{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2015-11-10",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Bookworm Trojan: A Model of Modular Architecture by Palo Alto Unit 42",
|
|
"publish_timestamp": "1447223820",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1447223807",
|
|
"uuid": "5642582d-78dc-4e92-b42f-6d9d950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188545",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56425841-0dbc-4bc7-9bb8-6d9d950d210b",
|
|
"value": "http://researchcenter.paloaltonetworks.com/2015/11/bookworm-trojan-a-model-of-modular-architecture/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188624",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425890-6bc4-42f8-8589-606d950d210b",
|
|
"value": "bkmail.blogdns.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188625",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425891-ca24-437a-a590-606d950d210b",
|
|
"value": "debain.servehttp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188625",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425891-52e8-4b07-bb8f-606d950d210b",
|
|
"value": "linuxdns.sytes.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188626",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425892-c1cc-409d-b824-606d950d210b",
|
|
"value": "news.nhknews.hk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188626",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425892-d218-49bd-a652-606d950d210b",
|
|
"value": "sswmail.gotdns.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188627",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425893-28f8-43b4-b8ed-606d950d210b",
|
|
"value": "sswwmail.gotdns.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188627",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425893-1728-4f1a-a6a5-606d950d210b",
|
|
"value": "sysnc.sytes.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188628",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425894-1b78-4686-be13-606d950d210b",
|
|
"value": "systeminfothai.gotdns.ch"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188628",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425894-f18c-4c7a-a608-606d950d210b",
|
|
"value": "thailandbbs.ddns.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188628",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425894-5d20-4a12-868d-606d950d210b",
|
|
"value": "ubuntudns.sytes.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188629",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56425895-1ac8-4007-9445-606d950d210b",
|
|
"value": "web12.nhkews.hk"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188629",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425895-c524-4124-8ed8-606d950d210b",
|
|
"value": "0f41c853a2d522e326f2c30b4b951b04"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188630",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425896-8664-4a0e-9144-606d950d210b",
|
|
"value": "8ae2468d3f208d07fb47ebb1e0e297d7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188630",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425896-47cc-4474-9a75-606d950d210b",
|
|
"value": "35755a6839f3c54e602d777cd11ef557"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188630",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425896-8508-465d-9e55-606d950d210b",
|
|
"value": "87d71401e2b8978c2084eb9a1d59c172"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188631",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425897-8304-4382-a5ea-606d950d210b",
|
|
"value": "599b6e05a38329081b80a461b57cec37"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188631",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425897-e9c0-4c8f-b3c0-606d950d210b",
|
|
"value": "ba1aea40182861e1d1de8c0c2ae78cb7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188632",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425898-f478-4665-b301-606d950d210b",
|
|
"value": "de1595a7585219967a87a909f38acaa2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188632",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425898-e934-4e91-bde0-606d950d210b",
|
|
"value": "f8c8c6683d6ca880293f7c1a78d7f8ce"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188632",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425898-8a9c-420c-a63d-606d950d210b",
|
|
"value": "0b4ad1bd093e0a2eb8968e308e900180"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188633",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425899-ce88-4132-901c-606d950d210b",
|
|
"value": "cba74e507e9741740d251b1fb34a1874"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188633",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56425899-baa4-42a6-b198-606d950d210b",
|
|
"value": "fcd68032c39cca3385c539ea38914735"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188634",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589a-9400-4502-8379-606d950d210b",
|
|
"value": "3e69c34298a8fd5169259a2fef506d63"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188634",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589a-d010-425e-bf07-606d950d210b",
|
|
"value": "04d63e2a3da0a171e5c15d8e904387b9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188634",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589a-50d8-453c-a120-606d950d210b",
|
|
"value": "0d57d2bef1296be62a3e791bfad33bcd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188635",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589b-d870-4df1-b86a-606d950d210b",
|
|
"value": "4389fc820d0edd96bac26fa0b7448aee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188635",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589b-99a4-48c3-b954-606d950d210b",
|
|
"value": "74c293acdda0d2c3b5087763dae27ec6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188636",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589c-417c-43ff-b919-606d950d210b",
|
|
"value": "b030c619bb24804cbcc05065530fcf2e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188636",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589c-fa44-40d3-a416-606d950d210b",
|
|
"value": "29df124f370752a87b3426dcad539ec6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188636",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589c-8cdc-4043-b9ba-606d950d210b",
|
|
"value": "9df45e8d8619e234d0449daf2f617ba3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188637",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589d-9d6c-401b-a50d-606d950d210b",
|
|
"value": "40f1b160b88ff98934017f3f1e7879a5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188637",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589d-096c-4f7e-b788-606d950d210b",
|
|
"value": "210816c8bde338bf206f13bb923327a1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188638",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589e-f7c0-47eb-acdb-606d950d210b",
|
|
"value": "187cdb58fbc30046a35793818229c573"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447188638",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5642589e-c224-4568-ace8-606d950d210b",
|
|
"value": "499ccc8d6d7c08e135a91928ccc2fd7a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 499ccc8d6d7c08e135a91928ccc2fd7a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223472",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b0-e260-47b5-93dd-cf3b950d210b",
|
|
"value": "1fa5d83a5766556cf2ff16ad279e73cb40584746bd388e0a4e818a2cc06613d3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 499ccc8d6d7c08e135a91928ccc2fd7a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223472",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b0-5c74-411d-8cb7-cf3b950d210b",
|
|
"value": "78b2b70ad8e49cd2e8518501a29d1af1e714a16f"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223473",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b1-64d4-4d94-b945-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/1fa5d83a5766556cf2ff16ad279e73cb40584746bd388e0a4e818a2cc06613d3/analysis/1426027731/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 40f1b160b88ff98934017f3f1e7879a5",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223473",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b1-f574-4ada-b57f-cf3b950d210b",
|
|
"value": "80bfe4c4758a93e315da8bbcbfbc48cd8f280b871e1bcf1cf6a126454895e05a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 40f1b160b88ff98934017f3f1e7879a5",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223474",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b2-c404-400e-95e5-cf3b950d210b",
|
|
"value": "468e2a5779e415ec2df359b410d208d32a279604"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223474",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b2-c460-4c34-bf43-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/80bfe4c4758a93e315da8bbcbfbc48cd8f280b871e1bcf1cf6a126454895e05a/analysis/1445861223/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 29df124f370752a87b3426dcad539ec6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223474",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b2-1b64-4bfe-9838-cf3b950d210b",
|
|
"value": "9044fe4924a76e409a292cc1bd041f3a16aa70acd656e14d904b98dc82cc82ab"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 29df124f370752a87b3426dcad539ec6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223475",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b3-358c-4a4f-89f0-cf3b950d210b",
|
|
"value": "0bcbd480ace28d852a84ecdb36655a2aaabddc9b"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223475",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b3-6d30-40c5-97e3-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/9044fe4924a76e409a292cc1bd041f3a16aa70acd656e14d904b98dc82cc82ab/analysis/1446196462/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: b030c619bb24804cbcc05065530fcf2e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223476",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b4-0194-4516-a2e8-cf3b950d210b",
|
|
"value": "c28fd4336214e8836f8eea548d523c1c5ca3df53c9c30b8d720e6d00dc632323"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: b030c619bb24804cbcc05065530fcf2e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223476",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b4-45d8-43b3-9437-cf3b950d210b",
|
|
"value": "07c49d6dbb411b871943ef857be55310a5a4d22e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223476",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b4-2434-4938-9a58-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/c28fd4336214e8836f8eea548d523c1c5ca3df53c9c30b8d720e6d00dc632323/analysis/1444222895/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 74c293acdda0d2c3b5087763dae27ec6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223477",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b5-c668-4109-95d7-cf3b950d210b",
|
|
"value": "e2dce038ea6a354da4d34d579a02f14c67ceba6a1b4acea59d12101aa1c5585d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 74c293acdda0d2c3b5087763dae27ec6",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223477",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b5-0a40-4018-bd35-cf3b950d210b",
|
|
"value": "1afd72a119a7261179b2f58d1e9ccec7abdd4353"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223478",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b6-7570-4293-b82b-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/e2dce038ea6a354da4d34d579a02f14c67ceba6a1b4acea59d12101aa1c5585d/analysis/1442205914/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0d57d2bef1296be62a3e791bfad33bcd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223478",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b6-d7b4-4262-b343-cf3b950d210b",
|
|
"value": "c9434a3b15609527d6a986d747aa13a90786d1e86fddd864cbfbaf2f01bfe1fb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0d57d2bef1296be62a3e791bfad33bcd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223478",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b6-7b68-431d-922a-cf3b950d210b",
|
|
"value": "084abcb69b8a1db256b363746ce6ef6f7cd547d8"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223479",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b7-4ef4-4a70-825f-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/c9434a3b15609527d6a986d747aa13a90786d1e86fddd864cbfbaf2f01bfe1fb/analysis/1445869975/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 3e69c34298a8fd5169259a2fef506d63",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223479",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b7-8e10-4fbe-9383-cf3b950d210b",
|
|
"value": "1b0355f699196bc33b3791150fd9b3b58c1208cc18b5b89f5918df8cf026ffb7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 3e69c34298a8fd5169259a2fef506d63",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223480",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b8-0104-4b7b-8000-cf3b950d210b",
|
|
"value": "0ed5dfd91654c715c806595b39b4060af649aafd"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223480",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b8-b6a0-43b1-82f8-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/1b0355f699196bc33b3791150fd9b3b58c1208cc18b5b89f5918df8cf026ffb7/analysis/1446805687/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: fcd68032c39cca3385c539ea38914735",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223480",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0b8-9a84-4225-8595-cf3b950d210b",
|
|
"value": "613d0c5951aa8473982edd766d2e01f542be1280ebaef634c079441686b27978"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: fcd68032c39cca3385c539ea38914735",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223481",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0b9-3258-4d3f-bf85-cf3b950d210b",
|
|
"value": "bb273ce38e24b1fd092a90f785497f5f2d28886f"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223481",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0b9-55e4-440c-a7f0-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/613d0c5951aa8473982edd766d2e01f542be1280ebaef634c079441686b27978/analysis/1441600914/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: cba74e507e9741740d251b1fb34a1874",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223482",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0ba-52d8-428e-94bd-cf3b950d210b",
|
|
"value": "755a4b2ec15da6bb01248b2dfbad206c340ba937eae9c35f04f6cedfe5e99d63"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: cba74e507e9741740d251b1fb34a1874",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223482",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0ba-4018-480f-a451-cf3b950d210b",
|
|
"value": "56ee57de81ecea6a2c83d5430238fa98a041e8eb"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223482",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0ba-a664-4cdd-88ee-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/755a4b2ec15da6bb01248b2dfbad206c340ba937eae9c35f04f6cedfe5e99d63/analysis/1441858084/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: de1595a7585219967a87a909f38acaa2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223483",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0bb-6d9c-46c0-99a1-cf3b950d210b",
|
|
"value": "e96b37592d42800a5a46e3bb3bc9ceb6dbaaaf5448f84cf69098815f8c233566"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: de1595a7585219967a87a909f38acaa2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223483",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0bb-3fa0-4e26-8593-cf3b950d210b",
|
|
"value": "bad66e5bbf8775c0f5683428f93a64eb84c75772"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223484",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0bc-d580-4ae1-a7e1-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/e96b37592d42800a5a46e3bb3bc9ceb6dbaaaf5448f84cf69098815f8c233566/analysis/1441609817/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ba1aea40182861e1d1de8c0c2ae78cb7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223484",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0bc-b8d0-4dca-9fcb-cf3b950d210b",
|
|
"value": "ca7cd0d3b5582ac4257c8ed31799d4fd577cdff1bf7ff018946b6284c0bbd617"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ba1aea40182861e1d1de8c0c2ae78cb7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223484",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0bc-289c-4a58-a9c1-cf3b950d210b",
|
|
"value": "f3fda6f46c7316381a65ccc26e94cb0ac448ec46"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223485",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0bd-3d48-4b93-a322-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/ca7cd0d3b5582ac4257c8ed31799d4fd577cdff1bf7ff018946b6284c0bbd617/analysis/1442660730/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 599b6e05a38329081b80a461b57cec37",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223485",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0bd-06b8-4594-b6fd-cf3b950d210b",
|
|
"value": "e52b87d95794977261728f9a25c3f59df86a3a7246f7607fbb1fbf9a0e85631d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 599b6e05a38329081b80a461b57cec37",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223486",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0be-8460-46a9-8503-cf3b950d210b",
|
|
"value": "2c4d72f47165bfd207d6c52f1bf5ab4fd1c27513"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223486",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0be-7718-4d56-880c-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/e52b87d95794977261728f9a25c3f59df86a3a7246f7607fbb1fbf9a0e85631d/analysis/1442604140/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 87d71401e2b8978c2084eb9a1d59c172",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223486",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0be-7f4c-4836-9096-cf3b950d210b",
|
|
"value": "a7bfa55f4e228edf7add4879728be2640cce5f6cfda9dcaa574d53f4c9bfbcef"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 87d71401e2b8978c2084eb9a1d59c172",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223487",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0bf-6a88-48e1-885f-cf3b950d210b",
|
|
"value": "30308413fa56398d096ae41f6fa323940ef279cd"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223487",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0bf-2d84-47bf-875f-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/a7bfa55f4e228edf7add4879728be2640cce5f6cfda9dcaa574d53f4c9bfbcef/analysis/1441776206/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 35755a6839f3c54e602d777cd11ef557",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223488",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0c0-ada8-457f-b058-cf3b950d210b",
|
|
"value": "ac5742bf871c7cabf9415721d88f38834d6f73bb926479b338861ab398090f81"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 35755a6839f3c54e602d777cd11ef557",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223488",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0c0-8274-4588-b098-cf3b950d210b",
|
|
"value": "8d3de4210bc0dd68df7d9a47fa6081043b268852"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223488",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0c0-e790-4e70-ba95-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/ac5742bf871c7cabf9415721d88f38834d6f73bb926479b338861ab398090f81/analysis/1444808057/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 8ae2468d3f208d07fb47ebb1e0e297d7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223489",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0c1-d174-4ffe-bb82-cf3b950d210b",
|
|
"value": "2e3a2cea18bb9cd7a65df2a9c972ee1d4553acd67925b5d42aff24d5a61adae3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 8ae2468d3f208d07fb47ebb1e0e297d7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223489",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0c1-e6f8-4658-be72-cf3b950d210b",
|
|
"value": "4e1ae6a67262c263f2b73226e8156b372af946c2"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223490",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0c2-5228-470c-ad18-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/2e3a2cea18bb9cd7a65df2a9c972ee1d4553acd67925b5d42aff24d5a61adae3/analysis/1444376908/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0f41c853a2d522e326f2c30b4b951b04",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223490",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5642e0c2-1764-40e4-b33a-cf3b950d210b",
|
|
"value": "2b02460613d888536b83ec9e658e33e98cb8d8d89eb811cf5528fed78cebd062"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0f41c853a2d522e326f2c30b4b951b04",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223490",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5642e0c2-f640-4dd8-80b3-cf3b950d210b",
|
|
"value": "34e1450acc35a3d18c5dcd2e27331fff67e873fa"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223491",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5642e0c3-3ba4-4d18-b464-cf3b950d210b",
|
|
"value": "https://www.virustotal.com/file/2b02460613d888536b83ec9e658e33e98cb8d8d89eb811cf5528fed78cebd062/analysis/1444641135/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1447223807",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5642e1ff-38a8-4008-9817-a5c4950d210b",
|
|
"value": "Recently, while researching attacks on targets in Thailand, Unit 42 discovered a tool that initially appeared to be a variant of the well-known PlugX RAT based on similar observed behavior such as the usage of DLL side-loading and a shellcode file. After closer inspection, it appears to be a completely distinct Trojan, which we have dubbed Bookworm and track in Autofocus using the tag Bookworm.\r\n\r\nBookworm\u2019s functional code is radically different from PlugX and has a rather unique modular architecture that warranted additional analysis by Unit 42. Bookworm has little malicious functionality built-in, with its only core ability involving stealing keystrokes and clipboard contents. However, Bookworm expands on its capabilities through its ability to load additional modules directly from its command and control (C2) server. This blog will provide an analysis of the Bookworm Trojan and known indicators of compromise. A later blog will explore the associated attack campaigns and attributions surrounding Bookworm."
|
|
}
|
|
]
|
|
}
|
|
}