misp-circl-feed/feeds/circl/misp/5a719a5d-ba14-4ec4-b4b8-4c94950d210f.json

{
  "Event": {
    "analysis": "2",
    "date": "2018-01-23",
    "extends_uuid": "",
    "info": "OSINT - Analyzing CrossRAT",
    "publish_timestamp": "1518771211",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1517454034",
    "uuid": "5a719a5d-ba14-4ec4-b4b8-4c94950d210f",
    "Orgc": {
      "name": "CIRCL",
      "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": "0",
        "name": "tlp:white",
        "relationship_type": ""
      },
      {
        "colour": "#4bec00",
        "local": "0",
        "name": "enisa:nefarious-activity-abuse=\"remote-access-tool\"",
        "relationship_type": ""
      },
      {
        "colour": "#850048",
        "local": "0",
        "name": "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": "0",
        "name": "misp-galaxy:rat=\"CrossRat\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404415",
        "to_ids": false,
        "type": "comment",
        "uuid": "5a719a75-8c84-4da4-a006-41dd950d210f",
        "value": "The EFF/Lookout report describes CrossRat as a \u00e2\u20ac\u0153newly discovered desktop surveillanceware tool\u00e2\u20ac\u00a6which is able to target Windows, OSX, and Linux.\u00e2\u20ac\u009d Of course the OSX (macOS) part intrigues me the most, so this post may have somewhat of a \u00e2\u20ac\u02dcMac-slant.\u00e2\u20ac\u2122"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404415",
        "to_ids": false,
        "type": "link",
        "uuid": "5a719a99-1774-46c6-820b-4b7d950d210f",
        "value": "https://digitasecurity.com/blog/2018/01/23/crossrat/"
      },
      {
        "category": "Payload delivery",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404415",
        "to_ids": true,
        "type": "filename",
        "uuid": "5a71ac17-ec40-42e2-ac4d-47ec950d210f",
        "value": "mediamgrs.jar"
      },
      {
        "category": "Network activity",
        "comment": "on port 2223.",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404416",
        "to_ids": true,
        "type": "domain",
        "uuid": "5a71acc8-fcc0-4835-8908-46fd950d210f",
        "value": "flexberry.com"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404416",
        "to_ids": false,
        "type": "filename",
        "uuid": "5a71acef-87b0-4f2d-a464-4844950d210f",
        "value": "crossrat/client.class"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404416",
        "to_ids": false,
        "type": "filename",
        "uuid": "5a71acef-d690-4c29-bdad-4574950d210f",
        "value": "crossrat/k.class"
      },
      {
        "category": "Artifacts dropped",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1517404417",
        "to_ids": false,
        "type": "filename",
        "uuid": "5a71ad6b-4fe4-41ef-b4f2-452a950d210f",
        "value": "crossrat/j.class"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "9",
        "timestamp": "1517394738",
        "uuid": "5a719b32-1108-47a6-aa7c-4847950d210f",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1517394738",
            "to_ids": true,
            "type": "filename",
            "uuid": "5a719b32-fbc0-4cff-bb3d-4f9f950d210f",
            "value": "hmar6.jar"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1517394739",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5a719b33-3644-4c1c-9cec-488f950d210f",
            "value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "state",
            "timestamp": "1517394739",
            "to_ids": false,
            "type": "text",
            "uuid": "5a719b33-71d8-4268-873b-4fd9950d210f",
            "value": "Malicious"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "7",
        "timestamp": "1517404420",
        "uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3",
        "ObjectReference": [
          {
            "comment": "",
            "object_uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3",
            "referenced_uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1",
            "relationship_type": "analysed-with",
            "timestamp": "1518771211",
            "uuid": "5a71c104-4034-4505-b082-406702de0b81"
          }
        ],
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1517404417",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5a71c101-ef58-4aca-985d-441702de0b81",
            "value": "b23e070dadc997759574d5ee92c7753b84968f50"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1517404418",
            "to_ids": true,
            "type": "md5",
            "uuid": "5a71c102-4654-4c01-9262-475602de0b81",
            "value": "85b794e080d83a91e904b97769e1e770"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1517404418",
            "to_ids": true,
            "type": "sha256",
            "uuid": "5a71c102-4f64-4ca5-877a-499102de0b81",
            "value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "VirusTotal report",
        "meta-category": "misc",
        "name": "virustotal-report",
        "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
        "template_version": "1",
        "timestamp": "1517404419",
        "uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1",
        "Attribute": [
          {
            "category": "External analysis",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "permalink",
            "timestamp": "1517404419",
            "to_ids": false,
            "type": "link",
            "uuid": "5a71c103-d788-427c-823b-49f802de0b81",
            "value": "https://www.virustotal.com/file/15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649/analysis/1517401865/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "detection-ratio",
            "timestamp": "1517404419",
            "to_ids": false,
            "type": "text",
            "uuid": "5a71c103-59d4-42dd-a748-4e6f02de0b81",
            "value": "33/57"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "last-submission",
            "timestamp": "1517404419",
            "to_ids": false,
            "type": "datetime",
            "uuid": "5a71c103-c41c-4d36-aecf-453202de0b81",
            "value": "2018-01-31T12:31:05"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.",
        "meta-category": "network",
        "name": "ip-port",
        "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
        "template_version": "6",
        "timestamp": "1517409088",
        "uuid": "5a71d340-9298-45fe-a0d4-43b8950d210f",
        "Attribute": [
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "domain",
            "timestamp": "1517409088",
            "to_ids": true,
            "type": "domain",
            "uuid": "5a71d340-95b8-4ba8-9256-4243950d210f",
            "value": "flexberry.com"
          },
          {
            "category": "Network activity",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "dst-port",
            "timestamp": "1517409089",
            "to_ids": false,
            "type": "port",
            "uuid": "5a71d341-be70-4699-9f93-434f950d210f",
            "value": "2223"
          }
        ]
      }
    ]
  }
}
chg: [feed] added 2023-04-21 13:25:09 +00:00			`{`
			`"Event": {`
			`"analysis": "2",`
			`"date": "2018-01-23",`
			`"extends_uuid": "",`
			`"info": "OSINT - Analyzing CrossRAT",`
			`"publish_timestamp": "1518771211",`
			`"published": true,`
			`"threat_level_id": "3",`
			`"timestamp": "1517454034",`
			`"uuid": "5a719a5d-ba14-4ec4-b4b8-4c94950d210f",`
			`"Orgc": {`
			`"name": "CIRCL",`
			`"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"`
			`},`
			`"Tag": [`
			`{`
			`"colour": "#ffffff",`
chg: [export] updated 2023-05-19 09:05:37 +00:00			`"local": "0",`
			`"name": "tlp:white",`
			`"relationship_type": ""`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`},`
			`{`
			`"colour": "#4bec00",`
chg: [export] updated 2023-05-19 09:05:37 +00:00			`"local": "0",`
			`"name": "enisa:nefarious-activity-abuse=\"remote-access-tool\"",`
			`"relationship_type": ""`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`},`
			`{`
			`"colour": "#850048",`
chg: [export] updated 2023-05-19 09:05:37 +00:00			`"local": "0",`
			`"name": "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"",`
			`"relationship_type": ""`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`},`
			`{`
			`"colour": "#0088cc",`
chg: [export] updated 2023-05-19 09:05:37 +00:00			`"local": "0",`
			`"name": "misp-galaxy:rat=\"CrossRat\"",`
			`"relationship_type": ""`
chg: [feed] added 2023-04-21 13:25:09 +00:00			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404415",`
			`"to_ids": false,`
			`"type": "comment",`
			`"uuid": "5a719a75-8c84-4da4-a006-41dd950d210f",`
			`"value": "The EFF/Lookout report describes CrossRat as a \u00e2\u20ac\u0153newly discovered desktop surveillanceware tool\u00e2\u20ac\u00a6which is able to target Windows, OSX, and Linux.\u00e2\u20ac\u009d Of course the OSX (macOS) part intrigues me the most, so this post may have somewhat of a \u00e2\u20ac\u02dcMac-slant.\u00e2\u20ac\u2122"`
			`},`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404415",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5a719a99-1774-46c6-820b-4b7d950d210f",`
			`"value": "https://digitasecurity.com/blog/2018/01/23/crossrat/"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404415",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5a71ac17-ec40-42e2-ac4d-47ec950d210f",`
			`"value": "mediamgrs.jar"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "on port 2223.",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404416",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a71acc8-fcc0-4835-8908-46fd950d210f",`
			`"value": "flexberry.com"`
			`},`
			`{`
			`"category": "Artifacts dropped",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404416",`
			`"to_ids": false,`
			`"type": "filename",`
			`"uuid": "5a71acef-87b0-4f2d-a464-4844950d210f",`
			`"value": "crossrat/client.class"`
			`},`
			`{`
			`"category": "Artifacts dropped",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404416",`
			`"to_ids": false,`
			`"type": "filename",`
			`"uuid": "5a71acef-d690-4c29-bdad-4574950d210f",`
			`"value": "crossrat/k.class"`
			`},`
			`{`
			`"category": "Artifacts dropped",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"timestamp": "1517404417",`
			`"to_ids": false,`
			`"type": "filename",`
			`"uuid": "5a71ad6b-4fe4-41ef-b4f2-452a950d210f",`
			`"value": "crossrat/j.class"`
			`}`
			`],`
			`"Object": [`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "9",`
			`"timestamp": "1517394738",`
			`"uuid": "5a719b32-1108-47a6-aa7c-4847950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "filename",`
			`"timestamp": "1517394738",`
			`"to_ids": true,`
			`"type": "filename",`
			`"uuid": "5a719b32-fbc0-4cff-bb3d-4f9f950d210f",`
			`"value": "hmar6.jar"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1517394739",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a719b33-3644-4c1c-9cec-488f950d210f",`
			`"value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "state",`
			`"timestamp": "1517394739",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5a719b33-71d8-4268-873b-4fd9950d210f",`
			`"value": "Malicious"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "File object describing a file with meta-information",`
			`"meta-category": "file",`
			`"name": "file",`
			`"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",`
			`"template_version": "7",`
			`"timestamp": "1517404420",`
			`"uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3",`
			`"ObjectReference": [`
			`{`
			`"comment": "",`
			`"object_uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3",`
			`"referenced_uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1",`
			`"relationship_type": "analysed-with",`
			`"timestamp": "1518771211",`
			`"uuid": "5a71c104-4034-4505-b082-406702de0b81"`
			`}`
			`],`
			`"Attribute": [`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha1",`
			`"timestamp": "1517404417",`
			`"to_ids": true,`
			`"type": "sha1",`
			`"uuid": "5a71c101-ef58-4aca-985d-441702de0b81",`
			`"value": "b23e070dadc997759574d5ee92c7753b84968f50"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "md5",`
			`"timestamp": "1517404418",`
			`"to_ids": true,`
			`"type": "md5",`
			`"uuid": "5a71c102-4654-4c01-9262-475602de0b81",`
			`"value": "85b794e080d83a91e904b97769e1e770"`
			`},`
			`{`
			`"category": "Payload delivery",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "sha256",`
			`"timestamp": "1517404418",`
			`"to_ids": true,`
			`"type": "sha256",`
			`"uuid": "5a71c102-4f64-4ca5-877a-499102de0b81",`
			`"value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "VirusTotal report",`
			`"meta-category": "misc",`
			`"name": "virustotal-report",`
			`"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",`
			`"template_version": "1",`
			`"timestamp": "1517404419",`
			`"uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1",`
			`"Attribute": [`
			`{`
			`"category": "External analysis",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "permalink",`
			`"timestamp": "1517404419",`
			`"to_ids": false,`
			`"type": "link",`
			`"uuid": "5a71c103-d788-427c-823b-49f802de0b81",`
			`"value": "https://www.virustotal.com/file/15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649/analysis/1517401865/"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": true,`
			`"object_relation": "detection-ratio",`
			`"timestamp": "1517404419",`
			`"to_ids": false,`
			`"type": "text",`
			`"uuid": "5a71c103-59d4-42dd-a748-4e6f02de0b81",`
			`"value": "33/57"`
			`},`
			`{`
			`"category": "Other",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "last-submission",`
			`"timestamp": "1517404419",`
			`"to_ids": false,`
			`"type": "datetime",`
			`"uuid": "5a71c103-c41c-4d36-aecf-453202de0b81",`
			`"value": "2018-01-31T12:31:05"`
			`}`
			`]`
			`},`
			`{`
			`"comment": "",`
			`"deleted": false,`
			`"description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.",`
			`"meta-category": "network",`
			`"name": "ip-port",`
			`"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",`
			`"template_version": "6",`
			`"timestamp": "1517409088",`
			`"uuid": "5a71d340-9298-45fe-a0d4-43b8950d210f",`
			`"Attribute": [`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "domain",`
			`"timestamp": "1517409088",`
			`"to_ids": true,`
			`"type": "domain",`
			`"uuid": "5a71d340-95b8-4ba8-9256-4243950d210f",`
			`"value": "flexberry.com"`
			`},`
			`{`
			`"category": "Network activity",`
			`"comment": "",`
			`"deleted": false,`
			`"disable_correlation": false,`
			`"object_relation": "dst-port",`
			`"timestamp": "1517409089",`
			`"to_ids": false,`
			`"type": "port",`
			`"uuid": "5a71d341-be70-4699-9f93-434f950d210f",`
			`"value": "2223"`
			`}`
			`]`
			`}`
			`]`
			`}`
			`}`