{ "Event": { "analysis": "2", "date": "2015-10-15", "extends_uuid": "", "info": "OSINT Pay No Attention to the Server Behind the Proxy: Mapping FinFisher\u2019s Continuing Proliferation by Citizen Lab", "publish_timestamp": "1446737270", "published": true, "threat_level_id": "2", "timestamp": "1450794956", "uuid": "56266091-a774-467e-b0f8-4d9c950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445355751", "to_ids": false, "type": "link", "uuid": "562660e7-4764-4382-ba31-4ea2950d210b", "value": "https://citizenlab.org/2015/10/mapping-finfishers-continuing-proliferation/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356212", "to_ids": true, "type": "sha256", "uuid": "562662b4-1140-4793-8ef8-431b950d210b", "value": "1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356213", "to_ids": true, "type": "sha256", "uuid": "562662b5-a1f8-438d-a4fd-431b950d210b", "value": "94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356213", "to_ids": true, "type": "hostname", "uuid": "562662b5-0724-41a2-8447-431b950d210b", "value": "oogle.wwwhost.biz" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356213", "to_ids": true, "type": "hostname", "uuid": "562662b5-fa90-4116-bb04-431b950d210b", "value": "google.wwwhost.biz" 
}, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356214", "to_ids": true, "type": "ip-dst", "uuid": "562662b6-3008-4959-9571-431b950d210b", "value": "200.74.241.111" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356214", "to_ids": true, "type": "hostname", "uuid": "562662b6-90f0-42a5-908e-431b950d210b", "value": "info.dynamic-dns.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356215", "to_ids": true, "type": "ip-dst", "uuid": "562662b7-f508-454c-ac53-431b950d210b", "value": "192.161.48.59" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356215", "to_ids": true, "type": "hostname", "uuid": "562662b7-8e44-441d-a45c-431b950d210b", "value": "update.ciscofreak.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356599", "to_ids": true, "type": "ip-dst", "uuid": "562662b7-8ab0-419f-b71e-431b950d210b", "value": "162.220.246.117" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356306", "to_ids": true, "type": "domain", "uuid": "562662b8-02bc-44c5-9d59-431b950d210b", "value": "uae.kim" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356217", "to_ids": true, "type": "hostname", "uuid": "562662b9-6eb0-4a23-a7f0-431b950d210b", "value": "r.ddns.me" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356217", "to_ids": true, "type": "ip-dst", "uuid": "562662b9-9790-40cc-8d4a-431b950d210b", "value": "198.105.125.158" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, 
"timestamp": "1445356217", "to_ids": true, "type": "hostname", "uuid": "562662b9-d808-4e0e-b3c3-431b950d210b", "value": "a.ddns.me" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356218", "to_ids": true, "type": "ip-dst", "uuid": "562662ba-f03c-45ee-bb92-431b950d210b", "value": "23.229.3.37" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356218", "to_ids": true, "type": "hostname", "uuid": "562662ba-0d64-4643-86e5-431b950d210b", "value": "test.cable-modem.org" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356219", "to_ids": true, "type": "md5", "uuid": "562662bb-f058-4639-9a04-431b950d210b", "value": "64c1ef8e0923bf44aaa96caeb28a6c11" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356219", "to_ids": true, "type": "hostname", "uuid": "562662bb-33d0-418a-96ff-431b950d210b", "value": "googlecombq6xx.ddns.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356219", "to_ids": true, "type": "ip-dst", "uuid": "562662bb-f3a8-4faa-a1a0-431b950d210b", "value": "131.72.136.28" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356220", "to_ids": true, "type": "hostname", "uuid": "562662bc-9070-48ef-8156-431b950d210b", "value": "tvnew.otzo.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1446737264", "to_ids": false, "type": "ip-dst", "uuid": "562662bc-62d8-4480-8488-431b950d210b", "value": "172.227.95.162" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356221", "to_ids": true, "type": "md5", "uuid": 
"562662bd-e2e4-431e-b611-431b950d210b", "value": "57ab5f60198d311226cdc246598729ea" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356655", "to_ids": true, "type": "hostname", "uuid": "562662bd-ad60-47de-9df6-431b950d210b", "value": "google.com.r3irv2ykn0qnd7vr7sqv7kg2qho3ab5tngl5avxi5iimz1jxw9pa9.uae.kim" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356222", "to_ids": true, "type": "hostname", "uuid": "562662be-cb74-4ef4-9c7f-431b950d210b", "value": "natco1.no-ip.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356222", "to_ids": true, "type": "hostname", "uuid": "562662be-5ea8-4a57-9450-431b950d210b", "value": "natco2.no-ip.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356222", "to_ids": true, "type": "hostname", "uuid": "562662be-5fb4-46df-9c41-431b950d210b", "value": "natco3.no-ip.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356223", "to_ids": true, "type": "hostname", "uuid": "562662bf-7790-4849-87a5-431b950d210b", "value": "natco4.no-ip.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356223", "to_ids": true, "type": "hostname", "uuid": "562662bf-f128-4ef6-8a70-431b950d210b", "value": "natco5.no-ip.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356224", "to_ids": true, "type": "sha256", "uuid": "562662c0-2940-45e7-a806-431b950d210b", "value": "22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356224", "to_ids": 
true, "type": "url", "uuid": "562662c0-cd50-42d1-bbbf-431b950d210b", "value": "http://workingulf.net/dfserv.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356224", "to_ids": true, "type": "sha256", "uuid": "562662c0-f4b4-4802-90a8-431b950d210b", "value": "e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356225", "to_ids": true, "type": "domain", "uuid": "562662c1-bc20-46fa-8c38-431b950d210b", "value": "workingulf.net" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356225", "to_ids": true, "type": "sha256", "uuid": "562662c1-83dc-45f0-a91a-431b950d210b", "value": "d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356226", "to_ids": true, "type": "url", "uuid": "562662c2-7f5c-484d-b8f4-431b950d210b", "value": "http://wp.piedslibres.com/wp/wp-includes/js/next.scr" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356226", "to_ids": true, "type": "sha256", "uuid": "562662c2-d2e8-41c9-a93d-431b950d210b", "value": "08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356575", "to_ids": true, "type": "md5", "uuid": "5626641f-3868-460a-83b6-431b950d210b", "value": "b53c492168e5b389b0e6a2fc8b4355f5" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356576", "to_ids": true, "type": "ip-dst", "uuid": "56266420-a3d8-4bab-a13f-431b950d210b", "value": "212.59.240.98" }, { "category": "Network activity", 
"comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356576", "to_ids": true, "type": "hostname", "uuid": "56266420-6e24-4b43-9bbf-431b950d210b", "value": "news.redirectme.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356577", "to_ids": true, "type": "ip-dst", "uuid": "56266421-12a8-40ef-bf88-431b950d210b", "value": "37.123.112.5" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356577", "to_ids": true, "type": "hostname", "uuid": "56266421-b968-4fed-b0f9-431b950d210b", "value": "docs.gmailserver.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356578", "to_ids": true, "type": "ip-dst", "uuid": "56266422-e1e0-42c2-ad42-431b950d210b", "value": "37.123.112.169" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356578", "to_ids": true, "type": "hostname", "uuid": "56266422-e228-410c-9e84-431b950d210b", "value": "office.gmailserver.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356578", "to_ids": true, "type": "domain", "uuid": "56266422-d968-4fb6-822a-431b950d210b", "value": "verify-login.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356579", "to_ids": true, "type": "hostname", "uuid": "56266423-80d4-48bc-a89b-431b950d210b", "value": "western.gmailserver.net" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655", "deleted": false, "disable_correlation": false, "timestamp": "1445356849", "to_ids": true, "type": "sha1", "uuid": "56266531-f698-405d-b709-432e950d210b", "value": "44529ffbfeb5bdfab852795c6d995616522ae63d" }, { 
"category": "Payload delivery", "comment": "- Xchecked via VT: 08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655", "deleted": false, "disable_correlation": false, "timestamp": "1445356850", "to_ids": true, "type": "md5", "uuid": "56266532-5628-4c7f-8f0f-432e950d210b", "value": "6b8f4dcfea0b4e9cbeb19cfad7f11e9e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356850", "to_ids": false, "type": "link", "uuid": "56266532-a820-4819-bb9d-432e950d210b", "value": "https://www.virustotal.com/file/08b32da8995ae094bfb703d7d975c3816cf04c075c32281e51158164d76cd655/analysis/1444961310/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8", "deleted": false, "disable_correlation": false, "timestamp": "1445356851", "to_ids": true, "type": "sha1", "uuid": "56266533-3a48-4a84-9b40-432e950d210b", "value": "5ef1bf0fbc1e7543e65558bea6090ae2f92ec756" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8", "deleted": false, "disable_correlation": false, "timestamp": "1445356851", "to_ids": true, "type": "md5", "uuid": "56266533-5320-4fdc-8de7-432e950d210b", "value": "111a622b041bf2e9813c831ef46403b5" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356851", "to_ids": false, "type": "link", "uuid": "56266533-33d4-48ae-a553-432e950d210b", "value": "https://www.virustotal.com/file/d759dcbebee18a65fda434ba1da5d348c16d9d3775fe1652a1dacf983ffc93b8/analysis/1432824292/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119", "deleted": false, "disable_correlation": false, "timestamp": "1445356852", "to_ids": true, "type": "sha1", "uuid": "56266534-6460-4878-b7ed-432e950d210b", "value": 
"874e41967e8c34b444ccecd365add06ab263165e" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356852", "to_ids": false, "type": "link", "uuid": "56266534-8d84-4c98-8e82-432e950d210b", "value": "https://www.virustotal.com/file/e2ecf89a49c125e0b4292645a41b5e97c0f7bf15d418faeac0d592205f083119/analysis/1444961305/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114", "deleted": false, "disable_correlation": false, "timestamp": "1445356853", "to_ids": true, "type": "sha1", "uuid": "56266535-3ecc-4379-937d-432e950d210b", "value": "41e9c2e4935a2b39c7b5b066588986a363c58390" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114", "deleted": false, "disable_correlation": false, "timestamp": "1445356853", "to_ids": true, "type": "md5", "uuid": "56266535-8ddc-4658-b1c3-432e950d210b", "value": "3e766f5cedbc5a669622ced136f53fc9" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356853", "to_ids": false, "type": "link", "uuid": "56266535-5a00-4a05-9850-432e950d210b", "value": "https://www.virustotal.com/file/22deea26981bc6183ac3945da8274111e7fd7a35fbb6da601348cc6d66240114/analysis/1432101483/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389", "deleted": false, "disable_correlation": false, "timestamp": "1445356854", "to_ids": true, "type": "sha1", "uuid": "56266536-c094-4474-a143-432e950d210b", "value": "5e98486f941091eae2fbb89eedc36082fd5d9153" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389", "deleted": false, "disable_correlation": false, "timestamp": "1445356854", "to_ids": true, "type": "md5", "uuid": 
"56266536-7fe8-42a9-bfe2-432e950d210b", "value": "4395feba04c6cafba33fa659df1ec5a3" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356855", "to_ids": false, "type": "link", "uuid": "56266537-23d0-48a2-b897-432e950d210b", "value": "https://www.virustotal.com/file/94abf6df38f26530da2864d80e1a0b7cdfce63fd27b142993b89c52b3cee0389/analysis/1439466209/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48", "deleted": false, "disable_correlation": false, "timestamp": "1445356855", "to_ids": true, "type": "sha1", "uuid": "56266537-f308-400a-acca-432e950d210b", "value": "ce3d62ca9d3ae2cc0e2d64c50745522503200ee0" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48", "deleted": false, "disable_correlation": false, "timestamp": "1445356855", "to_ids": true, "type": "md5", "uuid": "56266537-d774-412f-9835-432e950d210b", "value": "471848024b7f7eb717a9597f54802428" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356856", "to_ids": false, "type": "link", "uuid": "56266538-a9fc-469b-903e-432e950d210b", "value": "https://www.virustotal.com/file/1610fc805f980f5c70cec8e138ba800b01ebc86919f42b375cfb161ce6365a48/analysis/1427332547/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 57ab5f60198d311226cdc246598729ea", "deleted": false, "disable_correlation": false, "timestamp": "1445356856", "to_ids": true, "type": "sha256", "uuid": "56266538-1904-4744-9993-432e950d210b", "value": "089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 57ab5f60198d311226cdc246598729ea", "deleted": false, "disable_correlation": false, "timestamp": "1445356856", "to_ids": true, "type": "sha1", "uuid": 
"56266538-a5d0-484c-9faa-432e950d210b", "value": "1d1c24ee7dd77f742e59f54626ff68211d24b64a" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356857", "to_ids": false, "type": "link", "uuid": "56266539-4848-4794-b0dc-432e950d210b", "value": "https://www.virustotal.com/file/089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41/analysis/1444029943/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 64c1ef8e0923bf44aaa96caeb28a6c11", "deleted": false, "disable_correlation": false, "timestamp": "1445356857", "to_ids": true, "type": "sha256", "uuid": "56266539-c514-478b-b868-432e950d210b", "value": "6001692fde7a070df22a184fa8ecd844ab7b304a79fc7852aac8d81466ec3860" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 64c1ef8e0923bf44aaa96caeb28a6c11", "deleted": false, "disable_correlation": false, "timestamp": "1445356858", "to_ids": true, "type": "sha1", "uuid": "5626653a-27a0-41f9-9e77-432e950d210b", "value": "8aad6f55c47e7079977b107918c1e4cd30613379" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445356858", "to_ids": false, "type": "link", "uuid": "5626653a-0084-4b65-a86f-432e950d210b", "value": "https://www.virustotal.com/file/6001692fde7a070df22a184fa8ecd844ab7b304a79fc7852aac8d81466ec3860/analysis/1422287826/" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445357044", "to_ids": true, "type": "domain", "uuid": "562665f4-171c-4c6f-b471-432e950d210b", "value": "pal4u.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445357044", "to_ids": true, "type": "domain", "uuid": "562665f4-6c30-4efd-887c-432e950d210b", "value": "pal2me.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": 
"1445357045", "to_ids": true, "type": "domain", "uuid": "562665f5-afec-4d12-94bf-432e950d210b", "value": "shop8d.net" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445357204", "to_ids": true, "type": "domain", "uuid": "56266694-656c-4cf8-9c4e-432e950d210b", "value": "news-youm7.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1445357205", "to_ids": true, "type": "domain", "uuid": "56266695-8bf4-4ddf-ab03-432e950d210b", "value": "to70.org" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1450794956", "to_ids": true, "type": "link", "uuid": "56795fcc-8df8-4ac3-9fa1-49d5950d210f", "value": "https://www.virustotal.com/file/089a31178bff1a4001016e51b4f59ae90c8847a9d5397a611c6fbeb028fc8d41/analysis/1447091115/" } ] } }