394 lines
No EOL
14 KiB
JSON
394 lines
No EOL
14 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-09-03",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Javascript malware hosted on US government site which launches powershell to connect to C2.",
|
|
"publish_timestamp": "1513594406",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1513594323",
|
|
"uuid": "59ac43b3-d8a8-4fcf-9543-4a8f02de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#003860",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"pastie-website\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59ac43e1-dff8-46a7-9514-4f4702de0b81",
|
|
"value": "https://pastebin.com/0eAPV7Lc",
|
|
"Tag": [
|
|
{
|
|
"colour": "#003860",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"pastie-website\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59ac43f8-6c28-48c0-99e0-453402de0b81",
|
|
"value": "1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59ac4419-3df8-4eda-9312-421002de0b81",
|
|
"value": "898e4131496d0ae8eb3fd2a742a30830be3989f6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1504461849",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59ac4419-4af4-416c-aa4f-4cb302de0b81",
|
|
"value": "c714ca63fc9fccce002941c171c07e4d"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59ac4419-ddd0-47d5-a136-4ac002de0b81",
|
|
"value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504118595/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Javascript malware hosted on US government site which launches powershell to connect to C2.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "59ac444f-e13c-4f0d-9ff7-aa5c02de0b81",
|
|
"value": "http://dms.nwcg.gov/pipermail/ross-suggestion/attachments/20170304/9ee8a89e/attachment.zip"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59ac4475-de90-483c-81a6-492502de0b81",
|
|
"value": "https://blog.newskysecurity.com/us-government-site-unwittingly-hosting-malware-f1f4f11b6a1d",
|
|
"Tag": [
|
|
{
|
|
"colour": "#0c9100",
|
|
"local": "0",
|
|
"name": "admiralty-scale:source-reliability=\"f\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513587291",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a3781ac-e49c-4f47-a5c0-47a9950d210f",
|
|
"value": "1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6",
|
|
"Tag": [
|
|
{
|
|
"colour": "#3a001f",
|
|
"local": "0",
|
|
"name": "workflow:todo=\"expansion\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Configuration of Cerber hosted on US Gov website",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a37820a-a000-466c-bff1-44e1950d210f",
|
|
"value": "https://pastebin.com/HAiqH0Wq",
|
|
"Tag": [
|
|
{
|
|
"colour": "#003860",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"pastie-website\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1513594318",
|
|
"uuid": "7bbbd45c-82a1-44f6-ab72-7fdf191b8148",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "7bbbd45c-82a1-44f6-ab72-7fdf191b8148",
|
|
"referenced_uuid": "8328c6e4-df62-4f8a-b9c4-309693e5d9f9",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1513594315",
|
|
"uuid": "5a379dcb-d7a8-4b2f-b46a-4a6602de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a379dcb-6f40-4694-8cc3-4b9502de0b81",
|
|
"value": "898e4131496d0ae8eb3fd2a742a30830be3989f6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a379dcb-618c-415b-b981-43b602de0b81",
|
|
"value": "c714ca63fc9fccce002941c171c07e4d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a379dcb-d8d0-44f4-9542-4a8202de0b81",
|
|
"value": "1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1513594315",
|
|
"uuid": "8328c6e4-df62-4f8a-b9c4-309693e5d9f9",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a379dcb-1d74-48e4-8937-48b002de0b81",
|
|
"value": "https://www.virustotal.com/file/1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd/analysis/1504922776/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a379dcb-5f38-4007-a029-423d02de0b81",
|
|
"value": "36/60"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "- Xchecked via VT: 1e6851e6e0ff2e0e430e882c8326334471ab2e35ebbac4104bd2aa27128ea6bd",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a379dcb-d190-49b0-adbe-42a502de0b81",
|
|
"value": "2017-09-09T02:06:16"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1513594318",
|
|
"uuid": "5e701ff1-51b4-4e2b-aacd-421636d9c852",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5e701ff1-51b4-4e2b-aacd-421636d9c852",
|
|
"referenced_uuid": "801bce9a-1810-4811-a6e0-b8338414db9d",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1513594316",
|
|
"uuid": "5a379dcc-f874-4938-92df-4a4702de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a379dcb-dd7c-4776-8a74-436a02de0b81",
|
|
"value": "f996046fea268074d2edd430e628f23942d7b5b6"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a379dcb-71ac-4d71-b6b1-47b702de0b81",
|
|
"value": "61bcd1f3233b857be0aee9ceba6779f3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1513594315",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a379dcb-7954-4470-8c38-401d02de0b81",
|
|
"value": "1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1513594315",
|
|
"uuid": "801bce9a-1810-4811-a6e0-b8338414db9d",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a379dcb-2534-458c-b5be-40a602de0b81",
|
|
"value": "https://www.virustotal.com/file/1f15415da53df8a8e0197aa7e17e594d24ea6d7fbe80fe3bb4a5cd41bc8f09f6/analysis/1504623436/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a379dcb-1b28-4489-b32e-4db702de0b81",
|
|
"value": "51/64"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Cerber Ransomware",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1513594315",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a379dcb-ab70-4d4e-8fba-4c1c02de0b81",
|
|
"value": "2017-09-05T14:57:16"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |