{"Event": {"info": "OSINT - CRASHOVERRIDE Analyzing the Threat to Electric Grid Operations", "Tag": [{"colour": "#14ff00", "exportable": true, "name": "admiralty-scale:information-credibility=\"6\""}, {"colour": "#ffffff", "exportable": true, "name": "tlp:white"}, {"colour": "#73e700", "exportable": true, "name": "circl:topic=\"industry\""}], "publish_timestamp": "1497347375", "timestamp": "1497536012", "analysis": "2", "Attribute": [{"comment": "", "category": "Network activity", "uuid": "593fb528-8dd0-46f6-8593-44e7950d210f", "timestamp": "1497347368", "to_ids": false, "value": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1)", "disable_correlation": false, "object_relation": null, "type": "user-agent"}, {"comment": "Custom-built port scanner. ,Stage 2: Develop,Recon - Xchecked via VT: b335163e6eb854df5e08e85026b2c3518891eda8", "category": "External analysis", "uuid": "593fb0fa-c9ec-4df2-8cfc-4aa802de0b81", "timestamp": "1497346298", "to_ids": false, "value": "https://www.virustotal.com/file/893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f/analysis/1497333819/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Custom-built port scanner. ,Stage 2: Develop,Recon - Xchecked via VT: b335163e6eb854df5e08e85026b2c3518891eda8", "category": "Payload delivery", "uuid": "593fb0fa-aab8-4283-abb0-4aa802de0b81", "timestamp": "1497346298", "to_ids": true, "value": "497de9d388d23bf8ae7230d80652af69", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Custom-built port scanner. 
,Stage 2: Develop,Recon - Xchecked via VT: b335163e6eb854df5e08e85026b2c3518891eda8", "category": "Payload delivery", "uuid": "593fb0f9-6978-4081-9c12-45c502de0b81", "timestamp": "1497346297", "to_ids": true, "value": "893e4cca7fe58191d2f6722b383b5e8009d3885b5913dcd2e3577e5a763cdb3f", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: b92149f046f00bb69de329b8457d32c24726ee00", "category": "External analysis", "uuid": "593fb0f9-7008-4064-86a8-4ae802de0b81", "timestamp": "1497346297", "to_ids": false, "value": "https://www.virustotal.com/file/ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910/analysis/1487157094/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: b92149f046f00bb69de329b8457d32c24726ee00", "category": "Payload delivery", "uuid": "593fb0f9-57f8-40b8-a4fb-41b202de0b81", "timestamp": "1497346297", "to_ids": true, "value": "7a7ace486dbb046f588331a08e869d58", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. 
\",Stage 2: Attack,Destruction - Xchecked via VT: b92149f046f00bb69de329b8457d32c24726ee00", "category": "Payload delivery", "uuid": "593fb0f8-0b84-4af5-a9ae-4ef002de0b81", "timestamp": "1497346296", "to_ids": true, "value": "ad23c7930dae02de1ea3c6836091b5fb3c62a89bf2bcfb83b4b39ede15904910", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "category": "External analysis", "uuid": "593fb0f8-3900-43b4-91d7-4a7402de0b81", "timestamp": "1497346296", "to_ids": false, "value": "https://www.virustotal.com/file/018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81/analysis/1497287042/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "category": "Payload delivery", "uuid": "593fb0f7-c2d8-469e-a937-442002de0b81", "timestamp": "1497346295", "to_ids": true, "value": "ab17f2b17c57b731cb930243589ab0cf", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction - Xchecked via VT: 5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "category": "Payload delivery", "uuid": "593fb0f7-87bc-4fd3-aa72-444c02de0b81", "timestamp": "1497346295", "to_ids": true, "value": "018eb62e174efdcdb3af011d34b0bf2284ed1a803718fba6edffe5bc0b446b81", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. 
Functionality requires config file. ,Stage 2: Attack,Loss of Control - Xchecked via VT: 94488f214b165512d2fc0438a581f5c9e3bd4d4c", "category": "External analysis", "uuid": "593fb0f6-198c-47b8-826c-4ec702de0b81", "timestamp": "1497346294", "to_ids": false, "value": "https://www.virustotal.com/file/7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad/analysis/1497333815/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. ,Stage 2: Attack,Loss of Control - Xchecked via VT: 94488f214b165512d2fc0438a581f5c9e3bd4d4c", "category": "Payload delivery", "uuid": "593fb0f6-9618-4a55-94e9-4da102de0b81", "timestamp": "1497346294", "to_ids": true, "value": "a193184e61e34e2bc36289deaafdec37", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. ,Stage 2: Attack,Loss of Control - Xchecked via VT: 94488f214b165512d2fc0438a581f5c9e3bd4d4c", "category": "Payload delivery", "uuid": "593fb0f5-b50c-48dd-9a57-40d302de0b81", "timestamp": "1497346293", "to_ids": true, "value": "7907dd95c1d36cf3dc842a1bd804f0db511a0f68f4b3d382c23a3c974a383cad", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "\"Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control - Xchecked via VT: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "category": "External analysis", "uuid": "593fb0f5-7408-4484-93d6-489d02de0b81", "timestamp": "1497346293", "to_ids": false, "value": "https://www.virustotal.com/file/21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561/analysis/1497333825/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "\"Launcher for payload DLL. 
Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control - Xchecked via VT: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "category": "Payload delivery", "uuid": "593fb0f4-59f4-470c-a940-4eb902de0b81", "timestamp": "1497346292", "to_ids": true, "value": "f9005f8e9d9b854491eb2fbbd06a16e0", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "\"Launcher for payload DLL. Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control - Xchecked via VT: 79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "category": "Payload delivery", "uuid": "593fb0f4-4bac-4acb-97e4-42bd02de0b81", "timestamp": "1497346292", "to_ids": true, "value": "21c1fdd6cfd8ec3ffe3e922f944424b543643dbdab99fa731556f8805b0d5561", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access - Xchecked via VT: 2cb8230281b86fa944d3043ae906016c8b5984d9", "category": "External analysis", "uuid": "593fb0f3-bcbc-4b9a-9ee7-473302de0b81", "timestamp": "1497536001", "to_ids": false, "value": "https://www.virustotal.com/file/ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77/analysis/1497333833/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access - Xchecked via VT: 2cb8230281b86fa944d3043ae906016c8b5984d9", "category": "Payload delivery", "uuid": "593fb0f3-4e3c-4b78-ace3-40e202de0b81", "timestamp": "1497535964", "to_ids": true, "value": "ff69615e3a8d7ddcdc4b7bf94d6c7ffb", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access - Xchecked via VT: 2cb8230281b86fa944d3043ae906016c8b5984d9", "category": "Payload delivery", 
"uuid": "593fb0f3-a9d8-4e80-be95-440d02de0b81", "timestamp": "1497535967", "to_ids": true, "value": "ecaf150e087ddff0ec6463c92f7f6cca23cc4fd30fe34c10b3cb7c2a6d135c77", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. ,Phase2: C2,Remote Access - Xchecked via VT: 8e39eca1e48240c01ee570631ae8f0c9a9637187", "category": "External analysis", "uuid": "593fb0f2-222c-4437-b07b-4fac02de0b81", "timestamp": "1497346290", "to_ids": false, "value": "https://www.virustotal.com/file/3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571/analysis/1497333806/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. ,Phase2: C2,Remote Access - Xchecked via VT: 8e39eca1e48240c01ee570631ae8f0c9a9637187", "category": "Payload delivery", "uuid": "593fb0f2-880c-4d69-9b07-43d102de0b81", "timestamp": "1497346290", "to_ids": true, "value": "11a67ff9ad6006bd44f08bcc125fb61e", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. ,Phase2: C2,Remote Access - Xchecked via VT: 8e39eca1e48240c01ee570631ae8f0c9a9637187", "category": "Payload delivery", "uuid": "593fb0f1-8078-4a19-bbea-42bf02de0b81", "timestamp": "1497346289", "to_ids": true, "value": "3e3ab9674142dec46ce389e9e759b6484e847f5c1e1fc682fc638fc837c13571", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. 
Backdoor/RAT.\",Phase2: C2,Remote Access - Xchecked via VT: cccce62996d578b984984426a024d9b250237533", "category": "External analysis", "uuid": "593fb0f1-46d4-4df8-a3a9-4bb802de0b81", "timestamp": "1497346289", "to_ids": false, "value": "https://www.virustotal.com/file/6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47/analysis/1497333810/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT.\",Phase2: C2,Remote Access - Xchecked via VT: cccce62996d578b984984426a024d9b250237533", "category": "Payload delivery", "uuid": "593fb0f0-608c-4933-be94-4ec802de0b81", "timestamp": "1497346288", "to_ids": true, "value": "fc4fe1b933183c4c613d34ffdb5fe758", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT.\",Phase2: C2,Remote Access - Xchecked via VT: cccce62996d578b984984426a024d9b250237533", "category": "Payload delivery", "uuid": "593fb0f0-c63c-41f8-abfa-432902de0b81", "timestamp": "1497346288", "to_ids": true, "value": "6d707e647427f1ff4a7a9420188a8831f433ad8c5325dc8b8cc6fc5e7f1f6f47", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. \",Phase2: C2,Remote Access - Xchecked via VT: f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "category": "External analysis", "uuid": "593fb0ef-a1a8-4580-850d-420e02de0b81", "timestamp": "1497346287", "to_ids": false, "value": "https://www.virustotal.com/file/37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4/analysis/1497333801/", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. 
\",Phase2: C2,Remote Access - Xchecked via VT: f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "category": "Payload delivery", "uuid": "593fb0ef-a250-4723-bb6b-43d902de0b81", "timestamp": "1497346287", "to_ids": true, "value": "f67b65b9346ee75a26f491b70bf6091b", "disable_correlation": false, "object_relation": null, "type": "md5"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. \",Phase2: C2,Remote Access - Xchecked via VT: f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "category": "Payload delivery", "uuid": "593fb0ee-fba4-4b44-a0d4-42d002de0b81", "timestamp": "1497346286", "to_ids": true, "value": "37d54e3d5e8b838f366b9c202f75fa264611a12444e62ae759c31a0d041aa6e4", "disable_correlation": false, "object_relation": null, "type": "sha256"}, {"comment": "", "category": "Artifacts dropped", "uuid": "593fb0c2-fd20-473e-8fef-4da3950d210f", "timestamp": "1497346274", "to_ids": true, "value": "import \"pe\"\r\nimport \"hash\"\r\n\r\nrule dragos_crashoverride_exporting_dlls\r\n{\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Suspicious Export\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tcondition:\r\n\t\tpe.exports(\"Crash\") & pe.characteristics\r\n}\r\n\r\nrule dragos_crashoverride_suspcious\r\n{\r\nmeta:\r\n\tdescription = \"CRASHOVERRIDE v1 Wiper\"\r\n\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s0 = \"SYS_BASCON.COM\" fullword nocase wide\r\n\t\t$s1 = \".pcmp\" fullword nocase wide\r\n\t\t$s2 = \".pcmi\" fullword nocase wide\r\n\t\t$s3 = \".pcmt\" fullword nocase wide\r\n\t\t$s4 = \".cin\" fullword nocase wide\r\n\r\n\tcondition:\r\n\t\tpe.exports(\"Crash\") and any of ($s*)\r\n}\r\n\r\n\r\nrule dragos_crashoverride_name_search {\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Suspicious Strings and Export\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s0 = \"101.dll\" fullword nocase wide\r\n\t\t$s1 = \"Crash101.dll\" fullword nocase wide\r\n\t\t$s2 = \"104.dll\" fullword nocase wide\r\n\t\t$s3 = 
\"Crash104.dll\" fullword nocase wide\r\n\t\t$s4 = \"61850.dll\" fullword nocase wide\r\n\t\t$s5 = \"Crash61850.dll\" fullword nocase wide\r\n\t\t$s6 = \"OPCClientDemo.dll\" fullword nocase wide\r\n\t\t$s7 = \"OPC\" fullword nocase wide\r\n\t\t$s8 = \"CrashOPCClientDemo.dll\" fullword nocase wide\r\n\t\t$s9 = \"D2MultiCommService.exe\" fullword nocase wide\r\n\t\t$s10 = \"CrashD2MultiCommService.exe\" fullword nocase wide\r\n\t\t$s11 = \"61850.exe\" fullword nocase wide\r\n\t\t$s12 = \"OPC.exe\" fullword nocase wide\r\n\t\t$s13 = \"haslo.exe\" fullword nocase wide\r\n\t\t$s14 = \"haslo.dat\" fullword nocase wide\r\n\r\n\tcondition:\r\n\t\tany of ($s*) and pe.exports(\"Crash\")\r\n}\r\n\r\nrule dragos_crashoverride_hashes {\r\n\r\n meta:\r\n description = \"CRASHOVERRIDE Malware Hashes\"\r\n author = \"Dragos Inc\"\r\n\r\n condition:\r\n filesize < 1MB and\r\n hash.sha1(0, filesize) == \"f6c21f8189ced6ae150f9ef2e82a3a57843b587d\" or\r\n hash.sha1(0, filesize) == \"cccce62996d578b984984426a024d9b250237533\" or\r\n hash.sha1(0, filesize) == \"8e39eca1e48240c01ee570631ae8f0c9a9637187\" or\r\n hash.sha1(0, filesize) == \"2cb8230281b86fa944d3043ae906016c8b5984d9\" or\r\n hash.sha1(0, filesize) == \"79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a\" or\r\n hash.sha1(0, filesize) == \"94488f214b165512d2fc0438a581f5c9e3bd4d4c\" or\r\n hash.sha1(0, filesize) == \"5a5fafbc3fec8d36fd57b075ebf34119ba3bff04\" or\r\n hash.sha1(0, filesize) == \"b92149f046f00bb69de329b8457d32c24726ee00\" or\r\n hash.sha1(0, filesize) == \"b335163e6eb854df5e08e85026b2c3518891eda8\"\r\n}\r\n\r\nrule dragos_crashoverride_moduleStrings {\r\n\r\n\tmeta:\r\n\t\tdescription = \"IEC-104 Interaction Module Program Strings\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\r\n\tstrings:\r\n\t\t$s1 = \"IEC-104 client: ip=%s; port=%s; ASDU=%u\" nocase wide ascii\r\n\t\t$s2 = \" MSTR ->> SLV\" nocase wide ascii\r\n\t\t$s3 = \" MSTR <<- SLV\" nocase wide ascii\r\n\t\t$s4 = \"Unknown APDU format !!!\" nocase wide ascii\r\n\t\t$s5 = 
\"iec104.log\" nocase wide ascii\r\n\r\n\tcondition:\r\n\t\tany of ($s*)\r\n}\r\n\r\nrule crashoverride_configReader\r\n{\r\n\tmeta:\r\n\t\tdescription = \"CRASHOVERRIDE v1 Config File Parsing\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 68 e8 ?? ?? ?? 6a 00 e8 a3 ?? ?? ?? 8b f8 83 c4 ?8 }\r\n\t\t$s1 = { 8a 10 3a 11 75 ?? 84 d2 74 12 }\r\n\t\t$s2 = { 33 c0 eb ?? 1b c0 83 c8 ?? }\r\n\t\t$s3 = { 85 c0 75 ?? 8d 95 ?? ?? ?? ?? 8b cf ?? ?? }\r\n\t\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_weirdMutex\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Blank mutex creation assoicated with CRASHOVERRIDE\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\tstrings:\r\n\t\t$s1 = { 81 ec 08 02 00 00 57 33 ff 57 57 57 ff 15 ?? ?? 40 00 a3 ?? ?? ?? 00 85 c0 }\r\n\t\t$s2 = { 8d 85 ?? ?? ?? ff 50 57 57 6a 2e 57 ff 15 ?? ?? ?? 00 68 ?? ?? 40 00}\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_serviceStomper\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Identify service hollowing and persistence setting\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 33 c9 51 51 51 51 51 51 ?? ?? ?? }\r\n\t\t$s1 = { 6a ff 6a ff 6a ff 50 ff 15 24 ?? 40 00 ff ?? ?? ff 15 20 ?? 40 00 }\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_wiperModuleRegistry\r\n{\r\n\tmeta:\r\n\t\tdescription = \"Registry Wiper functionality assoicated with CRASHOVERRIDE\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 8d 85 a0 ?? ?? ?? 46 50 8d 85 a0 ?? ?? ?? 68 68 0d ?? ?? 50 }\r\n\t\t$s1 = { 6a 02 68 78 0b ?? ?? 6a 02 50 68 b4 0d ?? ?? ff b5 98 ?? ?? ?? ff 15 04 ?? ?? ?? }\r\n\t\t$s2 = { 68 00 02 00 00 8d 85 a0 ?? ?? ?? 50 56 ff b5 9c ?? ?? ?? ff 15 00 ?? ?? ?? 
85 c0 }\r\n\t\r\n\tcondition:\r\n\t\tall of them\r\n}\r\n\r\nrule crashoverride_wiperFileManipulation\r\n{\r\n\tmeta:\r\n\t\tdescription = \"File manipulation actions associated with CRASHOVERRIDE wiper\"\r\n\t\tauthor = \"Dragos Inc\"\r\n\t\r\n\tstrings:\r\n\t\t$s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }\r\n\t\t$s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }\r\n\t\t\r\n\tcondition:\r\n\t\tall of them\r\n}", "disable_correlation": false, "object_relation": null, "type": "yara"}, {"comment": "", "category": "External analysis", "uuid": "593fb09c-9074-41fa-9a45-42ac950d210f", "timestamp": "1497346274", "to_ids": false, "value": "https://raw.githubusercontent.com/dragosinc/CRASHOVERRIDE/master/CRASHOVERRIDE%20IOC%202016-06-12.csv", "disable_correlation": false, "object_relation": null, "type": "link"}, {"comment": "IEC-61850 enumeration and address manipulation,Stage 2: Attack,Loss of Control", "category": "Payload delivery", "uuid": "593fb08b-32c4-4ca6-a7cb-463c950d210f", "timestamp": "1497346274", "to_ids": true, "value": "ecf6adf20a7137a84a1b319ccaa97cb0809a8454", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "OPC Data Access protocol enumeration of servers and addresses ,Stage 2: Attack,Loss of Control", "category": "Payload delivery", "uuid": "593fb08a-b44c-4388-9d65-43ad950d210f", "timestamp": "1497346274", "to_ids": true, "value": "7fac2eddf22ff692e1b4e7f99910e5dbb51295e6", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Custom-built port scanner. 
,Stage 2: Develop,Recon", "category": "Payload delivery", "uuid": "593fb08a-ccf4-4a3f-b036-40ba950d210f", "timestamp": "1497346274", "to_ids": true, "value": "b335163e6eb854df5e08e85026b2c3518891eda8", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction", "category": "Payload delivery", "uuid": "593fb089-ae9c-45b6-8d6b-41f2950d210f", "timestamp": "1497346274", "to_ids": true, "value": "b92149f046f00bb69de329b8457d32c24726ee00", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "\"Wiper module, wipes list of files by extension, removes system processes, and makes registry changes to prevent system boot. \",Stage 2: Attack,Destruction", "category": "Payload delivery", "uuid": "593fb089-1e98-4309-9ebf-4a46950d210f", "timestamp": "1497346274", "to_ids": true, "value": "5a5fafbc3fec8d36fd57b075ebf34119ba3bff04", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Module for 104 effect. Exports 'Crash' which is invoked by launcher. Functionality requires config file. ,Stage 2: Attack,Loss of Control", "category": "Payload delivery", "uuid": "593fb089-c74c-43c3-8813-4d88950d210f", "timestamp": "1497346274", "to_ids": true, "value": "94488f214b165512d2fc0438a581f5c9e3bd4d4c", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "\"Launcher for payload DLL. 
Takes input as three command line parameters \u2013 working directory, module, and config file.\",Stage 2: Attack,Loss of Control", "category": "Payload delivery", "uuid": "593fb088-4578-4c5f-9ec8-4952950d210f", "timestamp": "1497346274", "to_ids": true, "value": "79ca89711cdaedb16b0ccccfdcfbd6aa7e57120a", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "On port 443", "category": "Payload delivery", "uuid": "593fb087-03e8-4d74-a6f7-49b5950d210f", "timestamp": "1497535980", "to_ids": false, "value": "195.16.88.6|443", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 195.16.88.6:443 ,Phase2: C2,Remote Access", "category": "Payload delivery", "uuid": "593fb087-0f4c-4a43-b6f1-4dbf950d210f", "timestamp": "1497536012", "to_ids": true, "value": "2cb8230281b86fa944d3043ae906016c8b5984d9", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "On port 443", "category": "Payload delivery", "uuid": "593fb086-8e30-4c1e-a3ce-4a23950d210f", "timestamp": "1497346274", "to_ids": false, "value": "93.115.27.57|443", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "Backdoor/RAT Proxy + HTTP CONNECT to 93.115.27.57:443. ,Phase2: C2,Remote Access", "category": "Payload delivery", "uuid": "593fb086-b88c-425e-946d-41c0950d210f", "timestamp": "1497346274", "to_ids": true, "value": "8e39eca1e48240c01ee570631ae8f0c9a9637187", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. 
Backdoor/RAT.\",Phase2: C2,Remote Access", "category": "Payload delivery", "uuid": "593fb085-7334-4cde-b4ee-4bf3950d210f", "timestamp": "1497346274", "to_ids": true, "value": "cccce62996d578b984984426a024d9b250237533", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "On port 443", "category": "Payload delivery", "uuid": "593fb085-2d7c-4a1d-af7a-4b1f950d210f", "timestamp": "1497346274", "to_ids": false, "value": "5.39.218.152|443", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "On port 3128", "category": "Payload delivery", "uuid": "593fb084-1164-4a83-b3a2-476d950d210f", "timestamp": "1497346274", "to_ids": false, "value": "10.15.1.69|3128", "disable_correlation": false, "object_relation": null, "type": "ip-dst|port"}, {"comment": "\"Traffic to 10.15.1.69:3128, HTTP CONNECT to 5.39.218.152:443. Backdoor/RAT. \",Phase2: C2,Remote Access", "category": "Payload delivery", "uuid": "593fb084-a26c-412b-8c5e-439b950d210f", "timestamp": "1497346274", "to_ids": true, "value": "f6c21f8189ced6ae150f9ef2e82a3a57843b587d", "disable_correlation": false, "object_relation": null, "type": "sha1"}, {"comment": "Change in Service Image Path in the system registry to point to malware allowing malware to restart on system reboot.,Stage 2: Installation,Persistence", "category": "Persistence mechanism", "uuid": "593fb083-d114-411f-b654-4985950d210f", "timestamp": "1497346274", "to_ids": false, "value": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\<target_service_name>\\ImagePath", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "External C2 server [DEC 2016] (likely TOR node at time of attack),Stage 2: C2,Remote Access", "category": "Network activity", "uuid": "593fb083-f0a4-494a-bfef-4461950d210f", "timestamp": "1497346274", "to_ids": false, "value": "5.39.218.152", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "External C2 server 
[DEC 2016] (likely TOR node at time of attack),Stage 2: C2,Remote Access", "category": "Network activity", "uuid": "593fb082-322c-4da0-9bbf-436d950d210f", "timestamp": "1497346274", "to_ids": false, "value": "93.115.27.57", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "External C2 server [DEC 2016] (likely TOR node at time of attack),Stage 2: C2,Remote Access", "category": "Network activity", "uuid": "593fb082-e264-4a31-8662-47a6950d210f", "timestamp": "1497533822", "to_ids": false, "value": "195.16.88.6", "disable_correlation": false, "object_relation": null, "type": "ip-dst"}, {"comment": "", "category": "Persistence mechanism", "uuid": "593fb082-d0fc-4e80-ad70-4ab8950d210f", "timestamp": "1497346274", "to_ids": false, "value": "User>\\imapi", "disable_correlation": false, "object_relation": null, "type": "regkey"}, {"comment": "", "category": "External analysis", "uuid": "593faec0-43fc-4d9b-a04d-43d3950d210f", "timestamp": "1497346274", "to_ids": false, "value": "Executive Summary\r\nDragos, Inc. was notified by the Slovakian anti-virus firm ESET of an ICS tailored\r\nmalware on June 8th, 2017. The Dragos team was able to use this notification to find\r\nsamples of the malware, identify new functionality and impact scenarios, and confirm\r\nthat this was the malware employed in the December 17th, 2016 cyber-attack\r\non the Kiev, Ukraine transmission substation which resulted in electric grid operations\r\nimpact. 
This report serves as an industry report to inform the electric sector\r\nand security community of the potential implications of this malware and the appropriate details to have a nuanced discussion.", "Tag": [{"colour": "#002b4a", "exportable": true, "name": "osint:source-type=\"technical-report\""}], "disable_correlation": false, "object_relation": null, "type": "text"}, {"comment": "", "category": "External analysis", "uuid": "593fae91-fa4c-470f-9b47-4fc8950d210f", "timestamp": "1497346274", "to_ids": false, "value": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf", "Tag": [{"colour": "#002b4a", "exportable": true, "name": "osint:source-type=\"technical-report\""}], "disable_correlation": false, "object_relation": null, "type": "link"}], "extends_uuid": "", "published": false, "date": "2017-06-13", "Orgc": {"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"}, "threat_level_id": "2", "uuid": "593fae82-db94-4c16-b623-42d9950d210f"}} |