1591 lines
No EOL
59 KiB
JSON
1591 lines
No EOL
59 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "1",
|
|
"date": "2021-07-05",
|
|
"extends_uuid": "",
|
|
"info": "Kaseya ransomware attack - indicators and information publicly available",
|
|
"publish_timestamp": "1625651259",
|
|
"published": true,
|
|
"threat_level_id": "1",
|
|
"timestamp": "1625650507",
|
|
"uuid": "e0eaf6f2-a12c-4b31-9d19-f77faf1ea4c9",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": false,
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": false,
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": false,
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": false,
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:ransomware=\"Sodinokibi\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": false,
|
|
"name": "misp-galaxy:mitre-attack-pattern=\"Data Encrypted for Impact - T1486\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472004",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "0e569e9a-17bd-4af6-b785-f83596b7a97a",
|
|
"value": "https://twitter.com/r3c0nst/status/1411922502553673728"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472355",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "89531d9a-c947-4bd8-a84c-68b4e89d2446",
|
|
"value": "https://github.com/cado-security/DFIR_Resources_REvil_Kaseya"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472643",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "580a5488-69c5-4019-83e1-02879ea0ac22",
|
|
"value": "ncuccr.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472643",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d1092ff9-f976-4029-9c29-7af01d6759b2",
|
|
"value": "1team.es"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472643",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "34d82c52-13de-4f37-9a70-336feae63b6a",
|
|
"value": "4net.guru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472643",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5b08c28f-2d33-4075-b8b2-a8cea74dafa5",
|
|
"value": "35-40konkatsu.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472643",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "6c041cd6-b04e-4130-9aed-3140d3f3b78b",
|
|
"value": "123vrachi.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "02484f6e-c50d-4b26-bdd2-aa14c3ebab2e",
|
|
"value": "4youbeautysalon.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "1ae94e8f-be1f-487f-81d6-cd519663ddef",
|
|
"value": "12starhd.online"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "da43a1ec-a1b6-441c-8ea5-48d64cc8e226",
|
|
"value": "101gowrie.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "75c79264-1974-4aa2-b2c6-480ec8e7970d",
|
|
"value": "8449nohate.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "3da15a87-1fb3-4d69-aa35-3efa20b7c701",
|
|
"value": "1kbk.com.ua"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5ae32a41-e5ad-49a0-934f-a0adc913c7d9",
|
|
"value": "365questions.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "ec97ce8b-b674-4689-8720-5100614bcbbb",
|
|
"value": "321play.com.hk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b5135450-e1fc-4c49-991a-f3042d3f21cf",
|
|
"value": "candyhouseusa.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "93d7c230-354b-4378-bb4b-9c9d5fc76265",
|
|
"value": "andersongilmour.co.uk"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "58593514-a54d-4eeb-807d-a9d448bac80f",
|
|
"value": "facettenreich27.de"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "aa9d2ada-9102-4ab7-a846-2c53f53db035",
|
|
"value": "blgr.be"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "27fbdd1c-83e3-421a-bb3b-ae83c8bd24c2",
|
|
"value": "fannmedias.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "085927fc-1a26-43a9-878e-e6ba9aff2869",
|
|
"value": "southeasternacademyofprosthodontics.org"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "d403cb96-0385-4ded-ae2d-2d9c80445eb2",
|
|
"value": "filmstreamingvfcomplet.be"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b5946dfb-7a24-471c-b661-150a3f67c2e6",
|
|
"value": "smartypractice.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a6382aea-9681-4d3c-b031-cedb56900b78",
|
|
"value": "tanzschule-kieber.de"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7e14c5bd-5522-4085-8de9-67885ef022cf",
|
|
"value": "iqbalscientific.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bca4585a-5cb3-45c1-956b-5516f184be9c",
|
|
"value": "pasvenska.se"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "2429561d-6b7a-46d3-9d6d-13a0bd99409b",
|
|
"value": "cursosgratuitosnainternet.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "57fc5262-d25d-4c17-b714-8caa54a91e36",
|
|
"value": "bierensgebakkramen.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7128f692-5453-41ea-9ee3-f3aa47802b39",
|
|
"value": "c2e-poitiers.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9cdaccaa-2179-439f-8579-5e8f26e12c92",
|
|
"value": "gonzalezfornes.es"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "c4024a8b-c8ea-4cdf-aba7-084fdf316969",
|
|
"value": "tonelektro.nl"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "32018026-7020-45fa-8e1d-c835a796fa9b",
|
|
"value": "milestoneshows.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "e5faad77-39b0-4d55-b83c-e35302d03d21",
|
|
"value": "blossombeyond50.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "5e62790f-3493-449c-acb1-d4adfab3f4a9",
|
|
"value": "thomasvicino.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "46272f67-9303-4f9b-acf0-97ea54e7eae2",
|
|
"value": "kaotikkustomz.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "7c089669-43c3-42d9-8c2c-7f3d717281aa",
|
|
"value": "mindpackstudios.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "a489899c-c4f4-46dd-a596-f9d165cc75f9",
|
|
"value": "faroairporttransfers.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "cc0a65b6-d4ac-4486-afb1-da22800a25bd",
|
|
"value": "daklesa.de"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "dfac7576-54ff-41ec-a759-a4e362fd78e3",
|
|
"value": "bxdf.info"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "b1c574bc-446c-437d-ac2f-31fe56889df8",
|
|
"value": "simoneblum.de"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "bbdf4eb4-3f5f-435e-81a3-27eeea6ab88b",
|
|
"value": "gmto.fr"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "38f1ecc6-4e89-40db-a826-c2eda523f946",
|
|
"value": "cerebralforce.net"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "3275524c-6128-4a8e-86c5-3aa90362f9e3",
|
|
"value": "myhostcloud.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "9c0ffa35-e772-4341-b04b-8c63a3385982",
|
|
"value": "fotoscondron.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "0dedcd10-8c29-4647-80f1-8eca7d58bef2",
|
|
"value": "sw1m.ru"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472644",
|
|
"to_ids": true,
|
|
"type": "domain",
|
|
"uuid": "575f1379-0074-410a-9433-49b8b9958118",
|
|
"value": "homng.net"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625472960",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "10036ce7-76fb-44b5-95ec-aa98744391b2",
|
|
"value": "https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "The Kaseya webpage will be the definitive and most up-to-date source for information.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1625650506",
|
|
"to_ids": false,
|
|
"type": "url",
|
|
"uuid": "0a0a5eaa-39aa-474e-91f7-16818eb45441",
|
|
"value": "https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625471909",
|
|
"uuid": "86947a18-f1ed-4ef9-bdfc-cd6d5f586179",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625467460",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "bd53d79e-c645-47b9-925a-5c4b14ebc5c4",
|
|
"value": "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1625467460",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "407c25ff-8013-4b43-b49c-bf711ad4c23c",
|
|
"value": "mpsvc.dll"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1625471909",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "07fa8363-31b0-400d-8c01-ac103cbfe43e",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "8",
|
|
"timestamp": "1625471952",
|
|
"uuid": "83cac77f-3395-4e66-8748-4a3c93f13f9f",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1625471952",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "d53b7f86-6433-4dd9-bd07-4a9fd2bad93d",
|
|
"value": "161.35.239.148"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472060",
|
|
"uuid": "0bb49474-a26d-448c-a5fe-6a646bae941d",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472060",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "9ef10b77-668a-4093-874b-78b7071add8b",
|
|
"value": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1625472060",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "60d07b4f-d7ad-46f6-8356-87cbc4297ec8",
|
|
"value": "agent.exe"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "27b19d64-4188-453c-9b93-85a71532153f",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472101",
|
|
"uuid": "94d2a666-8901-4fdd-b637-12cd14214ed9",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472101",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "ee71f120-f0fb-49df-969c-6d77704e2f3f",
|
|
"value": "45aebd60e3c4ed8d3285907f5bf6c71b3b60a9bcb7c34e246c20410cf678fc0c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1625472101",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "f55d4be6-6cee-4ef0-98f6-441975f7d505",
|
|
"value": "agent.crt"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472160",
|
|
"uuid": "382db752-d40a-44b4-8043-8ed41ad534df",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "382db752-d40a-44b4-8043-8ed41ad534df",
|
|
"referenced_uuid": "f5e08151-622f-4b0f-9a5f-3b329b8da50c",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1625472161",
|
|
"uuid": "872f10b4-9fe5-4f85-9fe9-70ff20de6628"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1625467460",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "8308235a-e5ad-4400-be3f-0ccc974534ae",
|
|
"value": "a47cf00aedf769d60d58bfe00c0b5421"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1625467460",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "6edbe361-4ddb-4d4c-ab29-e5f6135f20a0",
|
|
"value": "656c4d285ea518d90c1b669b79af475db31e30b1"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625467460",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "6350e9d8-3346-42fa-a423-babc0dc6f043",
|
|
"value": "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1625472161",
|
|
"uuid": "f5e08151-622f-4b0f-9a5f-3b329b8da50c",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1625467460",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "b82380c0-f8d1-4628-93db-30b0329f769c",
|
|
"value": "2021-07-05T07:25:40+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1625467460",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "9928eec8-58f6-4045-bb3e-a262fd2ba91d",
|
|
"value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625469940"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1625467460",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "7e59ed0f-cab2-4281-a782-9da359ec6216",
|
|
"value": "48/67"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472924",
|
|
"uuid": "b5e68470-eac8-4708-9c02-bd24d67639d9",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "b5e68470-eac8-4708-9c02-bd24d67639d9",
|
|
"referenced_uuid": "6b906ba0-33c1-4070-8962-49359d7ab1e1",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1625472161",
|
|
"uuid": "963957e0-0e90-411c-adf1-069ae9fe845b"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "b5e68470-eac8-4708-9c02-bd24d67639d9",
|
|
"referenced_uuid": "e6a7fd5d-ff89-4a3f-840f-892e99de748b",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1625472924",
|
|
"uuid": "e8027003-5dc9-4066-a817-fe3073ede5e1"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1625472060",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "2e139fb6-ce1a-4e8d-aa6c-b16c80a6412d",
|
|
"value": "561cffbaba71a6e8cc1cdceda990ead4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1625472060",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "c982cf2f-d181-4a48-b7d1-ed50d475a265",
|
|
"value": "5162f14d75e96edb914d1756349d6e11583db0b0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472060",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "579776c0-3e3c-4919-8ed2-e648dd606c65",
|
|
"value": "d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1625472161",
|
|
"uuid": "6b906ba0-33c1-4070-8962-49359d7ab1e1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "62f89fbb-f229-43f3-9070-42136d2b9dcf",
|
|
"value": "2021-07-05T07:38:02+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "9f23d9a9-531e-4989-8855-9a9ab929a3b0",
|
|
"value": "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625470682"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "c2ed79ca-fec5-4be8-8c84-2458aba65061",
|
|
"value": "45/67"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Metadata used to generate an executive level report",
|
|
"meta-category": "misc",
|
|
"name": "report",
|
|
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
|
|
"template_version": "4",
|
|
"timestamp": "1625472278",
|
|
"uuid": "66a1099e-fc17-4447-a35a-671d1dce2b3a",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "link",
|
|
"timestamp": "1625472278",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "3d161d9c-33c4-4e4b-b1e0-9fa940089aab",
|
|
"value": "https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "summary",
|
|
"timestamp": "1625472278",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "8927e0f4-f8e0-455a-a97c-5fcaf825e8bb",
|
|
"value": "CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers. CISA and FBI strongly urge affected MSPs and their customers to follow the guidance below.\r\n\r\nCISA and FBI recommend affected MSPs:\r\n\r\n Download the Kaseya VSA Detection Tool\r\n\r\n . This tool analyzes a system (either VSA server or managed endpoint) and determines whether any indicators of compromise (IoC) are present. \r\n Enable and enforce multi-factor authentication (MFA) on every single account that is under the control of the organization, and\u2014to the maximum extent possible\u2014enable and enforce MFA for customer-facing services.\r\n Implement allowlisting to limit communication with remote monitoring and management (RMM) capabilities to known IP address pairs, and/or\r\n Place administrative interfaces of RMM behind a virtual private network (VPN) or a firewall on a dedicated administrative network.\r\n\r\nCISA and FBI recommend MSP customers affected by this attack take immediate action to implement the following cybersecurity best practices. Note: these actions are especially important for MSP customer who do not currently have their RMM service running due to the Kaseya attack.\r\n\r\nCISA and FBI recommend affected MSP customers:\r\n\r\n Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network;\r\n Revert to a manual patch management process that follows vendor remediation guidance, including the installation of new patches as soon as they become available;\r\n Implement:\r\n Multi-factor authentication; and\r\n Principle of least privilege on key network resources admin accounts."
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "type",
|
|
"timestamp": "1625472278",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "fb986017-9d19-403f-929e-959fe625dbea",
|
|
"value": "Alert"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1625472394",
|
|
"uuid": "b86e6a60-1bc6-4b06-9816-7d253d8136af",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "context",
|
|
"timestamp": "1625472394",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "ceff86ca-f9c9-43ca-8323-ebb80b912e2b",
|
|
"value": "all"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1625472394",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "b91d3b13-b02f-436c-9264-9de11d15cee4",
|
|
"value": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Cert.yar\r\n*/\r\n\r\nimport \"pe\"\r\nrule REvil_Cert\r\n{\r\nmeta:\r\n\tdescription = \"Identifies the digital certificate PB03 TRANSPORT LTD, used by REvil in the Kaseya supply chain attack.\"\r\n\tauthor = \"@bartblaze\"\r\n\tdate = \"2021-07\"\r\n\treference = \"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\"\r\n\ttlp = \"White\"\r\n\t\r\ncondition:\r\n\tuint16(0) == 0x5a4d and\r\n\t\tfor any i in (0 .. pe.number_of_signatures) : (\r\n\t\tpe.signatures[i].serial == \"11:9a:ce:ad:66:8b:ad:57:a4:8b:4f:42:f2:94:f8:f0\"\r\n\t)\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1625472426",
|
|
"uuid": "92efa833-8ea8-49ee-9d46-5fedbf946d46",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "context",
|
|
"timestamp": "1625472426",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "6b082806-6136-41ba-91f0-5e39568e03e4",
|
|
"value": "all"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1625472426",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "ee10752f-c432-48f3-9d1d-f798e0e7c5d9",
|
|
"value": "/* Via https://github.com/bartblaze/Yara-rules/blob/master/rules/ransomware/REvil_Dropper.yar\r\n*/\r\n\r\nrule REvil_Dropper\r\n{\r\nmeta:\r\n\tdescription = \"Identifies the dropper used by REvil in the Kaseya supply chain attack.\"\r\n\tauthor = \"@bartblaze\"\r\n\tdate = \"2021-07\"\r\n\thash = \"d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e\"\r\n \treference = \"https://community.sophos.com/b/security-blog/posts/active-ransomware-attack-on-kaseya-customers\"\r\n\ttlp = \"White\"\r\n\t\r\nstrings:\r\n $ = { 55 8b ec 56 8b 35 24 d0 40 00 68 04 1c 41 00 6a 65 6a 00 ff \r\n d6 85 c0 0f 84 98 00 00 00 50 6a 00 ff 15 20 d0 40 00 85 c0 0f 84 \r\n 87 00 00 00 50 ff 15 18 d0 40 00 68 14 1c 41 00 6a 66 6a 00 a3 a0 \r\n 43 41 00 ff d6 85 c0 74 6c 50 33 f6 56 ff 15 20 d0 40 00 85 c0 74 \r\n 5e 50 ff 15 18 d0 40 00 68 24 1c 41 00 ba 88 55 0c 00 a3 a4 43 41 \r\n 00 8b c8 e8 9a fe ff ff 8b 0d a0 43 41 00 ba d0 56 00 00 c7 04 ?4 \r\n 38 1c 41 00 e8 83 fe ff ff c7 04 ?4 ec 43 41 00 68 a8 43 41 00 56 \r\n 56 68 30 02 00 00 56 56 56 ff 75 10 c7 05 a8 43 41 00 44 00 00 00 \r\n 50 ff 15 28 d0 40 00 }\r\n\t\r\ncondition:\r\n\tall of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1625472461",
|
|
"uuid": "22682f05-d593-4378-983c-e247b5f6df07",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "context",
|
|
"timestamp": "1625472461",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "14a9c8ee-d25d-4b80-bcff-8ec7980fbf2a",
|
|
"value": "all"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1625472461",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "c95a3cf3-048f-42a4-abad-afe87a3508c8",
|
|
"value": "/* Via: https://github.com/Neo23x0/signature-base/blob/master/yara/crime_revil_general.yar\r\n*/\r\n\r\nrule APT_MAL_REvil_Kaseya_Jul21_2 {\r\n meta:\r\n description = \"Detects malware used in the Kaseya supply chain attack\"\r\n author = \"Florian Roth\"\r\n reference = \"https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b\"\r\n date = \"2021-07-02\"\r\n hash1 = \"0496ca57e387b10dfdac809de8a4e039f68e8d66535d5d19ec76d39f7d0a4402\"\r\n hash2 = \"8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd\"\r\n hash3 = \"cc0cdc6a3d843e22c98170713abf1d6ae06e8b5e34ed06ac3159adafe85e3bd6\"\r\n hash4 = \"d5ce6f36a06b0dc8ce8e7e2c9a53e66094c2adfc93cfac61dd09efe9ac45a75f\"\r\n hash5 = \"d8353cfc5e696d3ae402c7c70565c1e7f31e49bcf74a6e12e5ab044f306b4b20\"\r\n hash6 = \"e2a24ab94f865caeacdf2c3ad015f31f23008ac6db8312c2cbfb32e4a5466ea2\"\r\n strings:\r\n $opa1 = { 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 }\r\n $opa2 = { 89 45 f0 8b 4d fc 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 }\r\n $opa3 = { 83 c1 01 89 4d fc 81 7d f0 ff 00 00 00 77 1? ba 01 00 00 00 6b c2 00 8b 4d 08 0f b6 14 01 }\r\n $opa4 = { 89 45 f4 8b 0d ?? ?0 07 10 89 4d f8 8b 15 ?? ?1 07 10 89 55 fc ff 75 fc ff 75 f8 ff 55 f4 }\r\n\r\n $opb1 = { 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc cc }\r\n $opb2 = { 18 00 10 0e 19 00 10 cc cc cc cc 8b 44 24 04 }\r\n $opb3 = { 10 c4 18 00 10 bd 18 00 10 bd 18 00 10 0e 19 00 10 cc cc }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize < 3000KB and ( 2 of ($opa*) or 3 of them )\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
|
|
"meta-category": "misc",
|
|
"name": "yara",
|
|
"template_uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
|
|
"template_version": "5",
|
|
"timestamp": "1625472481",
|
|
"uuid": "f1a24c1c-d479-447e-abbe-dfc97c485829",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "context",
|
|
"timestamp": "1625472481",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "023305ec-22f9-43dc-af38-dac1fad79341",
|
|
"value": "all"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "yara",
|
|
"timestamp": "1625472482",
|
|
"to_ids": true,
|
|
"type": "yara",
|
|
"uuid": "47a4fdbd-deda-4351-95d4-669b84cedf53",
|
|
"value": "/* Via https://github.com/Neo23x0/signature-base/blob/e360605894c12859de36f28fda95140aa330694b/yara/crime_ransom_revil.yar\r\n*/\r\n\r\n\r\nrule MAL_RANSOM_REvil_Oct20_1 {\r\n meta:\r\n description = \"Detects REvil ransomware\"\r\n author = \"Florian Roth\"\r\n reference = \"Internal Research\"\r\n date = \"2020-10-13\"\r\n hash1 = \"5966c25dc1abcec9d8603b97919db57aac019e5358ee413957927d3c1790b7f4\"\r\n hash2 = \"f66027faea8c9e0ff29a31641e186cbed7073b52b43933ba36d61e8f6bce1ab5\"\r\n hash3 = \"f6857748c050655fb3c2192b52a3b0915f3f3708cd0a59bbf641d7dd722a804d\"\r\n hash4 = \"fc26288df74aa8046b4761f8478c52819e0fca478c1ab674da7e1d24e1cfa501\"\r\n strings:\r\n $op1 = { 0f 8c 74 ff ff ff 33 c0 5f 5e 5b 8b e5 5d c3 8b }\r\n $op2 = { 8d 85 68 ff ff ff 50 e8 2a fe ff ff 8d 85 68 ff }\r\n $op3 = { 89 4d f4 8b 4e 0c 33 4e 34 33 4e 5c 33 8e 84 }\r\n $op4 = { 8d 85 68 ff ff ff 50 e8 05 06 00 00 8d 85 68 ff }\r\n $op5 = { 8d 85 68 ff ff ff 56 57 ff 75 0c 50 e8 2f }\r\n condition:\r\n uint16(0) == 0x5a4d and\r\n filesize < 400KB and\r\n 2 of them or 4 of them\r\n}"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
|
|
"meta-category": "file",
|
|
"name": "registry-key",
|
|
"template_uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
|
|
"template_version": "4",
|
|
"timestamp": "1625472688",
|
|
"uuid": "e0115c11-ab7d-4d4c-a7a2-078a8dc6b6dd",
|
|
"Attribute": [
|
|
{
|
|
"category": "Persistence mechanism",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "key",
|
|
"timestamp": "1625472688",
|
|
"to_ids": true,
|
|
"type": "regkey",
|
|
"uuid": "0653e974-a18d-4999-80f6-2648b7b6de89",
|
|
"value": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\BlackLivesMatter"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472924",
|
|
"uuid": "80fca50b-89b9-4331-9b9a-6a62e7080126",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "80fca50b-89b9-4331-9b9a-6a62e7080126",
|
|
"referenced_uuid": "67af034f-5173-445b-ae08-1f1a7e9a7f87",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1625472924",
|
|
"uuid": "cef5566e-f62a-45f3-ad71-48d61f1270ac"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472778",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "daa001c3-deed-4310-8396-4fd422d4b691",
|
|
"value": "8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1625472778",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "fe34fdc3-44d7-4a45-a836-d57cb450393e",
|
|
"value": "mpsvc.dll"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1625472778",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "85c777eb-9e7e-416f-ac5b-1ef01e89657d",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472864",
|
|
"uuid": "e489c678-49cd-4f79-a70b-9b3de81bd252",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472864",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "e94a8037-2b5f-4eb2-aae4-41ca18aa5a4b",
|
|
"value": "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "filename",
|
|
"timestamp": "1625472864",
|
|
"to_ids": true,
|
|
"type": "filename",
|
|
"uuid": "581a3d68-2887-4b91-bb45-a43f3ca276be",
|
|
"value": "msmpeng.exe"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "state",
|
|
"timestamp": "1625472864",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "89aaf1e9-81e0-4dd6-bc69-6588961515bf",
|
|
"value": "Malicious"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625472924",
|
|
"uuid": "a855e025-6cbb-4c93-9585-95121ea5c55c",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "a855e025-6cbb-4c93-9585-95121ea5c55c",
|
|
"referenced_uuid": "f42f63de-36c2-41d3-86d1-d1e3e3508da1",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1625472925",
|
|
"uuid": "4ea4ee4c-2468-4c14-98c9-68a0283eda05"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1625472864",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "9f6653a7-ec15-4071-bc1f-02a2cb4a896a",
|
|
"value": "8cc83221870dd07144e63df594c391d9"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1625472864",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "3f203a18-544c-4d26-95b9-7773315d942c",
|
|
"value": "3d409b39b8502fcd23335a878f2cbdaf6d721995"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1625472864",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "51656206-9922-46c9-b474-c38adfdf2c67",
|
|
"value": "33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1625472924",
|
|
"uuid": "f42f63de-36c2-41d3-86d1-d1e3e3508da1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1625472864",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "d3098b51-a5b4-423d-8300-1d367736f857",
|
|
"value": "2021-07-05T07:54:28+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1625472864",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "d39ee2f9-56f3-42be-8de3-4e464a297c19",
|
|
"value": "https://www.virustotal.com/gui/file/33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a/detection/f-33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a-1625471668"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1625472864",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "65828223-6628-400c-99c8-cd7a1c4e2de7",
|
|
"value": "0/68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1625472924",
|
|
"uuid": "67af034f-5173-445b-ae08-1f1a7e9a7f87",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1625472778",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "45e226ea-be4f-45ce-8ac1-ccdcc263a1b8",
|
|
"value": "2021-07-05T08:11:57+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1625472778",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "c93ae24c-908f-4dd0-ae98-4b376b9cf2fd",
|
|
"value": "https://www.virustotal.com/gui/file/8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd/detection/f-8dd620d9aeb35960bb766458c8890ede987c33d239cf730f93fe49d90ae759dd-1625472717"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1625472778",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "f8f3e9cd-5ff9-479d-8a71-86f210c79adb",
|
|
"value": "48/68"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "4",
|
|
"timestamp": "1625472924",
|
|
"uuid": "e6a7fd5d-ff89-4a3f-840f-892e99de748b",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "1b7654f4-816d-462a-a589-1c72eeb110aa",
|
|
"value": "2021-07-05T08:12:17+00:00"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "43d4b31b-3140-4f05-8b0e-5f0eedd20103",
|
|
"value": "https://www.virustotal.com/gui/file/d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e/detection/f-d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e-1625472737"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1625472060",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "9d182ba8-8b82-453f-8e0e-91f29ee97d65",
|
|
"value": "47/70"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1625473186",
|
|
"uuid": "cd7445c8-4121-45e1-a294-121ec9d35d8e",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "cd7445c8-4121-45e1-a294-121ec9d35d8e",
|
|
"referenced_uuid": "0ff15772-0b74-45a7-b805-f2a4363639d1",
|
|
"relationship_type": "child-of",
|
|
"timestamp": "1625473186",
|
|
"uuid": "7ee8bd91-c1ac-4e49-aae8-ea1f3fd3d660"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1625473011",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "cbfcd350-0e50-4e7e-a839-f3869a4ae11e",
|
|
"value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 6258 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "Command line and option related to a software malicious or not to execute specific commands.",
|
|
"meta-category": "misc",
|
|
"name": "command-line",
|
|
"template_uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
|
|
"template_version": "1",
|
|
"timestamp": "1625473142",
|
|
"uuid": "f722ecce-fb4e-44f6-a2ed-f40f4fd96f11",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "f722ecce-fb4e-44f6-a2ed-f40f4fd96f11",
|
|
"referenced_uuid": "0ff15772-0b74-45a7-b805-f2a4363639d1",
|
|
"relationship_type": "child-of",
|
|
"timestamp": "1625473142",
|
|
"uuid": "fd48f9be-0494-4fc6-baf2-7899fbac51d4"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "value",
|
|
"timestamp": "1625473037",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "d27857cb-272f-434f-8236-5a65e4c12acf",
|
|
"value": "\"%WINDIR%\\system32\\cmd.exe\" /c ping 127.0.0.1 -n 5693 > nul & %WINDIR%\\System32\\WindowsPowerShell\\v1.0\\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & copy /Y %WINDIR%\\System32\\certutil.exe %WINDIR%\\cert.exe & echo %RANDOM% >> %WINDIR%\\cert.exe & %WINDIR%\\cert.exe -decode c:\\kworking\\agent.crt c:\\kworking\\agent.exe & del /q /f c:\\kworking\\agent.crt %WINDIR%\\cert.exe & c:\\kworking\\agent.exe"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "24",
|
|
"timestamp": "1625473084",
|
|
"uuid": "0ff15772-0b74-45a7-b805-f2a4363639d1",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "fullpath",
|
|
"timestamp": "1625473084",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "a94932af-2266-4478-860f-a16e0162f761",
|
|
"value": "%PROGRAMFILES%\\(x86)\\Kaseya\\<ID>\\AgentMon.exe"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |