{ "Event": { "analysis": "2", "date": "2015-07-14", "extends_uuid": "", "info": "OSINT An In-Depth Look at How Pawn Storm\u00e2\u20ac\u2122s Java Zero-Day Was Used by Trend Micro", "publish_timestamp": "1437650831", "published": true, "threat_level_id": "2", "timestamp": "1454273686", "uuid": "55a76999-52e4-45c0-ac44-2ce2950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437034929", "to_ids": false, "type": "link", "uuid": "55a769b1-faf0-4553-b131-e4fd950d210b", "value": "http://blog.trendmicro.com/trendlabs-security-intelligence/an-in-depth-look-at-how-pawn-storms-java-zero-day-was-used/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437034949", "to_ids": false, "type": "text", "uuid": "55a769c5-83c8-41f9-a020-266f950d210b", "value": "APT28" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437034949", "to_ids": false, "type": "text", "uuid": "55a769c5-904c-44d3-a10e-266f950d210b", "value": "Pawn Storm" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437034949", "to_ids": false, "type": "text", "uuid": "55a769c5-3b70-40c6-8030-266f950d210b", "value": "Sednit" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437034950", "to_ids": false, "type": "text", "uuid": "55a769c6-70cc-469e-bae4-266f950d210b", "value": "Sofacy" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126452", "to_ids": true, "type": "sha1", "uuid": "55a8cf34-5c94-40bf-9cfc-4301950d210b", "value": "95dc765700f5af406883d07f165011d2ff8dd0fb" }, { "category": "Network activity", "comment": "Marked as not for IDS since it includes a regexp", "deleted": false, "disable_correlation": false, "timestamp": "1437126493", "to_ids": false, "type": "url", "uuid": "55a8cf34-29cc-480a-8bfd-43b9950d210b", "value": "http://ausameetings.com/url?=[a-za-z0-9]{7}/2015annualmeeting/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126452", "to_ids": true, "type": "sha1", "uuid": "55a8cf34-0550-4b1f-b183-42ae950d210b", "value": "b4a515ef9de037f18d96b9b0e48271180f5725b7" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126453", "to_ids": true, "type": "url", "uuid": "55a8cf35-add8-4854-b6c3-443b950d210b", "value": "vhgg5hkvn25.exe" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126453", "to_ids": true, "type": "sha1", "uuid": "55a8cf35-3b68-473a-8347-49c9950d210b", "value": "21835aafe6d46840bb697e8b0d4aac06dec44f5b" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126453", "to_ids": true, "type": "url", "uuid": "55a8cf35-e610-4d0b-b99a-44a5950d210b", "value": "api-ms-win-downlevel-profile-l1-1-0.dll" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126700", "to_ids": true, "type": "domain", "uuid": "55a8d02c-f300-4479-a2e9-1e08950d210b", "value": "ausameetings.com" }, { "category": "Network activity", "comment": "Low precision", "deleted": false, "disable_correlation": false, "timestamp": "1437126700", "to_ids": true, "type": "ip-dst", "uuid": "55a8d02c-8f64-4dd0-a81e-1e08950d210b", "value": "95.215.45.189" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126700", "to_ids": true, "type": "ip-dst", "uuid": "55a8d02c-4300-4109-9e0d-1e08950d210b", "value": "87.236.215.132" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "url", "uuid": "55a8d02d-3cb4-424d-980f-1e08950d210b", "value": "arrayreplace.class" }, { "category": "Payload delivery", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "filename", "uuid": "55a8d02d-e680-47d6-ada7-1e08950d210b", "value": "App$PassHandleController.class" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "url", "uuid": "55a8d02d-5a2c-49e1-bd33-1e08950d210b", "value": "converter.class" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "url", "uuid": "55a8d02d-30f4-48a7-9ae8-1e08950d210b", "value": "mybytearrayinputstream.class" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "url", "uuid": "55a8d02d-9718-48ec-8566-1e08950d210b", "value": "none2.class" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126701", "to_ids": true, "type": "url", "uuid": "55a8d02d-b774-4483-bf97-1e08950d210b", "value": "none.class" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126702", "to_ids": true, "type": "url", "uuid": "55a8d02e-384c-4a0e-b776-1e08950d210b", "value": "cormac.mcr" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126702", "to_ids": true, "type": "ip-dst", "uuid": "55a8d02e-fa20-43d0-9a16-1e08950d210b", "value": "192.111.146.185" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126702", "to_ids": true, "type": "ip-dst", "uuid": "55a8d02e-71e4-484a-b446-1e08950d210b", "value": "37.187.116.240" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126722", "to_ids": true, "type": "domain", "uuid": "55a8d02e-c688-4242-b2b6-1e08950d210b", "value": "acledit.com" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1437126730", "to_ids": true, "type": "domain", "uuid": "55a8d02e-d3c4-41d0-adfe-1e08950d210b", "value": "biocpl.org" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437126787", "to_ids": false, "type": "text", "uuid": "55a8d083-0df0-41d5-aaff-0a95950d210b", "value": "JAVA_DLOADR.EFD" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437126787", "to_ids": false, "type": "text", "uuid": "55a8d083-889c-4378-8a87-0a95950d210b", "value": "TROJ_DROPPR.CXC" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1437126787", "to_ids": false, "type": "text", "uuid": "55a8d083-b298-4191-b334-0a95950d210b", "value": "TSPY_SEDNIT.C" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b", "deleted": false, "disable_correlation": false, "timestamp": "1454273686", "to_ids": true, "type": "sha256", "uuid": "56ae7496-ac98-437d-ba17-4bfa02de0b81", "value": "3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 21835aafe6d46840bb697e8b0d4aac06dec44f5b", "deleted": false, "disable_correlation": false, "timestamp": "1454273686", "to_ids": true, "type": "md5", "uuid": "56ae7496-ab14-4ad0-a447-44be02de0b81", "value": "211b7100fd799e9eaabeb13cfa446231" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454273687", "to_ids": false, "type": "link", "uuid": "56ae7497-80f0-4165-be41-49d402de0b81", "value": "https://www.virustotal.com/file/3d13f2e5b241168005425b15410556bcf26d04078da6b2ef42bc0c2be7654bf8/analysis/1451306949/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7", "deleted": false, "disable_correlation": false, "timestamp": "1454273687", "to_ids": true, "type": "sha256", "uuid": "56ae7497-8098-4ffc-b65e-47d302de0b81", "value": "d93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: b4a515ef9de037f18d96b9b0e48271180f5725b7", "deleted": false, "disable_correlation": false, "timestamp": "1454273687", "to_ids": true, "type": "md5", "uuid": "56ae7497-5968-4028-ac90-4fb202de0b81", "value": "afe09fb5a2b97f9e119f70292092604e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454273688", "to_ids": false, "type": "link", "uuid": "56ae7498-0774-4bcb-ae08-492402de0b81", "value": "https://www.virustotal.com/file/d93f22d46090bfc19ef51963a781eeb864390c66d9347e86e03bba25a1fc29c5/analysis/1449817909/" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb", "deleted": false, "disable_correlation": false, "timestamp": "1454273688", "to_ids": true, "type": "sha256", "uuid": "56ae7498-5770-4232-9152-4a3102de0b81", "value": "3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349" }, { "category": "Payload delivery", "comment": "Imported via the freetext import. - Xchecked via VT: 95dc765700f5af406883d07f165011d2ff8dd0fb", "deleted": false, "disable_correlation": false, "timestamp": "1454273688", "to_ids": true, "type": "md5", "uuid": "56ae7498-cf28-4e29-81fb-47be02de0b81", "value": "0c345969a5974e8b1ec6a5e23b2cf777" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1454273688", "to_ids": false, "type": "link", "uuid": "56ae7498-af00-40a5-9683-420102de0b81", "value": "https://www.virustotal.com/file/3f2d8744205b59f7bee5a8f13e6a15201f04663ce2c6f33b1684968778e44349/analysis/1443100024/" } ] } }