{
"Event": {
"analysis": "0",
"date": "2015-11-27",
"extends_uuid": "",
"info": "OSINT Expansion on APT-28 - Evolving Threats: dissection of a Cyber-Espionage attack",
"publish_timestamp": "1468246298",
"published": true,
"threat_level_id": "1",
"timestamp": "1448612175",
"uuid": "56580480-2738-4888-98be-b742950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#33FF00",
"name": "tlp:green"
},
{
"colour": "#004646",
"name": "type:OSINT"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608932",
"to_ids": false,
"type": "text",
"uuid": "565804a4-6bc8-4dbb-88c4-4b02950d210b",
"value": "APT28"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608932",
"to_ids": false,
"type": "text",
"uuid": "565804a4-5b60-4e42-a2db-4a6c950d210b",
"value": "Sednit"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608933",
"to_ids": false,
"type": "text",
"uuid": "565804a5-7c14-4b8f-8ad5-40cc950d210b",
"value": "Sofacy"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608981",
"to_ids": true,
"type": "domain",
"uuid": "565804d5-38bc-4e6e-9cc0-b791950d210b",
"value": "microsofthelpcenter.info"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608982",
"to_ids": true,
"type": "domain",
"uuid": "565804d6-aa04-48b1-99ee-b791950d210b",
"value": "1oo7.net"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608982",
"to_ids": true,
"type": "domain",
"uuid": "565804d6-f130-4582-8c10-b791950d210b",
"value": "microsoftdriver.com"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608983",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d7-4408-4786-b006-b791950d210b",
"value": "198.105.125.74"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608983",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d7-d8f4-4eba-a35a-b791950d210b",
"value": "66.172.12.133"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608984",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d8-a4fc-4721-8b3a-b791950d210b",
"value": "45.64.105.23"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608984",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d8-e720-4012-b480-b791950d210b",
"value": "176.31.112.10"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608985",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d9-6174-41e1-a430-b791950d210b",
"value": "176.31.96.178"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608985",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804d9-df2c-490e-95fb-b791950d210b",
"value": "87.236.215.13"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608986",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804da-08a8-40f5-9bd1-b791950d210b",
"value": "46.19.138.66"
},
{
"category": "Network activity",
"comment": "CnC list paragraph",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448608986",
"to_ids": true,
"type": "ip-dst",
"uuid": "565804da-f894-4f3d-8fed-b791950d210b",
"value": "5.199.171.58"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609035",
"to_ids": false,
"type": "link",
"uuid": "5658050b-9fe8-45be-bf50-b742950d210b",
"value": "http://www.rsaconference.com/writable/presentations/file_upload/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609036",
"to_ids": false,
"type": "link",
"uuid": "5658050c-3aec-4100-b938-b742950d210b",
"value": "https://github.com/gasgas4/APTnotes/blob/master/2015/2015.11.04_Evolving_Threats/cct-w08_evolving-threats-dissection-of-a-cyber-espionage-attack.pdf"
},
{
"category": "Network activity",
"comment": "Combing through screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609210",
"to_ids": true,
"type": "domain",
"uuid": "565805ba-f6fc-43db-90bb-b376950d210b",
"value": "militaryexponews.com"
},
{
"category": "Network activity",
"comment": "Combing through screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609212",
"to_ids": true,
"type": "domain",
"uuid": "565805bc-f64c-4cc5-b5a3-b376950d210b",
"value": "irwing.org"
},
{
"category": "Network activity",
"comment": "Combing through screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609212",
"to_ids": true,
"type": "domain",
"uuid": "565805bc-10fc-4f47-a3a9-b376950d210b",
"value": "eservicesystems.net"
},
{
"category": "Network activity",
"comment": "Combing through screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609213",
"to_ids": true,
"type": "domain",
"uuid": "565805bd-6630-4743-ba10-b376950d210b",
"value": "windowsappstore.net"
},
{
"category": "Network activity",
"comment": "Combing through screenshots",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448609213",
"to_ids": true,
"type": "ip-dst",
"uuid": "565805bd-4320-414c-9afd-b376950d210b",
"value": "131.72.136.10"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448611989",
"to_ids": false,
"type": "comment",
"uuid": "56581095-fba8-4c69-bd27-b376950d210b",
"value": "Additional IOCs found combing through screenshots & using threatCrowd.org"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448612064",
"to_ids": false,
"type": "comment",
"uuid": "565810e0-b624-4b74-9335-401f950d210b",
"value": "GET to URLs containing the following tokens: /find/?itwm= &from= &utm= &oprnd= &from=\r\nPOST to URLs containing the following tokens: /open/?ags= &ags= &oprnd= &channel= &itwm="
},
{
"category": "Network activity",
"comment": "Resolution of domain irwing.org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448612173",
"to_ids": true,
"type": "ip-dst",
"uuid": "5658114d-bc94-4a40-8080-485d950d210b",
"value": "204.12.244.58"
},
{
"category": "Network activity",
"comment": "Resolution of domain irwing.org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448612174",
"to_ids": true,
"type": "ip-dst",
"uuid": "5658114e-9a4c-4fac-92a3-4868950d210b",
"value": "104.200.17.202"
},
{
"category": "Network activity",
"comment": "Resolution of domain irwing.org",
"deleted": false,
"disable_correlation": false,
"timestamp": "1448612174",
"to_ids": true,
"type": "ip-dst",
"uuid": "5658114e-1b48-4304-87ec-4fc9950d210b",
"value": "104.200.17.53"
}
]
}
}