{
"Event": {
"analysis": "2",
"date": "2014-10-05",
"extends_uuid": "",
"info": "PWS: Win32/Kegotip.C",
"publish_timestamp": "1460041809",
"published": true,
"threat_level_id": "3",
"timestamp": "1460041291",
"uuid": "5706756e-958c-4c53-8f77-45f4950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041141",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b5-e1ec-4652-9bf7-350b950d210f",
"value": "176.31.104.106"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041141",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b5-cc80-446f-927a-350b950d210f",
"value": "188.165.227.61"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041142",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b6-d020-44d7-89c7-350b950d210f",
"value": "188.165.228.199"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041142",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b6-538c-4e04-855b-350b950d210f",
"value": "46.165.243.25"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041142",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b6-c650-4975-9ebc-350b950d210f",
"value": "5.135.178.153"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041143",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b7-aa74-4be3-b5b2-350b950d210f",
"value": "93.113.37.210"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041143",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b7-ab74-4d18-a67f-350b950d210f",
"value": "94.23.32.170"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041143",
"to_ids": true,
"type": "ip-dst",
"uuid": "570675b7-f404-471d-8e8f-350b950d210f",
"value": "94.75.227.218"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041143",
"to_ids": true,
"type": "hostname",
"uuid": "570675b7-69e8-4c6b-9676-350b950d210f",
"value": "bestconspires.co.in"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041144",
"to_ids": true,
"type": "domain",
"uuid": "570675b8-88f0-42ea-8118-350b950d210f",
"value": "gefuret.org"
},
{
"category": "Network activity",
"comment": "The collected data will be sent to remote server. We have seen this threat connect to the following domains using TCP ports 80 and 20050-20053:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041144",
"to_ids": true,
"type": "domain",
"uuid": "570675b8-4cb0-473d-b9d9-350b950d210f",
"value": "localeventit.pro"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041162",
"to_ids": false,
"type": "link",
"uuid": "570675ca-d5f4-473e-99a2-350b950d210f",
"value": "https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=PWS:Win32/Kegotip.C"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1460041291",
"to_ids": false,
"type": "comment",
"uuid": "5706764b-31d0-436c-b293-6b92950d210f",
"value": "This threat can steal your email addresses and other personal information, such as your user names and passwords, from several applications, including FTP software, Outlook Express and Internet Explorer. It sends the stolen data to a malicious hacker."
}
]
}
}