{ "Event": { "analysis": "2", "date": "2015-03-09", "extends_uuid": "", "info": "OSINT Hacking Team Reloaded? US-Based Ethiopian Journalists Again Targeted with Spyware by Citizen Lab", "publish_timestamp": "1426156071", "published": true, "threat_level_id": "4", "timestamp": "1426151431", "uuid": "55014970-d82c-4b60-ba8e-0958950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#33FF00", "name": "tlp:green" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426147710", "to_ids": false, "type": "link", "uuid": "5501497e-f5b4-4d6b-92bf-0ff5950d210b", "value": "https://citizenlab.org/2015/03/hacking-team-reloaded-us-based-ethiopian-journalists-targeted-spyware/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426147719", "to_ids": false, "type": "text", "uuid": "55014987-3a78-406d-aa41-9778950d210b", "value": "Hacking Team" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148028", "to_ids": false, "type": "email-attachment", "uuid": "55014abc-9460-4b8b-a820-42d2950d210b", "value": "\u121D\u122D\u132B 2007.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148057", "to_ids": true, "type": "sha256", "uuid": "55014ad9-d5b8-4fe7-bf8a-1c3d950d210b", "value": "b2683b3a214cda3f741fe5ff0850e69420d94174852a194ce9fc5f0db05c1633" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148057", "to_ids": true, "type": "sha1", "uuid": "55014ad9-e458-4f10-b3ac-1c3d950d210b", "value": "03ae6619c2e6dc93d1d3cd218db337aa797b480a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1426148057", "to_ids": true, "type": "md5", "uuid": "55014ad9-a528-4287-a16c-1c3d950d210b", "value": "91961aad912dc790943a1cb23b6e8297" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148085", "to_ids": true, "type": "sha256", "uuid": "55014af5-d320-4de2-b480-0958950d210b", "value": "5509462906e832350ea48f37e2e399669214c90b18023c94949036b254f7a681" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148085", "to_ids": true, "type": "sha1", "uuid": "55014af5-5ea8-43de-8acb-0958950d210b", "value": "f9bebcc72bf7bb51e3e3cbd002bf7f8eea398f2c" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148085", "to_ids": true, "type": "md5", "uuid": "55014af5-d6f4-4664-96ed-0958950d210b", "value": "f6a793a177447e3cab4108a707db65cd" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148187", "to_ids": false, "type": "comment", "uuid": "55014b5b-1f84-4f2c-be35-4822950d210b", "value": "The payload is signed by the following code signing certificate:\r\n\r\nSerial Number: 4fc13d6220c629043a26f81b1cad72d8\r\n\r\nIssuer\r\nCN = Certum Level III CA\r\nOU = Certum Certification Authority\r\nO = Unizeto Technologies S.A.\r\nC = PL\r\n\r\nSubject\r\nE = meicunge@gmail.com\r\nCN = Open Source Developer, meicun ge\r\nO = Meicun Ge\r\nC = CN" }, { "category": "Attribution", "comment": "Code signing certificate subject email", "deleted": false, "disable_correlation": false, "timestamp": "1426148235", "to_ids": false, "type": "text", "uuid": "55014b8b-151c-42a3-a79f-0ff5950d210b", "value": "meicunge@gmail.com" }, { "category": "Attribution", "comment": "Code signing certificate serial number", "deleted": false, "disable_correlation": false, "timestamp": "1426148253", "to_ids": false, "type": "text", "uuid": 
"55014b8b-d5dc-499f-9195-0ff5950d210b", "value": "4fc13d6220c629043a26f81b1cad72d8" }, { "category": "Payload delivery", "comment": "Samples on VT signed with same certificate", "deleted": false, "disable_correlation": false, "timestamp": "1426148285", "to_ids": true, "type": "sha256", "uuid": "55014bbd-ba10-4461-adaf-094a950d210b", "value": "e5cc130dbea95c78cf88807852fad7dcca3a1d6bd7ec86488b6157ba3451a0c9" }, { "category": "Payload delivery", "comment": "Samples on VT signed with same certificate", "deleted": false, "disable_correlation": false, "timestamp": "1426148285", "to_ids": true, "type": "sha256", "uuid": "55014bbd-ead8-48e6-bc6b-094a950d210b", "value": "299f1f25c268d814a85b37fb36e83b891b094baee95c8b739c04b5c134db84c8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148464", "to_ids": true, "type": "ip-dst", "uuid": "55014c70-ccec-4df0-aef8-1c3d950d210b", "value": "176.74.178.202" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148464", "to_ids": true, "type": "ip-dst", "uuid": "55014c70-a0ec-449f-a810-1c3d950d210b", "value": "176.74.178.203" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148494", "to_ids": true, "type": "ip-dst", "uuid": "55014c8e-3628-4ee7-88df-0959950d210b", "value": "46.4.69.25" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148537", "to_ids": true, "type": "email-src", "uuid": "55014cb9-e1b0-4579-8dac-9778950d210b", "value": "fretar19@yahoo.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148565", "to_ids": true, "type": "ip-dst", "uuid": "55014cd5-a430-42d2-a64a-0958950d210b", "value": "197.156.68.130" }, { "category": "Network activity", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1426148585", "to_ids": true, "type": "ip-dst", "uuid": "55014ce9-1a58-4546-8f32-0ff5950d210b", "value": "216.118.233.250" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148665", "to_ids": true, "type": "email-attachment", "uuid": "55014d39-e548-4875-8c18-9778950d210b", "value": "Seminar Anti G7 Movement.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148665", "to_ids": true, "type": "email-attachment", "uuid": "55014d39-d250-462a-ac15-9778950d210b", "value": "Please save our dad from execution.doc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148705", "to_ids": true, "type": "sha256", "uuid": "55014d61-8b34-4970-879e-0958950d210b", "value": "47f9a2daa161eeb0f7c88af92d3b346ee140ffbb0c310d0e6fbc7c91d42faace" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148705", "to_ids": true, "type": "sha1", "uuid": "55014d61-80e0-4a38-96f4-0958950d210b", "value": "b39dcf93c88d202a582ab4a589cacae3e5d6650c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148705", "to_ids": true, "type": "md5", "uuid": "55014d61-edf4-4c05-99e9-0958950d210b", "value": "4faeaed1065815e40bc7c4d9b943f439" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148734", "to_ids": true, "type": "sha256", "uuid": "55014d7e-02e4-48a2-9e51-9778950d210b", "value": "af6137a1fe785cc865ea5ba2310cb81b4c6996f224dda2425d0c5b6995983e3d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148734", "to_ids": true, "type": "sha1", "uuid": "55014d7e-1624-4baf-8040-9778950d210b", "value": 
"519bb2b2c3d0c7e67be735c4d384d832fcc89d67" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148734", "to_ids": true, "type": "md5", "uuid": "55014d7e-7a88-4f1e-af39-9778950d210b", "value": "3a7ef9a8c216bcdbbfecef934196d9c1" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148769", "to_ids": true, "type": "sha256", "uuid": "55014da1-60c4-4a27-8eba-2983950d210b", "value": "84f87c6d85211fe7c7f7fb1321e7f4db917bc6a7f2e51b7a8357fb4351b5a58d" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148769", "to_ids": true, "type": "sha1", "uuid": "55014da1-c904-4a5f-8b8d-2983950d210b", "value": "669246636ec6e3422a81ee2cb77c78c8420f9006" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1426148770", "to_ids": true, "type": "md5", "uuid": "55014da2-1340-4185-a32c-2983950d210b", "value": "b7f54924450ae0675ce67c5edad1f243" } ] } }