misp-circl-feed/feeds/circl/stix-2.1/571a302c-e5c4-4014-8131-4e9c950d210f.json

542 lines
24 KiB
JSON
Raw Permalink Normal View History

2023-04-21 14:44:17 +00:00
{
"type": "bundle",
"id": "bundle--571a302c-e5c4-4014-8131-4e9c950d210f",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:47.000Z",
"modified": "2016-04-22T14:13:47.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--571a302c-e5c4-4014-8131-4e9c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:47.000Z",
"modified": "2016-04-22T14:13:47.000Z",
"name": "OSINT - Teaching an old RAT new tricks",
"published": "2016-04-22T14:14:57Z",
"object_refs": [
"observed-data--571a303a-3c3c-4030-885f-400b950d210f",
"url--571a303a-3c3c-4030-885f-400b950d210f",
"x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f",
"indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f",
"indicator--571a30f3-44ec-4b50-a024-40d702de0b81",
"indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81",
"observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
"url--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
"indicator--571a312c-ada4-409a-9d75-437e950d210f",
"indicator--571a3163-6690-403b-9d75-43e6950d210f",
"indicator--571a317a-55bc-42d0-a5b2-4164950d210f",
"indicator--571a3185-2014-41d4-8f7f-45dc02de0b81",
"indicator--571a3186-1514-4141-a640-482702de0b81",
"observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81",
"url--571a3186-bcbc-4ce1-a073-439e02de0b81",
"indicator--571a3186-6a4c-409f-948d-4df502de0b81",
"indicator--571a3187-e8b0-4cb8-9896-49c802de0b81",
"observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81",
"url--571a3187-a00c-45ee-b49b-49ec02de0b81",
"indicator--571a3188-39b4-474d-adbd-414502de0b81",
"indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81",
"observed-data--571a3188-e618-4f9d-8024-420b02de0b81",
"url--571a3188-e618-4f9d-8024-420b02de0b81",
"indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f",
"indicator--571a319b-f570-4379-b681-476c950d210f"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT"
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a303a-3c3c-4030-885f-400b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:07:54.000Z",
"modified": "2016-04-22T14:07:54.000Z",
"first_observed": "2016-04-22T14:07:54Z",
"last_observed": "2016-04-22T14:07:54Z",
"number_observed": 1,
"object_refs": [
"url--571a303a-3c3c-4030-885f-400b950d210f"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a303a-3c3c-4030-885f-400b950d210f",
"value": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--571a3056-7f64-4ee4-99d6-425b950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:08:22.000Z",
"modified": "2016-04-22T14:08:22.000Z",
"labels": [
"misp:type=\"comment\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "comment",
"x_misp_value": "Attackers have been successfully deploying RATs for years to remotely control users systems - giving them full access to the victim\u00e2\u20ac\u2122s files or resources such as cameras, recording key strokes, or downloading further malware. Traditionally RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve use of files to deliver the payload - which are easier to detect.\r\n\r\nRecently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state. In doing so, the attacker can remain out of view from antivirus technologies, and even \u00e2\u20ac\u02dcnext-generation\u00e2\u20ac\u2122 technologies that only focus on file-based threat vectors. Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it\u00e2\u20ac\u2122s not being analyzed in a network sandbox.\r\n\r\nAnd finally it\u00e2\u20ac\u2122s important to highlight that the RAT itself is not new. In fact this technique can be used to deliver any \u00e2\u20ac\u0153known\u00e2\u20ac\u009d RAT to a victim\u00e2\u20ac\u2122s system. We analyzed this sample against our SentinelOne EPP to confirm is does not evade our behavior-based detection mechanisms. This is due to the fact that we\u00e2\u20ac\u2122re monitoring all processes at the user-space/kernel-space interface - and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points."
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a307d-d2a8-48f3-a7fa-4c68950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:09:01.000Z",
"modified": "2016-04-22T14:09:01.000Z",
"description": "Win32 PE .NET 2.0 - Samples Analyzed",
"pattern": "[file:hashes.SHA256 = 'b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:09:01Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a30f3-44ec-4b50-a024-40d702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:10:59.000Z",
"modified": "2016-04-22T14:10:59.000Z",
"description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
"pattern": "[file:hashes.SHA1 = '3b1ac573509281cdc0b6141f8ea6ed3af393b554']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:10:59Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a30f4-dd90-4bbc-8f25-4cfd02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:11:00.000Z",
"modified": "2016-04-22T14:11:00.000Z",
"description": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
"pattern": "[file:hashes.MD5 = '65752e742d643d121ee7e826ab65dc9b']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:11:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:11:00.000Z",
"modified": "2016-04-22T14:11:00.000Z",
"first_observed": "2016-04-22T14:11:00Z",
"last_observed": "2016-04-22T14:11:00Z",
"number_observed": 1,
"object_refs": [
"url--571a30f4-5ec4-4d2a-86ed-40c602de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a30f4-5ec4-4d2a-86ed-40c602de0b81",
"value": "https://www.virustotal.com/file/b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8/analysis/1461260966/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a312c-ada4-409a-9d75-437e950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:11:56.000Z",
"modified": "2016-04-22T14:11:56.000Z",
"description": "Packed \"Benchmark\" DLL",
"pattern": "[file:hashes.MD5 = 'e5c71180f117270538487cd9b9b1b6d8']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:11:56Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3163-6690-403b-9d75-43e6950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:12:51.000Z",
"modified": "2016-04-22T14:12:51.000Z",
"description": "Monitor (PerfWatson.exe)",
"pattern": "[file:hashes.MD5 = '9e05fb115bd4e85cfc0e32c72aa721be']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:12:51Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a317a-55bc-42d0-a5b2-4164950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:14.000Z",
"modified": "2016-04-22T14:13:14.000Z",
"description": "NanoCore RAT dumped from memory",
"pattern": "[file:hashes.MD5 = 'd740ed3f33ca4cef3a6aa717f94bf52a']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:14Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"md5\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3185-2014-41d4-8f7f-45dc02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:25.000Z",
"modified": "2016-04-22T14:13:25.000Z",
"description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
"pattern": "[file:hashes.SHA256 = '755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:25Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3186-1514-4141-a640-482702de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:26.000Z",
"modified": "2016-04-22T14:13:26.000Z",
"description": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
"pattern": "[file:hashes.SHA1 = '8105e6146d9cacf30ca38920a5a8483b52ddff62']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a3186-bcbc-4ce1-a073-439e02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:26.000Z",
"modified": "2016-04-22T14:13:26.000Z",
"first_observed": "2016-04-22T14:13:26Z",
"last_observed": "2016-04-22T14:13:26Z",
"number_observed": 1,
"object_refs": [
"url--571a3186-bcbc-4ce1-a073-439e02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a3186-bcbc-4ce1-a073-439e02de0b81",
"value": "https://www.virustotal.com/file/755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050/analysis/1460984076/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3186-6a4c-409f-948d-4df502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:26.000Z",
"modified": "2016-04-22T14:13:26.000Z",
"description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
"pattern": "[file:hashes.SHA256 = '51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3187-e8b0-4cb8-9896-49c802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:27.000Z",
"modified": "2016-04-22T14:13:27.000Z",
"description": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
"pattern": "[file:hashes.SHA1 = '407abece50b4905197d5132c19f19b5321fa9a55']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a3187-a00c-45ee-b49b-49ec02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:27.000Z",
"modified": "2016-04-22T14:13:27.000Z",
"first_observed": "2016-04-22T14:13:27Z",
"last_observed": "2016-04-22T14:13:27Z",
"number_observed": 1,
"object_refs": [
"url--571a3187-a00c-45ee-b49b-49ec02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a3187-a00c-45ee-b49b-49ec02de0b81",
"value": "https://www.virustotal.com/file/51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1/analysis/1455165681/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3188-39b4-474d-adbd-414502de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:28.000Z",
"modified": "2016-04-22T14:13:28.000Z",
"description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
"pattern": "[file:hashes.SHA256 = 'e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a3188-fb1c-4924-8bcb-4d7f02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:28.000Z",
"modified": "2016-04-22T14:13:28.000Z",
"description": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
"pattern": "[file:hashes.SHA1 = '3a35080da4c0e71bdd1445fdae886a87d27a419e']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:28Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload installation"
}
],
"labels": [
"misp:type=\"sha1\"",
"misp:category=\"Payload installation\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--571a3188-e618-4f9d-8024-420b02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:28.000Z",
"modified": "2016-04-22T14:13:28.000Z",
"first_observed": "2016-04-22T14:13:28Z",
"last_observed": "2016-04-22T14:13:28Z",
"number_observed": 1,
"object_refs": [
"url--571a3188-e618-4f9d-8024-420b02de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--571a3188-e618-4f9d-8024-420b02de0b81",
"value": "https://www.virustotal.com/file/e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06/analysis/1461269734/"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a319a-7aa4-48bc-bc4b-4ffb950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:46.000Z",
"modified": "2016-04-22T14:13:46.000Z",
"description": "On port 1617",
"pattern": "[domain-name:value = 'azona2015.chickenkiller.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:46Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--571a319b-f570-4379-b681-476c950d210f",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2016-04-22T14:13:47.000Z",
"modified": "2016-04-22T14:13:47.000Z",
"description": "On port 1617",
"pattern": "[domain-name:value = 'azona.chickenkiller.com']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2016-04-22T14:13:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Network activity"
}
],
"labels": [
"misp:type=\"hostname\"",
"misp:category=\"Network activity\"",
"misp:to_ids=\"True\""
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}