3083 lines
No EOL
141 KiB
JSON
3083 lines
No EOL
141 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2022-12-19",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - QNAP worm aka Raspberry Robin",
|
|
"publish_timestamp": "1671457942",
|
|
"published": true,
|
|
"threat_level_id": "4",
|
|
"timestamp": "1671443120",
|
|
"uuid": "0ebe51c2-31f1-4ba4-b7ab-1f5e62531e45",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:malpedia=\"Raspberry Robin\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441766",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cb31d5aa-fe8e-4489-ae28-4310e5e0fc03",
|
|
"value": "03s30.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441766",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f9137b71-bfbf-48d8-a668-c0236e087f02",
|
|
"value": "0dz.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441766",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "13024c29-51b2-46dd-a921-7d8e1dc5775e",
|
|
"value": "0e.si"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441766",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "758d0298-85ed-4c67-87b1-bfb7a43d75ba",
|
|
"value": "0i.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "73c78cac-6af2-49f9-9a6c-420b379bcfdb",
|
|
"value": "0i.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3c8a2966-e151-47a7-a8d1-57b35d135faa",
|
|
"value": "0j.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "518c0382-d276-4439-92bd-24c83a4561b7",
|
|
"value": "0j.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b7f6702e-d5d0-489b-a580-b7b78790a380",
|
|
"value": "0p.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "aa3dcada-6c13-4564-9f73-a0335b43bafa",
|
|
"value": "0t.yt"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2fea340f-896b-493a-b97f-5fc88ec24785",
|
|
"value": "0v.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1342a252-3cdb-42ad-b296-404fefabda2c",
|
|
"value": "0w.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1800718f-4276-45d9-b227-c82e02191e54",
|
|
"value": "0x9.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7c876b16-533b-428e-9288-04e5da832706",
|
|
"value": "13j.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ad5d1222-ce53-4445-ae6b-22751380e8d8",
|
|
"value": "1h3.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3a1e9148-4ea5-42bb-aea1-549bfac00ad1",
|
|
"value": "1i.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c8fab75b-f3f8-471d-b4b8-e7da5aec0966",
|
|
"value": "1j.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1b0227bb-221a-4026-9252-dffff31ba131",
|
|
"value": "1j4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "335a647e-a90c-4db6-847f-b339333a96a0",
|
|
"value": "1k4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8be37180-6ff3-4977-a542-6f3e73ff0a50",
|
|
"value": "1n4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fa14609a-bcfb-4962-a110-8884a0fa398d",
|
|
"value": "1u.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b52486bc-7502-4017-98a6-f495ce47baab",
|
|
"value": "1u.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1a181051-a965-4677-b6d9-3e0f32346329",
|
|
"value": "21k.website"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "44d91ad2-8127-43e0-bb4a-7d280e2cb5dd",
|
|
"value": "27o.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ac62460a-d312-47b6-a2c4-9c38ab8d622b",
|
|
"value": "2i.nu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9852e885-6187-4f93-8db6-e266bc84c99e",
|
|
"value": "2i.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "082e17c6-0a51-4603-8c0a-49978bb007b7",
|
|
"value": "2i.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c681d300-444a-4d6e-9581-801edc074f19",
|
|
"value": "2j4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "df252477-5100-46f0-834d-56b11c879301",
|
|
"value": "2jks.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "13f2606a-5807-4cc2-bd19-b8a7c7a89323",
|
|
"value": "2kbq.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3d689955-65aa-46dd-bbb8-8d41618c1922",
|
|
"value": "2t.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ab32e42f-29be-4f6e-8e4f-7cbd91a65ece",
|
|
"value": "2t.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7a661fa4-c125-4d8a-98f1-f766762465c5",
|
|
"value": "2um.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9aa0d49b-348f-4c33-93d8-ecbc22792843",
|
|
"value": "2yd.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "50fd3b28-7f34-4e54-a6f2-265c29e40523",
|
|
"value": "3e.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "06b7404d-a331-40c1-a4eb-f3546e4bcae8",
|
|
"value": "3h.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c5e5aec1-52a2-4ab0-9fc4-c826075e703a",
|
|
"value": "3h1.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "4139a465-5894-49a3-996e-2bdac0aff36b",
|
|
"value": "3lzj.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a6353d14-77ee-44cb-b4e4-8f31db33eafe",
|
|
"value": "3p.ms"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3ac29d6e-9f5f-4c2e-b68b-5008d643c722",
|
|
"value": "3z.nu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3b208b0b-381e-4a4a-b017-3f1d0c79e979",
|
|
"value": "4aw.ro"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "70d262a3-c8f3-4a62-b8e4-9f701b3a47a0",
|
|
"value": "4c.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b02dcadf-019a-4a1e-bd5c-2257cba4d96f",
|
|
"value": "4j.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5cf61fa2-cf33-4592-92e1-2b01d845292f",
|
|
"value": "4j1.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1cdb15c5-7d1c-4c4b-8640-1cea926705a0",
|
|
"value": "4j5.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "73147215-3645-46b6-988f-caf7759359dc",
|
|
"value": "4k1.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6f7041eb-1d19-410f-825d-7e7e0bc2d806",
|
|
"value": "4kx.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cfdc5b83-aa9a-45ee-af2d-b300c3649278",
|
|
"value": "4m.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1fe32bf3-70c5-4c67-8120-a87e775c667f",
|
|
"value": "4n.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e2fbe282-1aef-401f-988d-5732ecbc3658",
|
|
"value": "4q.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e39d7a10-e379-45b0-964c-b755b41a7394",
|
|
"value": "4s.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "426d0b10-64bc-46e2-8226-92f909ff53d1",
|
|
"value": "4s3.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "972ea084-a516-41e7-bdd6-ef1b49105d75",
|
|
"value": "4w.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "715ce51d-e3fe-4beb-85a9-5728dbcda2ef",
|
|
"value": "4w.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6c0ff296-037b-4b65-8380-31d80767e8d5",
|
|
"value": "4w.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7e7b2978-1410-4d24-9fe4-b890ba5ed5bc",
|
|
"value": "4xq.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7326c4a9-727f-4b61-b1be-403bffc49c90",
|
|
"value": "5ap.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0da10963-3c11-4c47-a832-682895907df4",
|
|
"value": "5g7.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3b771589-417b-4957-b713-95709bb147f5",
|
|
"value": "5j8.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "dfeb6e55-e066-4ff1-ad3a-097d63ef7d37",
|
|
"value": "5jb.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "36ede7ea-74ae-41b8-b23a-50d7552eea31",
|
|
"value": "5jk.club"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "276c754e-60ff-476b-a11d-d03dca0df8f5",
|
|
"value": "5kj.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c5212bd5-aa7c-489c-b899-e97e3f4c271e",
|
|
"value": "5kx.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "29ac9533-2f77-41ce-a7e2-af96c180abae",
|
|
"value": "5qe8.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1b674845-cbe1-4908-b0f2-241b5aa6951d",
|
|
"value": "5qw.pw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1b276564-8dc8-4eab-a5e4-06a8ef185dff",
|
|
"value": "5qy.ro"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7c9d843b-77c7-4ef6-9a51-3863866f5523",
|
|
"value": "5s.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e5b29a97-7196-47f8-ad21-4a4a9e2adc12",
|
|
"value": "5v0.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "62634849-6bc2-4fc4-ae22-267762c4e6a8",
|
|
"value": "5z.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f6762a31-3477-44f0-ab06-aed59ed0f562",
|
|
"value": "5z.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b21c5805-1e3d-4919-b8a6-edc8b2667d6e",
|
|
"value": "60i.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "eff3ec09-2d72-42b7-aa77-91d49a5c5509",
|
|
"value": "66j.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5035f976-6838-4f20-8e61-36ef99e26771",
|
|
"value": "6ax.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "154a7e94-8deb-45cf-b294-2539635484f2",
|
|
"value": "6gcr.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ecd60927-356f-414a-871a-2a1ecd3f567c",
|
|
"value": "6id.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c2228cbd-365a-4762-a6be-d6f3bf7ab4bf",
|
|
"value": "6j2.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "62023b08-2687-4a2d-a5f1-c405856c6c39",
|
|
"value": "6qo.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7140b55e-67d6-47b3-8450-09fa02a7d702",
|
|
"value": "6t.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b5b9b43d-c312-4dab-90ce-3cd36c5fc6f5",
|
|
"value": "6t.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c86cd3a7-5f0b-41b4-a723-a6e2bc965095",
|
|
"value": "6t4.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7e91e10a-2a87-4f90-b71b-37adc886ae9c",
|
|
"value": "6uy.at"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "68e364b9-0bd7-42fc-8736-e1f69ce28fa9",
|
|
"value": "6w.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e639c93a-6450-41e6-b5a3-8c8fd7277f68",
|
|
"value": "6wr9.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7f6b0ea3-c3dd-4950-bc47-827b221a1ed7",
|
|
"value": "6xj.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ebdfea59-e2dd-47cd-b6ba-2e552a48d815",
|
|
"value": "6y.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7e24d173-1ed5-4edb-ae1f-deb9dac1a6b8",
|
|
"value": "79r.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cbdde65f-8a50-4c49-810d-77c306afd4c6",
|
|
"value": "7d.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "275e207a-ecd0-4f6d-b75f-f6643c343695",
|
|
"value": "7d.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fbf8c793-37f4-415e-b835-0dccd365f525",
|
|
"value": "7yfb.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c8b69cc0-64ce-40d8-b4a1-bcea42b7b73f",
|
|
"value": "8t.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d99fcf05-1782-4a76-97fc-11980400b5f1",
|
|
"value": "8t.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441767",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6a7345f8-8950-4874-94b7-a4a2076d053f",
|
|
"value": "9r.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a04003b9-e918-4305-80f3-8a93756bf065",
|
|
"value": "9r.sk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8b4025a8-3a6b-4397-ba28-7282159ea66f",
|
|
"value": "a0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bdc6549a-d120-4f2f-b849-0aad16e696cd",
|
|
"value": "aij.hk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f9c4b5b1-dd7a-48fe-9de2-14c3ead2f3ce",
|
|
"value": "as3.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "157501d2-ed48-4319-8408-591d47992e10",
|
|
"value": "b3vv.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fcc8ca3c-ce57-4a20-b64c-a594eaef51e1",
|
|
"value": "b8x.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9bb37e82-5f95-4c38-af73-42f5ef774efb",
|
|
"value": "b9.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3aa2653f-45f0-4fd5-b9b9-481e16df488c",
|
|
"value": "bcomb.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0cf5b70f-ae08-4fe2-b17c-8a0ed780afea",
|
|
"value": "bo2sv.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "afe125d0-cac4-4dbb-86af-f0a8540ec197",
|
|
"value": "bpyo.in"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "86464d8d-457f-4407-9933-e1d97fce1e0b",
|
|
"value": "c0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "22a2ad94-1122-480d-ad65-1b25795058f0",
|
|
"value": "c4z.pl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "41083164-f714-4e7d-a0de-18d24e1a6746",
|
|
"value": "c7.lc"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7013ae3b-6908-417c-872f-9fae33f6a128",
|
|
"value": "cb3u.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "01c2726f-77a0-465b-b0fb-91b572bffec6",
|
|
"value": "d0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ca8f4268-2950-4ebe-b443-3118b973682a",
|
|
"value": "d4j.club"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5988cb26-a1f4-4a46-be3b-172e9fb1f445",
|
|
"value": "dj2.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "eab8228e-60ab-44e9-be88-e366a235e7e1",
|
|
"value": "doem.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8eda6b78-cf59-4d4c-b761-668729db4e3f",
|
|
"value": "dsi.mk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a3b96aab-8b3e-428b-9de8-9741f629ab36",
|
|
"value": "e0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "edb25eef-c613-43dd-a4e0-6da3e7c0a6e6",
|
|
"value": "e9.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7b226ee8-65de-444c-8da4-ee6cdf2ac29f",
|
|
"value": "egso.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e4e29065-ca30-4fee-9dad-c9e7c790ef0f",
|
|
"value": "ej3.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "966fa2fa-44f6-4423-a44a-71853f103e06",
|
|
"value": "ejk.bz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ab6e4045-d470-4216-bd6d-8d0276ebdb09",
|
|
"value": "ejk.li"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "dc5914a1-0315-4247-bb5d-758ec0e52737",
|
|
"value": "euya.cn"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "13689d8e-3ad0-4116-aad6-748f626b89a2",
|
|
"value": "eznb.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c4a7865b-9a11-4076-94fd-e6ae4321f48d",
|
|
"value": "f0.tel"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d9873050-4a42-482c-9661-93a9dc547d6d",
|
|
"value": "fgcz.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bf561941-5a8c-41fb-b9cd-b719440ef1a9",
|
|
"value": "fnx.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d990861c-25b9-417c-95e9-33cfad3fbc52",
|
|
"value": "fxb.tw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "41bed45b-24e9-4544-92b3-c6698061fc7f",
|
|
"value": "fz.ms"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "71548cbb-0df4-45f8-a2bf-c380a2a23410",
|
|
"value": "g0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f7bf7cec-d28a-43f9-a122-ab59e1511f79",
|
|
"value": "g3.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "4d17873a-e80c-440d-8ec8-b450c4ca6ed1",
|
|
"value": "g4.nu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ea77ffa1-45f5-4c2f-ba1b-7d5b1e7aba87",
|
|
"value": "g4.tel"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8c987922-5569-4602-a655-e8ff1a6f475c",
|
|
"value": "g4.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "74f9449f-6b9b-4ded-97fd-b7fc5e2a01f7",
|
|
"value": "getmyfile.click"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0ba27902-1562-491f-a07b-16ea65628f24",
|
|
"value": "getmyfile.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9dbe222c-a5ca-4f70-96fa-f1b938968f53",
|
|
"value": "getmyfile.link"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7b855019-b2bf-46b5-8b05-e3ae92cf4df6",
|
|
"value": "glnj.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7002684d-5768-482c-94e0-536e43e36e89",
|
|
"value": "gloa.in"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "31513a41-ae4b-49ef-b55b-0417beb19720",
|
|
"value": "gz.qa"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "4cb5cb02-3498-4e43-b6dd-39a1e0f12dca",
|
|
"value": "gz3.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6f9aefc8-e628-4f3d-8083-91ade72ddb6f",
|
|
"value": "h0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "698d3bd0-be71-4ad4-9346-118b3e7138a0",
|
|
"value": "h0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d6ac5848-acd5-487f-a991-32d4594ce085",
|
|
"value": "h6.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f312e637-6d37-42e6-89db-33862cfc53f8",
|
|
"value": "i0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "68c1cce9-cb1a-4141-be31-abf1f5092eb4",
|
|
"value": "i0up.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "88561fb9-f9c3-4c35-a1aa-5622c9699f02",
|
|
"value": "i1.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "17cb1c6c-d01b-4541-b03e-b7f1f9ee5ab3",
|
|
"value": "i49.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d2eb1970-c337-4e7b-80df-a40bc0973f6a",
|
|
"value": "i4x.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3ad00795-589d-4cac-8ebc-148cfec832ac",
|
|
"value": "i6n.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "092c2afe-15ce-4976-bfe6-af512860d11c",
|
|
"value": "iyw5.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d8d986da-886b-4370-97db-dcf740e59b62",
|
|
"value": "iz.gy"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "90643393-a341-41e1-92f3-aa735fc848b8",
|
|
"value": "j1n.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "18b44377-7389-4a74-8a43-1019da17fd7e",
|
|
"value": "j2.gy"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2fbaf3f7-bc52-4b7a-99bc-35aef9177b59",
|
|
"value": "j3n.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fec38676-707c-40b5-964d-0af571004fbc",
|
|
"value": "j4r.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "44f9a258-23c5-4b6f-9610-8447a7c0d716",
|
|
"value": "j4z.co"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e4b2026c-6684-4da5-bccf-dadfc6439386",
|
|
"value": "j4z.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3acda878-9a09-4485-97a1-b0d7d7e69627",
|
|
"value": "j5m.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "eb18dfe4-76a6-4f4b-bf37-f063946fd232",
|
|
"value": "j5n.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "82585293-3047-4f49-b519-3cef85fc214f",
|
|
"value": "j68.info"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8e8596ca-dd98-4dd3-9b53-6b59b85e6437",
|
|
"value": "j8.si"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "33288511-ea3b-4d9e-b47e-1f7f0f7917e3",
|
|
"value": "jjl.one"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "91020589-5ba7-41db-b3f8-6f3ae570aa39",
|
|
"value": "jrtz.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6d6cbd04-a68c-41db-b29d-e4e4c64f025c",
|
|
"value": "jrx.fr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "347c0396-d7cf-48be-8974-691522d49720",
|
|
"value": "jrx.tw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c019e48a-8811-4121-8107-7b9febb9cd28",
|
|
"value": "jzm.pw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c356bdf7-1d08-4e24-8e34-f75ba2e9333b",
|
|
"value": "k0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e2165d59-90bd-4d3f-a6c8-34a3938ce8cb",
|
|
"value": "k1n.club"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c161810c-c301-4c0d-a601-4007a153f238",
|
|
"value": "k5j.one"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "92fef36c-3a97-44ab-9534-0c5b217316dc",
|
|
"value": "k5m.co"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "be59de04-fdb1-49cc-8033-f052d8057c61",
|
|
"value": "k5x.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f96671c9-33a6-4e87-8974-e92530f70e83",
|
|
"value": "k6c.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8bd24384-5c85-43cb-9a7a-57fdf4e910c4",
|
|
"value": "k6j.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2515959a-b108-4a29-a58f-edcb66a71001",
|
|
"value": "k6j.pw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "dde463c0-e60b-4013-b0e1-724dafddf38d",
|
|
"value": "kglo.link"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441768",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cc983cd9-ccaa-41fe-a65b-d2aee1e28a8a",
|
|
"value": "kj1.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "84e3be7b-3f0c-41ec-bb68-5e144543bd37",
|
|
"value": "kjaj.top"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "96d55b85-0caa-401b-9780-e9edfdc04e51",
|
|
"value": "kr4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5cef6e17-187f-43a5-9414-586e346ad226",
|
|
"value": "krrz.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d7ad8277-d2fe-4e0b-9fd2-324341934cb0",
|
|
"value": "l0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "808aba47-263b-4721-93ce-c108184afa01",
|
|
"value": "l5k.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b5ec6afc-72e6-484b-94cf-4accecf28b56",
|
|
"value": "l6nk.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "510d376b-3a57-4eef-8104-9a7eef131935",
|
|
"value": "l9b.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "25d02cc3-d18b-430d-8e01-9c795d538cbd",
|
|
"value": "ldnr.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "042ba6de-8e69-4316-9979-3037eeb66d9f",
|
|
"value": "lgf.pw"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9e6b4eed-d73a-4bab-89f0-56a256315189",
|
|
"value": "li1iv.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "87c572a8-4e7c-469a-87a9-fa4e8782dbb2",
|
|
"value": "lwip.re"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5fc48a95-d409-45e1-a2d1-38da607694dc",
|
|
"value": "lwxa.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7517a6f3-05e6-4720-96bf-17582a017634",
|
|
"value": "m0.nu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2b0a6440-193a-447b-8036-3f14f8d6537b",
|
|
"value": "m0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8dc59744-8247-4ef6-8a1b-c4d0e319e2f8",
|
|
"value": "m0.yt"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1f16d835-7679-4672-a54b-e4084253cb65",
|
|
"value": "m5n.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c05caab4-18bf-4665-b0e4-1117634d7b16",
|
|
"value": "mirw.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "edb5b0e6-002d-42dd-8658-68f97a2f7105",
|
|
"value": "mn1.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "86ccd18f-dedd-4276-be87-b093f6e05aab",
|
|
"value": "mnem.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a71e0ee5-8416-4672-ad45-bc93d2ad8dc8",
|
|
"value": "msix.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "03204596-9a53-4726-93e0-360fdd593825",
|
|
"value": "mwgq.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fc96f8be-951b-4839-a8b8-25ded7e2fc18",
|
|
"value": "mz3.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "57c4b12e-c87e-444c-a399-3f610427e4f6",
|
|
"value": "mzjc.is"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "22e7ee7f-2fe8-471c-bd52-410bcc21a2eb",
|
|
"value": "n3.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c930f2d6-0395-484b-9753-dab954b5c7e6",
|
|
"value": "n5.ms"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "34ab9aac-fe9b-45a3-a7ba-252e61fb0cb4",
|
|
"value": "n51.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "09b741da-1eee-4e36-8b9b-60d045d5aa49",
|
|
"value": "n54.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "68a79251-7658-4ab2-a8c7-e2589744fef5",
|
|
"value": "n5k.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7720e7aa-e600-4596-98fa-74de77a4e11a",
|
|
"value": "n9fz.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9499e299-3f16-4872-9165-04e513d8a4b2",
|
|
"value": "nk0.club"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c0acafa2-3a27-4600-a33f-393adc7c152f",
|
|
"value": "nt3.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6f44f21b-22cd-4b61-9801-d842a76635b5",
|
|
"value": "nwz.li"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "171aee96-4194-44ea-a89f-b790523d3b8f",
|
|
"value": "nz4.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a6a506a9-010d-4f14-8cbe-c49beaf3a2d0",
|
|
"value": "nzm.one"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9d436d9a-7c83-44b2-800b-0cfc6a7889e2",
|
|
"value": "o7car.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6dad13b0-bf92-4c59-ab3f-6d0ea79d7afe",
|
|
"value": "oj8.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0ad3845b-67eb-4846-b217-8574e814ffdc",
|
|
"value": "omzk.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "31caf8fa-2ad9-461f-815a-067097fac9b8",
|
|
"value": "p0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "32909740-173d-4581-96d7-635809613bdc",
|
|
"value": "p3.ms"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "63a10464-b79d-481f-93c2-d975f515cd7e",
|
|
"value": "p9.tel"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1d2ce439-c305-48f4-bd66-db737e29c2c1",
|
|
"value": "pjz.one"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c6c5d4d8-8dcb-4ab5-b267-fe4dd7d6c1dd",
|
|
"value": "q0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "011d2ca7-c6b9-4b68-a74e-afb6b4292c14",
|
|
"value": "q0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "666605e0-8195-4e35-b822-b724f48fdb82",
|
|
"value": "q2.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "ab930a69-5cf3-4b73-a894-c194c3e222ca",
|
|
"value": "qji6.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d88ac7d5-7f96-47ff-b0dc-7af6b8305b8c",
|
|
"value": "qmpo.art"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "85af1a0f-79a4-4005-87c6-a98730cbff56",
|
|
"value": "r0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2b672d12-ee76-4922-80a4-395d054ba4ce",
|
|
"value": "r0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f9925fb3-0eb4-4a3b-8e46-50b7eb6c2841",
|
|
"value": "r4e.pl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d25ab28e-76be-49d7-816a-ee061fcd1e4e",
|
|
"value": "r6.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "29b9bb04-d050-4bcc-a98f-fd6b02291f89",
|
|
"value": "ri7.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2bc52b9c-e726-45f3-b0e3-f1fb80e5b4e3",
|
|
"value": "rn9v.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a956c9ba-972c-497a-be29-d12caa8d913b",
|
|
"value": "rx3.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a941fb2a-8350-440a-bb7d-3aa6a30ae815",
|
|
"value": "s0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a8c53e6f-226b-4821-a8a1-633d4c105ce2",
|
|
"value": "s8.cx"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b1aefcbe-5027-4e6c-a054-9475eca7563e",
|
|
"value": "skqv.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "90049ad6-387e-4bba-8e57-341ba2b245e3",
|
|
"value": "t0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3316bfd2-d0f8-4986-bb2f-352cd7a0d40b",
|
|
"value": "t7.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a02a87b3-5512-467f-a924-8a32444319be",
|
|
"value": "tiua.uk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1db68a30-fd23-41e8-9586-17780a722d7f",
|
|
"value": "trzx.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6410d437-dd10-431a-a623-7ad1aa73618a",
|
|
"value": "tz6.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "4dac994f-9876-4af0-a018-37c55201af23",
|
|
"value": "u0.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f041b0b9-e3db-4bd3-b3c3-4143635ba598",
|
|
"value": "u0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "35675372-9e38-4d54-bced-9ecd8da2edd5",
|
|
"value": "u0.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bcccd3c7-0229-4bbf-80f1-601af2d9cc3e",
|
|
"value": "u7u.ro"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "61d5b4ab-befd-42d6-9075-c33f0ffd95ed",
|
|
"value": "u8wp.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5dc8d521-78f7-4d83-97c8-09dfe1643d24",
|
|
"value": "ubv5.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0514722f-8bbd-4011-95f8-a1037cb35586",
|
|
"value": "ue2.eu"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "74882ad9-585a-4b42-a321-8bf90ed620cd",
|
|
"value": "uoej.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "50dec3dd-a589-486d-b6cb-12e786a912e2",
|
|
"value": "uqw.futbol"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "973467b3-ea0b-4d56-9524-0c9b832e0d20",
|
|
"value": "uz3.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "daf73e02-df2d-4ec3-a748-7d6912876b70",
|
|
"value": "v0.cx"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "189a0034-94e7-4191-8b1b-cfb632de62e0",
|
|
"value": "vn6.co"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "fc61082b-adbd-4300-a75b-29b91fd44acb",
|
|
"value": "vqdn.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c9fbdb0e-e0a8-4735-9a29-16868ca92d3d",
|
|
"value": "vs.gy"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8322355d-cb9b-4be6-97bd-6e84b725bb5a",
|
|
"value": "w0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "63a90297-d7a6-46a7-81f2-c5da074ddec1",
|
|
"value": "w0iq.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "19c50e52-6313-4ec6-9806-347086ddcef0",
|
|
"value": "w4.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "93e774f3-c40a-484b-b373-b745ab88b71f",
|
|
"value": "w4.rs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "8999fc5f-41a9-425a-a5a0-e6f526982b8d",
|
|
"value": "w4.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441769",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e9b84ead-97c5-48fd-92f8-f91ea1c75f93",
|
|
"value": "w6.nz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e9bf9c36-9553-4e38-876d-c623c7530c6e",
|
|
"value": "wak.rocks"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "dfc8564c-0c28-4cd7-8421-cdde39edc91f",
|
|
"value": "xjam.hk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "70ab60c9-d7bd-4081-9bd9-afb64536d330",
|
|
"value": "xtabr.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d098a898-40f9-4c8a-80b7-79e9ebfe1bdf",
|
|
"value": "xz4.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "795c92f0-5474-4bb1-b4fc-4d89b85cf003",
|
|
"value": "y0.pm"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "22ad1e21-a348-4ed4-b224-6d866a1ab682",
|
|
"value": "y0.wf"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "f5a3c0c3-5763-4119-a016-5e370eda1f1c",
|
|
"value": "y3x.biz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1f85f78c-a812-4756-9843-2a805c45ff18",
|
|
"value": "ynns.uk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "960dccfc-5180-46a6-a36f-8089eb9d3825",
|
|
"value": "yuiw.xyz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "aa046f62-44ca-460d-86e7-7b5a16732a80",
|
|
"value": "z7s.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a8aa69bd-063c-414d-9edf-b21e3fd68692",
|
|
"value": "zbs.is"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3d69e18b-5341-4c4c-9cb7-73af223c1704",
|
|
"value": "zi9f.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a68fb465-f713-4c3c-a658-368f30c0ca5c",
|
|
"value": "zie5.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bd99e9ed-e0e1-4ffa-a93e-2b3e9d47ac89",
|
|
"value": "zjc.bz"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "15d682aa-5c0e-41f2-a9a4-f67dc643e183",
|
|
"value": "zk.qa"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "21d6b907-0d2a-4167-967f-6c58a42fc304",
|
|
"value": "zk4.me"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "996b832c-4b83-4b20-ae83-2ae5a138e058",
|
|
"value": "zk5.co"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "From https://raw.githubusercontent.com/SEKOIA-IO/Community/main/IOCs/qnapworm/20220704_QNAP_Worm_Infrastructure",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1671441770",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0ff9b6e9-a2be-40db-b8a1-266e0df2f33a",
|
|
"value": "zxn.fyi"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "7",
|
|
"timestamp": "1671442083",
|
|
"uuid": "aaf09192-2cff-4665-aae1-05a6e8cae7ba",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1671442083",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "39dc2fbe-f68c-414e-94ec-5867c8bd095c",
|
|
"value": "https://redcanary.com/blog/raspberry-robin/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1671442083",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "e2350615-9e5d-4e34-8dbb-0cda7b2d70f3",
|
|
"value": "Raspberry Robin gets the worm early\r\n\r\nRed Canary is tracking a worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious DLL."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1671442083",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "bc877e77-decb-4913-aecf-8f62a917a257",
|
|
"value": "Blog"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"EventReport": [
|
|
{
|
|
"name": "Raspberry Robin gets the worm early",
|
|
"content": "@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") gets the worm early\r\n===================================\r\n\r\nRed Canary is tracking a worm spread by external drives that leverages Windows Installer to reach out to QNAP-associated domains and download a malicious @[tag](dll).\r\n\r\n###### [Lauren Podber](https://redcanary.com/authors/lauren-podber)- [Stef Rand](https://redcanary.com/authors/stef-rand)\r\n\r\n*Originally published May 5, 2022. Last modified September 16, 2022.*\r\n\r\n*Over the past several months, Red Canary @[tag](misp-galaxy:sector=\"Intelligence\") has been tracking a cluster of malicious activity we call @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"). Read on for details on what @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") is, high-fidelity opportunities to detect known behaviors, and background on how we decided to cluster this activity.*\r\n\r\n*Check out this [video update](https://www.youtube.com/watch?v=xLteZDHiA1Y) for the latest developments and guidance on how to test your detection capabilities\u00a0with [@[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omic Red Team](https://atomicredteam.io/).*\r\n\r\n\"@[tag](misp-galaxy:malpedia=\"Raspberry Robin\")\" is Red Canary's name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim's user and device names. We also observed @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") use TOR exit nodes as additional command and control (@[tag](c2)) infrastructure.\r\n\r\nLike most activity clusters we track, @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") began as a handful of detections with similar characteristics that we saw in multiple customers' environments, first noticed by [Jason Killam](https://redcanary.com/authors/jason-killam/) from Red Canary's Detection Engineering team. We saw @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") activity as far back as September 2021, though most related activity occurred during or after January 2022. As we observed additional activity, we couldn't find public reporting to corroborate our analysis, aside from [some findings on VirusTotal](https://www.virustotal.com/gui/collection/cea528052dc6137b9ec1f2b03342921894fd0bb3b21209320bfdcb4ff7d27fb8) that we suspected were related based on overlap in @[tag](c2) domains.\r\n\r\nTo date, we've observed @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") in organizations with ties to technology and manufacturing, though it's not yet clear if there are other links among victims. We have several intelligence gaps around this cluster, including the operators' objectives. While we don't yet have the full picture, we want to share what we know about this activity cluster so far to enrich collective understanding of this threat and empower defenders to identify this activity. We use the cluster name \"@[tag](misp-galaxy:malpedia=\"Raspberry Robin\")\" to refer to the entire chain of activity described below, including the initial access method, the worm itself, and the follow-on execution and @[tag](c2) activity.\r\n\r\nBelow we've provided a comprehensive analysis of known @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") behavior with corresponding detection opportunities along the way.\r\n\r\n![raspberry robin intrusion @[attribute](3bec64e6-9f0a-473d-976f-8b4176059784))\r\n\r\n*Figure 1: @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") event outline*\r\n\r\nInitial access\r\n--------------\r\n\r\n@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") is typically introduced via infected removable drives, often USB devices. The @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") worm often appears as a shortcut `.lnk` file masquerading as a legitimate folder on the infected USB device.\r\n\r\nSoon after the @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") infected drive is connected to the system, the UserAssist registry entry is updated and records execution of a ROT13-ciphered value referencing a `.lnk` file when deciphered. In the example below, `q:\\erpbirel.yax` deciphers to `d:\\recovery.lnk`.\r\n\r\n@[attribute](09c5f151-1880-4d05-980a-a804fc0ccd4a))\r\n\r\n*Figure 2: Registry modification with ROT13 `.lnk` file*\r\n\r\nExecution\r\n---------\r\n\r\n@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") first uses `@[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350)` to read and execute a file stored on the infected external drive. The command is consistent across @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") detections we have seen so far, making it reliable early evidence of potential @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") activity. Typically the command line includes `cmd /R <` to read and execute a file. The use of `cmd /R <` is not unique to @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"), but the filename pattern is unique. The filename is made up of five to seven random alphanumeric characters and a variety of file extensions. Some of the file extensions we've seen include `.usb`, `ico`, `.lnk`, `.bin`, .`sv`, and `.lo`. Additionally, the command has sometimes included type, which is a built-in command to display the contents of a file.\r\n\r\nHere's an example of what the whole command might look like:\r\n\r\n@[attribute](4576484c-a673-42a3-af99-1f40dd358f63))\r\n\r\n*Figure 3: @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") `@[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350)` command*\r\n\r\nNext, `@[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350)` typically launches `explorer.exe` and `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)`. With @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"), `explorer.exe`'s command line can be a mixed-case reference to an external device; a person's name, like `LAUREN V`; or the name of the `.lnk` file, like the figure below. The name here has been modified from the `.lnk` file name to `LNkFILe`. While we aren't sure of this command's exact purpose, we've consistently observed it in @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") detections.\r\n\r\n@[attribute](9181b862-89f3-461a-8699-ae8808f0200b))\r\n\r\n*Figure 4: Mixed-case command referring to device or name*\r\n\r\n@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") extensively uses mixed-case letters in its commands. Adversaries sometimes use mixed-case syntax in an attempt to evade detection. Case-sensitive, string-based detections written to detect `evil` may not fire on `eViL`, but `@[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350)` is case-insensitive and has the flexibility to read and process both commands the same way.\r\n\r\nCommand and control (@[tag](c2))\r\n------------------------\r\n\r\nLet's look at @[tag](misp-galaxy:malpedia=\"Raspberry Robin\")'s `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` command in detail, since that informs our first behavior-based detection opportunity.\r\n\r\nWhile `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` downloads and executes legitimate installer packages, adversaries also leverage it to deliver malware. @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") uses `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` to attempt external network communication to a malicious domain for @[tag](c2) purposes. The command line has several key features we have seen across multiple detections:\r\n\r\n- Use of mixed-case syntax (this is yet another example of mixed case use by @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"))\r\n- Use of short, recently-registered domains only containing a few characters, for example `@[attribute](5f491ca2-c442-477f-90c0-4ce9c24e4415)`\r\n- The domains in our detections hosted QNAP NAS device login pages around the time of the @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") activity. We hypothesize @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") may use compromised QNAP devices for @[tag](c2) infrastructure. The use of (ostensibly) compromised QNAP devices for @[tag](c2) infrastructure is not unique to this activity cluster, but we observed operators using these across several @[tag](misp-galaxy:malpedia=\"Raspberry Robin\")-associated detections.\r\n- Inclusion of port `8080`, a non-standard HTTP web service port, in the URL\r\n- Inclusion of a string of random alphanumeric characters as the URL subdirectory, frequently followed by the victim's hostname and username\r\n\r\nHere is a modified example of a full malicious @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` command line matching all of the above criteria. The random string has been modified, and the victim's host name replaced with `HOSTNAME`, though the domain name remains the original one observed.\r\n\r\n@[attribute](c0414832-c1f2-4916-95f9-9b0c7b8bc68f))\r\n\r\n*Figure 5: Malicious @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` command*\r\n\r\nTo detect @[tag](suspicious) use of `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` by @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") or other threats, it's essential to take a look at the command line and the URL. Detecting `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` making outbound network connections to download and install packages in the command line interface will give you the opportunity to examine the activity and determine if it's malicious or not.\r\n\r\n* * * * *\r\n\r\n### Detection opportunity: **`@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` downloading and executing packages**\r\n\r\nIdentify the use of Windows Installer @[tag](misp-galaxy:mitre-attack-pattern=\"Tool - T1588.002\") `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` to download and @[attribute](fb37533c-7565-4a53-a143-dd9c2d601132)\r\npackages in the CLI.\r\n\r\nprocess == @[attribute](cc53c160-20f9-4025-996a-943559ffc34a)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nprocess_command_line_includes == `('http:', '@[attribute](47b88fa1-f5a1-44af-b835-3cb6f743d776)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nprocess_command_line_includes == `('/q', '-q')`\r\n\r\n* * * * *\r\n\r\nPersistence\r\n-----------\r\n\r\nIn several @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") detections, we have seen `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` go on to install a malicious @[tag](dll) file. @[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\") this time we are not certain what the @[tag](dll) does.. We suspect it may establish persistence on the victim's system. In the detections we saw, the malicious files were created as `C:\\Windows\\Installer\\@[tag](msi)****.tmp` files. In one case, a file with the same hash was also created as `C:\\Users\\username\\AppData\\Local\\Temp\\bznwi.ku`.\r\n\r\nExamples:\r\n\r\n- `C:\\Windows\\Installer\\@[tag](msi)5C01.tmp`\\\r\n `C:\\Users\\username\\AppData\\Local\\Temp\\bznwi.ku`\r\n - Shared MD5 hash: @[attribute](47817f4f-417b-4ee2-beae-85e5ae229c08)\r\n - [VirusTotal example](https://www.virustotal.com/gui/file/1a5fcb209b5af4c620453a70653263109716f277150f0d389810df85ec0beac1/)\r\n- `C:\\Windows\\Installer\\@[tag](msi)E160.tmp`\r\n - MD5 hash: @[attribute](5d88a4cb-b84a-48df-9249-fafc353320bc)\r\n - [VirusTotal example](https://www.virustotal.com/gui/file/c0a13af59e578b77e82fe0bc87301f93fc2ccf0adce450087121cb32f218092c/)\r\n\r\nExecution (again)\r\n-----------------\r\n\r\nNext, `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` launches a legitimate Windows utility, `fodhelper.exe`, which in turn spawns `rundll32.exe` to execute a malicious command. Processes launched by `fodhelper.exe` run with elevated administrative privileges without requiring a User Account Control prompt. It is unusual for `fodhelper.exe` to spawn any processes as the parent, making this another useful detection opportunity.\r\n\r\n* * * * *\r\n\r\n### Detection opportunity: `fodhelper.exe` as a parent process\r\n\r\nIdentify Windows Features On Demand helper `fodhelper.exe` creating processes as the parent.\r\n\r\nparent_process == `('fodhelper')`\r\n\r\n* * * * *\r\n\r\nThe `rundll32.exe` command starts another legitimate Windows utility, in this case `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)`, and passes in additional commands to execute and configure the recently-installed malicious @[tag](dll) `bznwi.ku` (Hash: `@[attribute](47817f4f-417b-4ee2-beae-85e5ae229c08)`). Here is what that command looks like. (We modified the random string values in the command, as well as replaced the victim's username with `username`.)\r\n\r\n@[attribute](849568fc-cc7e-433a-a306-7758028225da))\r\n\r\n*Figure 6: Malicious `rundll32.exe` command*\r\n\r\nThe `-A` flag in `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` specifies an action. `configdriver` loads the driver setup @[tag](dll), in this case `VKIPDSE`. `SETFILEDSNDIR` creates the registry location @[attribute](268a7686-67e8-4e86-b6a5-f02de7ee6209) File @[attribute](0512470f-6f14-48cd-8f91-7ab0ffe13d54), if it does not already exist, and specifies the default location used by the ODBC Data @[tag](misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Source\") Administrator when creating a file-based data source. `INSTALLDRIVER` adds additional information about the driver.\r\n\r\nIn this detection, we saw `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` successfully execute the malicious command. Since `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` has a built-in `regsvr` flag similar to `regsvr32.exe`, it can be used by adversaries to execute @[tag](dll)s and bypass application control defenses that aren't monitoring for `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` misuse.\r\n\r\n* * * * *\r\n\r\n### Detection opportunity: **`@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` loading .@[tag](dll)s**\r\n\r\nDetect the Windows Open Database Connectivity utility loading a @[attribute](6d4adc80-d015-40b1-8d5d-b32f73c67e0a)\r\nfile or @[tag](dll). The /A flag specifies an action, `/F` uses a response file, and `/S` runs in silent @[attribute](ee779db7-f8fd-4d60-ac06-502d4a6369be)\r\n`Odbcconf.exe` running rgsvr actions in silent mode could indicate misuse.\r\n\r\nprocess == @[attribute](5deea668-eee5-4192-8a17-62233d29c665)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nprocess_command_line_includes == @[attribute](2c12bcf3-8508-44af-a44b-5f926ac216eb)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nprocess_command_line_includes == `('/f', '@[attribute](484486c5-6b10-4f9f-901f-687e21853c0c)\r\n@[suggestion](|@[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf))\r\nprocess_command_line_includes == `('/a', '@[attribute](fe465f07-1729-4e7d-86db-3167a40ab721)\r\n@[suggestion](|@[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf))\r\nprocess_command_line_includes == `('/s', '-s')`\r\n\r\n* * * * *\r\n\r\n@[tag](c2), part deux\r\n-------------\r\n\r\nWe observed outbound @[tag](c2) activity involving the processes `regsvr32.exe`, `rundll32.exe`, and `dllhost.exe` executing without any command-line parameters and making external network connections to IP addresses associated with TOR nodes. Additionally, some of the IP addresses in the connections host domains consisting of random alphanumeric characters. For example, `hxxps[:]//www[.]ivuoq6si2a[.]com/`.\r\n\r\nThis activity presents us with a final detection opportunity. It is atypical for `regsvr32.exe`, `rundll32.exe` and `dllhost.exe` to execute with no command-line parameters and establish external network connections. This behavior is not inherently malicious, but is good to monitor.\r\n\r\n* * * * *\r\n\r\n### Detection opportunity: **network connections from the command line with** **no parameters**\r\n\r\nDetect `regsvr32.exe`, `rundll32.exe`, and `dllhost.exe` making external @[attribute](a0e7c5ba-abda-4bc7-a30f-8e9a55a99bf4)\r\nconnections with an empty command line.\r\n\r\nprocess == @[attribute](bb387cbd-bcb9-4ef7-816b-e641f191ae49)\r\n@[suggestion](|@[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf))\r\nprocess == @[attribute](5beb0b40-5158-4095-b300-de0b77a70e4e)\r\n@[suggestion](|@[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf))\r\nprocess == @[attribute](1e6484b7-b7a2-408f-a217-bf1a6a8d7d04)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nprocess_command_line_contains == @[attribute](b238f8d0-b440-4ae4-9554-28fd9a0221ba)\r\n@[attribute](d1ed6267-8eda-4187-b222-bf1e9cd85bb5)\r\nhas_netconnection\r\n\r\n**Note: Double Quotes (\"\") within the command line means null.*\r\n\r\n* * * * *\r\n\r\nTesting\r\n-------\r\n\r\n*Editor's note: We added the testing section to this article on May 11, 2022 and updated it on @[tag](misp-galaxy:tool=\"August\") 2, 2022.*\r\n\r\nThe detection opportunities listed in this article should offer good coverage against some @[tag](misp-galaxy:malpedia=\"Raspberry Robin\")-related techniques. However, it's hard to know if a detection analytic is configured or implemented correctly without testing it. Luckily, we've got a few different @[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omic Red Team tests that should effectively emulate the pseudo-detection analytics listed above. *Note: [@[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omic Red Team](https://atomicredteam.io/) is an open source library of tests that security professionals can use to validate their security controls.*\r\n\r\n### Emulating Command Prompt reading and executing the contents of a CMD file\r\n\r\nThis atomic was developed specifically to emulate @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"). It uses the \"standard-in\" command prompt feature (`cmd /R <`) to read and execute a file via @[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350). Run the following in the Command Prompt:\r\n\r\n```\r\ncmd /r cmd<C:\\@[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omicRedTeam\\atomics\\T1059.003\\src\\t1059.003_cmd.cmd\r\n```\r\n\r\nYou can find the test file in the atomics library [here](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md#atomic-test-5---command-prompt-read-contents-from-cmd-file-and-execute).\r\n\r\n### Emulating `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` downloading and executing packages\r\n\r\nThis following atomic retrieves an arbitrary @[tag](msi) file from a remote IP address and executes it. Note that the process is `@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc)` and that the command line includes `/q` and `https:`---all of the variables mentioned in the above detection opportunity. Run the following in the Command Prompt:\r\n\r\n```\r\n@[attribute](85c32a4e-7ebf-43a2-9f2c-92e076c767cc) /q /i \"@[attribute](11515eaf-09fe-4aac-912f-6459acfad623)\"\r\n```\r\n\r\nYou can find the test file in the atomics library [here](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md#atomic-test-11---msiexecexe---execute-remote-msi-file).\r\n\r\n### Emulating `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` loading @[tag](dll)s\r\n\r\nThe following atomic uses `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` to load and execute a locally stored @[tag](dll). Note that the process will be `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` and that the command line includes the `/a` and `/s` parameters that the pseudo detection analytic looks for.\r\n\r\n```\r\n@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a) /S /A {REGSVR \"C\\@[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omicRedTeam\\atomics\\T1218.008\\src\\Win32\\T1218-2.dll\"}\r\n```\r\n\r\nNote that this test includes a prerequisite. You can find detailed instructions in the [T1218.008 atomics @[attribute](71238972-2405-410d-b22e-0e8997cfbd94)).\r\n\r\n### Emulating network connections from the command line with no parameters\r\n\r\nThe following isn't a perfect atomic for emulating this detection opportunity, but it'll emulate the `rundll32.exe` process start and the network connection (albeit with a corresponding command line). Run the following in the Command Prompt.\r\n\r\n```\r\nrundll32.exe @[attribute](9c6078b3-d0b4-4a29-b530-5987487de076),RunHTMLApplication \";@[attribute](7a84592a-f64e-4084-8efd-570004d94a9a)();@[attribute](56fa56dc-296e-4c55-9332-70580ec0d951)();\r\n```\r\n\r\nYou can find the test file in the atomics library [here](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md#atomic-test-1---rundll32-execute-javascript-remote-payload-with-getobject).\r\n\r\n@[tag](misp-galaxy:sector=\"Intelligence\") gaps\r\n-----------------\r\n\r\nSeveral unanswered questions about this cluster remain. @[tag](misp-galaxy:ransomware=\"First\") and foremost, we don't know how or where @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") infects external drives to perpetuate its activity, though it's likely this occurs offline or otherwise outside of our visibility. We also don't know why @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") installs a malicious @[tag](dll). @[tag](misp-galaxy:ransomware=\"One\") hypothesis is that it may be an attempt to establish persistence on an infected system, though additional information is required to build confidence in that hypothesis.\r\n\r\nPerhaps our biggest question concerns the operators' objectives. Absent additional information on later-stage activity, it's difficult to make inferences on the goal or goals of these campaigns. Despite this, we hope this information is useful for informing broader efforts to track and better detect @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") activity. We hope to start a conversation that will help the whole community learn more about this threat. If you've been tracking similar activity, we'd love to hear from you and collaborate. Contact <@[attribute](6227f374-370a-4a15-bf33-7fa86f327dc1)> with any observations or questions.\r\n\r\n*Thank you to all our contributing researchers who helped make this research possible, especially [Jeff Felling](https://redcanary.com/authors/jeff-felling/) from Red Canary @[tag](misp-galaxy:sector=\"Intelligence\") and [Jason Killam](https://redcanary.com/authors/jason-killam/) from Red Canary Detection Engineering.*\r\n\r\nAppendix\r\n--------\r\n\r\nAs we define parameters for an activity cluster, we map behaviors to [MITRE ATT&CK](https://redcanary.com/mitre-attack/) where applicable and note observables of interest. In some cases, often with infrastructure and certain adversary decisions, observables associated with an activity cluster may not neatly map to an ATT&CK technique, and that's okay.\r\n\r\n| Tactic | Technique | Description | Observable |\r\n| --- | --- | --- | --- |\r\n|\r\n\r\n**Initial Access**\r\n\r\n |\r\n\r\nT1091 Replication Through Removable Media\r\n\r\n |\r\n\r\nIn some cases, @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") was introduced via infected removable drives. In these instances, the worm appeared as a shortcut (LNK file) masquerading as a legitimate folder on a USB device\r\n\r\n |\r\n\r\ne:\\removable @[attribute](86e9c491-0daa-4a24-8416-ab305dc32217)\r\n\r\n |\r\n|\r\n\r\n**Initial Access**\r\n\r\n @[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf)\r\n |\r\n\r\n`explorer.exe` with a command line containing a reference to a device or a name\r\n\r\n |\r\n\r\nExpLoRER \"USB Drive\" or EXPLorEr \"LAUREN V\" @[attribute](6675efaa-e012-4e6f-b3fe-c823a311b366)\r\neXPLOReR LNkFILe\r\n\r\n |\r\n|\r\n\r\n**Execution**\r\n\r\n |\r\n\r\nT1059.003 @[tag](misp-galaxy:cmtmf-attack-pattern=\"Command and Scripting Interpreter\") (Windows Command Shell)\r\n\r\n |\r\n\r\n@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") uses the \"standard-in\" command prompt feature `cmd/R <` to read and execute a file with a name composed of several seemingly random alphanumeric characters\r\n\r\n |\r\n\r\n@[suggestion](C:\\Windows\\system32\\@[attribute](bd4ada09-e9f3-452a-a694-b60d0e13a350))\" /R CMD<@[attribute](788d9f8a-ee65-4413-ba53-aa821295155c)\r\n\r\n |\r\n|\r\n\r\n**Defense Evasion**\r\n\r\n @[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf)\r\n |\r\n\r\nThe use of mixed-case letters, which is tradecraft sometimes used by adversaries to evade defenses (not unique to @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"))\r\n\r\n |\r\n\r\nmSIeXEc, ExpLoRER, or HTtp in a command line\r\n\r\n |\r\n|\r\n\r\n**Defense Evasion**\r\n\r\n |\r\n\r\nT1218.008 @[tag](Signed) Binary @[tag](Proxy) Execution: @[attribute](fa3d03a5-c0a5-45bd-a2a9-1cf5cdf4b0ba)\r\nT1218.008 @[tag](Signed) Binary @[tag](Proxy) Execution: Odbcconf\r\n\r\n |\r\n\r\n@[tag](misp-galaxy:malpedia=\"Raspberry Robin\") uses legitimate Windows utilities like `fodhelper.exe` and `@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a)` to proxy @[tag](dll) file execution with `rundll32.exe`\r\n\r\n |\r\n\r\n\"RUN@[tag](dll)32.exe\" shell32,ShellExec_Run@[tag](dll)A \"@[suggestion](C:\\WINDOWS\\syswow64\\@[attribute](3b599e72-fa09-4be4-94bf-67198ec82d2a))\" -A {regsvr \"@[attribute](f8fbc847-b0ef-4afe-b32e-ba4bc975183f).\"} -E -A {configdriver VKIPDSE} -A {SETFILEDSNDIR fnpawxs PXQAND ofeslkscqqczuaj} -a {INSTALLDRIVER fqcmypo OGEYSCKXFTBNXAF}\r\n\r\n |\r\n|\r\n\r\n**@[tag](c2)**\r\n\r\n |\r\n\r\nT1218.007 @[tag](Signed) Binary @[tag](Proxy) Execution: @[attribute](f4836f13-62dd-43e2-b74e-825a09959a6a)\r\nT1071.001 Application Layer Protocol: Web Protocols\r\n\r\n |\r\n\r\n`Msiexec.exe` making external network connections to URLs that include the victim's hostname and username\r\n\r\n |\r\n\r\nmsiEXEC /Q -I @[attribute](763b6c2d-f047-4454-8dbb-0a6f55c088f3)\r\n\r\n |\r\n|\r\n\r\n**@[tag](c2)**\r\n\r\n @[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf)\r\n |\r\n\r\nRecently registered top-level domains with few characters, likely used as @[tag](c2) infrastructure\r\n\r\n |\r\n\r\n@[attribute](117d8e6c-a095-4c44-82a2-fcae60ee5595) or @[attribute](5f491ca2-c442-477f-90c0-4ce9c24e4415)\r\n\r\n |\r\n|\r\n\r\n**@[tag](c2)**\r\n\r\n @[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf)\r\n |\r\n\r\nUse of infrastructure tied to compromised QNAP NAS devices (not unique to @[tag](misp-galaxy:malpedia=\"Raspberry Robin\"))\r\n\r\n @[attribute](359c5991-d3b2-471b-abc9-9faa57dc25cf)\r\n |\r\n|\r\n\r\n**@[tag](c2)**\r\n\r\n |\r\n\r\nT1218.008 @[tag](Signed) Binary @[tag](Proxy) Execution: @[attribute](fa3d03a5-c0a5-45bd-a2a9-1cf5cdf4b0ba)\r\nT1218.008 @[tag](Signed) Binary @[tag](Proxy) Execution: Regsvr32\r\n\r\n |\r\n\r\n`rundll32.exe` and `regsvr32.exe` used for @[tag](c2) communication\r\n\r\n |\r\n\r\nLook for `rundll32.exe` and/or `regsvr32.exe` making external network connections with no command-line arguments\r\n\r\n |\r\n\r\n###### MORE ON RASPBERRY ROBIN\r\n\r\n[\r\n\r\nWatch our security experts break down new developments in @[tag](misp-galaxy:malpedia=\"Raspberry Robin\") TTPs, along with the most helpful @[tag](misp-galaxy:mitre-attack-pattern=\"At - T1053.002\")omic Red Team tests for validating your detection coverage.\r\n\r\n](https://www.youtube.com/watch?v=xLteZDHiA1Y)\r\n\r\n[](https://www.youtube.com/watch?v=xLteZDHiA1Y)\r\n\r\n[](https://www.youtube.com/watch?v=xLteZDHiA1Y)",
|
|
"id": "142",
|
|
"event_id": "109238",
|
|
"timestamp": "1671442262",
|
|
"uuid": "20084cb0-fdb3-4c37-bd8d-692470e66ed7",
|
|
"deleted": false
|
|
}
|
|
]
|
|
}
|
|
} |