{
|
||
|
"Event": {
|
||
|
"analysis": "0",
|
||
|
"date": "2023-04-13",
|
||
|
"extends_uuid": "",
|
||
|
"info": "SNOWYAMBER - Malware Analysis Report",
|
||
|
"publish_timestamp": "1681802291",
|
||
|
"published": true,
|
||
|
"threat_level_id": "1",
|
||
|
"timestamp": "1681739653",
|
||
|
"uuid": "68cf0b2c-e449-4b2e-a7f7-b2b55cf951b5",
|
||
|
"Orgc": {
|
||
|
"name": "CIRCL",
|
||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||
|
},
|
||
|
"Tag": [
|
||
|
{
|
||
|
"colour": "#004646",
|
||
|
"name": "type:OSINT"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0071c3",
|
||
|
"name": "osint:lifetime=\"perpetual\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0087e8",
|
||
|
"name": "osint:certainty=\"50\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:white"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#ffffff",
|
||
|
"name": "tlp:clear"
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:tool=\"SNOWYAMBER\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Virtual Private Server - T1583.003\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Web Services - T1583.006\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Infrastructure - T1584\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Attachment - T1566.001\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Spearphishing Link - T1566.002\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Malicious Link - T1204.001\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Registry Run Keys / Startup Folder - T1547.001\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Search Order Hijacking - T1574.001\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"DLL Side-Loading - T1574.002\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"HTML Smuggling - T1027.006\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Right-to-Left Override - T1036.002\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Mark-of-the-Web Bypass - T1553.005\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"Web Service - T1102\""
|
||
|
},
|
||
|
{
|
||
|
"colour": "#0088cc",
|
||
|
"name": "misp-galaxy:mitre-attack-pattern=\"One-Way Communication - T1102.003\""
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "Phishing email mimicking diplomatic correspondence. The link hidden under \u201chere\u201d leads to ENVYSCOUT.",
|
||
|
"data": "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
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681726432",
|
||
|
"to_ids": false,
|
||
|
"type": "attachment",
|
||
|
"uuid": "b85948e6-6b33-426d-bcd2-9917c8c876e1",
|
||
|
"value": "PhishMailImpers1.png"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT delivering SNOWYAMBER ZIP",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "2c9097c1-7c12-419f-a80a-8ee7740a006c",
|
||
|
"value": "totalmassasje.no/schedule.php"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "9af93eb7-62c1-4284-9f68-085df52485da",
|
||
|
"value": "signitivelogics.com/Schedule.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "Cobalt Strike Team Server",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "931b2bf8-8273-4a00-b720-79ef2cf0197f",
|
||
|
"value": "humanecosmetics.com/category/noteworthy/6426-7346-9789"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "0a3912ce-c191-4242-a648-16471e7b22ac",
|
||
|
"value": "signitivelogics.com/BMW.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "BRUTERATEL C2",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "domain",
|
||
|
"uuid": "a07de07e-8918-48f9-a7ed-fe224af7debb",
|
||
|
"value": "badriatimimi.com"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT delivering SNOWYAMBER ZIP",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "9320ff1a-1b4f-4215-a606-fa08d722bc50",
|
||
|
"value": "literaturaelsalvador.com/Instructions.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT delivering SNOWYAMBER ISO",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "b64caea6-1cfb-41bf-8500-44c68a6a4209",
|
||
|
"value": "literaturaelsalvador.com/Schedule.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT URL",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "6d824e3d-4f47-47a1-bb16-004fbe3f883b",
|
||
|
"value": "parquesanrafael.cl/note.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Network activity",
|
||
|
"comment": "ENVYSCOUT URL",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681738835",
|
||
|
"to_ids": true,
|
||
|
"type": "url",
|
||
|
"uuid": "735b8086-30e6-48f0-b41f-176143a0cecd",
|
||
|
"value": "inovaoftalmologia.com.br/form.html"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681739023",
|
||
|
"to_ids": true,
|
||
|
"type": "email-src",
|
||
|
"uuid": "2370ce17-a271-4cb6-b6eb-f7342ffc6415",
|
||
|
"value": "miodrag.sekulic@mod.gov.rs"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681739023",
|
||
|
"to_ids": true,
|
||
|
"type": "email-src",
|
||
|
"uuid": "4af4ff1a-5174-463c-b3d7-a5ed83251879",
|
||
|
"value": "bohuslava.kopalova@seznam.cz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Used to distribute phishing emails with a link to i.php (reconnaissance?)",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681739023",
|
||
|
"to_ids": true,
|
||
|
"type": "email-src",
|
||
|
"uuid": "d984944c-9e4d-4a17-92df-5629b25f3195",
|
||
|
"value": "navratilova.lucie.etnologie@seznam.cz"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "Used to distribute phishing emails with a link to ENVYSCOUT",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"timestamp": "1681739023",
|
||
|
"to_ids": true,
|
||
|
"type": "email-src",
|
||
|
"uuid": "b03218e2-51f5-4f6a-b346-5e3a32ce79e0",
|
||
|
"value": "zdenek.holych@seznam.cz"
|
||
|
}
|
||
|
],
|
||
|
"Object": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "Metadata used to generate an executive level report",
|
||
|
"meta-category": "misc",
|
||
|
"name": "report",
|
||
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
||
|
"template_version": "7",
|
||
|
"timestamp": "1681726216",
|
||
|
"uuid": "443b388e-54ed-4a9d-b628-a6b90807a495",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "link",
|
||
|
"timestamp": "1681726216",
|
||
|
"to_ids": false,
|
||
|
"type": "link",
|
||
|
"uuid": "b04589cb-5c03-42fc-b43f-205b9b450aeb",
|
||
|
"value": "https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "summary",
|
||
|
"timestamp": "1681726216",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "581fcaf2-9e37-4c87-9b3c-8d19b827bae3",
|
||
|
"value": "SNOWYAMBER is a dropper that was used in an espionage campaign significantly overlapping with publicly described activity linked to the APT29 and NOBELIUM activity sets. SNOWYAMBER abuses the NOTION collaboration service as a communication channel. It does not contain any other capabilities aside from downloading and executing a 2nd stage. To bypass security products, SNOWYAMBER uses several anti-detection and obfuscation techniques, including string encryption, dynamic API resolving, EDR/AV unhooking, and direct syscalls."
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "type",
|
||
|
"timestamp": "1681726216",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "ca09fdca-c324-4a9b-a2dd-0040f07675a9",
|
||
|
"value": "Report"
|
||
|
},
|
||
|
{
|
||
|
"category": "External analysis",
|
||
|
"comment": "",
|
||
|
"data": "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
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "report-file",
|
||
|
"timestamp": "1681726216",
|
||
|
"to_ids": false,
|
||
|
"type": "attachment",
|
||
|
"uuid": "746857c1-6069-48a8-ae9f-6e8d68f2e191",
|
||
|
"value": "SNOWYAMBER_.pdf"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681731313",
|
||
|
"uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
|
||
|
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"relationship_type": "contained-within",
|
||
|
"timestamp": "1681731313",
|
||
|
"uuid": "c063585d-8376-4b83-8cd7-606fe34cb77d"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681730403",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "ffef844b-22c3-4a94-b69f-c2eba895666a",
|
||
|
"value": "vcruntime140.dll"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681731274",
|
||
|
"uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"referenced_uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1681731238",
|
||
|
"uuid": "001fac35-e347-4152-9d1d-c93f5078c6bc"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"referenced_uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1681731252",
|
||
|
"uuid": "4ea55007-d683-4e19-8294-57737a1a3a2e"
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"referenced_uuid": "75ed444d-3ce9-470c-9ea7-dc4e6eb7c3ca",
|
||
|
"relationship_type": "contains",
|
||
|
"timestamp": "1681731274",
|
||
|
"uuid": "f5418b84-9731-43d8-bb40-fc1a52d4388f"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681730487",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "05a981bb-8177-4078-b30e-c574777d6176",
|
||
|
"value": "schedule.zip"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681736959",
|
||
|
"uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "63cb13b4-f8d5-42eb-819d-7ae6f4c992ed",
|
||
|
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"relationship_type": "contained-within",
|
||
|
"timestamp": "1681731338",
|
||
|
"uuid": "38811445-4575-4a36-9da8-d779c985df0d"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681736959",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "3be2fbef-0eb4-447c-8b5e-7da5b8e91121",
|
||
|
"value": "7za.dll"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1681736959",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "84c6ca7a-c084-4707-9722-ede4426144d3",
|
||
|
"value": "270336"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1681736959",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "7358cd6c-05e8-4a52-927e-d0fd846c6b12",
|
||
|
"value": "c938934c0f5304541087313382aee163e0c5239c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1681736959",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "96a9a86c-2484-48df-8c64-978c982dbfcd",
|
||
|
"value": "d0efe94196b4923eb644ec0b53d226cc"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1681736959",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "83f9bcdc-834d-443c-a65d-ea887e4cbd2b",
|
||
|
"value": "381a3c6c7e119f58dfde6f03a9890353a20badfa1bfa7c38ede62c6b0692103c"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681731328",
|
||
|
"uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
|
||
|
"ObjectReference": [
|
||
|
{
|
||
|
"comment": "",
|
||
|
"object_uuid": "ba9983ca-8bd7-410c-a9e9-f96fa47fc920",
|
||
|
"referenced_uuid": "af58c5b3-e47e-4e9e-b841-c80cfa4cc91a",
|
||
|
"relationship_type": "contained-within",
|
||
|
"timestamp": "1681731328",
|
||
|
"uuid": "85724344-42da-4f8b-8c21-b714ed6d7dec"
|
||
|
}
|
||
|
],
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681730507",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "501a0c84-2110-470c-b7b0-668a8bd46884",
|
||
|
"value": "november_schedulexe.pdf"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681732508",
|
||
|
"uuid": "ef951d3f-c15c-43db-ac22-67316faf4dfd",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681732508",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "cb443611-4671-439e-90d5-7556fa426937",
|
||
|
"value": "Instructions.lnk"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "It seems that the adversary made a mistake while compiling this sample. Internal functions were added to the exports (authored by the adversary as well as those from libraries: SysWhispers3, Nlohmann JSON, Obfuscate). While the binary itself is stripped, those exported functions have names that can be demangled, revealing naming, prototypes and data types.",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"first_seen": "2023-02-08T00:00:00+00:00",
|
||
|
"last_seen": "2023-02-08T00:00:00+00:00",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681737208",
|
||
|
"uuid": "88421de8-4479-4a9c-9433-9d918795a10b",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681737208",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "a0482318-d18e-49d7-8097-d661bf17c9b1",
|
||
|
"value": "BugSplatRc64.dll"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1681737208",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "33f69f2a-1d36-44d0-a026-ace071af7031",
|
||
|
"value": "8eb64670c10505322d45f6114bc9f7de0826e3a1"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1681737208",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "ef02ee0e-d7a3-4af2-9bdd-59b4b92b76fb",
|
||
|
"value": "cf36bf564fbb7d5ec4cec9b0f185f6c9"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1681737208",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "eb52f1df-a9ab-44ab-95b9-f432708ceda5",
|
||
|
"value": "e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab81826a522979aeb98"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1681737208",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "db5cbc1f-3468-4677-b357-0079f4ab7c11",
|
||
|
"value": "271360"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
||
|
"meta-category": "misc",
|
||
|
"name": "yara",
|
||
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
||
|
"template_version": "6",
|
||
|
"timestamp": "1681735978",
|
||
|
"uuid": "515a4264-5f6e-4690-b9b0-6eb6a31aa972",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload installation",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "yara",
|
||
|
"timestamp": "1681735978",
|
||
|
"to_ids": true,
|
||
|
"type": "yara",
|
||
|
"uuid": "a51eae60-e3c6-4fbe-a03e-c14334626315",
|
||
|
"value": "rule APT29_SNOWYAMBER\r\n{\r\nmeta:\r\ndescription = \"Detects APT29-linked SNOWYAMBER dropper\"\r\nstrings:\r\n// Payload decryption loop\r\n// Custom algorithm based on XOR\r\n$op_decrypt_payload = {49 8B 45 08 48 ?? ?? ?? 48 39 ?? 76 2B 48 89 C8 31 D2 4C 8B 4C 24 ?? 48 F7 74 24 ?? 49 8B 45\r\n00 41 8A 14 11 32 54 08 10 89 C8 41 0F AF C0 31 C2 88 14 0B 48 FF C1}\r\n// Decryption routine generated by Obfuscate library\r\n$op_decrypt_string = {48 39 D0 74 19 48 89 C1 4D 89 C2 83 E1 07 48 C1 E1 03 49 D3 EA 45 30 14 01 48 FF C0 EB E2}\r\n// Hardcoded inital value used as beaconing counter\r\n$op_initialize_emoji = {C6 [3] A5 66 [4] F0 9F}\r\n// src/json.hpp - string left in binary using nlohmann JSON\r\n$str_nlohmann = {73 72 63 2F 6A 73 6F 6E 2E 68 70 70 00}\r\ncondition:\r\nuint16(0) == 0x5A4D\r\nand\r\nfilesize < 500KB\r\nand\r\n$str_nlohmann\r\nand\r\n$op_decrypt_string\r\nand\r\n($op_initialize_emoji or $op_decrypt_payload)\r\n}"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "yara-rule-name",
|
||
|
"timestamp": "1681735978",
|
||
|
"to_ids": false,
|
||
|
"type": "text",
|
||
|
"uuid": "bf06b2d4-55b2-42af-a520-163bc03391bf",
|
||
|
"value": "APT29_SNOWYAMBER"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681737803",
|
||
|
"uuid": "11702c83-79b9-4a02-9e48-93534a11ed08",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1681737803",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "f2ded617-cbfc-45cf-a848-2a97bfdc9839",
|
||
|
"value": "3fd43de3c9f7609c52da71c1fc4c01ce0b5ac74c"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1681737803",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "61aabd77-0da9-47f0-b109-6258ee9d9d78",
|
||
|
"value": "82ecb8474efe5fedcb8f57b8aafa93d2"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1681737803",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "fb63d8c4-f10f-4e55-aecf-2a74b37fd001",
|
||
|
"value": "4d92a4cecb62d237647a20d2cdfd944d5a29c1a14b274d729e9c8ccca1f0b68b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681737803",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "f74a67c5-2acf-465c-999e-65418fd68e2a",
|
||
|
"value": "BugSplatRc64.dll"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"last_seen": "2023-02-07T00:00:00+00:00",
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1681737803",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "1eee95b4-72d0-486f-9680-9b6f7411ecb0",
|
||
|
"value": "301056"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "2nd stage - CobaltStrike beacon (decrypted)",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681738413",
|
||
|
"uuid": "2a667d0c-1f7f-41d4-8ba2-2e44d839b432",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1681738413",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "e36f46b4-114c-44da-9a9f-641487e6c555",
|
||
|
"value": "aaf973a56b17a0a82cf1b3a49ff68da1c50283d4"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1681738413",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "aa996c3c-4650-4d6c-95ac-bf8fea8d7374",
|
||
|
"value": "800db035f9b6f1e86a7f446a8a8e3947"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1681738413",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "558be957-7b03-4667-9344-6c65050f6c4a",
|
||
|
"value": "032855b043108967a6c2de154624c16b70a0b7d0d0a0e93064b387f59537cc1e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681738413",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "51e163b5-ce39-4690-9714-358f049fbe2d",
|
||
|
"value": "hXaIk1725.pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1681738413",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "84d79df8-b742-41ba-9619-ac47f137cfeb",
|
||
|
"value": "261635"
|
||
|
}
|
||
|
]
|
||
|
},
|
||
|
{
|
||
|
"comment": "2nd stage \u2013 BruteRatel stageless badger (decrypted)",
|
||
|
"deleted": false,
|
||
|
"description": "File object describing a file with meta-information",
|
||
|
"meta-category": "file",
|
||
|
"name": "file",
|
||
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
||
|
"template_version": "24",
|
||
|
"timestamp": "1681738525",
|
||
|
"uuid": "26da3ae3-4d28-49c3-a4d7-2b86cca4f59a",
|
||
|
"Attribute": [
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha1",
|
||
|
"timestamp": "1681738525",
|
||
|
"to_ids": true,
|
||
|
"type": "sha1",
|
||
|
"uuid": "9f7f3b2a-cdd3-4d94-8ab7-c6e5938642ba",
|
||
|
"value": "a8a82a7da2979b128cbeddf4e70f9d5725ef666b"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "md5",
|
||
|
"timestamp": "1681738525",
|
||
|
"to_ids": true,
|
||
|
"type": "md5",
|
||
|
"uuid": "9e1b013e-2c30-4238-b571-d3e584ca157c",
|
||
|
"value": "0e594576bb36b025e80eab7c35dc885e"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": false,
|
||
|
"object_relation": "sha256",
|
||
|
"timestamp": "1681738525",
|
||
|
"to_ids": true,
|
||
|
"type": "sha256",
|
||
|
"uuid": "7a95da1a-8ef0-4820-9742-96ff05f3d743",
|
||
|
"value": "ec687a447ca036b10c28c1f9e1e9cef9f2078fdbc2ffdb4d8dd32e834b310c0d"
|
||
|
},
|
||
|
{
|
||
|
"category": "Payload delivery",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "filename",
|
||
|
"timestamp": "1681738525",
|
||
|
"to_ids": true,
|
||
|
"type": "filename",
|
||
|
"uuid": "91aab884-091f-4d4d-8988-86a01a9333d3",
|
||
|
"value": "hXaIk1314.pdf"
|
||
|
},
|
||
|
{
|
||
|
"category": "Other",
|
||
|
"comment": "",
|
||
|
"deleted": false,
|
||
|
"disable_correlation": true,
|
||
|
"object_relation": "size-in-bytes",
|
||
|
"timestamp": "1681738525",
|
||
|
"to_ids": false,
|
||
|
"type": "size-in-bytes",
|
||
|
"uuid": "6e01548f-3eaf-4fe9-9c3a-41d9c001db29",
|
||
|
"value": "347837"
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
]
|
||
|
}
|
||
|
}