{
"Event" : {
"analysis" : "2" ,
"date" : "2022-08-19" ,
"extends_uuid" : "" ,
"info" : "OSINT - JSSLoader: the shellcode edition" ,
"publish_timestamp" : "1660912855" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1660912821" ,
"uuid" : "013585af-ba0a-480a-8f2f-48df896d9229" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#dd5a72" ,
"local" : "0" ,
"name" : "misp-galaxy:threat-actor=\"FIN7\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:clear" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "33ff2767-0cd0-4f23-8d5e-ef4e7c599a31" ,
"value" : "cc2171d14d0d3c4d117155185f7c911f781aac15b57adef6c32eb0149d5da3ba"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "328fe82a-fbab-4589-9a7b-11e5caef263a" ,
"value" : "bf1371e2d79115fc7cfc89266cd7a59c02b04a74e1246435392eb5e20c661d8f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "42764a9c-4661-481b-acd0-66649ddcf5cb" ,
"value" : "b08e713196b712c42da2df9da7836d270306065fbf6d4720f25d80e4104daf38"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6b066e8f-f78f-43f4-9331-8cdd54c8e719" ,
"value" : "7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "3d35309b-d8b1-4c14-b565-2d158cbc6b59" ,
"value" : "7a17ef218eebfdd4d3e70add616adcd5b78105becd6616c88b79b261d1a78fdf"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "92e60ec9-126c-4708-b444-04ade49d2d2c" ,
"value" : "410cd107dfd37752936bd20d022ea614cd373aa9d37db255f65dc434e653236a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910204" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2281dea8-11e1-4763-976a-f312d7fb0154" ,
"value" : "35f5c781d61d398ce47a8881228346a81afb4915bf083518bf2b4cc8d6a2685b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "9a498744-8261-428a-98bf-49d000228346" ,
"value" : "529f476f952fd1526d2038cb0012e5bdd8a702f3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "b765a67f-1c41-4c2f-92c0-c654b37adff5" ,
"value" : "0eaf6289dd7ebe8ae0879a4a72d1518e1d4ffac9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "e081fdb9-1972-4090-bfc4-123e792897a1" ,
"value" : "f1aff007c04c6fd3739dbeac537edaaa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "6d0ce48e-c437-46de-ae24-7472fbea594b" ,
"value" : "4a1e60be00e59617d53122d70c64506c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1406da62-389f-4c9b-8112-8a2eeb651c48" ,
"value" : "4961aec62fac8beeafffa5bfc841fab8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8d74be00-dc29-43aa-8497-db3684056d65" ,
"value" : "2956c03bff952b22387eed8172a26ba5"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910304" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "79754502-9a01-49f3-858f-9696336fd465" ,
"value" : "1e12ac069c1898ffe271ebdfcbd689c1"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910352" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "d72a4609-ff18-46b7-8921-eac3740002d4" ,
"value" : "d2742d7c4b7454745795c547594bb4f9dbddecfe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910352" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "00698b4e-497c-459d-94fa-e12da80c9008" ,
"value" : "9d0f6c8be3214eee1dda6ebb4bb41ef97cfe28b4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1660910352" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "cfdc5e5b-057b-49cd-b9db-646250947783" ,
"value" : "5c7b4da950b0f1845b38ef1aa11ca41b4731c766"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "7" ,
"timestamp" : "1660910745" ,
"uuid" : "aaff4760-ea84-46a6-a79a-27919f325ed3" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1660910745" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "fadbc54c-4adb-46b8-9d9e-b001f35b0f44" ,
"value" : "https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1660910745" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ddcaf51a-7f89-4427-b93d-82804562da14" ,
"value" : "JSSLoader: the shellcode edition"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "type" ,
"timestamp" : "1660910745" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "8555a473-687e-475b-943b-1d9cdb633669" ,
"value" : "Report"
}
]
} ,
{
"comment" : "Decoding of the strings is crucial for getting a deeper understanding of the malware functionality. The following tool was used for strings deobfuscation: https://gist.github.com/hasherezade/6eb355c2c81e640e7470fafe4db3f069 (it loads the original shellcode, and then deploys a decoding function out of it)" ,
"deleted" : false ,
"description" : "GitHub user" ,
"meta-category" : "misc" ,
"name" : "github-user" ,
"template_uuid" : "4329b5e6-8e6a-4b55-8fd1-9033782017d4" ,
"template_version" : "3" ,
"timestamp" : "1660911074" ,
"uuid" : "9560a135-3e58-4c09-bade-b3109a40ec35" ,
"Attribute" : [
{
"category" : "Social network" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username" ,
"timestamp" : "1660911074" ,
"to_ids" : false ,
"type" : "github-username" ,
"uuid" : "3c958b8f-aa3c-4c6e-86c0-f303835be16e" ,
"value" : "hasherezade"
} ,
{
"category" : "Social network" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "repository" ,
"timestamp" : "1660911074" ,
"to_ids" : false ,
"type" : "github-repository" ,
"uuid" : "83112dd4-06fb-44d3-99da-9c3458d38ea9" ,
"value" : "https://gist.github.com/hasherezade/6eb355c2c81e640e7470fafe4db3f069"
}
]
} ,
{
"comment" : "generated listing" ,
"deleted" : false ,
"description" : "GitHub user" ,
"meta-category" : "misc" ,
"name" : "github-user" ,
"template_uuid" : "4329b5e6-8e6a-4b55-8fd1-9033782017d4" ,
"template_version" : "3" ,
"timestamp" : "1660911217" ,
"uuid" : "c41f294b-2395-4d53-a671-577483c9180b" ,
"Attribute" : [
{
"category" : "Social network" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "username" ,
"timestamp" : "1660911217" ,
"to_ids" : false ,
"type" : "github-username" ,
"uuid" : "b32b4209-2439-4aa4-842e-c54b189bde12" ,
"value" : "hasherezade"
} ,
{
"category" : "Social network" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "repository" ,
"timestamp" : "1660911217" ,
"to_ids" : false ,
"type" : "github-repository" ,
"uuid" : "1ce528f7-24dc-4602-968c-fd2e019c9909" ,
"value" : "https://gist.github.com/hasherezade/4048e435cda43be374277afb06744ab1"
}
]
}
]
}
}