{ "Event": { "analysis": "2", "date": "2019-09-29", "extends_uuid": "", "info": "New IoT multiplatform Linux malware: Linux/AirDropBot", "publish_timestamp": "1569866650", "published": true, "threat_level_id": "3", "timestamp": "1569866386", "uuid": "5d9049fa-1a6c-4668-b7aa-4bf7950d210f", "Orgc": { "name": "MalwareMustDie", "uuid": "569e04b2-efd0-45bd-b83a-4f7b950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#32003e", "local": false, "name": "ms-caro-malware:malware-type=\"DDoS\"", "relationship_type": "" }, { "colour": "#670080", "local": false, "name": "ms-caro-malware:malware-platform=\"Linux\"", "relationship_type": "" }, { "colour": "#22681c", "local": false, "name": "malware_classification:malware-category=\"Botnet\"", "relationship_type": "" } ], "Attribute": [ { "category": "Network activity", "comment": "C2 server", "deleted": false, "disable_correlation": false, "timestamp": "1569737385", "to_ids": false, "type": "ip-dst", "uuid": "5d904a90-5a30-4809-a7ba-45b4950d210f", "value": "179.43.149.189" }, { "category": "Network activity", "comment": "Payload spreading hosts", "deleted": false, "disable_correlation": false, "timestamp": "1569737415", "to_ids": false, "type": "ip-dst", "uuid": "5d904a90-ef94-41ad-bccf-4e01950d210f", "value": "147.135.124.113" }, { "category": "Network activity", "comment": "Spoofed IP used when performing infection aims Cisco Linksys CGI vulnerability", "deleted": false, "disable_correlation": false, "timestamp": "1569737465", "to_ids": false, "type": "ip-dst", "uuid": "5d904a90-53a4-4624-aecb-491b950d210f", "value": "192.168.0.14" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-964c-460c-9edf-4539950d210f", "value": "417151777eaaccfc62f778d33fd183ff" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-fe4c-4ea6-b1aa-48b9950d210f", "value": "d31f047c125deb4c2f879d88b083b9d5" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-af54-4c82-abf2-4ae5950d210f", "value": "ff1eb225f31e5c29dde47c147f40627e" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-1394-4eb6-bc6c-4343950d210f", "value": "f3aed39202b51afdd1354adc8362d6bf" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-0268-4b7d-8b8b-490f950d210f", "value": "083a5f463cb84f7ae8868cb2eb6a22eb" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-0464-48c8-8ca9-4a5b950d210f", "value": "9ce4decd27c303a44ab2e187625934f3" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-d358-4491-9a7b-42d2950d210f", "value": "b6c6c1b2e89de81db8633144f4cb4b7d" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-a844-44f8-8e4b-4025950d210f", "value": "abd5008522f69cca92f8eefeb5f160e2" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-f544-4dba-a041-4852950d210f", "value": "a84bbf660ace4f0159f3d13e058235e9" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-72c4-4629-9273-4d0c950d210f", "value": "5fec65455bd8c842d672171d475460b6" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-0d90-4605-9169-43cf950d210f", "value": "4d3cab2d0c51081e509ad25fbd7ff596" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-0f0c-4113-8ac0-4999950d210f", "value": "252e2dfdf04290e7e9fc3c4d61bb3529" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-7c04-4e53-86e0-4e2f950d210f", "value": "5dcdace449052a596bce05328bd23a3b" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-2ecc-4765-b655-4f46950d210f", "value": "9c66fbe776a97a8613bfa983c7dca149" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-5f88-4ec9-98ab-49a2950d210f", "value": "59af44a74873ac034bd24ca1c3275af5" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-b45c-4e50-ab5f-453a950d210f", "value": "9642b8aff1fda24baa6abe0aa8c8b173" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-9720-4a69-acf0-4aef950d210f", "value": "e56cec6001f2f6efc0ad7c2fb840aceb" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-8b14-454b-91d2-4b31950d210f", "value": "54d93673f9539f1914008cfe8fd2bbdd" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-6b10-4016-a9d5-4f32950d210f", "value": "6d202084d4f25a0aa2225589dab536e7" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-b490-4091-aeec-423f950d210f", "value": "cfbf1bd882ae7b87d4b04122d2ab42cb" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737663", "to_ids": true, "type": "md5", "uuid": "5d904bbf-64f8-42fd-a0cd-4447950d210f", "value": "b02af5bd329e19d7e4e2006c9c172713" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737664", "to_ids": true, "type": "md5", "uuid": "5d904bc0-90b4-46aa-b797-401e950d210f", "value": "85a8aad8d938c44c3f3f51089a60ec16" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737664", "to_ids": true, "type": "md5", "uuid": "5d904bc0-3a20-408b-a86b-486c950d210f", "value": "2c0afe7b13cdd642336ccc7b3e952d8d" }, { "category": "Payload delivery", "comment": "Payload hash, AirDropBot binary", "deleted": false, "disable_correlation": false, "timestamp": "1569737664", "to_ids": true, "type": "md5", "uuid": "5d904bc0-0c00-4a1c-b1e1-4307950d210f", "value": "94b8337a2d217286775bcc36d9c862d2" }, { "category": "Internal reference", "comment": "Linux/AirDropBot analysis report", "deleted": false, "disable_correlation": false, "timestamp": "1569737734", "to_ids": false, "type": "link", "uuid": "5d904c06-4058-40c9-ae01-4c1a950d210f", "value": "https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html" }, { "category": "Network activity", "comment": "other C2", "deleted": false, "disable_correlation": false, "timestamp": "1569866386", "to_ids": true, "type": "ip-dst", "uuid": "5d924292-b9cc-49dd-ab90-6bc1950d210f", "value": "185.244.25.200" }, { "category": "Network activity", "comment": "other C2", "deleted": false, "disable_correlation": false, "timestamp": "1569866386", "to_ids": true, "type": "ip-dst", "uuid": "5d924292-5444-44a0-96b1-6bc1950d210f", "value": "185.244.25.201" }, { "category": "Network activity", "comment": "other C2", "deleted": false, "disable_correlation": false, "timestamp": "1569866386", "to_ids": true, "type": "ip-dst", "uuid": "5d924292-f1dc-4fcd-9395-6bc1950d210f", "value": "185.244.25.202" } ] } }