{
"Event": {
"analysis": "2",
"date": "2017-08-15",
"extends_uuid": "",
"info": "OSINT - ShadowPad in corporate networks",
"publish_timestamp": "1502826135",
"published": true,
"threat_level_id": "2",
"timestamp": "1502825996",
"uuid": "59934c13-6410-44a8-9ebe-47fe02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825882",
"to_ids": false,
"type": "text",
"uuid": "59934c36-41d8-4d52-aa5d-43b502de0b81",
"value": "In July 2017, during an investigation, suspicious DNS requests were identified in a partner\u2019s network. The partner, which is a financial institution, discovered the requests originating on systems involved in the processing of financial transactions.\r\n\r\nFurther investigation showed that the source of the suspicious DNS queries was a software package produced by NetSarang. Founded in 1997, NetSarang Computer, Inc. develops, markets and supports secure connectivity solutions and specializes in the development of server management tools for large corporate networks. The company maintains headquarters in the United States and South Korea.",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825882",
"to_ids": false,
"type": "link",
"uuid": "59934c51-9914-4a59-b2ca-4dd202de0b81",
"value": "https://securelist.com/shadowpad-in-corporate-networks/81432/",
"Tag": [
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
}
]
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934ccf-6608-4565-a513-4f4b02de0b81",
"value": "ribotqtonut.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-0600-4800-af98-440202de0b81",
"value": "nylalobghyhirgh.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-b9dc-4c8c-b11c-4ea502de0b81",
"value": "jkvmdmjyfcvkf.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-aba4-4af5-8d8d-474202de0b81",
"value": "bafyvoruzgjitwr.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-fab0-4d52-a3b8-4c1102de0b81",
"value": "xmponmzmxkxkh.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-3418-4574-bc50-4e5502de0b81",
"value": "tczafklirkl.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-5f94-4101-a615-42ef02de0b81",
"value": "notped.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-f618-4dd6-aa48-41bf02de0b81",
"value": "dnsgogle.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-32e0-4bca-b864-432c02de0b81",
"value": "operatingbox.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-22b4-49a0-9af1-42b102de0b81",
"value": "paniesx.com"
},
{
"category": "Network activity",
"comment": "All Kaspersky Labs products detect and cure this threat as Backdoor.Win32.Shadowpad.a. If for some reason you can\u2019t use an antimalware solution you can check if there were DNS requests from your organization to these domains:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "domain",
"uuid": "59934cd1-a5f0-4a0d-9ac1-448a02de0b81",
"value": "techniciantext.com"
},
{
"category": "Payload delivery",
"comment": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "md5",
"uuid": "59934d66-6380-4d47-9753-501002de0b81",
"value": "0009f4b9972660eeb23ff3a9dccd8d86"
},
{
"category": "Payload delivery",
"comment": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha1",
"uuid": "59934d66-001c-4fac-97dd-501002de0b81",
"value": "12180ff028c1c38d99e8375dd6d01f47f6711b97"
},
{
"category": "Payload delivery",
"comment": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "md5",
"uuid": "59934d66-5734-4d95-a1d4-501002de0b81",
"value": "b69ab19614ef15aa75baf26c869c9cdd"
},
{
"category": "Payload delivery",
"comment": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha1",
"uuid": "59934d66-905c-4a7e-a42e-501002de0b81",
"value": "35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d"
},
{
"category": "Payload delivery",
"comment": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "md5",
"uuid": "59934d66-8de4-4c4a-a0b4-501002de0b81",
"value": "b2c302537ce8fbbcff0d45968cc0a826"
},
{
"category": "Payload delivery",
"comment": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha1",
"uuid": "59934d66-9788-4334-bde5-501002de0b81",
"value": "7cf07efe04fe0012ed8beaa2dec5420a9b5561d6"
},
{
"category": "Payload delivery",
"comment": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "md5",
"uuid": "59934d66-7760-4e8a-91a0-501002de0b81",
"value": "78321ad1deefce193c8172ec982ddad1"
},
{
"category": "Payload delivery",
"comment": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha1",
"uuid": "59934d66-6b88-49d1-bcc5-501002de0b81",
"value": "08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b"
},
{
"category": "Payload delivery",
"comment": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "md5",
"uuid": "59934d66-93a4-4adb-a334-501002de0b81",
"value": "28228f337fdbe3ab34316a7132123c49"
},
{
"category": "Payload delivery",
"comment": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha1",
"uuid": "59934d66-0e90-417f-8f4e-501002de0b81",
"value": "3d69fdd4e29ad65799be33ae812fe278b2b2dabe"
},
{
"category": "Payload delivery",
"comment": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB - Xchecked via VT: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha256",
"uuid": "59934d73-9500-4b35-acd5-464902de0b81",
"value": "7049bad2755ae8b8a6945a1f323b1bc14551c9ee664b8573910ffbbe6bba97c8"
},
{
"category": "External analysis",
"comment": "Xlpd 5 Build 1220\t Xlpd5.exe, Jul 17 2017, 30.22 MB - Xchecked via VT: 3d69fdd4e29ad65799be33ae812fe278b2b2dabe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": false,
"type": "link",
"uuid": "59934d73-32f8-4316-8850-422202de0b81",
"value": "https://www.virustotal.com/file/7049bad2755ae8b8a6945a1f323b1bc14551c9ee664b8573910ffbbe6bba97c8/analysis/1502291882/"
},
{
"category": "Payload delivery",
"comment": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB - Xchecked via VT: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha256",
"uuid": "59934d73-62a4-44ac-9b4f-476302de0b81",
"value": "ee41a4a58114ccdcbef0c424176ed267b10fc137136185b07d7710770d4dea27"
},
{
"category": "External analysis",
"comment": "Xftp 5 Build 1218\t Xftp5.exe, Jul 17 2017, 30.7 MB - Xchecked via VT: 08a67be4a4c5629ac3d12f0fdd1efc20aa4bdb2b",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": false,
"type": "link",
"uuid": "59934d73-be10-498b-95f7-4b9502de0b81",
"value": "https://www.virustotal.com/file/ee41a4a58114ccdcbef0c424176ed267b10fc137136185b07d7710770d4dea27/analysis/1502398416/"
},
{
"category": "Payload delivery",
"comment": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB - Xchecked via VT: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha256",
"uuid": "59934d73-3960-4f48-905b-409902de0b81",
"value": "f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c"
},
{
"category": "External analysis",
"comment": "Xshell 5 Build 1322\t Xshell5.exe, Jul 17 2017, 31.58 MB - Xchecked via VT: 7cf07efe04fe0012ed8beaa2dec5420a9b5561d6",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": false,
"type": "link",
"uuid": "59934d73-04a8-427a-b49a-41a402de0b81",
"value": "https://www.virustotal.com/file/f86fa8fc2f2428ed145e782894ef3be32b9ea8d60b68b805d8fbd1c5e7af427c/analysis/1502688340/"
},
{
"category": "Payload delivery",
"comment": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB - Xchecked via VT: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": true,
"type": "sha256",
"uuid": "59934d73-383c-4d55-a4b7-488f02de0b81",
"value": "b4a07a3218fe80b8da2f0f470ab327cc3622155adeef8a3d1fd0c43dff4aa130"
},
{
"category": "External analysis",
"comment": "Xmanager 5 Build 1045\t Xmgr5.exe, Jul 17 2017, 46.2 MB - Xchecked via VT: 35c9dae68c129ebb7e7f65511b3a804ddbe4cf1d",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825843",
"to_ids": false,
"type": "link",
"uuid": "59934d73-d378-4f01-af77-4a0502de0b81",
"value": "https://www.virustotal.com/file/b4a07a3218fe80b8da2f0f470ab327cc3622155adeef8a3d1fd0c43dff4aa130/analysis/1502291895/"
},
{
"category": "Payload delivery",
"comment": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB - Xchecked via VT: 12180ff028c1c38d99e8375dd6d01f47f6711b97",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825844",
"to_ids": true,
"type": "sha256",
"uuid": "59934d74-c52c-4683-b648-421d02de0b81",
"value": "d484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e"
},
{
"category": "External analysis",
"comment": "Xmanager Enterprise 5 Build 1232\t Xme5.exe, Jul 17 2017, 55.08 MB - Xchecked via VT: 12180ff028c1c38d99e8375dd6d01f47f6711b97",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825844",
"to_ids": false,
"type": "link",
"uuid": "59934d74-9970-4994-a9fd-4ac402de0b81",
"value": "https://www.virustotal.com/file/d484b9b8c44558c18ef6147c6ca8276a462fccf2acb2863be4ee9bf37942f11e/analysis/1502481033/"
},
{
"category": "Payload delivery",
"comment": "DLL with the encrypted payload:",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825955",
"to_ids": true,
"type": "md5",
"uuid": "59934de3-97c8-4fb9-916e-542c02de0b81",
"value": "97363d50a279492fda14cbab53429e75"
},
{
"category": "External analysis",
"comment": "On Friday August 4th, 2017, our engineers in cooperation with Kaspersky Labs discovered a security exploit in our software specific to the following Builds which were released on July 18, 2017. Currently, there is no evidence that the exploit was utilized.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1502825996",
"to_ids": false,
"type": "link",
"uuid": "59934e0c-5e2c-4020-a4ee-507102de0b81",
"value": "https://www.netsarang.com/news/security_exploit_in_july_18_2017_build.html"
}
]
}
}