{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-01-27",
|
|
"extends_uuid": "",
|
|
"info": "OSINT Introducing Hi-Zor RAT by Fidelis",
|
|
"publish_timestamp": "1484156943",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1464346759",
|
|
"uuid": "56af2d05-bff0-4753-b2ed-4074950d210f",
|
|
"Orgc": {
|
|
"name": "CthulhuSPRL.be",
|
|
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321070",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af2dae-5358-441d-97bb-4223950d210f",
|
|
"value": "http://www.threatgeek.com/2016/01/introducing-hi-zor-rat.html"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321101",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af2dcd-37b0-4f5e-a760-4070950d210f",
|
|
"value": "https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL.pdf"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "rat payload for inocnation campaign,12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454325949",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2dec-db54-40ed-b12d-44a0950d210f",
|
|
"value": "75d3d1f23628122a64a2f1b7ef33f5cf"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321133",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2ded-7a50-467f-ab41-4bfd950d210f",
|
|
"value": "cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321133",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2ded-ca60-403e-9d3f-4028950d210f",
|
|
"value": "f25cc334809bd1c36fd94184177de8a4"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321133",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2ded-9dcc-4ff4-ae67-466f950d210f",
|
|
"value": "2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321257",
|
|
"to_ids": true,
|
|
"type": "user-agent",
|
|
"uuid": "56af2e69-a158-4af8-ad95-4d71950d210f",
|
|
"value": "iexplorer"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321301",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56af2e95-0ee4-4e07-a2eb-4f0a950d210f",
|
|
"value": "citrix.vipreclod.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321309",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "56af2e95-d8b8-47f7-bbfc-459c950d210f",
|
|
"value": "inocnation.com"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321374",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af2ede-7140-40ad-a15b-480b950d210f",
|
|
"value": "https://github.com/fideliscyber/indicators/tree/master/FTA-1020"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "initial dropper for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321452",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2f2c-a788-438e-a8d9-40ac950d210f",
|
|
"value": "a7bd555866ae1c161f78630a638850e7"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "initial dropper for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321452",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2f2c-2804-426b-8aba-4153950d210f",
|
|
"value": "fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "rat installer for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321470",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2f3e-c1dc-43c9-987d-463a950d210f",
|
|
"value": "4f4bf27b738ff8f2a89d1bc487b054a8"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "rat installer for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321471",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2f3f-4ca0-430e-936b-42c7950d210f",
|
|
"value": "01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "rat payload for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321507",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2f63-55a8-42a4-b2fa-46df950d210f",
|
|
"value": "75d3d1f23628122a64a2f1b7ef33f5cf"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "rat payload for inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321508",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2f64-05c0-4c4e-b1e0-4f05950d210f",
|
|
"value": "cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "decoy anyconnect installer used in inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321534",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "56af2f7e-d078-4748-b2c6-42b8950d210f",
|
|
"value": "2f7e5f91be1f5be2b2f4fda0910a4c16"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "decoy anyconnect installer used in inocnation campaign 12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321535",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "56af2f7f-e2d0-4ad6-9b66-4c90950d210f",
|
|
"value": "1ed0c71298d7e69916fb579772f67109f43c7c9c2809fd80e61fc5e680079663"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "rat payload for inocnation campaign 12/15/2015 - Xchecked via VT: cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321678",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56af300e-4698-4085-b38e-490602de0b81",
|
|
"value": "3d7b789e3a630c0bd9db0b3217f72348025b845c"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321678",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af300e-49c0-4299-b3fb-48df02de0b81",
|
|
"value": "https://www.virustotal.com/file/cd07ac5947c643854375603800a4f70e2dfe202c8a1f801204328921cb3a2a4c/analysis/1453497583/"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "rat installer for inocnation campaign 12/15/2015 - Xchecked via VT: 01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321679",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56af300f-ce4c-4d37-962a-4bd402de0b81",
|
|
"value": "13a53cbe20908d9b1c705d3901ae87655a87cfb9"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321679",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af300f-6d5c-424b-8f79-434502de0b81",
|
|
"value": "https://www.virustotal.com/file/01a0c03f7e01bc41e91cff5d2610ac22da77dbfd01decf60c486b500390cd3ae/analysis/1450425230/"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "initial dropper for inocnation campaign 12/15/2015 - Xchecked via VT: fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321679",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56af300f-4f1c-42db-ba5f-441702de0b81",
|
|
"value": "b38a8747f2fe62d9f57921154f5d6829688a7ab7"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321680",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af3010-9ef8-4f11-a983-486f02de0b81",
|
|
"value": "https://www.virustotal.com/file/fce3dd4bd160b8c0698ca1dfba37bc49b3e1ad80cf77a31741bdbd2fa698be36/analysis/1450425880/"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "Xchecked via VT: 2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321680",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "56af3010-01a0-498b-ba3b-401602de0b81",
|
|
"value": "8a34521175b66e073ee34870263d55611b38b1da"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454321680",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "56af3010-ee54-4140-b790-491102de0b81",
|
|
"value": "https://www.virustotal.com/file/2b4cc716ec23a095d831069968d951a125f40574775f466f4251c8a0a37abfca/analysis/1452694847/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Domain used by INOCNATION campaign,12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326090",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "56af414a-6ae0-4748-874f-4406950d210f",
|
|
"value": "mail.cbppnews.com"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326147",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "56af4183-6a04-4a4c-bebc-4172950d210f",
|
|
"value": "INOCNATION"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP used by INOCNATION (inocnation.com) current as of this date,12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326177",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56af41a1-8fb0-4db8-b6a5-4455950d210f",
|
|
"value": "87.193.23.40"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "Previous IP used by INOCNATION (inocnation.com) used until Oct 2015,12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326200",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56af41b8-f8b8-4dfd-94d6-4ff5950d210f",
|
|
"value": "211.104.106.41"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "IP used by INOCNATION (mail.cbppnews.com) current as of this date,12/15/2015",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326215",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "56af41c7-0ed4-4bbd-9da9-4b7e950d210f",
|
|
"value": "202.172.32.160"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1454326313",
|
|
"to_ids": true,
|
|
"type": "pattern-in-memory",
|
|
"uuid": "56af4229-082c-493b-96b5-40c8950d210f",
|
|
"value": "1a53b0cp32e46g0qio9"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1464346759",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "56af423c-2de8-4e99-88c5-4d35950d210f",
|
|
"value": "rule dll_rat_1a53b0cp32e46g0qio7\r\n{\r\nmeta:\r\nhash1 = \"75d3d1f23628122a64a2f1b7ef33f5cf\"\r\nhash2 = \"d9821468315ccd3b9ea03161566ef18e\"\r\nhash3 = \"b9af5f5fd434a65d7aa1b55f5441c90a\"\r\nstrings:\r\n // Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0;rv:11.0) like Gecko\r\n $ = { c7 [2] 64 00 63 00 c7 [2] 69 00 62 00 c7 [2] 7a 00 7e 00 c7 [2] 2d 00 43 00 c7 [2] 59\r\n 00 2d 00 c7 [2] 3b 00 23 00 c7 [2] 3e 00 36 00 c7 [2] 2d 00 5a 00 c7 [2] 42 00 5a 00 c7 [2] 3b 00\r\n 39 00 c7 [2] 36 00 2d 00 c7 [2] 59 00 7f 00 c7 [2] 64 00 69 00 c7 [2] 68 00 63 00 c7 [2] 79 00 22\r\n 00 c7 [2] 3a 00 23 00 c7 [2] 3d 00 36 00 c7 [2] 2d 00 7f 00 c7 [2] 7b 00 37 00 c7 [2] 3c 00 3c 00\r\n c7 [2] 23 00 3d 00 c7 [2] 24 00 2d 00 c7 [2] 61 00 64 00 c7 [2] 66 00 68 00 c7 [2] 2d 00 4a 00 c7\r\n [2] 68 00 6e 00 c7 [2] 66 00 62 00 } // offset 10001566\r\n // Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\n $ = { c7 [2] 23 00 24 00 c7 [2] 24 00 33 00 c7 [2] 38 00 22 00 c7 [2] 00 00 33 00 c7 [2] 24\r\n 00 25 00 c7 [2] 3f 00 39 00 c7 [2] 38 00 0a 00 c7 [2] 04 00 23 00 c7 [2] 38 00 00 00 c7 [2] 43 00\r\n 66 00 c7 [2] 6d 00 60 00 c7 [2] 67 00 52 00 c7 [2] 6e 00 63 00 c7 [2] 7b 00 67 00 c7 [2] 70 00 00\r\n 00 c7 [2] 43 00 4d 00 c7 [2] 44 00 00 00 c7 [2] 0f 00 43 00 c7 [2] 00 00 50 00 c7 [2] 49 00 4e 00\r\n c7 [2] 47 00 00 00 c7 [2] 11 00 12 00 c7 [2] 17 00 0e 00 c7 [2] 10 00 0e 00 c7 [2] 10 00 0e 00 c7\r\n [2] 11 00 06 00 c7 [2] 44 00 45 00 c7 [2] 4c 00 00 00 } // 10003D09\r\n $ = { 66 [4-7] 0d 40 83 f8 44 7c ?? }\r\n // xor word ptr [ebp+eax*2+var_5C], 14h\r\n // inc eax\r\n // cmp eax, 14h\r\n // Loop to decode a static string. It reveals the \"1a53b0cp32e46g0qio9\" static string sent in the beacon\r\n $ = { 66 [4-7] 14 40 83 f8 14 7c ?? } // 100017F0\r\n $ = { 66 [4-7] 56 40 83 f8 2d 7c ?? } // 10003621\r\n $ = { 66 [4-7] 20 40 83 f8 1a 7c ?? } // 10003640\r\n $ = { 80 [2-7] 2e 40 3d 50 02 00 00 72 ?? 
} // 10003930\r\n $ = \"%08x%08x%08x%08x\" wide ascii\r\n $ = \"WinHttpGetIEProxyConfigForCurrentUser\" wide ascii\r\ncondition:\r\n (uint16(0) == 0x5A4D or uint32(0) == 0x464c457f) and (all of them)\r\n}"
|
|
}
|
|
]
|
|
}
|
|
}