misp-circl-feed/feeds/circl/misp/5c3c4a6d-15f0-4133-baff-3c2c68f8e8cf.json

176 lines
6.4 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "0",
"date": "2019-01-14",
"extends_uuid": "",
"info": "2019-01-10: North Korea Lazarus Targeting REDBANC",
"publish_timestamp": "1547585139",
"published": true,
"threat_level_id": "2",
"timestamp": "1547585075",
"uuid": "5c3c4a6d-15f0-4133-baff-3c2c68f8e8cf",
"Orgc": {
"name": "VK-Intel",
"uuid": "5bfa439e-c978-4dcd-b474-73f568f8e8cf"
},
"Tag": [
{
"colour": "#e0b538",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "Actor: Lazarus",
"relationship_type": ""
},
{
"colour": "#421b85",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "Ruse: Job Application",
"relationship_type": ""
},
{
"colour": "#2133c6",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "Powershell",
"relationship_type": ""
},
{
"colour": "#7a0e9f",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "PowerRatankba",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Trusted Relationship - T1199\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scripting - T1064\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Scheduled Task - T1053\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Windows Management Instrumentation - T1047\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"New Service - T1050\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data from Local System - T1005\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Exfiltration Over Command and Control Channel - T1041\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Data Encoding - T1132\"",
"relationship_type": ""
},
{
"colour": "#8aec22",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "report:5ZvWjgDgRhuD1zVgDT7-cg",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "Malware Hash",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547455129",
"to_ids": true,
"type": "sha256",
"uuid": "5c3c4a99-8830-4833-81d5-3c3068f8e8cf",
"value": "f12db45c32bda3108adb8ae7363c342fdd5f10342945b115d830701f95c54fa9"
},
{
"category": "Payload installation",
"comment": "Malware Hash",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547455129",
"to_ids": true,
"type": "sha256",
"uuid": "5c3c4a99-9a68-4e6c-a9a4-3c3068f8e8cf",
"value": "0f56ebca33efe0a2755d3b380167e1f5eab4e6180518c03b28d5cffd5b675d26"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547477647",
"to_ids": true,
"type": "url",
"uuid": "5c3ca28f-cb88-44d1-a7ce-382d68f8e8cf",
"value": "https://ecombox.store"
},
{
"category": "Payload installation",
"comment": "apt_possible_lazarus_powerratankba_b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547479055",
"to_ids": true,
"type": "yara",
"uuid": "5c3ca80f-b398-47e5-b633-124a0a640c05",
"value": "rule apt_possible_lazarus_powerratankba_b {\r\n meta:\r\n description = \"Detects possible Lazarus PowerRatankba.B from Redbanc\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-15\"\r\n hash1 = \"db8163d054a35522d0dec35743cfd2c9872e0eb446467b573a79f84d61761471\"\r\n strings:\r\n $f0 = \"function EncryptDES\" fullword ascii\r\n $s0 = \"$ProID = Start-Process powershell.exe -PassThru -WindowStyle Hidden -ArgumentList\" fullword ascii\r\n $s1 = \"$respTxt = HttpRequestFunc_doprocess -szURI $szFullURL -szMethod $szMethod -contentData $contentData;\" fullword ascii\r\n $s2 = \"$cmdSchedule = 'schtasks /create /tn \\\"ProxyServerUpdater\\\"\" ascii\r\n $s3 = \"/tr \\\"powershell.exe -ep bypass -windowstyle hidden -file \" ascii\r\n $s4 = \"C:\\\\\\\\Users\\\\\\\\Public\\\\\\\\Documents\\\\\\\\tmp' + -join \" ascii\r\n $s5 = \"$cmdResult = cmd.exe /c $cmdInst | Out-String;\" fullword ascii\r\n $s6 = \"whoami /groups | findstr /c:\\\"S-1-5-32-544\\\"\" fullword ascii\r\n condition:\r\n filesize < 500KB and $f0 and 2 of ($s*) \r\n}"
},
{
"category": "Payload installation",
"comment": "Powershell Agent & PowerRatankba",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493833",
"to_ids": true,
"type": "sha256",
"uuid": "5c3ce1c9-39e4-4b59-90e4-5a350a640c05",
"value": "a1f06d69bd6379e310b10a364d689f21499953fa1118ec699a25072779de5d9b"
},
{
"category": "Payload installation",
"comment": "Powershell Agent & PowerRatankba",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493833",
"to_ids": true,
"type": "sha256",
"uuid": "5c3ce1c9-4d80-470f-9cfc-5a350a640c05",
"value": "20d94f7d8ee2c4367443a930370d5685789762b1d11794810dc0ac6c626ad78e"
},
{
"category": "Network activity",
"comment": "URL C2 backup",
"deleted": false,
"disable_correlation": false,
"timestamp": "1547493895",
"to_ids": true,
"type": "url",
"uuid": "5c3ce207-b7f0-468f-8e5a-5a330a640c05",
"value": "https://bodyshoppechiropractic.com"
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}