{ "Event": { "analysis": "2", "date": "2015-05-13", "extends_uuid": "", "info": "OSINT Cylance SPEAR Team: A Threat Actor Resurfaces from Cylance", "publish_timestamp": "1432807341", "published": true, "threat_level_id": "3", "timestamp": "1432800092", "uuid": "555de343-19c0-42e9-b793-ab11950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432216400", "to_ids": false, "type": "link", "uuid": "555de350-80d8-4e46-baa7-f22a950d210b", "value": "http://blog.cylance.com/spear-a-threat-actor-resurfaces" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799161", "to_ids": true, "type": "sha256", "uuid": "5566c7b9-5c2c-4dcc-93b6-460e950d210b", "value": "6ba1d42c6493b18548e30bd60ca3d07a140d9d1945cf4e2b542e4a6d23913f40" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799162", "to_ids": true, "type": "sha256", "uuid": "5566c7ba-c9e4-412e-bbee-4fa5950d210b", "value": "9d838fd9d21778ed9dc02226302b486d70ed13d4b3d914a3b512ea07bf67e165" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799175", "to_ids": true, "type": "filename", "uuid": "5566c7c7-36b0-4d4d-a057-4b43950d210b", "value": "ISIS_twitter_list.doc" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799200", "to_ids": true, "type": "filename", "uuid": "5566c7e0-2dd0-4bc1-b327-4224950d210b", "value": "%APPDATA%\\Microsoft\\Systemcertificates\\Certificates.ocx" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799232", "to_ids": true, "type": "regkey|value", "uuid": "5566c800-ab24-4cc1-b8b0-44d9950d210b", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Certificates|Rundll32.exe \"%APPDATA%\\Microsoft\\SystemCertificates\\Certificates.ocx\",Setup" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1432799298", "to_ids": true, "type": "hostname", "uuid": "5566c842-7bd8-4b53-8ff1-4741950d210b", "value": "www.microsoftservices.proxydns.com" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1432799770", "to_ids": true, "type": "hostname", "uuid": "5566c842-1e54-4664-81b4-42f4950d210b", "value": "fighthard.mooo.com" }, { "category": "Network activity", "comment": "Imported via the freetext import.", "deleted": false, "disable_correlation": false, "timestamp": "1432799299", "to_ids": true, "type": "hostname", "uuid": "5566c843-bd4c-4aac-8863-4f24950d210b", "value": "rampage.freetcp.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799315", "to_ids": true, "type": "ip-dst", "uuid": "5566c853-a9bc-48a8-9f4c-418c950d210b", "value": "103.229.125.157" }, { "category": "Attribution", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799338", "to_ids": false, "type": "text", "uuid": "5566c86a-0b0c-4233-b704-48c8950d210b", "value": "C:\\Codes\\Eoehttp\\Release\\Eoehttp.pdb" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1432799377", "to_ids": true, "type": "pattern-in-traffic", "uuid": "5566c891-7614-47a7-99f2-4d9d950d210b", "value": "