363 lines
No EOL
12 KiB
JSON
363 lines
No EOL
12 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2019-05-09",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site.",
|
|
"publish_timestamp": "1557415440",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1557415377",
|
|
"uuid": "5cd4446a-b318-40d6-8120-473a950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": false,
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Unconditional client-side exploitation/Injected Website/Driveby - T1372\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5cd444bb-5100-4607-ab39-4e98950d210f",
|
|
"value": "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5cd444bb-b15c-4760-b152-4fda950d210f",
|
|
"value": "41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1557415149",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5cd444ed-5814-49ff-a3f9-466a950d210f",
|
|
"value": "lifopp-sacoho.com"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1557415108",
|
|
"uuid": "9bc5279d-fa53-4c2f-92f1-9aac47fe4658",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "9bc5279d-fa53-4c2f-92f1-9aac47fe4658",
|
|
"referenced_uuid": "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1557415108",
|
|
"uuid": "5cd444c4-dc64-44bb-b6bc-45ec950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "74f7c0dd-c91b-40c0-8f79-2a166f238326",
|
|
"value": "3590c4b2cfa63655dc14bef32659f675"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "62f22eb0-6df4-4280-8141-68c00d1b25d8",
|
|
"value": "5b0825a4436e4908501667e1cfa91e9e39e82302"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "1876d114-6aff-4578-bdb3-fb33a4177b40",
|
|
"value": "4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1557415108",
|
|
"uuid": "b6903b23-45ff-4d75-ab0d-ebc19a94a7e6",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "9268cd71-c418-4b6c-8ae7-b2755788dedc",
|
|
"value": "2019-05-08T10:03:22"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "fea2b397-1408-4777-ab45-308963ac7d8b",
|
|
"value": "https://www.virustotal.com/file/4090224f97db5601e5b293f81ec6fe28f86d7e3d8f4592f6b9d0765831e2c966/analysis/1557309802/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "584d4279-982a-4ca3-bedf-933dd6a5b6bb",
|
|
"value": "31/72"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "15",
|
|
"timestamp": "1557415108",
|
|
"uuid": "2ec00d74-5d8a-4db5-9d43-1845fcfd8917",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "2ec00d74-5d8a-4db5-9d43-1845fcfd8917",
|
|
"referenced_uuid": "b6b594cd-778d-4c19-a1e8-b04a78d6154d",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1557415108",
|
|
"uuid": "5cd444c4-2080-4e51-8579-47de950d210f"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "81add71e-e549-4b98-9afe-695b617f0642",
|
|
"value": "0211036d4f551610892d3da2f2377b95"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "addec366-d1b1-446f-ba62-24d6bcfbb96f",
|
|
"value": "b4f5d93b0eb93812018646f6b358da9592ae6499"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1557415099",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "3dc10670-ea31-4e41-984c-2bd669198b13",
|
|
"value": "41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1557415108",
|
|
"uuid": "b6b594cd-778d-4c19-a1e8-b04a78d6154d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "a6d53689-a303-42fe-8c7f-def94d11e653",
|
|
"value": "2019-05-07T11:36:35"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "eceb9e59-eff8-433b-8169-b854da49308d",
|
|
"value": "https://www.virustotal.com/file/41c82089de60c0a2fe9a51d0f8f919261d0e73cf1da0d61b835194c177787b4e/analysis/1557228995/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1557415099",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "05cda147-431f-4496-807b-50aa24c3c031",
|
|
"value": "14/56"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
|
|
"meta-category": "misc",
|
|
"name": "microblog",
|
|
"template_uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
|
|
"template_version": "5",
|
|
"timestamp": "1557415316",
|
|
"uuid": "5cd44594-ead8-4e11-8ccb-4a0e950d210f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "post",
|
|
"timestamp": "1557415317",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5cd44595-8944-400e-b668-4629950d210f",
|
|
"value": "keepass(dot)com spreading malware acting as the official site for KeePass password manager. Download for .dmg and .exe files are available on the site. @malwrhunterteam"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "type",
|
|
"timestamp": "1557415317",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5cd44595-c004-4e7e-83c1-442b950d210f",
|
|
"value": "Twitter"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "url",
|
|
"timestamp": "1557415317",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "5cd44595-d14c-4a3d-bb69-4f53950d210f",
|
|
"value": "https://twitter.com/berkcgoksel/status/1125727590440931329"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "username",
|
|
"timestamp": "1557415317",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5cd44595-720c-4b7b-9eb2-42a8950d210f",
|
|
"value": "berkcgoksel"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |