{ "Event": { "analysis": "2", "date": "2015-01-29", "extends_uuid": "", "info": "OSINT New 'f0xy' malware is intelligent - employs cunning stealth & trickery from Websense", "publish_timestamp": "1456152025", "published": true, "threat_level_id": "3", "timestamp": "1422603841", "uuid": "54cb3580-cde4-4b39-bf8c-443f950d210b", "Orgc": { "name": "CthulhuSPRL.be", "uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f" }, "Tag": [ { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#33FF00", "local": false, "name": "tlp:green", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603660", "to_ids": false, "type": "text", "uuid": "54cb358c-2360-4acd-ab3c-de9b950d210b", "value": "f0xy" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603668", "to_ids": false, "type": "link", "uuid": "54cb3594-3d30-40d0-a49f-cf08950d210b", "value": "http://community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603714", "to_ids": true, "type": "sha1", "uuid": "54cb35c2-dc18-4a6f-88c0-05f5950d210b", "value": "080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603714", "to_ids": true, "type": "sha1", "uuid": "54cb35c2-5204-42c6-b115-05f5950d210b", "value": "c25da337ec5ac041312b062e7fb697e4f01ca8d9" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-c3e4-44be-b112-05f5950d210b", "value": "cd4e297928502dece4545acbe0b94dd1270f955c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-b894-4128-8f54-05f5950d210b", "value": "adbf0e4d37e381fe7599695561262d1a65205317" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-7d8c-484c-af92-05f5950d210b", "value": "54d2810aaae67da9fa24f4e11f4c2d5fe4d2b6d4" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-b0bc-4486-9a2b-05f5950d210b", "value": "7de3ed8f751a528fde1688d35c6eb5533b09ae11" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-7f58-4d2c-9f87-05f5950d210b", "value": "812e453c22e1a9f70b605cd27d3f642c3778d96d" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-db14-4dcc-805a-05f5950d210b", "value": "55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-10dc-4465-a0cd-05f5950d210b", "value": "e80d7f27405ece2697a05d6c2612c63335851490" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-ad38-4403-9de4-05f5950d210b", "value": "f4f1d8bceb62c72f2fe6713c5395555917fc40ad" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-8268-473b-b22a-05f5950d210b", "value": "2a4837fdb331f823ca474f521248b2cdb766528f" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603715", "to_ids": true, "type": "sha1", "uuid": "54cb35c3-2828-425d-a232-05f5950d210b", "value": "f522e0893ec97438c6184e13adc48219f08b67d8" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603733", "to_ids": true, "type": "ip-dst", "uuid": "54cb35d5-6090-4c3e-8660-c32e950d210b", "value": "185.53.169.79" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603755", "to_ids": true, "type": "filename", "uuid": "54cb35eb-a9f0-4877-8ad1-4b9d950d210b", "value": "%appdata%\\Microsoft\\svchost.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603755", "to_ids": true, "type": "filename", "uuid": "54cb35eb-bcb8-4b6a-8d62-49d9950d210b", "value": "%appdata%\\Microsoft\\f0xyupdate.exe" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603790", "to_ids": true, "type": "regkey", "uuid": "54cb360e-7f00-4311-aed4-4505950d210b", "value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603804", "to_ids": true, "type": "yara", "uuid": "54cb361c-7c88-4d35-b0e0-cf08950d210b", "value": "rule ws_f0xy_downloader {\r\n\r\n meta:\r\n\r\n description = \"f0xy malware downloader\"\r\n author = \"Nick Griffin (Websense)\"\r\n\r\n strings:\r\n\r\n $mz=\"MZ\"\r\n $string1=\"bitsadmin /transfer\"\r\n $string2=\"del rm.bat\"\r\n $string3=\"av_list=\"\r\n\r\n condition:\r\n\r\n ($mz at 0) and (all of ($string*))\r\n}" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1422603841", "to_ids": false, "type": "comment", "uuid": "54cb3641-6244-4691-98b0-8154950d210b", "value": "Data entered by David Andr\u00c3\u00a9" }, { "category": "Payload delivery", "comment": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455836901", "to_ids": true, "type": "md5", "uuid": "56c64ee5-9114-4be4-b1e4-4ebc950d210f", "value": "f2eccbc5d545221c0d0906a5808f90c6" }, { "category": "Payload delivery", "comment": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)", "deleted": false, "disable_correlation": false, "timestamp": "1455836903", "to_ids": true, "type": "md5", "uuid": "56c64ee7-05e8-4d4d-814e-59a0950d210f", "value": "d46d7edd10bbb3c2d2158606e329ea6d" }, { "category": "Payload delivery", "comment": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)", "deleted": false, "disable_correlation": false, "timestamp": "1455836905", "to_ids": true, "type": "md5", "uuid": "56c64ee9-1378-4314-852a-c654950d210f", "value": "f6ae08aba0a188963e8c299db6a14c0e" }, { "category": "Payload delivery", "comment": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)", "deleted": false, "disable_correlation": false, "timestamp": "1455836907", "to_ids": true, "type": "md5", "uuid": "56c64eeb-a314-4f12-b561-4c62950d210f", "value": "dc645cf749611aca49a4e3e6a7c0eb49" }, { "category": "Payload delivery", "comment": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)", "deleted": false, "disable_correlation": false, "timestamp": "1455836908", "to_ids": true, "type": "md5", "uuid": "56c64eec-6798-4b97-a239-5f51950d210f", "value": "dc4345fe0a312b8b035daa9711b099a7" }, { "category": "Payload delivery", "comment": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)", "deleted": false, "disable_correlation": false, "timestamp": "1455836912", "to_ids": true, "type": "md5", "uuid": "56c64ef0-65e4-42d1-bcd9-599c950d210f", "value": "160634d784c256d29563117554685c31" }, { "category": "Payload delivery", "comment": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)", "deleted": false, "disable_correlation": false, "timestamp": "1455836902", "to_ids": true, "type": "sha256", "uuid": "56c64ee6-e9f0-4c93-81f4-599e950d210f", "value": "0c4196bd5f2dea9ded5da5b23f081a713f6452e9a64f9e3898854a6c9d81e412" }, { "category": "Payload delivery", "comment": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)", "deleted": false, "disable_correlation": false, "timestamp": "1455836903", "to_ids": true, "type": "sha256", "uuid": "56c64ee7-9ad4-4c88-a202-4028950d210f", "value": "21ed2d1ed704979292ccab5512244423b522fda486ef52fd73b6f851321affb9" }, { "category": "Payload delivery", "comment": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)", "deleted": false, "disable_correlation": false, "timestamp": "1455836905", "to_ids": true, "type": "sha256", "uuid": "56c64ee9-fd34-418d-979b-5ca1950d210f", "value": "2e832777a77f5cc7cfa05183253440484c614733547a4ea0f2f75cfafc165e39" }, { "category": "Payload delivery", "comment": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)", "deleted": false, "disable_correlation": false, "timestamp": "1455836907", "to_ids": true, "type": "sha256", "uuid": "56c64eeb-e2fc-420e-afe8-59a0950d210f", "value": "4d235e31ee278255918157b999fb5987a0cac95cf3ca231950a7adfe49ffc4d7" }, { "category": "Payload delivery", "comment": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)", "deleted": false, "disable_correlation": false, "timestamp": "1455836910", "to_ids": true, "type": "sha256", "uuid": "56c64eee-d864-4b3c-8999-59a4950d210f", "value": "8b62000e09a00755eb9e08523e07b9aef292c96a423d28c863bd018ebba3636d" }, { "category": "Payload delivery", "comment": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)", "deleted": false, "disable_correlation": false, "timestamp": "1455836913", "to_ids": true, "type": "sha256", "uuid": "56c64ef1-a8d8-4d2a-a63f-47c0950d210f", "value": "c85940369a8028803460baf600203c435179611769a9850a2aef7fb45d2c86d7" } ] } }