{ "Event": { "analysis": "2", "date": "2017-08-31", "extends_uuid": "", "info": "OSINT - Gazing at Gazer", "publish_timestamp": "1504295748", "published": true, "threat_level_id": "3", "timestamp": "1504295666", "uuid": "59a7f10d-f0ec-431b-b99d-4fe4950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#002b4a", "local": false, "name": "osint:source-type=\"technical-report\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-b3a4-43c4-ba9c-4ddc950d210f", "value": "%TEMP%\\KB943729.log" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-fbf0-4c99-a6d3-4b5b950d210f", "value": "%TEMP%\\CVRG72B5.tmp.cvr" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-7988-47f3-af38-417c950d210f", "value": "%TEMP%\\CVRG1A6B.tmp.cvr" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-0e2c-40a2-9421-4e22950d210f", "value": "%TEMP%\\CVRG38D9.tmp.cvr" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-a8ec-4c13-be4a-44d0950d210f", "value": "%TEMP%\\~DF1E06.tmp" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": 
"1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-a97c-4afc-91bb-4603950d210f", "value": "%HOMEPATH%\\ntuser.dat.LOG3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "filename", "uuid": "59a7f135-0fe4-4cf2-a333-4796950d210f", "value": "%HOMEPATH%\\AppData\\Local\\Adobe\\AdobeUpdater.exe" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": false, "type": "comment", "uuid": "59a7f1fa-c298-4a57-966a-4e26950d210f", "value": "Herein we release our analysis of a previously undocumented backdoor that has been targeted against embassies and consulates around the world; our findings lead us to attribute it, with high confidence, to the Turla group. Turla is a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets. Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere. Based on strings found in the samples we analyzed, we have named this backdoor \"Gazer\".\r\nRecently, the Turla APT group has seen extensive news coverage surrounding its campaigns, something we haven't seen for a long time. The Intercept reported that there exists a 2011 presentation by Canada's Communication Security Establishment (CSE) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced. The codename for the Turla APT group in this presentation is MAKERSMARK. Like its siblings in the Turla family, Gazer uses advanced methods to spy on and persist on its targets. 
This whitepaper highlights the campaigns in which Gazer was used and also contains a technical analysis of its functionalities.", "Tag": [ { "colour": "#002b4a", "local": false, "name": "osint:source-type=\"technical-report\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": false, "type": "link", "uuid": "59a7f2c4-9810-404a-8501-4950950d210f", "value": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", "Tag": [ { "colour": "#002b4a", "local": false, "name": "osint:source-type=\"technical-report\"", "relationship_type": "" } ] }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": false, "type": "regkey", "uuid": "59a7f306-a5b8-475e-ac10-4819950d210f", "value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ScreenSaver" }, { "category": "Persistence mechanism", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": false, "type": "regkey", "uuid": "59a7f306-f5f8-4562-a15e-45ec950d210f", "value": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Explorer\\ScreenSaver" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-5838-401c-a1fc-4509950d210f", "value": "daybreakhealthcare.co.uk/wp-includes/themees.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-bd88-4024-8df0-44f5950d210f", "value": "simplecreative.design/wp-content/plugins/calculated-fields-form/single.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": 
"url", "uuid": "59a7f380-1e14-4d8b-a77a-4461950d210f", "value": "169.255.137.203/rss_0.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-03f0-4322-b6fa-49a9950d210f", "value": "outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-ed60-4e38-91ad-40ce950d210f", "value": "zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-4688-4ff0-b545-4ecd950d210f", "value": "ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-f770-46a1-a5a4-4292950d210f", "value": "dyskurs.com.ua/wp-admin/includes/map-menu.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-0d70-443b-87c7-43f6950d210f", "value": "warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-a34c-4264-9dc0-480d950d210f", "value": "217.171.86.137/config.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": 
"59a7f380-4cd0-4b6d-a0c9-438c950d210f", "value": "217.171.86.137/rss_0.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-8700-4482-b4b0-4563950d210f", "value": "shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-29e0-4c5a-8cc4-4921950d210f", "value": "www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-2548-473c-a616-4597950d210f", "value": "baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-60c0-4c83-8970-4ca1950d210f", "value": "soligro.com/wp-includes/pomo/db.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-8f54-4407-8ebc-47bc950d210f", "value": "giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-f070-46d1-99cc-4fe3950d210f", "value": "tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": 
"59a7f380-0324-4c56-9f10-49fb950d210f", "value": "kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/" }, { "category": "Network activity", "comment": "C&C - NOTE(review): this value appears to be the tail of the preceding URL (kennynguyen.esy.es/.../tests/MaxMind/Db/), split by a line wrap in the source PDF, not a standalone indicator. As a bare path fragment it can match unrelated hosts; confirm the full URL against the ESET report and consider setting to_ids to false for this attribute.", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-a78c-469c-8c18-48a4950d210f", "value": "test/Reader/BuildTest.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-9994-494f-af6e-479d950d210f", "value": "sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-247c-406d-8064-422d950d210f", "value": "chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-a644-42ae-bccb-49c1950d210f", "value": "hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-4d28-428d-a4b8-44bd950d210f", "value": "zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php" }, { "category": "Network activity", "comment": "C&C", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "url", "uuid": "59a7f380-dc5c-467c-ab0a-4db0950d210f", "value": 
"weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-6ff8-49ef-90bb-46f7950d210f", "value": "27fa78de705ebaa4b11c4b5fe7277f91906b3f92" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-94b4-43a7-9787-4270950d210f", "value": "35f205367e2e5f8a121925bbae6ff07626b526a7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-71b0-455d-b325-409e950d210f", "value": "b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-4b78-47af-a932-4e07950d210f", "value": "e40bb5beec5678537e8fe537f872b2ad6b77e08a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-27d8-4641-9e14-41d3950d210f", "value": "522e5f02c06ad215c9d0c23c5a6a523d34ae4e91" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-653c-4486-8351-411e950d210f", "value": "c380038a57ffb8c064851b898f630312fabcbba7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-b4fc-48b1-8957-4dc8950d210f", "value": "267f144d771b4e2832798485108decd505cb824a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-9c70-439b-bd16-4851950d210f", "value": "52f6d09cccdbc38d66c184521e7ccf6b28c4b4d9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-ce1c-4884-b7d7-48b6950d210f", "value": "475c59744accb09724dae610763b7284646ab63f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-51ec-40e6-a397-428e950d210f", "value": "22542a3245d52b7bcdb3eaef5b8b2693f451f497" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-97e8-4083-8edc-4ce0950d210f", "value": "2b9faa8b0fcadac710c7b2b93d492ff1028b5291" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-eaec-442c-a5ed-4856950d210f", "value": "e05ab6978c17724b7c874f44f8a6cbfb1c56418d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-12e4-4e6b-8316-4fe5950d210f", "value": "6dec3438d212b67356200bbac5ec7fa41c716d86" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-3648-450c-bccd-47fa950d210f", "value": "b548863df838069455a76d2a63327434c02d0d9d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-49e0-460b-8368-40b1950d210f", "value": "c3e6511377dfe85a34e19b33575870dda8884c3c" }, { "category": 
"Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-d564-4190-aed1-4415950d210f", "value": "9ff4f59ca26388c37d0b1f0e0b22322d926e294a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-2588-4bbb-b048-4232950d210f", "value": "029aa51549d0b9222db49a53d2604d79ad1c1e59" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-73b8-4a85-a811-4fee950d210f", "value": "cecc70f2b2d50269191336219a8f893d45f5e979" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-5550-4519-b790-43e9950d210f", "value": "7fac4fc130637afab31c56ce0a01e555d5dea40d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-eee4-4d0b-8c9d-4bc5950d210f", "value": "5838a51426ca6095b1c92b87e1be22276c21a044" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-98bc-4f42-bc01-439c950d210f", "value": "3944253f6b7019eed496fad756f4651be0e282b4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-1824-4364-bec3-4795950d210f", "value": "228da957a9ed661e17e00efba8e923fd17fae054" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": 
"59a7f64b-c3b0-424b-bb55-418d950d210f", "value": "295d142a7bdced124fdcc8edfe49b9f3acceab8a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-73fc-45bc-b350-411e950d210f", "value": "0f97f599fab7f8057424340c246d3a836c141782" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-3530-4960-b9ea-42d2950d210f", "value": "dbb185e493a0fdc959763533d86d73f986409f1b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-1994-4758-8d47-4c02950d210f", "value": "4701828dee543b994ed2578b9e0d3991f22bd827" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-9ac0-4e36-b595-4384950d210f", "value": "6fd611667ba19691958b5b72673b9b802edd7ff8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-fd10-4c92-b900-407c950d210f", "value": "fcabeb735c51e2b8eb6fb07bda8b95401d069bd8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-3b30-4742-813e-4784950d210f", "value": "75831df9cbcfd7bf812511148d2a0f117324a75f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-3ca0-4133-858f-4941950d210f", "value": "bae3ae65c32838fb52a0f5ad2cde8659d2bff9f3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": 
false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-9144-4d5d-a4f1-4299950d210f", "value": "37ff6841419adc51eeb8756660b2fb46f3eb24ed" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-dfa8-40d5-b9ff-461a950d210f", "value": "9e6de3577b463451b7afce24ab646ef62ad6c2bd" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-0f30-4733-9240-4981950d210f", "value": "795c6ee27b147ff0a05c0477f70477e315916e0e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-3620-4bfc-bf16-40f1950d210f", "value": "8184ad9d6bbd03e99a397f8e925fa66cfbe5cf1b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-5dd8-432b-9b61-4d3f950d210f", "value": "7ced96b08d7593e28fee616eccbc6338896517cf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-8e28-4524-b985-4ad0950d210f", "value": "63c534630c2ce0070ad203f9704f1526e83ae586" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-7160-496e-8475-4b17950d210f", "value": "23f1e3be3175d49e7b262cd88cfd517694dcba18" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-0998-4d01-a6b0-428c950d210f", "value": "7a6f1486269abdc1d658db618dc3c6f2ac85a4a7" }, { "category": 
"Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-7228-4d01-923b-4864950d210f", "value": "11b35320fb1cf21d2e57770d8d8b237eb4330eaa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-aca0-43d4-a7ae-4357950d210f", "value": "e8a2bad87027f2bf3ecae477f805de13fccc0181" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-aa8c-4ec7-9d98-41ae950d210f", "value": "950f0b0c7701835c5fbdb6c5698a04b8afe068e6" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-8fdc-4575-b62f-4c34950d210f", "value": "a5eec8c6aadf784994bf68d9d937bb7af3684d5c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-f678-4aaa-bc65-4d6f950d210f", "value": "411ef895fe8dd4e040e8bf4048f4327f917e5724" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-26c8-475d-8df1-4b36950d210f", "value": "c1288df9022bcd2c0a217b1536dfa83928768d06" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": "59a7f64b-5c2c-4d74-8c23-45ed950d210f", "value": "4b6ef62d5d59f2fe7f245dd3042dc7b83e3cc923" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": true, "type": "sha1", "uuid": 
"59a7f64b-7a84-446f-a7c4-43e6950d210f", "value": "7f54f9f2a6909062988ae87c1337f3cf38d68d35" }, { "category": "Payload delivery", "comment": "NOTE(review): the mis-encoded curly quotes from the source PDF were replaced with ASCII double quotes, which YARA requires for import names and string literals; the rule does not compile otherwise. Gazer_certificate_subject depends on the pe module imported at the top.", "deleted": false, "disable_correlation": false, "timestamp": "1504295665", "to_ids": false, "type": "yara", "uuid": "59a7f6e6-5934-4fa2-94d1-4db5950d210f", "value": "import \"pe\"\r\nimport \"math\"\r\nimport \"hash\"\r\nrule Gazer_certificate_subject {\r\n condition:\r\n for any i in (0..pe.number_of_signatures - 1):\r\n (pe.signatures[i].subject contains \"Solid Loop\" or \r\npe.signatures[i].subject contains \"Ultimate Computer Support\")\r\n}\r\nrule Gazer_certificate\r\n{\r\n strings:\r\n $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02}\r\n $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c}\r\n condition:\r\n (uint16(0) == 0x5a4d) and 1 of them and filesize < 2MB\r\n}\r\nrule Gazer_logfile_name\r\n{\r\n strings:\r\n $s1 = \"CVRG72B5.tmp.cvr\"\r\n $s2 = \"CVRG1A6B.tmp.cvr\"\r\n $s3 = \"CVRG38D9.tmp.cvr\"\r\n condition:\r\n (uint16(0) == 0x5a4d) and 1 of them\r\n}" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "sha256", "uuid": "59a9baf2-6c64-4121-a01c-49a502de0b81", "value": "93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "md5", "uuid": "59a9baf2-7580-46ee-93bf-491102de0b81", "value": "ccc172686bc7afc51349713178e2e45e" }, { "category": "External analysis", 
"comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": false, "type": "link", "uuid": "59a9baf2-d000-4de0-87fb-4c7802de0b81", "value": "https://www.virustotal.com/file/93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c/analysis/1504156268/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "sha256", "uuid": "59a9baf2-b870-4ac5-b7e7-497902de0b81", "value": "4013d3c221c6924e8c525aac7ed0402bd5349a28dcbc20bc1ff6bd09079faacf" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "md5", "uuid": "59a9baf2-8268-4aec-8206-43a402de0b81", "value": "fd7e0ecc41735d3ba0329e1e311689f8" }, { "category": "External analysis", "comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": false, "type": "link", "uuid": "59a9baf2-7d34-45a7-b496-478402de0b81", "value": "https://www.virustotal.com/file/4013d3c221c6924e8c525aac7ed0402bd5349a28dcbc20bc1ff6bd09079faacf/analysis/1504278816/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "sha256", "uuid": "59a9baf2-bd24-454d-813b-47d702de0b81", "value": "a65bc4adbd61c098acf40ef81dc8b6b10269af0d9ebbdc18b48439df76c18cb3" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "md5", "uuid": 
"59a9baf2-1358-450e-8816-480002de0b81", "value": "0c6bb4ce1251c34365b8eb2a933dc431" }, { "category": "External analysis", "comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": false, "type": "link", "uuid": "59a9baf2-982c-46bd-aa57-438c02de0b81", "value": "https://www.virustotal.com/file/a65bc4adbd61c098acf40ef81dc8b6b10269af0d9ebbdc18b48439df76c18cb3/analysis/1504263553/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "sha256", "uuid": "59a9baf2-b0e8-4da9-9061-4e1a02de0b81", "value": "d0b169d2e753191a5c366a863d216bc5a9eb5e173f0bd5a61f126c4fd16484ac" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "md5", "uuid": "59a9baf2-813c-4fcd-8510-4af702de0b81", "value": "5a2acbc101a8323f876bdd26948ee8a7" }, { "category": "External analysis", "comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": false, "type": "link", "uuid": "59a9baf2-f00c-4a55-b56a-465002de0b81", "value": "https://www.virustotal.com/file/d0b169d2e753191a5c366a863d216bc5a9eb5e173f0bd5a61f126c4fd16484ac/analysis/1504183815/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "sha256", "uuid": "59a9baf2-44b0-4e39-b77d-423802de0b81", "value": "473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7", "deleted": 
false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": true, "type": "md5", "uuid": "59a9baf2-6ccc-4ade-a349-445702de0b81", "value": "b099b82acb860d9a9a571515024b35f0" }, { "category": "External analysis", "comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7", "deleted": false, "disable_correlation": false, "timestamp": "1504295666", "to_ids": false, "type": "link", "uuid": "59a9baf2-98ac-43c0-a0a8-445f02de0b81", "value": "https://www.virustotal.com/file/473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0/analysis/1504278826/" } ] } }