misp-circl-feed/feeds/circl/misp/5a02c71a-9144-4f76-96c3-45ec950d210f.json

1 line
No EOL
10 KiB
JSON

{"Event": {"info": "OSINT - Sowbug: Cyber espionage group targets South American and Southeast Asian governments", "Tag": [{"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:rat=\"Felismus RAT\""}], "publish_timestamp": "0", "timestamp": "1510213600", "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a02c783-a28c-4dd3-b432-44c7950d210f", "timestamp": "1510213581", "to_ids": false, "value": "Symantec has identified a previously unknown group called Sowbug that has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "", "category": "External analysis", "uuid": "5a02c976-0e10-4345-be87-497a950d210f", "timestamp": "1510213581", "to_ids": false, "value": "https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor.Felismus", "category": "Payload delivery", "uuid": "5a02cda9-90e0-4813-b94a-4dcd950d210f", "timestamp": "1510213581", "to_ids": true, "value": "514f85ebb05cad9e004eee89dde2ed07", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Backdoor.Felismus", "category": "Payload delivery", "uuid": "5a02cda9-90e0-4f4e-9aab-4965950d210f", "timestamp": "1510213581", "to_ids": true, "value": "00d356a7cf9f67dd5bb8b2a88e289bc8", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Backdoor.Felismus", "category": "Payload delivery", "uuid": "5a02cda9-5ac0-4772-b6f3-4963950d210f", "timestamp": "1510213581", "to_ids": true, "value": "c1f65ddabcc1f23d9ba1600789eb581b", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Backdoor.Felismus", "category": "Payload delivery", "uuid": "5a02cda9-cdc4-4e6c-aa54-44aa950d210f", "timestamp": "1510213581", "to_ids": true, "value": "967d60c417d70a02030938a2ee8a0b74", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Trojan.Starloader", "category": "Payload delivery", "uuid": "5a02ce42-3990-47bf-808f-49a7950d210f", "timestamp": "1510213581", "to_ids": true, "value": "4984e9e1a5d595c079cc490a22d67490", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Hacktool.Mimikatz", "category": "Payload delivery", "uuid": "5a02ce42-f094-4100-b610-4219950d210f", "timestamp": "1510213581", "to_ids": true, "value": "e4e1c98feac9356dbfcac1d8c362ab22", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a02ceb7-9b2c-4301-b86f-456b950d210f", "timestamp": "1510213581", "to_ids": false, "value": "%WINDOWS%\\debug", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "Persistence mechanism", "uuid": "5a02ceb7-8abc-44fe-a221-4606950d210f", "timestamp": "1510213581", "to_ids": false, "value": "%APPDATA%\\microsoft\\security", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "Command and control infrastructure", "category": "Network activity", "uuid": "5a02ced2-9fbc-4ce4-b9e4-4b28950d210f", "timestamp": "1510213581", "to_ids": true, "value": "nasomember.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Command and control infrastructure", "category": "Network activity", "uuid": "5a02ced2-f778-4615-9e06-4ebf950d210f", "timestamp": "1510213581", "to_ids": true, "value": "cosecman.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Command and control infrastructure", "category": "Network activity", "uuid": "5a02ced2-ac6c-4ae1-a886-49aa950d210f", "timestamp": "1510213581", "to_ids": true, "value": "unifoxs.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "Hacktool.Mimikatz - Xchecked via VT: e4e1c98feac9356dbfcac1d8c362ab22", "category": "External analysis", "uuid": "5a0407cd-31c4-451f-8cc7-40a902de0b81", "timestamp": "1510213581", "to_ids": false, "value": "https://www.virustotal.com/file/cfd73f28a85ea63cedba5e4c3b09dc5b68117e65e19203a274c5cf7bef57e6c8/analysis/1510110893/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Hacktool.Mimikatz - Xchecked via VT: e4e1c98feac9356dbfcac1d8c362ab22", "category": "Payload delivery", "uuid": "5a0407cd-47b0-4601-8b70-447402de0b81", "timestamp": "1510213581", "to_ids": true, "value": "12346fb48c5307470d2d761033f7cf1d2faba010", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Hacktool.Mimikatz - Xchecked via VT: e4e1c98feac9356dbfcac1d8c362ab22", "category": "Payload delivery", "uuid": "5a0407cd-a098-477e-937e-415b02de0b81", "timestamp": "1510213581", "to_ids": true, "value": "cfd73f28a85ea63cedba5e4c3b09dc5b68117e65e19203a274c5cf7bef57e6c8", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Trojan.Starloader - Xchecked via VT: 4984e9e1a5d595c079cc490a22d67490", "category": "Payload delivery", "uuid": "5a0407cd-be24-47aa-99a7-4cce02de0b81", "timestamp": "1510213581", "to_ids": true, "value": "2154a8c899dc488ca11c4cef5fec35e1bb65efc89f7a1ced6efa1aa9879f6557", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Trojan.Starloader - Xchecked via VT: 4984e9e1a5d595c079cc490a22d67490", "category": "Payload delivery", "uuid": "5a0407cd-6a80-44d1-bbc8-4e6002de0b81", "timestamp": "1510213581", "to_ids": true, "value": "e1d40c5f366134f966b2ae1ba66ba4c38743f661", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Trojan.Starloader - Xchecked via VT: 4984e9e1a5d595c079cc490a22d67490", "category": "External analysis", "uuid": "5a0407cd-53f0-4338-b9b2-450d02de0b81", "timestamp": "1510213581", "to_ids": false, "value": "https://www.virustotal.com/file/2154a8c899dc488ca11c4cef5fec35e1bb65efc89f7a1ced6efa1aa9879f6557/analysis/1510110900/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 967d60c417d70a02030938a2ee8a0b74", "category": "Payload delivery", "uuid": "5a0407cd-35dc-4d03-a4e0-42df02de0b81", "timestamp": "1510213581", "to_ids": true, "value": "d922f00862682369baa9ec966bc2f4de51c76f6e7d9d03aaf2e0683200a6462f", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 967d60c417d70a02030938a2ee8a0b74", "category": "Payload delivery", "uuid": "5a0407ce-5300-496b-b969-40e302de0b81", "timestamp": "1510213582", "to_ids": true, "value": "28eb0013ead27c20add397818752f541492d63b4", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 967d60c417d70a02030938a2ee8a0b74", "category": "External analysis", "uuid": "5a0407ce-af30-496e-81fb-43d202de0b81", "timestamp": "1510213582", "to_ids": false, "value": "https://www.virustotal.com/file/d922f00862682369baa9ec966bc2f4de51c76f6e7d9d03aaf2e0683200a6462f/analysis/1510137094/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 00d356a7cf9f67dd5bb8b2a88e289bc8", "category": "Payload delivery", "uuid": "5a0407ce-0e98-4535-8eef-4ed402de0b81", "timestamp": "1510213582", "to_ids": true, "value": "dcd8dc99aceb617cbba658d1b7d776013f53b00d818999d3d619a73eec8e6a8d", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 00d356a7cf9f67dd5bb8b2a88e289bc8", "category": "Payload delivery", "uuid": "5a0407ce-6694-41c8-966d-44cb02de0b81", "timestamp": "1510213582", "to_ids": true, "value": "fd5ec9ad13281ffa2b19b521788daddd7ffe06ae", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 00d356a7cf9f67dd5bb8b2a88e289bc8", "category": "External analysis", "uuid": "5a0407ce-0a18-42b3-9fed-4d3302de0b81", "timestamp": "1510213582", "to_ids": false, "value": "https://www.virustotal.com/file/dcd8dc99aceb617cbba658d1b7d776013f53b00d818999d3d619a73eec8e6a8d/analysis/1510168279/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 514f85ebb05cad9e004eee89dde2ed07", "category": "Payload delivery", "uuid": "5a0407ce-d31c-4e08-a64b-4f3602de0b81", "timestamp": "1510213582", "to_ids": true, "value": "44108ae87289132294232616d54bdab768005fbdcf6fdc8aaf0a016d6a98a540", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 514f85ebb05cad9e004eee89dde2ed07", "category": "Payload delivery", "uuid": "5a0407ce-b264-49fb-833e-493b02de0b81", "timestamp": "1510213582", "to_ids": true, "value": "d2e374b62878ec8fa4b3b0be626d6016f71afbd7", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Backdoor.Felismus - Xchecked via VT: 514f85ebb05cad9e004eee89dde2ed07", "category": "External analysis", "uuid": "5a0407ce-4904-48ba-ae9f-4a1902de0b81", "timestamp": "1510213582", "to_ids": false, "value": "https://www.virustotal.com/file/44108ae87289132294232616d54bdab768005fbdcf6fdc8aaf0a016d6a98a540/analysis/1510164484/", "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-11-07", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5a02c71a-9144-4f76-96c3-45ec950d210f"}}