event-stream MISP json
{ | |
"response": [ | |
{ | |
"Event": { | |
"id": "12274", | |
"orgc_id": "2", | |
"org_id": "2", | |
"date": "2018-11-26", | |
"threat_level_id": "3", | |
"info": "OSINT - `event-stream` dependency attack steals wallets from users of copay", | |
"published": true, | |
"uuid": "5bfc6891-b838-44fe-bc17-16b702de0b81", | |
"attribute_count": "12", | |
"analysis": "2", | |
"timestamp": "1543270394", | |
"distribution": "3", | |
"proposal_email_lock": false, | |
"locked": false, | |
"publish_timestamp": "1543270402", | |
"sharing_group_id": "0", | |
"disable_correlation": false, | |
"extends_uuid": "", | |
"event_creator_email": "alexandre.dulaunoy@circl.lu", | |
"Org": { | |
"id": "2", | |
"name": "CIRCL", | |
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" | |
}, | |
"Orgc": { | |
"id": "2", | |
"name": "CIRCL", | |
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" | |
}, | |
"Attribute": [ | |
{ | |
"id": "1350412", | |
"type": "link", | |
"category": "External analysis", | |
"to_ids": false, | |
"uuid": "5bfc68a3-19e0-4f70-81d4-48d502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268515", | |
"comment": "", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "https://github.com/bitpay/copay/issues/9346#issuecomment-441749542", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350413", | |
"type": "domain", | |
"category": "Network activity", | |
"to_ids": true, | |
"uuid": "5bfc68be-0b50-47a2-a33e-16c502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268542", | |
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "copayapi.host", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350414", | |
"type": "ip-dst", | |
"category": "Network activity", | |
"to_ids": true, | |
"uuid": "5bfc68bf-51a0-4f93-84ff-16c502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268543", | |
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "51.38.112.212", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350415", | |
"type": "ip-dst", | |
"category": "Network activity", | |
"to_ids": true, | |
"uuid": "5bfc68bf-4798-421d-b09f-16c502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268543", | |
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "145.249.104.239", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350416", | |
"type": "ip-dst", | |
"category": "Network activity", | |
"to_ids": true, | |
"uuid": "5bfc68c0-af3c-4165-8243-16c502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268544", | |
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "111.90.151.134", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350417", | |
"type": "dns-soa-email", | |
"category": "Attribution", | |
"to_ids": true, | |
"uuid": "5bfc68ef-2698-4780-b1f5-45c902de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268846", | |
"comment": "copayapi.host's SOA record indicates the domain registrant's email address is \"kvlguuvh@sharklasers.co\" (very likely a throwaway email address).", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "kvlguuvh@sharklasers.co", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350418", | |
"type": "github-username", | |
"category": "Social network", | |
"to_ids": false, | |
"uuid": "5bfc691b-da14-4228-997c-40e802de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268635", | |
"comment": "The GitHub account of the event-stream hijacker: https://github.com/right9ctrl (email address right9ctrl@outlook.com)", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "right9ctrl", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350419", | |
"type": "url", | |
"category": "Network activity", | |
"to_ids": false, | |
"uuid": "5bfc696a-2a8c-4e1d-9f1c-4ef902de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268714", | |
"comment": "The NPM account of the event-stream hijacker: https://www.npmjs.com/~right9ctrlh", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "https://www.npmjs.com/~right9ctrl", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350420", | |
"type": "url", | |
"category": "Network activity", | |
"to_ids": false, | |
"uuid": "5bfc697d-ab8c-4a6b-9083-453702de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268733", | |
"comment": "The GitHub repo for the malicious flat-map package: https://github.com/hugeglass/flatmap-stream", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "https://github.com/hugeglass/flatmap-stream", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350421", | |
"type": "url", | |
"category": "Network activity", | |
"to_ids": false, | |
"uuid": "5bfc6990-28ec-4517-a397-4b8502de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268752", | |
"comment": "", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "https://www.npmjs.com/~hugeglass", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350422", | |
"type": "link", | |
"category": "External analysis", | |
"to_ids": false, | |
"uuid": "5bfc69b5-bd34-40c5-a2da-42e202de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268789", | |
"comment": "", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "https://github.com/dominictarr/event-stream/issues/116", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
}, | |
{ | |
"id": "1350423", | |
"type": "whois-registrant-email", | |
"category": "Attribution", | |
"to_ids": false, | |
"uuid": "5bfc69de-2090-455c-8b3c-45b102de0b81", | |
"event_id": "12274", | |
"distribution": "5", | |
"timestamp": "1543268830", | |
"comment": "", | |
"sharing_group_id": "0", | |
"deleted": false, | |
"disable_correlation": false, | |
"object_id": "0", | |
"object_relation": null, | |
"value": "right9ctrl@outlook.com", | |
"Galaxy": [], | |
"ShadowAttribute": [] | |
} | |
], | |
"ShadowAttribute": [], | |
"RelatedEvent": [ | |
{ | |
"Event": { | |
"id": "12271", | |
"date": "2018-11-26", | |
"threat_level_id": "3", | |
"info": "`event-stream` (npm module) dependency attack steals wallets from users of copay", | |
"published": true, | |
"uuid": "5bfc4548-dcac-400e-8a6d-4b5402de0b81", | |
"analysis": "0", | |
"timestamp": "1543260078", | |
"distribution": "3", | |
"org_id": "695", | |
"orgc_id": "204", | |
"Org": { | |
"id": "695", | |
"name": "EATM-CERT", | |
"uuid": "593fe562-cb44-433b-b036-4ee5c0a80104" | |
}, | |
"Orgc": { | |
"id": "204", | |
"name": "CERT-BUND", | |
"uuid": "56a64d7a-63dc-4471-bce9-4accc25ed029" | |
} | |
} | |
} | |
], | |
"Galaxy": [], | |
"Object": [], | |
"Tag": [ | |
{ | |
"id": "2", | |
"name": "tlp:white", | |
"colour": "#ffffff", | |
"exportable": true, | |
"hide_tag": false, | |
"user_id": "0", | |
"numerical_value": null | |
}, | |
{ | |
"id": "2912", | |
"name": "ecsirt:intrusions=\"application-compromise\"", | |
"colour": "#00a0a0", | |
"exportable": true, | |
"hide_tag": false, | |
"user_id": "0", | |
"numerical_value": null | |
}, | |
{ | |
"id": "3323", | |
"name": "estimative-language:confidence-in-analytic-judgment=\"high\"", | |
"colour": "#0029ff", | |
"exportable": true, | |
"hide_tag": false, | |
"user_id": "0", | |
"numerical_value": null | |
}, | |
{ | |
"id": "247", | |
"name": "estimative-language:likelihood-probability=\"almost-certain\"", | |
"colour": "#0029ff", | |
"exportable": true, | |
"hide_tag": false, | |
"user_id": "0", | |
"numerical_value": null | |
} | |
] | |
} | |
} | |
] | |
} |