363 lines
No EOL
11 KiB
JSON
363 lines
No EOL
11 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2015-09-28",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Infected Korean Website Installs Banking Malware by Cyphort",
|
|
"publish_timestamp": "1443511859",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1443511856",
|
|
"uuid": "560a3ca1-e110-476e-b730-4765950d210b",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511482",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "560a3cba-80f8-4552-b0f5-472e950d210b",
|
|
"value": "http://www.cyphort.com/koreatimes-installs-venik/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511574",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d16-8174-4ec6-abb5-4817950d210b",
|
|
"value": "koreatimes.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511574",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d16-f058-4646-a321-4dc8950d210b",
|
|
"value": "filehon.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511575",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d17-2eb0-4f10-bc30-41d9950d210b",
|
|
"value": "joara.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511575",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d17-1c24-4311-a351-408c950d210b",
|
|
"value": "hometax.go.kr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511575",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d17-6eec-43e5-bd7a-412f950d210b",
|
|
"value": "soriaudio.co.kr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511576",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d18-1a88-4db3-81c8-450f950d210b",
|
|
"value": "gomsee.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511576",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d18-980c-4c66-ac01-4881950d210b",
|
|
"value": "lottoplay.co.kr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511576",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d18-6774-46fe-acf1-4c60950d210b",
|
|
"value": "insight.co.kr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511577",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d19-787c-4cd7-89da-4390950d210b",
|
|
"value": "filecity.co.kr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511577",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d19-ed44-4225-96ce-48b6950d210b",
|
|
"value": "nggol.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Past infected sites",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511577",
|
|
"to_ids": false,
|
|
"type": "domain",
|
|
"uuid": "560a3d19-4b38-45d6-95c6-438b950d210b",
|
|
"value": "koreamanse.com"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511599",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "560a3d2f-80d4-4082-b16c-4c4c950d210b",
|
|
"value": "CVE-2014-6332"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511599",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "560a3d2f-7b1c-40e9-9a93-4d5f950d210b",
|
|
"value": "CVE-2011-3544"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511599",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "560a3d2f-f99c-4d63-a726-4e2d950d210b",
|
|
"value": "CVE-2015-0336"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511705",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "560a3d99-cd74-481b-9861-e475950d210b",
|
|
"value": "99.188.106.161"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511705",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "560a3d99-c840-4f69-ae51-e475950d210b",
|
|
"value": "http://142.0.137.68"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511706",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "560a3d9a-8d6c-4f79-b327-e475950d210b",
|
|
"value": "http://142.0.137.67:805/index.php"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511706",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "560a3d9a-b6a0-4cbc-924b-e475950d210b",
|
|
"value": "142.0.137.199"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511719",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "560a3da7-2510-4ae0-a6bb-417f950d210b",
|
|
"value": "142.0.137.68"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511719",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "560a3da7-f748-49bc-982b-47b9950d210b",
|
|
"value": "142.0.137.67"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511755",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "560a3dcb-a60c-46f7-a05d-470d950d210b",
|
|
"value": "c242d641d9432f611360db36f2075f67"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511755",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "560a3dcb-7e10-4595-a21f-4913950d210b",
|
|
"value": "a6ec0fbe1ad821a3fb527f39e180e378"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511755",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "560a3dcb-7e90-4d72-883c-4add950d210b",
|
|
"value": "b9a5a00e134fe0df217c01145319b1cb"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "- Xchecked via VT: a6ec0fbe1ad821a3fb527f39e180e378",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511841",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "560a3e21-0638-4bcd-8d62-4319950d210b",
|
|
"value": "04272c55bf2a534cf9f4556f102f01770d1ac2d4979cd98e9a2e294cf57c2a49"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "- Xchecked via VT: a6ec0fbe1ad821a3fb527f39e180e378",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511841",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "560a3e21-4654-4a55-b8c2-428d950d210b",
|
|
"value": "0cb0f491de8ba2761de899d8cbc136e2747145ee"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511842",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "560a3e22-2db0-4a39-b37f-4ef5950d210b",
|
|
"value": "https://www.virustotal.com/file/04272c55bf2a534cf9f4556f102f01770d1ac2d4979cd98e9a2e294cf57c2a49/analysis/1443347085/"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "- Xchecked via VT: c242d641d9432f611360db36f2075f67",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511842",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "560a3e22-027c-4e2d-b613-40cb950d210b",
|
|
"value": "3361cece5f1e2920f2eb6029aa844d434f3f265cace7061cc52a0e11a6d1d383"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "- Xchecked via VT: c242d641d9432f611360db36f2075f67",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511842",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "560a3e22-73bc-488e-81ec-42d5950d210b",
|
|
"value": "be8e700fb54019f06e3c816473d9141cc7d75630"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1443511843",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "560a3e23-008c-4560-9c3a-40a7950d210b",
|
|
"value": "https://www.virustotal.com/file/3361cece5f1e2920f2eb6029aa844d434f3f265cace7061cc52a0e11a6d1d383/analysis/1443415018/"
|
|
}
|
|
]
|
|
}
|
|
} |