misp-circl-feed/feeds/circl/misp/5a04081b-1654-407b-80f9-46a9950d210f.json


			
				
				
					
						
						
						
							
							
							{"Event": {"info": "OSINT -  OilRig Deploys \u201cALMA Communicator\u201d \u2013 DNS Tunneling Trojan", "Tag": [{"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:threat-actor=\"OilRig\""}, {"colour": "#004646", "exportable": true, "name": "type:OSINT"}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "publish_timestamp": "0", "timestamp": "1510215719", "Object": [{"comment": "ALMA Communicator", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a040b9c-8a74-4aa8-9fda-4da5950d210f", "sharing_group_id": "0", "timestamp": "1510214556", "description": "File object describing a file with meta-information", "template_version": "4", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a040b9c-69b4-486e-9c0e-4c45950d210f", "timestamp": "1510214556", "to_ids": true, "value": "SystemSyncs.exe", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a040b9c-dd98-4702-beeb-4dc8950d210f", "timestamp": "1510214556", "to_ids": true, "value": "2fc7810a316863a5a5076bf3078ac6fad246bc8773a5fb835e0993609e5bb62e", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "Mimikatz", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5a040c07-dba0-4d92-aa66-49b0950d210f", "sharing_group_id": "0", "timestamp": "1510214663", "description": "File object describing a file with meta-information", "template_version": "4", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5a040c07-ba6c-4e88-b7e3-4d53950d210f", "timestamp": "1510214663", "to_ids": true, "value": "m6.e", "disable_correlation": false, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5a040c07-d6fc-493d-bfb8-4876950d210f", "timestamp": "1510214663", "to_ids": true, "value": "2d6f06d8ee0da16d2335f26eb18cd1f620c4db3e880efa6a5999eff53b12415c", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5a040c07-dbc4-4746-acbb-4405950d210f", "timestamp": "1510214663", "to_ids": false, "value": "Harmless", "disable_correlation": false, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5a040899-ff14-4f6e-8fce-4ac8950d210f", "timestamp": "1510215712", "to_ids": false, "value": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "", "category": "External analysis", "uuid": "5a0408ac-f5e0-430a-8d0e-490f950d210f", "timestamp": "1510215712", "to_ids": false, "value": "Unit 42 has been closely tracking the OilRig threat group since May 2016. One technique we\u2019ve been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016. In our April 2017 posting OilRig Actors Provide a Glimpse into Development and Testing Efforts we showed how we observed the OilRig threat group developing and refining these Clayside delivery documents.", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "comment"}, {"comment": "Clayslide", "category": "Payload delivery", "uuid": "5a040988-82c0-48fa-8bad-40a1950d210f", "timestamp": "1510215712", "to_ids": true, "value": "f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Network activity", "uuid": "5a040988-580c-4788-ae7a-474c950d210f", "timestamp": "1510215712", "to_ids": true, "value": "prosalar.com", "disable_correlation": false, "object_relation": null, "type": "domain"}, {"comment": "", "category": "Payload delivery", "uuid": "5a040a7a-14ac-42ec-b859-4917950d210f", "timestamp": "1510215713", "to_ids": true, "value": "cfg", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "", "category": "Network activity", "uuid": "5a040cb2-1658-4d1a-ab52-48dd950d210f", "timestamp": "1510215713", "to_ids": true, "value": "36.37.94.33", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Network activity", "uuid": "5a040cb2-d864-46ee-8d33-4b0f950d210f", "timestamp": "1510215713", "to_ids": true, "value": "33.33.94.94", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Payload delivery", "uuid": "5a040ceb-7ed8-468b-ac4f-4444950d210f", "timestamp": "1510215713", "to_ids": true, "value": "_DnsInit.bat", "disable_correlation": false, "object_relation": null, "type": "filename"}, {"comment": "Clayslide - Xchecked via VT: f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111", "category": "Payload delivery", "uuid": "5a041021-e6ec-4cd3-bde9-4f6a02de0b81", "timestamp": "1510215713", "to_ids": true, "value": "fdf5cda685a6adee0cb8afb8e080f1de472effda", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Clayslide - Xchecked via VT: f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111", "category": "Payload delivery", "uuid": "5a041021-aa14-4a95-b6fc-4cf102de0b81", "timestamp": "1510215713", "to_ids": true, "value": "f4de44ed5e6c4c6f19fba5856f0dac40", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Clayslide - Xchecked via VT: f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111", "category": "External analysis", "uuid": "5a041021-e614-4721-837e-415e02de0b81", "timestamp": "1510215713", "to_ids": false, "value": "https://www.virustotal.com/file/f37b1bbf5a07759f10e0298b861b354cee13f325bc76fbddfaacd1ea7505e111/analysis/1510205105/", "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-11-08", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5a04081b-1654-407b-80f9-46a9950d210f"}}
						
						
					
				
				
					
						Reference in a new issue
					
					View git blame
					Copy permalink