{
"Event": {
"analysis": "0",
"date": "2023-04-13",
"extends_uuid": "",
"info": "SNOWYAMBER - Malware Analysis Report",
"publish_timestamp": "1681802291",
"published": true,
"threat_level_id": "1",
"timestamp": "1681739653",
"uuid": "68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#ffffff",
"name": "tlp:clear"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"SNOWYAMBER\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Right-to-Left Override - T1036.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"One-Way Communication - T1102.003\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "Phishing email mimicking diplomatic correspondence. The link hidden under \u201chere\u201d leads to ENVYSCOUT.",
"data": "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
"deleted": false,
"disable_correlation": false,
"timestamp": "1681726432",
"to_ids": false,
"type": "attachment",
"uuid": "b85948e6-6b33-426d-bcd2-9917c8c876e1",
"value": "PhishMailImpers1.png"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT delivering SNOWYAMBER ZIP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "2c9097c1-7c12-419f-a80a-8ee7740a006c",
"value": "totalmassasje.no/schedule.php"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "9af93eb7-62c1-4284-9f68-085df52485da",
"value": "signitivelogics.com/Schedule.html"
},
{
"category": "Network activity",
"comment": "Cobalt Strike Team Server",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "931b2bf8-8273-4a00-b720-79ef2cf0197f",
"value": "humanecosmetics.com/category/noteworthy/6426-7346-9789"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "0a3912ce-c191-4242-a648-16471e7b22ac",
"value": "signitivelogics.com/BMW.html"
},
{
"category": "Network activity",
"comment": "BRUTERATEL C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "domain",
"uuid": "a07de07e-8918-48f9-a7ed-fe224af7debb",
"value": "badriatimimi.com"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT delivering SNOWYAMBER ZIP",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "9320ff1a-1b4f-4215-a606-fa08d722bc50",
"value": "literaturaelsalvador.com/Instructions.html"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "b64caea6-1cfb-41bf-8500-44c68a6a4209",
"value": "literaturaelsalvador.com/Schedule.html"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "6d824e3d-4f47-47a1-bb16-004fbe3f883b",
"value": "parquesanrafael.cl/note.html"
},
{
"category": "Network activity",
"comment": "ENVYSCOUT URL",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681738835",
"to_ids": true,
"type": "url",
"uuid": "735b8086-30e6-48f0-b41f-176143a0cecd",
"value": "inovaoftalmologia.com.br/form.html"
},
{
"category": "Payload delivery",
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681739023",
"to_ids": true,
"type": "email-src",
"uuid": "2370ce17-a271-4cb6-b6eb-f7342ffc6415",
"value": "miodrag.sekulic@mod.gov.rs"
},
{
"category": "Payload delivery",
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681739023",
"to_ids": true,
"type": "email-src",
"uuid": "4af4ff1a-5174-463c-b3d7-a5ed83251879",
"value": "bohuslava.kopalova@seznam.cz"
},
{
"category": "Payload delivery",
"comment": "Used to distribute phishing emails with a link to i.php (reconnaissance?)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681739023",
"to_ids": true,
"type": "email-src",
"uuid": "d984944c-9e4d-4a17-92df-5629b25f3195",
"value": "navratilova.lucie.etnologie@seznam.cz"
},
{
"category": "Payload delivery",
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
"deleted": false,
"disable_correlation": false,
"timestamp": "1681739023",
"to_ids": true,
"type": "email-src",
"uuid": "b03218e2-51f5-4f6a-b346-5e3a32ce79e0",
"value": "zdenek.holych@seznam.cz"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1681726216",
"uuid": "443b388e-54ed-4a9d-b628-a6b90807a495",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1681726216",
"to_ids": false,
"type": "link",
"uuid": "b04589cb-5c03-42fc-b43f-205b9b450aeb",
"value": "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1681726216",
"to_ids": false,
"type": "text",
"uuid": "581fcaf2-9e37-4c87-9b3c-8d19b827bae3",
"value": "SNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any capabilities other than downloading and executing a 2nd stage. To bypass security products, SNOWYAMBER uses several anti-detection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1681726216",
"to_ids": false,
"type": "text",
"uuid": "ca09fdca-c324-4a9b-a2dd-0040f07675a9",
"value": "Report"
},
{
"category": "External analysis",
"comment": "",
"data": "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
"deleted": false,
"disable_correlation": false,
"object_relation": "report-file",
"timestamp": "1681726216",
"to_ids": false,
"type": "attachment",
"uuid": "746857c1-6069-48a8-ae9f-6e8d68f2e191",
"value": "SNOWYAMBER_.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681731313",
"uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"ObjectReference": [
{
"comment": "",
"object_uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"relationship_type": "contained-within",
"timestamp": "1681731313",
"uuid": "c063585d-8376-4b83-8cd7-606fe34cb77d"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681730403",
"to_ids": true,
"type": "filename",
"uuid": "ffef844b-22c3-4a94-b69f-c2eba895666a",
"value": "vcruntime140.dll"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681731274",
"uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"ObjectReference": [
{
"comment": "",
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"referenced_uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"relationship_type": "contains",
"timestamp": "1681731238",
"uuid": "001fac35-e347-4152-9d1d-c93f5078c6bc"
},
{
"comment": "",
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"referenced_uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"relationship_type": "contains",
"timestamp": "1681731252",
"uuid": "4ea55007-d683-4e19-8294-57737a1a3a2e"
},
{
"comment": "",
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"referenced_uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
"relationship_type": "contains",
"timestamp": "1681731274",
"uuid": "f5418b84-9731-43d8-bb40-fc1a52d4388f"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681730487",
"to_ids": true,
"type": "filename",
"uuid": "05a981bb-8177-4078-b30e-c574777d6176",
"value": "schedule.zip"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681736959",
"uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"ObjectReference": [
{
"comment": "",
"object_uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"relationship_type": "contained-within",
"timestamp": "1681731338",
"uuid": "38811445-4575-4a36-9da8-d779c985df0d"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681736959",
"to_ids": true,
"type": "filename",
"uuid": "3be2fbef-0eb4-447c-8b5e-7da5b8e91121",
"value": "7za.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681736959",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "84c6ca7a-c084-4707-9722-ede4426144d3",
"value": "270336"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681736959",
"to_ids": true,
"type": "sha1",
"uuid": "7358cd6c-05e8-4a52-927e-d0fd846c6b12",
"value": "c938934c0f5304541087313382aee163e0c5239c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681736959",
"to_ids": true,
"type": "md5",
"uuid": "96a9a86c-2484-48df-8c64-978c982dbfcd",
"value": "d0efe94196b4923eb644ec0b53d226cc"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681736959",
"to_ids": true,
"type": "sha256",
"uuid": "83f9bcdc-834d-443c-a65d-ea887e4cbd2b",
"value": "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681731328",
"uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"ObjectReference": [
{
"comment": "",
"object_uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
"relationship_type": "contained-within",
"timestamp": "1681731328",
"uuid": "85724344-42da-4f8b-8c21-b714ed6d7dec"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681730507",
"to_ids": true,
"type": "filename",
"uuid": "501a0c84-2110-470c-b7b0-668a8bd46884",
"value": "november_schedulexe.pdf"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681732508",
"uuid": "ef951d3f-c15c-43db-ac22-67316faf4dfd",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681732508",
"to_ids": true,
"type": "filename",
"uuid": "cb443611-4671-439e-90d5-7556fa426937",
"value": "Instructions.lnk"
}
]
},
{
"comment": "It seems that the adversary made a mistake while compiling this sample. Internal functions were added to the exports (those authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While the binary itself is stripped, those exported functions have names that can be demangled, revealing naming, prototypes and data types.",
"deleted": false,
"description": "File object describing a file with meta-information",
"first_seen": "2023-02-08T00:00:00+00:00",
"last_seen": "2023-02-08T00:00:00+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681737208",
"uuid": "88421de8-4479-4a9c-9433-9d918795a10b",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1681737208",
"to_ids": true,
"type": "filename",
"uuid": "a0482318-d18e-49d7-8097-d661bf17c9b1",
"value": "BugSplatRc64.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681737208",
"to_ids": true,
"type": "sha1",
"uuid": "33f69f2a-1d36-44d0-a026-ace071af7031",
"value": "8eb64670c10505322d45f6114bc9f7de0826e3a1"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681737208",
"to_ids": true,
"type": "md5",
"uuid": "ef02ee0e-d7a3-4af2-9bdd-59b4b92b76fb",
"value": "cf36bf564fbb7d5ec4cec9b0f185f6c9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681737208",
"to_ids": true,
"type": "sha256",
"uuid": "eb52f1df-a9ab-44ab-95b9-f432708ceda5",
"value": "e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681737208",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "db5cbc1f-3468-4677-b357-0079f4ab7c11",
"value": "271360"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1681735978",
"uuid": "515a4264-5f6e-4690-b9b0-6eb6a31aa972",
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1681735978",
"to_ids": true,
"type": "yara",
"uuid": "a51eae60-e3c6-4fbe-a03e-c14334626315",
"value": "rule APT29_SNOWYAMBER\r\n{\r\nmeta:\r\ndescription = \"Detects APT29-linked SNOWYAMBER dropper\"\r\nstrings:\r\n// Payload decryption loop\r\n// Custom algorithm based on XOR\r\n$op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45\r\n00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}\r\n// Decryption routine generated by Obfuscate library\r\n$op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}\r\n// Hardcoded inital value used as beaconing counter\r\n$op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}\r\n// src/json.hpp - string left in binary using nlohmann JSON\r\n$str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n$str_nlohmann\r\nand\r\n$op_decrypt_string\r\nand\r\n($op_initialize_emoji or $op_decrypt_payload)\r\n}"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara-rule-name",
"timestamp": "1681735978",
"to_ids": false,
"type": "text",
"uuid": "bf06b2d4-55b2-42af-a520-163bc03391bf",
"value": "APT29_SNOWYAMBER"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"last_seen": "2023-02-07T00:00:00+00:00",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681737803",
"uuid": "11702c83-79b9-4a02-9e48-93534a11ed08",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "sha1",
"timestamp": "1681737803",
"to_ids": true,
"type": "sha1",
"uuid": "f2ded617-cbfc-45cf-a848-2a97bfdc9839",
"value": "3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "md5",
"timestamp": "1681737803",
"to_ids": true,
"type": "md5",
"uuid": "61aabd77-0da9-47f0-b109-6258ee9d9d78",
"value": "82ecb8474efe5fedcb8f57b8aafa93d2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "sha256",
"timestamp": "1681737803",
"to_ids": true,
"type": "sha256",
"uuid": "fb63d8c4-f10f-4e55-aecf-2a74b37fd001",
"value": "4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "filename",
"timestamp": "1681737803",
"to_ids": true,
"type": "filename",
"uuid": "f74a67c5-2acf-465c-999e-65418fd68e2a",
"value": "BugSplatRc64.dll"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"last_seen": "2023-02-07T00:00:00+00:00",
"object_relation": "size-in-bytes",
"timestamp": "1681737803",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "1eee95b4-72d0-486f-9680-9b6f7411ecb0",
"value": "301056"
}
]
},
{
"comment": "2nd stage - CobaltStrike beacon (decrypted)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681738413",
"uuid": "2a667d0c-1f7f-41d4-8ba2-2e44d839b432",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681738413",
"to_ids": true,
"type": "sha1",
"uuid": "e36f46b4-114c-44da-9a9f-641487e6c555",
"value": "aaf973a56b17a0a82cf1b3a49ff68da1c50283d4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681738413",
"to_ids": true,
"type": "md5",
"uuid": "aa996c3c-4650-4d6c-95ac-bf8fea8d7374",
"value": "800db035f9b6f1e86a7f446a8a8e3947"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681738413",
"to_ids": true,
"type": "sha256",
"uuid": "558be957-7b03-4667-9344-6c65050f6c4a",
"value": "032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681738413",
"to_ids": true,
"type": "filename",
"uuid": "51e163b5-ce39-4690-9714-358f049fbe2d",
"value": "hXaIk1725.pdf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681738413",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "84d79df8-b742-41ba-9619-ac47f137cfeb",
"value": "261635"
}
]
},
{
"comment": "2nd stage \u2013 BruteRatel stageless badger (decrypted)",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1681738525",
"uuid": "26da3ae3-4d28-49c3-a4d7-2b86cca4f59a",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1681738525",
"to_ids": true,
"type": "sha1",
"uuid": "9f7f3b2a-cdd3-4d94-8ab7-c6e5938642ba",
"value": "a8a82a7da2979b128cbeddf4e70f9d5725ef666b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1681738525",
"to_ids": true,
"type": "md5",
"uuid": "9e1b013e-2c30-4238-b571-d3e584ca157c",
"value": "0e594576bb36b025e80eab7c35dc885e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1681738525",
"to_ids": true,
"type": "sha256",
"uuid": "7a95da1a-8ef0-4820-9742-96ff05f3d743",
"value": "ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "filename",
"timestamp": "1681738525",
"to_ids": true,
"type": "filename",
"uuid": "91aab884-091f-4d4d-8988-86a01a9333d3",
"value": "hXaIk1314.pdf"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1681738525",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "6e01548f-3eaf-4fe9-9c3a-41d9c001db29",
"value": "347837"
}
]
}
]
}
}