358 lines
No EOL
13 KiB
JSON
358 lines
No EOL
13 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2019-12-23",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - Reversing a real-world 249 bytes backdoor!",
|
|
"publish_timestamp": "1577112250",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1577112228",
|
|
"uuid": "5e00d123-d688-417f-aafe-40fb02de0b81",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#004646",
|
|
"local": "0",
|
|
"name": "type:OSINT",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0071c3",
|
|
"local": "0",
|
|
"name": "osint:lifetime=\"perpetual\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#0087e8",
|
|
"local": "0",
|
|
"name": "osint:certainty=\"50\"",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
},
|
|
{
|
|
"colour": "#2c0037",
|
|
"local": "0",
|
|
"name": "ms-caro-malware:malware-type=\"Backdoor\"",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1577112123",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "5e00d23b-051c-4038-866e-4aaa02de0b81",
|
|
"value": "https://anee.me/reversing-a-real-world-249-bytes-backdoor-aadd876c0a32?gi=af1848a0c8d6"
|
|
}
|
|
],
|
|
"Object": [
|
|
{
|
|
"comment": "Apparently it tries to make a socket and connect to the IP address: 104.248.237.194 on port number 1337. This ip address is owned by Digital Ocean.",
|
|
"deleted": false,
|
|
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
|
|
"meta-category": "network",
|
|
"name": "ip-port",
|
|
"template_uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
|
|
"template_version": "8",
|
|
"timestamp": "1577111942",
|
|
"uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
|
|
"Attribute": [
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "ip",
|
|
"timestamp": "1577111942",
|
|
"to_ids": true,
|
|
"type": "ip-dst",
|
|
"uuid": "5e00d186-906c-4b0f-90c6-4b2002de0b81",
|
|
"value": "104.248.237.194"
|
|
},
|
|
{
|
|
"category": "Network activity",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "dst-port",
|
|
"timestamp": "1577111943",
|
|
"to_ids": false,
|
|
"type": "port",
|
|
"uuid": "5e00d187-21a0-4462-af53-411602de0b81",
|
|
"value": "1337"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "Epic! This 249 byte backdoor can run any shellcode we give it. The attackers can deploy it on an offshore IP address and execute arbitrary instructions on the victim\u00e2\u20ac\u2122s box.",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "18",
|
|
"timestamp": "1577112228",
|
|
"uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
|
|
"referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
|
|
"relationship_type": "connects-to",
|
|
"timestamp": "1577112019",
|
|
"uuid": "5e00d1d4-c114-4a6e-af6e-401902de0b81"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "5e00d1ba-d438-4138-90ad-427802de0b81",
|
|
"referenced_uuid": "5e00d259-cf84-4973-84be-41ac02de0b81",
|
|
"relationship_type": "related-to",
|
|
"timestamp": "1577112228",
|
|
"uuid": "5e00d2a4-5050-4d46-8eb9-422c02de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1577111994",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5e00d1ba-00d8-454c-8dea-434e02de0b81",
|
|
"value": "93363683dcf1ccc4db296fa5fde69b71"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1577111995",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5e00d1bb-a874-4883-aed0-478f02de0b81",
|
|
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "17",
|
|
"timestamp": "1577112202",
|
|
"uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
|
|
"ObjectReference": [
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
|
|
"referenced_uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea",
|
|
"relationship_type": "analysed-with",
|
|
"timestamp": "1577112077",
|
|
"uuid": "5e00d20d-70a0-4d2a-b4f3-4be702de0b81"
|
|
},
|
|
{
|
|
"comment": "",
|
|
"object_uuid": "565a1793-5fe6-4024-aa00-e20ba4508e7d",
|
|
"referenced_uuid": "5e00d186-98c8-4333-8ce9-464802de0b81",
|
|
"relationship_type": "connects-to",
|
|
"timestamp": "1577112202",
|
|
"uuid": "5e00d28a-3a3c-40f9-8c10-43f902de0b81"
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1577111995",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "46d8a2f5-3b3f-429f-a4da-f5997e0e248d",
|
|
"value": "93363683dcf1ccc4db296fa5fde69b71"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1577111995",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "b0f200bb-2129-4771-9280-e60954c4346d",
|
|
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1577111995",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5e7c2942-9b88-48a6-99e8-00c5246bd169",
|
|
"value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "",
|
|
"deleted": false,
|
|
"description": "VirusTotal report",
|
|
"meta-category": "misc",
|
|
"name": "virustotal-report",
|
|
"template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
|
|
"template_version": "2",
|
|
"timestamp": "1577112076",
|
|
"uuid": "2be25da5-2716-4bb5-b8e7-cc49a557b6ea",
|
|
"Attribute": [
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "last-submission",
|
|
"timestamp": "1577111995",
|
|
"to_ids": false,
|
|
"type": "datetime",
|
|
"uuid": "455902f8-0097-4722-b3e8-632b0576b786",
|
|
"value": "2019-12-23T14:37:22"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "permalink",
|
|
"timestamp": "1577111995",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "8e8622e6-c217-4007-b5b1-f687b7229150",
|
|
"value": "https://www.virustotal.com/file/5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e/analysis/1577111842/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "detection-ratio",
|
|
"timestamp": "1577111995",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "9eace253-03a3-48a4-b9df-372f58d000fe",
|
|
"value": "16/60"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"comment": "The payload",
|
|
"deleted": false,
|
|
"description": "File object describing a file with meta-information",
|
|
"meta-category": "file",
|
|
"name": "file",
|
|
"template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
|
|
"template_version": "18",
|
|
"timestamp": "1577112153",
|
|
"uuid": "5e00d259-cf84-4973-84be-41ac02de0b81",
|
|
"Attribute": [
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"data": "UEsDBBQACQAIAFF1l0/yRZ1UsgAAAPkAAAAgABwAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAAvqjt0iUIi4uyNisDgBbMaHCnsKqPxjxpPH/j7WjbigFyFZA/IjIYjAG+CYO0Z4hGM+ugnHUGqFnGgUZG9pDrFQxcSI06cNK19h+1W8HjHTIGLnsIXlwIYPEyVaTS7mpAP9Cp/67AnVBRTqd9OiDzStsPebcgilKPPiXPmG3PvTFWBBCtEcVIwswY6e3dSDdUsZJ77r11CBOk89VTgD49ONCQx5n3uP0Gj9dDUCyQ+TrGiFBLBwjyRZ1UsgAAAPkAAABQSwMECgAJAAAAUXWXT+YK5VMTAAAABwAAAC0AHAA5MzM2MzY4M2RjZjFjY2M0ZGIyOTZmYTVmZGU2OWI3MS5maWxlbmFtZS50eHRVVAkAA1nSAF5Z0gBedXgLAAEEIQAAAAQhAAAA5ApOcJaEASZbKJeSi3wsUB8AIVBLBwjmCuVTEwAAAAcAAABQSwECHgMUAAkACABRdZdP8kWdVLIAAAD5AAAAIAAYAAAAAAAAAAAApIEAAAAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzFVVAUAA1nSAF51eAsAAQQhAAAABCEAAABQSwECHgMKAAkAAABRdZdP5grlUxMAAAAHAAAALQAYAAAAAAABAAAApIEcAQAAOTMzNjM2ODNkY2YxY2NjNGRiMjk2ZmE1ZmRlNjliNzEuZmlsZW5hbWUudHh0VVQFAANZ0gBedXgLAAEEIQAAAAQhAAAAUEsFBgAAAAACAAIA2QAAAKYBAAAAAA==",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "malware-sample",
|
|
"timestamp": "1577112153",
|
|
"to_ids": true,
|
|
"type": "malware-sample",
|
|
"uuid": "5e00d259-8d4c-4fa8-bbea-4b7e02de0b81",
|
|
"value": "pay.bin|93363683dcf1ccc4db296fa5fde69b71"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "filename",
|
|
"timestamp": "1577112153",
|
|
"to_ids": false,
|
|
"type": "filename",
|
|
"uuid": "5e00d259-7370-4e58-bea0-4dfb02de0b81",
|
|
"value": "pay.bin"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "md5",
|
|
"timestamp": "1577112153",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "5e00d259-8c38-461a-9b02-43f702de0b81",
|
|
"value": "93363683dcf1ccc4db296fa5fde69b71"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha1",
|
|
"timestamp": "1577112153",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "5e00d259-b210-480a-85a7-497502de0b81",
|
|
"value": "0d4570ae80f9fca2d4b68a7f4b88dd0eb2df3573"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"object_relation": "sha256",
|
|
"timestamp": "1577112153",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "5e00d259-d1fc-4073-b121-488c02de0b81",
|
|
"value": "5141d29d0278c8da4eac177126cbf4d15623502d4763abd6d3a4dca2a3ea616e"
|
|
},
|
|
{
|
|
"category": "Other",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": true,
|
|
"object_relation": "size-in-bytes",
|
|
"timestamp": "1577112154",
|
|
"to_ids": false,
|
|
"type": "size-in-bytes",
|
|
"uuid": "5e00d25a-01c0-4481-8e5c-437802de0b81",
|
|
"value": "249"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
} |