
{
"Event": {
"analysis": "2",
"date": "2016-05-25",
"extends_uuid": "",
"info": "OSINT - New Wekby Attacks Use DNS Requests As Command and Control Mechanism",
"publish_timestamp": "1464162534",
"published": true,
"threat_level_id": "3",
"timestamp": "1464161691",
"uuid": "57454ee0-3294-407a-8468-493c950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160375",
"to_ids": true,
"type": "sha256",
"uuid": "57455077-0144-41d3-b61f-4420950d210f",
"value": "da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160375",
"to_ids": true,
"type": "sha256",
"uuid": "57455077-e4e8-46e7-8528-4fe1950d210f",
"value": "930772d6af8f43f62ea78092914fa8d6b03e8e3360dd4678eec1a3dda17206ed"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160376",
"to_ids": true,
"type": "sha256",
"uuid": "57455078-6e98-4713-ae9a-4370950d210f",
"value": "6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160376",
"to_ids": true,
"type": "sha256",
"uuid": "57455078-5aa8-4a30-9f3e-48ee950d210f",
"value": "9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160376",
"to_ids": true,
"type": "sha256",
"uuid": "57455078-7a08-49da-a316-463f950d210f",
"value": "4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160377",
"to_ids": true,
"type": "sha256",
"uuid": "57455079-8b60-418f-8579-4b4c950d210f",
"value": "1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160377",
"to_ids": true,
"type": "sha256",
"uuid": "57455079-d494-4a47-9489-48a9950d210f",
"value": "456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb"
},
{
"category": "Network activity",
"comment": "DNS exfiltration",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160537",
"to_ids": true,
"type": "hostname",
"uuid": "57455119-805c-49dd-b728-4394950d210f",
"value": "ns1.logitech-usa.com"
},
{
"category": "Network activity",
"comment": "Delivery of the initial file",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160537",
"to_ids": true,
"type": "domain",
"uuid": "57455119-2dcc-40d1-aa46-44a9950d210f",
"value": "globalprint-us.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160537",
"to_ids": true,
"type": "domain",
"uuid": "57455119-880c-48af-a815-4de3950d210f",
"value": "intranetwabcam.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160538",
"to_ids": true,
"type": "hostname",
"uuid": "5745511a-9328-4035-85c8-456f950d210f",
"value": "login.access-mail.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160538",
"to_ids": true,
"type": "hostname",
"uuid": "5745511a-e1e4-4728-8b1a-441b950d210f",
"value": "glb.it-desktop.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160538",
"to_ids": true,
"type": "hostname",
"uuid": "5745511a-1828-434d-bfbe-40fa950d210f",
"value": "local.it-desktop.com"
},
{
"category": "Network activity",
"comment": "Imported via the Freetext Import Tool",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160539",
"to_ids": true,
"type": "hostname",
"uuid": "5745511b-5548-434d-a276-4bb1950d210f",
"value": "hi.getgo2.com"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160574",
"to_ids": false,
"type": "link",
"uuid": "5745513e-e4c4-429d-98fb-40f5950d210f",
"value": "https://blog.anomali.com/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160575",
"to_ids": false,
"type": "link",
"uuid": "5745513f-68ac-4629-9b82-480d950d210f",
"value": "http://www.volexity.com/blog/?p=158"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160575",
"to_ids": false,
"type": "link",
"uuid": "5745513f-79fc-4aa8-a5e4-48bf950d210f",
"value": "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160575",
"to_ids": false,
"type": "link",
"uuid": "5745513f-98a4-4b12-a221-4f50950d210f",
"value": "https://www.zscaler.com/blogs/research/chinese-cyber-espionage-apt-group-leveraging-recently-leaked-hacking-team-exploits-target-financial-services-firm"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160576",
"to_ids": false,
"type": "link",
"uuid": "57455140-3e14-4530-a551-4326950d210f",
"value": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160576",
"to_ids": false,
"type": "link",
"uuid": "57455140-79a4-4aaf-a4e3-4882950d210f",
"value": "http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464160642",
"to_ids": false,
"type": "mutex",
"uuid": "57455182-0280-4cee-8e2e-4bbb950d210f",
"value": ")!VoqA.I5"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161691",
"to_ids": true,
"type": "sha1",
"uuid": "5745559b-6988-419d-aa75-4c9302de0b81",
"value": "0d620c1c7e64a20a2918c0ec92260afc2716fd17"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161691",
"to_ids": true,
"type": "md5",
"uuid": "5745559b-b154-4998-98af-425f02de0b81",
"value": "07b9b62fb3b1c068837c188fefbd5de9"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161691",
"to_ids": false,
"type": "link",
"uuid": "5745559b-948c-4fe7-9404-4ef902de0b81",
"value": "https://www.virustotal.com/file/456fffc256422ad667ca023d694494881baed1496a3067485d56ecc8fefbfaeb/analysis/1463822200/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161691",
"to_ids": true,
"type": "sha1",
"uuid": "5745559b-e91c-488c-82cb-479a02de0b81",
"value": "459d35058d4a5c8ca84638a5ea8fcbc2d4e0c772"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161692",
"to_ids": true,
"type": "md5",
"uuid": "5745559c-6bac-4960-9e47-445402de0b81",
"value": "e5414c5215c9305feeebbe0dbee43567"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161692",
"to_ids": false,
"type": "link",
"uuid": "5745559c-cffc-4030-b815-486102de0b81",
"value": "https://www.virustotal.com/file/1b341dab023de64598d80456349db146aafe9b9e2ec24490c7d0ac881cecc094/analysis/1445829715/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161692",
"to_ids": true,
"type": "sha1",
"uuid": "5745559c-c63c-45ac-9f98-43a702de0b81",
"value": "326b5dfa775f7479862c8896e1906ba95e530f9b"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161692",
"to_ids": true,
"type": "md5",
"uuid": "5745559c-4324-4a68-ae68-422f02de0b81",
"value": "d0f79de7bd194c1843e7411c473e4288"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161692",
"to_ids": false,
"type": "link",
"uuid": "5745559c-2db8-4f32-af0f-498c02de0b81",
"value": "https://www.virustotal.com/file/4d62caef1ca8f4f9aead7823c95228a52852a1145ca6aaa58ad8493e042aed16/analysis/1445828993/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161693",
"to_ids": true,
"type": "sha1",
"uuid": "5745559d-dba8-4c1b-9fdc-49db02de0b81",
"value": "0e989a0867d6385ed0eda780a86a9229ac5b809e"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161693",
"to_ids": true,
"type": "md5",
"uuid": "5745559d-9b54-46fc-b82c-44c202de0b81",
"value": "985eba97e12c3e5bce9221631fb66d68"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161693",
"to_ids": false,
"type": "link",
"uuid": "5745559d-5274-4cd4-992a-4d6402de0b81",
"value": "https://www.virustotal.com/file/9200f80c08b21ebae065141f0367f9c88f8fed896b0b4af9ec30fc98c606129b/analysis/1437393001/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161693",
"to_ids": true,
"type": "sha1",
"uuid": "5745559d-0054-4721-a70e-4d3502de0b81",
"value": "1c581a09963109fc526a71adc5cde8e6c89ce615"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161693",
"to_ids": true,
"type": "md5",
"uuid": "5745559d-5e58-4eaa-bc9b-4d3a02de0b81",
"value": "7b24d17e5f29e27b1c17127839be591a"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161694",
"to_ids": false,
"type": "link",
"uuid": "5745559e-fcb4-4847-a533-419402de0b81",
"value": "https://www.virustotal.com/file/6852ba95720af64809995e04f4818517ca1bd650bc42ea86d9adfdb018d6b274/analysis/1447119998/"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161694",
"to_ids": true,
"type": "sha1",
"uuid": "5745559e-c110-4754-af54-43a302de0b81",
"value": "c6db4ddc514869a41272abba5e10de70b888476a"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161694",
"to_ids": true,
"type": "md5",
"uuid": "5745559e-f960-43d3-974a-410702de0b81",
"value": "e8d58aa76dd97536ac225949a2767e05"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1464161694",
"to_ids": false,
"type": "link",
"uuid": "5745559e-b6b0-419c-b1fc-469f02de0b81",
"value": "https://www.virustotal.com/file/da3261c332e72e4c1641ca0de439af280e064b224d950817a11922a8078b11f1/analysis/1462960470/"
}
]
}
}