{"Event": {"info": "SystemTen (ELF trojan installer, miner, bot and rootkit) / ex-Rocke", "Tag": [{"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#670080", "exportable": true, "name": "ms-caro-malware:malware-platform=\"Linux\""}, {"colour": "#7900c3", "exportable": true, "name": "adversary:infrastructure-state=\"active\""}, {"colour": "#366c00", "exportable": true, "name": "circl:incident-classification=\"malware\""}, {"colour": "#345d00", "exportable": true, "name": "malware_classification:malware-category=\"Downloader\""}, {"colour": "#305600", "exportable": true, "name": "malware_classification:malware-category=\"Rootkit\""}, {"colour": "#22681c", "exportable": true, "name": "malware_classification:malware-category=\"Botnet\""}, {"colour": "#ffffff", "exportable": true, "name": "OSINT"}], "publish_timestamp": "1557738100", "timestamp": "1557739209", "analysis": "1", "Attribute": [{"comment": "MalwareMustDie incident analysis and reports of infection campaign from early March 2019 to end of April 2019", "category": "External analysis", "uuid": "5ccf331e-da90-4718-94c8-49d3950d210f", "timestamp": "1557082910", "to_ids": false, "value": "https://imgur.com/a/H7YuWuj", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "MalwareMustDie incident analysis and reports of infection campaign from early March 2019 to end of April 2019", "category": "External analysis", "uuid": "5ccf331e-1534-4301-9d4c-4d32950d210f", "timestamp": "1557082910", "to_ids": false, "value": "https://old.reddit.com/r/LinuxMalware/comments/bfaea2/fun_in_dissecting_lsd_packer_elf_golang_miner/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338a-a70c-4aef-ae6c-4b95950d210f", "timestamp": "1557083018", "to_ids": false, "value": "/tmp/kerberods (elf trojan installer)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": 
"", "category": "Payload delivery", "uuid": "5ccf338a-41ec-4332-86d4-4ee9950d210f", "timestamp": "1557083018", "to_ids": false, "value": "/tmp/khugepageds (elf monero miner xmrig)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338a-3788-4d10-8dfb-45b6950d210f", "timestamp": "1557083018", "to_ids": false, "value": "/tmp/kthrotlds (elf trojan bot)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-8d84-4997-9c96-454a950d210f", "timestamp": "1557083018", "to_ids": false, "value": "/tmp/kintegrityds (elf trojan bot)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-2d54-4f22-afff-4296950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/tmp/kpsmouseds (elf trojan installer)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-9b24-43ce-ba79-400f950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/tmp/kerb (elf trojan bot)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-7164-4214-b2af-489a950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/cron.d/tomcat (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-29f4-4d56-91a8-4ec9950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/cron.d/root (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-8848-4992-830d-4f87950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/var/spool/cron/root 
(persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-0c80-4351-9fe5-4ae4950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/var/spool/cron/crontabs/root (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-e194-463f-86b2-4c83950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/sbin/kthrotlds (elf trojan bot)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-dc8c-4e16-930c-4ea4950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/sbin/kintegrityds (elf trojan bot)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-d720-4e12-9828-400b950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/sbin/kerberods (elf trojan installer)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-9eec-415d-8713-4dba950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/sbin/kpsmouseds (elf trojan installer)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-9ca0-4ff6-906a-4949950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/rc.d/init.d/kthrotlds (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-34c4-4ceb-9797-4327950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/rc.d/init.d/kerberods (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", 
"category": "Payload delivery", "uuid": "5ccf338b-1e8c-4620-b81d-48a7950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/rc.d/init.d/kpsmouseds (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-d71c-4be9-bf9f-424d950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/etc/rc.d/init.d/kintegrityds (persistence)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-20fc-4572-980b-4937950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/tmp/ld.so.preload (rootkit preload module)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-77c0-4310-b0b8-4155950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/local/lib/libpamcd.so (rootkit preload module)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-5f70-42cf-b488-4660950d210f", "timestamp": "1557083019", "to_ids": false, "value": "/usr/local/lib/libcset.so (rootkit preload module)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5ccf338b-fc44-4109-98ee-4ea1950d210f", "timestamp": "1557739209", "to_ids": false, "value": "/usr/local/lib/libdb-0.1.so (rootkit preload module)", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5ccf33c6-84b8-4b61-8d12-4c63950d210f", "timestamp": "1557083319", "to_ids": false, "value": "8ecf8e7653e6a67d61ff03e0c61f3825", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5ccf33c6-8bd4-4b84-ae73-43ef950d210f", 
"timestamp": "1557083329", "to_ids": false, "value": "a1e0e218b3b7c063bbf3f21003763548", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5ccf33c6-2c48-49d9-bdc6-4af6950d210f", "timestamp": "1557083348", "to_ids": false, "value": "bedc270205ee06817ab6b3d58f260794", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5ccf33c6-1690-4a1c-a41e-4b65950d210f", "timestamp": "1557083358", "to_ids": false, "value": "5301972a7ef320e894274a38f0bb2b2c", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Artifacts dropped", "uuid": "5ccf33c6-f0d4-4a32-9cc7-405e950d210f", "timestamp": "1557083339", "to_ids": false, "value": "17e9e888b8d0f374b5c623ae6b6d6cc6", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-6444-410e-9d87-415c950d210f", "timestamp": "1557083198", "to_ids": true, "value": "d.heheda.tk.", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-3880-492a-93ba-423d950d210f", "timestamp": "1557083198", "to_ids": true, "value": "c.heheda.tk", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-6234-48a2-88f4-4734950d210f", "timestamp": "1557083198", "to_ids": true, "value": "dd.heheda.tk", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-0500-4226-90d9-477b950d210f", "timestamp": "1557083198", "to_ids": true, "value": "systemten.org", "disable_correlation": false, "object_relation": null, "type": 
"hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-59ac-4de1-be7e-408b950d210f", "timestamp": "1557083198", "to_ids": true, "value": "w.3ei.xyz", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-5098-44d0-bb39-4100950d210f", "timestamp": "1557083198", "to_ids": true, "value": "w.21-3n.xyz", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-31a4-4dfe-8318-4e1e950d210f", "timestamp": "1557083198", "to_ids": true, "value": "t.w2wz.cn", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-a4c8-4a2a-99ee-45d6950d210f", "timestamp": "1557083198", "to_ids": true, "value": "1.z9ls.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-f58c-4fdd-95f2-46dd950d210f", "timestamp": "1557083198", "to_ids": true, "value": "yxarsh.shop", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-aa74-4740-8638-495d950d210f", "timestamp": "1557083198", "to_ids": true, "value": "i.ooxx.ooo", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-2c70-41eb-a61c-45b3950d210f", "timestamp": "1557083198", "to_ids": true, "value": "baocangwh.cn", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": 
"5ccf343e-f75c-4aae-b652-4e03950d210f", "timestamp": "1557083198", "to_ids": true, "value": "img.sobot.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5ccf343e-0e58-4347-8020-4d32950d210f", "timestamp": "1557083198", "to_ids": true, "value": "sowcar.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-6d0c-41a1-a55a-4dc7950d210f", "timestamp": "1557083487", "to_ids": true, "value": "42.56.76.104", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-04d4-4359-8fbb-47cf950d210f", "timestamp": "1557083487", "to_ids": true, "value": "47.90.213.21", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-93a0-48b2-b7fc-427d950d210f", "timestamp": "1557083487", "to_ids": true, "value": "116.62.232.226", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-39dc-4d46-beeb-4488950d210f", "timestamp": "1557083487", "to_ids": true, "value": "211.91.160.238", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-f5f8-439d-bb9f-49f8950d210f", "timestamp": "1557083487", "to_ids": true, "value": "221.204.60.69", "disable_correlation": false, "object_relation": null, "type": 
"ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-9aa4-4759-8b0d-4838950d210f", "timestamp": "1557083487", "to_ids": true, "value": "103.52.216.35", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-3460-4721-8f60-4d31950d210f", "timestamp": "1557083487", "to_ids": true, "value": "45.63.0.102", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-f270-4244-9357-4038950d210f", "timestamp": "1557083487", "to_ids": true, "value": "104.238.151.101", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-c340-44b6-92e4-41db950d210f", "timestamp": "1557083487", "to_ids": true, "value": "104.248.53.213", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-7d68-4c6f-bdd4-41f3950d210f", "timestamp": "1557083487", "to_ids": true, "value": "134.209.104.20", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5ccf355f-2e94-48e5-b56a-42e1950d210f", "timestamp": "1557083487", "to_ids": true, "value": "198.204.231.250", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "The alleged account utilized by adversary", "category": "Social network", "uuid": 
"5ccf35e3-4f10-4cff-bb9a-4eed950d210f", "timestamp": "1557083619", "to_ids": false, "value": "helegedada", "disable_correlation": false, "object_relation": null, "type": "github-repository"}, {"comment": "Pastebin account allegedly owned by the adversary; the account name matches the SystemTen naming used for the campaign and its systemten.org C2 domain", "category": "Social network", "uuid": "5ccf362e-9478-4f19-b38c-41d1950d210f", "timestamp": "1557083694", "to_ids": false, "value": "https://pastebin.com/u/SYSTEMTEN", "disable_correlation": false, "object_relation": null, "type": "other"}, {"comment": "Vulnerability used by the adversary to infect Linux systems: Atlassian Confluence Server (WebDAV server-side request forgery)", "category": "Payload delivery", "uuid": "5ccf3763-4e98-46e5-b64c-4985950d210f", "timestamp": "1557084003", "to_ids": false, "value": "CVE-2019-3395", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Vulnerability used by the adversary to infect Linux systems: Atlassian Confluence Server (Widget Connector server-side template injection leading to remote code execution)", "category": "Payload delivery", "uuid": "5ccf3763-64f0-41eb-a327-4194950d210f", "timestamp": "1557084003", "to_ids": false, "value": "CVE-2019-3396", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Vulnerability used by the adversary to infect Linux systems: Jenkins Groovy sandbox bypass (Groovy plugin) leading to remote code execution", "category": "Payload delivery", "uuid": "5ccf3763-b7f8-47ae-9128-4942950d210f", "timestamp": "1557084003", "to_ids": false, "value": "CVE-2019-1003033", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Vulnerability used by the adversary to infect Linux systems: Jenkins Groovy sandbox bypass (Pipeline: Groovy plugin) leading to remote code execution", "category": "Payload delivery", "uuid": "5ccf3763-eaf8-4649-9c25-489b950d210f", "timestamp": "1557084003", "to_ids": false, "value": "CVE-2019-1003030", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Vulnerability used by the adversary to infect Linux systems: Jenkins Groovy sandbox bypass (Script Security plugin) leading to remote code execution", "category": "Payload delivery", "uuid": "5ccf3763-2438-4331-92c7-4ddd950d210f", "timestamp": "1557084003", "to_ids": false, "value": "CVE-2019-1003029", 
"disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Strings the malware greps for in its update and kill-competitor routine: process names, paths, mining-pool domains and IPs that appear to belong to rival cryptominers (note systemctI with a capital I, apparently mimicking systemctl). These identify competitor threats rather than this campaign, but they are useful for detecting related Linux cryptomining infections.", "category": "Internal reference", "uuid": "5ccf37df-cc1c-4c56-9a7d-4079950d210f", "timestamp": "1557084127", "to_ids": false, "value": "hwlh3wlh44lh\r\nCircle_MI\r\nxmr\r\nxig\r\nddgs\r\nqW3xT\r\nwnTKYg\r\nt00ls.ru\r\nsustes\r\nthisxxs\r\nhashfish\r\nkworkerds\r\ntmp/devtool\r\nsystemctI\r\nplfsbce\r\nluyybce\r\n6Tx3Wq\r\ndblaunchs\r\nvmlinuz\r\nget.bi-chi.com\r\nhashvault.pro\r\nnanopool.org\r\n119.9.106.27\r\n104.130.210.206", "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "Atlassian community thread (Confluence instance compromised by Kerberods) containing MalwareMustDie's analysis of the ELF command-execution bot installed by the adversary", "category": "Internal reference", "uuid": "5ccf38a2-4590-42df-a18a-4fe6950d210f", "timestamp": "1557084322", "to_ids": false, "value": "https://community.atlassian.com/t5/Confluence-questions/How-come-my-confluence-installation-was-hacked-by-Kerberods/qaq-p/1054605#M141274", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "X.509 certificate embedded in the ELF installer samples. Its subject (C=NL, O=PolarSSL, CN=PolarSSL Test CA, valid 2011-02-12 to 2021-02-12) matches the public test CA certificate shipped with the PolarSSL/mbedTLS library, so it is most likely a statically linked library artifact rather than an adversary-issued certificate; keep to_ids=false and do not use it as an indicator on its own.", "category": "Payload delivery", "uuid": "5ccf3940-ddec-4518-b17f-4419950d210f", "timestamp": "1557084480", "to_ids": false, "value": "-----BEGIN 
CERTIFICATE-----\r\nMIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\nMA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\nMTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\nA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\nCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\nmdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\nYMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\nR7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\nKNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\ngZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\nBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\ndCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\nSsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\nDBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\npjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\nm/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n-----END CERTIFICATE-----", "disable_correlation": false, "object_relation": null, "type": "other"}, {"comment": "TLS leaf certificate presented by the C2 host d.heheda.tk, issued by Let's Encrypt Authority X3 (chained to DST Root CA X3) and valid 2019-04-22 to 2019-07-21. Let's Encrypt is a public CA, so the issuer is not a pivot; the subject CN and the serial number are. The 90-day validity means the adversary must renew, so later certificates for this name will carry a different serial.", "category": "Network activity", "uuid": "5ccf39ae-2d8c-4d58-af04-419e950d210f", "timestamp": "1557084590", "to_ids": false, "value": "Handshake Protocol: Certificate\r\nCertificate Length: 1374\r\nCertificate (id-at-commonName=d.heheda.tk)\r\nversion: v3 (2)\r\nserialNumber : 0x0391959ec679153960186df2c0768f78425e\r\nsignature (sha256WithRSAEncryption)\r\nAlgorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)\r\nrdnSequence: 3 items\r\n(id-at-commonName=Let's Encrypt Authority 
X3,\r\nid-at-organizationName=Let's Encrypt,\r\nid-at-countryName=US )\r\nValidity not before: utcTime: 19-04-22 01:13:26 (UTC)\r\nValidity not after: utcTime: 19-07-21 01:13:26 (UTC)\r\nissuer: rdnSequence (0) rdnSequence: 2 items\r\n(id-at-commonName=DST Root CA X3,\r\nid-at-organizationName=Digital Signature Trust Co.)", "disable_correlation": false, "object_relation": null, "type": "other"}, {"comment": "The bot component resolves its C2 hostnames through these hard-coded public resolvers (IP|port), apparently instead of the host's configured DNS, which sidesteps internal DNS logging and sinkholing. The resolvers themselves are benign (hence to_ids=false); the detection value is in servers sending DNS to them directly, in particular to 208.67.222.222 on the non-standard ports 5353 and 443.", "category": "Network activity", "uuid": "5ccf3d10-ac0c-447c-814e-43c2950d210f", "timestamp": "1557085456", "to_ids": false, "value": "1.1.1.1|53", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "The bot component resolves its C2 hostnames through these hard-coded public resolvers (IP|port), apparently instead of the host's configured DNS, which sidesteps internal DNS logging and sinkholing. The resolvers themselves are benign (hence to_ids=false); the detection value is in servers sending DNS to them directly, in particular to 208.67.222.222 on the non-standard ports 5353 and 443.", "category": "Network activity", "uuid": "5ccf3d10-b734-4496-b135-4bc8950d210f", "timestamp": "1557085456", "to_ids": false, "value": "8.8.8.8|53", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "The bot component resolves its C2 hostnames through these hard-coded public resolvers (IP|port), apparently instead of the host's configured DNS, which sidesteps internal DNS logging and sinkholing. The resolvers themselves are benign (hence to_ids=false); the detection value is in servers sending DNS to them directly, in particular to 208.67.222.222 on the non-standard ports 5353 and 443.", "category": "Network activity", "uuid": "5ccf3d10-2f7c-4ceb-892e-46f0950d210f", "timestamp": "1557085456", "to_ids": false, "value": "208.67.222.222|5353", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "The bot component resolves its C2 hostnames through these hard-coded public resolvers (IP|port), apparently instead of the host's configured DNS, which sidesteps internal DNS logging and sinkholing. The resolvers themselves are benign (hence to_ids=false); the detection value is in servers sending DNS to them directly, in particular to 208.67.222.222 on the non-standard ports 5353 and 443.", "category": "Network activity", "uuid": "5ccf3d10-bed0-4d85-945b-46d0950d210f", "timestamp": "1557085456", "to_ids": false, "value": "208.67.222.222|443", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "The origin of IP addresses used by the adversaries for their C2 servers", "category": "Network activity", "uuid": "5cd59ac0-f68c-4751-9022-4456950d210f", "timestamp": "1557502656", "to_ids": true, "value": "47.95.85.22", "disable_correlation": 
false, "object_relation": null, "type": "ip-dst"}, {"comment": "Malware contacted C2 hostnames", "category": "Network activity", "uuid": "5cd59b28-c838-44a7-a2d8-48cb950d210f", "timestamp": "1557502760", "to_ids": true, "value": "gwjyhs.com", "disable_correlation": false, "object_relation": null, "type": "hostname"}, {"comment": "QQ-based WHOIS registrant email for the adversary's payload domains \"gwjyhs .com\" and \"baocangwh .cn\" (defanged); a registrant pivot for finding further infrastructure", "category": "Social network", "uuid": "5cd925f5-0688-4fcc-8d9b-4d2f950d210f", "timestamp": "1557738028", "to_ids": false, "value": "4592248@qq.com", "disable_correlation": false, "object_relation": null, "type": "whois-registrant-email"}, {"comment": "Jenkins (not an Apache project) was also targeted by the adversary through this vulnerability, a remote code execution flaw in the Stapler web framework bundled with Jenkins", "category": "Payload delivery", "uuid": "5cd926d2-96a0-4029-b68f-48bb950d210f", "timestamp": "1557735122", "to_ids": false, "value": "CVE-2018-1000861", "disable_correlation": false, "object_relation": null, "type": "vulnerability"}, {"comment": "Gmail address whose numeric local part matches the QQ ID above; used as the WHOIS registrant email for \"w2wz .cn\" (defanged), tying the t.w2wz.cn C2 hostname to the same registrant", "category": "Social network", "uuid": "5cd93263-3988-4927-8996-4817950d210f", "timestamp": "1557738083", "to_ids": false, "value": "4592248@gmail.com", "disable_correlation": false, "object_relation": null, "type": "whois-registrant-email"}], "extends_uuid": "", "published": false, "date": "2019-05-05", "Orgc": {"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f", "name": "MalwareMustDie"}, "threat_level_id": "3", "uuid": "5ccf3134-ea64-43c1-a356-f9f3950d210f"}}