misp-circl-feed/feeds/circl/misp/5b9162c3-90b4-423b-bd69-28330acd0835.json

796 lines
No EOL
25 KiB
JSON

{
"Event": {
"analysis": "2",
"date": "2018-09-06",
"extends_uuid": "",
"info": "powerpool-malware-exploits-zero-day-vulnerability",
"publish_timestamp": "1589183606",
"published": true,
"threat_level_id": "2",
"timestamp": "1621849865",
"uuid": "5b9162c3-90b4-423b-bd69-28330acd0835",
"Orgc": {
"name": "Synovus Financial",
"uuid": "5a68c02d-959c-4c8a-a571-0dcac0a8060a"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536254918",
"to_ids": false,
"type": "link",
"uuid": "5b9162d7-70bc-4802-a3e8-2efb0acd0835",
"value": "https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536255394",
"to_ids": true,
"type": "domain",
"uuid": "5b916597-a96c-43dc-bcc0-2f0b0acd0835",
"value": "newsrental.net",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536255394",
"to_ids": true,
"type": "domain",
"uuid": "5b916597-7bc0-45f8-a810-2f0b0acd0835",
"value": "rosbusiness.eu",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536255394",
"to_ids": true,
"type": "domain",
"uuid": "5b916597-dc78-43cb-b1df-2f0b0acd0835",
"value": "afishaonline.eu",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536255394",
"to_ids": true,
"type": "domain",
"uuid": "5b916597-7ba8-4aaa-98b5-2f0b0acd0835",
"value": "sports-collectors.com",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
},
{
"category": "Network activity",
"comment": "C2\r\nCountry: Korea, Republic Of\r\nRegion: Gyeonggi-do\r\nCity: Yongin\r\nISP: Daou Technology",
"deleted": false,
"disable_correlation": false,
"timestamp": "1536256145",
"to_ids": true,
"type": "ip-dst",
"uuid": "5b916597-ec48-4d1f-b15f-2f0b0acd0835",
"value": "27.102.106.149",
"Tag": [
{
"colour": "#00aad0",
"name": "veris:action:malware:variety=\"C2\""
}
]
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "13",
"timestamp": "1536254905",
"uuid": "5b91638b-01d0-4303-9938-28310acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1536254957",
"to_ids": true,
"type": "md5",
"uuid": "5b91638b-f688-4841-b4d2-28310acd0835",
"value": "32b8d08e67cf509236ae8142fbeb30b3",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1536254957",
"to_ids": true,
"type": "sha256",
"uuid": "5b91638b-5d60-4865-9be0-28310acd0835",
"value": "8c2e729bc086921062e214b7e4c9c4ddf324a0fa53b4ed106f1341cfe8274fe4",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1536254957",
"to_ids": true,
"type": "sha1",
"uuid": "5b91638b-250c-4e03-b6f7-28310acd0835",
"value": "038f75dcf1e5277565c68d57fa1f4f7b3005f3f3",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1536254859",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5b91638b-480c-4627-95ab-28310acd0835",
"value": "198656"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1536254963",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b91638b-a4dc-450f-9bc6-28310acd0835",
"value": "3072:y0FPC7QAKohdraoNpLOxx85wzWVTBfGGMZhm05Pb8QOutp:ba7zfragLOxx85JVTBezZXbLOut",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
},
{
"colour": "#5fb4b2",
"name": "Stage 1"
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1536254859",
"to_ids": false,
"type": "text",
"uuid": "5b91638b-d750-48ec-aeaa-28310acd0835",
"value": "Malicious"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1536254905",
"to_ids": false,
"type": "text",
"uuid": "5b9163b9-43a4-43cc-831b-2eff0acd0835",
"value": "First stage backdoor"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "13",
"timestamp": "1536255024",
"uuid": "5b916430-9e3c-4911-b3e9-ca520acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1536255053",
"to_ids": true,
"type": "md5",
"uuid": "5b916430-0124-4a45-bf94-ca520acd0835",
"value": "efe3518ee7d62299d01b7882f72ffd0a",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1536255024",
"to_ids": false,
"type": "text",
"uuid": "5b916430-f9b4-45ed-b526-ca520acd0835",
"value": "First stage backdoor"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1536255053",
"to_ids": true,
"type": "sha256",
"uuid": "5b916430-4898-4071-b4f5-ca520acd0835",
"value": "035f97af0def906fbd8f7f15fb8107a9e852a69160669e7c0781888180cd46d5",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1536255054",
"to_ids": true,
"type": "sha1",
"uuid": "5b916430-e110-4bc6-8427-ca520acd0835",
"value": "247b542af23ad9c63697428c7b77348681aadc9a",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1536255024",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5b916430-0fac-4102-a6c2-ca520acd0835",
"value": "195072"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1536255054",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b916430-0b5c-49c8-b20b-ca520acd0835",
"value": "3072:hMBIQ8vnQQgZKc1WZL0Az3jGSp0TBfmXnZS1m05xI8QOutt:eBIbPDgZK0yL0Az36e0TBeXZStILOut",
"Tag": [
{
"colour": "#5fb4b2",
"name": "Stage 1"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1536255024",
"to_ids": false,
"type": "text",
"uuid": "5b916430-0634-4a60-b821-ca520acd0835",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "13",
"timestamp": "1536255120",
"uuid": "5b91647e-fb8c-475d-a647-2eff0acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1536255177",
"to_ids": true,
"type": "md5",
"uuid": "5b91647e-5998-450e-b763-2eff0acd0835",
"value": "e2bd4044fab4214c4aa7dd65d65fca21",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1536255177",
"to_ids": true,
"type": "sha256",
"uuid": "5b91647e-172c-4f3e-be5d-2eff0acd0835",
"value": "af2abf0748013a7084507f8e96f6e7c21a3f962fbbb148dcbb482a98c06940a1",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1536255177",
"to_ids": true,
"type": "sha1",
"uuid": "5b91647e-bb5c-4513-980d-2eff0acd0835",
"value": "0423672fe9201c325e33f296595fb70dcd81bcd9",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1536255102",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5b91647e-de40-459d-8828-2eff0acd0835",
"value": "395776"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1536255177",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b91647e-a5fc-4161-b118-2eff0acd0835",
"value": "6144:Py7VqCkozgC2uNmz/MbVflIaPhlHvuFFNTP9DZ8EX8kE5KRf+L8uvyvcQ0BiF:Py7V6N/wISZvk7TP9F1X8 hcRe8u6wW",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1536255102",
"to_ids": false,
"type": "text",
"uuid": "5b91647e-eec4-4749-8e33-2eff0acd0835",
"value": "Malicious"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1536255120",
"to_ids": false,
"type": "text",
"uuid": "5b916490-d93c-4284-9455-28330acd0835",
"value": "Second stage backdoor"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "13",
"timestamp": "1536255239",
"uuid": "5b916507-21cc-4a2f-aa8c-28280acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1536255270",
"to_ids": true,
"type": "md5",
"uuid": "5b916507-cdc0-4c61-ac3f-28280acd0835",
"value": "80e7a7789286d3fb69f083f1a2dddbe6",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1536255239",
"to_ids": false,
"type": "text",
"uuid": "5b916507-2a48-4b4f-9d72-28280acd0835",
"value": "Second stage backdoor"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1536255270",
"to_ids": true,
"type": "sha256",
"uuid": "5b916507-38cc-4434-90f8-28280acd0835",
"value": "58a50840c04cd15f439f1cc1b684e9f9fa22c0d64f44a391d9e2b1222e5cd6bd",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1536255270",
"to_ids": true,
"type": "sha1",
"uuid": "5b916507-c8a4-4c50-9886-28280acd0835",
"value": "b4ec4837d07ff64e34947296e73732171d1c1586",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1536255239",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5b916507-88d0-49cd-b0ba-28280acd0835",
"value": "396288"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1536255270",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b916507-d174-4cec-85ee-28280acd0835",
"value": "6144:kSH62LyBiglfDq9wD7aG2HODV9cF7Bt7/hNWhZHhvMKpA7KSgodwIFsA40Bia:kSH6F9DiY9udjNW7BvMKp yKsWI97",
"Tag": [
{
"colour": "#fccc51",
"name": "Stage 2"
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1536255239",
"to_ids": false,
"type": "text",
"uuid": "5b916507-5344-4ccd-bcee-28280acd0835",
"value": "Malicious"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "13",
"timestamp": "1536255324",
"uuid": "5b91655c-3648-48a0-82e3-2f140acd0835",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1536255355",
"to_ids": true,
"type": "md5",
"uuid": "5b91655c-25d0-4a8c-80e8-2f140acd0835",
"value": "99670267cbece5f5cc3ce92efd5bb04b",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Exploit vuln\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "text",
"timestamp": "1536255324",
"to_ids": false,
"type": "text",
"uuid": "5b91655c-7730-4639-89de-2f140acd0835",
"value": "ALPC LPE exploit"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1536255355",
"to_ids": true,
"type": "sha256",
"uuid": "5b91655c-21a0-4189-b441-2f140acd0835",
"value": "97b5b4478d234632df4c65ec251051a6b032ce21e9e68495e31f077bf4074831",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Exploit vuln\""
}
]
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1536255355",
"to_ids": true,
"type": "sha1",
"uuid": "5b91655d-3ee8-42f6-8276-2f140acd0835",
"value": "9dc173d4d4f74765b5fc1e1c9a2d188d5387beea",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Exploit vuln\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1536255325",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5b91655d-3714-464e-86f5-2f140acd0835",
"value": "183296"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1536255355",
"to_ids": true,
"type": "ssdeep",
"uuid": "5b91655d-3c88-4839-90d3-2f140acd0835",
"value": "3072:STZt5j+T9LjP4JqIBhNV0St7TZEjOYI1TVmqG7rg:q5j+T9LjPPIBhN2Q7TZAfI1TVwg",
"Tag": [
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Exploit vuln\""
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1536255325",
"to_ids": false,
"type": "text",
"uuid": "5b91655d-d1bc-4241-95c3-2f140acd0835",
"value": "Malicious"
}
]
}
]
}
}