{ "type": "Domain", "indicator": "parmanpower.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/parmanpower.com", "alexa": "http://www.alexa.com/siteinfo/parmanpower.com", "indicator": "parmanpower.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 728340, "indicator": "parmanpower.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 1, "pulses": [ { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Ajax Security Team" ], "malware_families": [ "Bkdr_ghole.b.", "Hoffman", "Ishak", "Tspy_woolerg.a.", "Detected gholee", "Rocket kitten", "Flying kitten", "Ghole" ], "industries": [ "Defense", "Aerospace", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 1, "pulses": [ { "id": "632349065aa657208658ea7f", "name": "Ajax Security Team | MITRE ATT&CK Group ID: G0130", "description": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 Ajax Security Team transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.", "modified": "2022-10-15T12:01:33.826000", "created": "2022-09-15T15:47:18.656000", "tags": [ "actor/ajaxsecurityteam" ], "references": [ "https://attack.mitre.org/groups/G0130/", "https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs", "https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/", "https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/" ], "public": 1, "adversary": "Ajax Security Team", "targeted_countries": [ "United States of America", "Israel", "Iran, Islamic Republic of", "Russian Federation", "Syrian Arab Republic" ], "malware_families": [ { "id": "Flying Kitten", "display_name": "Flying Kitten", "target": null }, { "id": "Ishak", "display_name": "Ishak", "target": null }, { "id": "GHOLE", "display_name": "GHOLE", "target": null }, { "id": "TSPY_WOOLERG.A.", "display_name": "TSPY_WOOLERG.A.", "target": null }, { "id": "BKDR_GHOLE.B.", "display_name": "BKDR_GHOLE.B.", "target": null }, { "id": "Detected Gholee", "display_name": "Detected Gholee", "target": null }, { "id": "Hoffman", "display_name": "Hoffman", "target": null }, { "id": "Rocket Kitten", "display_name": "Rocket Kitten", "target": null }, { "id": "GHolE", "display_name": "GHolE", "target": null } ], "attack_ids": [ { "id": "T1574", "name": "Hijack Execution Flow", "display_name": "T1574 - Hijack Execution Flow" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1070", "name": "Indicator Removal on Host", "display_name": "T1070 - Indicator Removal on Host" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1080", "name": "Taint Shared Content", "display_name": "T1080 - Taint Shared Content" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1555", "name": "Credentials from Password Stores", "display_name": "T1555 - Credentials from Password Stores" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [ "Aerospace", "Defense", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 7, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "eric.ford", "id": "42510", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_42510/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 73, "FileHash-SHA1": 69, "FileHash-SHA256": 67, "URL": 15, "domain": 54, "email": 6, "hostname": 44, "CIDR": 1, "YARA": 1 }, "indicator_count": 330, "is_author": false, "is_subscribing": null, "subscriber_count": 134, "modified_text": "1323 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "parmanpower.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "parmanpower.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780223552.5723872 }