{
"Event" : {
"analysis" : "2" ,
"date" : "2021-02-04" ,
"extends_uuid" : "" ,
"info" : "OSINT - Hildegard: New TeamTNT Malware Targeting Kubernetes" ,
"publish_timestamp" : "1612437699" ,
"published" : true ,
"threat_level_id" : "1" ,
"timestamp" : "1612437672" ,
"uuid" : "2e29b34e-9558-46ba-96b2-211295ece344" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
}
] ,
"Object" : [
{
"comment" : "This machine hosts malicious files used in the campaign and receives the collected data to this C2.\r\nHosted files: TDGG, api.key, tmate, tt.sh, sGAU.sh, t.sh, x86_64.so, xmr.sh, xmrig, xmrig.so, ziggy, xmr3.assi" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429114" ,
"uuid" : "176f9db1-1f95-4ea1-998a-7d0253d6d45f" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1612429114" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "e6e70410-ab72-4d3b-9cfb-260936c5a563" ,
"value" : "the.borg.wtf"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429114" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "401e4544-5622-4ecd-80a1-cf64e2912c81" ,
"value" : "45.9.150.36"
}
]
} ,
{
"comment" : "The malware connects to this IP to obtain the victim host\u2019s public IP.\r\n" ,
"deleted" : false ,
"description" : "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame." ,
"meta-category" : "network" ,
"name" : "ip-port" ,
"template_uuid" : "9f8cea74-16fe-4968-a2b4-026676949ac6" ,
"template_version" : "8" ,
"timestamp" : "1612429153" ,
"uuid" : "ea90cee2-3338-459b-bf2e-8f84edd9c74d" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429153" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "1a5007d9-1524-4924-a2db-25d2db588d16" ,
"value" : "147.75.47.199"
}
]
} ,
{
"comment" : "This host hosts malicious scripts and binaries.\r\nHosted files: pei.sh, pei64." ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429211" ,
"uuid" : "4f61af6e-155f-46bd-ad05-8ef20e4ca408" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1612429211" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "1a8ce1de-3637-4956-a7bd-acaac2c2afff" ,
"value" : "teamtnt.red"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429211" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "006052d5-f901-413a-ab7a-0d59a14a39bd" ,
"value" : "45.9.148.108"
}
]
} ,
{
"comment" : "This host hosts malicious scripts and binaries.\r\nHosted files: aws2.sh" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429259" ,
"uuid" : "740ba33d-f828-4737-a56f-303cfcd290f5" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1612429259" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "e3dc35a2-a1f8-4591-a722-ccae14a5a237" ,
"value" : "borg.wtf"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429259" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "ac059396-854d-46b8-9475-a7a1d08504a8" ,
"value" : "45.9.148.108"
}
]
} ,
{
"comment" : "This host is one of the C2s. It runs an IRC server on port 6667.\r\n" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429313" ,
"uuid" : "2062baa3-04a0-4feb-9623-842a1aafec3c" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1612429313" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "facd403f-33bc-4ed1-9208-9f36717d15ab" ,
"value" : "irc.borg.wtf"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429313" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "97c38762-6840-4686-be67-465b3f7b091e" ,
"value" : "123.245.9.147"
}
]
} ,
{
"comment" : "This host is one of the C2s. It runs an IRC server on port 6667.\r\n" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429363" ,
"uuid" : "d335ffab-1b09-4ece-a139-43524c9a871a" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "hostname" ,
"timestamp" : "1612429363" ,
"to_ids" : true ,
"type" : "hostname" ,
"uuid" : "2822d1b5-7e4f-46e8-a3bb-51d25bc4c536" ,
"value" : "sampwn.anondns.net"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429363" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "bbecc643-929b-4de6-ae35-c17eb5468077" ,
"value" : "13.245.9.147"
}
]
} ,
{
"comment" : "This host is one of the C2s. It runs an IRC server on port 6667.\r\n" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429396" ,
"uuid" : "ccd37fe0-a473-4e9c-acb0-55f7dc917a66" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429396" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "74db9258-7f43-429a-929d-a05eac9aa2af" ,
"value" : "164.68.106.96"
}
]
} ,
{
"comment" : "This host is one of the C2s. It runs an IRC server on port 6667.\r\n" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "9" ,
"timestamp" : "1612429427" ,
"uuid" : "85a67a9c-b76a-424c-8fd7-fd2f413deafd" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1612429427" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "ab5051a7-98b0-4275-ab8b-a737be286323" ,
"value" : "62.234.121.105"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432746" ,
"uuid" : "282fc55b-627c-4d5e-9342-1af5184ddb5a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432746" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8e291451-979f-4a0e-ab4a-be98c093a52f" ,
"value" : "2c1528253656ac09c7473911b24b243f083e60b98a19ba1bbb050979a1f38a0f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432746" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "1e9af0f7-7718-4c25-9a1f-11b383df4783" ,
"value" : "TDGGi"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432746" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9568c892-09ca-455c-af97-7ec066f7d702" ,
"value" : "script\tThis script downloads and executes tt.sh."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432746" ,
"uuid" : "bdeca9c5-acfc-482a-973f-80386ddc837f" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432746" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "caae21e4-b6ed-404f-8541-6711902d8f5e" ,
"value" : "2cde98579162ab165623241719b2ab33ac40f0b5d0a8ba7e7067c7aebc530172"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "14594566-a119-41a8-afbf-d246248f1f0f" ,
"value" : "tt.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "42c9d149-ea7f-4b21-b817-bfbe1a84e292" ,
"value" : "script\tThis script downloads and runs tmate. It collects system information from the victim\u2019s host and sends the collected data to C2(45.9.150[.]36)"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "5d9e3240-96da-40be-866a-ea3fc431a40e" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "be25ad41-246b-4f3c-b697-d1f2f534b95f" ,
"value" : "b34df4b273b3bedaab531be46a0780d97b87588e93c1818158a47f7add8c7204"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5054836d-da3c-4035-a55b-be33f7720cda" ,
"value" : "api.key"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a478f485-b1de-42b0-8e07-af26490183d0" ,
"value" : "text\tThe API key is used for creating a named tmate session from the compromised containers."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "afa6e590-1959-4c42-b77e-1fd4a9896826" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "87fcc6ae-f6a1-4088-b6fe-235b0fa0425e" ,
"value" : "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "36d7b64d-6f49-46ea-b285-5aa2f5bd6e72" ,
"value" : "tmate"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "3733ed60-8268-4156-bf31-5628626d8b5e" ,
"value" : "ELF\ttmate v2.4.0"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "a5e1d11b-0f73-4cf4-b3ef-b8e723e6d30a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "de23e7f0-9816-41d4-acee-c3b39eef6cf0" ,
"value" : "74e3ccaea4df277e1a9c458a671db74aa47630928a7825f75994756512b09d64"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "e343f8dd-e5d6-4160-8335-3659bdb186ae" ,
"value" : "sGAU.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4a4602af-f9a7-462e-aa88-7b1ee4d7fab9" ,
"value" : "script\tThis script downloads and installs masscan. It scans Kubernetes\u2019 internal IP Kubelets running on port 10250. If masscan finds an exploitable Kubelet"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "2c26666d-b912-4e8a-9f68-803f0b824429" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "58694996-baee-4b64-86b9-d2f49786a149" ,
"value" : "8e33496ea00218c07145396c6bcf3e25f4e38a1061f807d2d3653497a291348c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "10e49b9a-de85-4a35-b1c7-ce67eb6d0c19" ,
"value" : "kshell"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "43496b8e-1a2b-414e-bc19-887574c3b9a1" ,
"value" : "script\tThe script performs remote code execution in containers via Kubelet\u2019s API. It also downloads and executes xmr.sh in a target container."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "c939eb92-cd87-408a-b2c1-5c25430c0470" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "8de9a504-9881-40f3-893c-fb533ae8781b" ,
"value" : "518a19aa2c3c9f895efa0d130e6355af5b5d7edf28e2a2d9b944aa358c23d887"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "013d2cda-a0dd-441a-85d4-9e506881ebde" ,
"value" : "install_monerod.bash"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4dd53c6b-3922-4d6e-8190-90de9d94686f" ,
"value" : "script\tThe script is hosted in this Github repo. It pulls and builds the official monero project. It then creates a user named \u201cmonerodaemon\u201d and starts the monero service."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "33821510-4992-4ecb-84e9-1d320038a927" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "be6f88f3-d864-4abc-bf23-a1bebb53c1be" ,
"value" : "5923f20010cb7c1d59aab36ba41c84cd20c25c6e64aace65dc8243ea827b537b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "33ffbc2f-08fd-4a1e-a4d6-72adbff1ceb8" ,
"value" : "setup_moneroocean_miner.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "bcb3c54a-7b08-48ca-b68d-9feca55488ef" ,
"value" : "script\tThe script is hosted in this Github repo. It pulls and runs the MoneroOcean advanced version of xmrig."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "5ecf50d7-0d07-4c15-844a-6d2954367bc3" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1adb9b5e-6c81-4d7a-9cd4-39fd48e5ee6e" ,
"value" : "a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "3822e9d8-c91e-40ba-a4e0-c2672e7722e4" ,
"value" : "xmrig"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "03d31fc3-7178-426a-a6cf-3e3e9a91cc16" ,
"value" : "(oneroocean)\tELF\txmrig 6.7.2-mo3. This binary is hosted in MoneroOcean/xmrig Github repo."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432747" ,
"uuid" : "06a70163-a39c-4f54-bbdb-a87a814f1c99" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "0e66dc1b-b3bf-4b8b-8f75-39a2c77b81f3" ,
"value" : "ee6dbbf85a3bb301a2e448c7fddaa4c1c6f234a8c75597ee766c66f52540d015"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "ab2b90be-4098-4dbc-8f56-cb4776a75deb" ,
"value" : "pei.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "05762bcc-9586-45f6-ac9a-0566a2c90af8" ,
"value" : "script\tThis script downloads and executes pei64 or pei32"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "49958838-8ef3-42ca-8053-92baf705789a" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "4e8f3c3c-3b6f-42be-891e-5b0ea1323147" ,
"value" : "937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "7b17f7eb-1802-4f36-8893-378284a258e8" ,
"value" : "pei64"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7c896e50-2834-48d9-b180-511d199a90d5" ,
"value" : "ELF\tThis is a Kubernetes penetration tool from the peirates project. The tool is capable of escalating privilege and pivoting through the Kubernetes cluster."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "e309ca78-38e1-4c9a-ab77-b42459ff8396" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "ed4f37ba-5ee6-4a51-b856-c202baad7d08" ,
"value" : "72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "5bdb6bba-b5c6-4953-90a5-0904680b0a42" ,
"value" : "pei32"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "82e8d918-5a9e-4beb-9d1c-6008c93ddd19" ,
"value" : "ELF\tSame as pei64"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "778de61f-d6d7-4c20-9eb1-c75d829a3c4c" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "19839f59-857d-42b1-bda6-3930ce5fc34e" ,
"value" : "12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "e4a38245-b80f-4662-8ed4-b7fbcc7ecf2d" ,
"value" : "xmr3.assi"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "867f7183-013f-4796-b072-919e0dece56c" ,
"value" : "script\tThe script downloads and runs aws2.sh"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "72ed2178-2db5-4c4f-a3b6-ec0f2dfe8855" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "bdb974ac-7789-4cc0-a044-a2a72b83e9cc" ,
"value" : "053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "d8520f81-ed46-4acc-8ad9-c3957559ef33" ,
"value" : "aws2.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "568a649a-ed01-4221-8c29-debb03aa6b45" ,
"value" : "script\tThe script searches for cloud credentials and sends the identified credentials to C2 (the.borg[.]wtf)."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "e3c384cd-1c89-4a4b-a874-1652562a02b8" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "79c8c33e-93e6-472b-9bf1-9bf730729e0f" ,
"value" : "e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "717bd279-5cd2-4f22-b892-821ca3e0a2b0" ,
"value" : "t.sh"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "811f3011-cd22-413a-8e89-1d6468a5bc30" ,
"value" : "script\tThe script downloads x86_64.so and tmate from C2. It modifies ld.so.preload and starts a tmate named session. It then sends back the victim\u2019s system info and tmate session to C2."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "6020f6d1-af71-4e4a-8a12-225c0242d370" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "90e26dbf-7287-4571-890d-48b4fe7f23f0" ,
"value" : "77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "ead2aa0d-ff3e-41d7-9f64-6d04a396e9eb" ,
"value" : "x86_64.so"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7d76d2f5-5acd-4201-b982-3c53811a84bc" ,
"value" : "ELF\tThis shared object replaces the existing /etc/ld.so.preload file. It uses the LD_PRELOAD trick to hide the tmate process."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "dfb15087-2708-4da2-9b47-298071b8304d" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "c537d9ba-ec77-4449-a75b-93ffc46f1436" ,
"value" : "78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "6dfbb3bc-81bf-4773-ab5a-ec9bdf8077d1" ,
"value" : "xmrig"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b4a86293-50c6-47aa-aff1-d7e0c8c1defd" ,
"value" : "ELF\txmrig v6.7.0"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432748" ,
"uuid" : "a086e984-6da5-4f73-8030-469f98c3227c" ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1d72215f-551a-4159-8872-c9441951e305" ,
"value" : "3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "filename" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "filename" ,
"uuid" : "cb1ce43c-f951-45a3-b675-8c73e94a5f00" ,
"value" : "xmrig.so"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "text" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "6e01b4db-5143-4f68-93fb-a902cce2c213" ,
"value" : "ELF\tThis shared object replaces the existing /etc/ld.so.preload."
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1612432858" ,
"uuid" : "94c1c886-20de-4707-b937-40b85b53bd3f" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"data" : " i V B O R w 0 K G g o A A A A N S U h E U g A A B P g A A A Q g C A Y A A A B 7 K u L Y A A A g A E l E Q V R 4 A e x d C Z g U x d m u y O L / a x I N L C b R m J g 7 R h P Z x f w m J i a a a D z Y x X j t 7 r C i K O I R V C I i o o K K y s 4 s I K A g N 8 o l t 8 j u z g y 73 H I f c i i X K I K I 4 O + V m E h + j 4 D W / 7 y 9 W 2 N N b 8 / O z G 73 d P f M u 8 + z T / d 0 V 1 d V v / X 211 + 9 / V W V E P w j A k S A C B A B I u A D B L p U 1 J 1 c P j B 8 T k k o f G V Z q K Z H I B Q e U F Y R H V U a j M w u r Y g s C g S j L 3 a u j L 5 W H o q + X V 4 Z / T A Q i n 4 c C E X / E w h G P y 8 L R i T / i Q E 5 Q A 6 Q A + Q A O U A O k A P k Q N Z w I B T 9 o i w U O R o I R T 4 N h C K H y 0 P R 98 t D 0 f 2 d B 0 W 3 B 4 L R l a W h B d V l o c i k 0 s r I k L K K a J / y Y P S 60 l D k o s 7 B 8 O m d x m 0 63 g f u P 6 t I B I g A E S A C R I A I + B W B q y r m n d w 5 t O B P Z a F I j 9 J g + M m y Y C R 6 b S i y p y w U + Y + V M 9 b 18 U V H b h u 57 M j d 41 d 9 c f + U D f L h G Z v k w D l b 5 e B 52 + T Q q h 1 y e H i n H B H Z J U d G 8 f 8 K / 4 k B O U A O k A P k A D l A D p A D 5 E C W c G C X f C K y S w 6 r 3 i G H z N 8 u K + e + J B + d t V k + O G 2 j 7 P P M W t l z z I q j 3 Y c v O d J l U K 3 l x + 5 A Z e S D s l B k f S A U m V Y S r H k o M D B c d n V F 9 V k l c + a 0 8 m t f g v U m A k S A C B A B I k A E X E C g f P C i n 5 R V R A J l o f B g R O D h q 6 M u 4 n U Z U n f 0 b 2 N X H n 14 + i b D c X l 66 V 45 d / 0 h u X D 7 B 3 L t 64 f l y 2 
//h//EgBwgB8gBcoAcIAfIAXKAHEjCgU1vfiKXv/JPWbPlXTl91ZtydO1uGZq7VfadtFbe/MSSI7oPXhaKfhEIRXaUB8NTAxXRXp2DNecz4s+FzhKLJAJEgAgQASLgVQQCwarflwWj92G4QOfKBR8oRyJQGf3irrGrPg/O2SonLH5dVr34jly1hwIeBUwKuOQAOUAOkAPkADlADpADmeDAlgOfykXb/y5nrD4gnwzvlP2mbpTdhy+OE/4CochLZRWRUdcMDF9bUrn4e17tc7BeRIAIEAEiQASIgM0IBAZGf1VaEelbVhGpCwSjnylB769PLTsKMW/Ssn1GNF4mnBaWQeeYHCAHyAFygBwgB8gBcoAcSI8Da/celvPWHzKmu7l/8jqJETbKp7+2MrKntCIytrSiprRkWF1bm7sSzI4IEAEiQASIABFwC4Hrhiz8Kl7wZcHwM4FQ9F318r999IqjQ57fLmevPSjX7f03h1AkGUJBxzM9x5N4ES9ygBwgB8gBcoAcIAcyx4G6bR/ICYv2GHP96YIfFvYoD0YeCISqC93qj7BcIkAEiAARIAJEoJkIdBoQblcWinYvDUVrlKDX9fG6o4/M3Cynrtwv13CuPAqaFDTJAXKAHCAHyAFygBwgB7KWA+Gt7xkRfr3Gr44t5tG5Mvo6Vu8tGVhzXjO7GbyMCBABIkAEiAARcBqBkmFrjysNRrqWBcNhJerdOmLpEaxaW7353ax1XvhlOHNfhok1sSYHyAFygBwgB8gBcsB/HFj1+mFjGp5+UzdI1U8oD0X3lw2MDsL0PU73U5g/ESACRIAIEAEikAICpZWRS8pC0SmBUPQ/eGFD1Bse3ilrX36foh6/SpMD5AA5QA6QA+QAOUAOkAPkQIwDG/d/Ip9duV/2n7YxJvZhoY5AMHJPYED1KSl0P5iECBABIkAEiAARsAuBawctOLU0GO3fubJ2L0S964fUHR303EuyZgsj9fhV2X9fldlmbDNygBwgB8gBcoAcIAcyz4H1+/4tn1m6V/aeuDom9pUGI3PLgtFiu/otzIcIEAEiQASIABGwQODaQeELy4KRmSq0/r4p6+T0VW/GvsjRMcq8Y0TMiTk5QA6QA+QAOUAOkAPkgN85sGTH3+Ww6h2y29BFR9DXwGq8ZRXRPkWhSBuLbgkPEQEiQASIABEgAs1BoCwYvTEQim40ovUerzuKl+/SXR9S2ONwC3KAHCAHyAFygBwgB8gBcoAcsJUDM1YfkH0nra2P6gtFjpZVREaVVEZ/2Zx+DK8hAkSACBABIpDzCNwwafl/46tZ51D0IIS9v41deXTSsn22vrz9/qWR9efXcnKAHCAHyAFygBwgB8gBcsAZDtRt+0CG5m6NG77bOVhzfs531AgAESACRIAIEIFUECipnHNioCI8oDwU/QjC3v1TNsi56w9R2OOXWXKAHCAHyAFygBwgB8gBcoAcyDgH1u49LEdGd8muj9cdRf8kEIzUllbWXpJK34ZpiAARIAJEgAjkHAIlo5Z/LRAKDwiEoh/jxfnw9E0yuvW9jL/A+QXUmS+gxJW4kgPkADlADpAD5AA5QA74mQNbD34mxy3aI7sPX2zM01cajCwqCy24OOc6brxhIkAEiAARIAKJECgLRu9TEXsDZmyStdvep7DHr7PkADlADpAD5AA5QA6QA+QAOeBJDkxc/LrsPnyJIfSVBcPhkoE15yXq6/A4ESACRIAIEIGsR6AkFLlFzbH34LMvygUvU9jz81dN1p1f5ckBcoAcIAfIAXKAHCAHcokDiOi7sWHl3UAoMq1zMHx61nfieINEgAgQASJABBQCpcFwR7Uqbp9n1sqqF9/x5Je5XHJOeK90xskBcoAcIAfIAXKAHCAHyIH0ObDlwKfGHH2ByugXmGqobGB0UKdxm45XfR9uiQARIAJEgAhkHQLlgxf9pCwYmYkX320jlx2ZvupNCnscdkEOkAPkADngew4s3/mefDq6ST41d5V8dvHLMv
rim/KlQ5/5/r7Y0U+/o0/MiBk5kLscWL3no9iqu+Wh6PsYrZR1HTreEBEgAkSACBCB0mC0v7HqVGX0i1G1u9npYYeeHMhhDqzf+5E89TdXx/1f3bMyISe2HPhEXnlHKC69ur78nmEJr2tuJ+u8sl7yB3/oHPu/ZcA428tobt14nXc6jjOX7ZSXdOtv8CS/oEia/8GhrveNkOGN+xPyZ/jM5Y14vWQbo9rJc+/wnG3BtiAH0udA5KX3ZN9JayX6PqXByLKSYPhc9gaJABEgAkSACPgegdLKyCVloeg2vOAemblZrnjtXwk7OnQg0ncgiBkx8yMH1u75ZyMx5LKbHrS0DYiC6tx7aKP0EFP+2KWv3LjvsOV1LcHl5xffEFceym9Jfrl67Yxl2+W1fYbH/rv0ecKR9so0vpv2/5/sMfDpOI6YxT3z715DpllG9FVOrmuUz8ItBz3Lt8FTF8XaE22L+8o0/iyP7z1ygBzwCwemrHhDdmuYn6+0MjKkZM6cVr7v3PEGiAARIAJEIPcQKBm29riyisgoNRx3zjrvdlj84iSwnnRos4UD6Qh83R8c00gAcVLcA8YU+Ox51qzEq5WvfOBrQejFN/4tf3VFD0tOmkU982+rSFArjLws8AXufjzu3jt0us3X7ZktNpX3YY/NIo7E0QkObHrzEzl43jYjmq+8snZvWWXNX3KvZ8g7JgJEgAgQAd8iUBIKXxkIRQ9A3BtWvYPOfw4PxXTCUWKe/nfAUxX4/jZoSpyYoAQTpyL3FLco8NnDMSvxyu8CX89Ka04qbmLouNq32j7+7JK4d6IVRhT47OGfep65JZ7kADngBQ5gUcGeY1YcNYbtVkTGdhoQ5iIcvu3tsuJEgAgQgRxAYMCA5Xkqaq/nmJWf12x5N64j44WXK+tAJ48ccJ8DqQh8/Z+aZymUnF/ex/FhnhT47OGIlXjlZ4EPc+lZiXY//dN1cmzVOrnm1Q+Nd96qVz6QAydGLNOCW5vf/Dj2brTCiAKfPfyjrSeO5AA54EUOPBneWR/NF4ruLwtGi3Ogi8hbJAJEgAgQAb8hUF4R+WPnyuhufJUaHt4Z67x48cXKOtHhIwfc5UAygS80qdZSHGlK3MNCHGOeXyNHa/+RBIsbTIpujks3b+WrcTYrkcCHekPIufWRCbJb/1GGiDP7hV1y68FP46634hfqh3IhXGJOPywactegqUZ+WIHV6hocw2qs+j1hhVYch0gUnFQrb3zgKXlNz0ExcWlq3VY5Ibwh9r90e/2CDVXr9sq7Bk8zysbCJCgbeKWy0uvq1z406tD78e
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "attachment" ,
"timestamp" : "1612432858" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "2b389dc5-f633-400f-ab9b-660fe5041103" ,
"value" : "word-image.png"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433664" ,
"uuid" : "d5ed01ea-338f-445b-90e6-e5344378aa83" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "d5ed01ea-338f-445b-90e6-e5344378aa83" ,
"referenced_uuid" : "62edf8d4-05c9-4862-8d42-f8a4806a36bc" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "b3286f75-1e9b-40ad-b6f9-648cc1d6af16"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "cc742533-ffad-44f7-aed7-fb036932e839" ,
"value" : "fe9d149dec9cd182254ace576a332f56"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "559f4102-d05a-4b26-86db-57b1484f72f2" ,
"value" : "66f858f47aebad049a58d416ca5f7916bf3ec524"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "380f9601-78a0-45d2-ba9e-322bbc01e432" ,
"value" : "3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433664" ,
"uuid" : "62edf8d4-05c9-4862-8d42-f8a4806a36bc" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "7cce5fc0-9644-441d-8697-37e733ef44f5" ,
"value" : "2021-02-03T19:27:51+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "7d3b53ae-687b-416c-b654-f25154c2070d" ,
"value" : "https://www.virustotal.com/gui/file/3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f/detection/f-3de32f315fd01b7b741cfbb7dfee22c30bf7b9a5a01d7ab6690fcb42759a3e9f-1612380471"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "70d081db-33dd-49a8-970b-038e2fd244b2" ,
"value" : "36/62"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433664" ,
"uuid" : "387943cb-ee93-42dd-98b0-2c27066365df" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "387943cb-ee93-42dd-98b0-2c27066365df" ,
"referenced_uuid" : "10416647-701f-4247-93af-3e201abed9b2" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "1355fbcd-670c-4fec-ae2e-7223a194e94e"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "8b2cc95c-15f2-4a32-819b-6f672ee95b9a" ,
"value" : "92490c9b9d3bb59aca5f106e401dfcaa"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "1b9ac1f4-770b-4f0f-8f98-684e6ed833cb" ,
"value" : "ca46d7e629475ec4dce991221d9c9f3abf4f6ad3"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "99d002e9-8a07-4586-b415-e263187f73d6" ,
"value" : "e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433664" ,
"uuid" : "10416647-701f-4247-93af-3e201abed9b2" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d4cd28b1-b60e-44b4-9c64-7e7c4f45b5b6" ,
"value" : "2021-02-03T19:40:43+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "6852adda-7ef4-4745-8c2b-fb5da0102746" ,
"value" : "https://www.virustotal.com/gui/file/e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7/detection/f-e6422d97d381f255cd9e9f91f06e5e4921f070b23e4e35edd539a589b1d6aea7-1612381243"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "563c3788-bd32-4dcc-a076-af2cdfff1e33" ,
"value" : "8/60"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433664" ,
"uuid" : "13c55aeb-731f-4f9f-bed7-54bc16691ee0" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "13c55aeb-731f-4f9f-bed7-54bc16691ee0" ,
"referenced_uuid" : "663a8f21-2bf4-499e-9f5c-ba6bd04faa87" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "9c9f87fe-a4ed-4e83-8f95-a88910e3c3fe"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "78e284eb-3228-4004-a8ba-7b19f4db742d" ,
"value" : "9f98db93197c6dfb27475075ae14e8ae"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "3f1b1e83-1aa3-4569-a271-990cbc377b6c" ,
"value" : "d849ca5d8fea568c2ccc56719d9b1bc145c64c9e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1260627d-03de-4a92-9d61-baaf93078daa" ,
"value" : "053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433664" ,
"uuid" : "663a8f21-2bf4-499e-9f5c-ba6bd04faa87" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "c032bbff-bca2-49ee-b17d-319677f87a00" ,
"value" : "2021-02-03T19:41:02+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "a7ed5250-91ef-4cdd-9361-a9cb14637692" ,
"value" : "https://www.virustotal.com/gui/file/053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e/detection/f-053318adb15cf23075f737daa153b81ab8bd0f2958fa81cd85336ecdf3d7de4e-1612381262"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "28f8e57c-6ea4-4b49-8f71-7ef6d0ee00dd" ,
"value" : "4/59"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433664" ,
"uuid" : "1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "1cc03dbc-d46a-4ee2-aef9-82cc7ef7c97a" ,
"referenced_uuid" : "1247892f-3395-4415-933b-581bc19ca772" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "7ea78c8f-ccfe-47a0-89dd-a4e21c4220a0"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "068edce3-42fb-4888-be1d-f95d98e674de" ,
"value" : "63248ffca814fec285379d27aaccf2e9"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "24f802b4-a5e6-4769-9e14-2e997ef8ce85" ,
"value" : "661a178188ce87332779fd4e842674dd39425496"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "26508555-8e74-473e-833a-1ff2d8255faf" ,
"value" : "72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433664" ,
"uuid" : "1247892f-3395-4415-933b-581bc19ca772" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "e482ad3f-ea53-4783-a5fc-a9df32a22e68" ,
"value" : "2021-02-04T06:36:23+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "a7245756-6000-46a0-83d0-a8f046c7e488" ,
"value" : "https://www.virustotal.com/gui/file/72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742/detection/f-72cff62d801c5bcb185aa299eb26f417aad843e617cf9c39c69f9dde6eb82742-1612420583"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0154047d-9659-4470-bb33-127abbfd3c46" ,
"value" : "3/61"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433664" ,
"uuid" : "0c47742b-164b-4df9-8c71-ef7acafe77cc" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "0c47742b-164b-4df9-8c71-ef7acafe77cc" ,
"referenced_uuid" : "7454fe7f-f8e1-45bc-acb5-b270c3d9d93d" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "96ff8e7e-82be-48a1-9ec7-30007e20f236"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "a0477665-2efe-448a-a75f-0b10635d7f55" ,
"value" : "35ac482fafb1453f993cb7c447fb9525"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "bf959d69-e780-4ecd-ba22-e276fd12863c" ,
"value" : "59e538c2a3b5a4ccf49b30b88e5571a27931aa4c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1ed8c32a-18da-48db-b253-e2e6caedc626" ,
"value" : "a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "7454fe7f-f8e1-45bc-acb5-b270c3d9d93d" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "f7f0be32-b20e-47e9-bff2-c3b6857999ef" ,
"value" : "2021-02-03T19:34:55+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "3b209465-79f6-4244-b8f0-8d2e1f99f5b7" ,
"value" : "https://www.virustotal.com/gui/file/a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9/detection/f-a22c2a6c2fdc5f5b962d2534aaae10d4de0379c9872f07aa10c77210ca652fa9-1612380895"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4282e0ac-e3ea-4f2e-8d1c-244e51aa67ae" ,
"value" : "24/62"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433665" ,
"uuid" : "b7657286-0c79-4c4e-9e45-b5c47795b70e" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "b7657286-0c79-4c4e-9e45-b5c47795b70e" ,
"referenced_uuid" : "16f3ee0a-c011-439f-8bf5-2f88b5671de2" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "adf78c2c-56b7-4e38-9d9e-5bcb528f600b"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "cb86de17-9186-4c27-8014-87a86dc19b52" ,
"value" : "1aeb95215a633400d90ad8cbca9bc300"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "42322b7c-832b-4c85-80cf-b8d75d70509b" ,
"value" : "31381d57d93b0c0738d2e92bce0014b69371f958"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432747" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "0b77432a-a508-485c-8f2f-55ab11625c1d" ,
"value" : "d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "16f3ee0a-c011-439f-8bf5-2f88b5671de2" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "14744553-4167-424e-a9ea-86c40d3ade68" ,
"value" : "2021-02-03T20:11:13+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "949d6755-855d-4624-8c90-f2e9ece4f101" ,
"value" : "https://www.virustotal.com/gui/file/d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f/detection/f-d2fff992e40ce18ff81b9a92fa1cb93a56fb5a82c1cc428204552d8dfa1bc04f-1612383073"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432747" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "37edadcb-4036-45d7-a086-11f69ac56b2b" ,
"value" : "2/62"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433665" ,
"uuid" : "cd4e86bb-5672-428e-ad55-00bd5ec27323" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "cd4e86bb-5672-428e-ad55-00bd5ec27323" ,
"referenced_uuid" : "31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "79b3febb-c334-48ad-8e3c-0f550b4016d8"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "31142423-39fe-428d-8b93-9e7097a9bd9c" ,
"value" : "80c202ced80965521adf1d63ba6be712"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "8557fefc-4cab-4c16-bfe4-8a7cf47c8d6d" ,
"value" : "9481e349e3b3942edd2346fa823611e16a375ae4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "39a94b9f-b7ff-43ac-8883-628900c4941b" ,
"value" : "77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "31ac78bf-1fb8-40f3-8c88-a6f5c1c1ed9c" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "0bb828f3-37c1-453e-bbec-e3c7504adb9f" ,
"value" : "2021-02-03T19:31:29+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "cb9b754b-9665-477f-b519-e868e5469128" ,
"value" : "https://www.virustotal.com/gui/file/77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8/detection/f-77456c099facd775238086e8f9420308be432d461e55e49e1b24d96a8ea585e8-1612380689"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "2b4e5d30-c772-4b53-b4be-bf6970b9f8d6" ,
"value" : "26/63"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433665" ,
"uuid" : "172dce95-5a65-4cf0-b710-277a5832b326" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "172dce95-5a65-4cf0-b710-277a5832b326" ,
"referenced_uuid" : "cd6c16c4-35f5-474c-b49d-e5d213880efc" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "9d5a038b-0af4-4d76-a340-4cd07cbc9043"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "96383ffb-2aa4-4c2a-aeac-381b7eb8b900" ,
"value" : "70330c23a9027ba0d2d6dd552818d97b"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "447438cc-feb1-4f8b-9aad-8e3f4ab1d81a" ,
"value" : "e94aeaeae1a3df5e3778c37f7a77be43da627c7e"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "6a4319fd-668c-4d2a-aed4-7aa1e5b2c517" ,
"value" : "78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "cd6c16c4-35f5-474c-b49d-e5d213880efc" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "58d5b530-df03-43b3-a0bc-1958ed931ce3" ,
"value" : "2021-02-03T19:38:56+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "f2e6fa65-0bcd-4147-8988-6fa1244279ab" ,
"value" : "https://www.virustotal.com/gui/file/78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983/detection/f-78f92857e18107872526feb1ae834edb9b7189df4a2129a4125a3dd8917f9983-1612381136"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "01a178ee-c1e2-4b87-bfca-f6c9b1c4e6f6" ,
"value" : "30/62"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433665" ,
"uuid" : "de8d5991-babe-4c5d-9343-0a1bd17eaba9" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "de8d5991-babe-4c5d-9343-0a1bd17eaba9" ,
"referenced_uuid" : "a38d8b07-b456-42ae-b58a-036d656a2a25" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "37da24d2-d246-4061-af97-d58ff23c6541"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1e662e68-66c9-4164-9efa-2a577f1b5780" ,
"value" : "e10e607751f00516c86b35a6a3b76517"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "b7499309-76e6-4823-a17a-17dcc50e3d3f" ,
"value" : "841e188fb08de785a7cd43cb9ce3550ba84c21ef"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "2b07dcd8-66c9-41d0-8359-f758772b0383" ,
"value" : "12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "a38d8b07-b456-42ae-b58a-036d656a2a25" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "75e9f292-c358-4b12-897a-66c78643e7ec" ,
"value" : "2021-02-03T19:38:17+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "70cd68f7-0a97-44d5-8a20-9e48050e725e" ,
"value" : "https://www.virustotal.com/gui/file/12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3/detection/f-12c5c5d556394aa107a433144c185a686aba3bb44389b7241d84bea766e2aea3-1612381097"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "ee1c3b33-7bae-4e3c-ba79-09d0275c372c" ,
"value" : "25/60"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "22" ,
"timestamp" : "1612433665" ,
"uuid" : "3b265851-d607-41db-883a-3cdf383f8c65" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "3b265851-d607-41db-883a-3cdf383f8c65" ,
"referenced_uuid" : "383195f4-cd06-40ad-b1f9-8a3f078d3c81" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "0" ,
"uuid" : "2b790ab7-e8f5-47a5-a22f-d8d6bc340039"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "0a52e9fa-7e8c-4638-b794-b1ada937d159" ,
"value" : "018d88b8203bdea0fe4dc5b4baa930c4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5fe8a2cb-1193-4942-ba6e-7cd102118123" ,
"value" : "4ea685a7fc013cf3476ad13e9dcf6f08d06af85a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1612432748" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "566ffde0-c6da-401d-8c23-8ae599ca7a96" ,
"value" : "937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "3" ,
"timestamp" : "1612433665" ,
"uuid" : "383195f4-cd06-40ad-b1f9-8a3f078d3c81" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "d6fb239f-65d1-4aaa-b4a2-081e712bebaa" ,
"value" : "2021-02-04T06:37:14+00:00"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5639436e-48e6-4452-a771-d4475af5fe82" ,
"value" : "https://www.virustotal.com/gui/file/937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d/detection/f-937842811b9e2eb87c4c19354a1a790315f2669eea58b63264f751de4da5438d-1612420634"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1612432748" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "7a643205-b7cc-437b-b564-d722e30939ed" ,
"value" : "1/60"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "2" ,
"timestamp" : "1612437659" ,
"uuid" : "4a242786-2019-442c-a76c-a9b208d7a3c3" ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1612437659" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "1765b652-f97a-46d0-b72d-148a81e51f13" ,
"value" : "https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1612437659" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "9e0c3854-65ec-491c-9338-42613794b6e4" ,
"value" : "In January 2021, Unit 42 researchers detected a new malware campaign targeting Kubernetes clusters. The attackers gained initial access via a misconfigured kubelet that allowed anonymous access. Once getting a foothold into a Kubernetes cluster, the malware attempted to spread over as many containers as possible and eventually launched cryptojacking operations. Based on the tactics, techniques and procedures (TTP) that the attackers used, we believe this is a new campaign from TeamTNT. We refer to this new malware as Hildegard, the username of the tmate account that the malware used.\r\n\r\nTeamTNT is known for exploiting unsecured Docker daemons and deploying malicious container images, as documented in previous research (Cetus, Black-T and TeamTNT DDoS). However, this is the first time we found TeamTNT targeting Kubernetes environments. In addition to the same tools and domains identified in TeamTNT\u2019s previous campaigns, this new malware carries multiple new capabilities that make it more stealthy and persistent. In particular, we found that TeamTNT\u2019s Hildegard malware:\r\n\r\nUses two ways to establish command and control (C2) connections: a tmate reverse shell and an Internet Relay Chat (IRC) channel.\r\nUses a known Linux process name (bioset) to disguise the malicious process.\r\nUses a library injection technique based on LD_PRELOAD to hide the malicious processes.\r\nEncrypts the malicious payload inside a binary to make automated static analysis more difficult.\r\nWe believe that this new malware campaign is still under development due to its seemingly incomplete codebase and infrastructure. At the time of writing, most of Hildegard\u2019s infrastructure has been online for only a month. The C2 domain borg[.]wtf was registered on Dec. 24, 2020, the IRC server went online on Jan. 9, 2021, and some malicious scripts have been updated frequently. 
The malware campaign has ~25.05 KH/s hashing power, and there is 11 XMR (~$1,500) in the wallet.\r\n\r\nThere has not been any activity since our initial detection, which indicates the threat campaign may still be in the reconnaissance and weaponization stage. However, knowing this malware\u2019s capabilities and target environments, we have good reason to believe that the group will soon launch a larger-scale attack. The malware can leverage the abundant computing resources in Kubernetes environments for cryptojacking and potentially exfiltrate sensitive data from tens to thousands of applications running in the clusters."
}
]
}
] ,
"EventReport" : [
{
"name" : "Report from - https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ (1612437672)" ,
"content" : "html [if IE]> <div class=\"alert alert-warning\"> You are using an <strong>outdated</strong> browser. Please <a href=\"http://browsehappy.com/\" > u p g r a d e y o u r b r o w s e r < / a > t o i m p r o v e y o u r e x p e r i e n c e . < / d i v > < ! [ e n d i f ] \ n * T o o l s \ n * A T O M s \ n * S p e a k i n g E v e n t s \ n * A b o u t U s \ n \ n B y J a y C h e n , A v i v S a s s o n a n d A r i e l Z e l i v a n s k y \ n \ n F e b r u a r y 3 , 2021 a t 6 : 0 0 A M \ n \ n C a t e g o r y : U n i t 42 \ n \ n T a g s : C l o u d , c o n t a i n e r s , c r y p t o j a c k i n g , D o c k e r , K u b e r n e t e s , p u b l i c c l o u d , T e a m T n T \ n \ n T h i s p o s t i s a l s o a v a i l a b l e i n : \ u 65e5 \ u 672 c \ u 8 a 9 e ( J a p a n e s e ) \ n \ n # # E x e c u t i v e S u m m a r y \ n \ n I n J a n u a r y 2021 , U n i t 42 r e s e a r c h e r s d e t e c t e d a n e w m a l w a r e c a m p a i g n t a r g e t i n g K u b e r n e t e s c l u s t e r s . T h e a t t a c k e r s g a i n e d i n i t i a l a c c e s s v i a a m i s c o n f i g u r e d k u b e l e t t h a t a l l o w e d a n o n y m o u s a c c e s s . O n c e g e t t i n g a f o o t h o l d i n t o a K u b e r n e t e s c l u s t e r , t h e m a l w a r e a t t e m p t e d t o s p r e a d o v e r a s m a n y c o n t a i n e r s a s p o s s i b l e a n d e v e n t u a l l y l a u n c h e d c r y p t o j a c k i n g o p e r a t i o n s . B a s e d o n t h e t a c t i c s , t e c h n i q u e s a n d p r o c e d u r e s ( T T P ) t h a t t h e a t t a c k e r s u s e d , w e b e l i e v e t h i s i s a n e w c a m p a i g n f r o m T e a m T N T . W e r e f e r t o t h i s n e w m a l w a r e a s * * H i l d e g a r d * * , t h e u s e r n a m e o f t h e t m a t e a c c o u n t t h a t t h e m a l w a r e u s e d . 
\ n \ n T e a m T N T i s k n o w n f o r e x p l o i t i n g u n s e c u r e d D o c k e r d a e m o n s a n d d e p l o y i n g m a l i c i o u s c o n t a i n e r i m a g e s , a s d o c u m e n t e d i n p r e v i o u s r e s e a r c h ( C e t u s , B l a c k - T a n d T e a m T N T D D o S ) . H o w e v e r , t h i s i s t h e f i r s t t i m e w e f o u n d T e a m T N T t a r g e t i n g K u b e r n e t e s e n v i r o n m e n t s . I n a d d i t i o n t o t h e s a m e t o o l s a n d d o m a i n s i d e n t i f i e d i n T e a m T N T \ u 2019 s p r e v i o u s c a m p a i g n s , t h i s n e w m a l w a r e c a r r i e s m u l t i p l e n e w c a p a b i l i t i e s t h a t m a k e i t m o r e s t e a l t h y a n d p e r s i s t e n t . I n p a r t i c u l a r , w e f o u n d t h a t T e a m T N T \ u 2019 s H i l d e g a r d m a l w a r e : \ n \ n \ n * U s e s t w o w a y s t o e s t a b l i s h c o m m a n d a n d c o n t r o l ( C 2 ) c o n n e c t i o n s : a t m a t e r e v e r s e s h e l l a n d a n I n t e r n e t R e l a y C h a t ( I R C ) c h a n n e l . \ n * U s e s a k n o w n L i n u x p r o c e s s n a m e ( b i o s e t ) t o d i s g u i s e t h e m a l i c i o u s p r o c e s s . \ n * U s e s a l i b r a r y i n j e c t i o n t e c h n i q u e b a s e d o n L D \ \ _ P R E L O A D t o h i d e t h e m a l i c i o u s p r o c e s s e s . \ n * E n c r y p t s t h e m a l i c i o u s p a y l o a d i n s i d e a b i n a r y t o m a k e a u t o m a t e d s t a t i c a n a l y s i s m o r e d i f f i c u l t . \ n \ n W e b e l i e v e t h a t t h i s n e w m a l w a r e c a m p a i g n i s s t i l l u n d e r d e v e l o p m e n t d u e t o i t s s e e m i n g l y i n c o m p l e t e c o d e b a s e a n d i n f r a s t r u c t u r e . A t t h e t i m e o f w r i t i n g , m o s t o f H i l d e g a r d \ u 2019 s i n f r a s t r u c t u r e h a s b e e n o n l i n e f o r o n l y a m o n t h . T h e C 2 d o m a i n b o r g [ . 
] w t f w a s r e g i s t e r e d o n D e c . 24 , 2020 , t h e I R C s e r v e r w e n t o n l i n e o n J a n . 9 , 2021 , a n d s o m e m a l i c i o u s s c r i p t s h a v e b e e n u p d a t e d f r e q u e n t l y . T h e m a l w a r e c a m p a i g n h a s ~ 25.05 K H / s h a s h i n g p o w e r , a n d t h e r e i s 11 X M R ( ~ $ 1 , 500 ) i n t h e w a l l e t . \ n \ n * * T h e r e h a s n o t b e e n a n y a c t i v i t y s i n c e o u r i n i t i a l d e t e c t i o n , w h i c h i n d i c a t e s t h e t h r e a t c a m p a i g n m a y s t i l l b e i n t h e r e c o n n a i s s a n c e a n d w e a p o n i z a t i o n s t a g e . * * H o w e v e r , k n o w i n g t h i s m a l w a r e \ u 2019 s c a p a b i l i t i e s a n d t a r g e t e n v i r o n m e n t s , w e h a v e g o o d r e a s o n t o b e l i e v e t h a t t h e g r o u p w i l l s o o n l a u n c h a l a r g e r - s c a l e a t t a c k . T h e m a l w a r e c a n l e v e r a g e t h e a b u n d a n t c o m p u t i n g r e s o u r c e s i n K u b e r n e t e s e n v i r o n m e n t s f o r c r y p t o j a c k i n g a n d p o t e n t i a l l y e x f i l t r a t e s e n s i t i v e d a t a f r o m t e n s t o t h o u s a n d s o f a p p l i c a t i o n s r u n n i n g i n t h e c l u s t e r s . \ n \ n P a l o A l t o N e t w o r k s c u s t o m e r s r u n n i n g P r i s m a C l o u d a r e p r o t e c t e d f r o m t h i s t h r e a t b y t h e R u n t i m e P r o t e c t i o n f e a t u r e , C r y p t o m i n e r D e t e c t i o n f e a t u r e a n d t h e P r i s m a C l o u d C o m p u t e K u b e r n e t e s C o m p l i a n c e P r o t e c t i o n , w h i c h a l e r t s o n a n i n s u f f i c i e n t K u b e r n e t e s c o n f i g u r a t i o n a n d p r o v i d e s s e c u r e a l t e r n a t i v e s . \ n \ n # \ n \ n F i g u r e 1 . A t t a c k e r a n d m a l w a r e \ u 2019 s m o v e m e n t . 
# # T a c t i c s , T e c h n i q u e s a n d P r o c e d u r e s \ n \ n F i g u r e 1 i l l u s t r a t e s h o w t h e a t t a c k e r e n t e r e d , m o v e d l a t e r a l l y a n d e v e n t u a l l y p e r f o r m e d c r y p t o j a c k i n g i n m u l t i p l e c o n t a i n e r s . \ n \ n \ n 2 . T h e a t t a c k e r s t a r t e d b y e x p l o i t i n g a n u n s e c u r e d K u b e l e t o n t h e i n t e r n e t a n d s e a r c h e d f o r c o n t a i n e r s r u n n i n g i n s i d e t h e K u b e r n e t e s n o d e s . A f t e r f i n d i n g c o n t a i n e r 1 i n N o d e A , t h e a t t a c k e r a t t e m p t e d t o p e r f o r m r e m o t e c o d e e x e c u t i o n ( R C E ) i n c o n t a i n e r 1 . \ n 4 . T h e a t t a c k e r d o w n l o a d e d t m a t e a n d i s s u e d a c o m m a n d t o r u n i t a n d e s t a b l i s h a r e v e r s e s h e l l t o t m a t e . i o f r o m c o n t a i n e r 1 . T h e a t t a c k e r t h e n c o n t i n u e d t h e a t t a c k w
"id" : "38" ,
"event_id" : "82186" ,
"timestamp" : "1612437672" ,
"uuid" : "2b0419ad-bb80-44c9-895c-eb6d227715f7" ,
"deleted" : false
}
]
}
}