{
    "Event": {
        "analysis": "2",
        "date": "2016-12-16",
        "extends_uuid": "",
        "info": "OSINT - One, if by email, and two, if by EK: The Cerbers are coming!",
        "publish_timestamp": "1481870914",
        "published": true,
        "threat_level_id": "3",
        "timestamp": "1481870845",
        "uuid": "58538c11-4694-47ba-a01c-4cfe02de0b81",
        "Orgc": {
            "name": "CIRCL",
            "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
        },
        "Tag": [
            {
                "colour": "#3ab400",
                "name": "enisa:nefarious-activity-abuse=\"exploits-exploit-kits\""
            },
            {
                "colour": "#ffffff",
                "name": "tlp:white"
            }
        ],
        "Attribute": [
            {
                "category": "External analysis",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870365",
                "to_ids": false,
                "type": "link",
                "uuid": "58538c1d-82a0-4d24-867d-41a202de0b81",
                "value": "https://isc.sans.edu/forums/diary/One+if+by+email+and+two+if+by+EK+The+Cerbers+are+coming/21823"
            },
            {
                "category": "External analysis",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870399",
                "to_ids": false,
                "type": "comment",
                "uuid": "58538c3f-4960-4980-bab9-4c6b02de0b81",
                "value": "As I've discussed before, EKs are merely a method to distribute malware. Criminal groups establish campaigns utilizing EKs to distribute their malware. I often see indicators of campaigns that use Magnitude EK or Rig EK to distribute Cerber ransomware.\r\n\r\nIn my lab environment, I generally don't generate much Magnitude EK. Why? Because Magnitude usually happens through a malvertising campaign, and that's quite difficult to replicate. By the time any particular malvertisement's indicators are known, the criminals have moved to a new malvertisement.\r\n\r\nSince early October 2016, I've typically seen Cerber ransomware from the pseudoDarkleech campaign using Rig EK. PseudoDarkleech currently uses a variant of Rig EK that researcher Kafeine has designated as Rig-V, because it's a \"vip\" version that's evolved from the old Rig EK.\r\n\r\nEITest is another major campaign that utilizes EKs to distribute malware. Although EITest distributes a variety of malware, I'll occasionally see Cerber sent by this campaign."
            },
            {
                "category": "Network activity",
                "comment": "Rig-V from the EITest campaign",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870563",
                "to_ids": true,
                "type": "ip-dst",
                "uuid": "58538ce3-601c-4716-bb6f-417b02de0b81",
                "value": "195.133.49.182"
            },
            {
                "category": "Network activity",
                "comment": "Rig-V from the EITest campaign",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870564",
                "to_ids": true,
                "type": "hostname",
                "uuid": "58538ce4-7814-4334-8180-418102de0b81",
                "value": "hit.thincoachmd.com"
            },
            {
                "category": "Network activity",
                "comment": "Rig-V from the pseudoDarkleech campaign",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870564",
                "to_ids": true,
                "type": "hostname",
                "uuid": "58538ce4-7bec-4498-b89a-445302de0b81",
                "value": "new.slimcoachmd.com"
            },
            {
                "category": "Network activity",
                "comment": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870565",
                "to_ids": true,
                "type": "ip-dst",
                "uuid": "58538ce5-3240-4327-bcc6-4e1a02de0b81",
                "value": "1.11.32.0"
            },
            {
                "category": "Network activity",
                "comment": "1.11.32.0 to 1.11.32.31 (1.11.32.0/27) UDP port 6892 - Cerber post-infection UDP traffic",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870566",
                "to_ids": true,
                "type": "ip-dst",
                "uuid": "58538ce6-3e80-4e94-8ab8-46fe02de0b81",
                "value": "55.15.15.0"
            },
            {
                "category": "Network activity",
                "comment": "194.165.16.0/23) UDP port 6892 - Cerber post-infection UDP traffic",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870568",
                "to_ids": true,
                "type": "ip-dst",
                "uuid": "58538ce8-2d7c-49ca-89ae-48bd02de0b81",
                "value": "194.165.16.0"
            },
            {
                "category": "Network activity",
                "comment": "attempted HTTP connections by Cerber from pseudoDarkleech campaign",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870570",
                "to_ids": true,
                "type": "ip-dst",
                "uuid": "58538cea-d9f0-4ef3-8d22-453e02de0b81",
                "value": "185.45.192.155"
            },
            {
                "category": "Network activity",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870570",
                "to_ids": true,
                "type": "hostname",
                "uuid": "58538cea-4fe0-4dca-b42e-450802de0b81",
                "value": "ftoxmpdipwobp4qy.19dmua.top"
            },
            {
                "category": "Network activity",
                "comment": "attempted HTTP connections by Cerber from EITest campaign",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870571",
                "to_ids": true,
                "type": "hostname",
                "uuid": "58538ceb-a834-43a4-aa47-4a9802de0b81",
                "value": "ffoqr3ug7m726zou.19dmua.top"
            },
            {
                "category": "Payload delivery",
                "comment": "Rig-V Flash exploit seen on 2016-12-15",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870625",
                "to_ids": true,
                "type": "sha256",
                "uuid": "58538d21-bb20-4511-b10a-4a7402de0b81",
                "value": "df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf"
            },
            {
                "category": "Payload delivery",
                "comment": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8AA1F.tmp.exe",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870733",
                "to_ids": true,
                "type": "sha256",
                "uuid": "58538d8d-0888-4b53-a42a-4a4102de0b81",
                "value": "4e877be5523d5ab453342695fef1d03adb854d215bde2cff647421bd3d583060"
            },
            {
                "category": "Payload delivery",
                "comment": "C:\\Users\\[username]\\AppData\\Local\\Temp\\rad8DE79.tmp.exe",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870753",
                "to_ids": true,
                "type": "sha256",
                "uuid": "58538da1-7b68-45ed-abb7-436b02de0b81",
                "value": "0e395c547547a79bd29280ea7f918a0559058a58ffc789940ceb4caf7a708610"
            },
            {
                "category": "External analysis",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870766",
                "to_ids": false,
                "type": "link",
                "uuid": "58538dae-a6d8-4f69-bc5c-4fa502de0b81",
                "value": "http://www.malware-traffic-analysis.net/2016/12/16/index.html"
            },
            {
                "category": "Payload delivery",
                "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870845",
                "to_ids": true,
                "type": "sha1",
                "uuid": "58538dfd-53a0-4703-ad4e-4e0e02de0b81",
                "value": "9284df1374b35d929f07e010e88b78a8495c0cfd"
            },
            {
                "category": "Payload delivery",
                "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870846",
                "to_ids": true,
                "type": "md5",
                "uuid": "58538dfe-0c74-4137-aa72-4db102de0b81",
                "value": "2b3e5fa9c8932e27531dd26dc92c81f8"
            },
            {
                "category": "External analysis",
                "comment": "Rig-V Flash exploit seen on 2016-12-15 - Xchecked via VT: df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf",
                "deleted": false,
                "disable_correlation": false,
                "timestamp": "1481870846",
                "to_ids": false,
                "type": "link",
                "uuid": "58538dfe-0750-4380-83c4-448802de0b81",
                "value": "https://www.virustotal.com/file/df65f65dc15cfa999f07869b587c74c645da66129c009db5d8b8c2c29ae4fadf/analysis/1481853351/"
            }
        ]
    }
}