{"Event": {"info": "OSINT - Attacks Exploiting Sharepoint CVE-2019-0604", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#0071c3", "exportable": true, "name": "osint:lifetime=\"perpetual\""}, {"colour": "#0087e8", "exportable": true, "name": "osint:certainty=\"50\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-malware=\"China Chopper\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\""}], "publish_timestamp": "1557437226", "timestamp": "1558514319", "Object": [{"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "2e08e347-2a12-4a0f-b4f0-5fd161d71eb0", "sharing_group_id": "0", "timestamp": "1557436955", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "2e08e347-2a12-4a0f-b4f0-5fd161d71eb0", "uuid": "5cd49a1d-9300-408f-8be1-4566950d210f", "timestamp": "1557436957", "referenced_uuid": "2ee4ba30-9841-4fbf-acd0-286bac9c6b35", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "f40e3024-1555-4e1e-89f7-7efba0d533e3", "timestamp": "1557436911", "to_ids": true, "value": "b814532d73c7e5ffd1a2533adc6cfcf8", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "c3d2d5db-6e7f-4766-819a-0790901e2bce", "timestamp": "1557436911", "to_ids": true, "value": "dc8e7b7de41cac9ded920c41b272c885e1aec279", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "4cef7132-6e79-4d91-859b-fd2f51b44a87", "timestamp": "1557436911", "to_ids": true, "value": "05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "2ee4ba30-9841-4fbf-acd0-286bac9c6b35", "sharing_group_id": "0", "timestamp": "1557436955", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "c2763120-8f7b-49cb-b159-6787c01b99bb", "timestamp": "1557436911", "to_ids": false, "value": "2019-05-09 20:57:27", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "939cef4e-14e2-4e83-8544-63aa27e6deef", "timestamp": "1557436911", "to_ids": false, "value": "https://www.virustotal.com/file/05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4/analysis/1557435447/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "c84c63bd-e491-45e8-aa8c-7340da2e7cde", "timestamp": "1557436911", "to_ids": false, "value": "5/59", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "23a2b779-9b25-4053-8780-5dc66bead631", "sharing_group_id": "0", "timestamp": "1557436956", "description": "File object describing a file with meta-information", "template_version": "15", "ObjectReference": [{"comment": "", "object_uuid": "23a2b779-9b25-4053-8780-5dc66bead631", "uuid": "5cd49a1d-a068-4f0a-ad36-45ab950d210f", "timestamp": "1557436957", "referenced_uuid": "f804ed11-1310-477c-ba77-83745ec66f57", "relationship_type": "analysed-with"}], "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "f4c8d1d5-1f7d-4257-889f-084c8204e4a2", "timestamp": "1557436911", "to_ids": true, "value": "198ee041e8f3eb12a19bc321f86ccb88", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "220e56a3-8180-401f-b2a2-bda24ab7ca42", "timestamp": "1557436911", "to_ids": true, "value": "ee583451c832b07d8f2b4d6b8dd36ccb280ff421", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "732a5725-135b-4e6e-bd1f-26996ac3b80e", "timestamp": "1557436911", "to_ids": true, "value": "c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "f804ed11-1310-477c-ba77-83745ec66f57", "sharing_group_id": "0", "timestamp": "1557436957", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "2fa0e40a-0a4d-4b3c-a36b-64e661e70c2d", "timestamp": "1557436911", "to_ids": false, "value": "2019-04-09 09:15:29", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "Payload delivery", "uuid": "12c3d385-2e80-4a3f-905e-0e581e972522", "timestamp": "1557436911", "to_ids": false, "value": "https://www.virustotal.com/file/c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e/analysis/1554801329/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "d8ba684b-7f6f-4c9c-8b11-b7511de95177", "timestamp": "1557436911", "to_ids": false, "value": "13/72", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "2", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "5cd499ee-7528-4e01-aa5e-d56e950d210f", "timestamp": "1557436910", "to_ids": true, "value": "vision2030.tk", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "", "category": "Network activity", "uuid": "5cd499ef-1030-43e0-a68d-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "https://vision2030.tk/static/googleupdate.xn--txt-9o0a", "disable_correlation": false, "object_relation": null, "type": "url"}, {"comment": "", "category": "External analysis", "uuid": "5cd499ef-010c-4a5d-9651-d56e950d210f", "timestamp": "1557436911", "to_ids": false, "value": "CVE-2019-0604", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-2f3c-4b66-b04c-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "c63f425d96365d906604b1529611eefe5524432545a7977ebe2ac8c79f90ad7e", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-8628-440e-ad75-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "198ee041e8f3eb12a19bc321f86ccb88", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-9890-4768-b187-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "ee583451c832b07d8f2b4d6b8dd36ccb280ff421", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Network activity", "uuid": "5cd499ef-c598-4e87-ad5e-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "vision2030.cf", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-9654-4a61-9d18-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "05108ac3c3d708977f2d679bfa6d2eaf63b371e66428018a68efce4b6a45b4b4", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-3d64-4c66-bd11-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "b560c3b9b672f42a005bdeae79eb91dfb0dec8dc04bea51f38731692bc995688", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-6a48-4090-b7b9-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "7d6812947e7eafa8a4cce84b531f8077f7434dbed4ccdaca64225d1b6a0e8604", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-650c-43da-88db-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "0eebeef32a8f676a1717f134f114c8bd", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-169c-42b5-9cd5-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "b814532d73c7e5ffd1a2533adc6cfcf8", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-8230-4cfc-af74-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "708544104809ef2776ddc56e04d27ab1", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-f948-41d2-ba99-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "f0fb0f7553390f203669e53abc16b15e729e5c6f", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-9004-4e76-8feb-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "dc8e7b7de41cac9ded920c41b272c885e1aec279", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-766c-45ad-8c52-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "4c3b262b4134366ad0a67b1a2d6378da428d712b", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-4510-4da0-b0db-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "fafe395967d2ec8022c2c91815b231ee08143031", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-f65c-4426-97c8-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "ce1ef0f88530bb51de8d20c83252fa0f0ff55bc7", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "5cd499ef-b020-4f85-98a7-d56e950d210f", "timestamp": "1557436911", "to_ids": true, "value": "2e4b7c022329e5c21e47d55e8916f6af852aabbbd1798f9e16985f22a8056646", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "External analysis", "uuid": "5cd49a89-1424-4418-93a9-47cf950d210f", "timestamp": "1557437065", "to_ids": false, "value": "https://cyber.gc.ca/fr/avis/maliciel-china-chopper-affectant-les-serveurs-sharepoint", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5cd49a89-f5c0-4980-bfa0-4068950d210f", "timestamp": "1557437065", "to_ids": false, "value": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5cd49a89-adf4-4ea8-a16a-4713950d210f", "timestamp": "1557437065", "to_ids": false, "value": "https://pastebin.com/bUFPhucz", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5cd49a9a-6b20-4905-99ed-f9fa950d210f", "timestamp": "1557437082", "to_ids": false, "value": "https://otx.alienvault.com/pulse/5cd3f89df12b501c477a6fba", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5cd91b97-f1e4-431f-8ba7-56a6950d210f", "timestamp": "1557732247", "to_ids": true, "value": "rule alienvault_webshells_asp : Webshells { \r\n meta: \r\n author = \"AlienVault Labs\" \r\n info = \"Generic detections for possible PHP Web-Shells\" \r\n strings: \r\n $sa = \"<%eval request(\" nocase wide ascii \r\n $sb = \"Server.CreateObject(\\\"WSCRIPT.SHELL\\\")\" nocase wide ascii \r\n $sc = \"Eval(Request(\" nocase wide ascii \r\n $sd = \"ExecuteGlobal(StrReverse\" nocase wide ascii \r\n $se = \"<%eval(Request.Item[\" nocase wide ascii \r\n condition: \r\n any of them\r\n}", "disable_correlation": false, "object_relation": null, "type": "yara"}, {"comment": "", "category": "Network activity", "uuid": "5cd917a1-4898-4142-a317-b753950d210f", "timestamp": "1557731233", "to_ids": true, "value": "114.25.219.100", "disable_correlation": false, "object_relation": null, "type": "ip-src"}], "extends_uuid": "", "published": false, "date": "2019-05-09", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5cd499b7-5584-4d95-864b-d56f950d210f"}}