415 lines
No EOL
16 KiB
JSON
415 lines
No EOL
16 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-04-11",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler",
|
|
"publish_timestamp": "1491939455",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1491939061",
|
|
"uuid": "58ed2c42-04f0-44b7-baa4-9f1f02de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491939040",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "58ed2c51-35cc-45dc-9afe-4c0102de0b81",
|
|
"value": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\r\n\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.\r\n\r\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491939039",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81",
|
|
"value": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"name": "osint:source-type=\"blog-post\""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2caa-a484-459e-ab44-446802de0b81",
|
|
"value": "c10dabb05a38edd8a9a0ddda1c9af10e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "template.doc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2cab-1eec-4d47-8efe-455502de0b81",
|
|
"value": "9dec125f006f787a3f8ad464d480eed1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "copy.jpg/winword.exe",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2cac-fc8c-49d8-a0e3-47f302de0b81",
|
|
"value": "acde6fb59ed431000107c8e8ca1b7266"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "docu.doc/document.doc",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2cad-febc-4229-b7bd-430f02de0b81",
|
|
"value": "e01982913fbc22188b83f5f9fadc1c17"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": false,
|
|
"type": "vulnerability",
|
|
"uuid": "58ed2cbc-9e64-4851-9097-475802de0b81",
|
|
"value": "CVE-2017-0199"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "hire_form.doc Malicious document",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d51-5fec-442b-a196-41dd02de0b81",
|
|
"value": "5ebfd13250dd0408e3de594e419f9e01"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "template.doc/template[?].hta Malicious HTA file",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d52-d5d0-4238-ad25-496502de0b81",
|
|
"value": "fb475f0d8c8e9bf1bc360211179d8a28"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "ww.vbs/maintenance.vbs Stage two VBScript",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d53-d174-406f-9e97-438e02de0b81",
|
|
"value": "984658e34e634d56423797858a711846"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "questions.doc/document.doc Decoy document",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d54-b650-421e-a53e-435c02de0b81",
|
|
"value": "73bf8647920eacc7cc377b3602a7ee7a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "eoobvfwiglhiliqougukgm.js Malicious script",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d55-aaa0-4f29-86dd-494402de0b81",
|
|
"value": "11fb87888bbb4dcea4891ab856ac1c52"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Final payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d56-1cfc-43ee-af58-4f2602de0b81",
|
|
"value": "a1faa23a3ef8cef372f5f74aed82d2de"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "58ed2d57-db7c-4112-bec8-4f4602de0b81",
|
|
"value": "15e51cdbd938545c9af47806984b1667"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "58ed2da6-63f4-4aed-8cd0-41e802de0b81",
|
|
"value": "http://www.modani.com/media/wysiwyg/ww.vbs"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "58ed2dbf-5660-4fd9-a6ba-4bc502de0b81",
|
|
"value": "http://www.modani.com/media/wysiwyg/wood.exe"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "variant then connects to the following command and control (C2) server",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "58ed2de5-2bd0-4a4d-959c-45df02de0b81",
|
|
"value": "217.12.203.90"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "The initial stage reached out to the following URL to download the stage one malicious HTA file:",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "url",
|
|
"uuid": "58ed2e50-6ad8-4998-9917-4d0402de0b81",
|
|
"value": "http://95.141.38.110/mo/dnr/tmp/template.doc"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Malicious HTA",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938958",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "58ed2e69-fcc8-4231-96c5-4dc602de0b81",
|
|
"value": "95.141.38.110"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938977",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58ed2ea1-de84-4fd8-83e4-427602de0b81",
|
|
"value": "169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938978",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58ed2ea2-1270-450c-b73a-498a02de0b81",
|
|
"value": "ea434604b3de06110de582a9c003c2b60368b33e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938979",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2ea3-9304-4143-ba8c-478902de0b81",
|
|
"value": "https://www.virustotal.com/file/169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18/analysis/1491819886/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938980",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58ed2ea4-f158-4709-9f95-497702de0b81",
|
|
"value": "3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938981",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58ed2ea5-cb4c-4612-8f43-436702de0b81",
|
|
"value": "3bb5af725d63a18a306506b3ebd12aed820e00eb"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938983",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2ea7-ad1c-40b8-b755-485a02de0b81",
|
|
"value": "https://www.virustotal.com/file/3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828/analysis/1491935832/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938984",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81",
|
|
"value": "13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938985",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58ed2ea9-d300-445f-a127-4bed02de0b81",
|
|
"value": "0f3b135fd9eb3c6befbeb69f418ac182aeb56557"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938986",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2eaa-7fa4-4ab8-a120-45bd02de0b81",
|
|
"value": "https://www.virustotal.com/file/13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575/analysis/1491931544/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938987",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58ed2eab-5f60-4ec0-ad19-4c4702de0b81",
|
|
"value": "01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938988",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58ed2eac-4b60-492d-82b1-45be02de0b81",
|
|
"value": "fa504cb04ea83ecf1d360062fe612aba5e678f68"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938990",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2eae-944c-443c-a126-421302de0b81",
|
|
"value": "https://www.virustotal.com/file/01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a/analysis/1491867682/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938990",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "58ed2eae-b31c-4009-ac2d-4be002de0b81",
|
|
"value": "f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938991",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "58ed2eaf-af18-47b9-8151-44ea02de0b81",
|
|
"value": "9aed05edab5d0200eb509ed22c8c30f19652814c"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "\u00d0\u00a1\u00d0\u0178\u00d0\u00a3\u00d0\u00a2\u00d0\u009d\u00d0\u02dc\u00d0\u0161 \u00d0\u00a0\u00d0\u0090\u00d0\u2014\u00d0\u2019\u00d0\u2022\u00d0\u201d\u00d0\u00a7\u00d0\u02dc\u00d0\u0161\u00d0\u0090.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1491938992",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "58ed2eb0-2948-4c1f-9107-4f8002de0b81",
|
|
"value": "https://www.virustotal.com/file/f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66/analysis/1491801507/"
|
|
}
|
|
]
|
|
}
|
|
} |