736 lines
No EOL
38 KiB
JSON
736 lines
No EOL
38 KiB
JSON
{
|
|
"Event": {
|
|
"analysis": "2",
|
|
"date": "2017-07-31",
|
|
"extends_uuid": "",
|
|
"info": "OSINT - TwoFace Webshell: Persistent Access Point for Lateral Movement",
|
|
"publish_timestamp": "1501961887",
|
|
"published": true,
|
|
"threat_level_id": "3",
|
|
"timestamp": "1501961841",
|
|
"uuid": "59861ab3-3ef8-4683-ad19-9533950d210f",
|
|
"Orgc": {
|
|
"name": "CIRCL",
|
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
|
},
|
|
"Tag": [
|
|
{
|
|
"colour": "#ffffff",
|
|
"local": "0",
|
|
"name": "tlp:white",
|
|
"relationship_type": ""
|
|
}
|
|
],
|
|
"Attribute": [
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": false,
|
|
"type": "text",
|
|
"uuid": "59861af0-25a4-49f9-bf01-4f2c950d210f",
|
|
"value": "While investigating a recent security incident, Unit 42 found a webshell that we believe was used by the threat actor to remotely access the network of a targeted Middle Eastern organization. The construction of the webshell was interesting by itself, as it was actually two separate webshells: an initial webshell that was responsible for saving and loading the second fully functional webshell. It is this second webshell that enabled the threat actor to run a variety of commands on the compromised server. Due to these two layers, we use the name TwoFace to track this webshell.\r\n\r\nDuring our analysis, we extracted the commands executed by the TwoFace webshell from the server logs on the compromised server. Our analysis shows that the commands issued by the threat actor date back to June 2016; this suggests that the actor had access to this shell for almost an entire year. The commands issued show the actor was interested in gathering credentials from the compromised server using the Mimikatz tool. We also saw the attacker using the TwoFace webshell to move laterally through the network by copying itself and other webshells to other servers.",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861b17-1cbc-4813-965b-4fa3950d210f",
|
|
"value": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-twoface-webshell-persistent-access-point-lateral-movement/",
|
|
"Tag": [
|
|
{
|
|
"colour": "#00223b",
|
|
"local": "0",
|
|
"name": "osint:source-type=\"blog-post\"",
|
|
"relationship_type": ""
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b70-3c18-4ad8-a631-4262950d210f",
|
|
"value": "ed684062f43d34834c4a87fdb68f4536568caf16c34a0ea451e6f25cf1532d51"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b70-0bf0-4044-8432-4ade950d210f",
|
|
"value": "f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b70-f498-42f2-89ca-45e9950d210f",
|
|
"value": "9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b70-8370-478b-8ad6-4c50950d210f",
|
|
"value": "d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b87-9d74-4493-96ab-4d85950d210f",
|
|
"value": "bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861b87-fb2c-425a-85df-4f5d950d210f",
|
|
"value": "8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-3e74-4e1e-8e9c-4528950d210f",
|
|
"value": "8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-4fb8-4eb0-b43e-4528950d210f",
|
|
"value": "0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-ff20-4384-8bb4-4528950d210f",
|
|
"value": "54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-cd24-4f0d-90c7-4528950d210f",
|
|
"value": "818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-d38c-4274-9ef2-4528950d210f",
|
|
"value": "fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-d3b4-4c45-bc66-4528950d210f",
|
|
"value": "79c9a2a2b596f8270b32f30f3e03882b00b87102e65de00a325b64d30051da4e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-dcd8-49d9-919c-4528950d210f",
|
|
"value": "e33096ab328949af19c290809819034d196445b8ed0406206e7418ec96f66b68"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861ba3-fd08-431f-b42e-4528950d210f",
|
|
"value": "c116f078a0b9ea25c5fdb2e72914c3446c46f22d9f2b37c582600162ed711b69"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "IntrudingDivisor Shell",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861bc6-0238-4656-8840-9533950d210f",
|
|
"value": "e342d6bf07de1257e82f4ea19e9f08c9e11a43d9ad576cd799782f6e968914b8"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "IntrudingDivisor Shell",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861bc6-dc24-4ccf-bb7b-9533950d210f",
|
|
"value": "49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Mimikatz",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961272",
|
|
"to_ids": true,
|
|
"type": "sha256",
|
|
"uuid": "59861bfb-a1cc-4996-8368-4245950d210f",
|
|
"value": "f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-89f0-4b18-b602-475702de0b81",
|
|
"value": "28e2b56ee6ca16d84bc05f01dd6abeb12ef52e77"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-db1c-4926-9bc9-4cb502de0b81",
|
|
"value": "cb567013f063019f5f57fa8240caa3dc"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "Mimikatz - Xchecked via VT: f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-8ce8-498a-9f27-4b7a02de0b81",
|
|
"value": "https://www.virustotal.com/file/f17272d146f4d46dda5dc2791836bfa783bdc09ca062f33447e4f3a26f26f4e0/analysis/1501873561/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-f138-4f70-9226-47b702de0b81",
|
|
"value": "e4ac7454be74994e5b32e4a2aedd21b077417a4c"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-09c0-4478-812f-4dbf02de0b81",
|
|
"value": "872df1b1889f34a6479952d258c73ccb"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "IntrudingDivisor Shell - Xchecked via VT: 49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-a73c-4f9c-9e37-4cf802de0b81",
|
|
"value": "https://www.virustotal.com/file/49f43f2caaea89bd3bb137f4228e543783ef265abbdc84e3743d93a7d30b0a7e/analysis/1501873544/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-3c84-4bd2-a0e9-412102de0b81",
|
|
"value": "1a9b15800c570997191ec1613ac5816c280d8283"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-cc70-4028-916c-459f02de0b81",
|
|
"value": "154354bbb42ff8326fff9b86ce22e1a9"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Payload - Xchecked via VT: fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-5664-4e0a-8d88-4e5202de0b81",
|
|
"value": "https://www.virustotal.com/file/fd47825d75e3da3e43dc84f425178d6e834a900d6b2fd850ee1083dbb1e5b113/analysis/1501873497/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-f1ec-4cd9-ab7a-4dab02de0b81",
|
|
"value": "5260114801ddd07f721fa04607c722d2add0fa32"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-75bc-4043-a143-49c802de0b81",
|
|
"value": "7d8766edf1680bdb12ff4b71a2e53edf"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-ac3c-41b3-b1b3-495c02de0b81",
|
|
"value": "https://www.virustotal.com/file/818ac924fd8f7bc1b6062a8ef456226a47c4c59d2f9e38eda89fff463253942f/analysis/1501873479/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-97a8-49a8-866c-4ffe02de0b81",
|
|
"value": "a406513a493e2ee9fa0db8f1d9871cb982906a48"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-d250-46e9-b502-451502de0b81",
|
|
"value": "c2dcbd7b96d363b84cf655648cd6b59e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-63b0-4a13-a446-493802de0b81",
|
|
"value": "https://www.virustotal.com/file/54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f/analysis/1501873465/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-bff0-4078-ba6c-4f8602de0b81",
|
|
"value": "e2446d181c54d3883a3613404cfbba666bb04106"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-0884-4dc6-ae42-4fcc02de0b81",
|
|
"value": "fb5aa6b2dae48602ad5db408800b908e"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-84a8-4d66-9785-49e602de0b81",
|
|
"value": "https://www.virustotal.com/file/0a77e28e6d0d7bd057167ca8a63da867397f1619a38d5c713027ebb22b784d4f/analysis/1501954505/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-c338-4b2b-91cc-4c9c02de0b81",
|
|
"value": "9cc0e7f80ca9dce6976bda0660885825a1f1afbf"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-e778-459f-ac0b-46da02de0b81",
|
|
"value": "aff218b56ae622a3b3376996a33287ad"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Payload - Xchecked via VT: 8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-7d64-4635-9b3e-405302de0b81",
|
|
"value": "https://www.virustotal.com/file/8f0419493da5ba201429503e53c9ccb8f8170ab73141bdc6ae6b9771512ad84b/analysis/1501873416/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-f2dc-4158-bcbf-4b1b02de0b81",
|
|
"value": "8d82ea31ce64e262c834ceed49ea97a53f8302e4"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-f030-4c07-9afb-44d002de0b81",
|
|
"value": "142b659975be77dd125fd3432c95e5de"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: 8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-4ff4-4c9f-bc50-413702de0b81",
|
|
"value": "https://www.virustotal.com/file/8d178b9730e09e35c071526bfb91ce72f876797ebc4e81f0bc05e7bb8ad1734e/analysis/1501873395/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-8884-4f11-a6fe-412602de0b81",
|
|
"value": "75890380e99448e612530871f2c65b27c9a401ec"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-d110-41d3-9ee1-4bf202de0b81",
|
|
"value": "6ca2818f6cce5b5fc484c3557b59a003"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace++ Loader - Xchecked via VT: bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-8980-4e01-b5ac-4b7602de0b81",
|
|
"value": "https://www.virustotal.com/file/bca01f14fb3cb4cfbe7f240156feebc55abac73a6c96b9f75da2f9df580101ef/analysis/1501873378/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-0b80-4353-a6dc-491602de0b81",
|
|
"value": "418fb8a86d3a9ce0b32ef338de2fa4b3a4cffc6f"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-d3d0-4f7c-ba66-404002de0b81",
|
|
"value": "abb7f1eefdc2a539cfe541f416f22407"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Loader - Xchecked via VT: d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-953c-4d87-871e-414302de0b81",
|
|
"value": "https://www.virustotal.com/file/d0ffd613b1b285b15e2d6c038b0bd4951eb40eb802617cf6eb4f56cda4b023e3/analysis/1501873357/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-a978-48c5-8c2d-4a4102de0b81",
|
|
"value": "a238ac53363f8a4b65271a1f380c21ceacd9c0b3"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-4220-433c-83ef-45b002de0b81",
|
|
"value": "c0e62672fab65be9ecf54a64730323b8"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Loader - Xchecked via VT: 9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-bfd4-40f0-b115-488102de0b81",
|
|
"value": "https://www.virustotal.com/file/9a361019f6fbd4a246b96545868dcb7908c611934c41166b9aa93519504ac813/analysis/1501873330/"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "sha1",
|
|
"uuid": "59861c39-3dec-4985-9014-439e02de0b81",
|
|
"value": "da78d71fce08e809f114bfb931daa9a5ec7eea33"
|
|
},
|
|
{
|
|
"category": "Payload delivery",
|
|
"comment": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": true,
|
|
"type": "md5",
|
|
"uuid": "59861c39-c2b8-4764-90d5-47d002de0b81",
|
|
"value": "6c6567b4ccf9c650c4ae80b516881164"
|
|
},
|
|
{
|
|
"category": "External analysis",
|
|
"comment": "TwoFace Loader - Xchecked via VT: f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961273",
|
|
"to_ids": false,
|
|
"type": "link",
|
|
"uuid": "59861c39-f954-450e-a2d4-417602de0b81",
|
|
"value": "https://www.virustotal.com/file/f4da5cb72246434decb8cf676758da410f6ddc20196dfd484f513aa3b6bc4ac5/analysis/1501873300/"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-d65c-4eed-8a99-4aae950d210f",
|
|
"value": "a2c9afd6adac242827adb00d76c20c491b2d2247"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-ebe0-471d-b47c-4f97950d210f",
|
|
"value": "6a0e681586988388d4a0690b6fb686715d92d069"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-8dcc-46fb-a973-4597950d210f",
|
|
"value": "5e1c37bf3bd8a7567d46db63ed9b0aeed53e57fe"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-4bbc-4cb5-9349-4e65950d210f",
|
|
"value": "37ada887553cf48715cc19131b8e661ac43718e9"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-c574-4ca7-8d0e-44ac950d210f",
|
|
"value": "9789b5c0c13fb58c423bce5577873d413d9494be"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-eb0c-4230-aa9a-4ca4950d210f",
|
|
"value": "c56bc0d331a825fdea01c5437877d5e9e1cda2c4"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-1754-46ee-9b2c-4459950d210f",
|
|
"value": "9f4e10484f4ceac34878d4f621a1ad8e580fd02a"
|
|
},
|
|
{
|
|
"category": "Artifacts dropped",
|
|
"comment": "The TwoFace payload shell requires a password that is sent within HTTP POST data or within the HTTP Cookie, specifically with a field with a name \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d. The \u00e2\u20ac\u0153pwd\u00e2\u20ac\u009d field is used for authentication as a password, which the payload will generate the SHA1 hash and compare it with a hash that is hardcoded within the payload. We extracted the SHA1 hashes used for authentication from the known TwoFace shells, as seen in Table 4 and were able to find the associated password string for three of them. One of the passwords, \u00e2\u20ac\u0153RamdanAlKarim12\u00e2\u20ac\u009d contains a phrase that means \u00e2\u20ac\u0153Ramadan the generous\u00e2\u20ac\u009d in Arabic (\u00d8\u00b1\u00d9\u2026\u00d8\u00b6\u00d8\u00a7\u00d9\u2020 \u00d8\u00a7\u00d9\u201e\u00d9\u0192\u00d8\u00b1\u00d9\u0160\u00d9\u2026). Another known password is \u00e2\u20ac\u0153FreeMe!\u00e2\u20ac\u009d, while the last known password contains what may be an acronym of a middle eastern energy organization followed by \u00e2\u20ac\u0153pass\u00e2\u20ac\u009d. It is possible that the actor chose this acronym based on the targeted organization, but we cannot confirm this.",
|
|
"deleted": false,
|
|
"disable_correlation": false,
|
|
"timestamp": "1501961841",
|
|
"to_ids": false,
|
|
"type": "sha1",
|
|
"uuid": "59861e71-7c58-4271-abbd-4c5d950d210f",
|
|
"value": "57dd9721f9837ebd24dea55a90a2a9e3e6ad6f1e"
|
|
}
|
|
]
|
|
}
|
|
} |