{ "Event": { "analysis": "0", "date": "2019-01-24", "extends_uuid": "", "info": "IOCs Associated with DNS Infrastructure Tampering", "publish_timestamp": "1548364252", "published": true, "threat_level_id": "3", "timestamp": "1548364213", "uuid": "5c4a2972-fd10-4470-936d-4d2a02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" } ], "Attribute": [ { "category": "Other", "comment": "Imported from STIX header description", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": false, "type": "comment", "uuid": "95924852-631e-42e7-aa8b-c6a33b8b6f55", "value": "The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), is aware of a global Domain Name System (DNS) infrastructure hijacking campaign. Using compromised credentials, an attacker can modify the location to which an organization\u2019s domain name resources resolve. This enables the attacker to redirect user traffic to attacker-controlled infrastructure and obtain valid encryption certificates for an organization\u2019s domain names, enabling man-in-the-middle attacks." 
}, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "url", "uuid": "e0bc1d90-2009-11e9-82a3-d89ef344f46d", "value": "http://hr-suncor.com/Suncor_employment_form.doc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "url", "uuid": "e0bc1d93-2009-11e9-88e3-d89ef344f46d", "value": "http://hr-wipro.com/Wipro_Working_Conditions.doc" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "domain", "uuid": "e0bc1d96-2009-11e9-9efa-d89ef344f46d", "value": "hr-wipro.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "domain", "uuid": "e0bc1d99-2009-11e9-9294-d89ef344f46d", "value": "hr-suncor.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "domain", "uuid": "e0bc1d9c-2009-11e9-af0f-d89ef344f46d", "value": "0ffice36o.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1d9f-2009-11e9-8bc6-d89ef344f46d", "value": "185.20.184.138" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1da2-2009-11e9-9b93-d89ef344f46d", "value": "185.161.211.72" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1db7-2009-11e9-b508-d89ef344f46d", "value": "107.161.23.204" }, { "category": "Network activity", "comment": "", "deleted": 
false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1da5-2009-11e9-b493-d89ef344f46d", "value": "185.20.187.8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1da8-2009-11e9-b8b3-d89ef344f46d", "value": "185.174.101.168" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1db1-2009-11e9-8d13-d89ef344f46d", "value": "192.161.187.200" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1dab-2009-11e9-9492-d89ef344f46d", "value": "185.161.211.79" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1dae-2009-11e9-881a-d89ef344f46d", "value": "185.236.78.63" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548364147", "to_ids": true, "type": "ip-dst", "uuid": "e0bc1db4-2009-11e9-a9d7-d89ef344f46d", "value": "209.141.38.71" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1548364147", "uuid": "e0bc1dba-2009-11e9-babc-d89ef344f46d", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548364147", "to_ids": true, "type": "md5", "uuid": "dbcb73a9-0d0d-4f20-bd52-b7d3d1e49f35", "value": "9c8507a1fd7d2579777723b53fee1f3e" }, { "category": "Payload delivery", 
"comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548364147", "to_ids": true, "type": "sha1", "uuid": "4383b10e-f3ad-48c2-b1cc-e35a1677fda3", "value": "48b620df71087bd333284c91e52f0cfed1f2d00e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548364147", "to_ids": true, "type": "sha256", "uuid": "1361adb9-5eb2-4e86-92c3-5941526bef83", "value": "82285b6743cc5e3545d8e67740a4d04c5aed138d9f31d7c16bd11188a2042969" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1548364189", "uuid": "e0be6782-2009-11e9-b60b-d89ef344f46d", "ObjectReference": [ { "comment": "", "object_uuid": "e0be6782-2009-11e9-b60b-d89ef344f46d", "referenced_uuid": "d6bc7998-9cad-4353-851f-f31860ed8366", "relationship_type": "analysed-with", "timestamp": "1548364190", "uuid": "5c4a299e-afcc-42d9-99a8-cf2902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548364147", "to_ids": true, "type": "md5", "uuid": "5f21eaaa-080c-4691-8089-a05353c60139", "value": "807482efce3397ece64a1ded3d436139" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548364147", "to_ids": true, "type": "sha1", "uuid": "52ba1f40-444d-42a9-a65e-e98f5e58f248", "value": "9ea865e000e3e15cec15efc466801bb181ba40a1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548364147", "to_ids": true, "type": "sha256", "uuid": "a75749b1-7257-4518-b391-d1051acc2d59", "value": 
"9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1548364147", "to_ids": true, "type": "ssdeep", "uuid": "eb3b1e93-e901-410b-b868-40e88d36b7d1", "value": "6144:2LOUuU4uDIOjsHFtXwIUPgTiN13sh/2xWoV/hGkWC92Vr3Lu19RmAMZQzm18IBHf:tU4jdltXwnQ01txj4kB257qmJkm1ldU" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1548364147", "to_ids": true, "type": "filename", "uuid": "f416e4da-0063-4bdc-887d-9a70375865ac", "value": "Suncor_employment_form.doc" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1548364147", "to_ids": true, "type": "size-in-bytes", "uuid": "b7ca8d21-53d2-4414-a9c9-a3716fc79d77", "value": "623616" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1548364189", "uuid": "e0be6785-2009-11e9-9867-d89ef344f46d", "ObjectReference": [ { "comment": "", "object_uuid": "e0be6785-2009-11e9-9867-d89ef344f46d", "referenced_uuid": "a576549e-7bae-4dd1-a5f3-4e0a66209a64", "relationship_type": "analysed-with", "timestamp": "1548364190", "uuid": "5c4a299e-794c-44f7-9897-cf2902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548364147", "to_ids": true, "type": "md5", "uuid": "d1aac8b5-6e51-4c62-b9c1-8d31dddc3514", "value": "c00c9f6ebf2979292d524acff19dd306" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548364147", "to_ids": true, 
"type": "sha1", "uuid": "0bce9b59-6af6-4841-9055-efc24a52c639", "value": "1022620da25db2497dc237adedb53755e6b859e3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548364147", "to_ids": true, "type": "sha256", "uuid": "91a51b5c-475f-48c5-b028-7878ba19fe3f", "value": "45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1548364147", "to_ids": true, "type": "ssdeep", "uuid": "35956850-ee9f-4d71-a1c1-a84fcb2282e9", "value": "3072:t3zwUAyRvKFnQStbQQYZrmQC2mCe0t4zu9Cv/QQ3TFnDSF0bNg0+B0tguKtEfT5s:dydXtbiktzu96QItD46NgjA0mFs" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1548364147", "to_ids": true, "type": "size-in-bytes", "uuid": "35d474a6-33e2-4417-bd09-df305a94d0f4", "value": "368640" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "15", "timestamp": "1548364189", "uuid": "e0be6788-2009-11e9-9b1e-d89ef344f46d", "ObjectReference": [ { "comment": "", "object_uuid": "e0be6788-2009-11e9-9b1e-d89ef344f46d", "referenced_uuid": "1b2a8dae-f9e6-4d7a-bb5a-e5e27d5966e0", "relationship_type": "analysed-with", "timestamp": "1548364190", "uuid": "5c4a299e-3688-4c89-b54d-cf2902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548364147", "to_ids": true, "type": "md5", "uuid": "a0e34c9c-3527-48d5-a32b-ce8a6a43b2f2", "value": "d2052cb9016dab6592c532d5ea47cb7e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
false, "object_relation": "sha1", "timestamp": "1548364147", "to_ids": true, "type": "sha1", "uuid": "2aa9d360-7963-49c4-989e-4644c03af4c5", "value": "1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548364147", "to_ids": true, "type": "sha256", "uuid": "624311a5-630e-4fe5-bc73-9700e7a15168", "value": "2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1548364147", "to_ids": true, "type": "ssdeep", "uuid": "405ac9d7-8048-4810-882f-45e2c726468e", "value": "3072:OL1w0Cyf/TYsq6wjRbQC2mCr2v4Q/DfvBgLCOledbqIyWu0jPhVyWxg/MB/RzS:Oz4xI1Q/DxWleNqgu0jpjZS" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1548364147", "to_ids": true, "type": "size-in-bytes", "uuid": "c5ebf0a0-f8a6-43a0-94ff-f165c17c7ea9", "value": "372736" } ] }, { "comment": "", "deleted": false, "description": "Object describing the original file used to import data in MISP.", "meta-category": "file", "name": "original-imported-file", "template_uuid": "4cd560e9-2cfe-40a1-9964-7b2e797ecac5", "template_version": "2", "timestamp": "1548364147", "uuid": "5c4a2973-421c-4138-9787-4b8902de0b81", "Attribute": [ { "category": "External analysis", "comment": "", "data": "", "deleted": false, "disable_correlation": false, "object_relation": "imported-sample", "timestamp": "1548364148", "to_ids": false, "type": "attachment", "uuid": "5c4a2974-2724-4cc3-a3f4-44a402de0b81", "value": "AA19-024_IOCs.stix.xml" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "format", "timestamp": "1548364148", "to_ids": false, "type": "text", "uuid": "5c4a2974-7748-4706-8091-4c4802de0b81", "value": "STIX 
1.1" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548364189", "uuid": "1b2a8dae-f9e6-4d7a-bb5a-e5e27d5966e0", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548364189", "to_ids": false, "type": "datetime", "uuid": "cfe9477f-3ede-4bce-8564-222ef3d4cda5", "value": "2018-12-21T08:26:28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548364190", "to_ids": false, "type": "link", "uuid": "f20424f6-7426-4b05-888f-29ecb1ba2442", "value": "https://www.virustotal.com/file/2010f38ef300be4349e7bc287e720b1ecec678cacbf0ea0556bcf765f6e073ec/analysis/1545380788/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548364190", "to_ids": false, "type": "text", "uuid": "255ad5e5-bbea-4778-9210-91b1f6dc2b55", "value": "47/69" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548364190", "uuid": "a576549e-7bae-4dd1-a5f3-4e0a66209a64", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548364190", "to_ids": false, "type": "datetime", "uuid": "a7fc880f-5658-46fb-93f5-d846f65d468b", "value": "2019-01-24T11:12:00" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548364190", "to_ids": false, "type": "link", "uuid": 
"8565d497-f3c7-4a33-9e07-9188424467be", "value": "https://www.virustotal.com/file/45a9edb24d4174592c69d9d37a534a518fbe2a88d3817fc0cc739e455883b8ff/analysis/1548328320/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548364190", "to_ids": false, "type": "text", "uuid": "949483e4-f6f1-423e-8a7a-1401a5ff37a4", "value": "45/68" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548364190", "uuid": "d6bc7998-9cad-4353-851f-f31860ed8366", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548364190", "to_ids": false, "type": "datetime", "uuid": "7fb9f7c7-be46-49b9-a7c3-f8138f713052", "value": "2018-12-22T03:41:06" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548364190", "to_ids": false, "type": "link", "uuid": "ccb14e9f-f755-496f-be9a-ec2bbb0f74e4", "value": "https://www.virustotal.com/file/9ea577a4b3faaf04a3bddbfcb934c9752bed0d0fc579f2152751c5f6923f7e14/analysis/1545450066/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548364190", "to_ids": false, "type": "text", "uuid": "6777c875-4914-40a7-a8ab-1e0d02b1f494", "value": "36/60" } ] } ] } }