2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2019-03-07" ,
"extends_uuid" : "" ,
"info" : "OSINT - New SLUB Backdoor Uses GitHub, Communicates via Slack" ,
"publish_timestamp" : "1551970480" ,
"published" : true ,
"threat_level_id" : "3" ,
"timestamp" : "1551970460" ,
"uuid" : "5c812baa-d614-4f99-88e0-426d950d210f" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
} ,
{
"colour" : "#0071c3" ,
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0087e8" ,
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#ffffff" ,
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Alternative Protocol - T1048\"" ,
"relationship_type" : ""
} ,
{
"colour" : "#0088cc" ,
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Scripting - T1064\"" ,
"relationship_type" : ""
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969207" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "5c812bb7-f9a4-4e40-8386-2d92950d210f" ,
"value" : "https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969237" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5c812bd5-5ff0-4398-aa70-44d7950d210f" ,
"value" : "We recently came across a previously unknown malware that piqued our interest in multiple ways. For starters, we discovered it being spread via watering hole attacks, a technique that involves an attacker compromising a website before adding code to it so visitors are redirected to the infecting code. In this case, each visitor is redirected only once. The infection was done by exploiting CVE-2018-8174, a VBScript engine vulnerability that was patched by Microsoft back in May 2018.\r\n\r\nSecond, it uses a multi-stage infection scheme. After it exploits the vulnerability, it downloads a DLL and runs it in PowerShell (PS). This file, which is a downloader, then downloads and runs the second executable file containing a backdoor. The first stage downloader also checks for the existence of different kinds of antivirus software processes, and then proceeds to exit if any is found. At the time of discovery, the backdoor was seemingly unknown to AV products.\r\n\r\nIn addition to the previously mentioned facts, we quickly noticed that the malware was connecting to the Slack platform, a collaborative messaging system that lets users create and use their own workspaces through the use of channels, similar to the IRC chatting system. We found this quite interesting, since we haven't observed any malware to date that communicates using Slack.\r\n\r\nOur technical investigation and analysis of the attacker's tools, techniques, and procedures (TTP) lead us to think that this threat is actually a stealthy targeted attack run by capable actors, and not a typical cybercriminal scheme.\r\n\r\nNote that as soon as this malware was discovered, we informed the Canadian Centre for Cyber Security, which acts as Canada's National Computer Security Incident Response Team (CSIRT). The Cyber Centre alerted the site operator, helped them understand the malware that was found, and offered mitigation advice."
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969339" ,
"to_ids" : false ,
"type" : "vulnerability" ,
"uuid" : "5c812c3b-92e4-4dca-ae5d-423f950d210f" ,
"value" : "CVE-2018-8174"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969377" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5c812c61-3fb8-4dd4-a066-426f950d210f" ,
"value" : "SLUB-Figure-5-1.jpg"
} ,
{
"category" : "External analysis" ,
"comment" : "Timeline" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969440" ,
"to_ids" : false ,
"type" : "attachment" ,
"uuid" : "5c812ca0-4fb4-4e00-89a3-424b950d210f" ,
"value" : "SLUB-Figure-9.jpg"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969497" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "5c812cd9-3bd0-4fb8-aebf-426f950d210f" ,
"value" : "https://gist.github.com/kancc14522/626a3a68a2cc2a91c1ece1eed7610c8a"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c812e19-f324-4fb4-8321-41b2950d210f" ,
"value" : "3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "5c812e19-02cc-4e58-ad6f-4531950d210f" ,
"value" : "43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1551969838" ,
"uuid" : "caa8ad96-cb54-41af-87e6-0d652834620b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "caa8ad96-cb54-41af-87e6-0d652834620b" ,
"referenced_uuid" : "e326acd3-60af-46c8-bdb0-e3879b6dea8b" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1551969840" ,
"uuid" : "5c812e30-2174-40b7-bba8-426f950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "d743e01f-736b-4d91-9d97-00b171c8f5a6" ,
"value" : "142ea550d65fbd90cc2a47aeaef0c210"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "5e5e763c-e4df-4537-9652-0a827d31d505" ,
"value" : "e092e130a0627015331c3d3e0265befd65c167b4"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "96e93e29-65fd-4364-b791-690554b055b3" ,
"value" : "3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1551969839" ,
"uuid" : "e326acd3-60af-46c8-bdb0-e3879b6dea8b" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "40be40ac-66c7-45ea-a2d7-0ffaea92ce0a" ,
"value" : "2019-03-01T01:49:19"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "442cf993-0cb9-48a6-8bb1-e1ab6fcb3a0a" ,
"value" : "https://www.virustotal.com/file/3ba00114d0ae766cf77edcdcc953ec6ee7527181968c02d4ffc36b9f89c4ebc7/analysis/1551404959/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Trojan.Win32.CVE20151701.E" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "49b64f75-c33f-42ab-a43d-8ea7bfafbe12" ,
"value" : "32/63"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "15" ,
"timestamp" : "1551969840" ,
"uuid" : "4712ac16-d976-47b2-8e95-99e0fbbfb94a" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "4712ac16-d976-47b2-8e95-99e0fbbfb94a" ,
"referenced_uuid" : "ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1551969840" ,
"uuid" : "5c812e30-7790-4186-acc6-426f950d210f"
}
] ,
"Attribute" : [
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "e89e007b-245a-47a7-bd54-5000e77de71d" ,
"value" : "f3004ddaef5b8c18883e716dda966141"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "0933ea8f-a6e4-491b-8a35-f8f6573e7648" ,
"value" : "786e366ab9edbbba315ee1cc0de12132b107ba9c"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1551969817" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "c866cd38-f68a-4edc-87ff-eeae3e606241" ,
"value" : "43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "2" ,
"timestamp" : "1551969840" ,
"uuid" : "ae0fe876-57e2-4670-8a0d-d6fed9a7d0d3" ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "last-submission" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a77369bd-22fd-4be7-883e-933bd72867cc" ,
"value" : "2019-03-06T16:37:38"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "permalink" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "81801a81-6192-4cfb-8aaf-ead1f36da2e8" ,
"value" : "https://www.virustotal.com/file/43221eb160733ea694b4fdda70e7eab4a86d59c5f9749fd2f9b71783e5da6dd7/analysis/1551890258/"
} ,
{
"category" : "Payload delivery" ,
"comment" : "Backdoor.Win32.SLUB.A" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1551969817" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "a1fe3994-9403-415e-b117-30f4b38e65d4" ,
"value" : "7/69"
}
]
}
]
}
}