476 lines
No EOL
16 KiB
JSON
476 lines
No EOL
16 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2020-06-08",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - New Cyber Operation Targets Italy: Digging Into the Netwire Attack Chai",
|
|
"publish_timestamp": "1591613967",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1591613958",
|
|
"uuid": "5ede1810-6cfc-4a01-adb0-470902de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:rat=\"Netwire\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613471",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5ede181f-f798-45c0-a074-4e8802de0b81",
|
|
"value": "https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5ede1831-67d4-4f13-9438-4929e387cbd9",
|
|
"value": "ce7b8394cdc66149f91ed39ce6c047ee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5ede1831-1b50-4630-b338-46c5e387cbd9",
|
|
"value": "4e4001c6c47d09009eb24ce636bf5906"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5ede1831-4dd0-48ed-bcfd-47fde387cbd9",
|
|
"value": "4b8e4d05092389216f947e980ac8a7b9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5ede1831-7178-468c-a00e-42d2e387cbd9",
|
|
"value": "ad066878659d1f2d0aee06546d3e500b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5ede1831-9d98-43a1-8264-449ee387cbd9",
|
|
"value": "ebe4a3f4ceb6d8f1a0485e3ce4333a7c"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "dropsite",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613526",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5ede1856-22c0-4d4a-84c0-4371e387cbd9",
|
|
"value": "cloudservices-archive.best"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "C2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613585",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5ede1891-e434-48d0-901a-4ba0e387cbd9",
|
|
"value": "185.140.53.48"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1591613628",
|
|
"to_ids": true,
|
|
"type": "regkey",
|
|
"uuid": "5ede18bc-9744-4008-97ed-4d1a950d210f",
|
|
"value": "HKCU\\Software\\NetWire"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1591613500",
|
|
"uuid": "93f556f4-1c4b-42f6-b34b-36acac26b2d5",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "93f556f4-1c4b-42f6-b34b-36acac26b2d5",
|
|
"referenced_uuid": "7516cd9d-c920-44fa-92f2-d0e72a9c5e8b",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1591613501",
|
|
"uuid": "5ede183d-1bb4-4814-be8f-476b02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "c65f2d81-b3cd-4ad6-b072-c5aa4596bdd2",
|
|
"value": "ad066878659d1f2d0aee06546d3e500b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "0fe9c9c2-1db1-4a6b-8741-a6c2078c668b",
|
|
"value": "fb7f0880acc174e0c89728783c348cba69315b08"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "aad0f64a-5189-40e4-a99a-c70e8e780819",
|
|
"value": "48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1591613500",
|
|
"uuid": "7516cd9d-c920-44fa-92f2-d0e72a9c5e8b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "496eac0e-698f-4ea0-ab26-4bc466225bb6",
|
|
"value": "2020-06-08T02:32:26+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "54756807-9746-4083-b6ec-55f6dcc03d9c",
|
|
"value": "https://www.virustotal.com/gui/file/48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c/detection/f-48d9c8293d94c851dec10832b2ef6800dc91669e8fef96d8763d17d6b225e42c-1591583546"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "98064a88-4e53-446c-a5bb-197eb881c9b2",
|
|
"value": "30/71"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1591613500",
|
|
"uuid": "8643d2ab-58e2-4f2a-8bdf-775e51e94e83",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "8643d2ab-58e2-4f2a-8bdf-775e51e94e83",
|
|
"referenced_uuid": "ac7894f1-8369-4475-858b-5e0d797603fa",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1591613501",
|
|
"uuid": "5ede183d-f740-4916-80ad-4d3402de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "d979e93f-b087-4eb8-904c-1ef55f77abc9",
|
|
"value": "ce7b8394cdc66149f91ed39ce6c047ee"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "ee13406c-23c6-4662-ab86-79ee474eed8b",
|
|
"value": "2e0003aeda533f10ef3a69cb6217dbc1da980b9e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "21fcf321-de46-4699-855e-f0a22981004e",
|
|
"value": "b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1591613500",
|
|
"uuid": "ac7894f1-8369-4475-858b-5e0d797603fa",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "75f593f3-25bf-4602-b637-0b6422e543c3",
|
|
"value": "2020-06-02T17:10:55+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5c188649-b2d1-4765-9f41-b6ff4c233eca",
|
|
"value": "https://www.virustotal.com/gui/file/b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79/detection/f-b7e95d0dcedd77ab717a33163af23ab2fd2dc6d07cdf81c5e4cfe080b0946b79-1591117855"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e11599e7-9145-400f-99a4-2ef1ef9ffdf0",
|
|
"value": "37/64"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1591613500",
|
|
"uuid": "1436bace-be80-4f0c-a165-497411872a06",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "1436bace-be80-4f0c-a165-497411872a06",
|
|
"referenced_uuid": "21d4379f-ea7d-47d6-8179-136db3b0a8d9",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1591613501",
|
|
"uuid": "5ede183d-fe88-4a74-b530-485c02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "86c3280b-7994-4c80-9ab2-b6f01fe652a5",
|
|
"value": "4b8e4d05092389216f947e980ac8a7b9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "3ff9fafc-928a-44d0-947b-bb1ba6b808cb",
|
|
"value": "42b1a3e7891c78f026a9773fad96931ebf8e08cf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1591613489",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "8d67a2aa-b9ad-4d17-a271-3b9b13784416",
|
|
"value": "818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1591613501",
|
|
"uuid": "21d4379f-ea7d-47d6-8179-136db3b0a8d9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "236726a3-1637-4980-978e-8941bd88c278",
|
|
"value": "2020-06-07T09:15:48+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "c36149ad-2fd7-4274-8f24-2c86b7e57a04",
|
|
"value": "https://www.virustotal.com/gui/file/818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5/detection/f-818fa737f4041136cde620c3fa3bac5124f60506ef1a64bbc2f8472218039db5-1591521348"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1591613489",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8e4840ee-7871-45d2-b843-6391332b12a8",
|
|
"value": "21/59"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |