2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2017-01-30" ,
"extends_uuid" : "" ,
"info" : "OSINT - Saga 2.0 (Sage 2.0) comes with IP Generation Algorithm (IPGA)" ,
"publish_timestamp" : "1485803996" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1485803987" ,
"uuid" : "588f9099-bcc8-4730-b744-4eed02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803689" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "588f90a9-09cc-4c5f-86d1-4f5602de0b81" ,
"value" : "On Jan 20, 2017, we came across a malware that appeared to be a new Ransomware family called Sage 2.0. Within a couple of days we were able to collect more than 200 malware binaries across our sensors associated with this new Ransomware. Last week, Brad Duncan also wrote a SANS InfoSec Diary entry on Sage 2.0, noticing some strange UDP packets sent to over 7'000 different IPs:"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803879" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "588f90c8-6aec-4917-83a2-404202de0b81" ,
"value" : "https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#075200" ,
"local" : "0" ,
"name" : "admiralty-scale:source-reliability=\"b\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Sage 2.0 samples" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "588f90e4-27dc-48c5-9c7d-4a6a02de0b81" ,
"value" : "cfe8749de0954cee3966e1cbdb341e69"
} ,
{
"category" : "External analysis" ,
"comment" : "Sage 2.0 Traffic Encryption and Serialisation" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803970" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "588f9152-70fc-466d-a8cc-474302de0b81" ,
"value" : "sage.png" ,
"Tag" : [
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0fc000" ,
"local" : "0" ,
"name" : "admiralty-scale:information-credibility=\"2\"" ,
"relationship_type" : ""
}
]
} ,
{
"category" : "Payload delivery" ,
"comment" : "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803926" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "588f9196-e66c-4ceb-b014-4f9002de0b81" ,
"value" : "5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803926" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "588f9196-cb48-4b36-8f32-41e802de0b81" ,
"value" : "e8eec675b5af14138598e4d152d34fd2ecb43a87"
} ,
{
"category" : "External analysis" ,
"comment" : "Sage 2.0 samples - Xchecked via VT: cfe8749de0954cee3966e1cbdb341e69" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1485803927" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "588f9197-7d90-436b-af52-41b002de0b81" ,
"value" : "https://www.virustotal.com/file/5e7cc796dfd2d47e6efb31412e1d614db6d96620ac118426dda04b6fbb943993/analysis/1485347931/"
}
]
}
}