misp-circl-feed/feeds/circl/misp/f07207d5-e6f7-4369-9a9d-a1390b83aaeb.json

410 lines
27 KiB
JSON
Raw Normal View History

2023-06-14 17:31:25 +00:00
{
"type": "bundle",
"id": "bundle--f07207d5-e6f7-4369-9a9d-a1390b83aaeb",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:57:07.000Z",
"modified": "2023-05-12T07:57:07.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--f07207d5-e6f7-4369-9a9d-a1390b83aaeb",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:57:07.000Z",
"modified": "2023-05-12T07:57:07.000Z",
"name": "Is Hagga Threat Actor (ab)using FSociety framework ?",
"published": "2023-05-12T07:58:02Z",
"object_refs": [
"observed-data--936d6d4b-5c93-4478-ad04-c139b861550e",
"network-traffic--936d6d4b-5c93-4478-ad04-c139b861550e",
"ipv4-addr--936d6d4b-5c93-4478-ad04-c139b861550e",
"indicator--4c5b66ef-5fd3-43e1-b907-7f85521e29e7",
"indicator--e8ee6df7-d699-4858-bcb4-0aaf9ecc7ce8",
"indicator--1bbdf5d0-ceba-44bb-85ed-921915c4cb78",
"indicator--d1d886cd-6f9a-4e31-8d22-4842f52ae41a",
"indicator--634c18f3-7cfb-4bde-87c7-9b5d14f89fb5",
"indicator--5087add7-e405-41cf-a3f1-1cb7d189c368",
"indicator--323e3caf-fb86-4910-82af-819b6bdf84df",
"indicator--bbc87ea8-1024-4443-bbad-662afeafc4db",
"indicator--1fea7ac2-60dd-4d59-92ad-f6222e849ecc",
"indicator--7aa855f7-2a9d-45d0-809c-fe0d8ba6f7a7",
"indicator--6a06a7cd-0263-4586-b96c-8e7a78f36a79",
"x-misp-object--57ec3f12-e191-472f-bd94-59d2800107c6",
"note--4d918891-4c17-48b1-a273-4bde07d916cc"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"tlp:clear",
"type:OSINT",
"osint:lifetime=\"perpetual\"",
"osint:certainty=\"50\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--936d6d4b-5c93-4478-ad04-c139b861550e",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:32:17.000Z",
"modified": "2023-05-12T07:32:17.000Z",
"first_observed": "2023-05-12T07:32:17Z",
"last_observed": "2023-05-12T07:32:17Z",
"number_observed": 1,
"object_refs": [
"network-traffic--936d6d4b-5c93-4478-ad04-c139b861550e",
"ipv4-addr--936d6d4b-5c93-4478-ad04-c139b861550e"
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Payload delivery\""
]
},
{
"type": "network-traffic",
"spec_version": "2.1",
"id": "network-traffic--936d6d4b-5c93-4478-ad04-c139b861550e",
"dst_ref": "ipv4-addr--936d6d4b-5c93-4478-ad04-c139b861550e",
"protocols": [
"tcp"
]
},
{
"type": "ipv4-addr",
"spec_version": "2.1",
"id": "ipv4-addr--936d6d4b-5c93-4478-ad04-c139b861550e",
"value": "4.204.233.44"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--4c5b66ef-5fd3-43e1-b907-7f85521e29e7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:31:53.000Z",
"modified": "2023-05-12T07:31:53.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '69.174.99.181']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:31:53Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--e8ee6df7-d699-4858-bcb4-0aaf9ecc7ce8",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:32:00.000Z",
"modified": "2023-05-12T07:32:00.000Z",
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.151.123.121']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:32:00Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "Payload delivery"
}
],
"labels": [
"misp:type=\"ip-dst\"",
"misp:category=\"Payload delivery\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1bbdf5d0-ceba-44bb-85ed-921915c4cb78",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:33:26.000Z",
"modified": "2023-05-12T07:33:26.000Z",
"description": "Drop and Execute",
"pattern": "[file:hashes.SHA256 = '9ea4eebd9cf2a5d4e6343cb559d8c996fae6bf0f3bd7ffada0567053c08acc31' AND file:name = 'update.js']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:33:26Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--d1d886cd-6f9a-4e31-8d22-4842f52ae41a",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:42:40.000Z",
"modified": "2023-05-12T07:42:40.000Z",
"description": "Drop, evasion and Memory Invoke",
"pattern": "[file:hashes.SHA256 = 'ab5b1989ddf6113fcb50d06234dbef65d871e41ce8d76d5fb5cc72055c1b28ba' AND file:name = 'Dll.ppam']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:42:40Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--634c18f3-7cfb-4bde-87c7-9b5d14f89fb5",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:44:21.000Z",
"modified": "2023-05-12T07:44:21.000Z",
"pattern": "[file:hashes.SHA256 = '20a53f17071f377d50ad9de30fdddd320d54d00b597bf96565a2b41c15649f76' AND file:name = 'Rump.xls']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:44:21Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5087add7-e405-41cf-a3f1-1cb7d189c368",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:46:48.000Z",
"modified": "2023-05-12T07:46:48.000Z",
"description": "post exploitation tool, C2 communication decoded",
"pattern": "[file:hashes.SHA256 = '5d910ee5697116faa3f4efe230a9d06f6e3f80a7ad2cf8e122546b10e34a0088' AND file:name = 'Rump.xls.inverted.charsReplaced.decoded']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:46:48Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--323e3caf-fb86-4910-82af-819b6bdf84df",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:49:27.000Z",
"modified": "2023-05-12T07:49:27.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '970f993ad1a289620b5f5033ff5e0b5c4491bb2b' AND x509-certificate:serial_number = '136234453590953102797263558291395548452' AND x509-certificate:subject = 'servidor' AND x509-certificate:x_misp_is_ca = '0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:49:27Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--bbc87ea8-1024-4443-bbad-662afeafc4db",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:50:18.000Z",
"modified": "2023-05-12T07:50:18.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = 'b0238c547a905bfa119c4e8baccaeacf36491ff6' AND x509-certificate:serial_number = '13098529066745705731' AND x509-certificate:subject = 'localhost' AND x509-certificate:x_misp_is_ca = '0']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:50:18Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--1fea7ac2-60dd-4d59-92ad-f6222e849ecc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:51:20.000Z",
"modified": "2023-05-12T07:51:20.000Z",
"description": "Command And Control",
"pattern": "[(network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '103.151.123.121') AND network-traffic:dst_port = '8895']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:51:20Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"ip-port\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--7aa855f7-2a9d-45d0-809c-fe0d8ba6f7a7",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:53:47.000Z",
"modified": "2023-05-12T07:53:47.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://4.204.233.44/Rump/Rump.xls' AND url:x_misp_resource_path = '/Rump/Rump.xls' AND url:x_misp_host = '4.204.233.44' AND url:x_misp_domain_without_tld = '4.204.233.44' AND url:x_misp_domain = '4.204.233.44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:53:47Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--6a06a7cd-0263-4586-b96c-8e7a78f36a79",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:54:12.000Z",
"modified": "2023-05-12T07:54:12.000Z",
"description": "Enriched via the url_import module",
"pattern": "[url:value = 'http://4.204.233.44/Dll/Dll.ppam' AND url:x_misp_resource_path = '/Dll/Dll.ppam' AND url:x_misp_host = '4.204.233.44' AND url:x_misp_domain_without_tld = '4.204.233.44' AND url:x_misp_domain = '4.204.233.44']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2023-05-12T07:54:12Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"url\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--57ec3f12-e191-472f-bd94-59d2800107c6",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:57:07.000Z",
"modified": "2023-05-12T07:57:07.000Z",
"labels": [
"misp:name=\"report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "link",
"object_relation": "link",
"value": "https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/",
"category": "External analysis",
"uuid": "0ba5d25e-9241-414e-9ed0-0ad883981643"
},
{
"type": "text",
"object_relation": "summary",
"value": "Is Hagga Threat Actor (ab)using FSociety framework ?\r\napt cybersecurity malwareNovember 21, 2022\r\nIntroduction\r\n\r\nToday I\u2019d like to share a quick analysis initiated during a threat hunting process. The first observable was found during hunting process over OSINT sources, the entire infrastructure was still up and running during the analyses as well as malicious payload were downloadable.",
"category": "Other",
"uuid": "b316f57d-4c28-47b8-97d3-fcf3f5860352"
},
{
"type": "text",
"object_relation": "type",
"value": "Blog",
"category": "Other",
"uuid": "141bd92b-1cf2-4026-af87-3c3af93bebb4"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "report"
},
{
"type": "note",
"spec_version": "2.1",
"id": "note--4d918891-4c17-48b1-a273-4bde07d916cc",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2023-05-12T07:32:00.000Z",
"modified": "2023-05-12T07:32:00.000Z",
"abstract": "Report from - https://marcoramilli.com/2022/11/21/is-hagga-threat-actor-abusing-fsociety-framework/ (1683876572)",
"content": "# apt cybersecurity malwareNovember 21, 2022November 21, 2022 .container.container-medium #### Introduction\n\nToday I\u2019d like to share a quick analysis initiated during a threat hunting process. The first observable was found during hunting process over OSINT sources, the entire infrastructure was still up and running during the analyses as well as malicious payload were downloadable. \n\n#### Analysis\n\n My first observable was a zipped text file compressing a simple update.js script. The script was created to avoid automatic analisis tools since the dimension (>9MB) really makes hard to beautify or remove unwanted/funny or added trash code every which happens to be everywhere.\n\nnameupdate.js sha256 9ea4eebd9cf2a5d4e6343cb559d8c996fae6bf0f3bd7ffada0567053c08acc31 type Drop and ExecuteStage 1 The following images show how it looked like at first sight. As many of you are aware, analyzing scripts is just a matter of time or, if you have enough memory on your machine (or time to spend over that task) a computational matter during virtualization. If you are old style (I do like it a lot ) it is a matter of \u201ckeywords\u201d , in other words adding some console.println or whatsoever you like to make debugging quick and easy. Few strings in this update.js reminded me to the use of obfuscator.io tool, but I did not investigate further on this direction, it was quite easy as well to reach the point.\n\n \nFinally its execution was reached. I obtained this status by using some classic and romantic hand working balance to dynamic execution with the always great JSDetox. Finally the real behavior came out. It looks like to be a drop and execute artifact. It takes a file called Dll.ppam from an IP address (please take a look to IoC section to see details on found IoC), it decodes it from base64, and it invoked the method VAI (really interested Italian word to say \u201cGO\u201d, nice coincidence !?) in the Fiber.Home class. It then passes to such a function an interesting address: https://firebasestorage. googleapis. com with some parameters as the following image shows (please reverse the byte order on the right string).\n\nStage1 Drop and execute Lets take a closer look to what Dll.ppam is. First it\u2019s a .NET Portable Executable, so we might have an easy path ahead.\n\n nameDll.ppam sha256 ab5b1989ddf6113fcb50d06234dbef65d871e41ce8d76d5fb5cc72055c1b28ba type Drop, evasion and Memory Invoke The .NET is not packed and the code reading is quite \u201cstraight forward\u201d. An interesting technique that I\u2019d like to highlight (and to track) is in the way the malware developer used to step forward the malware control flow, which reminds me a known threat actor. Many different techniques could be used at this point if you want to make something happening after specific conditions or if you simply want to give an execution order. The most easy and (maybe) quick way to follow could be the adoption of nested functions or, if you are a more sophisticated malware developer, you might decide to use exception handlers or, again, you might decide to switch from function to function in different libraries, or for the shake of example, a simple single flow as a simple unique function. But this malware developer decided to use a quite characteristic way developing an interesting combination of switch/case. In other words it starts by assigning 0 to num variable which it makes case 0 to switch. In each case it updates the num variable to control the switch(num) selector making the flow running in the desired way. The following image shows the VAI function, in where you might appreciate the control flow and additional IoC (such as IP address, dropped url and artifact name, etc..). \n\n Principal routine on Dll.ppam The VAI routing starts by downloading a file called Rump.xls from a remote server. It places the file content into a variable and it reverse its bytes order, later it replaces special characters to the letter A. The resulting decoded file (bytes Inverted, Special Character replaced a
"object_refs": [
"observed-data--936d6d4b-5c93-4478-ad04-c139b861550e",
"indicator--e8ee6df7-d699-4858-bcb4-0aaf9ecc7ce8",
"indicator--4c5b66ef-5fd3-43e1-b907-7f85521e29e7"
]
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}