{ "Event": { "analysis": "0", "date": "2019-01-26", "extends_uuid": "", "info": "2019-01-25: Lazarus Pakistan Toolkits", "publish_timestamp": "1622020145", "published": true, "threat_level_id": "2", "timestamp": "1621849995", "uuid": "5c4cb9a7-0454-42eb-8f63-383368f8e8cf", "Orgc": { "name": "VK-Intel", "uuid": "5bfa439e-c978-4dcd-b474-73f568f8e8cf" }, "Tag": [ { "colour": "#e0b538", "local": "0", "name": "Actor: Lazarus", "relationship_type": "" }, { "colour": "#302c04", "local": "0", "name": "DPRK", "relationship_type": "" }, { "colour": "#403c80", "local": "0", "name": "Malware: PowerRatankba,b", "relationship_type": "" }, { "colour": "#7036f2", "local": "0", "name": "PowerShell Installer", "relationship_type": "" }, { "colour": "#2be799", "local": "0", "name": "Keylogger", "relationship_type": "" }, { "colour": "#b11b8a", "local": "0", "name": "Country: Pakistan", "relationship_type": "" }, { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#13eb00", "local": "0", "name": "misp-galaxy:threat-actor=\"Lazarus Group\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"PowerRatankba\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:malpedia=\"Lazarus\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-enterprise-attack-intrusion-set=\"Lazarus Group - G0032\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-intrusion-set=\"Lazarus Group\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:tool=\"PowerRatankba\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1548532135", "to_ids": true, "type": "md5", "uuid": "5c4cb9a7-3684-4f00-bff9-383368f8e8cf", "value": "c9ed87e9f99c631cda368f6f329ee27e" }, { "category": "Payload installation", "comment": "Lazarus Tools", "deleted": false, "disable_correlation": false, "timestamp": "1548532274", "to_ids": true, "type": "md5", "uuid": "5c4cba32-e9e4-4bbf-8396-383068f8e8cf", "value": "c9ed87e9f99c631cda368f6f329ee27e" }, { "category": "Payload installation", "comment": "Lazarus Tools", "deleted": false, "disable_correlation": false, "timestamp": "1548532274", "to_ids": true, "type": "md5", "uuid": "5c4cba32-070c-42ba-a0e0-383068f8e8cf", "value": "5cc28f3f32e7274f13378a724a5ec33a" }, { "category": "Payload installation", "comment": "Lazarus Tools", "deleted": false, "disable_correlation": false, "timestamp": "1548532274", "to_ids": true, "type": "md5", "uuid": "5c4cba32-0238-4c6d-b8e2-383068f8e8cf", "value": "2025d91c1cdd33db576b2c90ef4067c7" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1548532356", "to_ids": true, "type": "url", "uuid": "5c4cba84-aed4-452e-8eb2-4e2768f8e8cf", "value": "https://ecombox.store/tbl_add.php?action=cgetpsa" }, { "category": "Network activity", "comment": "C2", "deleted": false, "disable_correlation": false, "timestamp": "1548532356", "to_ids": true, "type": "url", "uuid": "5c4cba84-c3c8-422c-a870-4e2768f8e8cf", "value": "https://ecombox.store/tbl_add.php?action=cgetrun" }, { "category": "Payload delivery", "comment": "Yara for Keylogger", "deleted": false, "disable_correlation": false, "timestamp": "1548585989", "to_ids": false, "type": "yara", "uuid": "5c4cbbd2-1258-453f-b07d-383068f8e8cf", "value": "rule APT_Lazarus_Keylogger {\r\n meta:\r\n description = \"Detects possible Lazarus Keylogger\"\r\n author = \"@VK_Intel\"\r\n date = \"2019-01-25\"\r\n strings:\r\n\t$s0 = \"%s%s\" fullword ascii wide\r\n\t$s1 = \"[ENTER]\" fullword ascii wide \r\n\t$s2 = \"[EX]\" fullword ascii wide\r\n\t$s3 = \"%02d:%02d\" fullword ascii wide\r\n \r\n \r\n\t$dll0 = \"PSLogger.dll\" fullword ascii wide\r\n\t$dll1 = \"capture_x64.dll\" fullword ascii wide \r\n\t$exe = \"PSLogger.exe\" fullword ascii wide\r\n \r\n condition:\r\n\tuint16(0) == 0x5a4d and all of ($s*) and (1 of ($dll*) or $exe)\r\n }" }, { "category": "External analysis", "comment": "Original MISP event", "deleted": false, "disable_correlation": false, "timestamp": "1548586255", "to_ids": false, "type": "link", "uuid": "5c4d8bce-3e80-4dc4-9820-436102de0b81", "value": "https://github.com/k-vitali/apt_lazarus_toolkits/blob/master/2019-01-26.lazarus_pakistan_misp_vk.json", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0082e1", "local": "0", "name": "osint:certainty=\"75\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "Original blog post", "deleted": false, "disable_correlation": false, "timestamp": "1548586254", "to_ids": false, "type": "link", "uuid": "5c4d8bf5-85c8-4424-a35f-4dd602de0b81", "value": "https://www.vkremez.com/2019/01/lets-learn-dissecting-lazarus.html", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0082e1", "local": "0", "name": "osint:certainty=\"75\"", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1548586035", "uuid": "49032699-f4cf-4808-a272-9ca316968a35", "ObjectReference": [ { "comment": "", "object_uuid": "49032699-f4cf-4808-a272-9ca316968a35", "referenced_uuid": "c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6", "relationship_type": "analysed-with", "timestamp": "1621849995", "uuid": "5c4d8c34-3a40-4bb6-bf80-4ee802de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548586036", "to_ids": true, "type": "md5", "uuid": "30a7f4f9-7042-409b-89fd-5bbbb1071402", "value": "c9ed87e9f99c631cda368f6f329ee27e" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548586036", "to_ids": true, "type": "sha1", "uuid": "b3c9ea66-7f0e-41d4-9275-44f1aadb2996", "value": "943feef623db1143f4b9c957fee4c94753cfb6a5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548586036", "to_ids": true, "type": "sha256", "uuid": "fdedfbee-bab6-464b-86d7-c3ad7ef6f3ab", "value": "802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548586036", "uuid": "c3f88cfe-b795-4813-aaf3-3e8dcc5aceb6", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548586036", "to_ids": false, "type": "datetime", "uuid": "7b3cc6f2-b07f-457e-b07b-d540d8411068", "value": "2019-01-26T18:54:38" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548586036", "to_ids": false, "type": "link", "uuid": "a0ecf930-b40e-4994-a828-67700f5f7c7e", "value": "https://www.virustotal.com/file/802efe9c41909354921009bd54be7dcf1ee14fcfaf62dacbcdaafbe051a711e3/analysis/1548528878/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548586036", "to_ids": false, "type": "text", "uuid": "44dca040-d0e5-4292-9239-670b5be27c9b", "value": "2/56" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1548586036", "uuid": "a45c3106-dec5-404d-acfc-8d00abde20c1", "ObjectReference": [ { "comment": "", "object_uuid": "a45c3106-dec5-404d-acfc-8d00abde20c1", "referenced_uuid": "f8013005-dcd4-4c9f-9277-143df2440b9b", "relationship_type": "analysed-with", "timestamp": "1621849995", "uuid": "5c4d8c34-a3f8-4ee5-ad31-4caf02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548586036", "to_ids": true, "type": "md5", "uuid": "a5c6b587-af55-4ded-bb5e-247a219f79d5", "value": "2025d91c1cdd33db576b2c90ef4067c7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548586036", "to_ids": true, "type": "sha1", "uuid": "d157e754-e19f-4480-8f86-0113748ab373", "value": "ec80c302c91c6caf5343cfd3fabf43b0bbd067a5" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548586036", "to_ids": true, "type": "sha256", "uuid": "d0476a87-7a08-4cad-866c-9b2f38e8a8de", "value": "bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548586036", "uuid": "f8013005-dcd4-4c9f-9277-143df2440b9b", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548586036", "to_ids": false, "type": "datetime", "uuid": "44f0d1c6-d716-4e81-9349-5d1f1de27808", "value": "2019-01-25T21:10:16" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548586036", "to_ids": false, "type": "link", "uuid": "2e44c2c4-bb77-4f87-a9d0-5162e7ce0712", "value": "https://www.virustotal.com/file/bed916831e8c9babfb6d08644058a61e3547d621f847c081309f616aed06c2fe/analysis/1548450616/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548586036", "to_ids": false, "type": "text", "uuid": "e80a9946-d609-4362-b9e4-ff861a117761", "value": "3/68" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "11", "timestamp": "1548586036", "uuid": "88a6f7a4-9334-4ba6-af2d-93defaae48d4", "ObjectReference": [ { "comment": "", "object_uuid": "88a6f7a4-9334-4ba6-af2d-93defaae48d4", "referenced_uuid": "de16e29f-b02f-4768-a6a2-18ea57310af0", "relationship_type": "analysed-with", "timestamp": "1621849995", "uuid": "5c4d8c34-e44c-4f98-83d0-4d8502de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1548586036", "to_ids": true, "type": "md5", "uuid": "818bd3a8-031c-47e6-8574-23e832fc625f", "value": "5cc28f3f32e7274f13378a724a5ec33a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1548586036", "to_ids": true, "type": "sha1", "uuid": "a1be4cc8-c1c4-41c3-aae7-24b91913daad", "value": "32292b4e125287a6567e3879d53d0d8d82bcdf01" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1548586036", "to_ids": true, "type": "sha256", "uuid": "74d6e72e-02c3-45ff-8f90-6a69a73d5b70", "value": "18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "2", "timestamp": "1548586036", "uuid": "de16e29f-b02f-4768-a6a2-18ea57310af0", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1548586036", "to_ids": false, "type": "datetime", "uuid": "e37a032b-0abd-4860-a6fd-5e6a98537472", "value": "2019-01-26T22:25:46" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1548586036", "to_ids": false, "type": "link", "uuid": "4c46bec8-3b2d-4494-a2de-12288573a536", "value": "https://www.virustotal.com/file/18f0ad8c58558d6eb8129f32cbc2905d0b63822185506b7c3bca49d423d837c7/analysis/1548541546/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1548586036", "to_ids": false, "type": "text", "uuid": "ab18849e-cd56-4123-b59e-5086417c0d7f", "value": "3/56" } ] } ] } }