misp-circl-feed/feeds/circl/misp/5bf290ce-2df0-4d91-9e62-4cb6950d210f.json


{"Event": {"info": "OSINT - OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government", "Tag": [{"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Spearphishing Attachment - T1193\""}, {"colour": "#284800", "exportable": true, "name": "malware_classification:malware-category=\"Trojan\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#72003d", "exportable": true, "name": "workflow:todo=\"add-missing-misp-galaxy-cluster-values\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:threat-actor=\"OilRig\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"OilRig - G0049\""}, {"colour": "#0088cc", "exportable": true, "name": "misp-galaxy:mitre-intrusion-set=\"OilRig\""}], "publish_timestamp": "0", "timestamp": "1542637941", "Object": [{"comment": "BONDUPDATER Dropper Docs\r\ncontains a macro that attempted to install a new version of the BONDUPDATER Trojan\r\n", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5bf29643-27dc-452c-91bc-4c4a950d210f", "sharing_group_id": "0", "timestamp": "1542634536", "description": "File object describing a file with meta-information", "template_version": "15", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5bf29643-0d80-4d47-a39b-40ed950d210f", "timestamp": "1542634536", "to_ids": true, "value": "N56.15.doc", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5bf29643-7c10-4d53-9c91-4d52950d210f", "timestamp": "1542634536", "to_ids": true, "value": "7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": 
"5bf29643-734c-4c17-ad10-477e950d210f", "timestamp": "1542634536", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "BONDUPDATER Dropper Docs", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5bf29a92-4e88-4432-a67c-4b84950d210f", "sharing_group_id": "0", "timestamp": "1542634558", "description": "File object describing a file with meta-information", "template_version": "15", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5bf29a92-1d6c-4a1c-b652-493f950d210f", "timestamp": "1542634558", "to_ids": true, "value": "AppPool.vbs", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5bf29a92-9a88-480b-b42b-4f1c950d210f", "timestamp": "1542634558", "to_ids": true, "value": "c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5bf29a92-e11c-4c07-a579-41e5950d210f", "timestamp": "1542634558", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5bf29a92-036c-4b56-aaaa-4be2950d210f", "timestamp": "1542634558", "to_ids": false, "value": "%ALLUSERSPROFILE%\\WindowsAppPool\\AppPool.vbs", "disable_correlation": false, "object_relation": "fullpath", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5bf29a93-d104-42c0-8a6c-42aa950d210f", "timestamp": "1542634558", "to_ids": false, "value": "%ALLUSERSPROFILE%\\WindowsAppPool", "disable_correlation": true, "object_relation": "path", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "BONDUPDATER Dropper Docs", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": 
"5bf29c1e-4304-40db-bb46-46d3950d210f", "sharing_group_id": "0", "timestamp": "1542634588", "description": "File object describing a file with meta-information", "template_version": "15", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5bf29c1e-d494-475b-b3c8-482b950d210f", "timestamp": "1542634588", "to_ids": true, "value": "AppPool.ps1", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Payload delivery", "uuid": "5bf29c1e-eda0-412a-aab5-481b950d210f", "timestamp": "1542634588", "to_ids": true, "value": "d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}, {"comment": "", "category": "Other", "uuid": "5bf29c1f-cae0-4d5d-86b1-4535950d210f", "timestamp": "1542634588", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5bf29c1f-5b24-4521-af52-4927950d210f", "timestamp": "1542634588", "to_ids": false, "value": "%ALLUSERSPROFILE%\\WindowsAppPool\\AppPool.ps1", "disable_correlation": false, "object_relation": "fullpath", "type": "text"}, {"comment": "", "category": "Other", "uuid": "5bf29c1f-41e0-4f15-816f-4386950d210f", "timestamp": "1542634588", "to_ids": false, "value": "%ALLUSERSPROFILE%\\WindowsAppPool\\", "disable_correlation": true, "object_relation": "path", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5bf29d8f-e558-4af1-a0f3-4653950d210f", "sharing_group_id": "0", "timestamp": "1542626703", "description": "File object describing a file with meta-information", "template_version": "15", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5bf29d8f-e330-4c14-adc5-4b44950d210f", "timestamp": "1542626703", "to_ids": true, "value": 
"%ALLUSERSPROFILE%\\WindowsAppPool\\lock", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5bf29d8f-08a8-4f1f-90f8-4a30950d210f", "timestamp": "1542626703", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5bf29da3-deec-4a6a-9967-408a950d210f", "sharing_group_id": "0", "timestamp": "1542626723", "description": "File object describing a file with meta-information", "template_version": "15", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "5bf29da3-ac10-4aeb-bee0-4c91950d210f", "timestamp": "1542626723", "to_ids": true, "value": "%ALLUSERSPROFILE%\\WindowsAppPool\\quid", "disable_correlation": true, "object_relation": "filename", "type": "filename"}, {"comment": "", "category": "Other", "uuid": "5bf29da3-2964-4d60-998f-48df950d210f", "timestamp": "1542626723", "to_ids": false, "value": "Malicious", "disable_correlation": true, "object_relation": "state", "type": "text"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "1ad2e243-0418-419a-8300-12ac17adb5f0", "sharing_group_id": "0", "timestamp": "1542637584", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "329cf80d-bb3c-4a84-8343-151d2b2dbded", "timestamp": "1542637585", "to_ids": true, "value": "52b6e1ef0d079f4c2572705156365c06", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "ea31310d-82e2-46fe-a266-fa1ac686e6ce", "timestamp": "1542637585", "to_ids": true, "value": "5732b44851ec10f16c8e1201af3bec455f724961", 
"disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "2d9cdcee-8c8c-446b-a71c-8bab53b1a445", "timestamp": "1542637586", "to_ids": true, "value": "7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "48845792-c31e-45a2-ba4b-f60e29e7d371", "sharing_group_id": "0", "timestamp": "1542637586", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "37fd897a-6742-48b4-bc55-8ec2ab7d4119", "timestamp": "1542637586", "to_ids": false, "value": "2018-10-29 01:55:45", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "e88f35c0-a05d-44ef-80a8-99d2a29980b4", "timestamp": "1542637587", "to_ids": false, "value": "https://www.virustotal.com/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00/analysis/1540778145/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "f2c56cfe-2278-4d43-acec-2b77dc5af11c", "timestamp": "1542637587", "to_ids": false, "value": "39/58", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "5ce1579d-18af-4c70-8a05-238a5a7e25bd", "sharing_group_id": "0", "timestamp": "1542637587", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "d9e98e6b-8bb7-4eac-bc9a-927972226212", "timestamp": "1542637587", 
"to_ids": true, "value": "88a3636fbae365ac19d7fb68c2cc2fef", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "0c84b2ef-3440-465a-9e4b-91e380ce4646", "timestamp": "1542637588", "to_ids": true, "value": "64e1751562347134e17a7e1985a8765085302f93", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "2c7a9861-1174-4bdb-a230-277dd400474d", "timestamp": "1542637588", "to_ids": true, "value": "c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "11df404f-cd09-4341-9779-b38b73e4d580", "sharing_group_id": "0", "timestamp": "1542637589", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "d3581511-855c-43c3-858c-4d5f3f489e8b", "timestamp": "1542637589", "to_ids": false, "value": "2018-10-17 23:42:45", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "f7081c18-1de8-4365-bdf8-6dd8a3af9c51", "timestamp": "1542637589", "to_ids": false, "value": "https://www.virustotal.com/file/c0018a2e36c7ef8aa15b81001a19c4127ad7cd21ae410c1f854e5dadfa98b322/analysis/1539819765/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": "afb88b5f-d777-4892-941d-9a853f4a2cc6", "timestamp": "1542637590", "to_ids": false, "value": "26/56", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}, {"comment": "", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": 
"6ce66cdf-6c35-4d67-9978-1876aa656790", "sharing_group_id": "0", "timestamp": "1542637590", "description": "File object describing a file with meta-information", "template_version": "11", "Attribute": [{"comment": "", "category": "Payload delivery", "uuid": "b652093f-0dba-487e-b2e7-bb230dcf0676", "timestamp": "1542637590", "to_ids": true, "value": "8c4fa86dcc2fd00933b70cbf239f0636", "disable_correlation": false, "object_relation": "md5", "type": "md5"}, {"comment": "", "category": "Payload delivery", "uuid": "3346d87f-d7dd-4beb-8ca9-06c06685fd53", "timestamp": "1542637591", "to_ids": true, "value": "204855fa620bf1f8b2a781e1e8ecfda4d411ca77", "disable_correlation": false, "object_relation": "sha1", "type": "sha1"}, {"comment": "", "category": "Payload delivery", "uuid": "b0230b30-6592-4331-8aa6-08d97ee3af2c", "timestamp": "1542637591", "to_ids": true, "value": "d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7", "disable_correlation": false, "object_relation": "sha256", "type": "sha256"}], "distribution": "5", "meta-category": "file", "name": "file"}, {"comment": "", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "uuid": "e6c24ac2-3816-483f-8ca6-7cfdfb17f64f", "sharing_group_id": "0", "timestamp": "1542637591", "description": "VirusTotal report", "template_version": "2", "Attribute": [{"comment": "", "category": "Other", "uuid": "9b3fe04c-f077-40e2-ac6e-0318207570d7", "timestamp": "1542637592", "to_ids": false, "value": "2018-10-16 23:36:19", "disable_correlation": false, "object_relation": "last-submission", "type": "datetime"}, {"comment": "", "category": "External analysis", "uuid": "31c239f5-61f1-44aa-b098-96391ce6eafa", "timestamp": "1542637592", "to_ids": false, "value": "https://www.virustotal.com/file/d5c1822a36f2e7107d0d4c005c26978d00bcb34a587bd9ccf11ae7761ec73fb7/analysis/1539732979/", "disable_correlation": false, "object_relation": "permalink", "type": "link"}, {"comment": "", "category": "Other", "uuid": 
"8fab6ce4-d439-4d29-9307-def6e20c980e", "timestamp": "1542637593", "to_ids": false, "value": "24/57", "disable_correlation": true, "object_relation": "detection-ratio", "type": "text"}], "distribution": "5", "meta-category": "misc", "name": "virustotal-report"}], "analysis": "2", "Attribute": [{"comment": "", "category": "External analysis", "uuid": "5bf29192-07b0-4f32-bce6-4bca950d210f", "timestamp": "1542623657", "to_ids": false, "value": "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/", "Tag": [{"colour": "#00223b", "exportable": true, "name": "osint:source-type=\"blog-post\""}], "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "BONDUPDATER C2", "category": "Network activity", "uuid": "5bf2b90a-aba0-4bb8-a5ca-4f70950d210f", "timestamp": "1542634461", "to_ids": true, "value": "withyourface.com", "disable_correlation": false, "object_relation": null, "type": "domain"}], "extends_uuid": "", "published": false, "date": "2018-09-12", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "3", "uuid": "5bf290ce-2df0-4d91-9e62-4cb6950d210f"}}