{
"Event": {
"analysis": "2",
"date": "2018-07-03",
"extends_uuid": "",
"info": "Clipboard CryptoCoin Hijacker",
"publish_timestamp": "1530625191",
"published": true,
"threat_level_id": "2",
"timestamp": "1530625163",
"uuid": "5b3b7b62-5728-4980-937b-40240acd0835",
"Orgc": {
"name": "Synovus Financial",
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Megasync.exe/allradio_4.27_portable.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-702c-45b3-831a-024a0acd0835",
"value": "9d891048dddda8a65de966c71f81464b20e402766aaee8a284da8d25c98270bd"
},
{
"category": "Payload delivery",
"comment": "Clipboard CryptoCoin Hijacker, d3dx11_31.dll",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-c67c-4e90-8a40-024a0acd0835",
"value": "48b66dd02a336eb049a784b3fd1beb5312fb8c078b3729d49e92e3e986c98e91"
},
{
"category": "Payload delivery",
"comment": "Logger.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-6d70-4225-b6ad-024a0acd0835",
"value": "0cc32e6e6a407b2b69e1d89b3f005eecc54e238104725dcdcc8d3fc09c109bb4"
},
{
"category": "Payload delivery",
"comment": "Injected miner",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-e698-4e7c-86fa-024a0acd0835",
"value": "cf8ef10678e63ffd02a5a35c84461d0195e0eed234bf9328eede52f3bef0e5f7"
},
{
"category": "Payload delivery",
"comment": "Hidden Service",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-cbb0-4075-9c70-024a0acd0835",
"value": "2e23ab52259e45eaced300811a6d6795db719b029d06b08ca7bac7d86cc289ad"
},
{
"category": "Payload delivery",
"comment": "Satamon.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-2b64-42b1-b364-024a0acd0835",
"value": "2c3eae980a88e7bb6a91f2b466856f612f34b8a37fac46bbbb52c0af0e695488"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-5fe0-459b-8a68-024a0acd0835",
"value": "ffdc286711557df5f0bfd6a96744e93633d13fe45c02c240d5d6cf7531b21847",
"Tag": [
{
"colour": "#42933e",
"name": "Adware"
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-fcec-4230-94ba-024a0acd0835",
"value": "20bdef6e68bbec5ddeb7b893a9b4f387adbf2ee304963e905d98116a57334a41",
"Tag": [
{
"colour": "#42933e",
"name": "Adware"
}
]
},
{
"category": "Payload delivery",
"comment": "Temp downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-d310-4dcb-be70-024a0acd0835",
"value": "acf810c7bb3961fd42f5925fcd4417cb812eb6fdaad00c98830c522d54c7f6eb"
},
{
"category": "Payload delivery",
"comment": "Temp downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624986",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bda-cb08-43c7-a5aa-024a0acd0835",
"value": "084d4811c47a5dc36df59bfaf477e1f0bf3a9b3901877de1d1548c3343d1e4d6"
},
{
"category": "Payload delivery",
"comment": "Temp downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530624987",
"to_ids": true,
"type": "sha256",
"uuid": "5b3b7bdb-fe10-4c9d-af40-024a0acd0835",
"value": "ea92702d5fe168a57ccf5abbe6b9f5eca25f039e111db4b010183aa6909c38d2"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-c840-40dd-ac6d-28b70acd0835",
"value": "HKCU\\Software\\All-Radio"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-f378-43e3-b6f5-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-0998-428e-b04f-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\TimeStamp\t914BE45509E88CBE12C9C147B92F8928"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-1978-4c09-995a-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\CurrentLanguage\tEnglish"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-2764-426d-998b-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\skin name\tCold"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-3294-4b11-92e1-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\color\t0"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-4788-4c49-9e44-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\saturation\t0"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-4ed0-48e1-98be-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\use skin\t1"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-5230-4d33-bb44-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\CurrentServer\thttp://www.radioserver2.com/"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-4e24-4424-bf77-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\ServersCount\t8"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-5e68-475b-bb2f-28b70acd0835",
"value": "HKCU\\Software\\All-Radio\\Settings\\resize\t1"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-5ea8-4f33-8ddf-28b70acd0835",
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agwpyjho\t\"%USERPROFILE%\\gidulfmf.exe\""
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-7464-428d-bd37-28b70acd0835",
"value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\DirectX 11\trundll32 %Temp%\\d3dx11_31.dll,includes_func_runnded"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-93e4-4134-8ab3-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-a6e4-4316-a19e-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Path\t\\Opera scheduled Autoupdate 1427321617"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-b5fc-41d6-b3a7-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Hash\tBINARY SIZE=32 MD5=5520F781167B06815EF8BD54DD186F9C"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-b768-43cb-8995-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\Triggers\tBINARY SIZE=352 MD5=83356B89B15EAB067435487A7B92FDBE"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-d9a4-40e4-b86f-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\{E50B01A9-6717-4321-B6C1-3444E35D4419}\\DynamicInfo\tBINARY SIZE=28 MD5=3068A03846DFF3649992C32FBA75E688"
},
{
"category": "Persistence mechanism",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625013",
"to_ids": false,
"type": "regkey",
"uuid": "5b3b7bf5-fa50-44a7-b755-28b70acd0835",
"value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\%WINDIR%\\SysWOW64\\kqgzitry\t0"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1530625146",
"to_ids": false,
"type": "link",
"uuid": "5b3b7c72-4be0-49cf-94eb-28b50acd0835",
"value": "https://www.bleepingcomputer.com/news/security/all-radio-427-portable-cant-be-removed-then-your-pc-is-severely-infected/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
}
]
}
}