{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2015-03-04",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Who's Really Spreading through the Bright Star? by Securelist / Kaspersky",
|
|
"publish_timestamp": "1456154100",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1425646275",
|
|
"uuid": "54f9a0ef-0ebc-414d-88ab-f094950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#33FF00",
|
|
"name": "tlp:green"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "54f9a0fd-56c8-411a-8cc7-489b950d210b",
|
|
"value": "https://securelist.com/blog/68978/whos-really-spreading-through-the-bright-star/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a10f-34e4-4fd7-a9d3-484e950d210b",
|
|
"value": "Dark Hotel"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "54f9a13b-6bdc-40e8-a010-f094950d210b",
|
|
"value": "a.gwas.perl.sh"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Dynamic-DNS host under a shared provider zone (dyndns.org). Match or block the full hostname only; blocking the parent zone would affect unrelated users.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "54f9a13b-3c84-4c16-a132-f094950d210b",
|
|
"value": "a-gwas-01.dyndns.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Appears to be a dynamic-DNS host on a shared provider zone (slyip.net). Match or block the full hostname only, not the parent zone.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "54f9a13c-7868-4fb4-be39-f094950d210b",
|
|
"value": "a-gwas-01.slyip.net"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "MD5 only. SHA1/SHA256 values auto-added later in this event exist for several of the other samples; prefer those where available, since MD5 is collision-prone and no stronger hash is recorded for this sample here.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a172-5cac-4b31-ad16-453f950d210b",
|
|
"value": "78d3c8705f8baf7d34e6a6737d1cfa18"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a172-0e68-4f06-b8c1-4e32950d210b",
|
|
"value": "978888892a1ed13e94d2fcb832a2a6b5"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a17e-ad50-4166-a1a0-4860950d210b",
|
|
"value": "%WINDIR%\\system32\\mscaps.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a17e-97e4-4943-81de-4463950d210b",
|
|
"value": "%WINDIR%\\system32\\wtime32.dll"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a1ab-b520-4b9a-8339-4188950d210b",
|
|
"value": "Bright Star"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a217-da1c-4f1b-b37d-4132950d210b",
|
|
"value": "2d9df706d1857434fcaa014df70d1c66"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a217-df00-4d26-9ac7-4f77950d210b",
|
|
"value": "fffa05401511ad2a89283c52d0c86472"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a217-b858-49e2-bba3-4321950d210b",
|
|
"value": "1fcc5b3ed6bc76d70cfa49d051e0dff6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a217-9d88-4a75-a466-4236950d210b",
|
|
"value": "d0c9ada173da923efabb53d5a9b28d54"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a218-bfe4-4b5c-b5c8-461c950d210b",
|
|
"value": "daac1781c9d22f5743ade0cb41feaebf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a218-c784-446d-bf77-4ab7950d210b",
|
|
"value": "6a9461f260ebb2556b8ae1d0ba93858a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a218-e61c-492d-92cc-4777950d210b",
|
|
"value": "f1c9f4a1f92588aeb82be5d2d4c2c730"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a218-f9e0-45b9-9f98-4797950d210b",
|
|
"value": "59ee2ff6dbac2b6cd3e98cb0ff581bdb"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646116",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a218-79d8-4182-84db-4c98950d210b",
|
|
"value": "f415ea8f2435d6c9656cc6525c65bd3c"
|
|
},
|
|
{
|
|
"category": "Antivirus detection",
|
|
"comment": "Kaspersky",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646155",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a24b-fca4-4e03-b504-4098950d210b",
|
|
"value": "Trojan.Win32.Agent.hwgw"
|
|
},
|
|
{
|
|
"category": "Antivirus detection",
|
|
"comment": "Kaspersky",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646155",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a24b-9908-439e-8df7-44d7950d210b",
|
|
"value": "UDS:DangerousObject.Multi.Generic"
|
|
},
|
|
{
|
|
"category": "Antivirus detection",
|
|
"comment": "Kaspersky",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646155",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a24b-b538-4cee-8162-4e69950d210b",
|
|
"value": "HEUR:Trojan.Win32.Generic"
|
|
},
|
|
{
|
|
"category": "Antivirus detection",
|
|
"comment": "Kaspersky",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646155",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "54f9a24b-ebfc-40f6-a24f-4500950d210b",
|
|
"value": "Trojan-Dropper.Win32.Daws.awfy"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-ca7c-4ece-8598-40fc950d210b",
|
|
"value": "78d3c8705f8baf7d34e6a6737d1cfa18"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-108c-4f7a-8982-40c4950d210b",
|
|
"value": "2d9df706d1857434fcaa014df70d1c66"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-8d30-43e2-a150-4f43950d210b",
|
|
"value": "1e7c6907b63c4a485e7616aa04351da7"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-87c0-4133-8257-4962950d210b",
|
|
"value": "1fcc5b3ed6bc76d70cfa49d051e0dff6"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-1724-483e-a397-4a70950d210b",
|
|
"value": "523b4b169dde3bcab81311cfdee68e92"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-ba10-46fc-91a5-4567950d210b",
|
|
"value": "541989816355fd606838260f5b49d931"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-d54c-41ec-89b4-455d950d210b",
|
|
"value": "5e34f85278bf3504fc1b9a59d2e7479b"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-f7f4-42c8-b545-4a79950d210b",
|
|
"value": "6a9461f260ebb2556b8ae1d0ba93858a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-3cc8-4d0c-ba11-4581950d210b",
|
|
"value": "78ba5b642df336009812a0b52827e1de"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-fe84-4b60-81b3-4cff950d210b",
|
|
"value": "7f15d9149736966f1df03fc60e87b8ac"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646210",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "54f9a282-002c-440a-a52b-4f25950d210b",
|
|
"value": "7f3a38093bd60da04d0fa5f50867d24f"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Bare filename; the same artifact is listed earlier in this event with its full %WINDIR%\\system32 path. The name alone is a weak IDS match; correlate with the hashes in this event.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-56b0-4339-9b32-46cd950d210b",
|
|
"value": "mscaps.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Very generic DLL name; high false-positive risk as a standalone IDS/EDR match. Use only in combination with the hashes or hostnames in this event.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-8c04-4bba-89b1-40be950d210b",
|
|
"value": "arc.dll"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Temp-file style name; the hex portion is likely per-infection and may not repeat, so an exact-name match could miss variants (unverified from this event alone).",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-d0f0-43d8-b6a6-4ad1950d210b",
|
|
"value": "@aedf66.tmp.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Very generic DLL name; high false-positive risk as a standalone IDS/EDR match. Correlate with the hashes in this event before acting on it.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-7094-4fea-964c-432b950d210b",
|
|
"value": "dis.dll"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-7c88-4ac1-a201-413f950d210b",
|
|
"value": "wdext.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Very generic DLL name; high false-positive risk as a standalone IDS/EDR match. Correlate with the hashes in this event before acting on it.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-0690-42fd-8aac-454b950d210b",
|
|
"value": "sha.dll"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1425646275",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "54f9a2c3-43c4-4a83-b866-4122950d210b",
|
|
"value": "wdexe.exe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Automatically added (via 6a9461f260ebb2556b8ae1d0ba93858a)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839070",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c6575e-3d24-4ed7-b7c5-599f950d210f",
|
|
"value": "01e14b87b69dce8272d84669f44f81d685dcf7c5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via 978888892a1ed13e94d2fcb832a2a6b5)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839072",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c65760-d398-47c4-9b5a-59a3950d210f",
|
|
"value": "4528a769de6407f01d01d03095d5d8fa38c4b4ae"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via fffa05401511ad2a89283c52d0c86472)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839074",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c65762-f0a8-4514-a3e7-40a3950d210f",
|
|
"value": "99a9fbcac39b9522d1d628620b69c4cd7cc110f1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via d0c9ada173da923efabb53d5a9b28d54)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839076",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c65764-c1c0-4f62-87cd-599c950d210f",
|
|
"value": "0cefe568d2a06bd44fe9dfab65b1e27bd34def11"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via f1c9f4a1f92588aeb82be5d2d4c2c730)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839078",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56c65766-7358-4804-84d2-c650950d210f",
|
|
"value": "3dc5a017b15ba74fae2342937380905bf7e8fbd5"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Automatically added (via 6a9461f260ebb2556b8ae1d0ba93858a)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839071",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56c6575f-94f0-44dd-901d-599d950d210f",
|
|
"value": "0b059565160c180df60470349770a6dd225981a8051639385bb49d33d2a73632"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via 978888892a1ed13e94d2fcb832a2a6b5)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839073",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56c65761-4130-4d4a-9614-4766950d210f",
|
|
"value": "c7dc3ac34cfcadba2aedf1727ce95c7e54a8e4b3ada1373916adb25dcf05e369"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via fffa05401511ad2a89283c52d0c86472)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839075",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56c65763-f668-4c0e-ace8-59a1950d210f",
|
|
"value": "41a712fd2111c5ddec6fe58a29c80f19923cc72e88b4508d5a3daeb236ddf1b8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via d0c9ada173da923efabb53d5a9b28d54)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839076",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56c65764-a468-44de-8d2d-c651950d210f",
|
|
"value": "ad01ab517cf1c9f5d30b3ea749c91c5c8fc613e771d25287483023d2066e1523"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Automatically added (via f1c9f4a1f92588aeb82be5d2d4c2c730)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1455839078",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56c65766-16b4-4f4f-ae47-599f950d210f",
|
|
"value": "d3a46f71aa7467920b16b64c9d17eaf6c4e147f41cd1390dccff01e4a81f8dfa"
|
|
}
|
|
]
|
|
}
|
|
} |