{
"Event": {
"analysis": "2",
"date": "2015-01-29",
"extends_uuid": "",
"info": "OSINT New 'f0xy' malware is intelligent - employs cunning stealth & trickery from Websense",
"publish_timestamp": "1456152025",
"published": true,
"threat_level_id": "3",
"timestamp": "1422603841",
"uuid": "54cb3580-cde4-4b39-bf8c-443f950d210b",
"Orgc": {
"name": "CthulhuSPRL.be",
"uuid": "55f6ea5f-fd34-43b8-ac1d-40cb950d210f"
},
"Tag": [
{
"colour": "#004646",
"local": "0",
"name": "type:OSINT",
"relationship_type": ""
},
{
"colour": "#33FF00",
"local": "0",
"name": "tlp:green",
"relationship_type": ""
}
],
"Attribute": [
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603660",
"to_ids": false,
"type": "text",
"uuid": "54cb358c-2360-4acd-ab3c-de9b950d210b",
"value": "f0xy"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603668",
"to_ids": false,
"type": "link",
"uuid": "54cb3594-3d30-40d0-a49f-cf08950d210b",
"value": "http://community.websense.com/blogs/securitylabs/archive/2015/01/29/new-f0xy-malware-employs-cunning-stealth-amp-trickery.aspx"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603714",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c2-dc18-4a6f-88c0-05f5950d210b",
"value": "080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603714",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c2-5204-42c6-b115-05f5950d210b",
"value": "c25da337ec5ac041312b062e7fb697e4f01ca8d9"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-c3e4-44be-b112-05f5950d210b",
"value": "cd4e297928502dece4545acbe0b94dd1270f955c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-b894-4128-8f54-05f5950d210b",
"value": "adbf0e4d37e381fe7599695561262d1a65205317"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-7d8c-484c-af92-05f5950d210b",
"value": "54d2810aaae67da9fa24f4e11f4c2d5fe4d2b6d4"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-b0bc-4486-9a2b-05f5950d210b",
"value": "7de3ed8f751a528fde1688d35c6eb5533b09ae11"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-7f58-4d2c-9f87-05f5950d210b",
"value": "812e453c22e1a9f70b605cd27d3f642c3778d96d"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-db14-4dcc-805a-05f5950d210b",
"value": "55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-10dc-4465-a0cd-05f5950d210b",
"value": "e80d7f27405ece2697a05d6c2612c63335851490"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-ad38-4403-9de4-05f5950d210b",
"value": "f4f1d8bceb62c72f2fe6713c5395555917fc40ad"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-8268-473b-b22a-05f5950d210b",
"value": "2a4837fdb331f823ca474f521248b2cdb766528f"
},
{
"category": "Payload delivery",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603715",
"to_ids": true,
"type": "sha1",
"uuid": "54cb35c3-2828-425d-a232-05f5950d210b",
"value": "f522e0893ec97438c6184e13adc48219f08b67d8"
},
{
"category": "Network activity",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603733",
"to_ids": true,
"type": "ip-dst",
"uuid": "54cb35d5-6090-4c3e-8660-c32e950d210b",
"value": "185.53.169.79"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603755",
"to_ids": true,
"type": "filename",
"uuid": "54cb35eb-a9f0-4877-8ad1-4b9d950d210b",
"value": "%appdata%\\Microsoft\\svchost.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603755",
"to_ids": true,
"type": "filename",
"uuid": "54cb35eb-bcb8-4b6a-8d62-49d9950d210b",
"value": "%appdata%\\Microsoft\\f0xyupdate.exe"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603790",
"to_ids": true,
"type": "regkey",
"uuid": "54cb360e-7f00-4311-aed4-4505950d210b",
"value": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\f0xy"
},
{
"category": "Artifacts dropped",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603804",
"to_ids": true,
"type": "yara",
"uuid": "54cb361c-7c88-4d35-b0e0-cf08950d210b",
"value": "rule ws_f0xy_downloader {\r\n\r\n meta:\r\n\r\n description = \"f0xy malware downloader\"\r\n author = \"Nick Griffin (Websense)\"\r\n\r\n strings:\r\n\r\n $mz=\"MZ\"\r\n $string1=\"bitsadmin /transfer\"\r\n $string2=\"del rm.bat\"\r\n $string3=\"av_list=\"\r\n\r\n condition:\r\n\r\n ($mz at 0) and (all of ($string*))\r\n}"
},
{
"category": "External analysis",
"comment": "",
"deleted": false,
"disable_correlation": false,
"timestamp": "1422603841",
"to_ids": false,
"type": "comment",
"uuid": "54cb3641-6244-4691-98b0-8154950d210b",
"value": "Data entered by David Andr\u00e9"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836901",
"to_ids": true,
"type": "md5",
"uuid": "56c64ee5-9114-4be4-b1e4-4ebc950d210f",
"value": "f2eccbc5d545221c0d0906a5808f90c6"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836903",
"to_ids": true,
"type": "md5",
"uuid": "56c64ee7-05e8-4d4d-814e-59a0950d210f",
"value": "d46d7edd10bbb3c2d2158606e329ea6d"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836905",
"to_ids": true,
"type": "md5",
"uuid": "56c64ee9-1378-4314-852a-c654950d210f",
"value": "f6ae08aba0a188963e8c299db6a14c0e"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836907",
"to_ids": true,
"type": "md5",
"uuid": "56c64eeb-a314-4f12-b561-4c62950d210f",
"value": "dc645cf749611aca49a4e3e6a7c0eb49"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836908",
"to_ids": true,
"type": "md5",
"uuid": "56c64eec-6798-4b97-a239-5f51950d210f",
"value": "dc4345fe0a312b8b035daa9711b099a7"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836912",
"to_ids": true,
"type": "md5",
"uuid": "56c64ef0-65e4-42d1-bcd9-599c950d210f",
"value": "160634d784c256d29563117554685c31"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 080c61c9172cd49f6e4e7ef27285ccaaf6d5f0ac)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836902",
"to_ids": true,
"type": "sha256",
"uuid": "56c64ee6-e9f0-4c93-81f4-599e950d210f",
"value": "0c4196bd5f2dea9ded5da5b23f081a713f6452e9a64f9e3898854a6c9d81e412"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via c25da337ec5ac041312b062e7fb697e4f01ca8d9)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836903",
"to_ids": true,
"type": "sha256",
"uuid": "56c64ee7-9ad4-4c88-a202-4028950d210f",
"value": "21ed2d1ed704979292ccab5512244423b522fda486ef52fd73b6f851321affb9"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 7de3ed8f751a528fde1688d35c6eb5533b09ae11)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836905",
"to_ids": true,
"type": "sha256",
"uuid": "56c64ee9-fd34-418d-979b-5ca1950d210f",
"value": "2e832777a77f5cc7cfa05183253440484c614733547a4ea0f2f75cfafc165e39"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 812e453c22e1a9f70b605cd27d3f642c3778d96d)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836907",
"to_ids": true,
"type": "sha256",
"uuid": "56c64eeb-e2fc-420e-afe8-59a0950d210f",
"value": "4d235e31ee278255918157b999fb5987a0cac95cf3ca231950a7adfe49ffc4d7"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via 55c9d015b1f8d68e6b5ce150f2dbab2b621dac1c)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836910",
"to_ids": true,
"type": "sha256",
"uuid": "56c64eee-d864-4b3c-8999-59a4950d210f",
"value": "8b62000e09a00755eb9e08523e07b9aef292c96a423d28c863bd018ebba3636d"
},
{
"category": "Payload delivery",
"comment": "Automatically added (via f522e0893ec97438c6184e13adc48219f08b67d8)",
"deleted": false,
"disable_correlation": false,
"timestamp": "1455836913",
"to_ids": true,
"type": "sha256",
"uuid": "56c64ef1-a8d8-4d2a-a63f-47c0950d210f",
"value": "c85940369a8028803460baf600203c435179611769a9850a2aef7fb45d2c86d7"
}
]
}
} |