{ "Event": { "analysis": "2", "date": "2019-09-15", "extends_uuid": "", "info": "In-memory post-exploitation payloads from an encoded binary", "publish_timestamp": "1568643213", "published": true, "threat_level_id": "2", "timestamp": "1568643188", "uuid": "5d7dba44-67d4-4fad-b919-4c2d950d210f", "Orgc": { "name": "MalwareMustDie", "uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#380046", "local": "0", "name": "ms-caro-malware:malware-type=\"HackTool\"", "relationship_type": "" }, { "colour": "#ffc100", "local": "0", "name": "poshc2 beacon", "relationship_type": "" }, { "colour": "#c1e21c", "local": "0", "name": " C2", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:course-of-action=\"PowerShell Mitigation\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:course-of-action=\"Network Sniffing Mitigation\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:course-of-action=\"Credential Dumping Mitigation\"", "relationship_type": "" } ], "Attribute": [ { "category": "Internal reference", "comment": "Threat analysis report and analysis screenshots", "deleted": false, "disable_correlation": false, "timestamp": "1568520892", "to_ids": false, "type": "link", "uuid": "5d7dbabc-3ef8-4eb1-9500-448e950d210f", "value": "https://imgur.com/a/k60b8pm" }, { "category": "Network activity", "comment": "The attacker C2 IP address at the time of analysis", "deleted": false, "disable_correlation": false, "timestamp": "1568520952", "to_ids": true, "type": "ip-dst", "uuid": "5d7dbaf8-3e4c-4334-a278-403c950d210f", "value": "154.121.50.129" }, { "category": "Network activity", "comment": "The attacker C2 hostname (DuckDNS dynamic DNS: the IP it resolves to can change over time, so detect on the hostname as well as the IP)", "deleted": false, "disable_correlation": false, "timestamp": "1568520989", "to_ids": true, "type": "hostname", "uuid": "5d7dbb1d-a2ec-4534-9e0b-48f0950d210f", "value": "amazon34.duckdns.org" }, { "category": 
"Payload delivery", "comment": "Post-exploitation outbound traffic at attack initiation (beacon and reverse HTTP); see the linked paste", "deleted": false, "disable_correlation": false, "timestamp": "1568521103", "to_ids": false, "type": "url", "uuid": "5d7dbb8f-210c-4f25-86d9-4e5c950d210f", "value": "https://pastebin.com/Pgi3pMgj" }, { "category": "Payload delivery", "comment": "Post-exploitation outbound traffic at attack initiation (beacon and reverse HTTP); see the linked paste", "deleted": false, "disable_correlation": false, "timestamp": "1568521103", "to_ids": false, "type": "url", "uuid": "5d7dbb8f-2dec-4875-b15d-4f31950d210f", "value": "https://pastebin.com/SAQRkmef" }, { "category": "Network activity", "comment": "AS number of the network hosting the attacker C2 IP", "deleted": false, "disable_correlation": false, "timestamp": "1568521195", "to_ids": false, "type": "AS", "uuid": "5d7dbbeb-9aa0-4209-beda-4a70950d210f", "value": "AS327712" } ] } }