{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2014-02-14",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Analysis of DHS NCCIC Indicators blog post by Secureworks",
|
|
"publish_timestamp": "1456149981",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1416315104",
|
|
"uuid": "546b1b80-904c-4534-abf1-4b36950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#33FF00",
|
|
"local": false,
|
|
"name": "tlp:green",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305547",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "546b1b8b-88d4-4b3b-8e31-46f9950d210b",
|
|
"value": "http://www.secureworks.com/cyber-threat-intelligence/threats/analysis-of-dhs-nccic-indicators/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305559",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "546b1b97-d8a0-4a46-a664-4ad0950d210b",
|
|
"value": "Data entered by David Andr\u00e9"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-1c90-4447-80aa-4f35950d210b",
|
|
"value": "18c66484e3129643a274086671da4efa"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-e128-4da7-83a7-447a950d210b",
|
|
"value": "1f3c731aed7d8085eb2d15132819cb8b"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-f7b0-48d6-a3c0-44dd950d210b",
|
|
"value": "3a282da31bf93cfaaa8b5a11d441483b"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-1fe8-4b84-ac7c-46eb950d210b",
|
|
"value": "3aa3846284b6e7112da90e1d5e4e7711"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-7a3c-45ff-8e47-4438950d210b",
|
|
"value": "463a12f92652fc82b3c6e53bb917ecf2"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-c7ac-472b-ad56-4f0f950d210b",
|
|
"value": "52b8063f663563d549ec414a7caf38f9"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-1fa8-40fd-af42-451e950d210b",
|
|
"value": "54dc517c9f62dc5d435fb8bac0fd59f9"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-9554-4b5a-bab1-4fc6950d210b",
|
|
"value": "660b856f485fb8fa0ecb3533d88d405e"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-f4bc-47ba-b3ee-4fad950d210b",
|
|
"value": "6b8ea95a729551fde76a28244cb95ac1"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305653",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf5-78dc-4e9e-a923-4d8e950d210b",
|
|
"value": "99f67381b3b389f0e6120603019e0ef9"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-0a68-43cc-8b07-481b950d210b",
|
|
"value": "a0f71497ca4c4c62c094c1843693381e"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-5724-4082-8502-4c14950d210b",
|
|
"value": "e8ee22223b6475d7b3ef8f51383df1ef"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-6dc8-4ac6-8981-4606950d210b",
|
|
"value": "0625b5b010a1acb92f02338b8e61bb34"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-52e8-4a3b-aab0-40bb950d210b",
|
|
"value": "4e95cb057f351af0f7c972800a07f350"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-8258-4f3c-8b52-4959950d210b",
|
|
"value": "59534c90c3234fbdc82492d1c1b38e59"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-a518-4e5e-a106-4ee1950d210b",
|
|
"value": "726d77fe00b4c00df1bb2c5afd05ad21"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-e040-4be6-9a95-4d0c950d210b",
|
|
"value": "d5caf69c7a2ac416131133e0b1623066"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-90a8-4f2c-aa82-4371950d210b",
|
|
"value": "15cb44831bdd295bb3c0decf7cea0dc0"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-fe84-47c9-a11e-4a1b950d210b",
|
|
"value": "2393b93a762d4990ec88d25c9e809510"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-7250-4d39-ab09-48a9950d210b",
|
|
"value": "3c6ff8b69513bf338a2d5b3440b9a8cd"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-253c-4965-ba12-4386950d210b",
|
|
"value": "5e5917967bb61704a473b1ad20c36769"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "BeepService Reverse shell to C2 server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305654",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1bf6-76b4-487b-85ad-45fd950d210b",
|
|
"value": "73b8facac3e946354a89e58d308d8ebd"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305669",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "546b1c05-ff20-46da-8e09-47cd950d210b",
|
|
"value": "Beepservice"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "DD Keylogger, remote control",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305768",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1c68-9b3c-41d2-97c3-43dd950d210b",
|
|
"value": "12b0e0525c4dc2510a26d4f1f2863c75"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "DD Keylogger, remote control",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305768",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1c68-6140-4545-bb5b-43ca950d210b",
|
|
"value": "78f2acc3309e1e743f98109a16c2b481"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "DD Keylogger, remote control",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305768",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1c68-4fe0-47c9-b7cd-4635950d210b",
|
|
"value": "96c28bddba400ddc9a4b12d6cc806aa3"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "DD Keylogger, remote control",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305768",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1c68-0674-4e85-be79-4945950d210b",
|
|
"value": "0e058126f26b54b3a4a950313ec5dbce"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "DD Keylogger, remote control",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305768",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1c68-38e0-43ee-a4bc-43c9950d210b",
|
|
"value": "b13ab523e89d9bb055aee4d4566ab34f"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305843",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b1cb3-1e90-4614-99f6-40ee950d210b",
|
|
"value": "status.acmetoy.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305843",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b1cb3-7484-47e8-9417-4e27950d210b",
|
|
"value": "gfans.onmypc.us"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305843",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b1cb3-a3fc-44b2-b9cd-4db7950d210b",
|
|
"value": "arf.dns1.us"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305863",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "546b1cc7-63c0-40db-8530-4181950d210b",
|
|
"value": "23.19.122.231"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305863",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "546b1cc7-6278-4a42-b4d1-4821950d210b",
|
|
"value": "198.199.75.95"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305864",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "546b1cc8-17a8-4586-b779-4f42950d210b",
|
|
"value": "192.154.111.200"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Campaign ID",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305894",
|
|
"to_ids": true,
|
|
"type": "pattern-in-file",
|
|
"uuid": "546b1ce6-c1f4-429a-b487-401e950d210b",
|
|
"value": "DD5ShowNewsID"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Campaign ID",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305894",
|
|
"to_ids": true,
|
|
"type": "pattern-in-file",
|
|
"uuid": "546b1ce6-0fb0-4b54-adab-4918950d210b",
|
|
"value": "WW3-ID"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Campaign ID",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305894",
|
|
"to_ids": true,
|
|
"type": "pattern-in-file",
|
|
"uuid": "546b1ce6-49bc-4dd8-8a6a-4c55950d210b",
|
|
"value": "Arf2-ShowNewsID"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "jspRAT JSP web-based backdoor",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d2c-8fa4-4e0b-a174-4215950d210b",
|
|
"value": "364691d4de2bbead973f31e06ecaf210"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "jspRAT JSP web-based backdoor",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d2c-9db4-414e-984e-4a0e950d210b",
|
|
"value": "69f187a3072be5e6edf1486ad473016b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "jspRAT JSP web-based backdoor",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305964",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d2c-66f8-49c6-aa46-4264950d210b",
|
|
"value": "79867b86281293c7f5e4aeccc51cfab9"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416305980",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "546b1d3c-c7e8-4d29-9761-44e7950d210b",
|
|
"value": "jspRAT"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "File transfer server - broken PE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416306032",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d70-aa88-476a-b961-4235950d210b",
|
|
"value": "a4fcff8ea2263e661889b030974a9166"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "File transfer server - fixed PE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416306048",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d80-316c-40af-8d87-4877950d210b",
|
|
"value": "b4634b18b8b1c24c117fc8c640916998"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "File transfer server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416306074",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b1d9a-e348-4fb1-b430-469d950d210b",
|
|
"value": "a462d9a24bc6175d356bec99d5e4eca8"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313513",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aa9-2594-47ab-9530-89b5950d210b",
|
|
"value": "0f171ff1a80822934439edaa7be1023b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313513",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aa9-bae8-41e1-9f47-89b5950d210b",
|
|
"value": "3f7601f0aeb5e391638a597c15f80c9f"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313513",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aa9-6d74-4a2e-921d-89b5950d210b",
|
|
"value": "5fa46b686c3a5e27fd4dfe0e1fbb1145"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313513",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aa9-33dc-46a6-9b53-89b5950d210b",
|
|
"value": "9951f026f491ef90037a59f305269273"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313513",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aa9-3194-49b0-8c1e-89b5950d210b",
|
|
"value": "b14ad1298928bb33613eb8e549c93e9e"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-c460-4ed1-b7c2-89b5950d210b",
|
|
"value": "35185b8c5e3cb928c97919aa5ad01315"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-788c-4bf4-abf1-89b5950d210b",
|
|
"value": "47803deb563d9ff917369b8c97c22a7e"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-0350-4635-b121-89b5950d210b",
|
|
"value": "89e9bed692611692e244ed294c9904cc"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-64d0-408b-ac20-89b5950d210b",
|
|
"value": "a9a53cd80a12519429a9a40f9d34e563"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-3280-4870-8937-89b5950d210b",
|
|
"value": "e4cdfa15a38034e6ae7f80334e7d6a14"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-6d20-4061-9b5e-89b5950d210b",
|
|
"value": "10d7989355b5fc2915a18004df4f9074"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-e800-4759-98ba-89b5950d210b",
|
|
"value": "156085a7cd31d272486193df10d7e26e"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-b2dc-497a-9038-89b5950d210b",
|
|
"value": "1a56c6eb1cd54ce642bdfd59168da127"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-d874-468d-b371-89b5950d210b",
|
|
"value": "49361de55268ff2ee67add42d359248d"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-6488-4000-9c25-89b5950d210b",
|
|
"value": "5a5d2c6fe70521efd875fecc961ff75a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313514",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aaa-358c-46ae-84db-89b5950d210b",
|
|
"value": "d414c721c60df0282481df77c0c1cdae"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server (ASPACK packed)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313578",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aea-4350-4901-a09a-0e7f950d210b",
|
|
"value": "356c9314ae95a18f3fef630e04f4d8b6"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server (ASPACK packed)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313578",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aea-3f68-472d-94a9-0e7f950d210b",
|
|
"value": "4734d158048c398f2ae44c035487e249"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "ONHAT SOCKS5 proxy server (ASPACK packed)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313578",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3aea-3bd0-450d-b469-0e7f950d210b",
|
|
"value": "a90194c071aefeb21331385ad7115fbc"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313691",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5b-83d8-4c4d-8fed-29c7950d210b",
|
|
"value": "5d7c34b6854d48d3da4f96b71550a221"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313691",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5b-2300-4645-a5fd-29c7950d210b",
|
|
"value": "9f546188e0955737deffc5cec8696d9a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313691",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-5d5c-48a4-8284-29c7950d210b",
|
|
"value": "9cf67106cd1644125b773133f83b3d64"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-f250-48a1-ba83-29c7950d210b",
|
|
"value": "00d0382fe1b02b529701a48a1ee4a543"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-7d38-4c4c-9499-29c7950d210b",
|
|
"value": "36093314059a9e7b95025437d523d259"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-f200-4bd4-85b0-29c7950d210b",
|
|
"value": "59ee8762316018862d7405b595267d8d"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-ed3c-4f3b-8cd9-29c7950d210b",
|
|
"value": "721c56a617dfd2cecade790d9e9fa9ce"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-5f88-461a-ac2b-29c7950d210b",
|
|
"value": "8f73b7653ebf20f66a961cc39249b2e3"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313692",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b5c-f2e4-41a2-aeab-29c7950d210b",
|
|
"value": "dc1a284e82f4f38a628b84b0e43e65d5"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4) - pmj packed",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313750",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3b96-ed18-4686-b26f-0fec950d210b",
|
|
"value": "b7a68a8b6cac502ad0adcf18d33a34c9"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4) - broken PE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313769",
|
|
"to_ids": false,
|
|
"type": "md5",
|
|
"uuid": "546b3ba9-c290-41cd-a221-433d950d210b",
|
|
"value": "a72d6dad860ca707e8abf18f771ed3f7"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4, Server version) - broken PE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313795",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3bc3-f718-4352-af14-89b5950d210b",
|
|
"value": "6130776a40971d0ca526fd23e16e36ab"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (RC4, Server version) - fixed PE",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313813",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3bd5-fa10-4859-9291-40b5950d210b",
|
|
"value": "c460db6833e5542dede0bb04fdabdb59"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "SimpleFileMover Transfer arbitrary files (No crypto, Debug version)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313839",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3bef-23b8-4846-aaa0-4348950d210b",
|
|
"value": "731089e10e20b13095df2624b6eb399f"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "(Un)Installs a malicious service - MSSprv",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313957",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3c65-3898-4ca4-a997-29c7950d210b",
|
|
"value": "f23ee51aa4a652266c2c1666bc15e15b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "(Un)Installs a malicious service - UPSmgr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313993",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3c89-7450-4721-8d81-0fec950d210b",
|
|
"value": "4a12f4646fe052392641533944d240d1"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "(Un)Installs a malicious service - UPSmgr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416313993",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3c89-f014-4d53-8437-0fec950d210b",
|
|
"value": "bc55ba7467d5d62ac0b5c42a2c682fd6"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-0134-4026-b1d3-89be950d210b",
|
|
"value": "8d64f279400d8e1f8bf2170d148203a7"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-6da8-4a29-8a22-89be950d210b",
|
|
"value": "90a219684b3b815d6b6c1addd5e28c5b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-2034-442f-805f-89be950d210b",
|
|
"value": "3ce19fc2a1a6a42b8450d477a9919de2"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-505c-4428-92e0-89be950d210b",
|
|
"value": "718c6e47512bec8c585320d087041ace"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-9f4c-4a99-ac9c-89be950d210b",
|
|
"value": "47cc260cf70fc81995f651dc1c5b172a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314041",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cb9-fa20-4980-b25e-89be950d210b",
|
|
"value": "ea66e664bdf530124ff7993a4ad510d4"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314042",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cba-2874-44c5-9f8c-89be950d210b",
|
|
"value": "35f65bd2c9ff5c46186f84f19a3a7d18"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314042",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cba-82b4-407f-8cb1-89be950d210b",
|
|
"value": "25721aa47fb29fcba9de1f3406d9f8d6"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314042",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cba-60b4-4dd1-87ce-89be950d210b",
|
|
"value": "31da84e9dd9b865a7d0e4c3baa7b05a2"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314042",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "546b3cba-d13c-49f1-92ca-89be950d210b",
|
|
"value": "7b30b4d95ed988081ec9fe3908df409e"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Ziyang RAT CnC",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314124",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b3d0c-b798-46a2-9cf1-43ff950d210b",
|
|
"value": "shabidomain.4456dvr.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Ziyang RAT CnC",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314124",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b3d0c-ad7c-4181-ad34-49b5950d210b",
|
|
"value": "inno-tech.isgre.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Ziyang RAT CnC",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314124",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "546b3d0c-63c4-41f4-9cfd-4037950d210b",
|
|
"value": "adobeupdater3.isgre.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314153",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "546b3d29-19fc-4733-9459-4948950d210b",
|
|
"value": "193.188.43.69"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Ziyang RAT",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1416314230",
|
|
"to_ids": true,
|
|
"type": "pattern-in-file",
|
|
"uuid": "546b3d76-dfe4-4258-9518-0fec950d210b",
"value": "The Power Was Blocked, Release it please!"
},
{
"category": "Artifacts dropped",
"comment": "Ziyang RAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314230",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "546b3d76-b80c-406c-820e-0fec950d210b",
"value": "The Power Was Blocked, You are not Master!"
},
{
"category": "Artifacts dropped",
"comment": "Ziyang RAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314230",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "546b3d76-9d84-4db5-9907-0fec950d210b",
"value": "The Power was released already, Just use it."
},
{
"category": "Artifacts dropped",
"comment": "Ziyang RAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314230",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "546b3d76-460c-4bff-81d2-0fec950d210b",
"value": "The Power was released, Just do what you want!"
},
{
"category": "Artifacts dropped",
"comment": "Ziyang RAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314230",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "546b3d76-c0a4-4734-ab91-0fec950d210b",
"value": "ZiYangZhouhu"
},
{
"category": "Artifacts dropped",
"comment": "Control module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314287",
"to_ids": true,
"type": "md5",
"uuid": "546b3daf-c0bc-4cec-99d9-89be950d210b",
"value": "eb8399483b55f416e48a320d68597d72"
},
{
"category": "Artifacts dropped",
"comment": "Agent module",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314305",
"to_ids": true,
"type": "md5",
"uuid": "546b3dc1-d5e4-405f-bf7b-48c1950d210b",
"value": "68aed7b1f171b928913780d5b21f7617"
},
{
"category": "Artifacts dropped",
"comment": "Agent module - old version",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314326",
"to_ids": true,
"type": "md5",
"uuid": "546b3dd6-5884-49fc-b455-412d950d210b",
"value": "54e4a15a68cfbb2314d0aaad455fbfce"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314340",
"to_ids": true,
"type": "mutex",
"uuid": "546b3de4-e4d8-4917-aec8-4f19950d210b",
"value": "Mtx_Sp_On_PC_1_2_8"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-9c60-4780-91cc-4571950d210b",
"value": "%USERPROFILE%\\My Documents\\My Pictures\\wins"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-46f8-4eb4-bec9-4bc8950d210b",
"value": "%USERPROFILE%\\Pictures\\wins"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-36f0-4d0e-93ea-4399950d210b",
"value": "%WINDIR%\\msagent\\netwn.drv"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-2548-4928-8878-4272950d210b",
"value": "%USERPROFILE%\\NetHood\\Microsoft\\Windows\\Help\\set.fl"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-ab3c-464d-a842-4025950d210b",
"value": "%APPDATA%\\Microsoft\\Windows\\Network Shortcuts\\Microsoft\\Windows\\Help\\set.fl"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-80dc-4f45-b956-43e0950d210b",
"value": "%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\Chars\\ferf.st"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-34c8-4d66-b38d-4d45950d210b",
"value": "%LOCALAPPDATA%\\Microsoft\\Windows\\Chars\\ferf.st"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-d28c-40fa-9646-4a9b950d210b",
"value": "%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\Chars\\fert.st"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314474",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6a-f838-4499-bdb5-4756950d210b",
"value": "%LOCALAPPDATA%\\Microsoft\\Windows\\Chars\\fert.st"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314475",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6b-c2f0-49e6-99b8-4927950d210b",
"value": "%USERPROFILE%\\Local Settings\\Application Data\\Microsoft\\Windows\\Help\\update.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1416314475",
"to_ids": true,
"type": "filename",
"uuid": "546b3e6b-8278-48fc-8a53-4d0b950d210b",
"value": "%LOCALAPPDATA%\\Microsoft\\Windows\\Help\\update.exe"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 96c28bddba400ddc9a4b12d6cc806aa3)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834558",
"to_ids": true,
"type": "sha1",
"uuid": "56c645be-0f64-4fe0-a6e2-c652950d210f",
"value": "b888a3371d2f04b6a68fc3ecadff3f3194688756"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 78f2acc3309e1e743f98109a16c2b481)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834561",
"to_ids": true,
"type": "sha1",
"uuid": "56c645c1-1584-4576-84b7-c650950d210f",
"value": "612d96c53b7df6c3c44b1358dbb38ccff0aed052"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 12b0e0525c4dc2510a26d4f1f2863c75)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834563",
"to_ids": true,
"type": "sha1",
"uuid": "56c645c3-9b9c-4093-baf0-5ca1950d210f",
"value": "b3f9abbd7dcbb340bdb5acd1fbc74b252508e66b"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 0f171ff1a80822934439edaa7be1023b)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834565",
"to_ids": true,
"type": "sha1",
"uuid": "56c645c5-7190-4520-91bd-599f950d210f",
"value": "81c937e76488441f21e85cc76f4e8afda1eaf6be"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 47803deb563d9ff917369b8c97c22a7e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834568",
"to_ids": true,
"type": "sha1",
"uuid": "56c645c8-2cdc-4d9d-9ca6-59a1950d210f",
"value": "6f50b0b5e48307f5aa5ea8580287becda6343aee"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 10d7989355b5fc2915a18004df4f9074)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834570",
"to_ids": true,
"type": "sha1",
"uuid": "56c645ca-3d58-46b9-8ff2-c651950d210f",
"value": "f4e912585460656d7f368ef307522a3c1922f20e"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 5d7c34b6854d48d3da4f96b71550a221)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834573",
"to_ids": true,
"type": "sha1",
"uuid": "56c645cd-b1fc-4e01-bb5a-599e950d210f",
"value": "1f0e20fbc74b4a7b1d73a0a6ac131f9543bd6cbb"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 00d0382fe1b02b529701a48a1ee4a543)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834575",
"to_ids": true,
"type": "sha1",
"uuid": "56c645cf-f864-4e0c-9b7c-599d950d210f",
"value": "1fb11cd15466f483a211832e48af423d8baea7e9"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 721c56a617dfd2cecade790d9e9fa9ce)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834577",
"to_ids": true,
"type": "sha1",
"uuid": "56c645d1-efe0-46d4-a3a0-c653950d210f",
"value": "5a9da1fb37a484aeb40e05e81f28655265e75727"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 8f73b7653ebf20f66a961cc39249b2e3)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834580",
"to_ids": true,
"type": "sha1",
"uuid": "56c645d4-8ac8-4028-883c-445f950d210f",
"value": "401c196b8fd5f835ebc8cf99e0ce769dd916ecbf"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 7b30b4d95ed988081ec9fe3908df409e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834584",
"to_ids": true,
"type": "sha1",
"uuid": "56c645d8-648c-415c-a0a2-c650950d210f",
"value": "ae8126f84dc5a84ef9dfe0c6c49525b7f21e87ce"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 68aed7b1f171b928913780d5b21f7617)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834586",
"to_ids": true,
"type": "sha1",
"uuid": "56c645da-21bc-40d2-9b42-c651950d210f",
"value": "44e711e95311b81d597a7800d96482b873cb8235"
},
{
"category": "Payload installation",
"comment": "Automatically added (via 5e5917967bb61704a473b1ad20c36769)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834591",
"to_ids": true,
"type": "sha1",
"uuid": "56c645df-6e20-4dcc-a990-599f950d210f",
"value": "7243730d1ca58858c49f0c68646aa26dfb040372"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 96c28bddba400ddc9a4b12d6cc806aa3)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834559",
"to_ids": true,
"type": "sha256",
"uuid": "56c645bf-13fc-494e-9656-47cd950d210f",
"value": "689be4fa4158ab2980030fa0cb3ffd42df51293d6f38d11c0b32804cfd28a2ac"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 78f2acc3309e1e743f98109a16c2b481)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834561",
"to_ids": true,
"type": "sha256",
"uuid": "56c645c1-36ac-4ac4-a901-599f950d210f",
"value": "cb374f08d1842b12ce11bd563e86525cc641c39b7584158ececf1e90718f7d75"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 12b0e0525c4dc2510a26d4f1f2863c75)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834563",
"to_ids": true,
"type": "sha256",
"uuid": "56c645c3-3764-4385-880c-59a2950d210f",
"value": "4fd0c6187360c628be002f8556b04856b3166ecd6a193f4885d7f85fca0cb43f"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 0f171ff1a80822934439edaa7be1023b)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834566",
"to_ids": true,
"type": "sha256",
"uuid": "56c645c6-05cc-49be-bd05-48a1950d210f",
"value": "d0213a305436dc0bbe0623e190f7095b218d302e6b1f509e2ca0ee7e1deb5142"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 47803deb563d9ff917369b8c97c22a7e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834569",
"to_ids": true,
"type": "sha256",
"uuid": "56c645c9-1c9c-4f24-b852-4230950d210f",
"value": "dded62ad85c0bdd68bcc96f88d8ba42d5ad0ef999911ebdea3f561a4491ebbc6"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 10d7989355b5fc2915a18004df4f9074)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834571",
"to_ids": true,
"type": "sha256",
"uuid": "56c645cb-6234-440a-be8b-c653950d210f",
"value": "04a0fe701e2ad53ca0b3055d3e418469845a4b815a35ee4eee354c50a1a9981f"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 5d7c34b6854d48d3da4f96b71550a221)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834574",
"to_ids": true,
"type": "sha256",
"uuid": "56c645ce-0848-432c-9219-59a2950d210f",
"value": "bec31fc132cff00910cb07cf9d66c9fcf5ff511f8182b61622a18843f0fd5841"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 00d0382fe1b02b529701a48a1ee4a543)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834576",
"to_ids": true,
"type": "sha256",
"uuid": "56c645d0-f9a8-44e5-80f1-c654950d210f",
"value": "8c086f47b51839bcf4b6f2c9643e0099c63798a4736d2c18e9aa3f7fa7f6d49b"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 721c56a617dfd2cecade790d9e9fa9ce)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834579",
"to_ids": true,
"type": "sha256",
"uuid": "56c645d3-1650-4787-b31a-59a3950d210f",
"value": "0bd948790ed88ce261b63799ca11aa7199107ced88f2d16d6f5797518c23a5c8"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 8f73b7653ebf20f66a961cc39249b2e3)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834581",
"to_ids": true,
"type": "sha256",
"uuid": "56c645d5-7db0-4779-9fe0-599d950d210f",
"value": "9088ff0552beeee85634a72d39eab1e80c77b09c677c33559fd28f4bc92ea718"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 7b30b4d95ed988081ec9fe3908df409e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834585",
"to_ids": true,
"type": "sha256",
"uuid": "56c645d9-b870-4881-ac5c-5f51950d210f",
"value": "f6e1f835b4087765aba6cc921f8d8a20bf8969f85e1859d2c770fab31139ae42"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 68aed7b1f171b928913780d5b21f7617)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834587",
"to_ids": true,
"type": "sha256",
"uuid": "56c645db-37dc-4713-89a1-4ae0950d210f",
"value": "11e823bf9a73daabf9bd5a8b2d8a59cf02a31b31bfdd3bfe63b1758d4bee30cb"
},
{
"category": "Payload installation",
"comment": "Automatically added (via 5e5917967bb61704a473b1ad20c36769)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455834592",
"to_ids": true,
"type": "sha256",
"uuid": "56c645e0-059c-489d-b45d-442e950d210f",
"value": "8521e86ded314b4dde21f5d3815bbf81acf4b961268d8f3e09d9cd0a5c1213cd"
}
]
}
} |