-476a-b72c-69b0950d210f", "value": "9de14f249afc4e6979d8f2106e405b21" }, { "category": "Payload delivery", "comment": "malware", "deleted": false, "disable_correlation": false, "timestamp": "1478073235", "to_ids": true, "type": "sha256", "uuid": "58199b93-fbd0-4a5f-bf4c-69b0950d210f", "value": "be7a14927ff11536a5bfd6c21d3f4a304659001f1f13b6d90ce0e031522817e5" }, { "category": "Payload delivery", "comment": "malware", "deleted": false, "disable_correlation": false, "timestamp": "1478073235", "to_ids": true, "type": "md5", "uuid": "58199b93-cc98-4b20-8bed-69b0950d210f", "value": "2f981ac92284f1c710e53a5a2d41257a" }, { "category": "Payload delivery", "comment": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2", "deleted": false, "disable_correlation": false, "timestamp": "1478073601", "to_ids": true, "type": "sha1", "uuid": "58199d01-ddbc-4294-976e-593002de0b81", "value": "3f4719e1132fbe99c61ba2860c01a59c1bb9eee4" }, { "category": "Payload delivery", "comment": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2", "deleted": false, "disable_correlation": false, "timestamp": "1478073601", "to_ids": true, "type": "md5", "uuid": "58199d01-e758-4f49-8c30-593002de0b81", "value": "e680b0b3e1679d64044795ea9800d52e" }, { "category": "External analysis", "comment": "uqturush.doc - Xchecked via VT: 3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2", "deleted": false, "disable_correlation": false, "timestamp": "1478073601", "to_ids": false, "type": "link", "uuid": "58199d01-d9a0-4d93-a953-593002de0b81", "value": 
"https://www.virustotal.com/file/3bbf0f821c89ba03d30deb63eec59c8e9e76c20578ad805de9971bdbcd2855d2/analysis/1457003870/" }, { "category": "Payload delivery", "comment": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8", "deleted": false, "disable_correlation": false, "timestamp": "1478073602", "to_ids": true, "type": "sha1", "uuid": "58199d02-52cc-4f23-903b-593002de0b81", "value": "2fd166e52f0a4daa795763eb66207b1a14d8e59e" }, { "category": "Payload delivery", "comment": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8", "deleted": false, "disable_correlation": false, "timestamp": "1478073602", "to_ids": true, "type": "md5", "uuid": "58199d02-16a8-4a5c-9879-593002de0b81", "value": "7d808f496a8e66adfa6af76838f1c3a4" }, { "category": "External analysis", "comment": "Tetqiqat doklati.doc - Xchecked via VT: 9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8", "deleted": false, "disable_correlation": false, "timestamp": "1478073602", "to_ids": false, "type": "link", "uuid": "58199d02-d948-4059-8c23-593002de0b81", "value": "https://www.virustotal.com/file/9feee2a3fe49fe774d414999ac393655255e7c035ffc93bbd031a2331fd89dc8/analysis/1467389786/" }, { "category": "Payload delivery", "comment": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54", "deleted": false, "disable_correlation": false, "timestamp": "1478073603", "to_ids": true, "type": "sha1", "uuid": "58199d03-955c-4de5-9ba9-593002de0b81", "value": "ec8816b82bab16ae26777b17eea95883bea5c3fb" }, { "category": "Payload delivery", "comment": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54", "deleted": false, "disable_correlation": false, "timestamp": "1478073603", "to_ids": true, "type": "md5", "uuid": "58199d03-c30c-48a2-bc88-593002de0b81", "value": "190b6d19b3d2088acbd56323dbd98973" }, { 
"category": "External analysis", "comment": "teklipname.doc - Xchecked via VT: f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54", "deleted": false, "disable_correlation": false, "timestamp": "1478073603", "to_ids": false, "type": "link", "uuid": "58199d03-0da4-4b22-96c6-593002de0b81", "value": "https://www.virustotal.com/file/f4fd8554710017caa042b52122d7985c7f510df8e2c26f1ffa6e27233bfe9b54/analysis/1467397149/" }, { "category": "Payload delivery", "comment": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767", "deleted": false, "disable_correlation": false, "timestamp": "1478073603", "to_ids": true, "type": "sha1", "uuid": "58199d03-6b38-470f-aaf8-593002de0b81", "value": "3b59b1b2d5416bbb4a28da2a45414bc0605bcead" }, { "category": "Payload delivery", "comment": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767", "deleted": false, "disable_correlation": false, "timestamp": "1478073604", "to_ids": true, "type": "md5", "uuid": "58199d04-ace4-4566-b96d-593002de0b81", "value": "9985b1ab655f26e8a05f8402ad0ea300" }, { "category": "External analysis", "comment": "jedwel.doc - Xchecked via VT: 45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767", "deleted": false, "disable_correlation": false, "timestamp": "1478073604", "to_ids": false, "type": "link", "uuid": "58199d04-8f68-4815-b5fd-593002de0b81", "value": "https://www.virustotal.com/file/45e39db2a877ff2663efc4d66ed4084ffdb6ddb4926112b7c471872208b96767/analysis/1467395826/" }, { "category": "Payload delivery", "comment": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601", "deleted": false, "disable_correlation": false, "timestamp": "1478073604", "to_ids": true, "type": "sha1", "uuid": "58199d04-b1fc-4c68-973e-593002de0b81", "value": "fbc27bcf672d1ea3d4ff9cb3a8fd6a55d92d8b74" }, { "category": "Payload delivery", "comment": "istepaname.doc - Xchecked via VT: 
e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601", "deleted": false, "disable_correlation": false, "timestamp": "1478073604", "to_ids": true, "type": "md5", "uuid": "58199d04-22e4-42fc-a180-593002de0b81", "value": "6d9091def6fbf3ead3136eaa1861113c" }, { "category": "External analysis", "comment": "istepaname.doc - Xchecked via VT: e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601", "deleted": false, "disable_correlation": false, "timestamp": "1478073604", "to_ids": false, "type": "link", "uuid": "58199d05-e6d4-46c7-809f-593002de0b81", "value": "https://www.virustotal.com/file/e55912a134902ab73c52cb42f32051745214275b59a95d565cfcb7560d32f601/analysis/1458644189/" }, { "category": "Payload delivery", "comment": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337", "deleted": false, "disable_correlation": false, "timestamp": "1478073605", "to_ids": true, "type": "sha1", "uuid": "58199d05-a17c-4c0b-8842-593002de0b81", "value": "29283c126924dca11b05af968a1de2ad46e8dc9c" }, { "category": "Payload delivery", "comment": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337", "deleted": false, "disable_correlation": false, "timestamp": "1478073605", "to_ids": true, "type": "md5", "uuid": "58199d05-3dec-4053-9bd8-593002de0b81", "value": "dad5fca029351bde31de9fff3541fdf5" }, { "category": "External analysis", "comment": "tetqiqat doklati.doc - Xchecked via VT: 5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337", "deleted": false, "disable_correlation": false, "timestamp": "1478073605", "to_ids": false, "type": "link", "uuid": "58199d05-a3d4-4ab0-8d16-593002de0b81", "value": "https://www.virustotal.com/file/5e818eeb0cffeb6f65f611a17f522560912ae19372e7f734be6df5e35ba82337/analysis/1467970728/" }, { "category": "Payload delivery", "comment": "chqiriq.doc - Xchecked via VT: 
0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6", "deleted": false, "disable_correlation": false, "timestamp": "1478073606", "to_ids": true, "type": "sha1", "uuid": "58199d06-8b1c-41bf-9739-593002de0b81", "value": "4d697c3afd6b948ec28b7c4e9b0f1d63577ef170" }, { "category": "Payload delivery", "comment": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6", "deleted": false, "disable_correlation": false, "timestamp": "1478073606", "to_ids": true, "type": "md5", "uuid": "58199d06-2f2c-40dc-b101-593002de0b81", "value": "740d347f595983b88d8c4b415e900388" }, { "category": "External analysis", "comment": "chqiriq.doc - Xchecked via VT: 0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6", "deleted": false, "disable_correlation": false, "timestamp": "1478073606", "to_ids": false, "type": "link", "uuid": "58199d06-5488-450d-95a0-593002de0b81", "value": "https://www.virustotal.com/file/0c35a508ece0c9269e176b6b278a96f7ca29e04a2ca2319a91b585f27abfe2f6/analysis/1467385502/" }, { "category": "Payload delivery", "comment": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69", "deleted": false, "disable_correlation": false, "timestamp": "1478073606", "to_ids": true, "type": "sha1", "uuid": "58199d06-7d04-48bd-9241-593002de0b81", "value": "f7eab4176799794121cd9a8b288bcea09ad7e695" }, { "category": "Payload delivery", "comment": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69", "deleted": false, "disable_correlation": false, "timestamp": "1478073606", "to_ids": true, "type": "md5", "uuid": "58199d06-0020-414d-adda-593002de0b81", "value": "24b6088b65b1f67cf04dfadd4719f807" }, { "category": "External analysis", "comment": "chaqiriq.doc - Xchecked via VT: 940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69", "deleted": false, "disable_correlation": false, "timestamp": "1478073607", "to_ids": false, 
"type": "link", "uuid": "58199d07-c2c4-4782-9cd6-593002de0b81", "value": "https://www.virustotal.com/file/940d0770e644c152d60a13f9d40015a1089419361de33fe127e032f4bb446c69/analysis/1467396978/" }, { "category": "Payload delivery", "comment": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d", "deleted": false, "disable_correlation": false, "timestamp": "1478073607", "to_ids": true, "type": "sha1", "uuid": "58199d07-78e4-4225-8b38-593002de0b81", "value": "e4ad541c4386f24a7ab6e8f9be46e5100c759704" }, { "category": "Payload delivery", "comment": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d", "deleted": false, "disable_correlation": false, "timestamp": "1478073607", "to_ids": true, "type": "md5", "uuid": "58199d07-36c0-4736-a131-593002de0b81", "value": "62d2cdce3736dc5d9a2f036d27ffc780" }, { "category": "External analysis", "comment": "chaqiriq.doc - Xchecked via VT: 4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d", "deleted": false, "disable_correlation": false, "timestamp": "1478073607", "to_ids": false, "type": "link", "uuid": "58199d07-898c-486b-8f12-593002de0b81", "value": "https://www.virustotal.com/file/4ab388b1310918144ad95e418ebe12251a97cb69fbed3f0dd9f04d780ddd132d/analysis/1457591232/" }, { "category": "Payload delivery", "comment": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698", "deleted": false, "disable_correlation": false, "timestamp": "1478073607", "to_ids": true, "type": "sha1", "uuid": "58199d07-b870-4c96-a744-593002de0b81", "value": "911d6bcf69b881df38971ae4c0d07c624cea9daf" }, { "category": "Payload delivery", "comment": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698", "deleted": false, "disable_correlation": false, "timestamp": "1478073608", "to_ids": true, "type": "md5", "uuid": 
"58199d08-c570-45d7-a8ec-593002de0b81", "value": "5ddded4e5686ad25a02db8ef534173f1" }, { "category": "External analysis", "comment": "agahlandurushname.doc - Xchecked via VT: 7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698", "deleted": false, "disable_correlation": false, "timestamp": "1478073608", "to_ids": false, "type": "link", "uuid": "58199d08-efcc-4637-9a08-593002de0b81", "value": "https://www.virustotal.com/file/7b587b104219784e9fd3dc9c13a0f652e73baed01e8c3b24828a92f151f3c698/analysis/1458310333/" }, { "category": "Payload delivery", "comment": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f", "deleted": false, "disable_correlation": false, "timestamp": "1478073608", "to_ids": true, "type": "sha1", "uuid": "58199d08-6324-4078-8911-593002de0b81", "value": "4879022a39c2917e629edffc3af1c57cf81c58ad" }, { "category": "Payload delivery", "comment": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f", "deleted": false, "disable_correlation": false, "timestamp": "1478073608", "to_ids": true, "type": "md5", "uuid": "58199d08-8cac-4304-afaf-593002de0b81", "value": "5d16e305ef6dc2db9c0ff1b498277e8c" }, { "category": "External analysis", "comment": "Google aqsakla Rabiye isming.doc - Xchecked via VT: 3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f", "deleted": false, "disable_correlation": false, "timestamp": "1478073609", "to_ids": false, "type": "link", "uuid": "58199d09-9b1c-40a9-8c1b-593002de0b81", "value": "https://www.virustotal.com/file/3f3d0a5aa2799d6afe74c5cb6e077e375078b173263c5ca887ffe2e22164b10f/analysis/1456781229/" }, { "category": "Payload delivery", "comment": "Sample matching PEHash - Xchecked via VT: 087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e", "deleted": false, "disable_correlation": false, "timestamp": "1478073609", "to_ids": true, "type": "sha1", "uuid": 
"58199d09-cb20-4457-b416-593002de0b81", "value": "24378312a80c9be83f2b7c294a168dd8e030a8b5" }, { "category": "External analysis", "comment": "Sample matching PEHash - Xchecked via VT: 087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e", "deleted": false, "disable_correlation": false, "timestamp": "1478073609", "to_ids": false, "type": "link", "uuid": "58199d09-e9f0-446e-85be-593002de0b81", "value": "https://www.virustotal.com/file/087e45f63ce00c4df07f81837eceb0b322773822feee01cfc005e5fc14e50f5e/analysis/1442671182/" }, { "category": "Payload delivery", "comment": "Sample matching PEHash - Xchecked via VT: ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e", "deleted": false, "disable_correlation": false, "timestamp": "1478073609", "to_ids": true, "type": "sha1", "uuid": "58199d09-2004-4f16-964d-593002de0b81", "value": "94b9a2835df032a5907cdd6bac8172270a4b7282" }, { "category": "External analysis", "comment": "Sample matching PEHash - Xchecked via VT: ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e", "deleted": false, "disable_correlation": false, "timestamp": "1478073610", "to_ids": false, "type": "link", "uuid": "58199d0a-66e0-416c-9dcb-593002de0b81", "value": "https://www.virustotal.com/file/ef3e7b1c37aef1d8359169cca9409db4709632b9aa8bf44febe0d91e93ab537e/analysis/1462788842/" }, { "category": "Payload delivery", "comment": "Sample matching PEHash - Xchecked via VT: 444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488", "deleted": false, "disable_correlation": false, "timestamp": "1478073610", "to_ids": true, "type": "sha1", "uuid": "58199d0a-a2c4-4ab5-9e4d-593002de0b81", "value": "9ccf2631deab313232966ec49ddb8be4c6c4467d" }, { "category": "External analysis", "comment": "Sample matching PEHash - Xchecked via VT: 444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488", "deleted": false, "disable_correlation": false, "timestamp": "1478073610", "to_ids": false, "type": "link", "uuid": 
"58199d0a-7e44-45e0-9fa5-593002de0b81", "value": "https://www.virustotal.com/file/444c6589ed030da41ba49d20ac38029e5213978fadef2ee94408e4f91395b488/analysis/1441268734/" }, { "category": "Payload delivery", "comment": "Mutex match - Xchecked via VT: 97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78", "deleted": false, "disable_correlation": false, "timestamp": "1478073610", "to_ids": true, "type": "sha1", "uuid": "58199d0a-3c70-422f-ab84-593002de0b81", "value": "1142f615293497837744d81e53b8490caf490c27" }, { "category": "External analysis", "comment": "Mutex match - Xchecked via VT: 97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78", "deleted": false, "disable_correlation": false, "timestamp": "1478073610", "to_ids": false, "type": "link", "uuid": "58199d0a-9d4c-4a30-b875-593002de0b81", "value": "https://www.virustotal.com/file/97ec795227818fedc70fad9f2df8cb839d9fb75b502f3598614610d4e8e1be78/analysis/1442165720/" }, { "category": "Payload delivery", "comment": "Mutex match - Xchecked via VT: f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c", "deleted": false, "disable_correlation": false, "timestamp": "1478073611", "to_ids": true, "type": "sha1", "uuid": "58199d0b-98f8-44bb-999b-593002de0b81", "value": "9db5c270a803e98b0135d16a1fa51c212de5d07d" }, { "category": "External analysis", "comment": "Mutex match - Xchecked via VT: f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c", "deleted": false, "disable_correlation": false, "timestamp": "1478073611", "to_ids": false, "type": "link", "uuid": "58199d0b-a2ac-4420-aa83-593002de0b81", "value": "https://www.virustotal.com/file/f15840fbade7a5611391193a4a53f63ef465ab451f7783da21cad7303ea3b68c/analysis/1442165665/" }, { "category": "Payload delivery", "comment": "Saker/Xbox - Xchecked via VT: 3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c", "deleted": false, "disable_correlation": false, "timestamp": "1478073612", "to_ids": true, "type": "sha1", 
"uuid": "58199d0c-45cc-4ac6-816e-593002de0b81", "value": "f2d65afc2c1f59dc0bd4e1faaa41c0c976195408" }, { "category": "External analysis", "comment": "Saker/Xbox - Xchecked via VT: 3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c", "deleted": false, "disable_correlation": false, "timestamp": "1478073612", "to_ids": false, "type": "link", "uuid": "58199d0c-6ec8-4d0b-a9cc-593002de0b81", "value": "https://www.virustotal.com/file/3714058d90b2149169188418773165b620abd1481b47d1551d79679bfe21d28c/analysis/1462960434/" }, { "category": "Payload delivery", "comment": "Saker/Xbox - Xchecked via VT: c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59", "deleted": false, "disable_correlation": false, "timestamp": "1478073613", "to_ids": true, "type": "sha1", "uuid": "58199d0d-41e0-4732-9124-593002de0b81", "value": "2dbd9349bcfb243398648e46f9994b727642e7cd" }, { "category": "External analysis", "comment": "Saker/Xbox - Xchecked via VT: c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59", "deleted": false, "disable_correlation": false, "timestamp": "1478073613", "to_ids": false, "type": "link", "uuid": "58199d0d-5df0-4539-9c22-593002de0b81", "value": "https://www.virustotal.com/file/c39e0fc30c2604b3eb9694591789a8e3d4cee7bcc4f9b03349e10c45304aef59/analysis/1471881852/" }, { "category": "Payload delivery", "comment": "Gh0stRAT LURK0 - Xchecked via VT: b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e", "deleted": false, "disable_correlation": false, "timestamp": "1478073614", "to_ids": true, "type": "sha1", "uuid": "58199d0e-6504-460f-8263-593002de0b81", "value": "b6a78ea984a34a3ae00b5aca3445f1c12118029c" }, { "category": "External analysis", "comment": "Gh0stRAT LURK0 - Xchecked via VT: b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e", "deleted": false, "disable_correlation": false, "timestamp": "1478073614", "to_ids": false, "type": "link", "uuid": "58199d0e-a3a0-4794-96ac-593002de0b81", "value": 
"https://www.virustotal.com/file/b625e605932196efbc6c80a18f61a71d27d82935209a1abde2ec591973fed31e/analysis/1462776856/" }, { "category": "Payload delivery", "comment": "PlugX malware - Xchecked via VT: a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8", "deleted": false, "disable_correlation": false, "timestamp": "1478073615", "to_ids": true, "type": "sha1", "uuid": "58199d0f-9834-4d37-9332-593002de0b81", "value": "9a19a983e5c9db7f7675bbb93173699b12df3955" }, { "category": "External analysis", "comment": "PlugX malware - Xchecked via VT: a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8", "deleted": false, "disable_correlation": false, "timestamp": "1478073615", "to_ids": false, "type": "link", "uuid": "58199d0f-7bbc-447e-8b45-593002de0b81", "value": "https://www.virustotal.com/file/a351040c0da2837f19b357baea4bffe194b0cd0d86bf262f8be1126e3a9d44d8/analysis/1458560323/" } ] } }