{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-08-31",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Gazing at Gazer",
|
|
"publish_timestamp": "1504295748",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1504295666",
|
|
"uuid": "59a7f10d-f0ec-431b-b99d-4fe4950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#002b4a",
|
|
"name": "osint:source-type=\"technical-report\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-b3a4-43c4-ba9c-4ddc950d210f",
|
|
"value": "%TEMP%\\KB943729.log"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-fbf0-4c99-a6d3-4b5b950d210f",
|
|
"value": "%TEMP%\\CVRG72B5.tmp.cvr"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-7988-47f3-af38-417c950d210f",
|
|
"value": "%TEMP%\\CVRG1A6B.tmp.cvr"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-0e2c-40a2-9421-4e22950d210f",
|
|
"value": "%TEMP%\\CVRG38D9.tmp.cvr"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-a8ec-4c13-be4a-44d0950d210f",
|
|
"value": "%TEMP%\\~DF1E06.tmp"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-a97c-4afc-91bb-4603950d210f",
|
|
"value": "%HOMEPATH%\\ntuser.dat.LOG3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "59a7f135-0fe4-4cf2-a333-4796950d210f",
|
|
"value": "%HOMEPATH%\\AppData\\Local\\Adobe\\AdobeUpdater.exe"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "59a7f1fa-c298-4a57-966a-4e26950d210f",
|
|
"value": "Herein we release our analysis of a previously undocumented backdoor that has been targeted against embassies and consulates around the world, which leads us to attribute it, with high confidence, to the Turla group. Turla is a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets. Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere. Based on strings found in the samples we analyzed, we have named this backdoor \u201cGazer\u201d.\r\nRecently, the Turla APT group has seen extensive news coverage surrounding its campaigns, something we haven\u2019t seen for a long time. The Intercept reported that there exists a 2011 presentation by Canada\u2019s Communication Security Establishment (CSE) outlining the errors made by the Turla operators during their operations even though the tools they use are quite advanced. The codename for the Turla APT group in this presentation is MAKERSMARK. Gazer, like its siblings in the Turla family, uses advanced methods to spy and persist on its targets. This whitepaper highlights the campaigns in which Gazer was used and also contains a technical analysis of its functionalities.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#002b4a",
|
|
"name": "osint:source-type=\"technical-report\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a7f2c4-9810-404a-8501-4950950d210f",
|
|
"value": "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf",
|
|
"Tag": [
|
|
{
|
|
"colour": "#002b4a",
|
|
"name": "osint:source-type=\"technical-report\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59a7f306-a5b8-475e-ac10-4819950d210f",
|
|
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ScreenSaver"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59a7f306-f5f8-4562-a15e-45ec950d210f",
|
|
"value": "HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Explorer\\ScreenSaver"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-5838-401c-a1fc-4509950d210f",
|
|
"value": "daybreakhealthcare.co.uk/wp-includes/themees.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-bd88-4024-8df0-44f5950d210f",
|
|
"value": "simplecreative.design/wp-content/plugins/calculated-fields-form/single.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-1e14-4d8b-a77a-4461950d210f",
|
|
"value": "169.255.137.203/rss_0.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-03f0-4322-b6fa-49a9950d210f",
|
|
"value": "outletpiumini.springwaterfeatures.com/wp-includes/pomo/settings.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-ed60-4e38-91ad-40ce950d210f",
|
|
"value": "zerogov.com/wp-content/plugins.deactivate/paypal-donations/src/PaypalDonations/SimpleSubsribe.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-4688-4ff0-b545-4ecd950d210f",
|
|
"value": "ales.ball-mill.es/ckfinder/core/connector/php/php4/CommandHandler/CommandHandler.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-f770-46a1-a5a4-4292950d210f",
|
|
"value": "dyskurs.com.ua/wp-admin/includes/map-menu.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-0d70-443b-87c7-43f6950d210f",
|
|
"value": "warrixmalaysia.com.my/wp-content/plugins/jetpack/modules/contact-form/grunion-table-form.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-a34c-4264-9dc0-480d950d210f",
|
|
"value": "217.171.86.137/config.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-4cd0-4b6d-a0c9-438c950d210f",
|
|
"value": "217.171.86.137/rss_0.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-8700-4482-b4b0-4563950d210f",
|
|
"value": "shinestars-lifestyle.com/old_shinstar/includes/old/front_footer.old.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-29e0-4c5a-8cc4-4921950d210f",
|
|
"value": "www.aviasiya.com/murad.by/life/wp-content/plugins/wp-accounting/inc/pages/page-search.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-2548-473c-a616-4597950d210f",
|
|
"value": "baby.greenweb.co.il/wp-content/themes/san-kloud/admin.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-60c0-4c83-8970-4ca1950d210f",
|
|
"value": "soligro.com/wp-includes/pomo/db.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-8f54-4407-8ebc-47bc950d210f",
|
|
"value": "giadinhvabe.net/wp-content/themes/viettemp/out/css/class.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-f070-46d1-99cc-4fe3950d210f",
|
|
"value": "tekfordummies.com/wp-content/plugins/social-auto-poster/includes/libraries/delicious/Delicious.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C (this URL appears truncated; the following attribute, test/Reader/BuildTest.php, looks like its continuation - verify against the source report)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-0324-4c56-9f10-49fb950d210f",
|
|
"value": "kennynguyen.esy.es/wp-content/plugins/wp-statistics/vendor/maxmind-db/reader/tests/MaxMind/Db/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C (this value looks like the tail of the preceding kennynguyen.esy.es URL rather than a standalone indicator - verify against the source report before relying on it for detection)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-a78c-469c-8c18-48a4950d210f",
|
|
"value": "test/Reader/BuildTest.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-9994-494f-af6e-479d950d210f",
|
|
"value": "sonneteck.com/wp-content/plugins/yith-woocommerce-wishlist/plugin-fw/licence/templates/panel/activation/activation.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-247c-406d-8064-422d950d210f",
|
|
"value": "chagiocaxuanson.esy.es/wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/ngglegacy/admin/templates/manage_gallery/gallery_preview_page_field.old.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-a644-42ae-bccb-49c1950d210f",
|
|
"value": "hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-4d28-428d-a4b8-44bd950d210f",
|
|
"value": "zszinhyosz.pe.hu/wp-content/themes/twentyfourteen/page-templates/full-hight.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C&C",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59a7f380-dc5c-467c-ab0a-4db0950d210f",
|
|
"value": "weandcats.com/wp-content/plugins/broken-link-checker/modules/checkers/http-module.php"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-6ff8-49ef-90bb-46f7950d210f",
|
|
"value": "27fa78de705ebaa4b11c4b5fe7277f91906b3f92"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-94b4-43a7-9787-4270950d210f",
|
|
"value": "35f205367e2e5f8a121925bbae6ff07626b526a7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-71b0-455d-b325-409e950d210f",
|
|
"value": "b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-4b78-47af-a932-4e07950d210f",
|
|
"value": "e40bb5beec5678537e8fe537f872b2ad6b77e08a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-27d8-4641-9e14-41d3950d210f",
|
|
"value": "522e5f02c06ad215c9d0c23c5a6a523d34ae4e91"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-653c-4486-8351-411e950d210f",
|
|
"value": "c380038a57ffb8c064851b898f630312fabcbba7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-b4fc-48b1-8957-4dc8950d210f",
|
|
"value": "267f144d771b4e2832798485108decd505cb824a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-9c70-439b-bd16-4851950d210f",
|
|
"value": "52f6d09cccdbc38d66c184521e7ccf6b28c4b4d9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-ce1c-4884-b7d7-48b6950d210f",
|
|
"value": "475c59744accb09724dae610763b7284646ab63f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-51ec-40e6-a397-428e950d210f",
|
|
"value": "22542a3245d52b7bcdb3eaef5b8b2693f451f497"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-97e8-4083-8edc-4ce0950d210f",
|
|
"value": "2b9faa8b0fcadac710c7b2b93d492ff1028b5291"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-eaec-442c-a5ed-4856950d210f",
|
|
"value": "e05ab6978c17724b7c874f44f8a6cbfb1c56418d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-12e4-4e6b-8316-4fe5950d210f",
|
|
"value": "6dec3438d212b67356200bbac5ec7fa41c716d86"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-3648-450c-bccd-47fa950d210f",
|
|
"value": "b548863df838069455a76d2a63327434c02d0d9d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-49e0-460b-8368-40b1950d210f",
|
|
"value": "c3e6511377dfe85a34e19b33575870dda8884c3c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-d564-4190-aed1-4415950d210f",
|
|
"value": "9ff4f59ca26388c37d0b1f0e0b22322d926e294a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-2588-4bbb-b048-4232950d210f",
|
|
"value": "029aa51549d0b9222db49a53d2604d79ad1c1e59"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-73b8-4a85-a811-4fee950d210f",
|
|
"value": "cecc70f2b2d50269191336219a8f893d45f5e979"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-5550-4519-b790-43e9950d210f",
|
|
"value": "7fac4fc130637afab31c56ce0a01e555d5dea40d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-eee4-4d0b-8c9d-4bc5950d210f",
|
|
"value": "5838a51426ca6095b1c92b87e1be22276c21a044"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-98bc-4f42-bc01-439c950d210f",
|
|
"value": "3944253f6b7019eed496fad756f4651be0e282b4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-1824-4364-bec3-4795950d210f",
|
|
"value": "228da957a9ed661e17e00efba8e923fd17fae054"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-c3b0-424b-bb55-418d950d210f",
|
|
"value": "295d142a7bdced124fdcc8edfe49b9f3acceab8a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-73fc-45bc-b350-411e950d210f",
|
|
"value": "0f97f599fab7f8057424340c246d3a836c141782"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-3530-4960-b9ea-42d2950d210f",
|
|
"value": "dbb185e493a0fdc959763533d86d73f986409f1b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-1994-4758-8d47-4c02950d210f",
|
|
"value": "4701828dee543b994ed2578b9e0d3991f22bd827"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-9ac0-4e36-b595-4384950d210f",
|
|
"value": "6fd611667ba19691958b5b72673b9b802edd7ff8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-fd10-4c92-b900-407c950d210f",
|
|
"value": "fcabeb735c51e2b8eb6fb07bda8b95401d069bd8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-3b30-4742-813e-4784950d210f",
|
|
"value": "75831df9cbcfd7bf812511148d2a0f117324a75f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-3ca0-4133-858f-4941950d210f",
|
|
"value": "bae3ae65c32838fb52a0f5ad2cde8659d2bff9f3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-9144-4d5d-a4f1-4299950d210f",
|
|
"value": "37ff6841419adc51eeb8756660b2fb46f3eb24ed"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-dfa8-40d5-b9ff-461a950d210f",
|
|
"value": "9e6de3577b463451b7afce24ab646ef62ad6c2bd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-0f30-4733-9240-4981950d210f",
|
|
"value": "795c6ee27b147ff0a05c0477f70477e315916e0e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-3620-4bfc-bf16-40f1950d210f",
|
|
"value": "8184ad9d6bbd03e99a397f8e925fa66cfbe5cf1b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-5dd8-432b-9b61-4d3f950d210f",
|
|
"value": "7ced96b08d7593e28fee616eccbc6338896517cf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-8e28-4524-b985-4ad0950d210f",
|
|
"value": "63c534630c2ce0070ad203f9704f1526e83ae586"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-7160-496e-8475-4b17950d210f",
|
|
"value": "23f1e3be3175d49e7b262cd88cfd517694dcba18"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-0998-4d01-a6b0-428c950d210f",
|
|
"value": "7a6f1486269abdc1d658db618dc3c6f2ac85a4a7"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-7228-4d01-923b-4864950d210f",
|
|
"value": "11b35320fb1cf21d2e57770d8d8b237eb4330eaa"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-aca0-43d4-a7ae-4357950d210f",
|
|
"value": "e8a2bad87027f2bf3ecae477f805de13fccc0181"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-aa8c-4ec7-9d98-41ae950d210f",
|
|
"value": "950f0b0c7701835c5fbdb6c5698a04b8afe068e6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-8fdc-4575-b62f-4c34950d210f",
|
|
"value": "a5eec8c6aadf784994bf68d9d937bb7af3684d5c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-f678-4aaa-bc65-4d6f950d210f",
|
|
"value": "411ef895fe8dd4e040e8bf4048f4327f917e5724"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-26c8-475d-8df1-4b36950d210f",
|
|
"value": "c1288df9022bcd2c0a217b1536dfa83928768d06"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-5c2c-4d74-8c23-45ed950d210f",
|
|
"value": "4b6ef62d5d59f2fe7f245dd3042dc7b83e3cc923"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59a7f64b-7a84-446f-a7c4-43e6950d210f",
|
|
"value": "7f54f9f2a6909062988ae87c1337f3cf38d68d35"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295665",
|
|
"to_ids": false,
|
|
"type": "yara",
|
|
"uuid": "59a7f6e6-5934-4fa2-94d1-4db5950d210f",
|
|
"value": "import \"pe\"\r\nimport \"math\"\r\nimport \"hash\"\r\nrule Gazer_certificate_subject {\r\n condition:\r\n for any i in (0..pe.number_of_signatures - 1):\r\n (pe.signatures[i].subject contains \"Solid Loop\" or \r\npe.signatures[i].subject contains \"Ultimate Computer Support\")\r\n}\r\nrule Gazer_certificate\r\n{\r\n strings:\r\n $certif1 = {52 76 a4 53 cd 70 9c 18 da 65 15 7e 5f 1f de 02}\r\n $certif2 = {12 90 f2 41 d9 b2 80 af 77 fc da 12 c6 b4 96 9c}\r\n condition:\r\n (uint16(0) == 0x5a4d) and 1 of them and filesize < 2MB\r\n}\r\nrule Gazer_logfile_name\r\n{\r\n strings:\r\n $s1 = \"CVRG72B5.tmp.cvr\"\r\n $s2 = \"CVRG1A6B.tmp.cvr\"\r\n $s3 = \"CVRG38D9.tmp.cvr\"\r\n condition:\r\n (uint16(0) == 0x5a4d) and 1 of them\r\n}"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a9baf2-6c64-4121-a01c-49a502de0b81",
|
|
"value": "93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a9baf2-7580-46ee-93bf-491102de0b81",
|
|
"value": "ccc172686bc7afc51349713178e2e45e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: a5eec8c6aadf784994bf68d9d937bb7af3684d5c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a9baf2-d000-4de0-87fb-4c7802de0b81",
|
|
"value": "https://www.virustotal.com/file/93e36c336b5b20b3c33b7d0f8844572ddcc10046d1fe91b7b106d78c7fea932c/analysis/1504156268/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a9baf2-b870-4ac5-b7e7-497902de0b81",
|
|
"value": "4013d3c221c6924e8c525aac7ed0402bd5349a28dcbc20bc1ff6bd09079faacf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a9baf2-8268-4aec-8206-43a402de0b81",
|
|
"value": "fd7e0ecc41735d3ba0329e1e311689f8"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: c380038a57ffb8c064851b898f630312fabcbba7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a9baf2-7d34-45a7-b496-478402de0b81",
|
|
"value": "https://www.virustotal.com/file/4013d3c221c6924e8c525aac7ed0402bd5349a28dcbc20bc1ff6bd09079faacf/analysis/1504278816/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a9baf2-bd24-454d-813b-47d702de0b81",
|
|
"value": "a65bc4adbd61c098acf40ef81dc8b6b10269af0d9ebbdc18b48439df76c18cb3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a9baf2-1358-450e-8816-480002de0b81",
|
|
"value": "0c6bb4ce1251c34365b8eb2a933dc431"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: e40bb5beec5678537e8fe537f872b2ad6b77e08a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a9baf2-982c-46bd-aa57-438c02de0b81",
|
|
"value": "https://www.virustotal.com/file/a65bc4adbd61c098acf40ef81dc8b6b10269af0d9ebbdc18b48439df76c18cb3/analysis/1504263553/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a9baf2-b0e8-4da9-9061-4e1a02de0b81",
|
|
"value": "d0b169d2e753191a5c366a863d216bc5a9eb5e173f0bd5a61f126c4fd16484ac"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a9baf2-813c-4fcd-8510-4af702de0b81",
|
|
"value": "5a2acbc101a8323f876bdd26948ee8a7"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: b151cd7c4f9e53a8dcbdeb7ce61ccdd146eb68ab",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a9baf2-f00c-4a55-b56a-465002de0b81",
|
|
"value": "https://www.virustotal.com/file/d0b169d2e753191a5c366a863d216bc5a9eb5e173f0bd5a61f126c4fd16484ac/analysis/1504183815/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59a9baf2-44b0-4e39-b77d-423802de0b81",
|
|
"value": "473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59a9baf2-6ccc-4ade-a349-445702de0b81",
|
|
"value": "b099b82acb860d9a9a571515024b35f0"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 35f205367e2e5f8a121925bbae6ff07626b526a7",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504295666",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59a9baf2-98ac-43c0-a0a8-445f02de0b81",
|
|
"value": "https://www.virustotal.com/file/473aa2c3ace12abe8a54a088a08e00b7bd71bd66cda16673c308b903c796bec0/analysis/1504278826/"
|
|
}
|
|
]
|
|
}
|
|
} |