{
"Event": {
"analysis": "2",
"date": "2017-01-29",
"extends_uuid": "",
"info": "OSINT - Spotlight on Shamoon",
"publish_timestamp": "1485688628",
"published": true,
"threat_level_id": "2",
"timestamp": "1485688589",
"uuid": "588dc8e3-8530-4b69-b71c-45ab02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:tool=\"Shamoon\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688566",
"to_ids": false,
"type": "link",
"uuid": "588dc908-c720-44cd-ac77-48ba02de0b81",
"value": "https://securingtomorrow.mcafee.com/mcafee-labs/spotlight-on-shamoon/",
"Tag": [
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#075200",
"local": false,
"name": "admiralty-scale:source-reliability=\"b\"",
"relationship_type": ""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485687073",
"to_ids": false,
"type": "text",
"uuid": "588dc921-8708-4d83-bd8d-427c02de0b81",
"value": "All of the initial analysis pointed to Shamoon emerging in the Middle East. There were a number of similarities that we highlighted in our earlier blogs (on McAfee.com). This however was not the end of the story since the campaign continues to target organizations in the Middle East from a variety of verticals. Indeed reports suggested that a further 15 \u2018Shamoon incidents\u2019 had been reported from public to private sector."
},
{
"category": "Network activity",
"comment": "hash 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485687144",
"to_ids": true,
"type": "domain",
"uuid": "588dc968-bb78-4c41-96f1-408b02de0b81",
"value": "winappupdater.com"
},
{
"category": "Network activity",
"comment": "hash 146a112cb01cd4b8e06d36304f6bdf7b and bf4b07c7b4a4504c4192bd68476d63b5 were connecting to this site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485687145",
"to_ids": true,
"type": "hostname",
"uuid": "588dc969-8bdc-486c-9926-418a02de0b81",
"value": "update.winupdater.com"
},
{
"category": "Attribution",
"comment": "winappupdater.com domain registered on 2016-11-25 by benyamin987@mail.com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485687888",
"to_ids": true,
"type": "whois-registrant-email",
"uuid": "588dcc50-9730-4404-8bf4-433e02de0b81",
"value": "benyamin987@mail.com"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688309",
"to_ids": true,
"type": "md5",
"uuid": "588dcdf5-4d30-4209-a9dc-42da02de0b81",
"value": "146a112cb01cd4b8e06d36304f6bdf7b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688310",
"to_ids": true,
"type": "md5",
"uuid": "588dcdf6-29fc-40c5-8cb4-49f602de0b81",
"value": "bf4b07c7b4a4504c4192bd68476d63b5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688311",
"to_ids": true,
"type": "md5",
"uuid": "588dcdf7-80bc-40f7-9b7b-4cf802de0b81",
"value": "a96d211795852b6b14e61327bbcc3473"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688311",
"to_ids": true,
"type": "sha1",
"uuid": "588dcdf7-d8e4-4c84-a739-4a5702de0b81",
"value": "1507a4fdf65952dfa439e32480f42ccf1460b96f"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: a96d211795852b6b14e61327bbcc3473",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688382",
"to_ids": true,
"type": "sha256",
"uuid": "588dce3e-8374-40a5-8022-4b9302de0b81",
"value": "6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: a96d211795852b6b14e61327bbcc3473",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688383",
"to_ids": true,
"type": "sha1",
"uuid": "588dce3f-ac54-47f8-8b58-460b02de0b81",
"value": "4c85c5062ece9aec26b6bf6a785ec7e60c824b0b"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: a96d211795852b6b14e61327bbcc3473",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688384",
"to_ids": false,
"type": "link",
"uuid": "588dce40-8284-43bc-9271-480b02de0b81",
"value": "https://www.virustotal.com/file/6b28a43eda5b6f828a65574e3f08a6d00e0acf84cbb94aac5cec5cd448a4649d/analysis/1485493393/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: bf4b07c7b4a4504c4192bd68476d63b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688384",
"to_ids": true,
"type": "sha256",
"uuid": "588dce40-69b4-44af-a9c6-4cee02de0b81",
"value": "7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: bf4b07c7b4a4504c4192bd68476d63b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688385",
"to_ids": true,
"type": "sha1",
"uuid": "588dce41-08fc-43e9-a174-4f7302de0b81",
"value": "d843a65ad0e3c2f2fd87c30c6cb0f6b66d6355d1"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: bf4b07c7b4a4504c4192bd68476d63b5",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688386",
"to_ids": false,
"type": "link",
"uuid": "588dce42-8154-46d5-8412-447f02de0b81",
"value": "https://www.virustotal.com/file/7f16824e7ad9ee1ad2debca2a22413cde08f02ee9f0d08d64eb4cb318538be9c/analysis/1485493795/"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 146a112cb01cd4b8e06d36304f6bdf7b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688386",
"to_ids": true,
"type": "sha256",
"uuid": "588dce43-c0f0-4c74-b4ef-4a9702de0b81",
"value": "319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c"
},
{
"category": "Payload delivery",
"comment": "- Xchecked via VT: 146a112cb01cd4b8e06d36304f6bdf7b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688387",
"to_ids": true,
"type": "sha1",
"uuid": "588dce43-d4d8-4cc6-9df0-42af02de0b81",
"value": "0e47a027651133ab980dd040d3347d2028ffd32d"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 146a112cb01cd4b8e06d36304f6bdf7b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688388",
"to_ids": false,
"type": "link",
"uuid": "588dce44-56e4-463c-af1d-422402de0b81",
"value": "https://www.virustotal.com/file/319a001d09ee9d754e8789116bbb21a3c624c999dae9cf83fde90a3fbe67ee6c/analysis/1485491896/"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688458",
"to_ids": true,
"type": "pdb",
"uuid": "588dce8a-7690-4918-9ab5-4b9302de0b81",
"value": "F:\\Projects\\Bot Fresh\\Release\\Bot Fresh.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688459",
"to_ids": true,
"type": "pdb",
"uuid": "588dce8b-51a0-4787-85a9-490802de0b81",
"value": "F:\\Projects\\Bot\\Bot\\Release\\Ism.pdb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688460",
"to_ids": true,
"type": "pdb",
"uuid": "588dce8c-fc80-44b6-bd92-41b502de0b81",
"value": "G:\\Projects\\Bot\\Bots\\Bot5\\Release\\Ism.pdb"
},
{
"category": "Network activity",
"comment": "Enriched via the dns module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1485688589",
"to_ids": false,
"type": "ip-src",
"uuid": "588dcf0d-7bac-4f3c-aae3-40a602de0b81",
"value": "58.158.177.102"
}
]
}
}