{
"Event": {
"analysis": "2",
"date": "2017-10-16",
"extends_uuid": "",
"info": "OSINT - CoalaBot: http Ddos Bot",
"publish_timestamp": "1540717002",
"published": true,
"threat_level_id": "3",
"timestamp": "1540716975",
"uuid": "5bb71d5e-8784-489b-b33f-46e7950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"CoalaBot\""
},
{
"colour": "#00bdbd",
"name": "ecsirt:availability=\"ddos\""
},
{
"colour": "#285c00",
"name": "ddos:type=\"amplification-attack\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1538732907",
"to_ids": false,
"type": "text",
"uuid": "5bb71d7e-b968-4998-ac69-4c42950d210f",
"value": "CoalaBot appears to be built on August Stealer code (Panel and Traffic are really alike)\r\n\r\nI found it spread as a task in a Betabot and in an Andromeda spread via RIG fed by at least one HilltopAds malvertising.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1538732894",
"to_ids": false,
"type": "link",
"uuid": "5bb72389-6444-419d-8c8e-4877950d210f",
"value": "https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "15",
"timestamp": "1540716844",
"uuid": "5bb727a6-c410-4389-b3c0-4fbf950d210f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1538729894",
"to_ids": true,
"type": "sha1",
"uuid": "5bb727a6-c35c-4ef0-8214-498e950d210f",
"value": "0ff1584eec4fc5c72439d94e8cee922703c44049"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1538729895",
"to_ids": true,
"type": "sha256",
"uuid": "5bb727a7-e830-4435-8bb8-49e8950d210f",
"value": "fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1538729900",
"to_ids": true,
"type": "md5",
"uuid": "5bb727ac-7f4c-4787-acc8-4dd8950d210f",
"value": "f3862c311c67cb027a06d4272b680a3b"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1538729904",
"to_ids": false,
"type": "text",
"uuid": "5bb727b0-3d84-4e65-ba6c-479e950d210f",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1540716847",
"uuid": "bbdbeb9e-0530-483d-b1c9-5351a35d1be7",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1540716851",
"to_ids": false,
"type": "datetime",
"uuid": "07e074a4-cebf-4e42-9d97-2424eefe62f3",
"value": "2018-05-19T06:43:56"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1540716852",
"to_ids": false,
"type": "link",
"uuid": "0be6e036-4e69-4a59-8f46-c88815452718",
"value": "https://www.virustotal.com/file/fd07ad13dbf9da3f7841bc0dbfd303dc18153ad36259d9c6db127b49fa01d08f/analysis/1526712236/"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1540716852",
"to_ids": false,
"type": "text",
"uuid": "e03a39f8-2e23-436e-be47-81ef153eaed7",
"value": "48/67"
}
]
}
]
}
}