467 lines
No EOL
17 KiB
JSON
467 lines
No EOL
17 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-10-02",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers",
|
|
"publish_timestamp": "1507107090",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1507107078",
|
|
"uuid": "59d34428-803c-4eab-bac7-49c0950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
},
|
|
{
|
|
"colour": "#0fc100",
|
|
"name": "misp-galaxy:threat-actor=\"Aurora Panda\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d34439-4454-45a8-94dc-3e8a950d210f",
|
|
"value": "http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "59d344c1-426c-49c5-9ff5-4eed950d210f",
|
|
"value": "Since my last post, we have found new evidence in the next stage payloads of the CCleaner supply chain attack that provide a stronger link between this attack and the Axiom group.\r\n\r\nFirst of all, our researchers would like to thank the entire team at Cisco Talos for their excellent work on this attack (their post regarding stage 2 can be found here) as well as their cooperation by allowing us access to the stage 2 payload. Also, we would like to give a special thanks to Kaspersky Labs for their collaboration.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x86 Registry Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34505-26c0-45b8-ad15-3e8b950d210f",
|
|
"value": "f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34505-22e0-4906-90c3-3e8b950d210f",
|
|
"value": "07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34505-2e78-4dc1-a67b-3e8b950d210f",
|
|
"value": "0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34505-3db8-4638-9c56-3e8b950d210f",
|
|
"value": "20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34505-f7d0-4def-8e96-3e8b950d210f",
|
|
"value": "ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2 Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34544-1b60-4b87-8b28-42df950d210f",
|
|
"value": "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x86 Trojanized Binary",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d345d3-66fc-41a9-a259-4762950d210f",
|
|
"value": "07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x64 Trojanized Binary",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d345d3-b880-404c-8dfa-43d3950d210f",
|
|
"value": "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "59d34660-03b0-4649-93dc-4236950d210f",
|
|
"value": "13.59.9.90"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x64 Registry Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59d34915-eb94-48f5-8e04-3e86950d210f",
|
|
"value": "75eaa1889dbc93f11544cf3e40e3b9342b81b1678af5d83026496ee6a1b2ef79"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "Registry Keys",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59d34b35-0d00-462b-903a-43a4950d210f",
|
|
"value": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "Registry Keys",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59d34b35-12cc-4033-9114-400e950d210f",
|
|
"value": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "Registry Keys",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59d34b35-3b98-432e-b9f2-40d1950d210f",
|
|
"value": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "Registry Keys",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59d34b35-7ebc-4b87-b031-45fc950d210f",
|
|
"value": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004"
|
|
},
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "Registry Keys",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "regkey",
|
|
"uuid": "59d34b35-f05c-4193-b489-4d53950d210f",
|
|
"value": "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-b11c-4106-bb81-424502de0b81",
|
|
"value": "82691bf5d8ca1c760e0dbc67c99f89ecd890de08"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-0ce0-47c9-a313-48fc02de0b81",
|
|
"value": "52dda1e6ac12c24f2997cf05e0ea42c9"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "x64 Trojanized Binary - Xchecked via VT: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-d74c-4b70-870f-48ab02de0b81",
|
|
"value": "https://www.virustotal.com/file/128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f/analysis/1507088207/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-9b60-478f-b63b-4e1802de0b81",
|
|
"value": "53c9ea5ac9b2efc5e8e0b4e3a051fa1615cc09a9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-edd8-4715-a50d-43ec02de0b81",
|
|
"value": "d6fd2df91432ca21c79ece2c6637d1c6"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "x86 Trojanized Binary - Xchecked via VT: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-c5f8-42d4-8dfd-450402de0b81",
|
|
"value": "https://www.virustotal.com/file/07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902/analysis/1507103949/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-52f0-421f-93cf-46b902de0b81",
|
|
"value": "e7cca2da5161a313161a81a38a8b5773310a6801"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-e200-4df3-9afe-44d302de0b81",
|
|
"value": "748aa5fcfa2af451c76039faf6a8684d"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Stage 2 Payload - Xchecked via VT: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-8964-4305-9aac-4cc602de0b81",
|
|
"value": "https://www.virustotal.com/file/dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83/analysis/1507084318/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-4c70-4d6c-858b-43ff02de0b81",
|
|
"value": "7dd556415487cc192b647c9a7fde70896eeee7a2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-f260-4592-a320-451a02de0b81",
|
|
"value": "e77e708924168afd17dbe26bba8621af"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-b5c0-4500-923c-458d02de0b81",
|
|
"value": "https://www.virustotal.com/file/ee362a8161bd442073775363bf5fa1305abac2ce39b903d63df0d7121ba60550/analysis/1506960621/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-2b88-4315-af2a-4dee02de0b81",
|
|
"value": "590ddc140152c2c5ce2f0dc7b21a297fd4102ba3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-54ec-44d7-a611-45f502de0b81",
|
|
"value": "8ad22f3e9e603ff89228f3c66d9949d9"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-55f0-4dd3-853e-452302de0b81",
|
|
"value": "https://www.virustotal.com/file/20cd49fd0f244944a8f5ba1d7656af3026e67d170133c1b3546c8b2de38d4f27/analysis/1446757665/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-24ac-4c9a-9ed0-46d202de0b81",
|
|
"value": "40f9cde4ccd1b1b17a647c6fc72c5c5cd40d2b08"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-b468-4875-a528-4f0902de0b81",
|
|
"value": "ba86c0c1d9a08284c61c4251762ad0df"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-55b8-4813-a62a-42aa02de0b81",
|
|
"value": "https://www.virustotal.com/file/0375b4216334c85a4b29441a3d37e61d7797c2e1cb94b14cf6292449fb25c7b2/analysis/1506960528/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59d4a0da-3e44-4d72-a76f-46b802de0b81",
|
|
"value": "60415999bc82dc9c8f4425f90e41a98d514f76a2"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59d4a0da-dc90-4b07-9a85-47ac02de0b81",
|
|
"value": "35a4783a1db27f159d7506a78ca89101"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "- Xchecked via VT: 07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1507107034",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59d4a0da-a858-4517-8dfe-4f5502de0b81",
|
|
"value": "https://www.virustotal.com/file/07f93e49c7015b68e2542fc591ad2b4a1bc01349f79d48db67c53938ad4b525d/analysis/1507055418/"
|
|
}
|
|
]
|
|
}
|
|
} |