{ "Event": { "analysis": "2", "date": "2022-08-19", "extends_uuid": "", "info": "OSINT - JSSLoader: the shellcode edition", "publish_timestamp": "1660912855", "published": true, "threat_level_id": "3", "timestamp": "1660912821", "uuid": "013585af-ba0a-480a-8f2f-48df896d9229", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-intrusion-set=\"FIN7 - G0046\"", "relationship_type": "" }, { "colour": "#dd5a72", "local": false, "name": "misp-galaxy:threat-actor=\"FIN7\"", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": false, "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": false, "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "33ff2767-0cd0-4f23-8d5e-ef4e7c599a31", "value": "cc2171d14d0d3c4d117155185f7c911f781aac15b57adef6c32eb0149d5da3ba" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "328fe82a-fbab-4589-9a7b-11e5caef263a", "value": "bf1371e2d79115fc7cfc89266cd7a59c02b04a74e1246435392eb5e20c661d8f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "42764a9c-4661-481b-acd0-66649ddcf5cb", "value": "b08e713196b712c42da2df9da7836d270306065fbf6d4720f25d80e4104daf38" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, 
"type": "sha256", "uuid": "6b066e8f-f78f-43f4-9331-8cdd54c8e719", "value": "7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "3d35309b-d8b1-4c14-b565-2d158cbc6b59", "value": "7a17ef218eebfdd4d3e70add616adcd5b78105becd6616c88b79b261d1a78fdf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "92e60ec9-126c-4708-b444-04ade49d2d2c", "value": "410cd107dfd37752936bd20d022ea614cd373aa9d37db255f65dc434e653236a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910204", "to_ids": true, "type": "sha256", "uuid": "2281dea8-11e1-4763-976a-f312d7fb0154", "value": "35f5c781d61d398ce47a8881228346a81afb4915bf083518bf2b4cc8d6a2685b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "sha1", "uuid": "9a498744-8261-428a-98bf-49d000228346", "value": "529f476f952fd1526d2038cb0012e5bdd8a702f3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "sha1", "uuid": "b765a67f-1c41-4c2f-92c0-c654b37adff5", "value": "0eaf6289dd7ebe8ae0879a4a72d1518e1d4ffac9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "md5", "uuid": "e081fdb9-1972-4090-bfc4-123e792897a1", "value": "f1aff007c04c6fd3739dbeac537edaaa" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "md5", "uuid": "6d0ce48e-c437-46de-ae24-7472fbea594b", "value": 
"4a1e60be00e59617d53122d70c64506c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "md5", "uuid": "1406da62-389f-4c9b-8112-8a2eeb651c48", "value": "4961aec62fac8beeafffa5bfc841fab8" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "md5", "uuid": "8d74be00-dc29-43aa-8497-db3684056d65", "value": "2956c03bff952b22387eed8172a26ba5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910304", "to_ids": true, "type": "md5", "uuid": "79754502-9a01-49f3-858f-9696336fd465", "value": "1e12ac069c1898ffe271ebdfcbd689c1" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910352", "to_ids": true, "type": "sha1", "uuid": "d72a4609-ff18-46b7-8921-eac3740002d4", "value": "d2742d7c4b7454745795c547594bb4f9dbddecfe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910352", "to_ids": true, "type": "sha1", "uuid": "00698b4e-497c-459d-94fa-e12da80c9008", "value": "9d0f6c8be3214eee1dda6ebb4bb41ef97cfe28b4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1660910352", "to_ids": true, "type": "sha1", "uuid": "cfdc5e5b-057b-49cd-b9db-646250947783", "value": "5c7b4da950b0f1845b38ef1aa11ca41b4731c766" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "7", "timestamp": "1660910745", "uuid": "aaff4760-ea84-46a6-a79a-27919f325ed3", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, 
"object_relation": "link", "timestamp": "1660910745", "to_ids": false, "type": "link", "uuid": "fadbc54c-4adb-46b8-9d9e-b001f35b0f44", "value": "https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1660910745", "to_ids": false, "type": "text", "uuid": "ddcaf51a-7f89-4427-b93d-82804562da14", "value": "JSSLoader: the shellcode edition" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "type", "timestamp": "1660910745", "to_ids": false, "type": "text", "uuid": "8555a473-687e-475b-943b-1d9cdb633669", "value": "Report" } ] }, { "comment": "Decoding of the strings is crucial for getting a deeper understanding of the malware functionality. The following tool was used for strings deobfuscation: https://gist.github.com/hasherezade/6eb355c2c81e640e7470fafe4db3f069 (it loads the original shellcode, and then deploys a decoding function out of it)", "deleted": false, "description": "GitHub user", "meta-category": "misc", "name": "github-user", "template_uuid": "4329b5e6-8e6a-4b55-8fd1-9033782017d4", "template_version": "3", "timestamp": "1660911074", "uuid": "9560a135-3e58-4c09-bade-b3109a40ec35", "Attribute": [ { "category": "Social network", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1660911074", "to_ids": false, "type": "github-username", "uuid": "3c958b8f-aa3c-4c6e-86c0-f303835be16e", "value": "hasherezade" }, { "category": "Social network", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "repository", "timestamp": "1660911074", "to_ids": false, "type": "github-repository", "uuid": "83112dd4-06fb-44d3-99da-9c3458d38ea9", "value": "https://gist.github.com/hasherezade/6eb355c2c81e640e7470fafe4db3f069" } ] }, { "comment": "generated listing", "deleted": false, "description": 
"GitHub user", "meta-category": "misc", "name": "github-user", "template_uuid": "4329b5e6-8e6a-4b55-8fd1-9033782017d4", "template_version": "3", "timestamp": "1660911217", "uuid": "c41f294b-2395-4d53-a671-577483c9180b", "Attribute": [ { "category": "Social network", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "username", "timestamp": "1660911217", "to_ids": false, "type": "github-username", "uuid": "b32b4209-2439-4aa4-842e-c54b189bde12", "value": "hasherezade" }, { "category": "Social network", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "repository", "timestamp": "1660911217", "to_ids": false, "type": "github-repository", "uuid": "1ce528f7-24dc-4602-968c-fd2e019c9909", "value": "https://gist.github.com/hasherezade/4048e435cda43be374277afb06744ab1" } ] } ] } }