115 lines
No EOL
3.3 KiB
JSON
115 lines
No EOL
3.3 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2019-09-15",
|
|
"extends_uuid": "",
|
|
"info": "On-memory post exploit payloads from encoded binary",
|
|
"publish_timestamp": "1568643213",
|
|
"published": true,
|
|
"threat_level_id": "2",
|
|
"timestamp": "1568643188",
|
|
"uuid": "5d7dba44-67d4-4fad-b919-4c2d950d210f",
|
|
"Orgc": {
|
|
"name": "MalwareMustDie",
|
|
"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#380046",
|
|
"name": "ms-caro-malware:malware-type=\"HackTool\""
|
|
},
|
|
{
|
|
"colour": "#ffc100",
|
|
"name": "poshc2 beacon"
|
|
},
|
|
{
|
|
"colour": "#c1e21c",
|
|
"name": " C2"
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:course-of-action=\"PowerShell Mitigation\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:course-of-action=\"Network Sniffing Mitigation\""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"name": "misp-galaxy:course-of-action=\"Credential Dumping Mitigation\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Internal reference",
|
|
"comment": "Threat analysis report and analysis screenshots",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568520892",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5d7dbabc-3ef8-4eb1-9500-448e950d210f",
|
|
"value": "https://imgur.com/a/k60b8pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The attacker C2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568520952",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5d7dbaf8-3e4c-4334-a278-403c950d210f",
|
|
"value": "154.121.50.129"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The attacker C2",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568520989",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "5d7dbb1d-a2ec-4534-9e0b-48f0950d210f",
|
|
"value": "amazon34.duckdns.org"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568521103",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5d7dbb8f-210c-4f25-86d9-4e5c950d210f",
|
|
"value": "https://pastebin.com/Pgi3pMgj"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "The post exploitation outbound traffic for attack initiation (beacon and reverse HTTP)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568521103",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5d7dbb8f-2dec-4875-b15d-4f31950d210f",
|
|
"value": "https://pastebin.com/SAQRkmef"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The attacker C2's network AS Number",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1568521195",
|
|
"to_ids": false,
|
|
"type": "AS",
|
|
"uuid": "5d7dbbeb-9aa0-4209-beda-4a70950d210f",
|
|
"value": "AS327712"
|
|
}
|
|
]
|
|
}
|
|
} |