{ "Event": { "analysis": "2", "date": "2018-01-23", "extends_uuid": "", "info": "OSINT - Analyzing CrossRAT", "publish_timestamp": "1518771211", "published": true, "threat_level_id": "3", "timestamp": "1517454034", "uuid": "5a719a5d-ba14-4ec4-b4b8-4c94950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#4bec00", "local": false, "name": "enisa:nefarious-activity-abuse=\"remote-access-tool\"", "relationship_type": "" }, { "colour": "#850048", "local": false, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster-values\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:rat=\"CrossRat\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404415", "to_ids": false, "type": "comment", "uuid": "5a719a75-8c84-4da4-a006-41dd950d210f", "value": "The EFF/Lookout report describes CrossRat as a \u201cnewly discovered desktop surveillanceware tool\u2026which is able to target Windows, OSX, and Linux.\u201d Of course the OSX (macOS) part intrigues me the most, so this post may have somewhat of a \u2018Mac-slant.\u2019" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404415", "to_ids": false, "type": "link", "uuid": "5a719a99-1774-46c6-820b-4b7d950d210f", "value": "https://digitasecurity.com/blog/2018/01/23/crossrat/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404415", "to_ids": true, "type": "filename", "uuid": "5a71ac17-ec40-42e2-ac4d-47ec950d210f", "value": "mediamgrs.jar" }, { "category": "Network activity", "comment": "on port 2223.", "deleted": false, "disable_correlation": 
false, "timestamp": "1517404416", "to_ids": true, "type": "domain", "uuid": "5a71acc8-fcc0-4835-8908-46fd950d210f", "value": "flexberry.com" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404416", "to_ids": false, "type": "filename", "uuid": "5a71acef-87b0-4f2d-a464-4844950d210f", "value": "crossrat/client.class" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404416", "to_ids": false, "type": "filename", "uuid": "5a71acef-d690-4c29-bdad-4574950d210f", "value": "crossrat/k.class" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1517404417", "to_ids": false, "type": "filename", "uuid": "5a71ad6b-4fe4-41ef-b4f2-452a950d210f", "value": "crossrat/j.class" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "9", "timestamp": "1517394738", "uuid": "5a719b32-1108-47a6-aa7c-4847950d210f", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1517394738", "to_ids": true, "type": "filename", "uuid": "5a719b32-fbc0-4cff-bb3d-4f9f950d210f", "value": "hmar6.jar" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517394739", "to_ids": true, "type": "sha256", "uuid": "5a719b33-3644-4c1c-9cec-488f950d210f", "value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1517394739", "to_ids": false, "type": "text", "uuid": 
"5a719b33-71d8-4268-873b-4fd9950d210f", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1517404420", "uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3", "ObjectReference": [ { "comment": "", "object_uuid": "ba79aee9-019a-4cf1-aa7e-8dd9c091d4c3", "referenced_uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1", "relationship_type": "analysed-with", "timestamp": "1518771211", "uuid": "5a71c104-4034-4505-b082-406702de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1517404417", "to_ids": true, "type": "sha1", "uuid": "5a71c101-ef58-4aca-985d-441702de0b81", "value": "b23e070dadc997759574d5ee92c7753b84968f50" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1517404418", "to_ids": true, "type": "md5", "uuid": "5a71c102-4654-4c01-9262-475602de0b81", "value": "85b794e080d83a91e904b97769e1e770" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1517404418", "to_ids": true, "type": "sha256", "uuid": "5a71c102-4f64-4ca5-877a-499102de0b81", "value": "15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1517404419", "uuid": "3883cdf4-fe7a-4c52-beb5-8b4ab2ee37d1", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1517404419", "to_ids": 
false, "type": "link", "uuid": "5a71c103-d788-427c-823b-49f802de0b81", "value": "https://www.virustotal.com/file/15af5bbf3c8d5e5db41fd7c3d722e8b247b40f2da747d5c334f7fd80b715a649/analysis/1517401865/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1517404419", "to_ids": false, "type": "text", "uuid": "5a71c103-59d4-42dd-a748-4e6f02de0b81", "value": "33/57" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1517404419", "to_ids": false, "type": "datetime", "uuid": "5a71c103-c41c-4d36-aecf-453202de0b81", "value": "2018-01-31T12:31:05" } ] }, { "comment": "", "deleted": false, "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "6", "timestamp": "1517409088", "uuid": "5a71d340-9298-45fe-a0d4-43b8950d210f", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1517409088", "to_ids": true, "type": "domain", "uuid": "5a71d340-95b8-4ba8-9256-4243950d210f", "value": "flexberry.com" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "dst-port", "timestamp": "1517409089", "to_ids": false, "type": "port", "uuid": "5a71d341-be70-4699-9f93-434f950d210f", "value": "2223" } ] } ] } }