{ "Event": { "analysis": "2", "date": "2017-09-27", "extends_uuid": "", "info": "OSINT - Experts analyzed an Advanced \"all in memory\" CryptoWorm", "publish_timestamp": "1518771036", "published": true, "threat_level_id": "3", "timestamp": "1516071630", "uuid": "5a54ca42-e9a0-4d71-a9e6-4f9b950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516008849", "to_ids": false, "type": "link", "uuid": "5a54ca53-f374-44ba-9475-455f950d210f", "value": "http://securityaffairs.co/wordpress/63488/malware/advanced-memory-cryptoworm.html", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516008850", "to_ids": false, "type": "comment", "uuid": "5a5c5cdc-dd14-4415-8ce3-4ae3950d210f", "value": "Today I want to share a nice Malware analysis having an interesting flow. The \u201cinteresting\u201d adjective comes from the abilities the given sample owns. Capabilities of exploiting, hard obfuscations and usage of advanced techniques to steal credentials and run commands.\r\n\r\nThe analyzed sample has been provided by a colleague of mine (Alessandro) who received the first stage by eMail. 
A special thanks to Luca and Edoardo for having recognized XMRig during the last infection stage.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516008850", "to_ids": true, "type": "filename", "uuid": "5a5c5d76-21e8-42fd-8b34-4d39950d210f", "value": "info6.ps1" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516008850", "to_ids": true, "type": "url", "uuid": "5a5c5d76-59e8-46ee-88b7-4240950d210f", "value": "http://118.184.48.95:8000/" }, { "category": "Financial fraud", "comment": "Monero Address", "deleted": false, "disable_correlation": false, "timestamp": "1516008851", "to_ids": false, "type": "other", "uuid": "5a5c5dfd-aaac-4c47-9eff-417d950d210f", "value": "46CJt5F7qiJiNhAFnSPN1G7BMTftxtpikUjt8QXRFwFH2c3e1h6QdJA5dFYpTXK27dEL9RN3H2vLc6eG2wGahxpBK5zmCuE" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516002831", "to_ids": true, "type": "sha256", "uuid": "5a5c5e0f-4364-483b-98c3-4fad950d210f", "value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516002831", "to_ids": true, "type": "sha256", "uuid": "5a5c5e0f-0dac-46db-b486-4cbb950d210f", "value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1516008851", "to_ids": true, "type": "filename", "uuid": "5a5c5e62-827c-4ed3-94d6-4de0950d210f", "value": "y1.bat" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", 
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1516008854", "uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8", "ObjectReference": [ { "comment": "", "object_uuid": "ef15fe55-96db-4f8e-a563-90107aa04fd8", "referenced_uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238", "relationship_type": "analysed-with", "timestamp": "1518771036", "uuid": "5a5c759a-d860-423d-b8e8-417702de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516008852", "to_ids": true, "type": "sha1", "uuid": "5a5c7594-c11c-4a83-bf8d-42f702de0b81", "value": "8da156580747bf9ef8fa4d1c42ee112ab743da69" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1516008852", "to_ids": true, "type": "md5", "uuid": "5a5c7594-fdd4-4116-ba61-4f5e02de0b81", "value": "9ac3bdb9378cd1fafbb8e08def738481" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1516008852", "to_ids": true, "type": "sha256", "uuid": "5a5c7594-dc68-4253-a790-454802de0b81", "value": "038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1516008853", "uuid": "f12256d2-41cd-4eb1-bbd1-fb0128573238", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1516008853", "to_ids": false, "type": "link", "uuid": "5a5c7595-db48-49f6-84da-459f02de0b81", "value": "https://www.virustotal.com/file/038d4ef30a0bfebe3bfd48a5b6fed1b47d1e9b2ed737e8ca0447d6b1848ce309/analysis/1513112352/" }, { 
"category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1516008853", "to_ids": false, "type": "text", "uuid": "5a5c7595-4a78-4b7d-b6d0-422f02de0b81", "value": "47/67" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1516008854", "to_ids": false, "type": "datetime", "uuid": "5a5c7596-3728-4530-b061-411f02de0b81", "value": "2017-12-12T20:59:12" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1516008857", "uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3", "ObjectReference": [ { "comment": "", "object_uuid": "d932fbce-6248-4955-bf1c-ddbd669a67b3", "referenced_uuid": "c46c80e3-a03a-497f-87ee-816333479203", "relationship_type": "analysed-with", "timestamp": "1518771036", "uuid": "5a5c759a-3aac-478c-874d-482902de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1516008854", "to_ids": true, "type": "sha1", "uuid": "5a5c7596-2d24-46fd-b61a-488802de0b81", "value": "686761aff5e4efedbc5b2931c0f214d8ba7b9463" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1516008854", "to_ids": true, "type": "md5", "uuid": "5a5c7596-ffec-4371-921c-4b1302de0b81", "value": "8365158c74008879df00a9d49e61aaea" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1516008855", "to_ids": true, "type": "sha256", "uuid": "5a5c7597-0f38-4b34-865c-47fe02de0b81", "value": "19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc" } ] }, { 
"comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1516008855", "uuid": "c46c80e3-a03a-497f-87ee-816333479203", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1516008856", "to_ids": false, "type": "link", "uuid": "5a5c7598-efc4-400f-9451-4f2502de0b81", "value": "https://www.virustotal.com/file/19e15a4288e109405f0181d921d3645e4622c87c4050004357355b7a9bf862cc/analysis/1513112312/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1516008857", "to_ids": false, "type": "text", "uuid": "5a5c7599-bbfc-49f5-bf91-417d02de0b81", "value": "30/65" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1516008857", "to_ids": false, "type": "datetime", "uuid": "5a5c7599-ce88-4d2a-9ccd-446c02de0b81", "value": "2017-12-12T20:58:32" } ] } ] } }