misp-circl-feed/feeds/circl/misp/586f5fb9-2678-4fe5-a14e-45e5950d210f.json

122 lines
4.3 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2017-01-06",
"extends_uuid": "",
"info": "OSINT - Exposing an AV-Disabling Driver Just in Time for Lunch",
"publish_timestamp": "1483713519",
"published": true,
"threat_level_id": "3",
"timestamp": "1483697574",
"uuid": "586f5fb9-2678-4fe5-a14e-45e5950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#770095",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "ms-caro-malware:malware-platform=\"Win32\"",
"relationship_type": ""
},
{
"colour": "#006262",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "ecsirt:malicious-code=\"malware\"",
"relationship_type": ""
},
{
"colour": "#3a7300",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "circl:incident-classification=\"malware\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695096",
"to_ids": false,
"type": "link",
"uuid": "586f63f8-d83c-4ff1-8e7b-4db8950d210f",
"value": "https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695136",
"to_ids": false,
"type": "comment",
"uuid": "586f6420-21b0-4760-b9b3-24ba950d210f",
"value": "Disable AV, Reload Without Resistance\r\n\r\nWe also noticed that the malware using this driver causes the system to reboot after installing the driver. This causes the targeted AV software not to be loaded after the system restores, enabling the malware to execute without disturbance.\r\n\r\nThe driver performs this action because the user-mode code can\u00e2\u20ac\u2122t overwrite AV registry data; it employs self-protections to prevent exactly that. However, when executed by a driver, which can carry out more actions on a deeper privilege level, it is much harder to prevent such actions."
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695145",
"to_ids": true,
"type": "md5",
"uuid": "586f6429-c9a0-4a3d-9206-4a49950d210f",
"value": "48b872f91f1ff3f96594bf480ebf3dcc"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 48b872f91f1ff3f96594bf480ebf3dcc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695186",
"to_ids": true,
"type": "sha256",
"uuid": "586f6452-0abc-4a68-8607-4fcf02de0b81",
"value": "1613f863490f5b28f85483d5eedde68899f1c71d048973e0786f51c4427112be"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: 48b872f91f1ff3f96594bf480ebf3dcc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695186",
"to_ids": true,
"type": "sha1",
"uuid": "586f6452-8f80-4dd7-9b5f-459402de0b81",
"value": "822004b4b09c92acc4a281a17e0cab175d90dca6"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: 48b872f91f1ff3f96594bf480ebf3dcc",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695187",
"to_ids": false,
"type": "link",
"uuid": "586f6453-114c-43c1-a501-423502de0b81",
"value": "https://www.virustotal.com/file/1613f863490f5b28f85483d5eedde68899f1c71d048973e0786f51c4427112be/analysis/1483620148/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1483695427",
"to_ids": false,
"type": "link",
"uuid": "586f6543-3660-443d-a1e7-489b950d210f",
"value": "https://twitter.com/LiorKesh/status/816653825738211328"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}