123 lines
112 KiB
JSON
{
  "Event": {
    "analysis": "2",
    "date": "2017-01-30",
    "extends_uuid": "",
    "info": "OSINT - Saga 2.0 (Sage 2.0) comes with IP Generation Algorithm (IPGA)",
    "publish_timestamp": "1485803996",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1485803987",
    "uuid": "588f9099-bcc8-4730-b744-4eed02de0b81",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "name": "tlp:white"
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803689",
        "to_ids": false,
        "type": "text",
        "uuid": "588f90a9-09cc-4c5f-86d1-4f5602de0b81",
        "value": "On Jan 20, 2017, we came across a malware that appeared to be a new Ransomware family called Sage 2.0. Within a couple of days we were able to collect more than 200 malware binaries across our sensors associated with this new Ransomware. Last week, Brad Duncan also wrote a SANS InfoSec Diary entry on Sage 2.0, noticing some strange UDP packets sent to over 7'000 different IPs:"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803879",
        "to_ids": false,
        "type": "link",
        "uuid": "588f90c8-6aec-4917-83a2-404202de0b81",
        "value": "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          },
          {
            "colour": "#075200",
            "name": "admiralty-scale:source-reliability=\"b\""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Sage 2.0 samples",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803748",
        "to_ids": true,
        "type": "md5",
        "uuid": "588f90e4-27dc-48c5-9c7d-4a6a02de0b81",
        "value": "cfe8749de0954cee3966e1cbdb341e69"
      },
      {
        "category": "External analysis",
        "comment": "Sage 2.0 Traffic Encryption and Serialisation",
        "data": "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
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803970",
        "to_ids": false,
        "type": "attachment",
        "uuid": "588f9152-70fc-466d-a8cc-474302de0b81",
        "value": "sage.png",
        "Tag": [
          {
            "colour": "#00223b",
            "name": "osint:source-type=\"blog-post\""
          },
          {
            "colour": "#0fc000",
            "name": "admiralty-scale:information-credibility=\"2\""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803926",
        "to_ids": true,
        "type": "sha256",
        "uuid": "588f9196-e66c-4ceb-b014-4f9002de0b81",
        "value": "5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993"
      },
      {
        "category": "Payload delivery",
        "comment": "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803926",
        "to_ids": true,
        "type": "sha1",
        "uuid": "588f9196-cb48-4b36-8f32-41e802de0b81",
        "value": "e8eec675b5af14138598e4d152d34fd2ecb43a87"
      },
      {
        "category": "External analysis",
        "comment": "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1485803927",
        "to_ids": false,
        "type": "link",
        "uuid": "588f9197-7d90-436b-af52-41b002de0b81",
        "value": "https://www.virustotal.com/file/5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993/analysis/1485347931/"
      }
    ]
  }
}
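The event above is a standard MISP export: only the attributes with "to_ids": true (the md5, sha1 and sha256 of the sample) are meant to reach detection systems, the "link", "text" and "attachment" attributes are context, and the event-level tlp:white tag governs whether the whole thing may be shared. The Python below is an added example of consuming such an export; it is not part of this event and not MISP's own tooling. SAMPLE_EVENT is a cut-down copy of the event (same uuid, tag, hash values and VirusTotal link, with the PNG attachment payload and narrative text left out) plus one constructed, soft-deleted md5 attribute to exercise the deleted check. The SHAREABLE_TLP set is an assumption about local sharing policy, and the cross-check that every exported sha256 is the one named in a VirusTotal link in the same event is this editor's sanity check, not a MISP feature.

```python
"""Pull IDS-ready indicators out of a MISP event export and sanity-check them.

Added example, not part of the MISP event on this page and not MISP's own code.
SAMPLE_EVENT is a cut-down copy of that event plus one constructed, soft-deleted
md5 attribute (marked below) that must never reach a sensor.
"""
import json
import re
from collections import defaultdict

SAMPLE_EVENT = json.dumps({
    "Event": {
        "uuid": "588f9099-bcc8-4730-b744-4eed02de0b81",
        "info": "OSINT - Saga 2.0 (Sage 2.0) comes with IP Generation Algorithm (IPGA)",
        "published": True,
        "Tag": [{"name": "tlp:white"}],
        "Attribute": [
            {"type": "md5", "category": "Payload delivery", "to_ids": True,
             "deleted": False, "value": "cfe8749de0954cee3966e1cbdb341e69"},
            {"type": "sha1", "category": "Payload delivery", "to_ids": True,
             "deleted": False, "value": "e8eec675b5af14138598e4d152d34fd2ecb43a87"},
            {"type": "sha256", "category": "Payload delivery", "to_ids": True,
             "deleted": False,
             "value": "5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993"},
            {"type": "link", "category": "External analysis", "to_ids": False,
             "deleted": False,
             "value": "https://www.virustotal.com/file/"
                      "5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993"
                      "/analysis/1485347931/"},
            # Constructed for this example: a retracted (soft-deleted) indicator.
            {"type": "md5", "category": "Payload delivery", "to_ids": True,
             "deleted": True, "value": "00000000000000000000000000000000"},
        ],
    }
})

HASH_RE = {
    "md5": re.compile(r"^[0-9a-f]{32}$"),
    "sha1": re.compile(r"^[0-9a-f]{40}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}
# Assumption: local policy on which TLP levels may be pushed to shared sensors.
SHAREABLE_TLP = {"tlp:white", "tlp:clear", "tlp:green"}


def _event(event_json):
    return json.loads(event_json)["Event"]


def ids_indicators(event_json):
    """{type: [values]} for attributes with to_ids=true, skipping soft-deleted
    ones. A malformed hash is an error here, not a silent no-match on the sensor."""
    out = defaultdict(list)
    for attr in _event(event_json).get("Attribute", []):
        if attr.get("deleted") or not attr.get("to_ids"):
            continue
        kind, value = attr["type"], attr["value"].strip().lower()
        if kind in HASH_RE and not HASH_RE[kind].match(value):
            raise ValueError(f"malformed {kind}: {attr['value']!r}")
        out[kind].append(value)
    return dict(out)


def vt_link_hashes(event_json):
    """sha256 digests embedded in VirusTotal file-analysis links in the event."""
    found = set()
    for attr in _event(event_json).get("Attribute", []):
        if attr.get("type") == "link":
            m = re.search(r"virustotal\.com/file/([0-9a-f]{64})/", attr["value"])
            if m:
                found.add(m.group(1))
    return found


def export_for_sensors(event_json):
    """Indicators to push, or None if the event is unpublished or carries no
    TLP tag in SHAREABLE_TLP. Also lists sha256 values that no VirusTotal link
    in the same event vouches for, so an analyst can eyeball those first."""
    event = _event(event_json)
    if not event.get("published"):
        return None
    tags = {t["name"].lower() for t in event.get("Tag", [])}
    if not tags & SHAREABLE_TLP:
        return None
    indicators = ids_indicators(event_json)
    unvouched = set(indicators.get("sha256", [])) - vt_link_hashes(event_json)
    return {"indicators": indicators, "sha256_without_vt_link": sorted(unvouched)}


def edited(event_json, **changes):
    """Copy of the event with top-level Event keys replaced, for what-if checks."""
    doc = json.loads(event_json)
    doc["Event"].update(changes)
    return json.dumps(doc)


if __name__ == "__main__":
    print(json.dumps(export_for_sensors(SAMPLE_EVENT), indent=2))
```

Running it on SAMPLE_EVENT yields the three hashes of the sample and an empty "sha256_without_vt_link" list; the constructed deleted md5 is dropped, and retagging the copy as tlp:amber or clearing "published" makes export_for_sensors return None rather than ship indicators the event's own metadata says not to share.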