{
"Event": {
"analysis": "2",
"date": "2015-02-24",
"extends_uuid": "",
"info": "OSINT A deeper look into ScanBox TLP:WHITE report from PWC UK",
"publish_timestamp": "1456154126",
"published": true,
"threat_level_id": "2",
"timestamp": "1434353282",
"uuid": "54ec3439-7154-48e4-ae1e-4c1c950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766047",
"to_ids": false,
"type": "link",
"uuid": "54ec345f-6524-4783-bc45-41c5950d210b",
"value": "http://pwc.blogs.com/cyber_security_updates/2015/02/my-entry.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766047",
"to_ids": false,
"type": "link",
"uuid": "54ec345f-43d8-4a5a-b214-448c950d210b",
"value": "http://pwc.blogs.com/files/2015-02-24--scanbox-ii---tlpwhite.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766071",
"to_ids": false,
"type": "text",
"uuid": "54ec3477-e1a8-43b2-8731-4047950d210b",
"value": "ScanBox"
},
{
"category": "Network activity",
"comment": "Malware distribution point",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766144",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec34c0-ad7c-488c-ab16-42fc950d210b",
"value": "88.80.190.133"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766515",
"to_ids": true,
"type": "domain",
"uuid": "54ec3633-164c-47a9-8693-4dad950d210b",
"value": "googlecaches.com"
},
{
"category": "Network activity",
"comment": "Legitimate compromised site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766645",
"to_ids": true,
"type": "domain",
"uuid": "54ec36b6-6678-4619-9169-4f79950d210b",
"value": "gokbayrak.com"
},
{
"category": "Network activity",
"comment": "Legitimate compromised site",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766703",
"to_ids": true,
"type": "domain",
"uuid": "54ec36d4-caf8-4d3d-83eb-4746950d210b",
"value": "macanna.com.tw"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766722",
"to_ids": true,
"type": "md5",
"uuid": "54ec3702-76c4-4368-b35e-4406950d210b",
"value": "3b8d7732de3b3c8823d241e7cd3185c4"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766744",
"to_ids": true,
"type": "hostname",
"uuid": "54ec3718-c068-4cdc-9cb6-510f950d210b",
"value": "happynewyear.dns04.com"
},
{
"category": "Network activity",
"comment": "IP of happynewyear.dns04.com; it also hosts many other malicious host names",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424766828",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec376c-66f4-415a-b8ef-47e5950d210b",
"value": "115.23.172.151"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767422",
"to_ids": false,
"type": "text",
"uuid": "54ec39be-9658-411d-9a63-43c5950d210b",
"value": "TH3Bug"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767939",
"to_ids": true,
"type": "hostname",
"uuid": "54ec39d8-4934-47ac-aa10-479d950d210b",
"value": "news.foundationssl.com"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767470",
"to_ids": false,
"type": "text",
"uuid": "54ec39ee-9854-4f56-b521-474b950d210b",
"value": "Deep Panda"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767511",
"to_ids": true,
"type": "domain",
"uuid": "54ec3a18-b9d4-4f76-93e7-4f99950d210b",
"value": "qoog1e.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767530",
"to_ids": true,
"type": "domain",
"uuid": "54ec3a2a-0918-435c-a163-4b3e950d210b",
"value": "webmailgoogle.com"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-8f44-4071-9fdd-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (plugin_pdf_ie())\"; flow:established,from_server; file_data; content:\"plugin_pdf_ie()\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-4bf8-4707-9c47-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (.item(0).appendChild(iframe_tag))\"; flow:established,from_server; file_data; content:\".item(0).appendChild(iframe_tag)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-04c8-4824-a61e-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox and Targetted Watering Holes Content (var version\\;var ax\\;var e\\;try{axo=new ActiveXObject)\"; flow:established,from_server; file_data; content:\"var version\\;var ax\\;var e\\;try{axo=new ActiveXObject\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-3ef8-4b3b-806b-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;)\"; flow:established,from_server; file_data; content:\"document.getElementsByTagName('head').item(0).appendChild(form_tag)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-b1b4-40fd-ac2b-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - ScanBox Watering Hole Content (return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;)\"; flow:established,from_server; file_data; content:\"return ((!a) ? 'x-': a) + Math.floor(Math.random() * 99999)\\;\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767781",
"to_ids": true,
"type": "snort",
"uuid": "54ec3b25-1528-4ea9-bf00-65e2950d210b",
"value": "alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:\"--[PwC CTD] -- MultiGroup - TH3BUG and Non-Targetted Groups Watering Hole Code (Chr(CInt(ns(i)) Xor n))\"; flow:established,from_server; file_data; content:\"Chr(CInt(ns(i)) Xor n)\"; classtype:trojan-activity; reference:url,pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html; metadata:tlp WHITE,author CDD; rev:2015021901;)"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767845",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec3b65-b04c-483f-8b0d-c5e6950d210b",
"value": "1.9.5.38"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767845",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec3b65-abc4-4227-8c5c-c5e6950d210b",
"value": "103.255.61.227"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767845",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec3b65-82ac-49a8-b2b2-c5e6950d210b",
"value": "118.193.153.221"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767845",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec3b65-28c0-4bd8-93e3-c5e6950d210b",
"value": "118.193.153.227"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767845",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec3b65-3d60-4126-ad34-c5e6950d210b",
"value": "174.121.122.73"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767939",
"to_ids": true,
"type": "hostname",
"uuid": "54ec3b95-14c8-409d-a793-48bb950d210b",
"value": "file.googlecaches.com"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767939",
"to_ids": true,
"type": "hostname",
"uuid": "54ec3b95-9fe8-4d24-be71-4665950d210b",
"value": "gtm.googlecaches.com"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767939",
"to_ids": true,
"type": "hostname",
"uuid": "54ec3b95-7118-461c-ba2c-4cfb950d210b",
"value": "js.googlewebcache.com"
},
{
"category": "Network activity",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767939",
"to_ids": true,
"type": "hostname",
"uuid": "54ec3b95-5820-4cb3-b8dd-4c54950d210b",
"value": "owa.outlookssl.com"
},
{
"category": "Payload delivery",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767971",
"to_ids": true,
"type": "sha256",
"uuid": "54ec3be3-cb88-4725-8231-41ca950d210b",
"value": "4639c30b3666cb11b3927d5579790a88bff68e8137f18241f4693e0d4539c608"
},
{
"category": "Payload delivery",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767971",
"to_ids": true,
"type": "sha1",
"uuid": "54ec3be3-4954-479c-b579-422f950d210b",
"value": "809959f390d5a49c8999ad6fff27fdc92ff1b2b0"
},
{
"category": "Payload delivery",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767972",
"to_ids": true,
"type": "sha256",
"uuid": "54ec3be4-7b64-4b7a-aab6-4de2950d210b",
"value": "ab58b6aa7dcc25d8f6e4b70a24e0ccede0d5f6129df02a9e61293c1d7d7640a2"
},
{
"category": "Payload delivery",
"comment": "Cluster 1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424767972",
"to_ids": true,
"type": "sha1",
"uuid": "54ec3be4-2c04-47d0-8172-4e87950d210b",
"value": "e8a8ffe39040fe36e95217b4e4f1316177d675ed"
},
{
"category": "Network activity",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec4094-59d4-4b92-883c-4c9a950d210b",
"value": "122.10.10.161"
},
{
"category": "Network activity",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec4094-fc8c-4e3f-a701-40f4950d210b",
"value": "204.152.199.43"
},
{
"category": "Network activity",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "ip-dst",
"uuid": "54ec4095-baf4-4f93-bd14-430f950d210b",
"value": "50.2.24.211"
},
{
"category": "Network activity",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "hostname",
"uuid": "54ec40a9-18ac-4e47-a399-4941950d210b",
"value": "bak.mailaunch.com"
},
{
"category": "Network activity",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "hostname",
"uuid": "54ec40a9-7220-4c16-979d-4913950d210b",
"value": "us-mg6.mail.yahoo.mailaunch.com"
},
{
"category": "Payload delivery",
"comment": "Cluster 4",
"deleted": false,
"disable_correlation": false,
"timestamp": "1424769246",
"to_ids": true,
"type": "sha1",
"uuid": "54ec40bc-e490-4845-a9d6-65e2950d210b",
"value": "f1890cc9d6dc84021426834063394539414f68d8"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1434353282",
"to_ids": false,
"type": "link",
"uuid": "557e7e82-ee90-4a49-b920-3a74950d210b",
"value": "http://pwc.blogs.com/files/cto-tib-20150223-01a.pdf"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838627",
"to_ids": true,
"type": "md5",
"uuid": "56c655a3-066c-40d9-847b-59a3950d210f",
"value": "be3a3daa7d0d11df2380d3401696624a"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via e8a8ffe39040fe36e95217b4e4f1316177d675ed)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838628",
"to_ids": true,
"type": "md5",
"uuid": "56c655a4-a164-4629-8286-599e950d210f",
"value": "ef498ea09bf51b002fc7eb3dfd0d19d3"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 809959f390d5a49c8999ad6fff27fdc92ff1b2b0)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838630",
"to_ids": true,
"type": "md5",
"uuid": "56c655a6-4ed4-4e67-93a4-4e9c950d210f",
"value": "9cf5523da799277a4d40881199eb8325"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838625",
"to_ids": true,
"type": "sha1",
"uuid": "56c655a1-b548-42d5-8f06-c652950d210f",
"value": "27a774e6bb82d4575598be00eb2ca44734d9bcf2"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (via 3b8d7732de3b3c8823d241e7cd3185c4)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838626",
"to_ids": true,
"type": "sha256",
"uuid": "56c655a2-ca34-4a49-a2cb-59a1950d210f",
"value": "9dc7d24cf0e0426e0e882badd6145de57384206fd6be46dc31fdfc7ea2a072cc"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via f1890cc9d6dc84021426834063394539414f68d8)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455838628",
"to_ids": true,
"type": "sha256",
"uuid": "56c655a4-fdec-4a71-abf7-4d79950d210f",
"value": "3112420afeb829a575ba46512314c0fab2fc80870c153de35cde4d3140a2dd26"
}
]
}
}