{"Event": {"info": "OSINT - FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:threat-actor=\"NEODYMIUM\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:tool=\"FINSPY\""}], "publish_timestamp": "1513181030", "timestamp": "1513864888", "Object": [{"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "464d0f0b-6099-49b3-ba40-22d814748a54", "sharing_group_id": "0", "timestamp": "1513181006", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "464d0f0b-6099-49b3-ba40-22d814748a54", "uuid": "5a314f4c-1df0-4f78-a6cd-4e1802de0b81", "timestamp": "1513181004", "referenced_uuid": "140e42c3-999a-4d9b-8a3f-86d7ce069a3c", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a314f4b-cff0-425b-af03-439a02de0b81", "timestamp": "1513181003", "to_ids": true, "value": "fe5c4d6bb78e170abf5cf3741868ea4c", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a314f4b-0d60-4a46-bcca-4f0502de0b81", "timestamp": "1513181003", "to_ids": true, "value": "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a314f4b-0478-4fea-b0f5-47b702de0b81", "timestamp": "1513181003", "to_ids": true, "value": "2377f3aa486ac9a1ecf28771d5b0e9848ec08654", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "140e42c3-999a-4d9b-8a3f-86d7ce069a3c", "sharing_group_id": "0", "timestamp": "1513181003", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a314f4c-c680-47c1-8486-46be02de0b81", "timestamp": "1513181004", "to_ids": false, "value": "https://www.virustotal.com/file/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684/analysis/1512091986/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a314f4c-40bc-4f90-92e4-47e602de0b81", "timestamp": "1513181004", "to_ids": false, "value": "36/59", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a314f4c-3458-4144-93be-4e8302de0b81", "timestamp": "1513181004", "to_ids": false, "value": "2017-12-01 01:33:06", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "db5266a6-7508-474b-bf46-84b96ce1483d", "sharing_group_id": "0", "timestamp": "1513181007", "description": "File object describing a file with meta-information", "template_version": "7", "ObjectReference": [{"comment": "", "object_uuid": "db5266a6-7508-474b-bf46-84b96ce1483d", "uuid": "5a314f4c-bba4-451b-a59a-435602de0b81", "timestamp": "1513181004", "referenced_uuid": "6be28daf-acae-455f-9f46-bf709016b34e", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a314f4c-2cb0-4fb8-87e6-416202de0b81", "timestamp": "1513181004", "to_ids": true, "value": "a7b990d5f57b244dd17e9a937a41e7f5", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5a314f4c-2880-49b5-a4fa-487802de0b81", "timestamp": "1513181004", "to_ids": true, "value": "b035ca2d174e5e4fd2d66fd3c8ce4ae5c1e75cf3290af872d1adb2658852afb8", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5a314f4c-b7b4-4778-ab4a-4eed02de0b81", "timestamp": "1513181004", "to_ids": true, "value": "c217d48c4ac1555491348721cc7cfd1143fe0b16", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "6be28daf-acae-455f-9f46-bf709016b34e", "sharing_group_id": "0", "timestamp": "1513181004", "description": "VirusTotal report", "template_version": "1", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a314f4c-5530-420c-abd9-4b0702de0b81", "timestamp": "1513181004", "to_ids": false, "value": "https://www.virustotal.com/file/b035ca2d174e5e4fd2d66fd3c8ce4ae5c1e75cf3290af872d1adb2658852afb8/analysis/1512091627/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "5a314f4c-0bd0-416e-8b4d-4cae02de0b81", "timestamp": "1513181004", "to_ids": false, "value": "54/68", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5a314f4c-d1f8-4fc2-9b08-439b02de0b81", "timestamp": "1513181004", "to_ids": false, "value": "2017-12-01 01:27:07", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "59b8f421-7570-485e-8c75-821c950d210f", "timestamp": "1513181003", "to_ids": false, "value": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "59b8f42d-dd44-460b-9613-41d2950d210f", "timestamp": "1513181003", "to_ids": false, "value": "https://otx.alienvault.com/pulse/59b88b26ca3c6b07c87086c8/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f4bd-dbdc-4643-9634-821d950d210f", "timestamp": "1513181003", "to_ids": true, "value": "\u041f\u0440\u043e\u0435\u043a\u0442.doc|fe5c4d6bb78e170abf5cf3741868ea4c", "disable_correlation": false, "object_relation": null, "type": "filename|md5"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f4bd-bb48-427d-a3e1-821d950d210f", "timestamp": "1513181003", "to_ids": true, "value": "left.jpg|a7b990d5f57b244dd17e9a937a41e7f5", "disable_correlation": false, "object_relation": null, "type": "filename|md5"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-77c8-4086-ab00-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-a0c8-41e9-b450-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "2377f3aa486ac9a1ecf28771d5b0e9848ec08654", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Network activity", "uuid": "59b8f738-873c-435c-ac71-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "91.219.236.207", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-f694-4cfe-838c-8226950d210f", "timestamp": "1505294136", "to_ids": true, "value": "a7b990d5f57b244dd17e9a937a41e7f5", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-c508-4a42-83fd-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "b035ca2d174e5e4fd2d66fd3c8ce4ae5c1e75cf3290af872d1adb2658852afb8", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-a2b8-4649-b659-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "c217d48c4ac1555491348721cc7cfd1143fe0b16", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "59b8f738-93e8-4e3b-8806-8226950d210f", "timestamp": "1505294136", "to_ids": true, "value": "fe5c4d6bb78e170abf5cf3741868ea4c", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Network activity", "uuid": "59b8f738-6c08-44ca-8942-8226950d210f", "timestamp": "1513181003", "to_ids": true, "value": "http://91.219.236.207/img/left.jpg", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "External analysis", "uuid": "59b8fcfe-0740-4e5f-a279-8113950d210f", "timestamp": "1513181003", "to_ids": false, "value": "FireEye recently detected a malicious Microsoft Office RTF document that leveraged CVE-2017-8759, a SOAP WSDL parser code injection vulnerability. This vulnerability allows a malicious actor to inject arbitrary code during the parsing of SOAP WSDL definition contents. FireEye analyzed a Microsoft Word document where attackers used the arbitrary code injection to download and execute a Visual Basic script that contained PowerShell commands.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}], "extends_uuid": "", "published": false, "date": "2017-09-12", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "59b8f415-41d0-4335-8f82-8101950d210f"}}