misp-circl-feed/feeds/circl/misp/5e04e696-4e74-4be0-a8e1-4cee02de0b81.json

1128 lines
91 KiB
JSON
Raw Permalink Normal View History

2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event": {
"analysis": "2",
"date": "2019-12-26",
"extends_uuid": "",
"info": "OSINT - Let\u00e2\u20ac\u2122s play (again) with Predator the thief \u00e2\u20ac\u201c Fumik0_'s box",
"publish_timestamp": "1577379991",
"published": true,
"threat_level_id": "3",
"timestamp": "1577379958",
"uuid": "5e04e696-4e74-4be0-a8e1-4cee02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:malpedia=\"Predator The Thief\"",
"relationship_type": ""
},
{
"colour": "#004646",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#00223b",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "osint:source-type=\"blog-post\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Web Browsers - T1503\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Credential Access - T1212\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials in Files - T1081\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-attack-pattern=\"Credentials in Registry - T1214\"",
"relationship_type": ""
},
{
"colour": "#0088cc",
2024-04-05 12:15:17 +00:00
"local": false,
2023-12-14 14:30:15 +00:00
"name": "misp-galaxy:mitre-attack-pattern=\"Credential Dumping - T1003\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-a28c-4a80-98ba-4aec02de0b81",
"value": "9110e59b6c7ced21e194d37bb4fc14b2"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-aea8-4bd4-a8ca-42c502de0b81",
"value": "51e1924ac4c3f87553e9e9c712348ac8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-7690-4a4b-bd92-4fd802de0b81",
"value": "fe6125adb3cc69aa8c97ab31a0e7f5f8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-f3e4-4cf9-953d-478302de0b81",
"value": "02484e00e248da80c897e2261e65d275"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-a02c-4e88-bc60-453502de0b81",
"value": "a86f18fa2d67415ac2d576e1cd5ccad8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-e90c-47c7-999d-488702de0b81",
"value": "3861a092245655330f0f1ffec75aca67"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5e04e6ad-7c40-4b8b-997b-440302de0b81",
"value": "ed3893c96decc3aa798be93192413d28"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379521",
"to_ids": true,
"type": "domain",
"uuid": "5e04e6c1-41c8-4a8d-9072-a4f6950d210f",
"value": "cadvexmail19mn.world"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379645",
"to_ids": true,
"type": "sha256",
"uuid": "5e04e73d-f834-4bdb-b1ef-468c02de0b81",
"value": "21ebdc3a58f3d346247b2893d41c80126edabb060759af846273f9c9d0c92a9a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379645",
"to_ids": true,
"type": "sha256",
"uuid": "5e04e73d-14e0-465d-a699-482702de0b81",
"value": "6e27a2b223ef076d952aaa7c69725c831997898bebcd2d99654f4a1aa3358619"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379645",
"to_ids": true,
"type": "sha256",
"uuid": "5e04e73d-5688-42a8-94b1-4bff02de0b81",
"value": "01ef26b464faf08081fceeeb2cdff7a66ffdbd31072fe47b4eb43c219da287e8"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577379773",
"to_ids": false,
"type": "link",
"uuid": "5e04e7bd-3f00-4689-8eb0-506f02de0b81",
"value": "https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379758",
"uuid": "38108716-d461-41c6-8f58-0c2e5faa9f64",
"ObjectReference": [
{
"comment": "",
"object_uuid": "38108716-d461-41c6-8f58-0c2e5faa9f64",
"referenced_uuid": "480d06d8-d9b8-4ced-97d8-5a1dd2b938f3",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-4b98-4a60-94b5-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "4881ccb2-268b-4905-8ccc-782750882a0a",
"value": "3861a092245655330f0f1ffec75aca67"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "b7ed0944-2408-48f4-ad94-8cdbf16aba64",
"value": "ce44e7d00cf55e8bf13f5c52bfbdbe3d4603bfa1"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "41d7cd54-f11d-4c9d-ab58-39df67d985dd",
"value": "6b02aa8fc222f1f46ffcea8ac02474d8f0ef10f7d48986348da9e2ac8c519db9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379758",
"uuid": "480d06d8-d9b8-4ced-97d8-5a1dd2b938f3",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "96d5c98a-5ac5-44c2-9f1a-353b10f7a0ab",
"value": "2019-12-07T18:46:23"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "e60bda6a-dab6-444e-a401-15142aa21064",
"value": "https://www.virustotal.com/file/6b02aa8fc222f1f46ffcea8ac02474d8f0ef10f7d48986348da9e2ac8c519db9/analysis/1575744383/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "1e54635d-bec8-4e0b-93df-c8641ba189dd",
"value": "27/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379758",
"uuid": "7dd2b52a-6440-4cc6-9142-24b33b288eec",
"ObjectReference": [
{
"comment": "",
"object_uuid": "7dd2b52a-6440-4cc6-9142-24b33b288eec",
"referenced_uuid": "60e31b6e-033c-4edf-8e19-187bf909e409",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-afdc-4d6b-93b0-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "1676ee25-3d38-4f07-a4b7-0467786afae5",
"value": "fe6125adb3cc69aa8c97ab31a0e7f5f8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "d8ab56c4-0dfb-4334-abcd-8cdb10c71e42",
"value": "7cc5b92224347c6e3d695b7e67dc841210b9ad04"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "75409f8b-fe7b-4351-b705-7a8d51f5d2ec",
"value": "9166ef682132814d0286ddecfefcc4222759cb9dcf62f7014c53b6367d3d28c3"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379759",
"uuid": "60e31b6e-033c-4edf-8e19-187bf909e409",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "856067c0-03fa-47c2-b886-6e4e3210d5a6",
"value": "2019-12-20T09:59:07"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "ab78c3d0-dc09-4de4-9692-9a4dda23a176",
"value": "https://www.virustotal.com/file/9166ef682132814d0286ddecfefcc4222759cb9dcf62f7014c53b6367d3d28c3/analysis/1576835947/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "ed280824-6ca1-4c77-897c-9c5e7c0abdf5",
"value": "51/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379759",
"uuid": "d4a24fd0-9810-4c54-86ba-631f43d4e22c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "d4a24fd0-9810-4c54-86ba-631f43d4e22c",
"referenced_uuid": "c62ace2f-f3d3-4207-be63-75b867775faf",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-1fd4-487a-93db-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "f8c938b4-de02-4d6c-aae1-cbd1f4a1bf96",
"value": "a86f18fa2d67415ac2d576e1cd5ccad8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "902163fe-b3f1-45cf-9dfe-82a7a19ec077",
"value": "7dfe085e01e8285139d16455e810ae4792eb2c18"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "d7ee5602-4fba-47f7-9349-462b6978679b",
"value": "d24a2e930976774bc5f9d3246f94e1c93a707d33ed7e392cfe01bb3677cc1c22"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379759",
"uuid": "c62ace2f-f3d3-4207-be63-75b867775faf",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "89df942c-9005-4f34-80f1-ea4719b6c95f",
"value": "2019-12-25T07:19:31"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "54923d4a-fa00-4d06-8660-aa1ddc99389a",
"value": "https://www.virustotal.com/file/d24a2e930976774bc5f9d3246f94e1c93a707d33ed7e392cfe01bb3677cc1c22/analysis/1577258371/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "0594f440-9360-4876-b34e-ef99ffe3469b",
"value": "57/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379759",
"uuid": "50c3e941-eafb-46ac-9dd7-96753fea8e57",
"ObjectReference": [
{
"comment": "",
"object_uuid": "50c3e941-eafb-46ac-9dd7-96753fea8e57",
"referenced_uuid": "ecd2c5e0-2e9f-4c69-bc0c-c23961b9e132",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-a7c4-48b8-a1a7-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "a1286f31-7f32-4c2c-a2d7-6f440543c651",
"value": "ed3893c96decc3aa798be93192413d28"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "4425afe7-c6ca-4212-9d1a-00ca7d3eb895",
"value": "32037e67ab590dbe7015109aed258035dbb0808a"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "96701dd9-04b0-4cde-92ae-9734b70b39a6",
"value": "8ec9b712fe5f0648f015b582abca33ebbdb49670c547fdb074051f6b03c6ffc9"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379760",
"uuid": "ecd2c5e0-2e9f-4c69-bc0c-c23961b9e132",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "9dcde278-2ff3-44d6-8ea8-46d6738629e6",
"value": "2019-12-02T16:08:23"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "5e9f6929-d276-4a11-87ec-13f4ea380c78",
"value": "https://www.virustotal.com/file/8ec9b712fe5f0648f015b582abca33ebbdb49670c547fdb074051f6b03c6ffc9/analysis/1575302903/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "feed86f7-129f-4de7-b836-38337265abbc",
"value": "33/70"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379760",
"uuid": "63aa563e-87b6-4727-808c-1f8dbd42ecf2",
"ObjectReference": [
{
"comment": "",
"object_uuid": "63aa563e-87b6-4727-808c-1f8dbd42ecf2",
"referenced_uuid": "7bf812c0-54af-47f5-8085-751942a1c16c",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-4da4-4d58-aa9c-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "2790ce28-14e5-4d6a-a973-c7ba01dbb7ee",
"value": "9110e59b6c7ced21e194d37bb4fc14b2"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "f98bee97-bf82-4465-9200-27f6a958cc92",
"value": "3359490391fb18bbe18ba12341b7476b79dac376"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "0d66612c-a577-4267-b6e5-48a7522d3b28",
"value": "7e666e1f9ed0cfc211096d54106d66ba47f0375e675814b44c24b34dad57f578"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379760",
"uuid": "7bf812c0-54af-47f5-8085-751942a1c16c",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "f9a8fab5-cfe1-4e83-9473-fe78cf056bce",
"value": "2019-12-13T17:23:41"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "72865949-620a-4098-b04c-59f9d39bfded",
"value": "https://www.virustotal.com/file/7e666e1f9ed0cfc211096d54106d66ba47f0375e675814b44c24b34dad57f578/analysis/1576257821/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "1011e2ec-c6d5-4479-9e24-040bb1dc1189",
"value": "48/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379760",
"uuid": "4dce2aca-173e-45d5-ac70-39b11b0bde68",
"ObjectReference": [
{
"comment": "",
"object_uuid": "4dce2aca-173e-45d5-ac70-39b11b0bde68",
"referenced_uuid": "f0633bef-4096-48ac-8076-42f96522515a",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-9d94-4c17-be6b-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "226b76a3-0c49-4ed6-845e-66de3057770e",
"value": "51e1924ac4c3f87553e9e9c712348ac8"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "4b1792f1-1b3f-4fbf-891f-aa49b7a58e6b",
"value": "7f81cdffcab77a07b1e15298d5b7c6681c0e5c6c"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "14de9e87-a38a-45f1-bc3b-d5e507221fe5",
"value": "271d39c0daaf1efb3571fcb7cf2b271f882aebe070176d777e3dcbbbe1d80002"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379761",
"uuid": "f0633bef-4096-48ac-8076-42f96522515a",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "8f960a45-2cda-48b5-af90-bc324e624589",
"value": "2019-12-25T23:50:06"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "6815fe07-a65c-4e36-9ae8-e061f2d81996",
"value": "https://www.virustotal.com/file/271d39c0daaf1efb3571fcb7cf2b271f882aebe070176d777e3dcbbbe1d80002/analysis/1577317806/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "ff524555-72ff-4dfe-ae4b-9b94c8f058fe",
"value": "44/72"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379761",
"uuid": "b146e56a-7421-4e1c-90a6-05e350142898",
"ObjectReference": [
{
"comment": "",
"object_uuid": "b146e56a-7421-4e1c-90a6-05e350142898",
"referenced_uuid": "2a62535e-e6ab-4678-91ed-333564e64814",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-ad10-4333-81a9-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379501",
"to_ids": true,
"type": "md5",
"uuid": "5b4ba1b2-d21c-46af-8b62-94e76d205bb2",
"value": "02484e00e248da80c897e2261e65d275"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha1",
"uuid": "04e03d03-1c4a-42cc-ac84-51bfe0292090",
"value": "8a1550d7d473c85cb8bdadce151eb66dce8bc7cc"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379501",
"to_ids": true,
"type": "sha256",
"uuid": "68a381b3-8a58-4986-bd7c-a1e1824c2172",
"value": "8f33307a23babe5b961fd72184274a34cad2218916ac343baa131290ff018e57"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379761",
"uuid": "2a62535e-e6ab-4678-91ed-333564e64814",
"Attribute": [
{
"category": "Other",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379501",
"to_ids": false,
"type": "datetime",
"uuid": "8e218d95-e946-45f4-9279-f13ac5a15eb9",
"value": "2019-12-23T11:50:24"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379501",
"to_ids": false,
"type": "link",
"uuid": "b8ef1188-4a8f-4b05-9781-9c94c02046c8",
"value": "https://www.virustotal.com/file/8f33307a23babe5b961fd72184274a34cad2218916ac343baa131290ff018e57/analysis/1577101824/"
},
{
"category": "Payload delivery",
"comment": "Other predator hashes",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379501",
"to_ids": false,
"type": "text",
"uuid": "5f67fdb9-1ef5-41ab-9320-11685191e102",
"value": "47/71"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577379761",
"uuid": "1c1bc6e2-3c6f-4111-b421-87e1e5a05b9d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "1c1bc6e2-3c6f-4111-b421-87e1e5a05b9d",
"referenced_uuid": "fd386d29-307f-462e-bd14-57bd67528cee",
2023-04-21 13:25:09 +00:00
"relationship_type": "analysed-with",
2023-12-14 14:30:15 +00:00
"timestamp": "1577379762",
"uuid": "5e04e7b2-9bbc-4fd9-bf89-f63d02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577379645",
"to_ids": true,
"type": "md5",
"uuid": "8760a3c2-7264-49df-84f7-906831144742",
"value": "82ec8cb11e560681ffe5a2ee1397ba40"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577379645",
"to_ids": true,
"type": "sha1",
"uuid": "224ac502-5ac2-4ef7-9547-cf49a2ee7479",
"value": "a3349ccc3ccc58424b6855dceaa740d9d144eedf"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577379645",
"to_ids": true,
"type": "sha256",
"uuid": "65558765-d330-4641-bb83-d8429f29af7f",
"value": "21ebdc3a58f3d346247b2893d41c80126edabb060759af846273f9c9d0c92a9a"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577379761",
"uuid": "fd386d29-307f-462e-bd14-57bd67528cee",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577379645",
"to_ids": false,
"type": "datetime",
"uuid": "00c15ce8-a3c2-4a45-97c2-0099d1251967",
"value": "2019-11-06T00:05:26"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577379645",
"to_ids": false,
"type": "link",
"uuid": "25eefa9c-ab55-4d28-80ae-513162e3c225",
"value": "https://www.virustotal.com/file/21ebdc3a58f3d346247b2893d41c80126edabb060759af846273f9c9d0c92a9a/analysis/1572998726/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577379645",
"to_ids": false,
"type": "text",
"uuid": "c55d65e8-361e-4d20-887a-b57b56a73cc6",
"value": "52/72"
}
]
},
{
"comment": "Dump of the original website in Markdown format",
"deleted": false,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"name": "annotation",
"template_uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
"template_version": "2",
"timestamp": "1577379957",
"uuid": "5e04e875-85b4-466b-9115-507002de0b81",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "format",
"timestamp": "1577379958",
"to_ids": false,
"type": "text",
"uuid": "5e04e876-5a80-4348-bbf9-507002de0b81",
"value": "markdown"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1577379958",
"to_ids": false,
"type": "text",
"uuid": "5e04e876-d1f0-46cf-86f2-507002de0b81",
"value": "report"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "text",
"timestamp": "1577379958",
"to_ids": false,
"type": "text",
"uuid": "5e04e876-4654-422f-b2f5-507002de0b81",
"value": "[<img width=\"39\" height=\"32\" src=\":/87c1ef79c46d4766a0ce89c58236458d\"/>](https://fumik0.com)\r\n\r\n* [Home](https://fumik0.com/)\r\n* [Tracker](http://tracker.fumik0.com)\r\n* [Twitter](https://twitter.com/fumik0_)\r\n* [About](https://fumik0.com/about/)\r\n* [Contact](https://fumik0.com/contact/)\r\n\r\n* [Home](https://fumik0.com)\r\n* [botnet](https://fumik0.com/category/botnet/)\r\n* Let\u00e2\u20ac\u2122s play (again) with Predator the thief\r\n\r\n# Let\u00e2\u20ac\u2122s play (again) with Predator the thief\r\n\r\n[0](https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/#comments)\r\n\r\n![](:/5d9c033aa2614a1584eda9e4756ad915) [fumko](https://fumik0.com/author/fumko/ \"written December 25, 2019 @ 7:49 pm\") written 21 hours ago\r\n\r\n![](:/3189a43320a24016869436b1919bdb67)\r\n\r\nWhenever I reverse a sample, I am mostly interested in how it was developed, even if in the end the techniques employed are generally the same, I am always curious about what was the way to achieve a task, or just simply understand the code philosophy of a piece of code. It is a very nice way to spot different trending and discovering (sometimes) new tricks that you never know it was possible to do. This is one of the main reasons, I love digging mostly into stealers/clippers for their accessibility for being reversed, and enjoying malware analysis as a kind of game (unless some exceptions like Nymaim that is literally hell).\r\n\r\nIt's been 1 year and a half now that I start looking into \"Predator The Thief\", and this malware has evolved over time in terms of content added and code structure. This impression could be totally different from others in terms of stealing tasks performed, but based on my first in-depth analysis,, the code has changed too much and it was necessary to make another post on it.\r\n\r\nThis one will focus on some major aspects of the 3.3.2 version, but will not explain everything (because some details have already been mentioned in other papers,\u00c2\u00a0 some subjects are known). Also, times to times I will add some extra commentary about malware analysis in general.\r\n\r\n## Anti-Disassembly\r\n\r\nWhen you open an unpacked binary in IDA or other disassembler software like GHIDRA, there is an amount of code that is not interpreted correctly which leads to rubbish code, the incapacity to construct instructions or showing some graph. Behind this, it's obvious that an anti-disassembly trick is used.\r\n\r\n<img width=\"636\" height=\"317\" src=\":/6ae0ef5565ff40d5b6b87daf4ec4b7ed\"/>\r\n\r\nThe technique exploited here is known and used in the wild by other malware, it requires just a few opcodes to process and leads at the end at the creation of a false branch. In this case, it begins with a simple xor instruction that focuses on configuring the zero flag and forcing the JZ jump condition to work no matter what, so, at this stage, it's understandable that something suspicious is in progress. Then the MOV opcode (0xB8) next to the jump is a 5 bytes instruction and disturbing the disassembler to consider that this instruction is the right one to interpret beside that the correct opcode is inside this one, and in the end, by choosing this wrong path malicious tasks are hidden.\r\n\r\nOf course, fixing this issue is simple, and required just a few seconds. For example with IDA, you need to undefine the MOV instruction by pressing the keyboard shortcut \"U\", to produce this pattern.\r\n\r\n![predator_anti_analysis_03](:/49ceced72dd147d19759ebb547322859)\r\n\r\nThen skip the 0xB8 opcode, and pushing on \"C\" at the 0xE8 position, to configure the disassembler to interpret instruction at this point.\r\n\r\n<img width=\"900\" height=\"173\" src=\":/27d4709eba9d427481718e91aaa1fb67\"/>\r\n\r\nReplacing the 0xB8 opcode by 0x90. with a hexadecimal editor, will fix the issue. Opening again the patched PE, you will see that IDA is now able to even show the graph mode.\r\n\r\nAfter patching it, there are still some parts that can't be correctly parsed by the
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}