misp-circl-feed/feeds/circl/misp/81866b54-7f4b-42f0-bcc1-84b7d8578e74.json

1449 lines
89 KiB
JSON
Raw Normal View History

2024-08-07 08:13:15 +00:00
{
"Event": {
"analysis": "0",
"date": "2024-01-30",
"extends_uuid": "",
"info": "OSINT - KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises",
"publish_timestamp": "1706730822",
"published": true,
"threat_level_id": "1",
"timestamp": "1706730814",
"uuid": "81866b54-7f4b-42f0-bcc1-84b7d8578e74",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:clear",
"relationship_type": ""
},
{
"colour": "#0088cc",
"local": false,
"name": "misp-galaxy:mitre-attack-pattern=\"Exploit Public-Facing Application - T1190\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "ad6ea915-1393-45a3-96fd-1811a8b8c8f2",
"value": "47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "0f532a6d-c58d-4dff-9028-cdfab0ac6a28",
"value": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "126235d8-f3f5-4ec2-a932-c95e8ac9798d",
"value": "c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "d2a47041-3eda-4d3f-bb6a-49a36d2afb28",
"value": "c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "5823f5f4-2cd3-49a3-9b9f-6c72a1c1c348",
"value": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "9f8b50f5-d0a5-41e3-9f3d-f5287375a75d",
"value": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "9afa633f-e168-4cd3-9599-e150775b160d",
"value": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "f5f3cf23-f45a-4b5d-a29d-3ad97e0cb519",
"value": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "4cec77a8-bc9a-4ae8-b6bd-fc15160f5d24",
"value": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "779bd25d-2134-4088-8251-3af9bf76e53c",
"value": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "d319c8b3-4870-45bf-b444-b72b583e9df7",
"value": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6"
},
{
"category": "Payload delivery",
"comment": "Linux Rust downloader",
"deleted": false,
"disable_correlation": false,
"timestamp": "1706629102",
"to_ids": true,
"type": "sha256",
"uuid": "dad9449c-29de-4aab-b298-f3c9e1d369eb",
"value": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"name": "script",
"template_uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
"template_version": "7",
"timestamp": "1706629192",
"uuid": "d5aed2a3-349c-4b4b-bace-99ec4a7ce781",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"data": "IyEvdXNyL2Jpbi9lbnYgcHl0aG9uMwojCiMga3J1c3R5X2V4dHJhY3Rvci5weQojIENvcHlyaWdodCAoQykgMjAyNCAtIFN5bmFja3RpdiwgVGjDqW8gTGV0YWlsbGV1cgojIGNvbnRhY3RAc3luYWNrdGl2LmNvbQojCiMgVGhpcyBwcm9ncmFtIGlzIGZyZWUgc29mdHdhcmU6IHlvdSBjYW4gcmVkaXN0cmlidXRlIGl0IGFuZC9vciBtb2RpZnkKIyBpdCB1bmRlciB0aGUgdGVybXMgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZSBhcyBwdWJsaXNoZWQgYnkKIyB0aGUgRnJlZSBTb2Z0d2FyZSBGb3VuZGF0aW9uLCBlaXRoZXIgdmVyc2lvbiAzIG9mIHRoZSBMaWNlbnNlLCBvcgojIChhdCB5b3VyIG9wdGlvbikgYW55IGxhdGVyIHZlcnNpb24uCiMKIyBUaGlzIHByb2dyYW0gaXMgZGlzdHJpYnV0ZWQgaW4gdGhlIGhvcGUgdGhhdCBpdCB3aWxsIGJlIHVzZWZ1bCwKIyBidXQgV0lUSE9VVCBBTlkgV0FSUkFOVFk7IHdpdGhvdXQgZXZlbiB0aGUgaW1wbGllZCB3YXJyYW50eSBvZgojIE1FUkNIQU5UQUJJTElUWSBvciBGSVRORVNTIEZPUiBBIFBBUlRJQ1VMQVIgUFVSUE9TRS4gIFNlZSB0aGUKIyBHTlUgQWZmZXJvIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgZm9yIG1vcmUgZGV0YWlscy4KIwojIFlvdSBzaG91bGQgaGF2ZSByZWNlaXZlZCBhIGNvcHkgb2YgdGhlIEdOVSBBZmZlcm8gR2VuZXJhbCBQdWJsaWMgTGljZW5zZQojIGFsb25nIHdpdGggdGhpcyBwcm9ncmFtLiAgSWYgbm90LCBzZWUgPGh0dHA6Ly93d3cuZ251Lm9yZy9saWNlbnNlcy8+LgoKCmZyb20gQ3J5cHRvLkNpcGhlciBpbXBvcnQgQUVTCmZyb20gQ3J5cHRvLkhhc2ggaW1wb3J0IFNIQTI1Ngpmcm9tIGJpbmFzY2lpIGltcG9ydCB1bmhleGxpZnkKaW1wb3J0IHN5cwoKCmRlZiB4b3IoYSxiKToKICAgIHJldHVybiBieXRlcyhbeF5iIGZvciB4IGluIGFdKQoKaWYgbGVuKHN5cy5hcmd2KSA8IDI6CiAgICBwcmludCgidXNhZ2U6IHB5dGhvbiBjcnVzdHlfZGVjcnlwdG8ucHkgLi9lbGYiKQogICAgZXhpdCgpCgpFTEYgPSBzeXMuYXJndlsxXQoKd2l0aCBvcGVuKEVMRiwgInJiIikgYXMgRUxGaDoKICAgIGRhdGEgPSBFTEZoLnJlYWQoKQoKaCA9IFNIQTI1Ni5uZXcoKQpoLnVwZGF0ZShkYXRhKQoKcHJpbnQoZiJTYW1wbGUgU0hBMjU2c3VtOiB7aC5oZXhkaWdlc3QoKX0iKQoKZW5kID0gZGF0YS5maW5kKGIifHx8fHx8fHx8fHx8fHx8fHwiKQpzdGFydCA9IGVuZCAtIDB4MTAwCnN0YXJ0ID0gc3RhcnQgKyBkYXRhW3N0YXJ0OmVuZF0uZmluZChiIi90bXAvIikgKyA1CkVOQ1JZUFRFRCA9ICB1bmhleGxpZnkoZGF0YVtzdGFydDplbmRdKQoKIyA0MCA4MCBmNSBYWCA9PSB4b3IgYnBsLCBYWApiZWZvcmVfeG9ya2V5ID0gZGF0YS5maW5kKGJ5dGVzLmZyb21oZXgoIkZGRkY0MDgwRjUiKSkKWE9SS0VZID0gZGF0YVtiZWZvcmVfeG9ya2V5K2xlbihieXRlcy5mcm9taGV4KCJGRkZGNDA4MEY1IikpXQpwcmludChmIlhPUiBLRVk6IHtoZXgoWE9SS0VZKX0iKQplbmNyeXB0ZWRfc3RhZ2UyID0geG9yKEVOQ1JZUFRFRCwgWE9SS0VZKQoKc3RhcnQgPSBzdGFydCAtIGxlbigiL3RtcC8iKSAtIDMyCkFFU0tFWSA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpzdGFydCArPSAxNgpBRVNJViA9IGRhdGFbc3RhcnQ6c3RhcnQrMTZdCgpTRUdNRU5UX1NJWkUgPSAxMjgKCnByaW50KGYiQUVTLTEyOCBDRkIgS0VZOiB7QUVTS0VZLmhleCgpfSIpCnByaW50KGYiQUVTLTEyOCBDRkIgSVY6IHtBRVNJVi5oZXgoKX0iKQpjaXBoZXIgPSBBRVMubmV3KEFFU0tFWSwgQUVTLk1PREVfQ0ZCLCBpdj1BRVNJViwgc2VnbWVudF9zaXplPVNFR01FTlRfU0laRSkKZGVjcnlwdGVkID0gY2lwaGVyLmRlY3J5cHQoZW5jcnlwdGVkX3N0YWdlMikKcHJpbnQoZiJEZWNyeXB0ZWQgU3RhZ2UgSG9zdGVyIFVSTDoge2RlY3J5cHRlZC5kZWNvZGUoJ3V0Zi04Jyl9IikK",
"deleted": false,
"disable_correlation": false,
"object_relation": "script-as-attachment",
"timestamp": "1706629192",
"to_ids": false,
"type": "attachment",
"uuid": "f751818e-0c5f-44be-8633-b8ec180cb970",
"value": "krusty_extractor.py"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "language",
"timestamp": "1706629192",
"to_ids": false,
"type": "text",
"uuid": "37360b05-e581-4c8f-9bd0-9e9fc8138eda",
"value": "Python"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1706629192",
"to_ids": false,
"type": "text",
"uuid": "b217f1d1-95cf-4414-8a55-194b4e96d8f2",
"value": "https://github.com/synacktiv/krustyloader-analysis/blob/main/krusty_extractor.py"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "state",
"timestamp": "1706629192",
"to_ids": false,
"type": "text",
"uuid": "0f38e30e-5a0a-4f37-911d-c16b585541cd",
"value": "Trusted"
}
]
},
{
"comment": "",
"deleted": false,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"name": "yara",
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"template_version": "6",
"timestamp": "1706629250",
"uuid": "343eabeb-41ac-47e8-aaa9-e7de6dea3d97",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "comment",
"timestamp": "1706629250",
"to_ids": false,
"type": "comment",
"uuid": "19745aab-6802-4bd4-9ce8-2c137263214e",
"value": "Yara rule that detects Linux KrustyLoader"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "context",
"timestamp": "1706629250",
"to_ids": false,
"type": "text",
"uuid": "30a9ed56-45b3-4d81-9913-929b0874b6f6",
"value": "all"
},
{
"category": "Payload installation",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "yara",
"timestamp": "1706629250",
"to_ids": true,
"type": "yara",
"uuid": "25579d73-a3f6-44c7-8bc2-0b3478c3b2be",
"value": "// KrustyLoader.yar\r\n// Copyright (C) 2024 - Synacktiv, Th\u00e9o Letailleur\r\n// contact@synacktiv.com\r\n//\r\n// This program is free software: you can redistribute it and/or modify\r\n// it under the terms of the GNU Affero General Public License as published by\r\n// the Free Software Foundation, either version 3 of the License, or\r\n// (at your option) any later version.\r\n//\r\n// This program is distributed in the hope that it will be useful,\r\n// but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n// GNU Affero General Public License for more details.\r\n//\r\n// You should have received a copy of the GNU Affero General Public License\r\n// along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n\r\nrule Linux_Downloader_KrustyLoader\r\n{\r\n meta:\r\n author = \"Theo Letailleur, Synacktiv\"\r\n source = \"Synacktiv\"\r\n status = \"RELEASED\"\r\n sharing = \"TLP:WHITE\"\r\n category = \"MALWARE\"\r\n malware = \"KrustyLoader\"\r\n description = \"Yara rule that detects Linux KrustyLoader\"\r\n\r\n strings:\r\n $tokio_worker = \"TOKIO_WORKER_THREADS\"\r\n $tmpdir = \"/tmp/\"\r\n\r\n // Load \"/proc/self/exe\" string\r\n $proc_self_exe = {\r\n 48 B? 73 65 6C 66 2F 65 78 65 // mov r64, 6578652F666C6573h\r\n 48 8D B4 24 ?? ?? 00 00 // lea rsi, [rsp+????h]\r\n 48 89 46 0? // mov [rsi+6], r64\r\n 48 B? 2F 70 72 6F 63 2F 73 65 // mov r64, 65732F636F72702Fh\r\n 48 89 0? // mov [rsi], r64\r\n }\r\n\r\n $pipe_suffix = \"|||||||||||||||||||||||||||\"\r\n\r\n // AES key expansion\r\n $aeskeygenassist = {\r\n 660F3ADF0601 // aeskeygenassist xmm0, xmmword ptr [rsi], 1\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n // AES InvMixColumns\r\n $aesinvmixcol = {\r\n 660F38DB06 // aesimc xmm0, xmmword ptr [rsi]\r\n 660F7F07 // movdqa xmmword ptr [rdi], xmm0\r\n C3 // retn\r\n }\r\n\r\n condition:\r\n uint32(0) == 0x464C457F and\r\n (\r\n all of them\r\n )\r\n}"
}
]
},
{
"comment": "",
"deleted": false,
"description": "Report object to describe a report along with its metadata.",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "8",
"timestamp": "1706629319",
"uuid": "2f97ed0a-ca8d-42bd-a593-791296fac41a",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1706629319",
"to_ids": false,
"type": "link",
"uuid": "9041edfd-8412-44f3-9f5a-481ad8c459af",
"value": "https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1706629319",
"to_ids": false,
"type": "text",
"uuid": "4c97b4af-78e0-4ba6-ac00-9ad305a0e8c7",
"value": "On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader."
}
]
},
{
"comment": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629388",
"uuid": "dc9874f6-bfc6-4736-9118-6108af933e16",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629388",
"to_ids": true,
"type": "md5",
"uuid": "0291fee6-8080-40cd-89b6-95afd0abd1ed",
"value": "deff93081ccb3fda7a12f6e9e3ad15ad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629388",
"to_ids": true,
"type": "sha1",
"uuid": "3145b3d8-929b-47b7-a9c7-6128c9b59ce8",
"value": "40b88819594091111c93bd9578b82dedd0823362"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629388",
"to_ids": true,
"type": "sha256",
"uuid": "7d1f9fc5-8547-486e-8283-bc0f9057add5",
"value": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629388",
"to_ids": true,
"type": "tlsh",
"uuid": "74a6d721-22b8-435b-baca-2e98aa4ed456",
"value": "t147154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629388",
"to_ids": true,
"type": "vhash",
"uuid": "9732b0e3-754e-4419-b07a-642582e81924",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629388",
"to_ids": true,
"type": "ssdeep",
"uuid": "fa6e1155-e8d1-437d-b018-baa22feeff5c",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDnPAzRDLZUaWX:aR4xzgHVmAIHhnDnIR+aWX"
}
]
},
{
"comment": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629410",
"uuid": "c71f8917-710d-4424-ac5d-3acf660331e8",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629410",
"to_ids": true,
"type": "md5",
"uuid": "a0fd81e0-4f9f-4ea7-9c3c-447060c630e4",
"value": "322778ac48bb0e0da65c0288b76b1133"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629410",
"to_ids": true,
"type": "sha1",
"uuid": "526f819c-a746-4a0f-96b1-e97c52b1ade0",
"value": "1bc9a9190b86d42f5c74735da669e76a5c7ff6fe"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629410",
"to_ids": true,
"type": "sha256",
"uuid": "7c697f14-b4e8-4a61-8a94-00396fa39603",
"value": "73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629410",
"to_ids": true,
"type": "tlsh",
"uuid": "925fc014-ff57-42ec-ae1d-123980d4d3ed",
"value": "t172154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629410",
"to_ids": true,
"type": "vhash",
"uuid": "46eb4d04-7380-47e5-81ce-58ab778ae1af",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629410",
"to_ids": true,
"type": "ssdeep",
"uuid": "c98a75a3-49dc-4d38-a4ec-c6e2cc1881c6",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDjPAzRDLZUaWX:aR4xzgHVmAIHhnDjIR+aWX"
}
]
},
{
"comment": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629422",
"uuid": "1af4ea7c-c429-4301-bb30-9e07b1e2a0dd",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629422",
"to_ids": true,
"type": "md5",
"uuid": "778b198f-3ad5-4c48-830b-ed33030348c8",
"value": "cbf6325a11ba974278f2b9038a4b99d7"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629422",
"to_ids": true,
"type": "sha1",
"uuid": "1532c06a-e334-47ef-bd77-a7af15a288ec",
"value": "8c7fdcd3a192a37bdbb8e6877a9b8e14c07dd8d5"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629422",
"to_ids": true,
"type": "sha256",
"uuid": "fa72bd4c-7fb5-42b0-94b8-370a2ef436a1",
"value": "e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629422",
"to_ids": true,
"type": "tlsh",
"uuid": "ef90f3d1-3fe3-4eef-b23f-861e93bccc63",
"value": "t1ba154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629422",
"to_ids": true,
"type": "vhash",
"uuid": "676cb936-d22d-4308-a00d-8192e14e8edc",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629422",
"to_ids": true,
"type": "ssdeep",
"uuid": "d123b8db-ea9d-4024-948b-f9cf1c27b364",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDRPAzRDLZUaWX:aR4xzgHVmAIHhnDRIR+aWX"
}
]
},
{
"comment": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629438",
"uuid": "8f8f83da-b449-4f62-8d99-0b519b3a0960",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629438",
"to_ids": true,
"type": "md5",
"uuid": "968f9330-69ba-4378-9ff4-1fee47373c8d",
"value": "5c4cfb6ac2cd3213bace688f0fa2f14e"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629438",
"to_ids": true,
"type": "sha1",
"uuid": "212aa59f-4253-4134-97fb-c5b484476642",
"value": "913b0c9dc8b30d53ea73911c5683c2dc04c14e3b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629438",
"to_ids": true,
"type": "sha256",
"uuid": "08f038f5-aae4-427d-bafa-dd1de0dee442",
"value": "d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629438",
"to_ids": true,
"type": "tlsh",
"uuid": "f40095d0-876c-4f0c-b8e8-278b71fcc459",
"value": "t1d8154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629438",
"to_ids": true,
"type": "vhash",
"uuid": "ced0f459-2453-46ff-9fe8-e153b3abedc0",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629438",
"to_ids": true,
"type": "ssdeep",
"uuid": "c796ed54-a700-4522-9633-76bb23025e4a",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDWPAzRDLZUaWX:aR4xzgHVmAIHhnDWIR+aWX"
}
]
},
{
"comment": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629448",
"uuid": "948fa32b-6eaf-423c-a025-5649b56cecf2",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629448",
"to_ids": true,
"type": "md5",
"uuid": "5d434e74-64f0-44e8-a302-87d09a9c1159",
"value": "4a626140da1009f199afde2581d28d0b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629448",
"to_ids": true,
"type": "sha1",
"uuid": "2ba63bad-8cc4-4168-8a71-f4664e88dde6",
"value": "ba56f6e5b9e7b0137cc237d338471c99480fee96"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629448",
"to_ids": true,
"type": "sha256",
"uuid": "6130a761-d36b-4b97-9ef3-233333af7521",
"value": "6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629448",
"to_ids": true,
"type": "tlsh",
"uuid": "5549cbd2-ce6b-4ae7-b4ee-cffa9c32d8da",
"value": "t116154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629448",
"to_ids": true,
"type": "vhash",
"uuid": "51fa9738-4f73-46e3-8f5f-bb13896d36fc",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629448",
"to_ids": true,
"type": "ssdeep",
"uuid": "ed6aefb6-b5a4-45eb-ba38-947fd64e9f1a",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDkPAzRDLZUaWX:aR4xzgHVmAIHhnDkIR+aWX"
}
]
},
{
"comment": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629465",
"uuid": "7cdf0234-4f0e-474e-a903-861f2d3da40d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629465",
"to_ids": true,
"type": "md5",
"uuid": "b9e10435-c627-4205-a1af-b4258dbc194b",
"value": "d71d37de5bae9a33ce2aa4908178b209"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629465",
"to_ids": true,
"type": "sha1",
"uuid": "84392d15-2e7c-4894-9cc2-842739a16467",
"value": "a19bdf4f7ccc68470c172e67ffe4a1bdef5d7bc4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629465",
"to_ids": true,
"type": "sha256",
"uuid": "db16c5c8-30a2-4b13-b232-f00cb69adfac",
"value": "a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629465",
"to_ids": true,
"type": "tlsh",
"uuid": "78cdf27f-d7fe-473f-9a02-130ac6ac8f53",
"value": "t1c3154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629465",
"to_ids": true,
"type": "vhash",
"uuid": "ed0c6553-c4b5-4d7d-822f-a0e339b270e4",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629465",
"to_ids": true,
"type": "ssdeep",
"uuid": "fe96cd2f-0edb-4f4c-962f-664173bde493",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKD6PAzRDLZUaWX:aR4xzgHVmAIHhnD6IR+aWX"
}
]
},
{
"comment": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1706629513",
"uuid": "ab9ca726-84ff-4100-af55-9fe90a7a2434",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1706629513",
"to_ids": true,
"type": "url",
"uuid": "221edb45-45e4-403e-b344-18a4a3824670",
"value": "http://blaze-uk.s3.amazonaws.com/WymRvUz1HeRw3"
}
]
},
{
"comment": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629513",
"uuid": "48fb75d1-d567-4360-8977-abeede3f56f7",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629513",
"to_ids": true,
"type": "md5",
"uuid": "11c4ab64-2b45-4f07-8158-3e39f048d2a3",
"value": "fc67817ea351dd6f0f0dcdb32a524c54"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629513",
"to_ids": true,
"type": "sha1",
"uuid": "27c5f500-4ff1-45b1-9754-6aa5103ca07a",
"value": "f62d0f71441979785b44c8d062fcf7371fa5eb34"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629513",
"to_ids": true,
"type": "sha256",
"uuid": "bd1a7321-730c-474e-b1bd-fb3162c53eed",
"value": "ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629513",
"to_ids": true,
"type": "tlsh",
"uuid": "f808c3e9-f685-49ff-8505-e824a3a0f52d",
"value": "t1b5154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629513",
"to_ids": true,
"type": "vhash",
"uuid": "905748be-3a36-42d0-ad2c-d3387970952e",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629513",
"to_ids": true,
"type": "ssdeep",
"uuid": "cd533038-4d78-4b64-bb63-fc4f9aad1518",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDlPAzRDLZUaWX:aR4xzgHVmAIHhnDlIR+aWX"
}
]
},
{
"comment": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629530",
"uuid": "9e1e286c-c8fd-4a42-9284-237030894dee",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629530",
"to_ids": true,
"type": "md5",
"uuid": "60435072-863c-4ae3-9f55-f18f28351594",
"value": "c17113b1361002aff47459eb0d5bfd3b"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629530",
"to_ids": true,
"type": "sha1",
"uuid": "f1007aca-2728-4ab5-8246-2654a1b67a08",
"value": "61ec1f157f92cd7110b8324689d40e289ea1dc1a"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629530",
"to_ids": true,
"type": "sha256",
"uuid": "6bb5f372-eb58-4d49-b91f-8691b8e06c2c",
"value": "76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629530",
"to_ids": true,
"type": "tlsh",
"uuid": "6aabdd6c-482d-44a5-8188-3301415c4647",
"value": "t1b2154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629530",
"to_ids": true,
"type": "vhash",
"uuid": "54b8798e-9044-4f1b-81b6-2767e11bade3",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629530",
"to_ids": true,
"type": "ssdeep",
"uuid": "ac5d0abe-616d-4929-bc40-7450576a0f4f",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKD1PAzRDLZUaWX:aR4xzgHVmAIHhnD1IR+aWX"
}
]
},
{
"comment": "030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0: Enriched via the virustotal module",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1706629561",
"uuid": "a6175dea-b390-4788-a69e-835940de95cf",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1706629561",
"to_ids": true,
"type": "url",
"uuid": "22ad1133-dd9a-4134-9a9a-f24ab2315a03",
"value": "http://book4timepublic.s3.amazonaws.com/gEsD2heW4crIT"
}
]
},
{
"comment": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module",
"deleted": false,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"name": "url",
"template_uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"template_version": "9",
"timestamp": "1706629581",
"uuid": "01e9ed60-f0f6-4168-bd22-aa1ceec6a479",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "url",
"timestamp": "1706629581",
"to_ids": true,
"type": "url",
"uuid": "4cb889b4-6b9f-44ee-9c14-26d58eb9cccb",
"value": "http://blooming.s3.amazonaws.com/Ea7fbW98CyM5O"
}
]
},
{
"comment": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17: Enriched via the virustotal module",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706629581",
"uuid": "2140ab53-ee01-4cfe-9174-b35ae7e43d8f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706629581",
"to_ids": true,
"type": "md5",
"uuid": "22a064f5-080f-4c68-a751-ff85a8c43e95",
"value": "63b0574cbe77d6231513f32e0d042484"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1706629581",
"to_ids": true,
"type": "sha1",
"uuid": "e86447a0-b365-4075-a8d3-8938331002cd",
"value": "55c2197c88cd3cef23b5f9062c6bdbb6f4b28094"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1706629581",
"to_ids": true,
"type": "sha256",
"uuid": "d3d99289-c4c4-4567-a943-f0da2398da48",
"value": "816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "tlsh",
"timestamp": "1706629581",
"to_ids": true,
"type": "tlsh",
"uuid": "59cc0487-fe0d-4218-844c-193c657e79bf",
"value": "t1f4154b07fda204bdd9b9c834861ea273f639b85c421176377bd85b302e25a20df2db95"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "vhash",
"timestamp": "1706629581",
"to_ids": true,
"type": "vhash",
"uuid": "d54a50e7-a13e-4458-bb80-62885aa3098b",
"value": "1cbe32fb065a3318a29a9156aa4e9083"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ssdeep",
"timestamp": "1706629581",
"to_ids": true,
"type": "ssdeep",
"uuid": "d4a62b15-24f6-47d4-8bfd-6f2f9f1ed288",
"value": "24576:aR4f424TMgHBwOmA8vzHhyKDHPAzRDLZUaWX:aR4xzgHVmAIHhnDHIR+aWX"
}
]
},
{
"comment": "CHAINLINE web shell",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706729682",
"uuid": "4764a31d-89d0-438c-b399-cb7981041950",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706729682",
"to_ids": true,
"type": "filename",
"uuid": "81c13b88-eccf-489e-a199-60b57e417d19",
"value": "health.py"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706729682",
"to_ids": true,
"type": "md5",
"uuid": "8c41de06-9ee3-4ade-aa0b-13140b9c79cf",
"value": "3045f5b3d355a9ab26ab6f44cc831a83"
}
]
},
{
"comment": "WARPWIRE credential harvester variant",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706729901",
"uuid": "e57b9ba2-bc61-48cf-b2d3-eff17548c4a0",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706729901",
"to_ids": true,
"type": "filename",
"uuid": "b1ed19f8-9729-4e49-a794-a34b0f8c4a08",
"value": "lastauthserverused.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706729901",
"to_ids": true,
"type": "md5",
"uuid": "c131a04c-16a5-4228-984b-1e36f5f85539",
"value": "8eb042da6ba683ef1bae460af103cc44"
}
]
},
{
"comment": "WARPWIRE credential harvester variant",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706729936",
"uuid": "983924f8-2fd3-400a-8af0-e6eb88c9c47c",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706729936",
"to_ids": true,
"type": "filename",
"uuid": "05e82bff-f99b-4a40-a65b-a6d100406ea3",
"value": "lastauthserverused.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706729936",
"to_ids": true,
"type": "md5",
"uuid": "bd717784-19da-41f0-b8db-30ee1aca89a8",
"value": "a739bd4c2b9f3679f43579711448786f"
}
]
},
{
"comment": "WARPWIRE credential harvester variant",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706729969",
"uuid": "46364464-737e-4d07-86ce-651524453c47",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706729969",
"to_ids": true,
"type": "filename",
"uuid": "9f5f3ad7-4957-4405-8ff8-de719271af45",
"value": "lastauthserverused.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706729969",
"to_ids": true,
"type": "md5",
"uuid": "f2a751b0-9d12-4c91-95e8-93ba3b7fbb4e",
"value": "a81813f70151a022ea1065b7f4d6b5ab"
}
]
},
{
"comment": "WARPWIRE credential harvester",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706729998",
"uuid": "4cc0f927-92e5-41b0-86b2-54644406aa6d",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706729998",
"to_ids": true,
"type": "filename",
"uuid": "35f5aa5b-5f16-496b-887b-92be5fa8c9d4",
"value": "lastauthserverused.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706729998",
"to_ids": true,
"type": "md5",
"uuid": "2b5355d0-8d3b-4c5f-9664-35e9588240c9",
"value": "d0c7a334a4d9dcd3c6335ae13bee59ea"
}
]
},
{
"comment": "WARPWIRE credential harvester variant",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706730040",
"uuid": "35de57af-16b4-4d68-bd64-77c60384c996",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706730040",
"to_ids": true,
"type": "filename",
"uuid": "437c1bcd-766e-4e77-a123-971e5bb6d269",
"value": "lastauthserverused.js"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706730040",
"to_ids": true,
"type": "md5",
"uuid": "c6235f72-a846-4087-b1d5-bd6dc967efb4",
"value": "e8489983d73ed30a4240a14b1f161254"
}
]
},
{
"comment": "FRAMESTING web shell",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1706730073",
"uuid": "36a21306-6be1-4007-81fe-8f6754eeea8f",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1706730073",
"to_ids": true,
"type": "filename",
"uuid": "3e46f09e-4df8-4b85-a1bf-04da9bf5eb61",
"value": "category.py"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1706730073",
"to_ids": true,
"type": "md5",
"uuid": "add8c276-8092-4857-9cf5-5043337a99a7",
"value": "465600cece80861497e8c1c86a07a23e"
}
]
}
],
"EventReport": [
{
"name": "Report from - https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises (1706629030)",
"content": "# KrustyLoader - Rust malware linked to Ivanti ConnectSecure compromises\r\n\r\n Written by Th\u00c3\u00a9o Letailleur - 29/01/2024 - in CSIRT - Download On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution. Volexity and Mandiant published articles reporting how these vulnerabilities were actively exploited by a threat actor. On 18th January, Volexity published new observations including hashes of Rust payloads downloaded on compromised Ivanti Connect Secure instances. This article presents a malware analysis of these unidentified Rust payloads that I labelled as KrustyLoader.\r\n\r\n ## Introduction\r\n\r\n On 10th January 2024, Ivanti disclosed two zero-day critical vulnerabilities affecting Connect Secure VPN product: CVE-2024-21887 and CVE-2023-468051 allowing unauthenticated remote code execution. Volexity2 and Mandiant3 published several articles showing how these vulnerabilities were actively exploited by a threat actor, tracked by Volexity as UTA0178 and by Mandiant as UNC5221.\r\n\r\n On 18th January, Volexity published new indicators of compromise4 including Rust payloads downloaded on compromised Ivanti Connect Secure appliances. Then on 21st and 24th of January, I published two posts on X5\u00c2 6 summarizing the behaviour of those 12 Rust payloads. They share almost 100% code similarity and their main purpose is to download and execute a Sliver backdoor. I personally labelled this piece of malware as *KrustyLoader*.\r\n\r\n Therefore, the purpose of this article is to provide more insights on this malware, reversing tips, as well as a script that automatically extracts the encrypted URL from any similar sample.\r\n\r\n ## Basic information\r\n\r\n KrustyLoader basic information SHA256 47ff0ae9220a09bfad2a2fb1e2fa2c8ffe5e9cb0466646e2a940ac2e0cf55d04\r\n\r\n 816754f6eaf72d2e9c69fe09dcbe50576f7a052a1a450c2a19f01f57a6e13c17\r\n\r\n c26da19e17423ce4cb4c8c47ebc61d009e77fc1ac4e87ce548cf25b8e4f4dc28\r\n\r\n c7ddd58dcb7d9e752157302d516de5492a70be30099c2f806cb15db49d466026\r\n\r\n d14122fa7883b89747f273c44b1f71b81669a088764e97256f97b4b20d945ed0\r\n\r\n 6f684f3a8841d5665d083dcf62e67b19e141d845f6c13ee8ba0b6ccdec591a01\r\n\r\n a4e1b07bb8d6685755feca89899d9ead490efa9a6b6ccc00af6aaea071549960\r\n\r\n ef792687b8bcd3c03bed4b09c4722bba921536802afe01f7cdb01cc7c3c60815\r\n\r\n 76902d101997df43cd6d3ac10470314a82cb73fa91d212b97c8f210d1fa8271f\r\n\r\n e47b86b8df43c8c1898abef15b8b7feffe533ae4e1a09e7294dd95f752b0fbb2\r\n\r\n 73657c062a7cc50a3d51853ec4df904bcb291fdc9cdd08eecaecb78826eb49b6\r\n\r\n 030eb56e155fb01d7b190866aaa8b3128f935afd0b7a7b2178dc8e2eb84228b0\r\n\r\n File type ELF 64-bit LSB pie executable x86\\_64 stripped, static-pie linked File size 878824 bytes Threat Linux Rust downloader \u00c2 \r\n\r\n Screenshots and extracts on this article are based on sample *030eb56e1[...]84228b0* (the highlighted hash above), but \u00e2\u0080\u0093 as they are similar \u00e2\u0080\u0093 the logic is the same for the other payloads.\r\n\r\n ## Code analysis approach\r\n\r\n *You will not find a deep analysis into assembly code with tons of IDA screenshots, because it does not bring much value in this context. However, I find more interesting to explain what is my approach to quickly spot the useful parts of the code and get a general idea of its behaviour.*\r\n\r\n Usually we would start from the entry point and determine the flow of execution, symbols, and API functions. However, there are several difficulties to consider when reversing a Rust-based executable:\r\n\r\n \r\n * The executable is statically linked, meaning that libraries are embedded into the executable, including Rust crates and the libc: it adds lots of functions that are not important to spend time during malware analysis.\r\n * Since Rust is a high-level programming language, its abstractions tend to bring a \u00e2\u0080\u009cnatural\u00e2\u0080\u009d obfuscation to the program code wi
"id": "358",
"event_id": "206742",
"timestamp": "1706629055",
"uuid": "7b9a9467-7bd1-4364-a4c2-c6c50edbf0f3",
"deleted": false
}
]
}
}