323 lines
No EOL
12 KiB
JSON
323 lines
No EOL
12 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-12-12",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Rise of One More Mirai Worm Variant",
|
|
"publish_timestamp": "1514468186",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1513911633",
|
|
"uuid": "5a3a3aca-a210-497a-9715-452c950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#22681c",
|
|
"local": "0",
|
|
"name": "malware_classification:malware-category=\"Botnet\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0088cc",
|
|
"local": "0",
|
|
"name": "misp-galaxy:tool=\"Satori\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a3a3ad7-43e0-4b4c-9343-49b6950d210f",
|
|
"value": "https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "comment",
|
|
"uuid": "5a3a3aee-d9e0-43bf-a335-49e4950d210f",
|
|
"value": "Not long after a new strain of the Akuma malware was discovered targeting ZyXEL devices with a new series of login/password attacks, FortiGuard Labs last week also began detecting strange scanning activities on uncommon TCP ports 52869 and 37215. We and other threat research teams quickly began to suspect that these were tied together, and that there was a new botnet out there.\r\n\r\nWith some focused research, the new Satori botnet, or \u00e2\u20ac\u0153Okiru\u00e2\u20ac\u009d \u00e2\u20ac\u201c as it was named by its malevolent author \u00e2\u20ac\u201c came to light. Okiru is a Japanese word that can be translated to \u00e2\u20ac\u0153to get up\u00e2\u20ac\u009d or \u00e2\u20ac\u0153to rise\u00e2\u20ac\u009d. Okiru first appeared on our radar at the end of October 2017, but during the first week of December it significantly stepped up its game by also adding worm capabilities to its arsenal. I will break down our analysis of this new botnet strain in this report.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513765658",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a3a3b1a-44f4-4bcf-953f-4af4950d210f",
|
|
"value": "e5fc493874f2a49e1a1594f3ee2254fa30e6dd69c6f24d24a08a562f03b2fd26"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1513765658",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a3a3b1a-3398-40a6-8ed9-430d950d210f",
|
|
"value": "dd6e5607f137b6536097670a1211b4e20821ca136e2db26529948ff0a48555ff"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1513805835",
|
|
"uuid": "4a76a7c3-a63e-4701-882d-dcada5375372",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "4a76a7c3-a63e-4701-882d-dcada5375372",
|
|
"referenced_uuid": "402734d9-a857-45bd-9ae8-04657966f1c8",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1514468186",
|
|
"uuid": "5a3ad808-0190-40c5-9cf0-04a602de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a3ad808-2d10-4ae7-8713-04a602de0b81",
|
|
"value": "562c61a6413bf35c00a76e22d4cd8278658a0483"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a3ad808-0fa8-4406-83d9-04a602de0b81",
|
|
"value": "fc11c9cb0d4433143271f0f767864a30"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a3ad808-4fa4-47aa-b76e-04a602de0b81",
|
|
"value": "e5fc493874f2a49e1a1594f3ee2254fa30e6dd69c6f24d24a08a562f03b2fd26"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1513805832",
|
|
"uuid": "402734d9-a857-45bd-9ae8-04657966f1c8",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a3ad808-98b0-4301-aeb3-04a602de0b81",
|
|
"value": "https://www.virustotal.com/file/e5fc493874f2a49e1a1594f3ee2254fa30e6dd69c6f24d24a08a562f03b2fd26/analysis/1513339300/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a3ad808-ab94-4518-bf1b-04a602de0b81",
|
|
"value": "26/59"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a3ad808-1360-4a31-be33-04a602de0b81",
|
|
"value": "2017-12-15T12:01:40"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "7",
|
|
"timestamp": "1513805835",
|
|
"uuid": "10e3647b-ec40-4bba-9dae-9b62d89a7ff0",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "10e3647b-ec40-4bba-9dae-9b62d89a7ff0",
|
|
"referenced_uuid": "eae4f37c-fb66-445a-a462-c399c92638a3",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1514468186",
|
|
"uuid": "5a3ad808-df78-497a-b740-04a602de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5a3ad808-baac-4124-99b2-04a602de0b81",
|
|
"value": "fc6569b13e4f0fb9a541f0eb4b0b179d34aadb4c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5a3ad808-1ac4-4ab1-8d4d-04a602de0b81",
|
|
"value": "eeab715dc67af05280c926dc4c4676f5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1513805832",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5a3ad808-2fd0-44a9-91e4-04a602de0b81",
|
|
"value": "dd6e5607f137b6536097670a1211b4e20821ca136e2db26529948ff0a48555ff"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "1",
|
|
"timestamp": "1513805832",
|
|
"uuid": "eae4f37c-fb66-445a-a462-c399c92638a3",
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5a3ad808-7ac8-4434-865d-04a602de0b81",
|
|
"value": "https://www.virustotal.com/file/dd6e5607f137b6536097670a1211b4e20821ca136e2db26529948ff0a48555ff/analysis/1513706129/"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "5a3ad808-77cc-4147-805d-04a602de0b81",
|
|
"value": "28/59"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "Linux/Mirai.Y!tr.bdr",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1513805832",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "5a3ad808-0fac-4369-949d-04a602de0b81",
|
|
"value": "2017-12-19T17:55:29"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |