{
"Event": {
"analysis": "2",
"date": "2015-11-23",
"extends_uuid": "",
"info": "OSINT YARA rules for GlassRAT from Florian Roth's Loki IOC scanner signatures (the RSA Research glassRAT rule as modified by Roth, plus GlassRAT_Generic), with the sample hashes listed in the rule metadata",
"publish_timestamp": "1456154284",
"published": true,
"threat_level_id": "4",
"timestamp": "1449158765",
"uuid": "566067e0-5c54-45b4-8dff-4fae950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158647",
"to_ids": false,
"type": "link",
"uuid": "566067f7-36c8-4f78-a805-4e92950d210b",
"value": "https://github.com/Neo23x0/Loki/blob/master/signatures/apt_glassRAT.yar"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158665",
"to_ids": true,
"type": "yara",
"uuid": "56606809-fb5c-4835-a5d5-4608950d210b",
"value": "rule glassRAT\r\n{\r\n\tmeta:\r\n\t\tauthor = \"RSA RESEARCH\"\r\n\t\tdate = \"3 Nov 2015\"\r\n description = \"Detects GlassRAT by RSA (modified by Florian Roth - speed improvements)\"\r\n\t\tInfo = \"GlassRat\"\r\n\t\t/* MD5s\r\n\t\t\t37adc72339a0c2c755e7fef346906330\r\n\t\t\t59b404076e1af7d0faae4a62fa41b69f\r\n\t\t\t5c17395731ec666ad0056d3c88e99c4d\r\n\t\t\te98027f502f5acbcb5eda17e67a21cdc\r\n\t\t\t87a965cf75b2da112aea737220f2b5c2\r\n\t\t\t22e01495b4419b564d5254d2122068d9\r\n\t\t\t42b57c0c4977a890ecb0ea9449516075\r\n\t\t\tb7f2020208ebd137616dadb60700b847\t*/\r\n\tstrings:\r\n\t\t$bin1 = {85 C0 B3 01} \t\t/* \ttest eax, eax\r\n\t\t\t\t\t\t\t\t\t\t mov bl, 1 */\r\n\t\t// $bin2 = {34 02}\t\t\t\t// xor al, 2 ---> XOR key for rundll32.exe\r\n\t\t$bin3 = {68 4C 50 00 10}\t// push offset KeyName ; \"2\"\r\n\t\t$bin4 = {68 48 50 00 10}\t// push offset a3 ; \"3\"\r\n\t\t$bin5 = {68 44 50 00 10}\t// push offset a4 ; \"4\"\r\n\t\t$hs = {CB FF 5D C9 AD 3F 5B A1 54 13 FE FB 05 C6 22} // Initial Handshake ---> can be added or removed for hunting for different variants\r\n\t\t//$re1 = {50 00 00 00}\r\n\t\t//$re2 = {BB 01 00 00}\r\n\t\t// Dwords of C2 Ports (80 | 443 | 53) 2 -3 times\r\n\t\t$s1 = \"pwlfnn10,gzg\" // rundll32.exe XOR 02\r\n\t\t$s2 = \"AddNum\"\r\n\t\t$s3 = \"ServiceMain\"\r\n\t\t$s4 = \"The Window\"\r\n\t\t$s5 = \"off.dat\"\r\n\tcondition:\r\n\t\tall of ($bin*) and $hs and 3 of ($s*) //The conditions can be adjusted for hunting for different variants\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158689",
"to_ids": true,
"type": "md5",
"uuid": "56606821-6208-4b60-af62-4010950d210b",
"value": "37adc72339a0c2c755e7fef346906330"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158689",
"to_ids": true,
"type": "md5",
"uuid": "56606821-f258-47c4-9fcb-4c41950d210b",
"value": "59b404076e1af7d0faae4a62fa41b69f"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158690",
"to_ids": true,
"type": "md5",
"uuid": "56606822-d054-44b2-b67b-4fe8950d210b",
"value": "5c17395731ec666ad0056d3c88e99c4d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158690",
"to_ids": true,
"type": "md5",
"uuid": "56606822-33d0-447d-b42d-47cf950d210b",
"value": "e98027f502f5acbcb5eda17e67a21cdc"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158691",
"to_ids": true,
"type": "md5",
"uuid": "56606823-c358-4baa-963b-4e40950d210b",
"value": "87a965cf75b2da112aea737220f2b5c2"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158691",
"to_ids": true,
"type": "md5",
"uuid": "56606823-81bc-48ab-aa81-43c0950d210b",
"value": "22e01495b4419b564d5254d2122068d9"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158691",
"to_ids": true,
"type": "md5",
"uuid": "56606823-4fb4-4f3a-8f81-4eb9950d210b",
"value": "42b57c0c4977a890ecb0ea9449516075"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158692",
"to_ids": true,
"type": "md5",
"uuid": "56606824-7770-448e-b80b-4a49950d210b",
"value": "b7f2020208ebd137616dadb60700b847"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158706",
"to_ids": true,
"type": "yara",
"uuid": "56606832-3264-4d41-801c-47f7950d210b",
"value": "rule GlassRAT_Generic {\r\n\tmeta:\r\n\t\tdescription = \"Detects GlassRAT Malware\"\r\n\t\tauthor = \"Florian Roth\"\r\n\t\treference = \"https://blogs.rsa.com/peering-into-glassrat/\"\r\n\t\tdate = \"2015-11-23\"\r\n\t\tscore = 80\r\n\t\thash1 = \"30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399\"\r\n\t\thash2 = \"3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4\"\r\n\t\thash3 = \"79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e\"\r\n\t\thash4 = \"a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e\"\r\n\t\thash5 = \"c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb\"\r\n\t\thash6 = \"d95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d\"\r\n\t\thash7 = \"f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea\"\r\n\tstrings:\r\n\t\t$s1 = \"cmd.exe /c %s\" fullword ascii\r\n\t\t$s2 = \"update.dll\" fullword ascii\r\n\t\t$s3 = \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\RasAuto\\\\Parameters\" fullword ascii\r\n\t\t$s4 = \"%%temp%%\\\\%u\" fullword ascii\r\n\t\t$s5 = \"\\\\off.dat\" fullword ascii\r\n\t\t$s6 = \"rundll32 \\\"%s\\\",AddNum\" fullword ascii\r\n\t\t$s7 = \"cmd.exe /c erase /F \\\"%s\\\"\" fullword ascii\r\n\t\t$s8 = \"SYSTEM\\\\ControlSet00%d\\\\Services\\\\RasAuto\" fullword ascii\r\n\tcondition:\r\n\t\tuint16(0) == 0x5a4d and filesize < 15MB and 5 of them\r\n}"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158762",
"to_ids": true,
"type": "sha256",
"uuid": "5660686a-9e9c-4945-96d9-434d950d210b",
"value": "30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158763",
"to_ids": true,
"type": "sha256",
"uuid": "5660686b-7ad8-48e2-9616-447e950d210b",
"value": "3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158763",
"to_ids": true,
"type": "sha256",
"uuid": "5660686b-b1ec-4228-852d-40e4950d210b",
"value": "79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158763",
"to_ids": true,
"type": "sha256",
"uuid": "5660686b-a62c-4f7d-8d9b-4a32950d210b",
"value": "a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158764",
"to_ids": true,
"type": "sha256",
"uuid": "5660686c-16e4-454a-b2d6-4a94950d210b",
"value": "c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158764",
"to_ids": true,
"type": "sha256",
"uuid": "5660686c-f458-48df-abbd-4bd2950d210b",
"value": "d95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1449158765",
"to_ids": true,
"type": "sha256",
"uuid": "5660686d-30b0-446d-8355-4a59950d210b",
"value": "f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 37adc72339a0c2c755e7fef346906330)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862991",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4cf-0aa4-48e1-bb25-4912950d210f",
"value": "3835394230f1e56633379eaba47a91141d61ec65"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 59b404076e1af7d0faae4a62fa41b69f)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862993",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d1-a900-4d64-9153-5ca1950d210f",
"value": "e98f21692f12e37057aea3c721d8e97af7f41dd3"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 5c17395731ec666ad0056d3c88e99c4d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862994",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d2-5618-438a-80da-c654950d210f",
"value": "ee65b0604a6138256ab5aadaa18544d0bef52acd"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 e98027f502f5acbcb5eda17e67a21cdc)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862995",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d3-9080-447f-af68-59a0950d210f",
"value": "b4dde11be53c599f32bd43a0dcd86fe14a989fd4"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 87a965cf75b2da112aea737220f2b5c2)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862997",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d5-be7c-41c3-b471-4c8b950d210f",
"value": "2947eb890f97d2fb11ddec7c987dd2f176a81eda"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 22e01495b4419b564d5254d2122068d9)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862998",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d6-d38c-44c9-8bd4-59a3950d210f",
"value": "6008df16bca4fc234b2d654115d3a2f55b1defc6"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 42b57c0c4977a890ecb0ea9449516075)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862998",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d6-1c8c-4bdf-9e55-c653950d210f",
"value": "c5dd7278180c260c28c252787e65bf3e99c4aee8"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA1 of the same sample as MD5 b7f2020208ebd137616dadb60700b847)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862999",
"to_ids": true,
"type": "sha1",
"uuid": "56c6b4d7-3a44-4c01-b51c-4034950d210f",
"value": "f95c2a8aeb081ff849ec720045beffd6c9cb1bf4"
},
{
"category": "Artifacts dropped",
"comment": "Automatically added (SHA256 of the same sample as MD5 e98027f502f5acbcb5eda17e67a21cdc; note this SHA256 is not among the hash1-hash7 values listed in the GlassRAT_Generic rule metadata)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455862996",
"to_ids": true,
"type": "sha256",
"uuid": "56c6b4d4-1f88-4975-86e7-c651950d210f",
"value": "89317809806ef90bb619a4163562f7db3ca70768db706a4ea483fdb370a79ede"
}
]
}
}