{
"Event": {
"analysis": "2",
"date": "2015-04-14",
"extends_uuid": "",
"info": "OSINT Unit 42 Identifies New DragonOK Backdoor Malware Deployed Against Japanese Targets by Palo Alto Unit42",
"publish_timestamp": "1511189977",
"published": true,
"threat_level_id": "4",
"timestamp": "1429110761",
"uuid": "552e76b6-3b44-410e-a0a9-4fec950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#f71212",
"local": false,
"name": "APT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429108429",
"to_ids": false,
"type": "link",
"uuid": "552e76cd-5a6c-4b3f-aec9-47d1950d210b",
"value": "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429108443",
"to_ids": false,
"type": "text",
"uuid": "552e76db-3ebc-4327-9550-494a950d210b",
"value": "DragonOK"
},
{
"category": "External analysis",
"comment": "Related to this",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429108475",
"to_ids": false,
"type": "link",
"uuid": "552e76fb-e018-49be-97dc-4cd9950d210b",
"value": "https://www.fireeye.com/resources/pdfs/white-papers/fireeye-operation-quantum-entanglement.pdf"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109155",
"to_ids": true,
"type": "url",
"uuid": "552e79a3-0ea4-4d0b-8d76-44b8950d210b",
"value": "/news/STravel.asp"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109155",
"to_ids": true,
"type": "url",
"uuid": "552e79a3-0e0c-4f40-a40c-4b59950d210b",
"value": "/news/SJobs.asp"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109155",
"to_ids": true,
"type": "url",
"uuid": "552e79a3-3b78-4e06-bae5-4a96950d210b",
"value": "/news/SSports.asp"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109155",
"to_ids": true,
"type": "url",
"uuid": "552e79a3-c120-47fa-83d8-450d950d210b",
"value": "/news/SWeather.asp"
},
{
"category": "Network activity",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109564",
"to_ids": true,
"type": "domain",
"uuid": "552e7b3c-c450-426d-9943-4cce950d210b",
"value": "biosnews.info"
},
{
"category": "Attribution",
"comment": "Debug symbols Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109628",
"to_ids": false,
"type": "text",
"uuid": "552e7b51-39a0-48d3-ad1f-4a62950d210b",
"value": "D:\\Work\\1021WinInetGEnc1\\Release\\WinInetG.pdb"
},
{
"category": "Network activity",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109614",
"to_ids": true,
"type": "ip-dst",
"uuid": "552e7b5f-957c-4e45-8481-1539950d210b",
"value": "23.229.234.160"
},
{
"category": "Payload delivery",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109652",
"to_ids": true,
"type": "sha256",
"uuid": "552e7b94-e1dc-4594-9221-4592950d210b",
"value": "227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968"
},
{
"category": "Payload delivery",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109652",
"to_ids": true,
"type": "sha256",
"uuid": "552e7b94-2958-4692-a665-452f950d210b",
"value": "35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae"
},
{
"category": "Payload delivery",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109652",
"to_ids": true,
"type": "sha256",
"uuid": "552e7b95-0a3c-4522-8850-4805950d210b",
"value": "0b97ced3fabb14dbffa641d9bd1cc9dd8c97eab9cb6160d43202ee078e017989"
},
{
"category": "Payload delivery",
"comment": "Sysget/HelloBridge",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109653",
"to_ids": true,
"type": "sha256",
"uuid": "552e7b95-f2cc-4a4e-8f4b-45c1950d210b",
"value": "287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e"
},
{
"category": "Payload delivery",
"comment": "PlugX",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109682",
"to_ids": true,
"type": "sha256",
"uuid": "552e7bb2-d774-42b7-94b6-47d6950d210b",
"value": "70ac649d31db748c4396a9a3f7a9c619c8d09e6400492ab3447520fb726083c4"
},
{
"category": "Network activity",
"comment": "PlugX",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109702",
"to_ids": true,
"type": "hostname",
"uuid": "552e7bc6-5210-4bc3-9c59-4cf4950d210b",
"value": "http.tourecord.com"
},
{
"category": "Network activity",
"comment": "PlugX & Poison Ivy & FormerFirstRAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109888",
"to_ids": true,
"type": "ip-dst",
"uuid": "552e7bdb-eb54-485d-aee5-1534950d210b",
"value": "103.20.193.62"
},
{
"category": "Artifacts dropped",
"comment": "PoisonIvy",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109754",
"to_ids": true,
"type": "sha256",
"uuid": "552e7bfa-c7f8-4207-92dd-4cb1950d210b",
"value": "6e95215a52e1cbf4a58cb24c91750151170ea3d59fa9dbfe566e33a2ffc04f4c"
},
{
"category": "Network activity",
"comment": "Poison Ivy",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109773",
"to_ids": true,
"type": "hostname",
"uuid": "552e7c0d-8e70-4165-85a4-4fb8950d210b",
"value": "bbs.reweblink.com"
},
{
"category": "Artifacts dropped",
"comment": "FormerFirstRAT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109855",
"to_ids": true,
"type": "filename|sha256",
"uuid": "552e7c55-d884-4920-8b49-4843950d210b",
"value": "RpcRtRemote.dll|e68b70eaaf45fa43e726a29ce956f0e6ea26ece51165a1989e22597aebba244f"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109873",
"to_ids": true,
"type": "hostname",
"uuid": "552e7c71-9a24-4abe-aef2-1534950d210b",
"value": "https.reweblink.com"
},
{
"category": "Artifacts dropped",
"comment": "Nflog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109918",
"to_ids": true,
"type": "sha256",
"uuid": "552e7c9e-207c-4efc-bf4a-403c950d210b",
"value": "64cbcb1f5b8a9d98b3543e3bf342e8c799e0f74f582a5eb0dc383abac7692f63"
},
{
"category": "Network activity",
"comment": "Nflog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109934",
"to_ids": true,
"type": "hostname",
"uuid": "552e7cae-34e8-4e05-9cee-4b50950d210b",
"value": "new.hotpmsn.com"
},
{
"category": "Network activity",
"comment": "Nflog",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429109958",
"to_ids": true,
"type": "ip-dst",
"uuid": "552e7cc6-2928-42c4-ab4a-468c950d210b",
"value": "58.64.156.140"
},
{
"category": "Network activity",
"comment": "NewCT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429110109",
"to_ids": true,
"type": "hostname",
"uuid": "552e7d5d-cdec-4afb-a0ae-484b950d210b",
"value": "bbs.jpaols.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1429110761",
"to_ids": true,
"type": "domain",
"uuid": "552e7fe9-4294-4638-954e-2d3d950d210b",
"value": "jpaols.com"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839868",
"to_ids": true,
"type": "md5",
"uuid": "56c65a7c-1364-4f10-a9c9-c652950d210f",
"value": "5a656afcd99ffac80db0b256e150e69c"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839870",
"to_ids": true,
"type": "md5",
"uuid": "56c65a7e-ca60-48d9-a6a1-5f51950d210f",
"value": "da1d2288aab04a4f97d594d8dd2b8249"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839872",
"to_ids": true,
"type": "md5",
"uuid": "56c65a80-01d8-42ca-b19d-599e950d210f",
"value": "9d10cc1cb4a0fd8d94c02fc5d7ba8bd1"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 227de988efdcf886bc0be7dc3df9f51a727664593de47352df31757853e42968)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839869",
"to_ids": true,
"type": "sha1",
"uuid": "56c65a7d-8344-42ac-8777-c651950d210f",
"value": "d698174f2bee6665edda571865d2d6ce4c9995df"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 35784ec1968d322092cb6826f7795f65eeb0b8365ac8c7d8756851c92acf31ae)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839871",
"to_ids": true,
"type": "sha1",
"uuid": "56c65a7f-25cc-4ced-b707-599f950d210f",
"value": "4f405b7d13748327d1d1737c0b050b104a39fba4"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 287e29ca7b2177fdaa561a96284726ada636dbbdaadfdbeadf88164e625ed88e)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455839873",
"to_ids": true,
"type": "sha1",
"uuid": "56c65a81-0c80-4738-8bfa-c650950d210f",
"value": "d2e1b0e27d0f134b4bab6bf9437067fdf6a16618"
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge HTTP GET request in response to a getinto command from the C2 server to download a file",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504792656",
"to_ids": true,
"type": "url",
"uuid": "59b15050-20b4-4439-bab6-4cd5950d210f",
"value": "http://biosnews.info//index.php?fn=s3&file="
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge HTTP POST request in response to a file upload response received from the C2 server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504792479",
"to_ids": true,
"type": "url",
"uuid": "59b14f9f-34e0-4d67-a264-429c950d210f",
"value": "http://biosnews.info//index.php?fn=s2&item="
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge Initial dropper HTTP GET request to C2 server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504792381",
"to_ids": true,
"type": "url",
"uuid": "59b14f3d-6e74-4d60-bbf6-fc46950d210f",
"value": "http://biosnews.info/index.php?fn=s4&name="
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge configuration file",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504791939",
"to_ids": true,
"type": "filename",
"uuid": "59b14d83-618c-4a64-925a-43ad950d210f",
"value": "%temp%\\ibmCon6.tmp"
},
{
"category": "External analysis",
"comment": "PlugX - windows-service-displayname",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504792904",
"to_ids": true,
"type": "other",
"uuid": "59b15148-7220-4e76-a29d-4638950d210f",
"value": "RasTls"
},
{
"category": "External analysis",
"comment": "PlugX - persistence mechanism",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793006",
"to_ids": true,
"type": "regkey|value",
"uuid": "59b151ae-6c70-461a-8aa1-430f950d210f",
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RasTls|%windir%\\system32\\svchost.exe"
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge - event object name",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793067",
"to_ids": true,
"type": "other",
"uuid": "59b151eb-c048-4ae7-af03-4e28950d210f",
"value": "mcsong[]"
},
{
"category": "External analysis",
"comment": "Sysget/HelloBridge - persistence mechanism",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793115",
"to_ids": true,
"type": "regkey|value",
"uuid": "59b1521b-a8d4-4a9c-a26e-4fac950d210f",
"value": "HKCU\\software\\microsoft\\windows\\currentversion\\run|%temp%\\notilv.exe"
},
{
"category": "External analysis",
"comment": "FormerFirstRAT - hostname|port",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504794043",
"to_ids": true,
"type": "other",
"uuid": "59b155bb-9a94-4af4-baba-4472950d210f",
"value": "https.reweblink.com|443"
},
{
"category": "External analysis",
"comment": "FormerFirstRAT - AES-128 encryption key",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793926",
"to_ids": false,
"type": "other",
"uuid": "59b15546-37f4-4980-bd47-4976950d210f",
"value": "tucwatkins"
},
{
"category": "External analysis",
"comment": "NFlog - event object name",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793469",
"to_ids": false,
"type": "other",
"uuid": "59b1537d-79c4-456b-bec4-4f9b950d210f",
"value": "GoogleZCM"
},
{
"category": "External analysis",
"comment": "NFlog - persistence mechanism",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793358",
"to_ids": true,
"type": "regkey",
"uuid": "59b1530e-77e4-4484-9645-4972950d210f",
"value": "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\update"
},
{
"category": "External analysis",
"comment": "FormerFirstRAT - persistence mechanism",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793245",
"to_ids": true,
"type": "regkey",
"uuid": "59b1529d-2ab0-429b-a8ae-45e8950d210f",
"value": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmdmPmSp"
},
{
"category": "External analysis",
"comment": "FormerFirstRAT - protocol|port for protocol anomaly detection",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793976",
"to_ids": true,
"type": "other",
"uuid": "59b15578-0c2c-445f-a3de-4d1a950d210f",
"value": "HTTP|443"
},
{
"category": "External analysis",
"comment": "FormerFirstRAT - persistence mechanism",
"deleted": false,
"disable_correlation": false,
"timestamp": "1504793245",
"to_ids": true,
"type": "regkey",
"uuid": "59b1529d-6e80-4824-991b-4be5950d210f",
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WmdmPmSp"
}
]
}
}