adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/misp/758d96ed-9dd4-4009-9270-65f2c3dd30cc.json

449 lines
No EOL
14 KiB
JSON
Raw Blame History

{
"Event": {
"analysis": "0",
"date": "2022-09-02",
"extends_uuid": "",
"info": "Buzzing in the Background: BumbleBee, a New Modular Backdoor Evolved From BookWorm",
"publish_timestamp": "1666603457",
"published": true,
"threat_level_id": "2",
"timestamp": "1666603410",
"uuid": "758d96ed-9dd4-4009-9270-65f2c3dd30cc",
"Orgc": {
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"Tag": [
{
"colour": "#064b00",
"name": "misp-galaxy:mitre-attack-pattern=\"Hijack Execution Flow - T1574\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Indicator Removal on Host - T1070\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Execution Guardrails - T1480\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Autostart Execution - T1547\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Boot or Logon Initialization Scripts - T1037\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\""
},
{
"colour": "#075900",
"name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1417\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Input Capture - T1056\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Gather Victim Host Information - T1592\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Bypass User Access Control - T1548.002\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:mitre-attack-pattern=\"Malware - T1587.001\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"BumbleBee\""
},
{
"colour": "#004646",
"name": "type:OSINT"
},
{
"colour": "#0071c3",
"name": "osint:lifetime=\"perpetual\""
},
{
"colour": "#0087e8",
"name": "osint:certainty=\"50\""
},
{
"colour": "#ffffff",
"name": "tlp:white"
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"BumbleBee\""
},
{
"colour": "#00b3b3",
"name": "ecsirt:intrusions=\"backdoor\""
},
{
"colour": "#00a9ce",
"name": "veris:action:malware:variety=\"Backdoor\""
},
{
"colour": "#2c0037",
"name": "ms-caro-malware:malware-type=\"Backdoor\""
},
{
"colour": "#001534",
"name": "ms-caro-malware-full:malware-type=\"Backdoor\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:malpedia=\"Bookworm\""
},
{
"colour": "#0088cc",
"name": "misp-galaxy:tool=\"Bookworm\""
}
],
"Attribute": [
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729265",
"to_ids": true,
"type": "sha256",
"uuid": "35a4ef92-4ae2-4a9b-b23e-d03024f278a1",
"value": "eeca34fba68754e05e7307de61708e4ce74441754fcc6ae762148edf9e8e2ca0"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729274",
"to_ids": true,
"type": "sha256",
"uuid": "5823caf2-1ab2-4c0d-a24e-de7edd58b23e",
"value": "6690b7ace461b60b7a72613c202d70f4684c8cdc5afbb4267c67b5fe5dbf828e"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729281",
"to_ids": true,
"type": "sha256",
"uuid": "d56163b8-3f70-494a-8c03-b5cd66da7aca",
"value": "4ecde81a476f1e4622d192fe2f120f7c5c3ec58bf118b791d5532f3ff61c09ee"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729289",
"to_ids": true,
"type": "sha256",
"uuid": "dba0f86f-314c-4aac-b08c-5b4d47e2a1da",
"value": "8ab8bb836b074e170c129b7f0523d256930fd1f8cf126ca1875b450fdb6c4c05"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - ore",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729293",
"to_ids": true,
"type": "sha256",
"uuid": "903429af-87ca-4865-ab0a-da4febe313e9",
"value": "515cb31b2c89df83ea6d54d5c0c3e4fe9a024319d9bd8fd76ad351860bd67ea3"
},
{
"category": "Payload delivery",
"comment": "Backdoor.Win32.BUMBLEB.ZTIC - bin",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729299",
"to_ids": true,
"type": "sha256",
"uuid": "01769315-d698-45fe-8388-4853f1f7a30d",
"value": "8e340746339614ca105a1873dad471188b24421648d080e37d52b87f4ced5e6d"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729805",
"to_ids": true,
"type": "url",
"uuid": "c9e05448-4911-489a-a310-2f6bd3b0c8f5",
"value": "http://www.synolo.ns01.biz:80/update"
},
{
"category": "Network activity",
"comment": "C&C",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662729805",
"to_ids": true,
"type": "url",
"uuid": "5cb19648-900a-4363-ac92-f0dcef307ef1",
"value": "http://118.163.105.130:80/update"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "39fff771-4832-4181-abf2-1aadd9a9d815",
"value": "launcher.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "f25b964c-9158-436e-8f77-86e949f4c5ac",
"value": "kernel.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "6516e8c0-eb91-45f4-9436-cdce2e06e1ab",
"value": "installer.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "79256a9e-de15-47c7-a361-eb7281617e36",
"value": "keylog.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "11ac46b5-49f4-44cc-9eb4-edf82ec428da",
"value": "loader.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1662963677",
"to_ids": true,
"type": "filename",
"uuid": "2f9eb12e-0e85-4498-aee6-e01f9855fe79",
"value": "slaver.dll"
}
],
"Object": [
{
"comment": "",
"deleted": false,
"description": "Metadata used to generate an executive level report",
"meta-category": "misc",
"name": "report",
"template_uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
"template_version": "7",
"timestamp": "1662708531",
"uuid": "a68b22f1-a68b-4866-b711-3e20fd9914b2",
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "link",
"timestamp": "1662708531",
"to_ids": false,
"type": "link",
"uuid": "56256c65-96f3-4ffc-b9d2-b2cd01e49cdc",
"value": "https://www.trendmicro.com/en_us/research/22/i/buzzing-in-the-background-bumblebee-a-new-modular-backdoor-evolv.html"
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "summary",
"timestamp": "1662708531",
"to_ids": false,
"type": "text",
"uuid": "72c873ac-5a7e-4cde-a97f-7d6a1fe8d4e9",
"value": "\"In March 2021, we investigated a backdoor with a unique modular architecture. Its type of modular framework made our static analysis more challenging because it required us to first rebuild its structure or use dynamic analysis to understand its functionality and behavior.\""
},
{
"category": "Other",
"comment": "",
"deleted": false,
"disable_correlation": true,
"object_relation": "type",
"timestamp": "1662708531",
"to_ids": false,
"type": "text",
"uuid": "72b488f3-fd16-46c6-a46e-787709228af3",
"value": "Report"
}
]
},
{
"comment": " Trojan.Win32.MULTICOM.ZTIC",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724249",
"uuid": "807f2024-9752-456a-be70-284533077af6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724249",
"to_ids": true,
"type": "sha256",
"uuid": "57ac80d1-cca3-4457-8969-76874f9915b3",
"value": "f8809c6c56d2a0f8a08fe181614e6d9488eeb6983f044f2e6a8fa6a617ef2475"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724249",
"to_ids": true,
"type": "filename",
"uuid": "fe5af199-95c0-46c2-8459-97a88ec5efe8",
"value": "slaver.exe"
}
]
},
{
"comment": "Trojan.Win32.REGLOAD.ZTI",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724592",
"uuid": "01ffa6b4-4c4a-4e4d-848c-2e8834970353",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724592",
"to_ids": true,
"type": "filename",
"uuid": "6a41f248-8cc7-422e-8669-37ba4601bed7",
"value": "XecureIO_v20.dll"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724592",
"to_ids": true,
"type": "sha256",
"uuid": "66759a76-7557-4c81-8419-cd7e47ad7952",
"value": "3fc6c5df4a04d555d5cbf2ca53bed7769b5595fc6143a2599097cb6193ef8810"
}
]
},
{
"comment": "Trojan.Win32.REGLOAD.ZTI",
"deleted": false,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"name": "file",
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"template_version": "24",
"timestamp": "1662724615",
"uuid": "788f4f53-7c1e-4528-9315-17e4af67cae6",
"Attribute": [
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "sha256",
"timestamp": "1662724615",
"to_ids": true,
"type": "sha256",
"uuid": "8ea49814-7e60-42bf-a3ec-b273de5751ea",
"value": "ea5db8d658f42acad38106cbc46eea5944607eb709fb00f8adb501d4779fbea0"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"object_relation": "filename",
"timestamp": "1662724615",
"to_ids": true,
"type": "filename",
"uuid": "2772b523-c1a8-436a-8ccf-ddac54976d6a",
"value": "XecureIO_v20.dll"
}
]
}
]
}
}
Reference in a new issue View git blame Copy permalink