event-stream MISP json
{
"response": [
{
"Event": {
"id": "12274",
"orgc_id": "2",
"org_id": "2",
"date": "2018-11-26",
"threat_level_id": "3",
"info": "OSINT - `event-stream` dependency attack steals wallets from users of copay",
"published": true,
"uuid": "5bfc6891-b838-44fe-bc17-16b702de0b81",
"attribute_count": "12",
"analysis": "2",
"timestamp": "1543270394",
"distribution": "3",
"proposal_email_lock": false,
"locked": false,
"publish_timestamp": "1543270402",
"sharing_group_id": "0",
"disable_correlation": false,
"extends_uuid": "",
"event_creator_email": "alexandre.dulaunoy@circl.lu",
"Org": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Orgc": {
"id": "2",
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Attribute": [
{
"id": "1350412",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5bfc68a3-19e0-4f70-81d4-48d502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268515",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https://github.com/bitpay/copay/issues/9346#issuecomment-441749542",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350413",
"type": "domain",
"category": "Network activity",
"to_ids": true,
"uuid": "5bfc68be-0b50-47a2-a33e-16c502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268542",
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "copayapi.host",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350414",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5bfc68bf-51a0-4f93-84ff-16c502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268543",
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "51.38.112.212",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350415",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5bfc68bf-4798-421d-b09f-16c502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268543",
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "145.249.104.239",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350416",
"type": "ip-dst",
"category": "Network activity",
"to_ids": true,
"uuid": "5bfc68c0-af3c-4165-8243-16c502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268544",
"comment": "\"HTTP POST traffic on port 8080 to copayapi.host (which currently resolves to 51.38.112.212 and previously resolved to 145.249.104.239) or 111.90.151.134 indicates compromised and exfiltrated wallet private keys.\"",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "111.90.151.134",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350417",
"type": "dns-soa-email",
"category": "Attribution",
"to_ids": true,
"uuid": "5bfc68ef-2698-4780-b1f5-45c902de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268846",
"comment": "copayapi.host's SOA record indicates the domain registrant's email address is \"kvlguuvh@sharklasers.co\" (very likely a throwaway email address).",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "kvlguuvh@sharklasers.co",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350418",
"type": "github-username",
"category": "Social network",
"to_ids": false,
"uuid": "5bfc691b-da14-4228-997c-40e802de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268635",
"comment": "The GitHub account of the event-stream hijacker: https://github.com/right9ctrl (email address right9ctrl@outlook.com)",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "right9ctrl",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350419",
"type": "url",
"category": "Network activity",
"to_ids": false,
"uuid": "5bfc696a-2a8c-4e1d-9f1c-4ef902de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268714",
"comment": "The NPM account of the event-stream hijacker: https://www.npmjs.com/~right9ctrl",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https://www.npmjs.com/~right9ctrl",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350420",
"type": "url",
"category": "Network activity",
"to_ids": false,
"uuid": "5bfc697d-ab8c-4a6b-9083-453702de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268733",
"comment": "The GitHub repo for the malicious flatmap-stream package: https://github.com/hugeglass/flatmap-stream",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https://github.com/hugeglass/flatmap-stream",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350421",
"type": "url",
"category": "Network activity",
"to_ids": false,
"uuid": "5bfc6990-28ec-4517-a397-4b8502de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268752",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https://www.npmjs.com/~hugeglass",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350422",
"type": "link",
"category": "External analysis",
"to_ids": false,
"uuid": "5bfc69b5-bd34-40c5-a2da-42e202de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268789",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "https://github.com/dominictarr/event-stream/issues/116",
"Galaxy": [],
"ShadowAttribute": []
},
{
"id": "1350423",
"type": "whois-registrant-email",
"category": "Attribution",
"to_ids": false,
"uuid": "5bfc69de-2090-455c-8b3c-45b102de0b81",
"event_id": "12274",
"distribution": "5",
"timestamp": "1543268830",
"comment": "",
"sharing_group_id": "0",
"deleted": false,
"disable_correlation": false,
"object_id": "0",
"object_relation": null,
"value": "right9ctrl@outlook.com",
"Galaxy": [],
"ShadowAttribute": []
}
],
"ShadowAttribute": [],
"RelatedEvent": [
{
"Event": {
"id": "12271",
"date": "2018-11-26",
"threat_level_id": "3",
"info": "`event-stream` (npm module) dependency attack steals wallets from users of copay",
"published": true,
"uuid": "5bfc4548-dcac-400e-8a6d-4b5402de0b81",
"analysis": "0",
"timestamp": "1543260078",
"distribution": "3",
"org_id": "695",
"orgc_id": "204",
"Org": {
"id": "695",
"name": "EATM-CERT",
"uuid": "593fe562-cb44-433b-b036-4ee5c0a80104"
},
"Orgc": {
"id": "204",
"name": "CERT-BUND",
"uuid": "56a64d7a-63dc-4471-bce9-4accc25ed029"
}
}
}
],
"Galaxy": [],
"Object": [],
"Tag": [
{
"id": "2",
"name": "tlp:white",
"colour": "#ffffff",
"exportable": true,
"hide_tag": false,
"user_id": "0",
"numerical_value": null
},
{
"id": "2912",
"name": "ecsirt:intrusions=\"application-compromise\"",
"colour": "#00a0a0",
"exportable": true,
"hide_tag": false,
"user_id": "0",
"numerical_value": null
},
{
"id": "3323",
"name": "estimative-language:confidence-in-analytic-judgment=\"high\"",
"colour": "#0029ff",
"exportable": true,
"hide_tag": false,
"user_id": "0",
"numerical_value": null
},
{
"id": "247",
"name": "estimative-language:likelihood-probability=\"almost-certain\"",
"colour": "#0029ff",
"exportable": true,
"hide_tag": false,
"user_id": "0",
"numerical_value": null
}
]
}
}
]
}