adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5841317a-9604-4ffe-9260-46b9950d210f.json

386 lines
No EOL
16 KiB
JSON
Raw Permalink Blame History

{
"Event": {
"analysis": "0",
"date": "2016-11-30",
"extends_uuid": "",
"info": "OSINT - Shamoon 2: Return of the Disttrack Wiper",
"publish_timestamp": "1480715122",
"published": true,
"threat_level_id": "3",
"timestamp": "1480715024",
"uuid": "5841317a-9604-4ffe-9260-46b9950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:threat-actor=\"TERBIUM\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667531",
"to_ids": false,
"type": "link",
"uuid": "5841318b-b420-4045-8732-4127950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667558",
"to_ids": false,
"type": "comment",
"uuid": "584131a6-d7c0-4216-8d24-496a950d210f",
"value": "In August 2012, an attack campaign known as Shamoon targeted a Saudi Arabian energy company to deliver a malware called Disttrack. Disttrack is a multipurpose tool that exhibits worm-like behavior by attempting to spread to other systems on a local network using stolen administrator credentials. More importantly, its claim to fame is the ability to destroy data and to render infected systems unusable. The attack four years ago resulted in 30,000 or more systems being damaged.\r\n\r\nLast week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work."
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667635",
"to_ids": true,
"type": "sha256",
"uuid": "584131f3-8ee4-41a4-b93f-4127950d210f",
"value": "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667636",
"to_ids": true,
"type": "sha256",
"uuid": "584131f4-8a10-4e55-9815-4127950d210f",
"value": "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
},
{
"category": "Payload delivery",
"comment": "Communication Components",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667636",
"to_ids": true,
"type": "sha256",
"uuid": "584131f4-8f2c-480d-ab3d-4127950d210f",
"value": "772ceedbc2cacf7b16ae967de310350e42aa47e5cef19f4423220d41501d86a5"
},
{
"category": "Payload delivery",
"comment": "Communication Components",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667636",
"to_ids": true,
"type": "sha256",
"uuid": "584131f4-2214-48bd-b78e-4127950d210f",
"value": "61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842"
},
{
"category": "Payload delivery",
"comment": "Wiper Components",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667636",
"to_ids": true,
"type": "sha256",
"uuid": "584131f4-77b4-46c6-a6ce-4127950d210f",
"value": "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
},
{
"category": "Payload delivery",
"comment": "Wiper Components",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667637",
"to_ids": true,
"type": "sha256",
"uuid": "584131f5-613c-4f10-b689-4127950d210f",
"value": "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667637",
"to_ids": true,
"type": "sha256",
"uuid": "584131f5-87fc-4c17-944a-4127950d210f",
"value": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480667637",
"to_ids": true,
"type": "sha256",
"uuid": "584131f5-0b74-4737-8548-4127950d210f",
"value": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715024",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb10-a028-4116-b3c6-413002de0b81",
"value": "ce549714a11bd43b52be709581c6e144957136ec"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715024",
"to_ids": true,
"type": "md5",
"uuid": "5841eb10-e004-4bb5-aa85-413002de0b81",
"value": "1493d342e7a36553c56b2adea150949e"
},
{
"category": "External analysis",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715024",
"to_ids": false,
"type": "link",
"uuid": "5841eb10-d44c-4a9f-b0f6-413002de0b81",
"value": "https://www.virustotal.com/file/4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6/analysis/1480627726/"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715025",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb11-d71c-4d40-b4bb-413002de0b81",
"value": "1292c7dd60214d96a71e7705e519006b9de7968f"
},
{
"category": "Payload delivery",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715025",
"to_ids": true,
"type": "md5",
"uuid": "5841eb11-98a4-44fa-b804-413002de0b81",
"value": "76c643ab29d497317085e5db8c799960"
},
{
"category": "External analysis",
"comment": "EldoS RawDisk Samples - Xchecked via VT: 5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715025",
"to_ids": false,
"type": "link",
"uuid": "5841eb11-e5d8-4a65-b668-413002de0b81",
"value": "https://www.virustotal.com/file/5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a/analysis/1480709297/"
},
{
"category": "Payload delivery",
"comment": "Wiper Components - Xchecked via VT: 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715026",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb12-f118-4e7c-ac67-413002de0b81",
"value": "ad6744c7ea5fee854261efa403ca06b68761e290"
},
{
"category": "Payload delivery",
"comment": "Wiper Components - Xchecked via VT: 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715026",
"to_ids": true,
"type": "md5",
"uuid": "5841eb12-9c70-4a8f-ab97-413002de0b81",
"value": "2cd0a5f1e9bcce6807e57ec8477d222a"
},
{
"category": "External analysis",
"comment": "Wiper Components - Xchecked via VT: 128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715026",
"to_ids": false,
"type": "link",
"uuid": "5841eb12-e324-4d2a-bd71-413002de0b81",
"value": "https://www.virustotal.com/file/128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd/analysis/1480658187/"
},
{
"category": "Payload delivery",
"comment": "Wiper Components - Xchecked via VT: c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715026",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb12-c558-40d5-ae37-413002de0b81",
"value": "425f02028dcc4e89a07d2892fef9346dac6c140a"
},
{
"category": "Payload delivery",
"comment": "Wiper Components - Xchecked via VT: c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715027",
"to_ids": true,
"type": "md5",
"uuid": "5841eb13-768c-4ef9-a118-413002de0b81",
"value": "c843046e54b755ec63ccb09d0a689674"
},
{
"category": "External analysis",
"comment": "Wiper Components - Xchecked via VT: c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715027",
"to_ids": false,
"type": "link",
"uuid": "5841eb13-94d8-4e1d-b940-413002de0b81",
"value": "https://www.virustotal.com/file/c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a/analysis/1480658982/"
},
{
"category": "Payload delivery",
"comment": "Communication Components - Xchecked via VT: 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715027",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb13-3bac-4932-9ee5-413002de0b81",
"value": "b094d0287dc4d654f0fca38559c3d6248ef09bbb"
},
{
"category": "Payload delivery",
"comment": "Communication Components - Xchecked via VT: 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715027",
"to_ids": true,
"type": "md5",
"uuid": "5841eb13-3134-4f78-9800-413002de0b81",
"value": "5bac4381c00044d7f4e4cbfd368ba03b"
},
{
"category": "External analysis",
"comment": "Communication Components - Xchecked via VT: 61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715028",
"to_ids": false,
"type": "link",
"uuid": "5841eb14-4ecc-4f2c-adbd-413002de0b81",
"value": "https://www.virustotal.com/file/61c1c8fc8b268127751ac565ed4abd6bdab8d2d0f2ff6074291b2d54b0228842/analysis/1480657971/"
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers - Xchecked via VT: 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715028",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb14-e8dc-4c7d-9328-413002de0b81",
"value": "e7c7f41babdb279c099526ece03ede9076edca4e"
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers - Xchecked via VT: 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715028",
"to_ids": true,
"type": "md5",
"uuid": "5841eb14-1750-4fde-ae95-413002de0b81",
"value": "5446f46d89124462ae7aca4fce420423"
},
{
"category": "External analysis",
"comment": "Disttrack Droppers - Xchecked via VT: 394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715028",
"to_ids": false,
"type": "link",
"uuid": "5841eb14-6124-4602-ab99-413002de0b81",
"value": "https://www.virustotal.com/file/394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b/analysis/1480691328/"
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers - Xchecked via VT: 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715029",
"to_ids": true,
"type": "sha1",
"uuid": "5841eb15-2480-44b2-b5ce-413002de0b81",
"value": "5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6"
},
{
"category": "Payload delivery",
"comment": "Disttrack Droppers - Xchecked via VT: 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715029",
"to_ids": true,
"type": "md5",
"uuid": "5841eb15-89c0-42b0-b138-413002de0b81",
"value": "8fbe990c2d493f58a2afa2b746e49c86"
},
{
"category": "External analysis",
"comment": "Disttrack Droppers - Xchecked via VT: 47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34",
"deleted": false,
"disable_correlation": false,
"timestamp": "1480715029",
"to_ids": false,
"type": "link",
"uuid": "5841eb15-6ea0-4083-937f-413002de0b81",
"value": "https://www.virustotal.com/file/47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34/analysis/1480695517/"
}
]
}
}
Reference in a new issue View git blame Copy permalink