{
"Event": {
"analysis": "2",
"date": "2016-10-14",
"extends_uuid": "",
"info": "ELF Linux/NyaDrop",
"publish_timestamp": "1476475443",
"published": true,
"threat_level_id": "3",
"timestamp": "1476475422",
"uuid": "580138b8-23f8-4c51-b788-4f3702de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#3b7500",
"name": "circl:incident-classification=\"malware\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475074",
"to_ids": false,
"type": "link",
"uuid": "580138c2-4584-48f1-b719-c28f02de0b81",
"value": "http://blog.malwaremustdie.org/2016/10/mmd-0058-2016-elf-linuxnyadrop.html"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475092",
"to_ids": false,
"type": "comment",
"uuid": "580138d4-bd1c-4701-9b0d-c2bb02de0b81",
"value": "Since the end of September 2016 I received a new type of attacks that aims the MIPS platform I provided to detect IoT attacks. I will call this threat as new ELF Linux/NyaDrop as per the name used by threat actor himself, for the \"nyadrop\" binary that is dropped in the compromised system.\r\n\r\nThis is not the \"really\" first time we're seeing this threat actually, in this year, some small events was detected on having these attacks which I ignored for some reasons, and on May 22th, me and hFiref0x of KernelMode was in a convo regarding to the threat which was detected. It was obviously the same threat (proof is as per picture below, thanks to hFiref0x for the ping that time)."
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475130",
"to_ids": true,
"type": "sha256",
"uuid": "580138f3-4fe8-49b6-a630-c56c02de0b81",
"value": "c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff"
},
{
"category": "Antivirus detection",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475245",
"to_ids": false,
"type": "text",
"uuid": "5801396d-7f5c-4084-8125-c2bb02de0b81",
"value": "Linux/NyaDrop"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475320",
"to_ids": true,
"type": "ip-src",
"uuid": "580139b8-adac-46dc-a628-474702de0b81",
"value": "46.172.91.20"
},
{
"category": "Payload delivery",
"comment": "nyadrop",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475366",
"to_ids": true,
"type": "sha1",
"uuid": "580139e6-deec-4e3f-8d0c-cdc002de0b81",
"value": "095bb52056d00f0d93bba78e4b5b56313de7b79f"
},
{
"category": "Payload installation",
"comment": "- Xchecked via VT: c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475422",
"to_ids": true,
"type": "md5",
"uuid": "58013a1e-8b50-4121-b21d-cdbe02de0b81",
"value": "752e353a88b6e3e5e5a60891ba06a065"
},
{
"category": "External analysis",
"comment": "- Xchecked via VT: c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff",
"deleted": false,
"disable_correlation": false,
"timestamp": "1476475422",
"to_ids": false,
"type": "link",
"uuid": "58013a1e-9bb0-4212-92b0-cdbe02de0b81",
"value": "https://www.virustotal.com/file/c3865eb1c211de6435d1352647c023c2606f9285d3304d54f17261a16bbec5ff/analysis/1476430710/"
}
]
}
}