2023-04-21 13:25:09 +00:00
{
2023-12-14 14:30:15 +00:00
"Event" : {
"analysis" : "2" ,
"date" : "2018-12-25" ,
"extends_uuid" : "" ,
"info" : "OSINT - Destructive Shamoon Malware Continues its Return with a New Anti-American Message" ,
"publish_timestamp" : "1545860568" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1545860566" ,
"uuid" : "5c225981-ae64-4141-8a37-430a02de0b81" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#00223b" ,
"local" : "0" ,
"name" : "osint:source-type=\"blog-post\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:tool=\"Shamoon\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-enterprise-attack-malware=\"Shamoon\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0026eb" ,
"local" : "0" ,
"name" : "estimative-language:confidence-in-analytic-judgment=\"moderate\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1545755024" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c225990-7df0-46a3-8fee-4cb202de0b81" ,
"value" : "https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1545755046" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c2259a6-f400-4bce-ac8d-493102de0b81" ,
"value" : "Anomali Labs in its continued hunt for the destructive Shamoon malware, has identified a new Shamoon malware sample that uses an image of a burning US Dollar as part of its destructive attack. Historic versions of the Shamoon destructive wiper have utilized images of a burning American flag and the drowned Syrian refugee and child Alan Kurdi as part of targeted attacks attributed to the Iranian State. The image includes the text \"WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN\" which is displayed in tandem with the overwriting of files on a victim's system.\r\n\r\nThe newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion. In this case the malicious internal file name is \"Baidu PC Faster\" and uses the description \"Baidu WiFi Hotspot Setup\". A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource \"GRANT\" is included which indicates that this sample was like compiled based on the second version of the codebase."
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1545755282" ,
"to_ids" : false ,
"type" : "x509-fingerprint-sha1" ,
"uuid" : "5c225a92-e620-4078-96a5-4d8402de0b81" ,
"value" : "4b953f30f1de4dfef894b136daa155ceafc243a0"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1545756020" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5c225d74-4938-48b1-a404-4e9802de0b81" ,
"value" : "gfxprc_X64_pro.exe"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1545756020" ,
"to_ids" : false ,
"type" : "filename" ,
"uuid" : "5c225d74-ed64-4f4b-8094-4e9a02de0b81" ,
"value" : "gfxprc_X64.exe"
}
] ,
"Object" : [
{
"comment" : "Shamoon (Packed)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1545860564" ,
"uuid" : "5c225a33-d8ec-4e9d-9c63-42fe02de0b81" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5c225a33-d8ec-4e9d-9c63-42fe02de0b81" ,
"referenced_uuid" : "d6dc565c-ce26-46ea-ad7b-4fd231f06f72" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1545755970" ,
"uuid" : "5c225d42-83a8-4a62-a857-42e602de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "5c225a33-d8ec-4e9d-9c63-42fe02de0b81" ,
"referenced_uuid" : "c3943d4b-93b1-4f83-b1db-a683329ce623" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1545860567" ,
"uuid" : "5c23f5d7-d930-47ca-b3c3-4eec02de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1545755187" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c225a33-ddf0-4a07-b32d-45ce02de0b81" ,
"value" : "7335b8bdc62f35e2579ba18b91dc6227c586ef75"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1545755187" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c225a33-bb80-488e-aa4b-4d7302de0b81" ,
"value" : "f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1545755188" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5c225a34-6130-47ed-ac70-4e0302de0b81" ,
"value" : "d0c3852e376423247ae45c24592880b6"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1545755188" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c225a34-898c-43e0-aaeb-494102de0b81" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "Shamoon (Unpacked)" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1545860565" ,
"uuid" : "5c225a67-c328-4d9e-9076-a51902de0b81" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "5c225a67-c328-4d9e-9076-a51902de0b81" ,
"referenced_uuid" : "8d89302c-d05e-4557-85ae-4717b031f335" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1545755900" ,
"uuid" : "5c225cfc-2cec-4d2f-824b-4a3f02de0b81"
} ,
{
"comment" : "" ,
"object_uuid" : "5c225a67-c328-4d9e-9076-a51902de0b81" ,
"referenced_uuid" : "331ae947-e60d-48b4-9b21-325c2acde6ce" ,
2023-04-21 13:25:09 +00:00
"relationship_type" : "analysed-with" ,
2023-12-14 14:30:15 +00:00
"timestamp" : "1545860567" ,
"uuid" : "5c23f5d7-4510-49c7-8f07-493602de0b81"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1545755239" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5c225a67-043c-46f5-910c-a51902de0b81" ,
"value" : "b18b92a25078aa5f23a9987fd9038440b58b9566"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1545755239" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c225a67-1d70-4cf2-b14f-a51902de0b81" ,
"value" : "c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1545755240" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "5c225a68-f2d0-4543-b7be-a51902de0b81" ,
"value" : "5711ac3dd15b019f558ec29e68d13ca9"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "state" ,
"timestamp" : "1545755240" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c225a68-3abc-4395-a9fe-a51902de0b81" ,
"value" : "Malicious"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "x509 object describing a X.509 certificate" ,
"meta-category" : "network" ,
"name" : "x509" ,
"template_uuid" : "d1ab756a-26b5-4349-9f43-765630f0911c" ,
"template_version" : "7" ,
"timestamp" : "1545755381" ,
"uuid" : "5c225af5-c140-458f-b353-4e1d02de0b81" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "subject" ,
"timestamp" : "1545755382" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c225af6-d1c4-4bc8-9fd5-44a902de0b81" ,
"value" : "CN=\"Baidu Online Network Technology Beijing Co.,Ltd.\", OU=Baidu security, O=\"Baidu Online Network Technology Beijing Co.,Ltd.\", L=Beijing, ST=Beijing, C=CN"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "x509-fingerprint-sha1" ,
"timestamp" : "1545755382" ,
"to_ids" : true ,
"type" : "x509-fingerprint-sha1" ,
"uuid" : "5c225af6-1924-413d-8494-4a2502de0b81" ,
"value" : "4b953f30f1de4dfef894b136daa155ceafc243a0"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "issuer" ,
"timestamp" : "1545755383" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c225af7-61d0-4cf3-bd47-480002de0b81" ,
"value" : "CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O=\"VeriSign, Inc.\", C=US\r\nSerial: 5faee9e83f32948f3b2040ac6df0145c"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "serial-number" ,
"timestamp" : "1545755383" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c225af7-1afc-4625-8b06-430702de0b81" ,
"value" : "5faee9e83f32948f3b2040ac6df0145c"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545755715" ,
"uuid" : "8d89302c-d05e-4557-85ae-4717b031f335" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545755715" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "24757b25-e392-4525-b407-8c37aeb11fe7" ,
"value" : "2018-12-24T12:02:45"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545755716" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "ff29c3a5-6fd7-433f-8a09-c432727c88ca" ,
"value" : "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545755716" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "582751d6-7f02-4f98-ad88-85bb6f4a62b0" ,
"value" : "17/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545755716" ,
"uuid" : "d6dc565c-ce26-46ea-ad7b-4fd231f06f72" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545755716" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c5f5eb09-38ee-4bfa-b02e-d0df84f64dde" ,
"value" : "2018-12-24T15:16:39"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545755717" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "c78c0cb0-5e91-4886-ab6e-4fcd5558c7a3" ,
"value" : "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545664599/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545755717" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "55f75f6c-75a4-48e7-806d-9323b916f2d7" ,
"value" : "14/68"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545859670" ,
"uuid" : "d6f1dcfb-ad11-482d-b7af-105f27616350" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545859670" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a92b6f8d-367f-47bf-bc24-d7ba884d1cd6" ,
"value" : "2018-12-24T12:02:45"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545859671" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "38ef2af6-3419-4fcf-a241-310d4927f1c9" ,
"value" : "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545859671" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "efec593f-48cd-433f-97aa-bde26003aa72" ,
"value" : "17/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545859671" ,
"uuid" : "6672ba95-da71-4081-8a5c-34ce8863a146" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545859671" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "cc6abc85-e4fd-4877-8928-cf40bd36e0bd" ,
"value" : "2018-12-26T20:58:38"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545859672" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "cd8c1b95-440e-469f-b4da-2adb4dcce401" ,
"value" : "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545857918/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545859672" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a91f8039-b52b-4b4d-b56e-17a544538240" ,
"value" : "32/70"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545860565" ,
"uuid" : "331ae947-e60d-48b4-9b21-325c2acde6ce" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545860565" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "caf5dc57-8207-43de-96eb-e8de55273ee1" ,
"value" : "2018-12-24T12:02:45"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545860565" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "006f3849-b2a3-4383-b093-aa18f8577a47" ,
"value" : "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545860566" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "cfd788c2-f51f-4978-94ec-415097d849ba" ,
"value" : "17/69"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1545860566" ,
"uuid" : "c3943d4b-93b1-4f83-b1db-a683329ce623" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1545860566" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "41a18372-be40-4844-b6db-820b3e6d5812" ,
"value" : "2018-12-26T20:58:38"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1545860566" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "41808df6-6a9f-4c20-94e8-fa206a56f065" ,
"value" : "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545857918/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1545860567" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "08437b29-50a1-4188-aeeb-d7a9e1c7e60e" ,
"value" : "32/70"
}
]
}
2023-04-21 13:25:09 +00:00
]
2023-12-14 14:30:15 +00:00
}
2023-04-21 13:25:09 +00:00
}