{
"Event": {
"analysis": "2",
"date": "2016-12-13",
"extends_uuid": "",
"info": "OSINT - Windows 10: protection, detection, and response against recent Depriz malware attacks",
"publish_timestamp": "1481616971",
"published": true,
"threat_level_id": "2",
"timestamp": "1481616512",
"uuid": "584fabab-b03c-404c-8ff8-4433950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"local": "0",
"name": "misp-galaxy:threat-actor=\"TERBIUM\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": "0",
"name": "tlp:white",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616311",
"to_ids": false,
"type": "link",
"uuid": "584fabb7-4028-4bf3-b6b1-4963950d210f",
"value": "https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616331",
"to_ids": false,
"type": "comment",
"uuid": "584fabcb-d218-44f6-ab11-40ab950d210f",
"value": "A few weeks ago, multiple organizations in the Middle East fell victim to targeted and destructive attacks that wiped data from computers, and in many cases rendering them unstable and unbootable. Destructive attacks like these have been observed repeatedly over the years and the Windows Defender and Windows Defender Advanced Threat Protection Threat Intelligence teams are working on protection, detection, and response to these threats.\r\n\r\nMicrosoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names."
},
{
"category": "Payload delivery",
"comment": "malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616357",
"to_ids": true,
"type": "sha1",
"uuid": "584fabe5-1424-464d-9330-46ef950d210f",
"value": "5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6"
},
{
"category": "Payload delivery",
"comment": "malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616358",
"to_ids": true,
"type": "sha1",
"uuid": "584fabe6-f5a8-4ecf-b0a1-4bd5950d210f",
"value": "e7c7f41babdb279c099526ece03ede9076edca4e"
},
{
"category": "Payload delivery",
"comment": "malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616358",
"to_ids": true,
"type": "sha1",
"uuid": "584fabe6-5698-4cb8-93e8-4920950d210f",
"value": "a2669df6f7615d317f610f731b6a2129fbed4203"
},
{
"category": "Payload delivery",
"comment": "malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616358",
"to_ids": true,
"type": "sha1",
"uuid": "584fabe6-3374-42f0-9f85-4b16950d210f",
"value": "425f02028dcc4e89a07d2892fef9346dac6c140a"
},
{
"category": "Payload delivery",
"comment": "malicious files",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616358",
"to_ids": true,
"type": "sha1",
"uuid": "584fabe6-1e18-4ab7-bea7-42b7950d210f",
"value": "ad6744c7ea5fee854261efa403ca06b68761e290"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616406",
"to_ids": true,
"type": "sha1",
"uuid": "584fac16-f83c-400f-9397-41dc950d210f",
"value": "1292c7dd60214d96a71e7705e519006b9de7968f"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616406",
"to_ids": true,
"type": "sha1",
"uuid": "584fac16-42c0-4af5-8c8d-4910950d210f",
"value": "ce549714a11bd43b52be709581c6e144957136ec"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616435",
"to_ids": false,
"type": "text",
"uuid": "584fac33-c3c0-414a-92fb-464a950d210f",
"value": "Trojan:Win32/Depriz.A!dha"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616435",
"to_ids": false,
"type": "text",
"uuid": "584fac33-7be4-4f0b-b5ec-4a30950d210f",
"value": "Trojan:Win32/Depriz.B!dha"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616435",
"to_ids": false,
"type": "text",
"uuid": "584fac33-da00-4a71-92d7-4a09950d210f",
"value": "Trojan:Win32/Depriz.C!dha"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616435",
"to_ids": false,
"type": "text",
"uuid": "584fac33-885c-41cd-84f8-4eee950d210f",
"value": "Trojan:Win32/Depriz.D!dha"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers - Xchecked via VT: ce549714a11bd43b52be709581c6e144957136ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616512",
"to_ids": true,
"type": "sha256",
"uuid": "584fac80-e698-4685-8173-48f702de0b81",
"value": "4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers - Xchecked via VT: ce549714a11bd43b52be709581c6e144957136ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616512",
"to_ids": true,
"type": "md5",
"uuid": "584fac80-fa70-4953-a8a3-46f802de0b81",
"value": "1493d342e7a36553c56b2adea150949e"
},
{
"category": "External analysis",
"comment": "legitimate RawDisk drivers - Xchecked via VT: ce549714a11bd43b52be709581c6e144957136ec",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616513",
"to_ids": false,
"type": "link",
"uuid": "584fac81-86d8-44f1-be73-459502de0b81",
"value": "https://www.virustotal.com/file/4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6/analysis/1481093448/"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers - Xchecked via VT: 1292c7dd60214d96a71e7705e519006b9de7968f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616513",
"to_ids": true,
"type": "sha256",
"uuid": "584fac81-38f0-460c-84b9-48d502de0b81",
"value": "5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a"
},
{
"category": "Payload delivery",
"comment": "legitimate RawDisk drivers - Xchecked via VT: 1292c7dd60214d96a71e7705e519006b9de7968f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616513",
"to_ids": true,
"type": "md5",
"uuid": "584fac81-8a88-4819-8385-454302de0b81",
"value": "76c643ab29d497317085e5db8c799960"
},
{
"category": "External analysis",
"comment": "legitimate RawDisk drivers - Xchecked via VT: 1292c7dd60214d96a71e7705e519006b9de7968f",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616513",
"to_ids": false,
"type": "link",
"uuid": "584fac81-05fc-42e5-ba7d-4dbd02de0b81",
"value": "https://www.virustotal.com/file/5a826b4fa10891cf63aae832fc645ce680a483b915c608ca26cedbb173b1b80a/analysis/1480997926/"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: ad6744c7ea5fee854261efa403ca06b68761e290",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616514",
"to_ids": true,
"type": "sha256",
"uuid": "584fac82-d864-4f8b-a64e-46ff02de0b81",
"value": "128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: ad6744c7ea5fee854261efa403ca06b68761e290",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616514",
"to_ids": true,
"type": "md5",
"uuid": "584fac82-2588-445b-a0d1-4d1502de0b81",
"value": "2cd0a5f1e9bcce6807e57ec8477d222a"
},
{
"category": "External analysis",
"comment": "malicious files - Xchecked via VT: ad6744c7ea5fee854261efa403ca06b68761e290",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616514",
"to_ids": false,
"type": "link",
"uuid": "584fac82-d674-48f2-ba3a-40d902de0b81",
"value": "https://www.virustotal.com/file/128fa5815c6fee68463b18051c1a1ccdf28c599ce321691686b1efa4838a2acd/analysis/1481237179/"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: 425f02028dcc4e89a07d2892fef9346dac6c140a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616514",
"to_ids": true,
"type": "sha256",
"uuid": "584fac82-0bb4-4614-a42a-445b02de0b81",
"value": "c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: 425f02028dcc4e89a07d2892fef9346dac6c140a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616515",
"to_ids": true,
"type": "md5",
"uuid": "584fac83-0cd0-4fb9-979e-4e7502de0b81",
"value": "c843046e54b755ec63ccb09d0a689674"
},
{
"category": "External analysis",
"comment": "malicious files - Xchecked via VT: 425f02028dcc4e89a07d2892fef9346dac6c140a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616515",
"to_ids": false,
"type": "link",
"uuid": "584fac83-e384-44ab-8511-432d02de0b81",
"value": "https://www.virustotal.com/file/c7fc1f9c2bed748b50a599ee2fa609eb7c9ddaeb9cd16633ba0d10cf66891d8a/analysis/1480864286/"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: a2669df6f7615d317f610f731b6a2129fbed4203",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616515",
"to_ids": true,
"type": "sha256",
"uuid": "584fac83-5ef8-402e-ba66-4e0d02de0b81",
"value": "448ad1bc06ea26f4709159f72ed70ca199ff2176182619afa03435d38cd53237"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: a2669df6f7615d317f610f731b6a2129fbed4203",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616515",
"to_ids": true,
"type": "md5",
"uuid": "584fac83-3544-4270-9883-4ea502de0b81",
"value": "5289f4b806bbd7893fbda3ce4025683e"
},
{
"category": "External analysis",
"comment": "malicious files - Xchecked via VT: a2669df6f7615d317f610f731b6a2129fbed4203",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616516",
"to_ids": false,
"type": "link",
"uuid": "584fac84-3308-4c86-b2e5-40e602de0b81",
"value": "https://www.virustotal.com/file/448ad1bc06ea26f4709159f72ed70ca199ff2176182619afa03435d38cd53237/analysis/1481042001/"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: e7c7f41babdb279c099526ece03ede9076edca4e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616516",
"to_ids": true,
"type": "sha256",
"uuid": "584fac84-4a9c-442c-8fe1-4b8402de0b81",
"value": "394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: e7c7f41babdb279c099526ece03ede9076edca4e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616516",
"to_ids": true,
"type": "md5",
"uuid": "584fac84-4b0c-4ffc-8888-4a8a02de0b81",
"value": "5446f46d89124462ae7aca4fce420423"
},
{
"category": "External analysis",
"comment": "malicious files - Xchecked via VT: e7c7f41babdb279c099526ece03ede9076edca4e",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616516",
"to_ids": false,
"type": "link",
"uuid": "584fac84-032c-4ca0-924d-450602de0b81",
"value": "https://www.virustotal.com/file/394a7ebad5dfc13d6c75945a61063470dc3b68f7a207613b79ef000e1990909b/analysis/1481303798/"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: 5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616517",
"to_ids": true,
"type": "sha256",
"uuid": "584fac85-ad2c-42d1-890e-4f6202de0b81",
"value": "47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34"
},
{
"category": "Payload delivery",
"comment": "malicious files - Xchecked via VT: 5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616517",
"to_ids": true,
"type": "md5",
"uuid": "584fac85-01f4-4220-887d-438f02de0b81",
"value": "8fbe990c2d493f58a2afa2b746e49c86"
},
{
"category": "External analysis",
"comment": "malicious files - Xchecked via VT: 5c52253b0a2741c4c2e3f1f9a2f82114a254c8d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1481616517",
"to_ids": false,
"type": "link",
"uuid": "584fac85-5e84-4d1b-b431-4f6902de0b81",
"value": "https://www.virustotal.com/file/47bb36cd2832a18b5ae951cf5a7d44fba6d8f5dca0a372392d40f51d1fe1ac34/analysis/1481303775/"
}
]
}
} |