{
"Event": {
"analysis": "2",
"date": "2016-07-23",
"extends_uuid": "",
"info": "OSINT - Kovter becomes almost file-less, creates a new file type, and gets some new certificates",
"publish_timestamp": "1469260058",
"published": true,
"threat_level_id": "3",
"timestamp": "1469260042",
"uuid": "57931fd5-3c78-4dab-b1e9-4cc302de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259789",
"to_ids": true,
"type": "url",
"uuid": "5793200d-b68c-41b3-8296-4d1f02de0b81",
"value": "https://eepheverseoftheday.org/2811826639187/2811826639187/146819749948281/FlashPlayer.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259789",
"to_ids": true,
"type": "url",
"uuid": "5793200d-14b8-4146-b84d-45af02de0b81",
"value": "https://deequglutenfreeclub.org/8961166952189/8961166952189/146809673281840/FlashPlayer.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259789",
"to_ids": true,
"type": "url",
"uuid": "5793200d-7c40-41b6-9fed-4fce02de0b81",
"value": "https://zaixovinmonopolet.net/5261173544131/5261173544131/146785099939564/FlashPlayer.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259790",
"to_ids": true,
"type": "url",
"uuid": "5793200e-cf2c-40e7-8523-479f02de0b81",
"value": "https://feehacitysocialising.net/7561659755159/1468089713424429/firefox-patch.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259790",
"to_ids": true,
"type": "url",
"uuid": "5793200e-2cf0-427d-8982-4a6402de0b81",
"value": "https://eepheverseoftheday.org/1851760268603/1851760268603/1468192094476645/firefox-patch.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259790",
"to_ids": true,
"type": "url",
"uuid": "5793200e-eefc-4fcb-85c9-4f9002de0b81",
"value": "https://uchuhfsbox.net/8031143191240/8031143191240/1467996389305283/firefox-patch.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259790",
"to_ids": true,
"type": "url",
"uuid": "5793200e-f2f0-434f-ad2a-490e02de0b81",
"value": "https://ierairosihanari.org/1461656983266/1461656983266/1467987174641688/firefox-patch.exe"
},
{
"category": "Network activity",
"comment": "We have seen Kovter downloaded from a large list of URLs, including",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259790",
"to_ids": true,
"type": "url",
"uuid": "5793200e-cab8-4f3e-864d-4e5102de0b81",
"value": "https://anayimovilyeuros.net/7601143032510/7601143032510/1465468888898207/chrome-patch.exe"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259837",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203d-0d10-4cdd-a2dd-404102de0b81",
"value": "7e93cc85ed87ddfb31ac84154f28ae9d6bee0116"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259837",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203d-c6a4-4753-b3ea-4de602de0b81",
"value": "78d98ccccc41e0dea1791d24595c2e90f796fd48"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259838",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203e-17b8-4118-93e8-435e02de0b81",
"value": "c6305ea8aba8b095d31a7798f957d9c91fc17cf6"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259838",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203e-ccf8-4d8f-a7a5-487f02de0b81",
"value": "b780af39e1bf684b7d2579edfff4ed26519b05f6"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259838",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203e-1ef8-4134-82f2-4e3402de0b81",
"value": "a286affc5f6e92bdc93374646676ebc49e21bcae"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259838",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203e-ad0c-4952-addf-423c02de0b81",
"value": "ac4325c9837cd8fa72d6bcaf4b00186957713414"
},
{
"category": "Payload delivery",
"comment": "Kovter has also rotated through a series of new digital certificates, including the following",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259839",
"to_ids": true,
"type": "x509-fingerprint-sha1",
"uuid": "5793203f-1bb4-43cd-b5f4-4ca002de0b81",
"value": "ce75af3b8be1ecef9d0eb51f2f3281b846add3fc"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259891",
"to_ids": true,
"type": "sha1",
"uuid": "57932073-e494-4aa4-aadb-4db602de0b81",
"value": "7177811e2f7be8db2a7d9b1f690dc9e764fdc8a2"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259891",
"to_ids": true,
"type": "sha1",
"uuid": "57932073-86d0-423f-a8d6-4ff202de0b81",
"value": "da3261ceff37a56797b47b998dafe6e0376f8446"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259892",
"to_ids": true,
"type": "sha1",
"uuid": "57932074-9d0c-49a4-bd99-45eb02de0b81",
"value": "c3f3ecf24b6d39b0e4ff51af31002f3d37677476"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259892",
"to_ids": true,
"type": "sha1",
"uuid": "57932074-f678-4467-a322-4f3d02de0b81",
"value": "c49febe1e240e47364a649b4cd19e37bb14534d0"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259892",
"to_ids": true,
"type": "sha1",
"uuid": "57932074-c224-4667-9752-435202de0b81",
"value": "3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259892",
"to_ids": true,
"type": "sha1",
"uuid": "57932074-32e4-44bb-b8ed-4b5602de0b81",
"value": "e428de0899cb13de47ac16618a53c5831337c5e6"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259892",
"to_ids": true,
"type": "sha1",
"uuid": "57932074-8868-4798-83d1-4c9002de0b81",
"value": "b8cace9f517bad05d8dc89d7f76f79aae8717a24"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259925",
"to_ids": true,
"type": "sha256",
"uuid": "57932095-f574-45fd-b1f6-4b9d02de0b81",
"value": "cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259925",
"to_ids": true,
"type": "md5",
"uuid": "57932095-ad7c-4efc-ba28-407d02de0b81",
"value": "7df17844ee9f36c35629c54646953445"
},
{
"category": "External analysis",
"comment": "Kovter SHA1 - Xchecked via VT: c3f3ecf24b6d39b0e4ff51af31002f3d37677476",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259925",
"to_ids": false,
"type": "link",
"uuid": "57932095-6dc8-42f4-b071-400e02de0b81",
"value": "https://www.virustotal.com/file/cd7a7ef59534293d8f059fef4ebd2cacf5dc3f598c2a34ae1bf9b952f9b022a0/analysis/1468240910/"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259926",
"to_ids": true,
"type": "sha256",
"uuid": "57932096-c044-4f67-a760-485a02de0b81",
"value": "3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259926",
"to_ids": true,
"type": "md5",
"uuid": "57932096-bfe4-4010-8f08-43ec02de0b81",
"value": "4167da9574e5e334205f5be8b9181aab"
},
{
"category": "External analysis",
"comment": "Kovter SHA1 - Xchecked via VT: 3689ff2ef2aceb9dc0877b38edf5cb4e1bd86f39",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259926",
"to_ids": false,
"type": "link",
"uuid": "57932096-7a0c-4d72-a7cd-482e02de0b81",
"value": "https://www.virustotal.com/file/3bc1d770a7ecc99c014739e7db3b0ed6cf8f0063e593e0f501df701c85ce6e22/analysis/1466283391/"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259926",
"to_ids": true,
"type": "sha256",
"uuid": "57932096-2970-4903-bf44-4c3a02de0b81",
"value": "45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259926",
"to_ids": true,
"type": "md5",
"uuid": "57932096-32a4-433b-a558-4f1d02de0b81",
"value": "5d908526f1a84e96ce00f5bb1e093ede"
},
{
"category": "External analysis",
"comment": "Kovter SHA1 - Xchecked via VT: c49febe1e240e47364a649b4cd19e37bb14534d0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259927",
"to_ids": false,
"type": "link",
"uuid": "57932097-6b24-4988-9716-48c302de0b81",
"value": "https://www.virustotal.com/file/45b2ceb2ed61d75156a001d7c1aa64f5d3f71c188c433c085f2d2383543d24bf/analysis/1463744476/"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259927",
"to_ids": true,
"type": "sha256",
"uuid": "57932097-ef18-48e3-ae1c-48ff02de0b81",
"value": "744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b"
},
{
"category": "Payload delivery",
"comment": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259927",
"to_ids": true,
"type": "md5",
"uuid": "57932097-bf8c-48cd-b559-4a7302de0b81",
"value": "1885e38dce5d58cf8e7436256e019065"
},
{
"category": "External analysis",
"comment": "Kovter SHA1 - Xchecked via VT: e428de0899cb13de47ac16618a53c5831337c5e6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259927",
"to_ids": false,
"type": "link",
"uuid": "57932097-2e98-428f-9354-4e4c02de0b81",
"value": "https://www.virustotal.com/file/744c3eba00f668e5e766ff6268b73c419b204fc51fe48fd1f75359c528d5681b/analysis/1464087978/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259951",
"to_ids": false,
"type": "link",
"uuid": "579320af-d86c-4d75-bf38-42de02de0b81",
"value": "https://blogs.technet.microsoft.com/mmpc/2016/07/22/kovter-becomes-almost-file-less-creates-a-new-file-type-and-gets-some-new-certificates/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469259982",
"to_ids": false,
"type": "comment",
"uuid": "579320ce-a6bc-4bbc-8cf4-4d2902de0b81",
"value": "Trojan:Win32/Kovter is a well-known click-fraud malware which is challenging to detect and remove because of its file-less persistence on infected PCs. In this blog, we will share some technical details about the latest changes we have seen in Kovter\u2019s persistence method and some updates on their latest malvertising campaigns.\r\n\r\nNew persistence method\r\nSince June 2016, Kovter has changed their persistence method to make remediation harder for antivirus software."
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1469260042",
"to_ids": false,
"type": "text",
"uuid": "5793210a-2368-429a-992f-431f02de0b81",
"value": "Trojan:Win32/Kovter"
}
]
}
}