{
"Event": {
"analysis": "2",
"date": "2018-03-12",
"extends_uuid": "",
"info": "OSINT - APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS",
"publish_timestamp": "1520857733",
"published": true,
"threat_level_id": "3",
"timestamp": "1520857725",
"uuid": "5aa670db-6ef0-4d81-8e90-9476950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#10cb00",
"local": false,
"name": "misp-galaxy:threat-actor=\"Mirage\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
"local": false,
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "Possible linked APT15 domains include:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857671",
"to_ids": true,
"type": "hostname",
"uuid": "5aa670f5-39b4-4382-9f91-0fa3950d210f",
"value": "micakiz.wikaba.org"
},
{
"category": "Network activity",
"comment": "Possible linked APT15 domains include:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857671",
"to_ids": true,
"type": "domain",
"uuid": "5aa670f6-d5ac-4682-9a04-0fa3950d210f",
"value": "cavanic9.net"
},
{
"category": "Network activity",
"comment": "Possible linked APT15 domains include:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857672",
"to_ids": true,
"type": "domain",
"uuid": "5aa670f6-d5d4-4202-9a37-0fa3950d210f",
"value": "ridingduck.com"
},
{
"category": "Network activity",
"comment": "Possible linked APT15 domains include:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857672",
"to_ids": true,
"type": "domain",
"uuid": "5aa670f7-0014-4df2-a56f-0fa3950d210f",
"value": "zipcodeterm.com"
},
{
"category": "Network activity",
"comment": "Possible linked APT15 domains include:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857672",
"to_ids": true,
"type": "domain",
"uuid": "5aa670f7-6a48-4bdf-8746-0fa3950d210f",
"value": "dnsapp.info"
},
{
"category": "Network activity",
"comment": "RoyalDNS backdoor was seen communicating to the domain:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857673",
"to_ids": true,
"type": "domain",
"uuid": "5aa67102-ced4-4a30-b0d7-0fa3950d210f",
"value": "andspurs.com"
},
{
"category": "Network activity",
"comment": "The BS2005 backdoor utilised the following domains for C2:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857673",
"to_ids": true,
"type": "hostname",
"uuid": "5aa6710e-52b4-40af-ac3b-0fa3950d210f",
"value": "run.linodepower.com"
},
{
"category": "Network activity",
"comment": "The BS2005 backdoor utilised the following domains for C2:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857673",
"to_ids": true,
"type": "hostname",
"uuid": "5aa6710f-fe88-4d3d-96a7-0fa3950d210f",
"value": "singa.linodepower.com"
},
{
"category": "Network activity",
"comment": "The BS2005 backdoor utilised the following domains for C2:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857674",
"to_ids": true,
"type": "hostname",
"uuid": "5aa6710f-50d0-4454-860d-0fa3950d210f",
"value": "log.autocount.org"
},
{
"category": "Network activity",
"comment": "The RoyalCli backdoor was attempting to communicate to the following domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857674",
"to_ids": true,
"type": "hostname",
"uuid": "5aa6711b-a1c4-40d1-92b7-0fa3950d210f",
"value": "news.memozilla.org"
},
{
"category": "Network activity",
"comment": "The RoyalCli backdoor was attempting to communicate to the following domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857675",
"to_ids": true,
"type": "hostname",
"uuid": "5aa6711b-f3b8-4787-b246-0fa3950d210f",
"value": "video.memozilla.org"
},
{
"category": "Payload delivery",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857413",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67145-28d0-47cb-927a-d9cd950d210f",
"value": "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
},
{
"category": "Payload delivery",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857413",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67145-68d0-4b05-a406-d9cd950d210f",
"value": "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
},
{
"category": "Payload delivery",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857414",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67146-a2d0-4ed0-968e-d9cd950d210f",
"value": "6ea9cc475d41ca07fa206eb84b10cf2bbd2392366890de5ae67241afa2f4269f"
},
{
"category": "Payload delivery",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857414",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67146-e6a4-40d8-a37c-d9cd950d210f",
"value": "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
},
{
"category": "Payload delivery",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857414",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67146-1288-4aa0-9671-d9cd950d210f",
"value": "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857675",
"to_ids": false,
"type": "pdb",
"uuid": "5aa67163-e99c-4bf6-9649-d928950d210f",
"value": "%USERPROFILE%\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857676",
"to_ids": false,
"type": "text",
"uuid": "5aa67177-ac60-43db-9bd5-4053950d210f",
"value": "APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS\r\nIn May 2017, NCC Group's Incident Response team reacted to an ongoing incident where our client, which provides a range of services to UK Government, suffered a network compromise involving the advanced persistent threat group APT15.\r\n\r\nAPT15 is also known as Ke3chang, Mirage, Vixen Panda, GREF and Playful Dragon.\r\nA number of sensitive documents were stolen by the attackers during the incident and we believe APT15 was targeting information related to UK government departments and military technology."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857676",
"to_ids": false,
"type": "text",
"uuid": "5aa671e4-c8f4-4d39-ad4b-9394950d210f",
"value": "5aa64b62-8f2c-4081-a6f9-4480950d210f"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1520857676",
"to_ids": false,
"type": "link",
"uuid": "5aa67218-06ac-49e7-baa9-d9cd950d210f",
"value": "https://github.com/nccgroup/Royal_APT"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1520857680",
"uuid": "0e812898-7fc4-40f8-ac95-7a23e22438de",
"ObjectReference": [
{
"comment": "",
"object_uuid": "0e812898-7fc4-40f8-ac95-7a23e22438de",
"referenced_uuid": "bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
"relationship_type": "analysed-with",
"timestamp": "1520857686",
"uuid": "5aa67256-1c04-4a97-84a8-947502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1520857677",
"to_ids": true,
"type": "sha1",
"uuid": "5aa6724d-b8c0-487a-860b-947502de0b81",
"value": "201e74fd33724a872ab89f8a002a560d1ce73e54"
},
{
"category": "Payload delivery",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1520857677",
"to_ids": true,
"type": "sha256",
"uuid": "5aa6724d-6bd4-49c4-8c18-947502de0b81",
"value": "750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b"
},
{
"category": "Payload delivery",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1520857678",
"to_ids": true,
"type": "md5",
"uuid": "5aa6724e-c468-4b60-a221-947502de0b81",
"value": "ed21ce2beee56f0a0b1c5a62a80c128b"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1520857678",
"uuid": "bf2e6e7d-19c6-4341-94b9-8f15b563b0b3",
"Attribute": [
{
"category": "External analysis",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1520857678",
"to_ids": false,
"type": "link",
"uuid": "5aa6724e-e14c-4ad9-ad8e-947502de0b81",
"value": "https://www.virustotal.com/file/750d9eecd533f89b8aa13aeab173a1cf813b021b6824bc30e60f5db6fa7b950b/analysis/1520793006/"
},
{
"category": "Other",
"comment": "BS2005",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1520857679",
"to_ids": false,
"type": "text",
"uuid": "5aa6724f-fd84-4c88-9a54-947502de0b81",
"value": "44/67"
},
{
"category": "Other",
"comment": "BS2005",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1520857679",
"to_ids": false,
"type": "datetime",
"uuid": "5aa6724f-d5a8-4efc-b433-947502de0b81",
"value": "2018-03-11T18:30:06"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1520857682",
"uuid": "06f1e0a0-004c-4356-9f89-380b53274f42",
"ObjectReference": [
{
"comment": "",
"object_uuid": "06f1e0a0-004c-4356-9f89-380b53274f42",
"referenced_uuid": "326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
"relationship_type": "analysed-with",
"timestamp": "1520857686",
"uuid": "5aa67256-9704-459d-8bd4-947502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1520857679",
"to_ids": true,
"type": "sha1",
"uuid": "5aa6724f-0b60-4f1e-b424-947502de0b81",
"value": "3d4ee6cbfaeb7890bb0b2d41547849f8e2d9243f"
},
{
"category": "Payload delivery",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1520857679",
"to_ids": true,
"type": "sha256",
"uuid": "5aa6724f-cfc0-4955-b212-947502de0b81",
"value": "bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d"
},
{
"category": "Payload delivery",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1520857680",
"to_ids": true,
"type": "md5",
"uuid": "5aa67250-c2c4-4584-8881-947502de0b81",
"value": "941a4fc3d2a3289017cf9c56584d1168"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1520857680",
"uuid": "326d28d2-bc18-4205-945a-2b3ef2cfa9fa",
"Attribute": [
{
"category": "External analysis",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1520857680",
"to_ids": false,
"type": "link",
"uuid": "5aa67250-7bc8-45a9-b533-947502de0b81",
"value": "https://www.virustotal.com/file/bc937f6e958b339f6925023bc2af375d669084e9551fd3753e501ef26e36b39d/analysis/1520841997/"
},
{
"category": "Other",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1520857681",
"to_ids": false,
"type": "text",
"uuid": "5aa67251-59a4-4b15-9b43-947502de0b81",
"value": "7/65"
},
{
"category": "Other",
"comment": "Royal DNS",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1520857681",
"to_ids": false,
"type": "datetime",
"uuid": "5aa67251-5338-45f7-a3c9-947502de0b81",
"value": "2018-03-12T08:06:37"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1520857684",
"uuid": "f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "f1bdc5bc-932a-4efa-9855-e8e3981fbd2f",
"referenced_uuid": "3d28abc7-0edd-438c-bd55-54bfbf90e295",
"relationship_type": "analysed-with",
"timestamp": "1520857686",
"uuid": "5aa67256-1c8c-4434-aaec-947502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1520857682",
"to_ids": true,
"type": "sha1",
"uuid": "5aa67252-6ed4-45b9-9df8-947502de0b81",
"value": "a35297163ed0efcb71e63069a3115737d2fe2d1d"
},
{
"category": "Payload delivery",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1520857682",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67252-c304-4294-81a7-947502de0b81",
"value": "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
},
{
"category": "Payload delivery",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1520857682",
"to_ids": true,
"type": "md5",
"uuid": "5aa67252-26e8-4190-bc90-947502de0b81",
"value": "5e5c9e6e710f67f4886e4f4169d02b1d"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1520857683",
"uuid": "3d28abc7-0edd-438c-bd55-54bfbf90e295",
"Attribute": [
{
"category": "External analysis",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1520857683",
"to_ids": false,
"type": "link",
"uuid": "5aa67253-ffe8-4691-9928-947502de0b81",
"value": "https://www.virustotal.com/file/6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785/analysis/1520793104/"
},
{
"category": "Other",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1520857683",
"to_ids": false,
"type": "text",
"uuid": "5aa67253-2ca8-410a-914b-947502de0b81",
"value": "45/67"
},
{
"category": "Other",
"comment": "RoyalCli",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1520857683",
"to_ids": false,
"type": "datetime",
"uuid": "5aa67253-568c-41df-8205-947502de0b81",
"value": "2018-03-11T18:31:44"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "7",
"timestamp": "1520857687",
"uuid": "c752a171-4c3d-403e-bb4a-5dae51f2993f",
"ObjectReference": [
{
"comment": "",
"object_uuid": "c752a171-4c3d-403e-bb4a-5dae51f2993f",
"referenced_uuid": "8840afc4-669d-4a92-8a3e-a104c2994436",
"relationship_type": "analysed-with",
"timestamp": "1520857687",
"uuid": "5aa67257-4ca4-4b10-940e-947502de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1520857684",
"to_ids": true,
"type": "sha1",
"uuid": "5aa67254-c7e4-443f-8966-947502de0b81",
"value": "63fbd3feb41c0b6de892b4a70a6241d123ec1e5a"
},
{
"category": "Payload delivery",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1520857684",
"to_ids": true,
"type": "sha256",
"uuid": "5aa67254-1f90-49ec-af2c-947502de0b81",
"value": "16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce"
},
{
"category": "Payload delivery",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1520857684",
"to_ids": true,
"type": "md5",
"uuid": "5aa67254-46f4-409b-843b-947502de0b81",
"value": "d21a7e349e796064ce10f2f6ede31c71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "1",
"timestamp": "1520857685",
"uuid": "8840afc4-669d-4a92-8a3e-a104c2994436",
"Attribute": [
{
"category": "External analysis",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1520857685",
"to_ids": false,
"type": "link",
"uuid": "5aa67255-56f0-4687-875c-947502de0b81",
"value": "https://www.virustotal.com/file/16b868d1bef6be39f69b4e976595e7bd46b6c0595cf6bc482229dbb9e64f1bce/analysis/1520844201/"
},
{
"category": "Other",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1520857685",
"to_ids": false,
"type": "text",
"uuid": "5aa67255-5500-48d8-9364-947502de0b81",
"value": "2/67"
},
{
"category": "Other",
"comment": "MS Exchange Tool",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1520857685",
"to_ids": false,
"type": "datetime",
"uuid": "5aa67255-bb78-4fff-b7bf-947502de0b81",
"value": "2018-03-12T08:43:21"
}
]
}
]
}
}