{
"Event": {
"analysis": "2",
"date": "2017-01-19",
"extends_uuid": "",
"info": "OSINT - FINDING THE RAT\u2019S NEST",
"publish_timestamp": "1484833112",
"published": true,
"threat_level_id": "3",
"timestamp": "1484833091",
"uuid": "5880bb50-2330-42a3-a253-4c08950d210f",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"LuminosityLink\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#00223b",
"name": "osint:source-type=\"blog-post\""
},
{
"colour": "#440055",
"name": "ms-caro-malware:malware-type=\"RemoteAccess\""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484831594",
"to_ids": false,
"type": "link",
"uuid": "5880bb6a-6a00-411b-9395-1d0e950d210f",
"value": "https://blog.opendns.com/2017/01/18/finding-the-rats-nest/"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484831619",
"to_ids": false,
"type": "text",
"uuid": "5880bb83-31b4-4906-a648-4447950d210f",
"value": "We\u2019ve spotted a Remote Access Trojan(RAT) and are headed down into the unknown. In this blog post we\u2019re going to examine some malicious infrastructure that we\u2019ve found by pivoting through domains delivering and communicating with RATs.\r\n\r\nA RAT is malware that creates a back door to gain access to the target and its connected resources in order to spy/steal information, drop additional malware such as ransomware, or to enlist the target into a botnet for DDoS purposes. A RAT can basically give all of the same access to a system that the attacker would have if they were physically accessing the target. A RAT has many functionalities: remote desktop control, webcam and microphone control, keylogger, remote shell, crypto miner, download and execute functionalities, screen capturing."
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832365",
"to_ids": true,
"type": "url",
"uuid": "5880be6d-4ce0-4a6c-af3c-4fc3950d210f",
"value": "http://onsitepowersystems.com/invoice86291320.zip"
},
{
"category": "Network activity",
"comment": "Compromised website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832398",
"to_ids": false,
"type": "domain",
"uuid": "5880be8e-ab60-4d26-80cd-4828950d210f",
"value": "onsitepowersystems.com"
},
{
"category": "Network activity",
"comment": "Compromised website",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832398",
"to_ids": false,
"type": "ip-dst",
"uuid": "5880be8e-8278-46e7-925b-47b2950d210f",
"value": "191.101.22.47"
},
{
"category": "Payload delivery",
"comment": "Sample",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832430",
"to_ids": true,
"type": "sha256",
"uuid": "5880beae-2e70-43f9-be6b-48ad950d210f",
"value": "083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832509",
"to_ids": true,
"type": "domain",
"uuid": "5880befd-2c2c-4308-8871-47e3950d210f",
"value": "thevm2.biz"
},
{
"category": "Network activity",
"comment": "C2",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832510",
"to_ids": true,
"type": "hostname",
"uuid": "5880befe-0c6c-49d7-90a0-440c950d210f",
"value": "blackhills.ddns.net"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832559",
"to_ids": true,
"type": "sha256",
"uuid": "5880bf2f-f570-4cd5-93d9-1d0e950d210f",
"value": "0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832560",
"to_ids": true,
"type": "sha256",
"uuid": "5880bf30-10f0-40c2-bc95-1d0e950d210f",
"value": "1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832561",
"to_ids": true,
"type": "sha256",
"uuid": "5880bf31-d0b0-4c41-bb57-1d0e950d210f",
"value": "ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9"
},
{
"category": "Network activity",
"comment": "Potential malicious domains registered by nie0461@gmail[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832704",
"to_ids": true,
"type": "domain",
"uuid": "5880bfc0-2bb4-4903-9700-4807950d210f",
"value": "marciaguthke.com"
},
{
"category": "Network activity",
"comment": "Potential malicious domains registered by nie0461@gmail[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832705",
"to_ids": true,
"type": "domain",
"uuid": "5880bfc1-0bdc-4713-bfba-483f950d210f",
"value": "email-hosting.us"
},
{
"category": "Network activity",
"comment": "Potential malicious domains registered by nie0461@gmail[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832706",
"to_ids": true,
"type": "domain",
"uuid": "5880bfc2-4618-4d45-b874-43dc950d210f",
"value": "emailhostings.in"
},
{
"category": "Network activity",
"comment": "Potential malicious domains registered by nie0461@gmail[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832707",
"to_ids": true,
"type": "domain",
"uuid": "5880bfc3-75bc-4e71-a80b-420c950d210f",
"value": "myvm2.biz"
},
{
"category": "Network activity",
"comment": "Potential malicious domains registered by nie0461@gmail[.]com",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832707",
"to_ids": true,
"type": "domain",
"uuid": "5880bfc3-65c4-4815-951a-4fbd950d210f",
"value": "vm2online.biz"
},
{
"category": "Network activity",
"comment": "which has the nameservers that are hosting these panels currently, and hosted some in the past.",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832771",
"to_ids": true,
"type": "domain",
"uuid": "5880c003-3ce8-45ef-8a6d-4eb0950d210f",
"value": "hackcom.org"
},
{
"category": "Network activity",
"comment": "fake AV support domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832951",
"to_ids": true,
"type": "domain",
"uuid": "5880c0b7-2e18-4ae8-8a66-425c950d210f",
"value": "irus-os-77h7ft.pw"
},
{
"category": "Network activity",
"comment": "fake AV support domains",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484832952",
"to_ids": true,
"type": "ip-dst",
"uuid": "5880c0b8-a8a8-4966-9a76-46ab950d210f",
"value": "192.111.155.6"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833023",
"to_ids": true,
"type": "sha1",
"uuid": "5880c0ff-72f4-4679-891b-402e02de0b81",
"value": "81d77e94b1ba8462b81eb27f3fed6faa5b0b7da9"
},
{
"category": "Payload delivery",
"comment": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833024",
"to_ids": true,
"type": "md5",
"uuid": "5880c100-9e5c-477d-bd00-4d6102de0b81",
"value": "9d30dbac68b18b3a12994a10ff685f40"
},
{
"category": "External analysis",
"comment": "Sample - Xchecked via VT: 083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833024",
"to_ids": false,
"type": "link",
"uuid": "5880c100-5da8-4221-8728-44d102de0b81",
"value": "https://www.virustotal.com/file/083bb90a33710585883ae6bbb7f36437c083a5d889a3e4e3994955a53bfa1be0/analysis/1482557009/"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833025",
"to_ids": true,
"type": "sha1",
"uuid": "5880c101-32a8-4abd-a7c5-4e3d02de0b81",
"value": "7547d0ec26695ecd8a9e696b6e1a1e5485330662"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833026",
"to_ids": true,
"type": "md5",
"uuid": "5880c102-3094-4160-b109-4b7402de0b81",
"value": "7e5dd95f50dd0df531c8bb9069b8f350"
},
{
"category": "External analysis",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833027",
"to_ids": false,
"type": "link",
"uuid": "5880c103-9c50-4447-8d6f-4eb202de0b81",
"value": "https://www.virustotal.com/file/0247b0ecbf6069e38e772ef546e63c46262cc77efe5d004a3ec516baf0e74d87/analysis/1483722136/"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833027",
"to_ids": true,
"type": "sha1",
"uuid": "5880c103-47c4-4c29-b062-451502de0b81",
"value": "bc9d26c387cc938c3c50f2a14042fbf6524f3b9f"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833028",
"to_ids": true,
"type": "md5",
"uuid": "5880c104-b694-4afe-96e4-415902de0b81",
"value": "edc94982e4b857a58947c235acb762f6"
},
{
"category": "External analysis",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833029",
"to_ids": false,
"type": "link",
"uuid": "5880c105-8f14-42d1-a7e4-43fd02de0b81",
"value": "https://www.virustotal.com/file/ac3ade715adafa5784c43f407843bf8889e7c97c4e62239c1b22f07aab2920c9/analysis/1484664762/"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833030",
"to_ids": true,
"type": "sha1",
"uuid": "5880c106-6e2c-4db5-b5f7-453202de0b81",
"value": "9ae528cd78a02a989fa91c841c5792fff30e7271"
},
{
"category": "Payload delivery",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833030",
"to_ids": true,
"type": "md5",
"uuid": "5880c106-c7f0-4262-aea9-4a4802de0b81",
"value": "c505995c2c79d7d4f484fc1bba828c9a"
},
{
"category": "External analysis",
"comment": "Malware dropped (after RAT installation) - Xchecked via VT: 1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a",
"deleted": false,
"disable_correlation": false,
"timestamp": "1484833031",
"to_ids": false,
"type": "link",
"uuid": "5880c107-5c20-412b-8b7c-4c5802de0b81",
"value": "https://www.virustotal.com/file/1ae134e146c43891a6e28d917d9cfcf32bb0ff435051261462b57181320b992a/analysis/1484297083/"
}
]
}
}