{ "Event": { "analysis": "2", "date": "2016-11-17", "extends_uuid": "", "info": "It\u2019s Parliamentary: KeyBoy and the targeting of the Tibetan Community", "publish_timestamp": "1602322972", "published": true, "threat_level_id": "2", "timestamp": "1588068722", "uuid": "582dd48e-66bc-40c1-ae49-6fe8d56c6cd2", "Orgc": { "name": "CiviCERT", "uuid": "56743359-c860-4361-b1dc-7b65d56c6cd2" }, "Tag": [ { "colour": "#316200", "local": false, "name": "circl:incident-classification=\"phishing\"", "relationship_type": "" }, { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:tool=\"KeyBoy\"", "relationship_type": "" } ], "Attribute": [ { "category": "Artifacts dropped", "comment": "Wab32res.exe legitimate file used for DLL side loading", "deleted": false, "disable_correlation": false, "timestamp": "1479399205", "to_ids": false, "type": "md5", "uuid": "582dd725-1a84-4454-b86e-7007d56c6cd2", "value": "8f08609e4e0b3d26814b3073a42df415" }, { "category": "Artifacts dropped", "comment": "Wab32res.dll payload, KeyBoy 20160509", "deleted": false, "disable_correlation": false, "timestamp": "1479399231", "to_ids": true, "type": "md5", "uuid": "582dd740-b944-4070-9b70-0692d56c6cd2", "value": "495adb1b9777002ecfe22aaf52fcee93" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy P_20150313", "deleted": false, "disable_correlation": false, "timestamp": "1479399247", "to_ids": true, "type": "md5", "uuid": "582dd74f-c72c-4221-bc3f-6fe8d56c6cd2", "value": "0c7e55509e0b6d4277b3facf864af018" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108", "deleted": false, "disable_correlation": false, "timestamp": "1479399261", "to_ids": true, "type": "md5", "uuid": "582dd75d-7a3c-4990-883d-0696d56c6cd2", "value": "98977426d544bd145979f65f0322ae30" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108", "deleted": false, "disable_correlation": false, "timestamp": "1479399277", "to_ids": true, "type": "md5", "uuid": "582dd76d-b590-4d21-9ff6-7005d56c6cd2", "value": "c5b5f01ba24d6c02636388809f44472e" }, { "category": "Artifacts dropped", "comment": "64b KeyBoy payload 20151108", "deleted": false, "disable_correlation": false, "timestamp": "1479399290", "to_ids": true, "type": "md5", "uuid": "582dd77a-cda4-42a0-9b86-7008d56c6cd2", "value": "371bc132499f455f06fa80696db0df27" }, { "category": "Artifacts dropped", "comment": "wab32res.dll, agewkassif version", "deleted": false, "disable_correlation": false, "timestamp": "1588068722", "to_ids": true, "type": "md5", "uuid": "582dd78b-1198-4b24-b6d3-7006d56c6cd2", "value": "087bffa8a570079948310dc9731c5709" }, { "category": "Artifacts dropped", "comment": "Contains the Keyboy version", "deleted": false, "disable_correlation": false, "timestamp": "1479399322", "to_ids": true, "type": "regkey", "uuid": "582dd79a-c36c-4329-952c-7007d56c6cd2", "value": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\Ver" }, { "category": "Artifacts dropped", "comment": "legitimate Microsoft Windows Address Book executable, used to load final payload", "deleted": false, "disable_correlation": false, "timestamp": "1479399347", "to_ids": false, "type": "sha256", "uuid": "582dd7b3-3fec-4380-b6a1-6ff1d56c6cd2", "value": "58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d" }, { "category": "Artifacts dropped", "comment": "Wab32res.dll payload, KeyBoy 20160509", "deleted": false, "disable_correlation": false, "timestamp": "1479399362", "to_ids": true, "type": "sha256", "uuid": "582dd7c2-7434-4d28-af67-7007d56c6cd2", "value": "9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04" }, { "category": "Artifacts dropped", "comment": "Wab32res.dll payload, KeyBoy agewkassif version", "deleted": false, "disable_correlation": false, "timestamp": "1479399379", "to_ids": true, "type": "sha256", "uuid": "582dd7d3-3800-473b-b088-7006d56c6cd2", "value": "5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399393", "to_ids": true, "type": "yara", "uuid": "582dd7e1-7bcc-4b5c-b6ef-6ff0d56c6cd2", "value": "import \"pe\"\r\nrule new_keyboy_export\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the new 2016 sample's export\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n\r\nfilesize < 200KB and\r\n\r\n\r\n//The malware family seems to share many exports\r\n//but this is the new kid on the block.\r\npe.exports(\"cfsUpdate\")\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399405", "to_ids": true, "type": "yara", "uuid": "582dd7ed-ff54-4450-9f8a-7008d56c6cd2", "value": "rule new_keyboy_header_codes\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's header codes\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"*l*\" wide fullword\r\n$s2 = \"*a*\" wide fullword\r\n$s3 = \"*s*\" wide fullword\r\n$s4 = \"*d*\" wide fullword\r\n$s5 = \"*f*\" wide fullword\r\n$s6 = \"*g*\" wide fullword\r\n$s7 = \"*h*\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\nall of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399417", "to_ids": true, "type": "yara", "uuid": "582dd7f9-5180-4a45-baff-7005d56c6cd2", "value": "rule keyboy_commands\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the 2016 sample's sent and received commands\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n$s1 = \"Update\" wide fullword\r\n$s2 = \"UpdateAndRun\" wide fullword\r\n$s3 = \"Refresh\" wide fullword\r\n$s4 = \"OnLine\" wide fullword\r\n$s5 = \"Disconnect\" wide fullword\r\n$s6 = \"Pw_Error\" wide fullword\r\n$s7 = \"Pw_OK\" wide fullword\r\n$s8 = \"Sysinfo\" wide fullword\r\n$s9 = \"Download\" wide fullword\r\n$s10 = \"UploadFileOk\" wide fullword\r\n$s11 = \"RemoteRun\" wide fullword\r\n$s12 = \"FileManager\" wide fullword\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n6 of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399436", "to_ids": true, "type": "yara", "uuid": "582dd80c-aa34-453f-9a06-6fe8d56c6cd2", "value": "rule keyboy_errors\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the sample's shell error2 log statements\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are in ASCII pre-2015 and UNICODE in 2016\r\n$error = \"Error2\" ascii wide\r\n//2016 specific:\r\n$s1 = \"Can't find [%s]!Check the file name and try again!\" ascii wide\r\n$s2 = \"Open [%s] error! %d\" ascii wide\r\n$s3 = \"The Size of [%s] is zero!\" ascii wide\r\n$s4 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s5 = \"UploadFile [%s] Error:Connect Server Failed!\" ascii wide\r\n$s6 = \"Receive [%s] Error(Recved[%d] != Send[%d])!\" ascii wide\r\n$s7 = \"Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s\" ascii wide\r\n$s8 = \"CreateThread UploadFile[%s] Error!\" ascii wide\r\n//Pre-2016:\r\n$s9 = \"Ready Download [%s] ok!\" ascii wide\r\n$s10 = \"Get ControlInfo from FileClient error!\" ascii wide\r\n$s11 = \"FileClient has a error!\" ascii wide\r\n$s12 = \"VirtualAlloc SendBuff Error(%d)\" ascii wide\r\n$s13 = \"ReadFile [%s] Error(%d)...\" ascii wide\r\n$s14 = \"ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error...\" ascii wide\r\n$s15 = \"CreateThread DownloadFile[%s] Error!\" ascii wide\r\n$s16 = \"RecvData MyRecv_Info Size Error!\" ascii wide\r\n$s17 = \"RecvData MyRecv_Info Tag Error!\" ascii wide\r\n$s18 = \"SendData szControlInfo_1 Error!\" ascii wide\r\n$s19 = \"SendData szControlInfo_3 Error!\" ascii wide\r\n$s20 = \"VirtualAlloc RecvBuff Error(%d)\" ascii wide\r\n$s21 = \"RecvData Error!\" ascii wide\r\n$s22 = \"WriteFile [%s} Error(%d)...\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n$error and 3 of ($s*)\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399459", "to_ids": true, "type": "yara", "uuid": "582dd817-deac-4afa-a4a9-0696d56c6cd2", "value": "rule keyboy_systeminfo\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the system information format before sending to C2\"\r\ndate = \"2016-08-28\"\r\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\r\n\r\nstrings:\r\n//These strings are ASCII pre-2015 and UNICODE in 2016\r\n$s1 = \"SystemVersion: %s\" ascii wide\r\n$s2 = \"Product ID: %s\" ascii wide\r\n$s3 = \"InstallPath: %s\" ascii wide\r\n$s4 = \"InstallTime: %d-%d-%d, %02d:%02d:%02d\" ascii wide\r\n$s5 = \"ResgisterGroup: %s\" ascii wide\r\n$s6 = \"RegisterUser: %s\" ascii wide\r\n$s7 = \"ComputerName: %s\" ascii wide\r\n$s8 = \"WindowsDirectory: %s\" ascii wide\r\n$s9 = \"System Directory: %s\" ascii wide\r\n$s10 = \"Number of Processors: %d\" ascii wide\r\n$s11 = \"CPU[%d]: %s: %sMHz\" ascii wide\r\n$s12 = \"RAM: %dMB Total, %dMB Free.\" ascii wide\r\n$s13 = \"DisplayMode: %d x %d, %dHz, %dbit\" ascii wide\r\n$s14 = \"Uptime: %d Days %02u:%02u:%02u\" ascii wide\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\nfilesize < 200KB and\r\n7 of them\r\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1588068717", "to_ids": true, "type": "yara", "uuid": "582dd82e-469c-4a22-8669-6ff1d56c6cd2", "value": "import \"pe\"\nrule keyboy_related_exports\n{\nmeta:\nauthor = \"Matt Brooks, @cmatthewbrooks\"\ndesc = \"Matches the new 2016 sample's export\"\ndate = \"2016-08-28\"\nmd5 = \"495adb1b9777002ecfe22aaf52fcee93\"\n\ncondition:\n//MZ header\nuint16(0) == 0x5A4D and\n\n//PE signature\nuint32(uint32(0x3C)) == 0x00004550 and\n\n\nfilesize < 200KB and\n\n\n//The malware family seems to share many exports\n//but this is the new kid on the block.\npe.exports(\"Embedding\") or\npe.exports(\"SSSS\") or\npe.exports(\"GetUP\")\n}" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399483", "to_ids": true, "type": "yara", "uuid": "582dd83b-0524-4fed-a9e3-700dd56c6cd2", "value": "import \"pe\"\r\nrule keyboy_init_config_section\r\n{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the Init section where the config is stored\"\r\ndate = \"2016-08-28\"\r\n\r\ncondition:\r\n//MZ header\r\nuint16(0) == 0x5A4D and\r\n\r\n//PE signature\r\nuint32(uint32(0x3C)) == 0x00004550 and\r\n\r\n//Payloads are normally smaller but the new dropper we spotted\r\n//is a bit larger.\r\nfilesize < 300KB and\r\n\r\n//Observed virtual sizes of the .Init section vary but they've\r\n//always been 1024, 2048, or 4096 bytes.\r\nfor any i in (0..pe.number_of_sections - 1):\r\n(\r\npe.sections[i].name == \".Init\" and\r\npe.sections[i].virtual_size % 1024 == 0\r\n)\r\n}" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399925", "to_ids": false, "type": "link", "uuid": "582dd9f5-639c-4a10-8ced-6ff0d56c6cd2", "value": "https://citizenlab.org/2016/11/parliament-keyboy/" }, { "category": "Network activity", "comment": "domain linked to one of the C2 IPs", "deleted": false, "disable_correlation": false, "timestamp": "1479399513", "to_ids": true, "type": "domain", "uuid": "582dd859-da30-4ad9-9118-7005d56c6cd2", "value": "tibetvoices.com" }, { "category": "Network activity", "comment": "C2 domains", "deleted": false, "disable_correlation": false, "timestamp": "1479399538", "to_ids": true, "type": "domain", "uuid": "582dd873-7d5c-4433-9e36-6ff0d56c6cd2", "value": "www.about.jkub.com" }, { "category": "Network activity", "comment": "C2 domains", "deleted": false, "disable_correlation": false, "timestamp": "1479399539", "to_ids": true, "type": "domain", "uuid": "582dd873-ef48-4fe2-8f27-6ff0d56c6cd2", "value": "www.eleven.mypop3.org" }, { "category": "Network activity", "comment": "C2 domains", "deleted": false, "disable_correlation": false, "timestamp": "1479399539", "to_ids": true, "type": "domain", "uuid": "582dd873-7f8c-4373-aa0d-6ff0d56c6cd2", "value": "www.backus.myftp.name" }, { "category": "Network activity", "comment": "C2 IP", "deleted": false, "disable_correlation": false, "timestamp": "1479399568", "to_ids": true, "type": "ip-dst", "uuid": "582dd890-d548-436f-bd0a-6ff2d56c6cd2", "value": "45.125.12.147" }, { "category": "Network activity", "comment": "C2 IP", "deleted": false, "disable_correlation": false, "timestamp": "1479399568", "to_ids": true, "type": "ip-dst", "uuid": "582dd890-e77c-48ef-b609-6ff2d56c6cd2", "value": "103.40.102.233" }, { "category": "Network activity", "comment": "C2 IP", "deleted": false, "disable_correlation": false, "timestamp": "1479399569", "to_ids": true, "type": "ip-dst", "uuid": "582dd891-0d3c-41a2-9385-6ff2d56c6cd2", "value": "116.193.154.69" }, { "category": "Network activity", "comment": "C2 IP", "deleted": false, "disable_correlation": false, "timestamp": "1479399569", "to_ids": true, "type": "ip-dst", "uuid": "582dd891-0e90-4e82-bfba-6ff2d56c6cd2", "value": "103.242.134.243" }, { "category": "Network activity", "comment": "IPs for C2 Host: www.about.jkub.com", "deleted": false, "disable_correlation": false, "timestamp": "1479399595", "to_ids": true, "type": "ip-dst", "uuid": "582dd8ab-850c-4a68-812b-7007d56c6cd2", "value": "45.32.47.148" }, { "category": "Network activity", "comment": "IPs for C2 Host: www.about.jkub.com", "deleted": false, "disable_correlation": false, "timestamp": "1479399596", "to_ids": true, "type": "ip-dst", "uuid": "582dd8ac-097c-45be-8370-7007d56c6cd2", "value": "157.7.84.81" }, { "category": "Network activity", "comment": "IP behind C2 Host: www.backus.myftp[.]name", "deleted": false, "disable_correlation": false, "timestamp": "1479399617", "to_ids": true, "type": "ip-dst", "uuid": "582dd8c1-9ec0-4fa4-8d06-700fd56c6cd2", "value": "192.241.149.43" }, { "category": "Network activity", "comment": "Other IP hosting tibetvoices.com", "deleted": false, "disable_correlation": false, "timestamp": "1479399661", "to_ids": true, "type": "ip-dst", "uuid": "582dd8ed-34cc-49c9-9ae4-700fd56c6cd2", "value": "112.10.117.47" }, { "category": "Payload delivery", "comment": "Source of phishing emails", "deleted": false, "disable_correlation": false, "timestamp": "1479399684", "to_ids": true, "type": "email-src", "uuid": "582dd904-3f68-4706-b596-0696d56c6cd2", "value": "tibetanparliarnent@yahoo.com" }, { "category": "Payload delivery", "comment": "theme of the conference.doc", "deleted": false, "disable_correlation": false, "timestamp": "1588068668", "to_ids": true, "type": "md5", "uuid": "582dd918-13bc-44e9-9b8d-6ff2d56c6cd2", "value": "8307e444cad98b1b59568ad2eba5f201" }, { "category": "Payload delivery", "comment": "Dw20.exe dropper", "deleted": false, "disable_correlation": false, "timestamp": "1588068666", "to_ids": true, "type": "md5", "uuid": "582dd924-6350-4beb-bc4d-700dd56c6cd2", "value": "0b4d45db323f68b465ae052d3a872068" }, { "category": "Payload delivery", "comment": "Other similar doc", "deleted": false, "disable_correlation": false, "timestamp": "1588068693", "to_ids": true, "type": "md5", "uuid": "582dd932-aac0-48ba-8235-7006d56c6cd2", "value": "beadf21b923600554b0ce54df42e78f5" }, { "category": "Payload delivery", "comment": "Dw20.exe dropper", "deleted": false, "disable_correlation": false, "timestamp": "1479399744", "to_ids": true, "type": "md5", "uuid": "582dd940-4910-478c-a8f6-700ed56c6cd2", "value": "69df3d3df4d99bc6045d073d89c68697" }, { "category": "Payload delivery", "comment": "Malicious doc with CVE-2014-4114 vulnerability", "deleted": false, "disable_correlation": false, "timestamp": "1588068677", "to_ids": true, "type": "md5", "uuid": "582dd94c-9948-4f28-a0a8-6ff1d56c6cd2", "value": "05b5cf94f07fee666eb086c91182ad25" }, { "category": "Payload delivery", "comment": "Doc exploiting CVE-2012-0158", "deleted": false, "disable_correlation": false, "timestamp": "1588068675", "to_ids": true, "type": "md5", "uuid": "582dd958-b8e4-47e1-b3bd-6ff0d56c6cd2", "value": "8846d109b457a2ee44ddbf54d1cf7944" }, { "category": "Payload delivery", "comment": "Attached file urgent action larung gar buddhist academy.rtf (CVE-2015-1641)", "deleted": false, "disable_correlation": false, "timestamp": "1588068682", "to_ids": true, "type": "md5", "uuid": "582dd965-41f0-4ca5-a4f6-700fd56c6cd2", "value": "913b82ff8f090670fc6387e3a7bea12d" }, { "category": "Payload delivery", "comment": "dropper of 'agewkassif' version", "deleted": false, "disable_correlation": false, "timestamp": "1588068685", "to_ids": true, "type": "md5", "uuid": "582dd971-87dc-4fa4-a22b-7007d56c6cd2", "value": "23d284245e53ae4fe05c517d807ffccf" }, { "category": "Payload delivery", "comment": "dw20.exe dropper", "deleted": false, "disable_correlation": false, "timestamp": "1588068687", "to_ids": true, "type": "sha256", "uuid": "582dd982-e0b0-4f79-bab1-0696d56c6cd2", "value": "5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49" }, { "category": "Payload delivery", "comment": "dropper of 'agewkassif' sample", "deleted": false, "disable_correlation": false, "timestamp": "1588068691", "to_ids": true, "type": "sha256", "uuid": "582dd992-c5ac-438a-8737-7005d56c6cd2", "value": "542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399853", "to_ids": false, "type": "vulnerability", "uuid": "582dd9ad-23d0-45dd-9bee-6ff2d56c6cd2", "value": "CVE-2012-0158" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399853", "to_ids": false, "type": "vulnerability", "uuid": "582dd9ad-a8e4-4cd1-b839-6ff2d56c6cd2", "value": "CVE-2014-4114" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399853", "to_ids": false, "type": "vulnerability", "uuid": "582dd9ad-8e60-429f-b92c-6ff2d56c6cd2", "value": "CVE-2015-1641" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399870", "to_ids": true, "type": "yara", "uuid": "582dd9be-541c-40c0-875a-700dd56c6cd2", "value": "rule CVE_2012_0158_KeyBoy {\r\nmeta:\r\nauthor = \"Etienne Maynier \"\r\ndescription = \"CVE-2012-0158 variant\"\r\nfile = \"8307e444cad98b1b59568ad2eba5f201\"\r\n\r\nstrings:\r\n$a = \"d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff09000600000000000000000000000100000001\" nocase // OLE header\r\n$b = \"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff\" nocase // junk data\r\n$c = /5(\\{\\\\b0\\}|)[ ]*2006F00(\\{\\\\b0\\}|)[ ]*6F007(\\{\\\\b0\\}|)[ ]*400200045(\\{\\\\b0\\}|)[ ]*006(\\{\\\\b0\\}|)[ ]*E007(\\{\\\\b0\\}|)[ ]*400720079/ nocase\r\n$d = \"MSComctlLib.ListViewCtrl.2\"\r\n$e = \"ac38c874503c307405347aaaebf2ac2c31ebf6e8e3\" nocase //decoding shellcode\r\n\r\ncondition:\r\nall of them\r\n}" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479399885", "to_ids": true, "type": "yara", "uuid": "582dd9cd-5bf4-40a1-9f79-700ed56c6cd2", "value": "rule keyboy_exploit_doc_meta{\r\nmeta:\r\nauthor = \"Matt Brooks, @cmatthewbrooks\"\r\ndesc = \"Matches the meta associated with these exploit docs\"\r\ndate = \"2016-09-30\"\r\n\r\nstrings:\r\n$role = \"{\\\\author Master}{\\\\operator Master}\"\r\n$creatim = \"{\\\\creatim\\\\yr2015\\\\mo10\\\\dy16\\\\hr11\\\\min37}\"\r\n$revtim = \"{\\\\revtim\\\\yr2015\\\\mo10\\\\dy16\\\\hr13\\\\min54}\"\r\n\r\ncondition:\r\nuint32be(0) == 0x7B5C7274 and\r\nfilesize < 1MB and\r\nall of them\r\n}" }, { "category": "Payload type", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1588068655", "to_ids": true, "type": "text", "uuid": "582dd9d6-8564-46ea-9b4e-700ed56c6cd2", "value": "KeyBoy" }, { "category": "Payload delivery", "comment": "dropper of 'agewkassif' sample - Xchecked via VT: 542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf", "deleted": false, "disable_correlation": false, "timestamp": "1588068657", "to_ids": true, "type": "sha1", "uuid": "5832bd46-65f0-4dad-892b-426702de0b81", "value": "3afd1071b8c05d743be976468f36663c22d57311" }, { "category": "External analysis", "comment": "dropper of 'agewkassif' sample - Xchecked via VT: 542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf", "deleted": false, "disable_correlation": false, "timestamp": "1479720263", "to_ids": false, "type": "link", "uuid": "5832bd47-c064-429b-bb2f-467302de0b81", "value": "https://www.virustotal.com/file/542c85fda8df8510c1b66a122e459aac8c0919f1fe9fa2c43fd87899cffa05bf/analysis/1479643747/" }, { "category": "Payload delivery", "comment": "dw20.exe dropper - Xchecked via VT: 5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49", "deleted": false, "disable_correlation": false, "timestamp": "1588068659", "to_ids": true, "type": "sha1", "uuid": "5832bd47-9600-41f5-896c-4e8b02de0b81", "value": "c4611aff5e05ee92398b8700b878e016f4ff6113" }, { "category": "External analysis", "comment": "dw20.exe dropper - Xchecked via VT: 5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49", "deleted": false, "disable_correlation": false, "timestamp": "1479720264", "to_ids": false, "type": "link", "uuid": "5832bd48-b104-49f7-ae8e-436e02de0b81", "value": "https://www.virustotal.com/file/5f24a5ee9ecfd4a8e5f967ffcf24580a83942cd7b09d310b9525962ed2614a49/analysis/1479643732/" }, { "category": "Artifacts dropped", "comment": "Wab32res.dll payload, KeyBoy agewkassif version - Xchecked via VT: 5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88", "deleted": false, "disable_correlation": false, "timestamp": "1479720264", "to_ids": true, "type": "sha1", "uuid": "5832bd48-3de0-4688-8add-48f502de0b81", "value": "c97b12039e324721130d58d127c4e6f356e3f6e8" }, { "category": "External analysis", "comment": "Wab32res.dll payload, KeyBoy agewkassif version - Xchecked via VT: 5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88", "deleted": false, "disable_correlation": false, "timestamp": "1479720265", "to_ids": false, "type": "link", "uuid": "5832bd49-a008-4fd1-bc69-4cd102de0b81", "value": "https://www.virustotal.com/file/5da2f14c382d7cac8dfa6c86e528a646a81f0b40cfee9611c8cfb4b5d589aa88/analysis/1479643740/" }, { "category": "Artifacts dropped", "comment": "Wab32res.dll payload, KeyBoy 20160509 - Xchecked via VT: 9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04", "deleted": false, "disable_correlation": false, "timestamp": "1479720265", "to_ids": true, "type": "sha1", "uuid": "5832bd49-19b0-4338-af0d-47c402de0b81", "value": "5bc42d475fa35e00e2584a4142c2767a4707019b" }, { "category": "External analysis", "comment": "Wab32res.dll payload, KeyBoy 20160509 - Xchecked via VT: 9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04", "deleted": false, "disable_correlation": false, "timestamp": "1479720266", "to_ids": false, "type": "link", "uuid": "5832bd4a-8608-4468-9038-447602de0b81", "value": "https://www.virustotal.com/file/9a55577d357922711ab0821bf5379289293c8517ae1d94d48c389f306af57a04/analysis/1479499742/" }, { "category": "Artifacts dropped", "comment": "legitimate Microsoft Windows Address Book executable, used to load final payload - Xchecked via VT: 58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d", "deleted": false, "disable_correlation": false, "timestamp": "1479720266", "to_ids": false, "type": "sha1", "uuid": "5832bd4a-dd54-4a76-bf57-4b9c02de0b81", "value": "280dd67bbdfadaac0a4eb7a1c770387c216f3b8b" }, { "category": "External analysis", "comment": "legitimate Microsoft Windows Address Book executable, used to load final payload - Xchecked via VT: 58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d", "deleted": false, "disable_correlation": false, "timestamp": "1479720267", "to_ids": false, "type": "link", "uuid": "5832bd4b-25c4-4edb-8ab9-436502de0b81", "value": "https://www.virustotal.com/file/58105e9772f6befbc319c147a97faded4fbacf839947b34fe3695ae72771da5d/analysis/1478876071/" }, { "category": "Payload delivery", "comment": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944", "deleted": false, "disable_correlation": false, "timestamp": "1588068702", "to_ids": true, "type": "sha256", "uuid": "5832bd4c-0190-4a6f-9c4f-472202de0b81", "value": "ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f" }, { "category": "Payload delivery", "comment": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944", "deleted": false, "disable_correlation": false, "timestamp": "1588068701", "to_ids": true, "type": "sha1", "uuid": "5832bd4c-d698-4f11-b5c9-476202de0b81", "value": "ba57bc840bc8fa5b7a235b2d2cff47af610aa14a" }, { "category": "External analysis", "comment": "Doc exploiting CVE-2012-0158 - Xchecked via VT: 8846d109b457a2ee44ddbf54d1cf7944", "deleted": false, "disable_correlation": false, "timestamp": "1479720269", "to_ids": false, "type": "link", "uuid": "5832bd4d-e058-48a1-9e0a-483f02de0b81", "value": "https://www.virustotal.com/file/ba442907f3218c8664bbecb47f915c4469340219e0f05af8f2d108d72659ff0f/analysis/1479483627/" }, { "category": "Payload delivery", "comment": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25", "deleted": false, "disable_correlation": false, "timestamp": "1588068699", "to_ids": true, "type": "sha256", "uuid": "5832bd4d-c198-40bf-83ca-4c7002de0b81", "value": "442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed" }, { "category": "Payload delivery", "comment": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25", "deleted": false, "disable_correlation": false, "timestamp": "1588068697", "to_ids": true, "type": "sha1", "uuid": "5832bd4e-dab8-4936-ac41-489e02de0b81", "value": "7631a0682a1a6423c95fd1b80263b8470717f0f8" }, { "category": "External analysis", "comment": "Malicious doc with CVE-2014-4114 vulnerability - Xchecked via VT: 05b5cf94f07fee666eb086c91182ad25", "deleted": false, "disable_correlation": false, "timestamp": "1479720270", "to_ids": false, "type": "link", "uuid": "5832bd4e-88e0-452b-9d0b-47f602de0b81", "value": "https://www.virustotal.com/file/442e5d3d46330e814b4fdc5640b06732de69a08a574d92cd9a0df5eea62d88ed/analysis/1479484054/" }, { "category": "Payload delivery", "comment": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5", "deleted": false, "disable_correlation": false, "timestamp": "1588068704", "to_ids": true, "type": "sha256", "uuid": "5832bd4f-f9d0-48f9-a3dc-4f2902de0b81", "value": "b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b" }, { "category": "Payload delivery", "comment": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5", "deleted": false, "disable_correlation": false, "timestamp": "1588068705", "to_ids": true, "type": "sha1", "uuid": "5832bd4f-48d0-4d0b-9719-439d02de0b81", "value": "d2bf4b04d05f398b4101e91873e71d5b0e121aeb" }, { "category": "External analysis", "comment": "Other similar doc - Xchecked via VT: beadf21b923600554b0ce54df42e78f5", "deleted": false, "disable_correlation": false, "timestamp": "1479720272", "to_ids": false, "type": "link", "uuid": "5832bd50-1ff0-44dd-b44d-401d02de0b81", "value": "https://www.virustotal.com/file/b1d1b8fa9c104309fe27b3405d3572ac44d8401efba4868f743d45ed797d444b/analysis/1479485679/" }, { "category": "Artifacts dropped", "comment": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27", "deleted": false, "disable_correlation": false, "timestamp": "1479720272", "to_ids": true, "type": "sha256", "uuid": "5832bd50-8af8-4d7a-bf57-4c1702de0b81", "value": "4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d" }, { "category": "Artifacts dropped", "comment": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27", "deleted": false, "disable_correlation": false, "timestamp": "1479720273", "to_ids": true, "type": "sha1", "uuid": "5832bd51-76b0-4f37-860b-4b3802de0b81", "value": "aec5001d91673d052e9a0793aea0ebaea1a96e3d" }, { "category": "External analysis", "comment": "64b KeyBoy payload 20151108 - Xchecked via VT: 371bc132499f455f06fa80696db0df27", "deleted": false, "disable_correlation": false, "timestamp": "1479720273", "to_ids": false, "type": "link", "uuid": "5832bd51-1400-4733-9436-4f7902de0b81", "value": "https://www.virustotal.com/file/4c9bf4ffbd7047f46035f89e6f7f4c63b8597ac63097577d467c157e3aa7ab4d/analysis/1479643752/" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e", "deleted": false, "disable_correlation": false, "timestamp": "1479720274", "to_ids": true, "type": "sha256", "uuid": "5832bd52-5310-486b-876f-4b0e02de0b81", "value": "e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e", "deleted": false, "disable_correlation": false, "timestamp": "1479720274", "to_ids": true, "type": "sha1", "uuid": "5832bd52-2228-4453-b38e-41b102de0b81", "value": "bbeacc746b6ddb61a3be7613bb155aa2b1ac422a" }, { "category": "External analysis", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: c5b5f01ba24d6c02636388809f44472e", "deleted": false, "disable_correlation": false, "timestamp": "1479720275", "to_ids": false, "type": "link", "uuid": "5832bd53-a558-4ea4-957d-4e7202de0b81", "value": "https://www.virustotal.com/file/e6fdcf64d7e7d59366ba23c68332167dfc569b6acc71a03498d4a925ce9c1e0a/analysis/1479481835/" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30", "deleted": false, "disable_correlation": false, "timestamp": "1479720275", "to_ids": true, "type": "sha256", "uuid": "5832bd53-d3f0-4c64-80cf-469402de0b81", "value": "082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30", "deleted": false, "disable_correlation": false, "timestamp": "1479720276", "to_ids": true, "type": "sha1", "uuid": "5832bd54-87e0-49a7-8971-480e02de0b81", "value": "edad39839bd60bcc1426df9c68df7de169cd062f" }, { "category": "External analysis", "comment": "Payload KeyBoy 20151108 - Xchecked via VT: 98977426d544bd145979f65f0322ae30", "deleted": false, "disable_correlation": false, "timestamp": "1479720276", "to_ids": false, "type": "link", "uuid": "5832bd54-0efc-4f4a-b342-4a8e02de0b81", "value": "https://www.virustotal.com/file/082da7874d6c0bfbe8f2d954c8a47f25a90ef83bda89c8495101dc95986d7977/analysis/1479643737/" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018", "deleted": false, "disable_correlation": false, "timestamp": "1479720277", "to_ids": true, "type": "sha256", "uuid": "5832bd55-6890-47d5-b97c-4a6402de0b81", "value": "5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596" }, { "category": "Artifacts dropped", "comment": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018", "deleted": false, "disable_correlation": false, "timestamp": "1479720277", "to_ids": true, "type": "sha1", "uuid": "5832bd55-f334-44ed-81f9-401602de0b81", "value": "a3655df2811069ea7a818517c9e9f11561fce3e8" }, { "category": "External analysis", "comment": "Payload KeyBoy P_20150313 - Xchecked via VT: 0c7e55509e0b6d4277b3facf864af018", "deleted": false, "disable_correlation": false, "timestamp": "1479720277", "to_ids": false, "type": "link", "uuid": "5832bd55-7e88-4e84-98fa-44ea02de0b81", "value": "https://www.virustotal.com/file/5395f709ef1ca64c57be367f9795b66b5775b6e73f57089386a85925cc0ec596/analysis/1431473021/" } ] } }