{
"Event": {
"analysis": "1",
"date": "2020-05-23",
"extends_uuid": "",
"info": "Linux/KAITEN AK47(a Mod-Telnet-Scanner) & Echo-loader hexstrings spread",
"publish_timestamp": "1590257790",
"published": true,
"threat_level_id": "3",
"timestamp": "1590257775",
"uuid": "5ec960a6-b798-445c-8ae2-478a950d210f",
"Orgc": {
"name": "MalwareMustDie",
"uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#22681c",
"name": "malware_classification:malware-category=\"Botnet\""
},
{
"colour": "#5ed600",
"name": "ddos:type=\"flooding-attack\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-4b8c-4ca8-b247-2e98950d210f",
"value": "d7062a6b3380c1c5c79fd0aec06051c5"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-eb0c-40d1-a28f-2e98950d210f",
"value": "bb4d558ef723daa5e014aeaa5337df7c"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-a6b0-430c-ae81-2e98950d210f",
"value": "f469f4130e1d267f63ede66cb4341e0d"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-dfb4-43ea-bddd-2e98950d210f",
"value": "581b9b9d6230005fa3a5ab1e9090eb9a"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-7090-4190-9e35-2e98950d210f",
"value": "e71c7c5f0b09c3b17e0064b5774499f9"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-4f08-4de9-9c0b-2e98950d210f",
"value": "4f0724e3775f872eafcc70a0a946b0df"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-4284-4f19-90a4-2e98950d210f",
"value": "a1c60716c51c64a89f96167057b51c68"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-5b40-4328-a278-2e98950d210f",
"value": "9aa4741ad010753683a602bf7a2d99cd"
},
{
"category": "Payload delivery",
"comment": "bot malware payload",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256715",
"to_ids": false,
"type": "md5",
"uuid": "5ec9644b-716c-4e6c-83cf-2e98950d210f",
"value": "604de8c8f3d612bcbfc44f1e3c4b2e33"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-9c64-4619-abb5-4e71950d210f",
"value": "igLHvijzbFarm"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-4b04-4bbf-a267-4200950d210f",
"value": "igLHvijzbFarm5"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-9e6c-4267-841f-4caf950d210f",
"value": "igLHvijzbFarm6"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-8af4-4492-893d-4aea950d210f",
"value": "igLHvijzbFm68k"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-9a80-4287-81d9-4242950d210f",
"value": "igLHvijzbFmips"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-2214-424a-9e73-45f2950d210f",
"value": "igLHvijzbFmpsl"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-9004-4551-abf4-4221950d210f",
"value": "igLHvijzbFppc"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-7770-4936-abee-43fc950d210f",
"value": "igLHvijzbFsh4"
},
{
"category": "Payload delivery",
"comment": "payload filename in C2 (scan-able during download)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256797",
"to_ids": false,
"type": "filename",
"uuid": "5ec9649d-ddc8-434b-ab7b-4888950d210f",
"value": "igLHvijzbFspc"
},
{
"category": "Payload delivery",
"comment": "Payload service IPv6|port_number",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256922",
"to_ids": false,
"type": "ip-src|port",
"uuid": "5ec9651a-74d8-4321-9801-4485950d210f",
"value": "204.11.49.132|80"
},
{
"category": "Payload delivery",
"comment": "Payload service IPv6|port_number",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590256922",
"to_ids": false,
"type": "ip-src|port",
"uuid": "5ec9651a-edd4-4050-90f3-413d950d210f",
"value": "196.53.114.199|80"
},
{
"category": "Network activity",
"comment": "C2 connection established activity",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-24T00:00:00+00:00",
"timestamp": "1590257006",
"to_ids": false,
"type": "ip-dst|port",
"uuid": "5ec9656e-b94c-4932-8275-4bca950d210f",
"value": "196.53.114.199|8080"
},
{
"category": "Payload delivery",
"comment": "Source code file name",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-24T00:00:00+00:00",
"timestamp": "1590257075",
"to_ids": false,
"type": "filename",
"uuid": "5ec965b3-987c-4a25-84af-4999950d210f",
"value": "bot.c"
},
{
"category": "Network activity",
"comment": "C2 credential",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257198",
"to_ids": false,
"type": "other",
"uuid": "5ec9662e-9320-4e61-9e17-4aca950d210f",
"value": "#donks"
},
{
"category": "Network activity",
"comment": "C2 credential",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257210",
"to_ids": false,
"type": "other",
"uuid": "5ec9663a-e5b4-4d84-b5db-4a63950d210f",
"value": "swagfag"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257290",
"to_ids": false,
"type": "other",
"uuid": "5ec9668a-2078-4769-b5fe-4e19950d210f",
"value": "Freak"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-d430-4211-9e70-4f2b950d210f",
"value": "Leonidus"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-d9c0-4c28-b877-48a3950d210f",
"value": "Crypto"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-092c-48a3-bd2f-4710950d210f",
"value": "error401"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-15a4-4e17-bc6e-419f950d210f",
"value": "lmfao"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-2ab0-4a9b-ab4c-44b5950d210f",
"value": "dmt"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-78a0-41d3-b302-4c55950d210f",
"value": "ni**er"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-7980-4f11-bc2e-4a5b950d210f",
"value": "DeTH"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-cf14-4dd7-9faf-4861950d210f",
"value": "Okami"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-c324-4229-92d5-4243950d210f",
"value": "nightd0g"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-1180-43d3-a4a1-4e30950d210f",
"value": "phpbot"
},
{
"category": "Social network",
"comment": "botherder handles hardcoded",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257326",
"to_ids": false,
"type": "other",
"uuid": "5ec966ae-1a2c-499d-916c-4f2e950d210f",
"value": "netspot1-netspot10"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257397",
"to_ids": false,
"type": "ip-dst",
"uuid": "5ec966f5-2ae0-463d-b2a0-4c65950d210f",
"value": "196.53.114.199"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-23T00:00:00+00:00",
"timestamp": "1590257397",
"to_ids": false,
"type": "ip-dst",
"uuid": "5ec966f5-7690-4f72-9037-483b950d210f",
"value": "204.11.49.132"
},
{
"category": "Internal reference",
"comment": "Threat report (contains more details)",
"deleted": false,
"disable_correlation": false,
"first_seen": "2020-05-21T00:00:00+00:00",
"last_seen": "2020-05-24T00:00:00+00:00",
"timestamp": "1590257775",
"to_ids": false,
"type": "link",
"uuid": "5ec96731-05fc-4acf-9b81-4840950d210f",
"value": "https://gist.github.com/unixfreaxjp/7b8bd6be614f7a051fc9a9da760d3138"
}
]
}
}