249 lines
No EOL
10 KiB
JSON
249 lines
No EOL
10 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2016-04-22",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Teaching an old RAT new tricks",
|
|
"publish_timestamp": "1461334497",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1461334427",
|
|
"uuid": "571a302c-e5c4-4014-8131-4e9c950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"name": "tlp:white"
|
|
},
|
|
{
|
|
"colour": "#004646",
|
|
"name": "type:OSINT"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334074",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "571a303a-3c3c-4030-885f-400b950d210f",
|
|
"value": "https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334102",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "571a3056-7f64-4ee4-99d6-425b950d210f",
|
|
"value": "Attackers have been successfully deploying RATs for years to remotely control users systems - giving them full access to the victim\u00e2\u20ac\u2122s files or resources such as cameras, recording key strokes, or downloading further malware. Traditionally RATs have been deployed when a user opens an email attachment, or downloads a file from a website or peer-to-peer network. In both cases, these vectors involve use of files to deliver the payload - which are easier to detect.\r\n\r\nRecently we detected a more sophisticated technique that a handful of countries across Asia are actively using to infect systems with RATs. This new technique ensures that the payload/file remains in memory through its execution, never touching the disk in a de-encrypted state. In doing so, the attacker can remain out of view from antivirus technologies, and even \u00e2\u20ac\u02dcnext-generation\u00e2\u20ac\u2122 technologies that only focus on file-based threat vectors. Also, the samples analyzed have the ability detect the presence of a virtual machine to ensure it\u00e2\u20ac\u2122s not being analyzed in a network sandbox.\r\n\r\nAnd finally it\u00e2\u20ac\u2122s important to highlight that the RAT itself is not new. In fact this technique can be used to deliver any \u00e2\u20ac\u0153known\u00e2\u20ac\u009d RAT to a victim\u00e2\u20ac\u2122s system. We analyzed this sample against our SentinelOne EPP to confirm is does not evade our behavior-based detection mechanisms. This is due to the fact that we\u00e2\u20ac\u2122re monitoring all processes at the user-space/kernel-space interface - and because all communication between the application and the kernel must be unencrypted, we detect the sample at both process-injection points."
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Win32 PE .NET 2.0 - Samples Analyzed",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334141",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "571a307d-d2a8-48f3-a7fa-4c68950d210f",
|
|
"value": "b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334259",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "571a30f3-44ec-4b50-a024-40d702de0b81",
|
|
"value": "3b1ac573509281cdc0b6141f8ea6ed3af393b554"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Win32 PE .NET 2.0 - Samples Analyzed - Xchecked via VT: b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334260",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "571a30f4-dd90-4bbc-8f25-4cfd02de0b81",
|
|
"value": "65752e742d643d121ee7e826ab65dc9b"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334260",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "571a30f4-5ec4-4d2a-86ed-40c602de0b81",
|
|
"value": "https://www.virustotal.com/file/b7cfc7e9551b15319c068aae966f8a9ff563b522ed9b1b42d19c122778e018c8/analysis/1461260966/"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Packed \"Benchmark\" DLL",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334316",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "571a312c-ada4-409a-9d75-437e950d210f",
|
|
"value": "e5c71180f117270538487cd9b9b1b6d8"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Monitor (PerfWatson.exe)",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334371",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "571a3163-6690-403b-9d75-43e6950d210f",
|
|
"value": "9e05fb115bd4e85cfc0e32c72aa721be"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "NanoCore RAT dumped from memory",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334394",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "571a317a-55bc-42d0-a5b2-4164950d210f",
|
|
"value": "d740ed3f33ca4cef3a6aa717f94bf52a"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334405",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "571a3185-2014-41d4-8f7f-45dc02de0b81",
|
|
"value": "755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "NanoCore RAT dumped from memory - Xchecked via VT: d740ed3f33ca4cef3a6aa717f94bf52a",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334406",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "571a3186-1514-4141-a640-482702de0b81",
|
|
"value": "8105e6146d9cacf30ca38920a5a8483b52ddff62"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334406",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "571a3186-bcbc-4ce1-a073-439e02de0b81",
|
|
"value": "https://www.virustotal.com/file/755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050/analysis/1460984076/"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334406",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "571a3186-6a4c-409f-948d-4df502de0b81",
|
|
"value": "51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Monitor (PerfWatson.exe) - Xchecked via VT: 9e05fb115bd4e85cfc0e32c72aa721be",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334407",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "571a3187-e8b0-4cb8-9896-49c802de0b81",
|
|
"value": "407abece50b4905197d5132c19f19b5321fa9a55"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334407",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "571a3187-a00c-45ee-b49b-49ec02de0b81",
|
|
"value": "https://www.virustotal.com/file/51142d1fb6c080b3b754a92e8f5826295f5da316ec72b480967cbd68432cede1/analysis/1455165681/"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334408",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "571a3188-39b4-474d-adbd-414502de0b81",
|
|
"value": "e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06"
|
|
},
|
|
{
|
|
"category": "Payload installation",
|
|
"comment": "Packed \"Benchmark\" DLL - Xchecked via VT: e5c71180f117270538487cd9b9b1b6d8",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334408",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "571a3188-fb1c-4924-8bcb-4d7f02de0b81",
|
|
"value": "3a35080da4c0e71bdd1445fdae886a87d27a419e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334408",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "571a3188-e618-4f9d-8024-420b02de0b81",
|
|
"value": "https://www.virustotal.com/file/e707a7745e346c5df59b5aa4df084574ae7c204f4fb7f924c0586ae03b79bf06/analysis/1461269734/"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 1617",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334426",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "571a319a-7aa4-48bc-bc4b-4ffb950d210f",
|
|
"value": "azona2015.chickenkiller.com"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "On port 1617",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1461334427",
|
|
"to_ids": true,
|
|
"type": "hostname",
|
|
"uuid": "571a319b-f570-4379-b681-476c950d210f",
|
|
"value": "azona.chickenkiller.com"
|
|
}
|
|
]
|
|
}
|
|
} |