{ "Event": { "analysis": "2", "date": "2019-12-23", "extends_uuid": "", "info": "OSINT - Reversing a real-world 249 bytes backdoor!", "publish_timestamp": "1577112250", "published": true, "threat_level_id": "3", "timestamp": "1577112228", "uuid": "5e00d123-d688-417f-aafe-40fb02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "name": "type:OSINT" }, { "colour": "#0071c3", "name": "osint:lifetime=\"perpetual\"" }, { "colour": "#0087e8", "name": "osint:certainty=\"50\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#2c0037", "name": "ms-caro-malware:malware-type=\"Backdoor\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1577112123", "to_ids": false, "type": "link", "uuid": "5e00d23b-051c-4038-866e-4aaa02de0b81", "value": "https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32?gi=af1848a0c8d6" } ], "Object": [ { "comment": "Apparently it tries to make a socket and connect to the IP address: 104.248.237.194 on port number 1337. 
This ip address is owned by Digital Ocean.", "deleted": false, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "name": "ip-port", "template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "template_version": "8", "timestamp": "1577111942", "uuid": "5e00d186-98c8-4333-8ce9-464802de0b81", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1577111942", "to_ids": true, "type": "ip-dst", "uuid": "5e00d186-906c-4b0f-90c6-4b2002de0b81", "value": "104.248.237.194" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "dst-port", "timestamp": "1577111943", "to_ids": false, "type": "port", "uuid": "5e00d187-21a0-4462-af53-411602de0b81", "value": "1337" } ] }, { "comment": "Epic! This 249 byte backdoor can run any shellcode we give it. 
The attackers can deploy it on an offshore IP address and execute arbitrary instructions on the victim\u2019s box.", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "18", "timestamp": "1577112228", "uuid": "5e00d1ba-d438-4138-90ad-427802de0b81", "ObjectReference": [ { "comment": "", "object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81", "referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81", "relationship_type": "connects-to", "timestamp": "1577112019", "uuid": "5e00d1d4-c114-4a6e-af6e-401902de0b81" }, { "comment": "", "object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81", "referenced_uuid": "5e00d259-cf84-4973-84be-41ac02de0b81", "relationship_type": "related-to", "timestamp": "1577112228", "uuid": "5e00d2a4-5050-4d46-8eb9-422c02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1577111994", "to_ids": true, "type": "md5", "uuid": "5e00d1ba-00d8-454c-8dea-434e02de0b81", "value": "93363683dcf1ccc4db296fa5fde69b71" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1577111995", "to_ids": true, "type": "sha1", "uuid": "5e00d1bb-a874-4883-aed0-478f02de0b81", "value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "17", "timestamp": "1577112202", "uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d", "ObjectReference": [ { "comment": "", "object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d", "referenced_uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea", "relationship_type": 
"analysed-with", "timestamp": "1577112077", "uuid": "5e00d20d-70a0-4d2a-b4f3-4be702de0b81" }, { "comment": "", "object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d", "referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81", "relationship_type": "connects-to", "timestamp": "1577112202", "uuid": "5e00d28a-3a3c-40f9-8c10-43f902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1577111995", "to_ids": true, "type": "md5", "uuid": "46d8a2f5-3b3f-429f-a4da-f5997e0e248d", "value": "93363683dcf1ccc4db296fa5fde69b71" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1577111995", "to_ids": true, "type": "sha1", "uuid": "b0f200bb-2129-4771-9280-e60954c4346d", "value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1577111995", "to_ids": true, "type": "sha256", "uuid": "5e7c2942-9b88-48a6-99e8-00c5246bd169", "value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1577112076", "uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1577111995", "to_ids": false, "type": "datetime", "uuid": "455902f8-0097-4722-b3e8-632b0576b786", "value": "2019-12-23T14:37:22" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1577111995", "to_ids": false, "type": "link", "uuid": 
"8e8622e6-c217-4007-b5b1-f687b7229150", "value": "https://www.virustotal.com/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/analysis/1577111842/" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1577111995", "to_ids": false, "type": "text", "uuid": "9eace253-03a3-48a4-b9df-372f58d000fe", "value": "16/60" } ] }, { "comment": "The payload", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "18", "timestamp": "1577112153", "uuid": "5e00d259-cf84-4973-84be-41ac02de0b81", "Attribute": [ { "category": "Payload delivery", "comment": "", "data": "UEsDBBQACQAIAFF1l0/yRZ1UsgAAAPkAAAAgABwAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAAvqjt0iUIi4uyNisDgBbMaHCnsKqPxjxpPH/j7WjbigFyFZA/IjIYjAG+CYO0Z4hGM+ugnHUGqFnGgUZG9pDrFQxcSI06cNK19h+1W8HjHTIGLnsIXlwIYPEyVaTS7mpAP9Cp/67AnVBRTqd9OiDzStsPebcgilKPPiXPmG3PvTFWBBCtEcVIwswY6e3dSDdUsZJ77r11CBOk89VTgD49ONCQx5n3uP0Gj9dDUCyQ+TrGiFBLBwjyRZ1UsgAAAPkAAABQSwMECgAJAAAAUXWXT+YK5VMTAAAABwAAAC0AHAA5MzM2MzY4M2RjZjFjY2M0ZGIyOTZmYTVmZGU2OWI3MS5maWxlbmFtZS50eHRVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAA5ApOcJaEASZbKJeSi3wsUB8AIVBLBwjmCuVTEwAAAAcAAABQSwECHgMUAAkACABRdZdP8kWdVLIAAAD5AAAAIAAYAAAAAAAAAAAApIEAAAAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAUAA1nSAF51eAsAAQQhAAAABCEAAABQSwECHgMKAAkAAABRdZdP5grlUxMAAAAHAAAALQAYAAAAAAABAAAApIEcAQAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzEuZmlsZW5hbWUudHh0VVQFAANZ0gBedXgLAAEEIQAAAAQhAAAAUEsFBgAAAAACAAIA2QAAAKYBAAAAAA==", "deleted": false, "disable_correlation": false, "object_relation": "malware-sample", "timestamp": "1577112153", "to_ids": true, "type": "malware-sample", "uuid": "5e00d259-8d4c-4fa8-bbea-4b7e02de0b81", "value": "pay.bin|93363683dcf1ccc4db296fa5fde69b71" }, { "category": "Payload 
delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "filename", "timestamp": "1577112153", "to_ids": false, "type": "filename", "uuid": "5e00d259-7370-4e58-bea0-4dfb02de0b81", "value": "pay.bin" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1577112153", "to_ids": true, "type": "md5", "uuid": "5e00d259-8c38-461a-9b02-43f702de0b81", "value": "93363683dcf1ccc4db296fa5fde69b71" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1577112153", "to_ids": true, "type": "sha1", "uuid": "5e00d259-b210-480a-85a7-497502de0b81", "value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1577112153", "to_ids": true, "type": "sha256", "uuid": "5e00d259-d1fc-4073-b121-488c02de0b81", "value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1577112154", "to_ids": false, "type": "size-in-bytes", "uuid": "5e00d25a-01c0-4481-8e5c-437802de0b81", "value": "249" } ] } ] } }