adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/5e00d123-d688-417f-aafe-40fb02de0b81.json

358 lines
No EOL
13 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "2",
"date": "2019-12-23",
"extends_uuid": "",
"info": "OSINT - Reversing a real-world 249 bytes backdoor!",
"publish_timestamp": "1577112250",
"published": true,
"threat_level_id": "3",
"timestamp": "1577112228",
"uuid": "5e00d123-d688-417f-aafe-40fb02de0b81",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": false,
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#0071c3",
"local": false,
"name": "osint:lifetime=\"perpetual\"",
"relationship_type": ""
},
{
"colour": "#0087e8",
"local": false,
"name": "osint:certainty=\"50\"",
"relationship_type": ""
},
{
"colour": "#ffffff",
"local": false,
"name": "tlp:white",
"relationship_type": ""
},
{
"colour": "#2c0037",
"local": false,
"name": "ms-caro-malware:malware-type=\"Backdoor\"",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1577112123",
"to_ids": false,
"type": "link",
"uuid": "5e00d23b-051c-4038-866e-4aaa02de0b81",
"value": "https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32?gi=af1848a0c8d6"
}
],
"Object": [
{
"comment": "Apparently it tries to make a socket and connect to the IP address: 104.248.237.194 on port number 1337. This ip address is owned by Digital Ocean.",
"deleted": false,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"name": "ip-port",
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"template_version": "8",
"timestamp": "1577111942",
"uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
"Attribute": [
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "ip",
"timestamp": "1577111942",
"to_ids": true,
"type": "ip-dst",
"uuid": "5e00d186-906c-4b0f-90c6-4b2002de0b81",
"value": "104.248.237.194"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "dst-port",
"timestamp": "1577111943",
"to_ids": false,
"type": "port",
"uuid": "5e00d187-21a0-4462-af53-411602de0b81",
"value": "1337"
}
]
},
{
"comment": "Epic! This 249 byte backdoor can run any shellcode we give it. The attackers can deploy it on an offshore IP address and execute arbitrary instructions on the victim\u00e2\u20ac\u2122s box.",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "18",
"timestamp": "1577112228",
"uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
"ObjectReference": [
{
"comment": "",
"object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
"referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
"relationship_type": "connects-to",
"timestamp": "1577112019",
"uuid": "5e00d1d4-c114-4a6e-af6e-401902de0b81"
},
{
"comment": "",
"object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
"referenced_uuid": "5e00d259-cf84-4973-84be-41ac02de0b81",
"relationship_type": "related-to",
"timestamp": "1577112228",
"uuid": "5e00d2a4-5050-4d46-8eb9-422c02de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577111994",
"to_ids": true,
"type": "md5",
"uuid": "5e00d1ba-00d8-454c-8dea-434e02de0b81",
"value": "93363683dcf1ccc4db296fa5fde69b71"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577111995",
"to_ids": true,
"type": "sha1",
"uuid": "5e00d1bb-a874-4883-aed0-478f02de0b81",
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
}
]
},
{
"comment": "",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "17",
"timestamp": "1577112202",
"uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
"ObjectReference": [
{
"comment": "",
"object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
"referenced_uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea",
"relationship_type": "analysed-with",
"timestamp": "1577112077",
"uuid": "5e00d20d-70a0-4d2a-b4f3-4be702de0b81"
},
{
"comment": "",
"object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
"referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
"relationship_type": "connects-to",
"timestamp": "1577112202",
"uuid": "5e00d28a-3a3c-40f9-8c10-43f902de0b81"
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577111995",
"to_ids": true,
"type": "md5",
"uuid": "46d8a2f5-3b3f-429f-a4da-f5997e0e248d",
"value": "93363683dcf1ccc4db296fa5fde69b71"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577111995",
"to_ids": true,
"type": "sha1",
"uuid": "b0f200bb-2129-4771-9280-e60954c4346d",
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577111995",
"to_ids": true,
"type": "sha256",
"uuid": "5e7c2942-9b88-48a6-99e8-00c5246bd169",
"value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e"
}
]
},
{
"comment": "",
"deleted": false,
"description": "VirusTotal report",
"meta-category": "misc",
"name": "virustotal-report",
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"template_version": "2",
"timestamp": "1577112076",
"uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea",
"Attribute": [
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "last-submission",
"timestamp": "1577111995",
"to_ids": false,
"type": "datetime",
"uuid": "455902f8-0097-4722-b3e8-632b0576b786",
"value": "2019-12-23T14:37:22"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "permalink",
"timestamp": "1577111995",
"to_ids": false,
"type": "link",
"uuid": "8e8622e6-c217-4007-b5b1-f687b7229150",
"value": "https://www.virustotal.com/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/analysis/1577111842/"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "detection-ratio",
"timestamp": "1577111995",
"to_ids": false,
"type": "text",
"uuid": "9eace253-03a3-48a4-b9df-372f58d000fe",
"value": "16/60"
}
]
},
{
"comment": "The payload",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "18",
"timestamp": "1577112153",
"uuid": "5e00d259-cf84-4973-84be-41ac02de0b81",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"data": "UEsDBBQACQAIAFF1l0/yRZ1UsgAAAPkAAAAgABwAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAAvqjt0iUIi4uyNisDgBbMaHCnsKqPxjxpPH/j7WjbigFyFZA/IjIYjAG+CYO0Z4hGM+ugnHUGqFnGgUZG9pDrFQxcSI06cNK19h+1W8HjHTIGLnsIXlwIYPEyVaTS7mpAP9Cp/67AnVBRTqd9OiDzStsPebcgilKPPiXPmG3PvTFWBBCtEcVIwswY6e3dSDdUsZJ77r11CBOk89VTgD49ONCQx5n3uP0Gj9dDUCyQ+TrGiFBLBwjyRZ1UsgAAAPkAAABQSwMECgAJAAAAUXWXT+YK5VMTAAAABwAAAC0AHAA5MzM2MzY4M2RjZjFjY2M0ZGIyOTZmYTVmZGU2OWI3MS5maWxlbmFtZS50eHRVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAA5ApOcJaEASZbKJeSi3wsUB8AIVBLBwjmCuVTEwAAAAcAAABQSwECHgMUAAkACABRdZdP8kWdVLIAAAD5AAAAIAAYAAAAAAAAAAAApIEAAAAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAUAA1nSAF51eAsAAQQhAAAABCEAAABQSwECHgMKAAkAAABRdZdP5grlUxMAAAAHAAAALQAYAAAAAAABAAAApIEcAQAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzEuZmlsZW5hbWUudHh0VVQFAANZ0gBedXgLAAEEIQAAAAQhAAAAUEsFBgAAAAACAAIA2QAAAKYBAAAAAA==",
"deleted": false,
"disable_correlation": false,
"object_relation": "malware-sample",
"timestamp": "1577112153",
"to_ids": true,
"type": "malware-sample",
"uuid": "5e00d259-8d4c-4fa8-bbea-4b7e02de0b81",
"value": "pay.bin|93363683dcf1ccc4db296fa5fde69b71"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1577112153",
"to_ids": false,
"type": "filename",
"uuid": "5e00d259-7370-4e58-bea0-4dfb02de0b81",
"value": "pay.bin"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "md5",
"timestamp": "1577112153",
"to_ids": true,
"type": "md5",
"uuid": "5e00d259-8c38-461a-9b02-43f702de0b81",
"value": "93363683dcf1ccc4db296fa5fde69b71"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha1",
"timestamp": "1577112153",
"to_ids": true,
"type": "sha1",
"uuid": "5e00d259-b210-480a-85a7-497502de0b81",
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1577112153",
"to_ids": true,
"type": "sha256",
"uuid": "5e00d259-d1fc-4073-b121-488c02de0b81",
"value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "size-in-bytes",
"timestamp": "1577112154",
"to_ids": false,
"type": "size-in-bytes",
"uuid": "5e00d25a-01c0-4481-8e5c-437802de0b81",
"value": "249"
}
]
}
]
}
}
Reference in a new issue View git blame Copy permalink